secure-review-extension 1.0.9 → 1.0.11

package/package.json

@@ -2,7 +2,7 @@
   "name": "secure-review-extension",
   "displayName": "Secure Review",
   "description": "Run deep static and Docker-based dynamic secure code reviews directly inside VS Code.",
-  "version": "1.0.9",
+  "version": "1.0.11",
   "publisher": "Ankit-QI",
   "icon": "media/shield.png",
   "license": "MIT",
@@ -272,6 +272,16 @@
           "default": true,
           "description": "If cppcheck is installed locally, include C and C++ static analysis findings."
         },
+        "secureReview.enableShellcheck": {
+          "type": "boolean",
+          "default": true,
+          "description": "If ShellCheck is installed locally, include shell script lint and safety findings."
+        },
+        "secureReview.enableAnsibleLint": {
+          "type": "boolean",
+          "default": true,
+          "description": "If ansible-lint is installed locally, include Ansible playbook findings."
+        },
         "secureReview.enableDotnetVuln": {
           "type": "boolean",
           "default": true,

package/src/scanners/bootstrap-tools.js

@@ -8,61 +8,88 @@ function detectWorkspace(workspaceRoot) {
   const languages = new Set();
   const frameworks = new Set();
 
-  if (exists("package.json")) {
+  const packageJsonFiles = [...manifestNames].filter((file) => path.basename(file) === "package.json");
+  if (packageJsonFiles.length) {
     languages.add("javascript");
-    const packageJson = readJson(path.join(workspaceRoot, "package.json"));
-    const dependencies = {
-      ...(packageJson.dependencies || {}),
-      ...(packageJson.devDependencies || {}),
-      ...(packageJson.peerDependencies || {})
-    };
-
-    if (dependencies.react) frameworks.add("react");
-    if (dependencies.next) frameworks.add("nextjs");
-    if (dependencies.vue) frameworks.add("vue");
-    if (dependencies["@angular/core"]) frameworks.add("angular");
-    if (dependencies.express) frameworks.add("express");
-    if (dependencies["@nestjs/core"]) frameworks.add("nestjs");
-  }
-
-  if (exists("requirements.txt") || exists("pyproject.toml") || exists("Pipfile")) {
+    for (const packageJsonPath of packageJsonFiles) {
+      const packageJson = readJson(path.join(workspaceRoot, packageJsonPath));
+      const dependencies = {
+        ...(packageJson.dependencies || {}),
+        ...(packageJson.devDependencies || {}),
+        ...(packageJson.peerDependencies || {})
+      };
+
+      if (dependencies.react) frameworks.add("react");
+      if (dependencies.next) frameworks.add("nextjs");
+      if (dependencies.vue) frameworks.add("vue");
+      if (dependencies["@angular/core"]) frameworks.add("angular");
+      if (dependencies.express) frameworks.add("express");
+      if (dependencies["@nestjs/core"]) frameworks.add("nestjs");
+      if (dependencies.svelte) frameworks.add("svelte");
+      if (dependencies.koa) frameworks.add("koa");
+      if (dependencies.fastify) frameworks.add("fastify");
+    }
+  }
+
+  const pythonManifestFiles = [...manifestNames].filter((file) => {
+    const base = path.basename(file);
+    return base === "requirements.txt" || base === "pyproject.toml" || base === "Pipfile";
+  });
+  if (pythonManifestFiles.length) {
     languages.add("python");
-    const pythonText = readTextIfExists("requirements.txt") || readTextIfExists("pyproject.toml") || "";
-    if (/django/i.test(pythonText)) frameworks.add("django");
-    if (/flask/i.test(pythonText)) frameworks.add("flask");
-    if (/fastapi/i.test(pythonText)) frameworks.add("fastapi");
+    for (const manifestPath of pythonManifestFiles) {
+      const pythonText = readTextIfExists(manifestPath);
+      if (/django/i.test(pythonText)) frameworks.add("django");
+      if (/flask/i.test(pythonText)) frameworks.add("flask");
+      if (/fastapi/i.test(pythonText)) frameworks.add("fastapi");
+    }
   }
 
-  if (exists("go.mod")) {
+  const goModFiles = [...manifestNames].filter((file) => path.basename(file) === "go.mod");
+  if (goModFiles.length) {
     languages.add("go");
-    const goMod = readTextIfExists("go.mod");
-    if (/gin-gonic\/gin/i.test(goMod)) frameworks.add("gin");
-    if (/labstack\/echo/i.test(goMod)) frameworks.add("echo");
+    for (const goModPath of goModFiles) {
+      const goMod = readTextIfExists(goModPath);
+      if (/gin-gonic\/gin/i.test(goMod)) frameworks.add("gin");
+      if (/labstack\/echo/i.test(goMod)) frameworks.add("echo");
+      if (/gofiber\/fiber/i.test(goMod)) frameworks.add("fiber");
+    }
   }
 
-  if (exists("Cargo.toml")) {
+  const cargoTomlFiles = [...manifestNames].filter((file) => path.basename(file) === "Cargo.toml");
+  if (cargoTomlFiles.length) {
     languages.add("rust");
-    const cargoToml = readTextIfExists("Cargo.toml");
-    if (/actix-web/i.test(cargoToml)) frameworks.add("actix-web");
-    if (/\baxum\b/i.test(cargoToml)) frameworks.add("axum");
+    for (const cargoTomlPath of cargoTomlFiles) {
+      const cargoToml = readTextIfExists(cargoTomlPath);
+      if (/actix-web/i.test(cargoToml)) frameworks.add("actix-web");
+      if (/\baxum\b/i.test(cargoToml)) frameworks.add("axum");
+      if (/rocket/i.test(cargoToml)) frameworks.add("rocket");
+    }
   }
 
-  if (exists("pom.xml") || exists("build.gradle") || exists("build.gradle.kts")) {
+  const javaManifestFiles = [...manifestNames].filter((file) => {
+    const base = path.basename(file);
+    return base === "pom.xml" || base === "build.gradle" || base === "build.gradle.kts";
+  });
+  if (javaManifestFiles.length) {
     languages.add("java");
-    const javaText = readTextIfExists("pom.xml") || readTextIfExists("build.gradle") || readTextIfExists("build.gradle.kts") || "";
-    if (/spring/i.test(javaText)) frameworks.add("spring");
+    for (const manifestPath of javaManifestFiles) {
+      const javaText = readTextIfExists(manifestPath);
+      if (/spring/i.test(javaText)) frameworks.add("spring");
+      if (/quarkus/i.test(javaText)) frameworks.add("quarkus");
+    }
   }
 
-  if (exists("CMakeLists.txt") || exists("Makefile")) {
+  if (manifestNames.has("CMakeLists.txt") || manifestNames.has("Makefile")) {
     languages.add("c");
     languages.add("cpp");
   }
 
-  if (exists("composer.json")) {
+  if ([...manifestNames].some((file) => path.basename(file) === "composer.json")) {
     languages.add("php");
   }
 
-  if (exists("Gemfile")) {
+  if ([...manifestNames].some((file) => path.basename(file) === "Gemfile")) {
     languages.add("ruby");
     frameworks.add("rails");
   }
@@ -71,6 +98,10 @@ function detectWorkspace(workspaceRoot) {
     languages.add("csharp");
   }
 
+  if ([...manifestNames].some((file) => path.basename(file) === "ansible.cfg")) {
+    frameworks.add("ansible");
+  }
+
   for (const file of manifestNames) {
     const ext = path.extname(file).toLowerCase();
     if ([".c", ".h"].includes(ext)) languages.add("c");
@@ -82,7 +113,9 @@ function detectWorkspace(workspaceRoot) {
     if (ext === ".php") languages.add("php");
     if (ext === ".rb") languages.add("ruby");
     if (ext === ".cs") languages.add("csharp");
+    if ([".sh", ".bash", ".zsh", ".ksh"].includes(ext)) languages.add("shell");
     if ([".js", ".jsx", ".ts", ".tsx", ".mjs", ".cjs"].includes(ext)) languages.add("javascript");
+    if ([".yml", ".yaml"].includes(ext) && looksLikeAnsibleFile(workspaceRoot, file)) frameworks.add("ansible");
   }
 
   return {
@@ -202,6 +235,24 @@ function buildInstallPlan(profile) {
     });
   }
 
+  if (hasAny(profile.languages, ["shell"])) {
+    addTool(plan, seen, {
+      tool: "ShellCheck",
+      requiredFor: ["Shell scripts"],
+      install: resolveShellcheckInstall(),
+      verify: ["shellcheck", "--version"]
+    });
+  }
+
+  if (hasAny(profile.frameworks, ["ansible"])) {
+    addTool(plan, seen, {
+      tool: "ansible-lint",
+      requiredFor: ["Ansible / playbooks"],
+      install: resolvePythonInstall("ansible-lint"),
+      verify: ["ansible-lint", "--version"]
+    });
+  }
+
   if (hasAny(profile.languages, ["csharp"])) {
     addTool(plan, seen, {
       tool: ".NET package audit",
@@ -294,6 +345,13 @@ function resolveCppcheckInstall() {
   return { kind: "manual", note: "Install cppcheck with your system package manager." };
 }
 
+function resolveShellcheckInstall() {
+  if (hasCommand("shellcheck")) return { kind: "already-installed" };
+  if (os.platform() === "linux") return { kind: "command", command: ["sudo", "apt-get", "install", "-y", "shellcheck"] };
+  if (hasCommand("brew")) return { kind: "command", command: ["brew", "install", "shellcheck"] };
+  return { kind: "manual", note: "Install shellcheck with your system package manager." };
+}
+
 function resolveSpotBugsInstall() {
   if (hasCommand("spotbugs")) return { kind: "already-installed" };
   if (hasCommand("brew")) return { kind: "command", command: ["brew", "install", "spotbugs"] };
@@ -354,6 +412,33 @@ function readJson(filePath) {
   }
 }
 
+function looksLikeAnsibleFile(workspaceRoot, relativePath) {
+  const normalizedPath = relativePath.toLowerCase();
+  if (/(^|\/)(playbooks?|roles|tasks|handlers|group_vars|host_vars)\//.test(normalizedPath)) {
+    return true;
+  }
+
+  if (/(^|\/)(site|playbook|deploy|provision)\.ya?ml$/.test(normalizedPath)) {
+    return true;
+  }
+
+  const fullPath = path.join(workspaceRoot, relativePath);
+  if (!fs.existsSync(fullPath)) {
+    return false;
+  }
+
+  try {
+    const content = fs.readFileSync(fullPath, "utf8").toLowerCase();
+    return (
+      /(^|\n)\s*hosts\s*:\s*.+/m.test(content)
+        && /(^|\n)\s*(tasks|handlers)\s*:/m.test(content)
+    ) || /ansible\.builtin\./.test(content)
+      || /(^|\n)\s*become\s*:\s*(true|yes)\b/m.test(content);
+  } catch {
+    return false;
+  }
+}
+
 module.exports = {
   detectWorkspace,
   buildInstallPlan,

package/src/scanners/static-rules.js

@@ -1,3 +1,8 @@
+const ANSIBLE_PATH_PATTERNS = [
+  /(^|\/)(playbooks?|roles|tasks|handlers|group_vars|host_vars)\//i,
+  /(^|\/)(site|playbook|deploy|provision)\.ya?ml$/i
+];
+
 const STATIC_RULES = [
   {
     id: "hardcoded-secret",
@@ -776,6 +781,279 @@ const STATIC_RULES = [
     suggestion: "Call subprocesses with validated argument lists and strict allowlisting.",
     whyItMatters: "Shell execution expands the attack surface for command injection and quoting bugs.",
     standards: ["CWE-78", "OWASP:A03"]
+  },
+  {
+    id: "shell-unsafe-variable-expansion",
+    title: "Shell script may use unsafe variable expansion in a command path",
+    severity: "high",
+    confidence: "medium",
+    category: "Code Execution",
+    subcategory: "Shell Expansion",
+    reviewDomain: "security",
+    regex: /\b(rm|cp|mv|cat|grep|sed|awk|find|tar|chmod|chown|mkdir)\b[^\n"'#]*\$(\{?[A-Za-z_][A-Za-z0-9_]*\}?)/g,
+    remediation: "Quote shell variables and validate command arguments before using them in file or command operations.",
+    suggestion: "Use double-quoted expansions and strict allowlists for file paths, patterns, and command inputs.",
+    whyItMatters: "Unsafe shell expansion can lead to path confusion, globbing surprises, or injection-like behavior in automation.",
+    standards: ["CWE-78", "Shell Safety Review"],
+    includeExtensions: [".sh", ".bash", ".zsh", ".ksh"]
+  },
+  {
+    id: "shell-unquoted-variable",
+    title: "Shell script appears to use an unquoted variable expansion",
+    severity: "medium",
+    confidence: "medium",
+    category: "Reliability",
+    subcategory: "Shell Quoting",
+    reviewDomain: "reliability",
+    regex: /(^|[=\s(])\$(\{?[A-Za-z_][A-Za-z0-9_]*\}?)(?=\s|$|\/|\*)/gm,
+    remediation: "Quote shell variables unless word splitting and glob expansion are explicitly intended and safe.",
+    suggestion: "Wrap variable expansions in double quotes and document the rare cases where unquoted expansion is required.",
+    whyItMatters: "Unquoted shell variables can split into multiple arguments or expand globs unexpectedly.",
+    standards: ["Shell Safety Review"],
+    includeExtensions: [".sh", ".bash", ".zsh", ".ksh"]
+  },
+  {
+    id: "shell-dangerous-eval",
+    title: "Shell script uses eval",
+    severity: "high",
+    confidence: "high",
+    category: "Code Execution",
+    subcategory: "Unsafe Execution",
+    reviewDomain: "security",
+    regex: /\beval\s+["'$({A-Za-z_]/g,
+    remediation: "Avoid eval in shell scripts and replace it with structured command dispatch or explicit argument handling.",
+    suggestion: "Use arrays, case statements, or vetted command maps instead of string-built eval execution.",
+    whyItMatters: "eval makes shell scripts highly sensitive to injection and quoting mistakes.",
+    standards: ["CWE-95", "Shell Safety Review"],
+    includeExtensions: [".sh", ".bash", ".zsh", ".ksh"]
+  },
+  {
+    id: "shell-insecure-temp-file",
+    title: "Shell script may use insecure temporary file handling",
+    severity: "high",
+    confidence: "medium",
+    category: "File Handling",
+    subcategory: "Temporary Files",
+    reviewDomain: "security",
+    regex: /(\/tmp\/[A-Za-z0-9._-]+|mktemp\s+-u\b)/g,
+    remediation: "Use secure mktemp patterns and avoid predictable paths in world-writable temporary directories.",
+    suggestion: "Create temporary files with mktemp and restrictive permissions, and clean them up predictably.",
+    whyItMatters: "Predictable or unsafe temporary files can be abused through race conditions or file replacement.",
+    standards: ["CWE-377", "Shell Safety Review"],
+    includeExtensions: [".sh", ".bash", ".zsh", ".ksh"]
+  },
+  {
+    id: "shell-curl-pipe-sh",
+    title: "Shell script pipes remote content directly into a shell",
+    severity: "high",
+    confidence: "high",
+    category: "Code Execution",
+    subcategory: "Remote Script Execution",
+    reviewDomain: "security",
+    regex: /\b(curl|wget)\b[^\n|]*\|\s*(bash|sh)\b/g,
+    remediation: "Download remote scripts explicitly, verify integrity, and execute only trusted local content.",
+    suggestion: "Use signed artifacts, checksums, and explicit local review instead of streaming remote content into a shell.",
+    whyItMatters: "Piping remote content into a shell creates a strong supply-chain and command-execution risk.",
+    standards: ["CWE-494", "Shell Safety Review"],
+    includeExtensions: [".sh", ".bash", ".zsh", ".ksh"]
+  },
+  {
+    id: "shell-disabled-error-handling",
+    title: "Shell script disables strict error handling",
+    severity: "medium",
+    confidence: "medium",
+    category: "Reliability",
+    subcategory: "Error Handling",
+    reviewDomain: "reliability",
+    regex: /(^|\n)\s*set\s+\+[eEuU]\b|(^|\n)\s*set\s+\+o\s+pipefail\b/gm,
+    remediation: "Keep strict error handling enabled unless there is a documented and tightly scoped exception.",
+    suggestion: "Prefer set -euo pipefail and temporarily suppress specific failures only where necessary.",
+    whyItMatters: "Disabled shell error handling can mask failed commands and produce unsafe partial execution.",
+    standards: ["Reliability Review", "Shell Safety Review"],
+    includeExtensions: [".sh", ".bash", ".zsh", ".ksh"]
+  },
+  {
+    id: "shell-unsafe-permissions",
+    title: "Shell script applies unsafe permission changes",
+    severity: "high",
+    confidence: "high",
+    category: "Configuration",
+    subcategory: "Permissions",
+    reviewDomain: "security",
+    regex: /\bchmod\s+(?:-R\s+)?(?:777|666)\b/g,
+    remediation: "Use the least-permissive file mode needed for the task instead of world-writable permissions.",
+    suggestion: "Set explicit owner/group and minimal modes such as 640, 644, 750, or 755 as appropriate.",
+    whyItMatters: "Overly broad file permissions increase tampering and data exposure risk on shared systems.",
+    standards: ["CWE-732", "Shell Safety Review"],
+    includeExtensions: [".sh", ".bash", ".zsh", ".ksh"]
+  },
+  {
+    id: "shell-world-writable-creation",
+    title: "Shell script may create world-writable files or directories",
+    severity: "high",
+    confidence: "medium",
+    category: "Configuration",
+    subcategory: "Permissions",
+    reviewDomain: "security",
+    regex: /\b(mkdir|install)\b[^\n]*(?:-m\s*["']?(0777|0666|777|666)["']?)/g,
+    remediation: "Create files and directories with minimal required permissions and review umask handling.",
+    suggestion: "Use restrictive modes for creation and widen access only where it is explicitly justified.",
+    whyItMatters: "World-writable file creation can enable unauthorized tampering or data exposure.",
+    standards: ["CWE-732", "Shell Safety Review"],
+    includeExtensions: [".sh", ".bash", ".zsh", ".ksh"]
+  },
+  {
+    id: "ansible-shell-module",
+    title: "Ansible playbook uses the shell module",
+    severity: "medium",
+    confidence: "medium",
+    category: "Configuration",
+    subcategory: "Ansible Execution",
+    reviewDomain: "security",
+    regex: /^\s*(ansible\.builtin\.)?shell\s*:/gm,
+    remediation: "Use command or a more specific Ansible module unless shell features are explicitly required.",
+    suggestion: "Prefer idempotent purpose-built modules and reserve shell for the few cases that truly require it.",
+    whyItMatters: "Shell tasks in playbooks increase quoting, injection, and idempotence risk compared with dedicated modules.",
+    standards: ["Ansible Review"],
+    includeExtensions: [".yml", ".yaml"],
+    includeFrameworks: ["ansible"],
+    includePathPatterns: ANSIBLE_PATH_PATTERNS
+  },
+  {
+    id: "ansible-ignore-errors",
+    title: "Ansible task ignores execution errors",
+    severity: "medium",
+    confidence: "high",
+    category: "Reliability",
+    subcategory: "Error Handling",
+    reviewDomain: "reliability",
+    regex: /^\s*ignore_errors\s*:\s*(true|yes)\b/gmi,
+    remediation: "Avoid ignore_errors unless the failure is truly non-critical and well documented.",
+    suggestion: "Handle expected failure cases explicitly with conditionals or register/when logic instead of suppressing all errors.",
+    whyItMatters: "Ignoring errors can hide failed automation steps and leave systems in unsafe partial states.",
+    standards: ["Ansible Review"],
+    includeExtensions: [".yml", ".yaml"],
+    includeFrameworks: ["ansible"],
+    includePathPatterns: ANSIBLE_PATH_PATTERNS
+  },
+  {
+    id: "ansible-command-idempotence",
+    title: "Ansible shell or command task may be missing creates/removes guards",
+    severity: "medium",
+    confidence: "low",
+    category: "Configuration",
+    subcategory: "Idempotence",
+    reviewDomain: "reliability",
+    regex: /^\s*(ansible\.builtin\.)?(shell|command)\s*:/gm,
+    remediation: "Add creates/removes or use an idempotent module so repeated runs stay safe and predictable.",
+    suggestion: "Treat shell and command tasks as exceptions and make their side effects explicit with creates/removes guards.",
+    whyItMatters: "Command-style Ansible tasks are more likely to be non-idempotent and can drift or repeat unsafe actions.",
+    standards: ["Ansible Review"],
+    includeExtensions: [".yml", ".yaml"],
+    includeFrameworks: ["ansible"],
+    includePathPatterns: ANSIBLE_PATH_PATTERNS
+  },
+  {
+    id: "ansible-plaintext-secret",
+    title: "Ansible playbook may define plaintext secret material",
+    severity: "high",
+    confidence: "medium",
+    category: "Secrets",
+    subcategory: "Credential Exposure",
+    reviewDomain: "security",
+    regex: /^\s*(password|passwd|token|secret|api[_-]?key|vault_password)\s*:\s*["']?[^"'!\n][^#\n]{7,}$/gmi,
+    remediation: "Move secrets to Ansible Vault, environment-backed injection, or a proper secret manager and rotate exposed values.",
+    suggestion: "Keep secret values out of playbook YAML and reference them through vault, vars files, or secret lookups instead.",
+    whyItMatters: "Plaintext secrets in playbooks are easy to leak through source control and automation logs.",
+    standards: ["CWE-798", "Ansible Review"],
+    includeExtensions: [".yml", ".yaml"],
+    includeFrameworks: ["ansible"],
+    includePathPatterns: ANSIBLE_PATH_PATTERNS
+  },
+  {
+    id: "ansible-become-true",
+    title: "Ansible playbook uses privilege escalation",
+    severity: "medium",
+    confidence: "low",
+    category: "Configuration",
+    subcategory: "Privilege Escalation",
+    reviewDomain: "security",
+    regex: /^\s*become\s*:\s*(true|yes)\b/gmi,
+    remediation: "Review whether privilege escalation is necessary for the task and scope it as narrowly as possible.",
+    suggestion: "Use become only on the tasks that need it and document the elevated action being performed.",
+    whyItMatters: "Broad privilege escalation can make automation mistakes more damaging and widen the blast radius of compromise.",
+    standards: ["Ansible Review"],
+    includeExtensions: [".yml", ".yaml"],
+    includeFrameworks: ["ansible"],
+    includePathPatterns: ANSIBLE_PATH_PATTERNS
+  },
+  {
+    id: "ansible-open-permissions",
+    title: "Ansible playbook may set open file permissions",
+    severity: "high",
+    confidence: "high",
+    category: "Configuration",
+    subcategory: "Permissions",
+    reviewDomain: "security",
+    regex: /^\s*mode\s*:\s*["']?(0777|0666|777|666)["']?/gmi,
+    remediation: "Use least-privilege file modes and avoid world-writable permissions in managed resources.",
+    suggestion: "Set explicit restrictive modes that match the intended owner and access requirements.",
+    whyItMatters: "Open file permissions make configuration drift and unauthorized tampering easier on shared systems.",
+    standards: ["CWE-732", "Ansible Review"],
+    includeExtensions: [".yml", ".yaml"],
+    includeFrameworks: ["ansible"],
+    includePathPatterns: ANSIBLE_PATH_PATTERNS
+  },
+  {
+    id: "ansible-external-download",
+    title: "Ansible playbook downloads external content",
+    severity: "medium",
+    confidence: "medium",
+    category: "Configuration",
+    subcategory: "External Download",
+    reviewDomain: "security",
+    regex: /^\s*(ansible\.builtin\.)?(get_url|uri)\s*:/gmi,
+    remediation: "Validate remote sources, pin checksums where possible, and avoid executing downloaded artifacts without review.",
+    suggestion: "Treat downloaded artifacts as supply-chain inputs and require integrity verification before use.",
+    whyItMatters: "External downloads in automation can introduce supply-chain and remote content trust risks.",
+    standards: ["CWE-494", "Ansible Review"],
+    includeExtensions: [".yml", ".yaml"],
+    includeFrameworks: ["ansible"],
+    includePathPatterns: ANSIBLE_PATH_PATTERNS
+  },
+  {
+    id: "ansible-no-checksum",
+    title: "Ansible get_url task may be missing checksum validation",
+    severity: "medium",
+    confidence: "low",
+    category: "Configuration",
+    subcategory: "Integrity Validation",
+    reviewDomain: "security",
+    regex: /^\s*(ansible\.builtin\.)?get_url\s*:/gmi,
+    remediation: "Add checksum validation for downloaded artifacts where the source and workflow support it.",
+    suggestion: "Use checksums or signed artifacts so automation can verify integrity before using downloaded content.",
+    whyItMatters: "Downloaded artifacts without integrity checks are more vulnerable to tampering and mirror compromise.",
+    standards: ["CWE-494", "Ansible Review"],
+    includeExtensions: [".yml", ".yaml"],
+    includeFrameworks: ["ansible"],
+    includePathPatterns: ANSIBLE_PATH_PATTERNS
+  },
+  {
+    id: "ansible-validate-certs-disabled",
+    title: "Ansible task disables TLS certificate validation",
+    severity: "high",
+    confidence: "high",
+    category: "Configuration",
+    subcategory: "TLS Validation",
+    reviewDomain: "security",
+    regex: /^\s*validate_certs\s*:\s*(false|no)\b/gmi,
+    remediation: "Keep TLS validation enabled and fix trust-chain issues instead of suppressing certificate checks.",
+    suggestion: "Use trusted certificates or a managed CA bundle rather than disabling transport verification.",
+    whyItMatters: "Disabling TLS validation makes automation vulnerable to tampering and man-in-the-middle attacks.",
+    standards: ["CWE-295", "Ansible Review"],
+    includeExtensions: [".yml", ".yaml"],
+    includeFrameworks: ["ansible"],
+    includePathPatterns: ANSIBLE_PATH_PATTERNS
   }
 ];
 

package/src/scanners/static-scan.js

@@ -38,9 +38,14 @@ const ALLOWED_EXTENSIONS = new Set([
   ".toml",
   ".tf",
   ".sh",
+  ".bash",
+  ".zsh",
+  ".ksh",
   ".env",
   ".properties",
-  ".xml"
+  ".xml",
+  ".cfg",
+  ".conf"
 ]);
 
 const LOCKFILE_NAMES = new Set([
@@ -59,6 +64,18 @@ const ENV_LIKE_NAMES = new Set([
   ".env.test"
 ]);
 
+const SPECIAL_SINGLE_FILE_NAMES = new Set([
+  "Dockerfile",
+  "docker-compose.yml",
+  "docker-compose.yaml",
+  "CMakeLists.txt",
+  "Makefile",
+  "swagger.yaml",
+  "swagger.yml",
+  "swagger.json",
+  "ansible.cfg"
+]);
+
 const ENV_ALLOWED_RULES = new Set([
   "hardcoded-secret",
   "aws-access-key",
@@ -152,15 +169,38 @@ async function scanFileAtPath(filePath, options = {}) {
     maxFiles: options.maxFiles || 400
   });
 
-  if (!shouldAnalyzeFile(filePath)) {
+  if (!shouldAnalyzeSingleFile(filePath)) {
     return [];
   }
 
-  return dedupeFindings(scanContent(filePath, content, workspaceRoot, {
+  const ext = path.extname(filePath).toLowerCase();
+  const relativePath = path.relative(workspaceRoot, filePath).split(path.sep).join("/");
+  const fileRecord = {
+    fsPath: filePath,
+    relativePath,
+    baseName: path.basename(filePath),
+    ext,
+    content
+  };
+
+  const contentFindings = scanContent(filePath, content, workspaceRoot, {
     languages: workspaceProfile.languages,
     frameworks: workspaceProfile.frameworks,
     isSecureReviewWorkspace: workspaceProfile.isSecureReviewWorkspace
-  }));
+  });
+  const repoFindings = analyzeRepository([fileRecord], workspaceRoot);
+
+  return dedupeFindings([...contentFindings, ...repoFindings]);
+}
+
+function shouldAnalyzeSingleFile(filePath) {
+  const baseName = path.basename(filePath);
+  if (LOCKFILE_NAMES.has(baseName) || ENV_LIKE_NAMES.has(baseName) || SPECIAL_SINGLE_FILE_NAMES.has(baseName)) {
+    return true;
+  }
+
+  const ext = path.extname(filePath).toLowerCase();
+  return ALLOWED_EXTENSIONS.has(ext);
 }
 
 function scanProfile(workspaceProfile, config) {

package/src/scanners/tool-integrations.js

@@ -85,6 +85,18 @@ function createScannerRegistry(config, workspaceProfile) {
       applies: () => hasLanguage(workspaceProfile, ["c", "cpp"]),
       run: () => runCppcheck(workspaceProfile, config)
     },
+    {
+      id: "shellcheck",
+      enabled: config.get("enableShellcheck", true),
+      applies: () => hasLanguage(workspaceProfile, ["shell"]),
+      run: () => runShellcheck(workspaceProfile, config)
+    },
+    {
+      id: "ansible-lint",
+      enabled: config.get("enableAnsibleLint", true),
+      applies: () => hasFramework(workspaceProfile, ["ansible"]),
+      run: () => runAnsibleLint(workspaceProfile, config)
+    },
     {
       id: "dotnet-vuln",
       enabled: config.get("enableDotnetVuln", true),
@@ -715,6 +727,96 @@ async function runCppcheck(workspaceProfile, config) {
   });
 }
 
+async function runShellcheck(workspaceProfile, config) {
+  const shellFiles = workspaceProfile.files.filter((file) =>
+    [".sh", ".bash", ".zsh", ".ksh"].includes(file.ext)
+    || looksLikeShellScript(file)
+  );
+
+  if (!shellFiles.length) {
+    return [];
+  }
+
+  const args = ["--format=json1", ...shellFiles.map((file) => file.relativePath)];
+  const result = await execFileAsync("shellcheck", args, scannerOptions(workspaceProfile, config));
+
+  if (result.error && !result.stdout) {
+    throw result.error;
+  }
+
+  const payload = parseJson(result.stdout);
+  const comments = payload.comments || [];
+  return comments.map((item) => normalizeStaticFinding({
+    workspaceRoot: workspaceProfile.workspaceRoot,
+    tool: "shellcheck",
+    title: item.message || `ShellCheck ${item.code || "finding"}`,
+    severity: mapShellcheckLevel(item.level),
+    confidence: "medium",
+    category: mapShellcheckCategory(item.code),
+    subcategory: "ShellCheck",
+    reviewDomain: mapShellcheckReviewDomain(item.code),
+    relativePath: relativize(workspaceProfile.workspaceRoot, item.file),
+    line: item.line || 1,
+    column: item.column || 1,
+    code: item.code ? `SC${item.code}` : "shellcheck",
+    message: item.message || "ShellCheck finding",
+    evidence: item.fix?.replacements?.[0]?.replacement || "",
+    remediation: "Review the shell script for quoting, expansion, and command-safety issues and apply the ShellCheck guidance.",
+    suggestion: "Treat shell script findings in automation and deployment paths as production-impacting until reviewed.",
+    whyItMatters: "Shell scripts are especially sensitive to quoting, expansion, and command-construction mistakes that can become security or reliability issues.",
+    standards: ["ShellCheck"]
+  }));
+}
+
+async function runAnsibleLint(workspaceProfile, config) {
+  const targetFiles = workspaceProfile.files
+    .filter((file) => isLikelyAnsibleFile(file))
+    .map((file) => file.relativePath);
+
+  if (!targetFiles.length) {
+    return [];
+  }
+
+  const result = await execFileAsync("ansible-lint", ["-f", "json", ...targetFiles], scannerOptions(workspaceProfile, config));
+
+  if (result.error && !result.stdout) {
+    throw result.error;
+  }
+
+  const payload = parseJson(result.stdout);
+  const items = Array.isArray(payload) ? payload : payload.issues || payload.results || [];
+
+  return items.map((item) => {
+    const location = item.location || {};
+    const begin = location.positions?.begin || {};
+    const rule = item.rule || {};
+    const ruleId = item.rule?.id || item.check_name || item.tag || "ansible-lint";
+    const severity = mapAnsibleLintSeverity(item.severity || item.level || rule.severity || ruleId);
+    const message = item.description || item.message || item.name || rule.shortdesc || rule.description || ruleId;
+
+    return normalizeStaticFinding({
+      workspaceRoot: workspaceProfile.workspaceRoot,
+      tool: "ansible-lint",
+      title: message,
+      severity,
+      confidence: severity === "high" ? "high" : "medium",
+      category: "Configuration",
+      subcategory: "Ansible",
+      reviewDomain: /(security|risky|yaml|command-shell|latest|no-changed-when|package-latest|risky-file-permissions)/i.test(ruleId) ? "security" : "code-quality",
+      relativePath: relativize(workspaceProfile.workspaceRoot, location.path || item.path || item.filename || ""),
+      line: begin.line || item.line || 1,
+      column: begin.column || item.column || 1,
+      code: ruleId,
+      message,
+      evidence: item.details || item.url || rule.description || "",
+      remediation: "Review the playbook task and replace the risky or non-idiomatic pattern with an Ansible-safe equivalent.",
+      suggestion: "Prefer explicit modules, validated downloads, secure permissions, and idempotent task design in playbooks.",
+      whyItMatters: "Ansible automation can introduce security and operational risk when shell execution, permissions, downloads, or error handling are unsafe.",
+      standards: ["ansible-lint"]
+    });
+  });
+}
+
 async function runDotnetVulnerabilityCheck(workspaceProfile, config) {
   const target = findExistingPath(workspaceProfile.workspaceRoot, listDotnetScanCandidates(workspaceProfile.workspaceRoot));
   if (!target) {
@@ -838,6 +940,14 @@ function deriveScannerFindingQuality(input) {
     };
   }
 
+  if (["shellcheck", "ansible-lint"].includes(tool)) {
+    return {
+      findingType: reviewDomain === "security" ? "contextual-warning" : "recommendation",
+      evidenceStrength: "medium",
+      manualReviewRecommended: true
+    };
+  }
+
   return {
     findingType: reviewDomain === "dependency-risk" ? "dependency-risk" : "recommendation",
     evidenceStrength: "medium",
@@ -972,6 +1082,71 @@ function mapBrakemanConfidence(value) {
   return "low";
 }
 
+function mapShellcheckLevel(value) {
+  const normalized = String(value || "").toLowerCase();
+  if (normalized === "error") {
+    return "high";
+  }
+  if (normalized === "warning") {
+    return "medium";
+  }
+  return "low";
+}
+
+function mapShellcheckReviewDomain(code) {
+  const numeric = Number(code || 0);
+  if ([2086, 2046, 2090, 2091, 2164, 2155, 2115].includes(numeric)) {
+    return "security";
+  }
+  return "reliability";
+}
+
+function mapShellcheckCategory(code) {
+  return mapShellcheckReviewDomain(code) === "security" ? "Security" : "Reliability";
+}
+
+function mapAnsibleLintSeverity(value) {
+  const normalized = String(value || "").toLowerCase();
+  if (/(error|high|critical|risky|syntax-check)/.test(normalized)) {
+    return "high";
+  }
+  if (/(warn|medium|major)/.test(normalized)) {
+    return "medium";
+  }
+  return "low";
+}
+
+function looksLikeShellScript(file) {
+  if (!file || !file.content) {
+    return false;
+  }
+
+  const baseName = path.basename(file.relativePath || file.fsPath || "");
+  return !path.extname(baseName) && /^#!.*\b(bash|sh|zsh|ksh)\b/m.test(file.content);
+}
+
+function isLikelyAnsibleFile(file) {
+  if (!file || ![".yml", ".yaml"].includes(file.ext)) {
+    return false;
+  }
+
+  const normalizedPath = String(file.relativePath || "").toLowerCase();
+  if (/(^|\/)(playbooks?|roles|tasks|handlers|group_vars|host_vars)\//.test(normalizedPath)) {
+    return true;
+  }
+
+  if (/(^|\/)(site|playbook|deploy|provision)\.ya?ml$/.test(normalizedPath)) {
+    return true;
+  }
+
+  const lower = String(file.content || "").toLowerCase();
+  return (
+    /(^|\n)\s*hosts\s*:\s*.+/m.test(lower)
+      && /(^|\n)\s*(tasks|handlers)\s*:/m.test(lower)
+  ) || /ansible\.builtin\./.test(lower)
+    || /(^|\n)\s*become\s*:\s*(true|yes)\b/m.test(lower);
+}
+
 module.exports = {
   runRegisteredScanners,
   createScannerRegistry

package/src/scanners/workspace-profile.js

@@ -36,7 +36,12 @@ const LANGUAGE_BY_EXTENSION = new Map([
   [".xml", "config"],
   [".tf", "config"],
   [".properties", "config"],
-  [".sh", "shell"]
+  [".sh", "shell"],
+  [".bash", "shell"],
+  [".zsh", "shell"],
+  [".ksh", "shell"],
+  [".cfg", "config"],
+  [".conf", "config"]
 ]);
 
 const SPECIAL_FILENAMES = new Set([
@@ -63,7 +68,8 @@ const SPECIAL_FILENAMES = new Set([
   "Gemfile",
   "CMakeLists.txt",
   "Makefile",
-  "global.json"
+  "global.json",
+  "ansible.cfg"
 ]);
 
 const DEFAULT_EXCLUDE_GLOBS = [
@@ -303,6 +309,9 @@ function detectFrameworks(files) {
 
   for (const file of files) {
     const lower = file.content.toLowerCase();
+    if (file.baseName === "ansible.cfg") {
+      frameworks.add("ansible");
+    }
     if (file.baseName === "requirements.txt" || file.baseName === "pyproject.toml") {
       addIfText(frameworks, lower, "django", "django");
       addIfText(frameworks, lower, "flask", "flask");
@@ -322,6 +331,9 @@ function detectFrameworks(files) {
       addIfText(frameworks, lower, "rocket", "rocket");
       addIfText(frameworks, lower, "axum", "axum");
     }
+    if (looksLikeAnsibleFile(file)) {
+      frameworks.add("ansible");
+    }
   }
 
   return frameworks;
@@ -384,6 +396,28 @@ function addIfText(frameworks, haystack, needle, frameworkName) {
   }
 }
 
+function looksLikeAnsibleFile(file) {
+  if (![".yml", ".yaml"].includes(file.ext)) {
+    return false;
+  }
+
+  const normalizedPath = file.relativePath.toLowerCase();
+  if (/(^|\/)(playbooks?|roles|tasks|handlers|group_vars|host_vars)\//.test(normalizedPath)) {
+    return true;
+  }
+
+  if (/\/(site|playbook|deploy|provision)\.ya?ml$/.test(normalizedPath) || /(^|\/)(site|playbook|deploy|provision)\.ya?ml$/.test(normalizedPath)) {
+    return true;
+  }
+
+  const lower = file.content.toLowerCase();
+  return (
+    /(^|\n)\s*hosts\s*:\s*.+/m.test(lower)
+      && /(^|\n)\s*(tasks|handlers)\s*:/m.test(lower)
+  ) || /ansible\.builtin\./.test(lower)
+    || /(^|\n)\s*become\s*:\s*(true|yes)\b/m.test(lower);
+}
+
 async function readText(filePath) {
   try {
     return await fs.readFile(filePath, "utf8");