ship-safe 4.2.0 → 4.3.0

package/README.md

@@ -9,13 +9,14 @@
   <a href="https://github.com/asamassekou10/ship-safe/actions/workflows/ci.yml"><img src="https://github.com/asamassekou10/ship-safe/actions/workflows/ci.yml/badge.svg" alt="CI" /></a>
   <a href="https://nodejs.org"><img src="https://img.shields.io/node/v/ship-safe" alt="Node.js version" /></a>
   <a href="https://opensource.org/licenses/MIT"><img src="https://img.shields.io/badge/License-MIT-yellow.svg" alt="License: MIT" /></a>
+  <a href="https://github.com/asamassekou10/ship-safe/stargazers"><img src="https://img.shields.io/github/stars/asamassekou10/ship-safe?style=social" alt="GitHub stars" /></a>
 </p>
 
 ---
 
-12 security agents. 50+ attack classes. One command.
+13 security agents. 50+ attack classes. One command.
 
-**Ship Safe v4.0** is an AI-powered security platform that runs 12 specialized agents against your codebase — scanning for secrets, injection vulnerabilities, auth bypass, SSRF, supply chain attacks, Docker/Terraform misconfigs, CI/CD pipeline poisoning, LLM security issues, and more. It produces a prioritized remediation plan so you know exactly what to fix first.
+**Ship Safe v4.3** is an AI-powered security platform that runs 13 specialized agents in parallel against your codebase — scanning for secrets, injection vulnerabilities, auth bypass, SSRF, supply chain attacks, Supabase RLS misconfigs, Docker/Terraform/Kubernetes misconfigs, CI/CD pipeline poisoning, LLM security issues, and more. Context-aware confidence tuning reduces false positives by up to 70%. Baseline support lets teams adopt incrementally — accept existing debt, focus on not making it worse.
 
 ---
 
@@ -33,6 +34,13 @@ npx ship-safe scan .
 
 # Security health score (0-100)
 npx ship-safe score .
+
+# Accept current findings, only report regressions
+npx ship-safe baseline .
+npx ship-safe audit . --baseline
+
+# Environment diagnostics
+npx ship-safe doctor
 ```
 
 ![ship-safe terminal demo](.github/assets/ship%20safe%20terminal.jpg)
@@ -49,11 +57,11 @@ npx ship-safe audit .
 
 ```
 ════════════════════════════════════════════════════════════
-  Ship Safe v4.0 — Full Security Audit
+  Ship Safe v4.3 — Full Security Audit
 ════════════════════════════════════════════════════════════
 
   [Phase 1/4] Scanning for secrets...         ✔ 49 found
-  [Phase 2/4] Running 12 security agents...   ✔ 103 findings
+  [Phase 2/4] Running 13 security agents...   ✔ 103 findings
   [Phase 3/4] Auditing dependencies...        ✔ 44 CVEs
   [Phase 4/4] Computing security score...     ✔ 25/100 F
 
@@ -80,36 +88,44 @@ npx ship-safe audit .
 
 **What it runs:**
 1. **Secret scan** — 50+ patterns with entropy scoring (API keys, passwords, tokens)
-2. **12 security agents** — injection, auth, SSRF, supply chain, config, LLM, mobile, git history, CI/CD, API
+2. **13 security agents** — run in parallel with per-agent timeouts (injection, auth, SSRF, supply chain, config, Supabase RLS, LLM, mobile, git history, CI/CD, API)
 3. **Dependency audit** — npm/pip/bundler CVE scanning
-4. **Score computation** — 8-category weighted scoring (0-100, A-F)
-5. **Remediation plan** — prioritized fix list grouped by severity
-6. **HTML report** — standalone dark-themed report with table of contents
+4. **Score computation** — confidence-weighted scoring across 8 categories (0-100, A-F)
+5. **Context-aware confidence tuning** — downgrades findings in test files, docs, and comments
+6. **Remediation plan** — prioritized fix list grouped by severity
+7. **HTML report** — standalone dark-themed report with code context
 
 **Flags:**
 - `--json` — structured JSON output (clean for piping)
 - `--sarif` — SARIF format for GitHub Code Scanning
+- `--csv` — CSV export for spreadsheets
+- `--md` — Markdown report
 - `--html [file]` — custom HTML report path (default: `ship-safe-report.html`)
+- `--compare` — show per-category score delta vs. last scan
+- `--timeout <ms>` — per-agent timeout (default: 30s)
 - `--no-deps` — skip dependency audit
 - `--no-ai` — skip AI classification
 - `--no-cache` — force full rescan (ignore cached results)
+- `--baseline` — only show findings not in the baseline
+- `--pdf [file]` — generate PDF report (requires Chrome/Chromium)
 
 ---
 
-## 12 Security Agents
+## 13 Security Agents
 
 | Agent | Category | What It Detects |
 |-------|----------|-----------------|
-| **InjectionTester** | Code Vulns | SQL/NoSQL injection, command injection, code injection (eval), XSS, path traversal, XXE, ReDoS, prototype pollution |
-| **AuthBypassAgent** | Auth | JWT vulnerabilities (alg:none, weak secrets), cookie security, CSRF, OAuth misconfig, BOLA/IDOR, weak crypto, timing attacks, TLS bypass |
+| **InjectionTester** | Code Vulns | SQL/NoSQL injection, command injection, code injection (eval), XSS, path traversal, XXE, ReDoS, prototype pollution, Python f-string SQL injection, Python subprocess shell injection |
+| **AuthBypassAgent** | Auth | JWT vulnerabilities (alg:none, weak secrets), cookie security, CSRF, OAuth misconfig, BOLA/IDOR, weak crypto, timing attacks, TLS bypass, Django `DEBUG = True`, Flask hardcoded secret keys |
 | **SSRFProber** | SSRF | User input in fetch/axios, cloud metadata endpoints, internal IPs, redirect following |
-| **SupplyChainAudit** | Supply Chain | Typosquatting (Levenshtein distance), git/URL dependencies, wildcard versions, suspicious install scripts |
-| **ConfigAuditor** | Config | Dockerfile (running as root, :latest tags), Terraform (public S3, open SG), Kubernetes (privileged containers), CORS, CSP, Firebase, Nginx |
+| **SupplyChainAudit** | Supply Chain | Typosquatting (Levenshtein distance), git/URL dependencies, wildcard versions, suspicious install scripts, dependency confusion, scoped packages without registry pinning |
+| **ConfigAuditor** | Config | Dockerfile (running as root, :latest tags), Terraform (public S3/RDS, open SG, CloudFront HTTP, Lambda admin, S3 no versioning), Kubernetes (privileged containers, `:latest` tags, missing NetworkPolicy), CORS, CSP, Firebase, Nginx |
+| **SupabaseRLSAgent** | Auth | Supabase Row Level Security — `service_role` key in client code, `CREATE TABLE` without RLS, anon key inserts, unprotected storage operations |
 | **LLMRedTeam** | AI/LLM | OWASP LLM Top 10 — prompt injection, excessive agency, system prompt leakage, unbounded consumption, RAG poisoning |
 | **MobileScanner** | Mobile | OWASP Mobile Top 10 2024 — insecure storage, WebView JS injection, HTTP endpoints, excessive permissions, debug mode |
 | **GitHistoryScanner** | Secrets | Leaked secrets in git commit history (checks if still active in working tree) |
 | **CICDScanner** | CI/CD | OWASP CI/CD Top 10 — pipeline poisoning, unpinned actions, secret logging, self-hosted runners, script injection |
-| **APIFuzzer** | API | Routes without auth, missing input validation, mass assignment, unrestricted file upload, GraphQL introspection, debug endpoints |
+| **APIFuzzer** | API | Routes without auth, missing input validation, mass assignment, unrestricted file upload, GraphQL introspection, debug endpoints, missing rate limiting, OpenAPI spec security issues |
 | **ReconAgent** | Recon | Attack surface discovery — frameworks, languages, auth patterns, databases, cloud providers, IaC, CI/CD pipelines |
 | **ScoringEngine** | Scoring | 8-category weighted scoring with trend tracking |
 
@@ -123,7 +139,7 @@ npx ship-safe audit .
 # Full audit with remediation plan + HTML report
 npx ship-safe audit .
 
-# Red team: 12 agents, 50+ attack classes
+# Red team: 13 agents, 50+ attack classes
 npx ship-safe red-team .
 npx ship-safe red-team . --agents injection,auth    # Run specific agents
 npx ship-safe red-team . --html report.html         # HTML report
@@ -150,11 +166,35 @@ npx ship-safe agent .
 
 # Auto-fix hardcoded secrets: rewrite code + write .env
 npx ship-safe remediate .
+npx ship-safe remediate . --all    # Also fix agent findings (TLS, debug, XSS, etc.)
 
 # Revoke exposed keys — opens provider dashboards
 npx ship-safe rotate .
 ```
 
+### Baseline Management
+
+```bash
+# Accept current findings as baseline
+npx ship-safe baseline .
+
+# Audit showing only new findings since baseline
+npx ship-safe audit . --baseline
+
+# Show what changed since baseline
+npx ship-safe baseline --diff
+
+# Remove baseline
+npx ship-safe baseline --clear
+```
+
+### Diagnostics
+
+```bash
+# Environment check — Node.js, git, npm, API keys, cache, version
+npx ship-safe doctor
+```
+
 ### Infrastructure Commands
 
 ```bash
@@ -214,6 +254,10 @@ Ship Safe caches file hashes and findings in `.ship-safe/context.json`. On subse
 
 The cache is stored in `.ship-safe/` which is automatically excluded from scans.
 
+### LLM Response Caching
+
+When using AI classification (`--no-ai` to disable), results are cached in `.ship-safe/llm-cache.json` with a 7-day TTL. Repeated scans reuse cached classifications — reducing API costs significantly.
+
 ---
 
 ## Smart `.gitignore` Handling
@@ -247,7 +291,7 @@ Auto-detected from environment variables. No API key required for scanning — A
 
 ## Scoring System
 
-Starts at 100. Each finding deducts points by severity and category.
+Starts at 100. Each finding deducts points by severity and category, weighted by confidence level (high: 100%, medium: 60%, low: 30%) to reduce noise from heuristic patterns.
 
 **8 Categories** (with weight caps):
 
@@ -306,6 +350,9 @@ jobs:
       - name: Full security audit
         run: npx ship-safe audit . --no-ai --json
 
+      - name: Score delta vs. last scan
+        run: npx ship-safe audit . --no-ai --compare
+
       - name: Upload SARIF to GitHub Security tab
         run: npx ship-safe audit . --no-ai --sarif > results.sarif
 
@@ -314,6 +361,8 @@ jobs:
           sarif_file: results.sarif
 ```
 
+**Export formats:** `--json`, `--sarif`, `--csv`, `--md`, `--html`, `--pdf`
+
 ---
 
 ## Suppress False Positives

package/cli/__tests__/agents.test.js

@@ -493,4 +493,230 @@ describe('Orchestrator', async () => {
     const deduped = orchestrator.deduplicate(findings);
     assert.equal(deduped.length, 2);
   });
+
+  it('tunes confidence for test files', () => {
+    const orchestrator = new Orchestrator();
+    const findings = [
+      { file: '/project/__tests__/foo.test.js', line: 1, rule: 'R1', severity: 'high', confidence: 'high', matched: 'eval(x)' },
+      { file: '/project/src/app.js', line: 1, rule: 'R2', severity: 'high', confidence: 'high', matched: 'eval(x)' },
+    ];
+    const tuned = orchestrator.tuneConfidence(findings);
+    assert.equal(tuned[0].confidence, 'low');  // test file → low
+    assert.equal(tuned[1].confidence, 'high'); // src file → unchanged
+  });
+
+  it('tunes confidence for doc files', () => {
+    const orchestrator = new Orchestrator();
+    const findings = [
+      { file: '/project/README.md', line: 5, rule: 'R1', severity: 'high', confidence: 'high', matched: 'password = "test"' },
+    ];
+    const tuned = orchestrator.tuneConfidence(findings);
+    assert.equal(tuned[0].confidence, 'low');
+  });
+
+  it('tunes confidence for example paths', () => {
+    const orchestrator = new Orchestrator();
+    const findings = [
+      { file: '/project/examples/demo.js', line: 1, rule: 'R1', severity: 'high', confidence: 'high', matched: 'eval(x)' },
+    ];
+    const tuned = orchestrator.tuneConfidence(findings);
+    assert.equal(tuned[0].confidence, 'medium');
+  });
+});
+
+// =============================================================================
+// SUPABASE RLS AGENT
+// =============================================================================
+
+describe('SupabaseRLSAgent', () => {
+  it('detects service_role key in client code', async () => {
+    const { SupabaseRLSAgent } = await import('../agents/supabase-rls-agent.js');
+    const agent = new SupabaseRLSAgent();
+    const { dir, file } = writeTempFile(`const supabase = createClient(url, SUPABASE_SERVICE_ROLE_KEY);`);
+    try {
+      const findings = agent.scanFileWithPatterns(file, [
+        { rule: 'SUPABASE_SERVICE_KEY_CLIENT', regex: /SUPABASE_SERVICE_ROLE_KEY|service_role_key|serviceRoleKey|supabaseAdmin/g, severity: 'critical', title: 'test', description: 'test' }
+      ]);
+      assert.ok(findings.some(f => f.rule === 'SUPABASE_SERVICE_KEY_CLIENT'));
+    } finally { cleanup(dir); }
+  });
+
+  it('detects missing RLS on table', async () => {
+    const { SupabaseRLSAgent } = await import('../agents/supabase-rls-agent.js');
+    const agent = new SupabaseRLSAgent();
+
+    const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'shipsafe-rls-'));
+    const sqlFile = path.join(dir, 'migration.sql');
+    fs.writeFileSync(sqlFile, `CREATE TABLE users (id uuid PRIMARY KEY, name text);\nCREATE TABLE posts (id uuid PRIMARY KEY);`);
+    const jsFile = path.join(dir, 'app.js');
+    fs.writeFileSync(jsFile, 'const x = 1;');
+
+    try {
+      const findings = await agent.analyze({
+        rootPath: dir,
+        files: [sqlFile, jsFile],
+        recon: {},
+        options: {},
+      });
+      // Should flag both tables as missing RLS
+      const rlsFindings = findings.filter(f => f.rule === 'SUPABASE_NO_RLS_POLICY');
+      assert.ok(rlsFindings.length >= 2, `Expected >=2 RLS findings, got ${rlsFindings.length}`);
+    } finally { cleanup(dir); }
+  });
+
+  it('does not flag tables with RLS enabled', async () => {
+    const { SupabaseRLSAgent } = await import('../agents/supabase-rls-agent.js');
+    const agent = new SupabaseRLSAgent();
+
+    const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'shipsafe-rls2-'));
+    const sqlFile = path.join(dir, 'migration.sql');
+    fs.writeFileSync(sqlFile, `CREATE TABLE users (id uuid PRIMARY KEY);\nALTER TABLE users ENABLE ROW LEVEL SECURITY;`);
+
+    try {
+      const findings = await agent.analyze({
+        rootPath: dir,
+        files: [sqlFile],
+        recon: {},
+        options: {},
+      });
+      const rlsFindings = findings.filter(f => f.rule === 'SUPABASE_NO_RLS_POLICY');
+      assert.equal(rlsFindings.length, 0);
+    } finally { cleanup(dir); }
+  });
+});
+
+// =============================================================================
+// CONFIG AUDITOR — NEW TERRAFORM/K8S PATTERNS
+// =============================================================================
+
+describe('ConfigAuditor (v4.3 patterns)', () => {
+  it('detects publicly accessible RDS', async () => {
+    const { ConfigAuditor } = await import('../agents/config-auditor.js');
+    const agent = new ConfigAuditor();
+    const { dir, file } = writeTempFile(`resource "aws_db_instance" "main" {\n  publicly_accessible = true\n}`, '.tf');
+    try {
+      const findings = await agent.analyze({ rootPath: dir, files: [file], recon: {}, options: {} });
+      assert.ok(findings.some(f => f.rule === 'TERRAFORM_RDS_PUBLIC'));
+    } finally { cleanup(dir); }
+  });
+
+  it('detects CloudFront allowing HTTP', async () => {
+    const { ConfigAuditor } = await import('../agents/config-auditor.js');
+    const agent = new ConfigAuditor();
+    const { dir, file } = writeTempFile(`viewer_protocol_policy = "allow-all"`, '.tf');
+    try {
+      const findings = await agent.analyze({ rootPath: dir, files: [file], recon: {}, options: {} });
+      assert.ok(findings.some(f => f.rule === 'TERRAFORM_CLOUDFRONT_HTTP'));
+    } finally { cleanup(dir); }
+  });
+
+  it('detects K8s :latest image tag', async () => {
+    const { ConfigAuditor } = await import('../agents/config-auditor.js');
+    const agent = new ConfigAuditor();
+    const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'shipsafe-k8s-'));
+    const k8sDir = path.join(dir, 'k8s');
+    fs.mkdirSync(k8sDir);
+    const file = path.join(k8sDir, 'deployment.yaml');
+    fs.writeFileSync(file, `kind: Deployment\nspec:\n  containers:\n  - image: nginx:latest`);
+    try {
+      const findings = await agent.analyze({ rootPath: dir, files: [file], recon: {}, options: {} });
+      assert.ok(findings.some(f => f.rule === 'K8S_LATEST_IMAGE'));
+    } finally { cleanup(dir); }
+  });
+});
+
+// =============================================================================
+// API FUZZER — RATE LIMITING & OPENAPI
+// =============================================================================
+
+describe('APIFuzzer (v4.3 patterns)', () => {
+  it('detects missing rate limiting in Express app', async () => {
+    const { APIFuzzer } = await import('../agents/api-fuzzer.js');
+    const agent = new APIFuzzer();
+
+    const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'shipsafe-api-'));
+    const file = path.join(dir, 'app.js');
+    fs.writeFileSync(file, `import express from 'express';\nconst app = express();\napp.listen(3000);`);
+
+    try {
+      const findings = await agent.analyze({ rootPath: dir, files: [file], recon: {}, options: {} });
+      assert.ok(findings.some(f => f.rule === 'API_NO_RATE_LIMIT'));
+    } finally { cleanup(dir); }
+  });
+
+  it('does not flag when rate limiter is present', async () => {
+    const { APIFuzzer } = await import('../agents/api-fuzzer.js');
+    const agent = new APIFuzzer();
+
+    const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'shipsafe-api2-'));
+    const file = path.join(dir, 'app.js');
+    fs.writeFileSync(file, `import express from 'express';\nimport rateLimit from 'express-rate-limit';\nconst app = express();\napp.listen(3000);`);
+
+    try {
+      const findings = await agent.analyze({ rootPath: dir, files: [file], recon: {}, options: {} });
+      assert.ok(!findings.some(f => f.rule === 'API_NO_RATE_LIMIT'));
+    } finally { cleanup(dir); }
+  });
+
+  it('detects secrets in OpenAPI examples', async () => {
+    const { APIFuzzer } = await import('../agents/api-fuzzer.js');
+    const agent = new APIFuzzer();
+
+    const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'shipsafe-oas-'));
+    const file = path.join(dir, 'openapi.yaml');
+    fs.writeFileSync(file, `openapi: 3.0.0\npaths:\n  /users:\n    get:\n      parameters:\n        - name: token\n          example: sk-proj-abc123xyz`);
+
+    try {
+      const findings = await agent.analyze({ rootPath: dir, files: [file], recon: {}, options: {} });
+      assert.ok(findings.some(f => f.rule === 'OPENAPI_EXAMPLE_SECRETS' || f.rule === 'OPENAPI_NO_SECURITY'));
+    } finally { cleanup(dir); }
+  });
+});
+
+// =============================================================================
+// AUTOFIX RULES
+// =============================================================================
+
+describe('Autofix Rules', () => {
+  it('fixes rejectUnauthorized: false', async () => {
+    const { applyAutofix } = await import('../utils/autofix-rules.js');
+    const line = '  rejectUnauthorized: false,';
+    const fixed = applyAutofix('TLS_REJECT_UNAUTHORIZED', line);
+    assert.ok(fixed.includes('rejectUnauthorized: true'));
+    assert.ok(!fixed.includes('false'));
+  });
+
+  it('fixes DEBUG = true', async () => {
+    const { applyAutofix } = await import('../utils/autofix-rules.js');
+    assert.ok(applyAutofix('DEBUG_MODE_PRODUCTION', 'DEBUG = true').includes('false'));
+    assert.ok(applyAutofix('DEBUG_MODE_PRODUCTION', 'DEBUG = True').includes('False'));
+  });
+
+  it('fixes shell: true', async () => {
+    const { applyAutofix } = await import('../utils/autofix-rules.js');
+    const fixed = applyAutofix('CMD_INJECTION_SHELL_TRUE', '  shell: true');
+    assert.ok(fixed.includes('shell: false'));
+  });
+});
+
+// =============================================================================
+// CODE CONTEXT
+// =============================================================================
+
+describe('Code Context in Findings', () => {
+  it('attaches codeContext to findings from scanFileWithPatterns', async () => {
+    const { InjectionTester } = await import('../agents/injection-tester.js');
+    const agent = new InjectionTester();
+    const code = `const x = 1;\nconst y = 2;\nconst z = eval(userInput);\nconst w = 3;\nconst v = 4;`;
+    const { dir, file } = writeTempFile(code);
+    try {
+      const findings = await agent.analyze({ rootPath: dir, files: [file], recon: {}, options: {} });
+      const evalFinding = findings.find(f => f.rule && f.rule.includes('EVAL'));
+      if (evalFinding) {
+        assert.ok(evalFinding.codeContext, 'Finding should have codeContext');
+        assert.ok(Array.isArray(evalFinding.codeContext));
+        assert.ok(evalFinding.codeContext.some(c => c.highlight === true));
+      }
+    } finally { cleanup(dir); }
+  });
 });

package/cli/agents/api-fuzzer.js

@@ -209,6 +209,49 @@ const PATTERNS = [
     description: 'No body size limit configured. Large payloads can cause memory exhaustion.',
     fix: 'Set limit: express.json({ limit: "1mb" })',
   },
+  {
+    rule: 'API_NO_PAGINATION',
+    title: 'API: Query Without Limit',
+    regex: /\.find\s*\(\s*\{?\s*\}\s*\)/g,
+    severity: 'low',
+    cwe: 'CWE-400',
+    confidence: 'low',
+    description: 'Database query returns all records without limit. Can exhaust memory on large tables.',
+    fix: 'Add pagination: .find({}).limit(50).skip(offset)',
+  },
+];
+
+// OpenAPI/Swagger spec patterns
+const OPENAPI_PATTERNS = [
+  {
+    rule: 'OPENAPI_NO_SECURITY',
+    title: 'OpenAPI: No Security Scheme Defined',
+    regex: /(?:openapi|swagger)\s*:\s*["']?[23]\./g,
+    severity: 'high',
+    cwe: 'CWE-306',
+    owasp: 'A07:2021',
+    confidence: 'medium',
+    description: 'OpenAPI spec detected without security schemes. API endpoints may be unprotected.',
+    fix: 'Add securityDefinitions/securitySchemes to your OpenAPI spec',
+  },
+  {
+    rule: 'OPENAPI_HTTP_SERVER',
+    title: 'OpenAPI: Non-HTTPS Server URL',
+    regex: /url\s*:\s*["']?http:\/\//g,
+    severity: 'high',
+    cwe: 'CWE-319',
+    description: 'OpenAPI spec defines an HTTP (non-HTTPS) server URL. Use HTTPS in production.',
+    fix: 'Change server URL to use https://',
+  },
+  {
+    rule: 'OPENAPI_EXAMPLE_SECRETS',
+    title: 'OpenAPI: Secrets in Examples',
+    regex: /example\s*:\s*['"]?(?:sk-|sk_live_|ghp_|gho_|AKIA[0-9A-Z]|Bearer\s+ey[A-Za-z0-9])/g,
+    severity: 'critical',
+    cwe: 'CWE-798',
+    description: 'Real API keys or tokens found in OpenAPI spec examples.',
+    fix: 'Replace real secrets with placeholder values in examples',
+  },
 ];
 
 export class APIFuzzer extends BaseAgent {
@@ -227,6 +270,74 @@ export class APIFuzzer extends BaseAgent {
     for (const file of codeFiles) {
       findings = findings.concat(this.scanFileWithPatterns(file, PATTERNS));
     }
+
+    // ── Project-level: Rate limiting check ────────────────────────────────────
+    let hasExpressApp = false;
+    let hasRateLimiter = false;
+    let expressAppFile = null;
+
+    for (const file of codeFiles) {
+      const content = this.readFile(file);
+      if (!content) continue;
+      if (/(?:express\s*\(\)|app\.listen|createServer)\s*/.test(content)) {
+        hasExpressApp = true;
+        if (!expressAppFile) expressAppFile = file;
+      }
+      if (/(?:express-rate-limit|rate-limiter-flexible|@upstash\/ratelimit|limiter|bottleneck|rateLimit)/i.test(content)) {
+        hasRateLimiter = true;
+      }
+    }
+
+    if (hasExpressApp && !hasRateLimiter && expressAppFile) {
+      findings.push(createFinding({
+        file: expressAppFile,
+        line: 0,
+        severity: 'medium',
+        category: 'api',
+        rule: 'API_NO_RATE_LIMIT',
+        title: 'API: No Rate Limiting Detected',
+        description: 'HTTP server detected without any rate-limiting library. APIs without rate limits are vulnerable to brute-force and DoS attacks.',
+        matched: 'No rate-limiting middleware found',
+        confidence: 'medium',
+        cwe: 'CWE-307',
+        owasp: 'A07:2021',
+        fix: 'Add rate limiting: npm i express-rate-limit && app.use(rateLimit({ windowMs: 15*60*1000, max: 100 }))',
+      }));
+    }
+
+    // ── OpenAPI/Swagger spec scanning ─────────────────────────────────────────
+    const specFiles = files.filter(f => {
+      const basename = path.basename(f).toLowerCase();
+      return /(?:openapi|swagger)\.(json|ya?ml)$/i.test(basename);
+    });
+
+    for (const file of specFiles) {
+      const specFindings = this.scanFileWithPatterns(file, OPENAPI_PATTERNS);
+      // Check if spec has securitySchemes
+      const content = this.readFile(file);
+      if (content && /(?:openapi|swagger)\s*:\s*["']?[23]\./.test(content)) {
+        if (!/securitySchemes|securityDefinitions/i.test(content)) {
+          findings.push(createFinding({
+            file,
+            line: 0,
+            severity: 'high',
+            category: 'api',
+            rule: 'OPENAPI_NO_SECURITY',
+            title: 'OpenAPI: No Security Scheme Defined',
+            description: 'OpenAPI spec has no securitySchemes/securityDefinitions. API endpoints may be unprotected.',
+            matched: 'Missing securitySchemes',
+            confidence: 'high',
+            cwe: 'CWE-306',
+            fix: 'Add securitySchemes with Bearer token, API key, or OAuth2',
+          }));
+        }
+      }
+      // Add other OpenAPI pattern matches (HTTP server, example secrets)
+      findings = findings.concat(
+        specFindings.filter(f => f.rule !== 'OPENAPI_NO_SECURITY')
+      );
+    }
+
     return findings;
   }
 }