secure-review-extension 1.0.11 → 1.0.12

package/package.json

@@ -2,7 +2,7 @@
   "name": "secure-review-extension",
   "displayName": "Secure Review",
   "description": "Run deep static and Docker-based dynamic secure code reviews directly inside VS Code.",
-  "version": "1.0.11",
+  "version": "1.0.12",
   "publisher": "Ankit-QI",
   "icon": "media/shield.png",
   "license": "MIT",

package/src/scanners/bootstrap-tools.js

@@ -2,6 +2,7 @@ const fs = require("node:fs");
 const path = require("node:path");
 const os = require("node:os");
 const { execFileSync } = require("node:child_process");
+const { SHELL_EXTENSIONS, looksLikeAnsibleContent, looksLikeAnsiblePath } = require("./scan-targets");
 
 function detectWorkspace(workspaceRoot) {
   const manifestNames = new Set(walkFiles(workspaceRoot, 4).map((file) => path.relative(workspaceRoot, file)));
@@ -113,7 +114,7 @@ function detectWorkspace(workspaceRoot) {
     if (ext === ".php") languages.add("php");
     if (ext === ".rb") languages.add("ruby");
     if (ext === ".cs") languages.add("csharp");
-    if ([".sh", ".bash", ".zsh", ".ksh"].includes(ext)) languages.add("shell");
+    if (SHELL_EXTENSIONS.has(ext)) languages.add("shell");
     if ([".js", ".jsx", ".ts", ".tsx", ".mjs", ".cjs"].includes(ext)) languages.add("javascript");
     if ([".yml", ".yaml"].includes(ext) && looksLikeAnsibleFile(workspaceRoot, file)) frameworks.add("ansible");
   }
@@ -413,12 +414,7 @@ function readJson(filePath) {
 }
 
 function looksLikeAnsibleFile(workspaceRoot, relativePath) {
-  const normalizedPath = relativePath.toLowerCase();
-  if (/(^|\/)(playbooks?|roles|tasks|handlers|group_vars|host_vars)\//.test(normalizedPath)) {
-    return true;
-  }
-
-  if (/(^|\/)(site|playbook|deploy|provision)\.ya?ml$/.test(normalizedPath)) {
+  if (looksLikeAnsiblePath(relativePath)) {
     return true;
   }
 
@@ -428,12 +424,7 @@ function looksLikeAnsibleFile(workspaceRoot, relativePath) {
   }
 
   try {
-    const content = fs.readFileSync(fullPath, "utf8").toLowerCase();
-    return (
-      /(^|\n)\s*hosts\s*:\s*.+/m.test(content)
-        && /(^|\n)\s*(tasks|handlers)\s*:/m.test(content)
-    ) || /ansible\.builtin\./.test(content)
-      || /(^|\n)\s*become\s*:\s*(true|yes)\b/m.test(content);
+    return looksLikeAnsibleContent(fs.readFileSync(fullPath, "utf8"));
   } catch {
     return false;
   }

package/src/scanners/repository-heuristics.js

@@ -0,0 +1,437 @@
+const path = require("node:path");
+const { hashFinding, toPosixPath } = require("../utils");
+
+function analyzeRepository(files, workspaceRoot) {
+  const findings = [];
+  const fileSet = new Set(files.map((file) => file.relativePath));
+
+  const packageJsonFiles = files.filter((file) => path.basename(file.relativePath) === "package.json");
+  for (const packageJsonFile of packageJsonFiles) {
+    findings.push(...analyzePackageJson(packageJsonFile, fileSet, workspaceRoot));
+  }
+
+  const requirementsFiles = files.filter((file) => path.basename(file.relativePath) === "requirements.txt");
+  for (const requirementsFile of requirementsFiles) {
+    findings.push(...analyzeRequirements(requirementsFile, workspaceRoot));
+  }
+
+  const goModFiles = files.filter((file) => path.basename(file.relativePath) === "go.mod");
+  for (const goModFile of goModFiles) {
+    findings.push(...analyzeGoMod(goModFile, workspaceRoot));
+  }
+
+  const cargoTomlFiles = files.filter((file) => path.basename(file.relativePath) === "Cargo.toml");
+  for (const cargoTomlFile of cargoTomlFiles) {
+    findings.push(...analyzeCargoToml(cargoTomlFile, workspaceRoot));
+  }
+
+  for (const file of files) {
+    const base = path.basename(file.relativePath);
+    if (base === "Dockerfile") {
+      findings.push(...analyzeDockerfile(file, workspaceRoot));
+    }
+    if (base === "docker-compose.yml" || base === "docker-compose.yaml") {
+      findings.push(...analyzeDockerCompose(file, workspaceRoot));
+    }
+    if (file.relativePath.includes(".github/workflows/") && file.ext === ".yml") {
+      findings.push(...analyzeGithubWorkflow(file, workspaceRoot));
+    }
+    if (file.relativePath.toLowerCase().includes("openapi") || file.relativePath.endsWith("swagger.json") || file.relativePath.endsWith("swagger.yaml")) {
+      findings.push(...analyzeApiSpec(file, workspaceRoot));
+    }
+    if (looksLikeKubernetesManifest(file)) {
+      findings.push(...analyzeKubernetesManifest(file, workspaceRoot));
+    }
+    if (looksLikeWebServerConfig(file)) {
+      findings.push(...analyzeWebServerConfig(file, workspaceRoot));
+    }
+    if (file.ext === ".tf") {
+      findings.push(...analyzeTerraform(file, workspaceRoot));
+    }
+    if (looksLikeRuntimeConfig(file)) {
+      findings.push(...analyzeRuntimeEnvironment(file, workspaceRoot));
+    }
+    if (looksLikePackageManagerConfig(file)) {
+      findings.push(...analyzePackageManagerConfig(file, workspaceRoot));
+    }
+    findings.push(...analyzeFileSizeAndComplexity(file, workspaceRoot));
+  }
+
+  return findings;
+}
+
+function analyzePackageJson(file, fileSet, workspaceRoot) {
+  const findings = [];
+  try {
+    const payload = JSON.parse(file.content);
+    const dependencies = {
+      ...(payload.dependencies || {}),
+      ...(payload.devDependencies || {}),
+      ...(payload.optionalDependencies || {}),
+      ...(payload.peerDependencies || {})
+    };
+    const dependencyNames = Object.keys(dependencies);
+    const packageDir = path.posix.dirname(file.relativePath);
+
+    if (dependencyNames.length > 80) {
+      findings.push(repoFinding(workspaceRoot, file.relativePath, "dependency-bloat", "High dependency count may increase maintenance and supply-chain risk", "medium", "Dependency Risk", "Dependency Bloat", "dependency-risk", `Detected ${dependencyNames.length} dependencies in package.json.`, "Review whether all dependencies are still required and remove unnecessary packages.", "Trim unused dependencies and keep the dependency graph intentionally small.", "Large dependency graphs increase attack surface and upgrade complexity.", ["Supply Chain Review"]));
+    }
+
+    const weakPins = dependencyNames.filter((name) => /^[~^*]/.test(String(dependencies[name])));
+    if (weakPins.length >= 5) {
+      findings.push(repoFinding(workspaceRoot, file.relativePath, "weak-version-pinning", "Dependency version pinning appears loose", "medium", "Dependency Risk", "Version Pinning", "dependency-risk", weakPins.slice(0, 8).map((name) => `${name}@${dependencies[name]}`).join(", "), "Pin critical runtime dependencies more tightly or use a disciplined update workflow.", "Adopt explicit upgrade windows and lockfile hygiene for runtime dependencies.", "Loose version ranges can increase drift and make builds less predictable.", ["Supply Chain Review"]));
+    }
+
+    const prereleaseDependencies = dependencyNames.filter((name) => /(?:alpha|beta|rc|canary|next)/i.test(String(dependencies[name])));
+    if (prereleaseDependencies.length) {
+      findings.push(repoFinding(workspaceRoot, file.relativePath, "prerelease-dependencies", "Workspace depends on prerelease package versions", "medium", "Dependency Risk", "Release Stability", "dependency-risk", prereleaseDependencies.slice(0, 8).map((name) => `${name}@${dependencies[name]}`).join(", "), "Prefer stable reviewed releases for production paths or document why prerelease packages are required.", "Isolate prerelease packages to development-only contexts or pin them under explicit approval.", "Prerelease dependencies often carry higher change risk and less predictable support.", ["Supply Chain Review"]));
+    }
+
+    const nonRegistryDependencies = dependencyNames.filter((name) => /^(git\+|https?:|file:|link:|github:|bitbucket:)/i.test(String(dependencies[name])));
+    if (nonRegistryDependencies.length) {
+      findings.push(repoFinding(workspaceRoot, file.relativePath, "non-registry-dependencies", "Dependencies are pulled from git, file, or URL sources", "high", "Dependency Risk", "Supply Chain Source", "dependency-risk", nonRegistryDependencies.slice(0, 8).map((name) => `${name}@${dependencies[name]}`).join(", "), "Review non-registry dependency sources carefully and pin them to trusted immutable revisions where possible.", "Prefer reviewed registry releases or immutable commit SHAs instead of mutable URL or local path references.", "Non-registry dependency sources can bypass normal package review and make builds harder to reproduce.", ["Supply Chain Review"]));
+    }
+
+    const zeroMajorDependencies = dependencyNames.filter((name) => /^0\./.test(String(dependencies[name]).replace(/^[~^]/, "")));
+    if (zeroMajorDependencies.length >= 5) {
+      findings.push(repoFinding(workspaceRoot, file.relativePath, "zero-major-dependencies", "Multiple dependencies are still on zero-major versions", "low", "Dependency Risk", "Maturity Signal", "dependency-risk", zeroMajorDependencies.slice(0, 8).map((name) => `${name}@${dependencies[name]}`).join(", "), "Review whether zero-major dependencies are appropriate for production-critical paths.", "Track maturity and support expectations for early-stage packages in core flows.", "Zero-major versions can signal APIs and maintenance posture that are still evolving quickly.", ["Supply Chain Review"]));
+    }
+
+    const expectedLockfiles = [
+      packageDir === "." ? "package-lock.json" : `${packageDir}/package-lock.json`,
+      packageDir === "." ? "pnpm-lock.yaml" : `${packageDir}/pnpm-lock.yaml`,
+      packageDir === "." ? "yarn.lock" : `${packageDir}/yarn.lock`
+    ];
+    if (!expectedLockfiles.some((candidate) => fileSet.has(candidate))) {
+      findings.push(repoFinding(workspaceRoot, file.relativePath, "missing-lockfile", "JavaScript workspace appears to be missing a lockfile", "medium", "Dependency Risk", "Build Reproducibility", "dependency-risk", `No package-lock.json, pnpm-lock.yaml, or yarn.lock detected near ${file.relativePath}.`, "Commit a lockfile to support reproducible builds and dependency review.", "Use a lockfile in version control for deterministic installs and better auditability.", "Missing lockfiles make builds less reproducible and can hide dependency drift.", ["Build Integrity"]));
+    }
+
+    const scripts = payload.scripts || {};
+    for (const [name, command] of Object.entries(scripts)) {
+      if (/curl\s+.*\|\s*(bash|sh)/i.test(String(command))) {
+        findings.push(repoFinding(workspaceRoot, file.relativePath, "unsafe-install-script", "Script pipes remote content into a shell", "high", "DevOps", "Unsafe Script Pattern", "security", `${name}: ${command}`, "Avoid piping remote content directly into a shell in package scripts.", "Download artifacts explicitly, verify them, and execute only trusted local files.", "Remote shell piping increases supply-chain and command-execution risk.", ["CWE-494"]));
+      }
+    }
+  } catch {
+    findings.push(repoFinding(workspaceRoot, file.relativePath, "package-json-parse", "package.json could not be parsed during repository review", "low", "Reliability", "Manifest Parsing", "reliability", "Unable to parse package.json cleanly.", "Validate manifest syntax and keep project metadata well-formed.", "Fix malformed manifests early to keep tooling predictable.", "Broken manifests can disrupt review tooling and build workflows.", ["Build Reliability"]));
+  }
+
+  return findings;
+}
+
+function analyzeRequirements(file, workspaceRoot) {
+  const findings = [];
+  const lines = file.content.split(/\r?\n/).map((line) => line.trim()).filter(Boolean);
+  const unpinned = lines.filter((line) => !line.startsWith("#") && !/(==|~=|>=|<=)/.test(line));
+  if (unpinned.length >= 3) {
+    findings.push(repoFinding(workspaceRoot, file.relativePath, "unpinned-python-dependencies", "Python dependencies may be insufficiently pinned", "medium", "Dependency Risk", "Version Pinning", "dependency-risk", unpinned.slice(0, 8).join(", "), "Pin Python dependencies to reviewed versions and add an upgrade process.", "Use constraints or lock tooling for deterministic Python environments.", "Unpinned dependencies increase build drift and make vulnerability management harder.", ["Supply Chain Review"]));
+  }
+
+  const vcsOrDirectRefs = lines.filter((line) => !line.startsWith("#") && /(@\s*git\+|git\+https?:|https?:\/\/|file:|-e\s+)/i.test(line));
+  if (vcsOrDirectRefs.length) {
+    findings.push(repoFinding(workspaceRoot, file.relativePath, "python-direct-source-dependencies", "Python requirements include editable, VCS, or direct URL dependencies", "high", "Dependency Risk", "Supply Chain Source", "dependency-risk", vcsOrDirectRefs.slice(0, 8).join(", "), "Review direct-source Python dependencies carefully and pin them to immutable reviewed revisions where possible.", "Prefer reviewed package releases or explicitly approved commit-pinned references over mutable source locations.", "Editable, VCS, and direct URL dependencies can bypass normal package review and make builds less reproducible.", ["Supply Chain Review"]));
+  }
+
+  const prerelease = lines.filter((line) => !line.startsWith("#") && /(a\d+|b\d+|rc\d+|alpha|beta)/i.test(line));
+  if (prerelease.length) {
+    findings.push(repoFinding(workspaceRoot, file.relativePath, "python-prerelease-dependencies", "Python requirements include prerelease versions", "medium", "Dependency Risk", "Release Stability", "dependency-risk", prerelease.slice(0, 8).join(", "), "Use stable reviewed versions for production paths unless prerelease usage is explicitly justified.", "Limit prerelease dependencies to controlled testing contexts or document the risk acceptance clearly.", "Prerelease Python packages can have higher change risk and weaker long-term support guarantees.", ["Supply Chain Review"]));
+  }
+
+  const insecureIndexes = lines.filter((line) => !line.startsWith("#") && /(--index-url|--extra-index-url)\s+http:\/\//i.test(line));
+  if (insecureIndexes.length) {
+    findings.push(repoFinding(workspaceRoot, file.relativePath, "python-insecure-package-index", "Python requirements use an insecure package index URL", "high", "Dependency Risk", "Insecure Package Transport", "dependency-risk", insecureIndexes.slice(0, 6).join(", "), "Use HTTPS-backed package indexes and avoid cleartext dependency downloads.", "Move package sources to trusted TLS-protected registries and mirror endpoints.", "Insecure package index transport can expose dependency downloads to tampering or credential leakage.", ["Supply Chain Review", "CWE-319"]));
+  }
+
+  const trustedHosts = lines.filter((line) => !line.startsWith("#") && /--trusted-host\b/i.test(line));
+  if (trustedHosts.length) {
+    findings.push(repoFinding(workspaceRoot, file.relativePath, "python-trusted-host", "Python requirements bypass normal package host verification", "medium", "Dependency Risk", "Transport Trust Override", "dependency-risk", trustedHosts.slice(0, 6).join(", "), "Use trusted hosts only when there is a documented and controlled need, and prefer proper TLS trust configuration.", "Fix certificate trust or mirror configuration instead of broadly bypassing host verification.", "Trusted-host overrides weaken package transport assurances and can mask registry trust problems.", ["Supply Chain Review"]));
+  }
+  return findings;
+}
+
+function analyzeGoMod(file, workspaceRoot) {
+  const findings = [];
+  const replaceDirectives = [...file.content.matchAll(/^\s*replace\s+(.+)$/gim)].map((match) => match[1].trim());
+  if (replaceDirectives.length) {
+    findings.push(repoFinding(workspaceRoot, file.relativePath, "go-mod-replace", "go.mod contains replace directives", "medium", "Dependency Risk", "Module Override", "dependency-risk", replaceDirectives.slice(0, 6).join("; "), "Review replace directives carefully and ensure overridden modules are intentional, trusted, and reproducible.", "Document why each module override is needed and avoid local-path replacements in production builds.", "Module replacement directives can change supply-chain trust assumptions and make builds harder to reproduce.", ["Supply Chain Review"]));
+  }
+
+  const pseudoVersions = [...file.content.matchAll(/v\d+\.\d+\.\d+-\d{14}-[0-9a-f]{12}/g)].map((match) => match[0]);
+  if (pseudoVersions.length >= 3) {
+    findings.push(repoFinding(workspaceRoot, file.relativePath, "go-pseudo-versions", "go.mod uses multiple pseudo-version dependencies", "low", "Dependency Risk", "Version Stability", "dependency-risk", pseudoVersions.slice(0, 6).join(", "), "Prefer tagged releases for production-critical dependencies where possible.", "Track pseudo-version usage explicitly so upgrades and incident response stay predictable.", "Pseudo-versions can be valid, but they often signal dependencies not pinned to formal releases.", ["Supply Chain Review"]));
+  }
+
+  return findings;
+}
+
+function analyzeCargoToml(file, workspaceRoot) {
+  const findings = [];
+  const gitOrPathDeps = [...file.content.matchAll(/^\s*[A-Za-z0-9_-]+\s*=\s*\{[^}]*\b(git|path)\s*=/gim)].map((match) => match[0].trim());
+  if (gitOrPathDeps.length) {
+    findings.push(repoFinding(workspaceRoot, file.relativePath, "cargo-git-or-path-dependencies", "Cargo manifest includes git or path dependencies", "high", "Dependency Risk", "Supply Chain Source", "dependency-risk", gitOrPathDeps.slice(0, 8).join("; "), "Review git and path dependencies carefully and pin them to trusted immutable revisions where possible.", "Prefer published crate releases for production builds or document explicit exceptions for git/path dependencies.", "Git and path crate dependencies can bypass standard release review and reduce build reproducibility.", ["Supply Chain Review"]));
+  }
+
+  return findings;
+}
+
+function analyzeDockerfile(file, workspaceRoot) {
+  const findings = [];
+  if (/^FROM\s+.+:latest/im.test(file.content)) {
+    findings.push(repoFinding(workspaceRoot, file.relativePath, "docker-latest-tag", "Docker image uses the latest tag", "medium", "DevOps", "Container Reproducibility", "outdated-practices", "Dockerfile uses a latest base image tag.", "Pin the base image to a reviewed version or digest.", "Use immutable digests or explicit version tags for container bases.", "Latest tags create non-deterministic builds and make rollbacks harder.", ["Container Review"]));
+  }
+  if (!/^USER\s+/im.test(file.content)) {
+    findings.push(repoFinding(workspaceRoot, file.relativePath, "docker-root-user", "Dockerfile does not appear to switch away from root", "medium", "DevOps", "Container Privilege", "security", "No USER directive detected in Dockerfile.", "Run containers as a non-root user where feasible.", "Create a dedicated runtime user and drop privileges before launching the app.", "Root containers increase blast radius if the application is compromised.", ["Container Review"]));
+  }
+  if (/^\s*ENV\s+(?:NODE_ENV|FLASK_ENV|APP_ENV)\s*=\s*(development|dev|debug)\b/im.test(file.content) || /^\s*ENV\s+DEBUG\s*=\s*(1|true|yes)\b/im.test(file.content)) {
+    findings.push(repoFinding(workspaceRoot, file.relativePath, "docker-debug-runtime", "Dockerfile bakes debug or development runtime settings into the image", "medium", "Configuration", "Runtime Environment", "security", "Debug or development-oriented ENV settings detected in Dockerfile.", "Avoid baking debug-oriented runtime settings into production container images.", "Keep production images environment-neutral and supply safe runtime values during deployment.", "Debug runtime defaults can expose verbose errors, weaker safeguards, or operational drift in deployed containers.", ["Container Review"]));
+  }
+  if (/^\s*(ENV|RUN)\s+.*(?:NODE_TLS_REJECT_UNAUTHORIZED\s*=\s*0|PYTHONHTTPSVERIFY\s*=\s*0|GIT_SSL_NO_VERIFY\s*=\s*1|strict-ssl\s+false|curl\s+-k\b)/im.test(file.content)) {
+    findings.push(repoFinding(workspaceRoot, file.relativePath, "docker-tls-verification-disabled", "Dockerfile appears to disable TLS or certificate verification", "high", "Configuration", "Transport Security", "security", "Dockerfile contains environment or command settings that disable TLS verification.", "Remove TLS verification bypasses from image builds and runtime defaults.", "Configure trusted CAs or package mirrors instead of disabling certificate checks.", "Disabling TLS verification can expose artifact retrieval and outbound connections to interception and tampering.", ["Container Review", "CWE-295"]));
+  }
+  return findings;
+}
+
+function analyzeDockerCompose(file, workspaceRoot) {
+  const findings = [];
+
+  if (/privileged\s*:\s*true/i.test(file.content)) {
+    findings.push(repoFinding(workspaceRoot, file.relativePath, "compose-privileged", "Docker Compose service runs in privileged mode", "high", "DevOps", "Container Privilege", "security", "privileged: true detected in Compose configuration.", "Avoid privileged containers unless there is a documented and tightly controlled exception.", "Drop privileged mode and grant only the minimum required capabilities.", "Privileged containers significantly expand host compromise risk if the service is breached.", ["Container Review"]));
+  }
+
+  if (/network_mode\s*:\s*["']?host["']?/i.test(file.content)) {
+    findings.push(repoFinding(workspaceRoot, file.relativePath, "compose-host-network", "Docker Compose service uses host networking", "medium", "DevOps", "Network Isolation", "security", "network_mode: host detected in Compose configuration.", "Use bridged or explicitly defined networks unless host networking is strictly required.", "Isolate container networking to reduce unintended service exposure.", "Host networking bypasses normal container isolation and can expand network blast radius.", ["Container Review"]));
+  }
+
+  if (/ports:\s*[\r\n]+(?:\s*-\s*["']?0\.0\.0\.0:|\s*-\s*["']?\d+\.\d+\.\d+\.\d+:)/i.test(file.content)) {
+    findings.push(repoFinding(workspaceRoot, file.relativePath, "compose-bind-all-interfaces", "Docker Compose publishes ports on broad host interfaces", "medium", "DevOps", "Network Exposure", "security", "Compose ports appear to bind to all interfaces or explicit host IPs.", "Publish only the ports that are required and bind them to trusted interfaces where possible.", "Limit published services to localhost or controlled network boundaries during development and testing.", "Broad port publishing can expose internal services more widely than intended.", ["Container Review"]));
+  }
+
+  return findings;
+}
+
+function analyzeGithubWorkflow(file, workspaceRoot) {
+  const findings = [];
+  const unpinnedActions = [...file.content.matchAll(/uses:\s*([^\n@]+)@(main|master|v?\d+\s*$)/gmi)];
+  if (unpinnedActions.length) {
+    findings.push(repoFinding(workspaceRoot, file.relativePath, "workflow-unpinned-action", "GitHub Actions workflow may use loosely pinned actions", "medium", "DevOps", "CI Supply Chain", "security", unpinnedActions.slice(0, 5).map((match) => match[0].trim()).join("; "), "Pin actions to trusted versions or commit SHAs.", "Use immutable action SHAs for sensitive CI workflows.", "Loosely pinned CI actions increase supply-chain risk in build pipelines.", ["CI/CD Review"]));
+  }
+  return findings;
+}
+
+function analyzeApiSpec(file, workspaceRoot) {
+  const findings = [];
+  if (!/securitySchemes|security:/i.test(file.content)) {
+    findings.push(repoFinding(workspaceRoot, file.relativePath, "api-spec-missing-security", "API specification may be missing explicit security definitions", "medium", "API Review", "Security Contract", "architecture", "No obvious securitySchemes or security declarations were found in the API spec.", "Document authentication and authorization expectations directly in the API contract.", "Use the API spec as the source of truth for auth and sensitive endpoint behavior.", "Underspecified API security contracts increase integration and review ambiguity.", ["API Review"]));
+  }
+  return findings;
+}
+
+function analyzeKubernetesManifest(file, workspaceRoot) {
+  const findings = [];
+
+  if (/privileged\s*:\s*true/i.test(file.content)) {
+    findings.push(repoFinding(workspaceRoot, file.relativePath, "k8s-privileged-container", "Kubernetes workload enables privileged container mode", "high", "DevOps", "Pod Security", "security", "privileged: true detected in workload manifest.", "Avoid privileged pods unless there is a tightly controlled operational requirement.", "Use Pod Security Standards and least-privilege container settings by default.", "Privileged containers can break isolation boundaries and increase cluster compromise risk.", ["Kubernetes Review"]));
+  }
+
+  if (!/runAsNonRoot\s*:\s*true/i.test(file.content) && /kind:\s*(Deployment|StatefulSet|DaemonSet|Job|CronJob|Pod)/i.test(file.content)) {
+    findings.push(repoFinding(workspaceRoot, file.relativePath, "k8s-run-as-root", "Kubernetes workload may not enforce non-root execution", "medium", "DevOps", "Pod Security", "security", "No obvious runAsNonRoot: true setting detected for workload manifest.", "Set runAsNonRoot and related securityContext fields for application containers.", "Adopt non-root container execution as the default baseline in cluster workloads.", "Root containers in Kubernetes increase the blast radius of container compromise.", ["Kubernetes Review"]));
+  }
+
+  if (/allowPrivilegeEscalation\s*:\s*true/i.test(file.content)) {
+    findings.push(repoFinding(workspaceRoot, file.relativePath, "k8s-allow-privilege-escalation", "Kubernetes workload allows privilege escalation", "high", "DevOps", "Pod Security", "security", "allowPrivilegeEscalation: true detected in manifest.", "Disable privilege escalation unless there is an explicit and reviewed need.", "Set allowPrivilegeEscalation to false for normal application workloads.", "Privilege escalation increases the risk that a container escape or local exploit can become more severe.", ["Kubernetes Review"]));
+  }
+
+  return findings;
+}
+
+function analyzeWebServerConfig(file, workspaceRoot) {
+  const findings = [];
+
+  if (/(autoindex\s+on;|Options\s+\+Indexes)/i.test(file.content)) {
+    findings.push(repoFinding(workspaceRoot, file.relativePath, "webserver-directory-listing", "Web server configuration appears to enable directory listing", "medium", "Configuration", "Directory Listing", "security", "Directory indexing/listing directive detected.", "Disable directory listing unless there is a deliberate and reviewed need for it.", "Serve only intended resources and avoid exposing directory indexes.", "Directory listing can leak internal files, naming conventions, and sensitive static assets.", ["Web Server Review"]));
+  }
+
+  if (!/(add_header\s+X-Frame-Options|Header\s+always\s+set\s+X-Frame-Options|add_header\s+Content-Security-Policy|Header\s+always\s+set\s+Content-Security-Policy)/i.test(file.content)) {
+    findings.push(repoFinding(workspaceRoot, file.relativePath, "webserver-missing-security-headers", "Web server config may be missing clickjacking or CSP header hardening", "medium", "Configuration", "Security Headers", "security", "No obvious X-Frame-Options or Content-Security-Policy header directives detected.", "Add the required security headers at the web server or reverse proxy layer where appropriate.", "Define a consistent baseline for clickjacking and content loading protections in edge configs.", "Missing security headers can leave web applications more exposed even when application code is otherwise hardened.", ["Web Server Review"]));
+  }
+
+  return findings;
+}
+
+function analyzeTerraform(file, workspaceRoot) {
+  const findings = [];
+
+  if (/0\.0\.0\.0\/0/.test(file.content)) {
+    findings.push(repoFinding(workspaceRoot, file.relativePath, "terraform-open-cidr", "Terraform allows exposure to 0.0.0.0/0", "high", "DevOps", "Network Exposure", "security", "0.0.0.0/0 detected in Terraform configuration.", "Restrict ingress and egress CIDRs to only the required address ranges.", "Use narrowly scoped network rules and document justified public exposure explicitly.", "World-open CIDRs can expose services or management planes broadly if applied to sensitive resources.", ["IaC Review"]));
+  }
+
+  if (/public_access\s*=\s*true|publicly_accessible\s*=\s*true/i.test(file.content)) {
+    findings.push(repoFinding(workspaceRoot, file.relativePath, "terraform-public-resource", "Terraform marks a resource as publicly accessible", "medium", "DevOps", "Public Exposure", "security", "public access flag detected in Terraform resource definition.", "Review whether the resource truly needs public exposure and protect it with layered controls if so.", "Prefer private-by-default resource placement and explicit ingress controls.", "Publicly accessible infrastructure expands the attack surface and needs stronger review and monitoring.", ["IaC Review"]));
+  }
+
+  return findings;
+}
+
+function analyzeRuntimeEnvironment(file, workspaceRoot) {
+  const findings = [];
+  const content = file.content;
+
+  if (/(^|\n)\s*(?:DEBUG|FLASK_DEBUG|DJANGO_DEBUG|APP_DEBUG|ENABLE_DEBUG)\s*[:=]\s*(1|true|yes|on)\b/i.test(content)) {
+    findings.push(repoFinding(workspaceRoot, file.relativePath, "runtime-debug-enabled", "Runtime configuration enables debug behavior", "medium", "Configuration", "Debug Mode", "security", "Debug-oriented runtime setting detected in config.", "Disable debug mode in deployed environments and use controlled logging or diagnostics instead.", "Keep debugging features off by default outside local development.", "Debug mode can expose stack traces, internal configuration, or relaxed security behavior in runtime environments.", ["Runtime Review"]));
+  }
+
+  if (/(^|\n)\s*(?:HOST|BIND|BIND_ADDRESS|LISTEN_ADDR|SERVER_HOST|FLASK_HOST)\s*[:=]\s*(0\.0\.0\.0|\*)\b/i.test(content)) {
+    findings.push(repoFinding(workspaceRoot, file.relativePath, "runtime-bind-all-interfaces", "Runtime configuration binds the service to all interfaces", "medium", "Configuration", "Network Exposure", "security", "Broad bind address detected in runtime config.", "Bind services to the minimum required interface or document the network boundary controls protecting them.", "Prefer localhost or controlled internal interfaces for local and administrative services.", "Binding to all interfaces expands reachability and can expose services more broadly than intended.", ["Runtime Review"]));
+  }
+
+  if (/(^|\n)\s*(?:NODE_TLS_REJECT_UNAUTHORIZED|PYTHONHTTPSVERIFY|GIT_SSL_NO_VERIFY|NPM_CONFIG_STRICT_SSL|STRICT_SSL|CURL_INSECURE)\s*[:=]\s*(0|false|no|off)\b/i.test(content) || /(^|\n)\s*CURL_INSECURE\s*[:=]\s*(1|true|yes|on)\b/i.test(content)) {
+    findings.push(repoFinding(workspaceRoot, file.relativePath, "runtime-tls-verification-disabled", "Runtime configuration disables TLS or certificate verification", "high", "Configuration", "Transport Security", "security", "TLS verification bypass detected in runtime config.", "Remove TLS verification bypasses and configure trusted CA roots or package mirrors properly.", "Use proper certificate trust management instead of disabling verification at runtime.", "Disabling TLS verification increases the risk of man-in-the-middle attacks and unsafe package or API transport.", ["Runtime Review", "CWE-295"]));
+  }
+
+  if (/(^|\n)\s*(?:LOG_LEVEL|LOGLEVEL)\s*[:=]\s*debug\b/i.test(content)) {
+    findings.push(repoFinding(workspaceRoot, file.relativePath, "runtime-debug-logging", "Runtime configuration enables debug-level logging", "low", "Configuration", "Logging Exposure", "security", "Debug log level detected in runtime config.", "Review whether debug logging is appropriate for the target environment and redact sensitive data if retained.", "Use safer default log levels in shared or production-like environments.", "Debug logs can leak sensitive identifiers, tokens, or internal implementation details if enabled broadly.", ["Runtime Review"]));
+  }
+
+  return findings;
+}
+
+function analyzePackageManagerConfig(file, workspaceRoot) {
+  const findings = [];
+  const content = file.content;
+
+  if (/strict-ssl\s*=\s*false/i.test(content) || /registry\s*=\s*http:\/\//i.test(content)) {
+    findings.push(repoFinding(workspaceRoot, file.relativePath, "package-manager-insecure-transport", "Package manager configuration weakens registry transport security", "high", "Dependency Risk", "Registry Transport", "dependency-risk", "Package manager config appears to disable strict SSL or use an HTTP registry.", "Use HTTPS registries and keep strict SSL verification enabled.", "Fix certificate trust or mirror configuration instead of weakening package-manager transport settings.", "Weak registry transport settings can expose dependency downloads and credentials to tampering or interception.", ["Supply Chain Review", "CWE-319"]));
+  }
+
+  if (/trusted-host\s*=|trusted-host\b/i.test(content)) {
+    findings.push(repoFinding(workspaceRoot, file.relativePath, "package-manager-trusted-host", "Package manager configuration overrides normal host trust checks", "medium", "Dependency Risk", "Registry Trust Override", "dependency-risk", "Trusted host override detected in package-manager config.", "Review trusted-host usage carefully and prefer proper CA trust configuration or approved mirrors.", "Limit host-trust overrides to tightly controlled internal repositories with documented justification.", "Trust overrides weaken transport assurances and can make dependency integrity harder to reason about.", ["Supply Chain Review"]));
+  }
+
+  return findings;
+}
+
+function looksLikeKubernetesManifest(file) {
+  if (![".yml", ".yaml"].includes(file.ext)) {
+    return false;
+  }
+
+  return /kind:\s*(Deployment|StatefulSet|DaemonSet|Job|CronJob|Pod|Ingress|ServiceAccount|Role|ClusterRole)\b/i.test(file.content)
+    || /apiVersion:\s*apps\/v1/i.test(file.content)
+    || /apiVersion:\s*batch\/v1/i.test(file.content);
+}
+
+function looksLikeWebServerConfig(file) {
+  const normalized = file.relativePath.toLowerCase();
+  const base = path.basename(file.relativePath).toLowerCase();
+  return base === "nginx.conf"
+    || base === "default.conf"
+    || base === "apache2.conf"
+    || base === "httpd.conf"
+    || normalized.includes("/nginx/")
+    || normalized.includes("/apache/")
+    || normalized.includes("/httpd/");
+}
+
+function looksLikeRuntimeConfig(file) {
+  const normalized = file.relativePath.toLowerCase();
+  const base = path.basename(file.relativePath).toLowerCase();
+  return isEnvLikeFile(file.relativePath, base)
+    || [".properties", ".ini", ".cfg", ".conf"].includes(file.ext)
+    || base === "application.yml"
+    || base === "application.yaml"
+    || base === "application.properties"
+    || base === "settings.ini"
+    || base === "settings.cfg";
+}
+
+function looksLikePackageManagerConfig(file) {
+  const normalized = file.relativePath.toLowerCase();
+  const base = path.basename(file.relativePath).toLowerCase();
+  return base === ".npmrc"
+    || base === "pip.conf"
+    || base === "pip.ini"
+    || normalized.endsWith("/pip/pip.conf");
+}
+
+function analyzeFileSizeAndComplexity(file, workspaceRoot) {
+  const findings = [];
+  const lineCount = file.content.split(/\r?\n/).length;
+  if (lineCount > 800) {
+    findings.push(repoFinding(workspaceRoot, file.relativePath, "large-file", "Large source file may indicate weak modularity", "low", "Maintainability", "Large File", "maintainability", `${lineCount} lines detected in a single file.`, "Split large files into smaller modules with clearer ownership boundaries.", "Separate transport, business logic, and data handling concerns.", "Very large files are harder to review, test, and secure correctly.", ["Maintainability Review"]));
+  }
+  return findings;
+}
+
+function repoFinding(workspaceRoot, relativePath, code, title, severity, category, subcategory, reviewDomain, evidence, remediation, suggestion, whyItMatters, standards) {
+  const quality = deriveRepoFindingQuality({ code, category, reviewDomain, severity });
+  return {
+    id: hashFinding([relativePath, code, title]),
+    source: "static",
+    title,
+    severity,
+    confidence: "medium",
+    category,
+    subcategory,
+    reviewDomain,
+    filePath: workspaceRoot ? path.join(workspaceRoot, relativePath) : relativePath,
+    relativePath,
+    line: 1,
+    column: 1,
+    code,
+    message: `${title} in ${toPosixPath(relativePath)}`,
+    evidence,
+    remediation,
+    suggestion,
+    whyItMatters,
+    standards,
+    findingType: quality.findingType,
+    evidenceStrength: quality.evidenceStrength,
+    flaggedBy: "repository-heuristics",
+    manualReviewRecommended: quality.manualReviewRecommended
+  };
+}
+
+function deriveRepoFindingQuality({ code, category, reviewDomain, severity }) {
+  const lowerCode = String(code || "").toLowerCase();
+  const lowerCategory = String(category || "").toLowerCase();
+  const lowerDomain = String(reviewDomain || "").toLowerCase();
+
+  if (lowerDomain === "dependency-risk" || lowerCategory.includes("dependency")) {
+    return {
+      findingType: "dependency-risk",
+      evidenceStrength: "medium",
+      manualReviewRecommended: true
+    };
+  }
+
+  if (lowerCode.includes("debug") || lowerCode.includes("bind-all") || lowerCode.includes("open-cidr") || lowerCode.includes("public-resource") || lowerCode.includes("tls-verification")) {
+    return {
+      findingType: "contextual-warning",
+      evidenceStrength: severity === "high" ? "high" : "medium",
+      manualReviewRecommended: true
+    };
+  }
+
+  if (lowerDomain === "maintainability" || lowerDomain === "code-quality" || lowerDomain === "architecture") {
+    return {
+      findingType: "recommendation",
+      evidenceStrength: "medium",
+      manualReviewRecommended: true
+    };
+  }
+
+  return {
+    findingType: lowerDomain === "security" ? "contextual-warning" : "recommendation",
+    evidenceStrength: "medium",
+    manualReviewRecommended: true
+  };
+}
+
+function isEnvLikeFile(filePath, baseName) {
+  return [".env", ".env.local", ".env.development", ".env.production", ".env.test"].includes(baseName)
+    || /\.env(\.|$)/i.test(filePath);
+}
+
+module.exports = {
+  analyzeRepository
+};

package/src/scanners/rule-builders.js

@@ -0,0 +1,66 @@
+const SEVERITY = Object.freeze({
+  CRITICAL: "critical",
+  HIGH: "high",
+  MEDIUM: "medium",
+  LOW: "low"
+});
+
+const CONFIDENCE = Object.freeze({
+  HIGH: "high",
+  MEDIUM: "medium",
+  LOW: "low"
+});
+
+const VALID_SEVERITIES = new Set(Object.values(SEVERITY));
+const VALID_CONFIDENCE = new Set(Object.values(CONFIDENCE));
+
+function defineRule(rule, defaults = {}) {
+  const merged = {
+    confidence: CONFIDENCE.MEDIUM,
+    standards: [],
+    ...defaults,
+    ...rule
+  };
+
+  return {
+    ...merged,
+    severity: normalizeEnum(merged.severity, VALID_SEVERITIES, SEVERITY.MEDIUM),
+    confidence: normalizeEnum(merged.confidence, VALID_CONFIDENCE, CONFIDENCE.MEDIUM),
+    standards: normalizeArray(merged.standards),
+    includeExtensions: normalizeOptionalArray(merged.includeExtensions),
+    excludeExtensions: normalizeOptionalArray(merged.excludeExtensions),
+    includeFrameworks: normalizeOptionalArray(merged.includeFrameworks),
+    excludeFrameworks: normalizeOptionalArray(merged.excludeFrameworks),
+    includePathPatterns: normalizeOptionalArray(merged.includePathPatterns),
+    excludePathPatterns: normalizeOptionalArray(merged.excludePathPatterns)
+  };
+}
+
+function defineRuleFactory(defaults = {}) {
+  return (rule) => defineRule(rule, defaults);
+}
+
+function normalizeEnum(value, allowed, fallback) {
+  return allowed.has(value) ? value : fallback;
+}
+
+function normalizeArray(value) {
+  if (!value) {
+    return [];
+  }
+  return Array.isArray(value) ? value : [value];
+}
+
+function normalizeOptionalArray(value) {
+  if (value === undefined) {
+    return undefined;
+  }
+  return normalizeArray(value);
+}
+
+module.exports = {
+  CONFIDENCE,
+  SEVERITY,
+  defineRule,
+  defineRuleFactory
+};