thuban 0.4.1 → 0.4.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (35) hide show
  1. package/dist/cli.js +1 -1
  2. package/dist/package.json +63 -0
  3. package/dist/packages/crucible/banner.js +1 -1
  4. package/dist/packages/crucible/rule-loader.js +1 -1
  5. package/dist/packages/crucible/rules/code-scanner-core.json +147 -0
  6. package/dist/packages/crucible/rules/command-injection.json +411 -0
  7. package/dist/packages/crucible/rules/crypto-misuse.json +35 -0
  8. package/dist/packages/crucible/rules/deserialization.json +152 -0
  9. package/dist/packages/crucible/rules/env-injection.json +46 -0
  10. package/dist/packages/crucible/rules/eval-abuse.json +104 -0
  11. package/dist/packages/crucible/rules/file-upload.json +46 -0
  12. package/dist/packages/crucible/rules/hallucination.json +22 -0
  13. package/dist/packages/crucible/rules/hardcoded-secret.json +397 -0
  14. package/dist/packages/crucible/rules/hardcoded-url.json +13 -0
  15. package/dist/packages/crucible/rules/insecure-crypto.json +302 -0
  16. package/dist/packages/crucible/rules/integer-overflow.json +35 -0
  17. package/dist/packages/crucible/rules/log-injection.json +33 -0
  18. package/dist/packages/crucible/rules/mass-assignment.json +112 -0
  19. package/dist/packages/crucible/rules/open-redirect.json +196 -0
  20. package/dist/packages/crucible/rules/path-traversal.json +422 -0
  21. package/dist/packages/crucible/rules/prototype-pollution.json +22 -0
  22. package/dist/packages/crucible/rules/sql-injection.json +619 -0
  23. package/dist/packages/crucible/rules/ssrf.json +557 -0
  24. package/dist/packages/crucible/rules/timing-attack.json +55 -0
  25. package/dist/packages/crucible/rules/unsafe-block.json +24 -0
  26. package/dist/packages/crucible/rules/xss.json +663 -0
  27. package/dist/packages/crucible/rules/xxe.json +66 -0
  28. package/dist/packages/crucible/rules/yaml-deserialization.json +22 -0
  29. package/dist/packages/crucible/rules/yaml-injection.json +22 -0
  30. package/dist/packages/scanner/drift-detector.js +1 -1
  31. package/dist/packages/scanner/export-verifier.js +1 -1
  32. package/dist/packages/scanner/license-manager.js +1 -1
  33. package/dist/packages/scanner/monitor-service.js +1 -1
  34. package/dist/packages/scanner/taint-tracker.js +1 -1
  35. package/package.json +4 -2
@@ -0,0 +1,397 @@
1
+ [
2
+ {
3
+ "id": "SEC001",
4
+ "pattern": "AKIA[0-9A-Z]{16}|AKIA[A-Z0-9]+['\"]|\\bAKIA",
5
+ "flags": "i",
6
+ "category": "hardcoded_secret",
7
+ "description": "Hardcoded secrets",
8
+ "language": [
9
+ "js",
10
+ "ts",
11
+ "python",
12
+ "java",
13
+ "go",
14
+ "csharp",
15
+ "php",
16
+ "ruby",
17
+ "rust",
18
+ "kotlin"
19
+ ],
20
+ "severity": "critical"
21
+ },
22
+ {
23
+ "id": "SEC002",
24
+ "pattern": "sk-[a-zA-Z0-9]{20,}|sk_live_[a-zA-Z0-9]{20,}|ghp_[a-zA-Z0-9]{20,}|AIzaSy[a-zA-Z0-9]{33}",
25
+ "flags": "i",
26
+ "category": "hardcoded_secret",
27
+ "description": "Hardcoded secrets",
28
+ "language": [
29
+ "js",
30
+ "ts",
31
+ "python",
32
+ "java",
33
+ "go",
34
+ "csharp",
35
+ "php",
36
+ "ruby",
37
+ "rust",
38
+ "kotlin"
39
+ ],
40
+ "severity": "critical"
41
+ },
42
+ {
43
+ "id": "SEC003",
44
+ "pattern": "-----BEGIN (RSA |DSA |EC |OPENSSH |PGP )?PRIVATE KEY-----|SuperSecretProd\\d+!|hardcoded-jwt-secret",
45
+ "flags": "i",
46
+ "category": "hardcoded_secret",
47
+ "description": "Hardcoded secrets",
48
+ "language": [
49
+ "js",
50
+ "ts",
51
+ "python",
52
+ "java",
53
+ "go",
54
+ "csharp",
55
+ "php",
56
+ "ruby",
57
+ "rust",
58
+ "kotlin"
59
+ ],
60
+ "severity": "critical"
61
+ },
62
+ {
63
+ "id": "SEC004",
64
+ "pattern": "(?:JWT_SECRET|HMAC_SECRET|SECRET_KEY|API_SECRET|WEBHOOK_SECRET)\\s*=\\s*['\"][^'\"]{12,}['\"]",
65
+ "flags": "i",
66
+ "category": "hardcoded_secret",
67
+ "description": "Generic JWT/HMAC secrets (long strings in secret/key variables)",
68
+ "language": [
69
+ "js",
70
+ "ts",
71
+ "python",
72
+ "java",
73
+ "go",
74
+ "csharp",
75
+ "php",
76
+ "ruby",
77
+ "rust",
78
+ "kotlin"
79
+ ],
80
+ "severity": "critical"
81
+ },
82
+ {
83
+ "id": "SEC005",
84
+ "pattern": "(?:admin_sk_live|xoxb-[0-9]{11,}|rk_live_[a-zA-Z0-9]{32,})",
85
+ "flags": "i",
86
+ "category": "hardcoded_secret",
87
+ "description": "Generic JWT/HMAC secrets (long strings in secret/key variables)",
88
+ "language": [
89
+ "js",
90
+ "ts",
91
+ "python",
92
+ "java",
93
+ "go",
94
+ "csharp",
95
+ "php",
96
+ "ruby",
97
+ "rust",
98
+ "kotlin"
99
+ ],
100
+ "severity": "critical"
101
+ },
102
+ {
103
+ "id": "SEC006",
104
+ "pattern": "(?:JWT_SECRET|JWT_REFRESH_SECRET|SIGNING_KEY|SigningKey|jwtSecret|jwt_secret|secret(?:Key|_key)|signingSecret)\\s*[=:]\\s*['\"`][^'\"`]{12,}['\"`]",
105
+ "flags": "i",
106
+ "category": "hardcoded_secret",
107
+ "description": "JWT signing secrets / refresh secrets assigned to variables",
108
+ "language": [
109
+ "js",
110
+ "ts",
111
+ "python",
112
+ "java",
113
+ "go",
114
+ "csharp",
115
+ "php",
116
+ "ruby",
117
+ "rust",
118
+ "kotlin"
119
+ ],
120
+ "severity": "critical"
121
+ },
122
+ {
123
+ "id": "SEC007",
124
+ "pattern": "GOCSPX-[A-Za-z0-9_-]{20,}|SG\\.[A-Za-z0-9_-]{20,}\\.[A-Za-z0-9_-]{20,}",
125
+ "flags": "",
126
+ "category": "hardcoded_secret",
127
+ "description": "OAuth client secrets, SendGrid, GOCSPX, GitHub secret tokens",
128
+ "language": [
129
+ "js",
130
+ "ts",
131
+ "python",
132
+ "java",
133
+ "go",
134
+ "csharp",
135
+ "php",
136
+ "ruby",
137
+ "rust",
138
+ "kotlin"
139
+ ],
140
+ "severity": "critical"
141
+ },
142
+ {
143
+ "id": "SEC008",
144
+ "pattern": "(?:clientSecret|client_secret|refreshToken|refresh_token)\\s*[=:]\\s*['\"`][A-Za-z0-9/_\\-\\.]{16,}['\"`]",
145
+ "flags": "i",
146
+ "category": "hardcoded_secret",
147
+ "description": "OAuth client secrets, SendGrid, GOCSPX, GitHub secret tokens",
148
+ "language": [
149
+ "js",
150
+ "ts",
151
+ "python",
152
+ "java",
153
+ "go",
154
+ "csharp",
155
+ "php",
156
+ "ruby",
157
+ "rust",
158
+ "kotlin"
159
+ ],
160
+ "severity": "critical"
161
+ },
162
+ {
163
+ "id": "SEC009",
164
+ "pattern": "(?:password|passwd|pwd)\\s*[:=]\\s*['\"`][^'\"`\\s]{6,}['\"`]",
165
+ "flags": "i",
166
+ "category": "hardcoded_secret",
167
+ "description": "Hardcoded passwords / connection strings with embedded passwords in source code",
168
+ "language": [
169
+ "js",
170
+ "ts",
171
+ "python",
172
+ "java",
173
+ "go",
174
+ "csharp",
175
+ "php",
176
+ "ruby",
177
+ "rust",
178
+ "kotlin"
179
+ ],
180
+ "severity": "critical"
181
+ },
182
+ {
183
+ "id": "SEC010",
184
+ "pattern": "redis:\\/\\/:?[^@\\s'\"]{6,}@|mongodb:\\/\\/[^:\\s'\"]+:[^@\\s'\"]{6,}@",
185
+ "flags": "i",
186
+ "category": "hardcoded_secret",
187
+ "description": "Hardcoded passwords / connection strings with embedded passwords in source code",
188
+ "language": [
189
+ "js",
190
+ "ts",
191
+ "python",
192
+ "java",
193
+ "go",
194
+ "csharp",
195
+ "php",
196
+ "ruby",
197
+ "rust",
198
+ "kotlin"
199
+ ],
200
+ "severity": "critical"
201
+ },
202
+ {
203
+ "id": "SEC011",
204
+ "pattern": "(?:ENCRYPTION_KEY|HMAC_KEY|ENCRYPT_KEY|AES_KEY|encKey|EncKey|hmacKey)\\s*[=:]\\s*(?:['\"`]|b['\"])[^\\s'\"]{12,}",
205
+ "flags": "i",
206
+ "category": "hardcoded_secret",
207
+ "description": "Encryption keys / HMAC keys in const/var",
208
+ "language": [
209
+ "js",
210
+ "ts",
211
+ "python",
212
+ "java",
213
+ "go",
214
+ "csharp",
215
+ "php",
216
+ "ruby",
217
+ "rust",
218
+ "kotlin"
219
+ ],
220
+ "severity": "critical"
221
+ },
222
+ {
223
+ "id": "SEC012",
224
+ "pattern": "auth\\s*:\\s*\\{[^}]*pass\\s*:\\s*['\"`][^'\"`\\s]{4,}['\"`]",
225
+ "flags": "i",
226
+ "category": "hardcoded_secret",
227
+ "description": "SMTP auth passwords in transport config",
228
+ "language": [
229
+ "js",
230
+ "ts",
231
+ "python",
232
+ "java",
233
+ "go",
234
+ "csharp",
235
+ "php",
236
+ "ruby",
237
+ "rust",
238
+ "kotlin"
239
+ ],
240
+ "severity": "critical"
241
+ },
242
+ {
243
+ "id": "SEC013",
244
+ "pattern": "(?:const|let|var|val|final)\\s+\\w*(?:[Tt]oken|[Aa][Pp][Ii][Kk]ey|[Ss]ecret|[Pp]assword|[Pp]asswd)\\w*\\s*[=:]\\s*['\"`][A-Za-z0-9+\\/=_\\-\\.@#!$%^&*]{12,}['\"`]",
245
+ "flags": "i",
246
+ "category": "hardcoded_secret",
247
+ "description": "Generic hardcoded token/key/secret/apiKey assignment",
248
+ "language": [
249
+ "js",
250
+ "ts",
251
+ "python",
252
+ "java",
253
+ "go",
254
+ "csharp",
255
+ "php",
256
+ "ruby",
257
+ "rust",
258
+ "kotlin"
259
+ ],
260
+ "severity": "critical"
261
+ },
262
+ {
263
+ "id": "SEC014",
264
+ "pattern": "Password=[^;\\s'\"]{6,}[;'\"]|pwd=[^;\\s'\"]{6,}[;'\"]",
265
+ "flags": "i",
266
+ "category": "hardcoded_secret",
267
+ "description": "Connection strings with embedded Password= (SQL Server, ODBC)",
268
+ "language": [
269
+ "js",
270
+ "ts",
271
+ "python",
272
+ "java",
273
+ "go",
274
+ "csharp",
275
+ "php",
276
+ "ruby",
277
+ "rust",
278
+ "kotlin"
279
+ ],
280
+ "severity": "critical"
281
+ },
282
+ {
283
+ "id": "SEC015",
284
+ "pattern": "AccountKey=[A-Za-z0-9+\\/=]{20,}",
285
+ "flags": "i",
286
+ "category": "hardcoded_secret",
287
+ "description": "Azure AccountKey= in connection strings (base64 encoded key)",
288
+ "language": [
289
+ "js",
290
+ "ts",
291
+ "python",
292
+ "java",
293
+ "go",
294
+ "csharp",
295
+ "php",
296
+ "ruby",
297
+ "rust",
298
+ "kotlin"
299
+ ],
300
+ "severity": "critical"
301
+ },
302
+ {
303
+ "id": "SEC016",
304
+ "pattern": "hooks\\.slack\\.com\\/services\\/[A-Z0-9]+\\/[A-Z0-9]+\\/[A-Za-z0-9]+",
305
+ "flags": "i",
306
+ "category": "hardcoded_secret",
307
+ "description": "Slack webhook URL",
308
+ "language": [
309
+ "js",
310
+ "ts",
311
+ "python",
312
+ "java",
313
+ "go",
314
+ "csharp",
315
+ "php",
316
+ "ruby",
317
+ "rust",
318
+ "kotlin"
319
+ ],
320
+ "severity": "critical"
321
+ },
322
+ {
323
+ "id": "SEC017",
324
+ "pattern": "pdkey-[a-z]-[A-Za-z0-9]{16,}",
325
+ "flags": "i",
326
+ "category": "hardcoded_secret",
327
+ "description": "PagerDuty / generic pdkey token",
328
+ "language": [
329
+ "js",
330
+ "ts",
331
+ "python",
332
+ "java",
333
+ "go",
334
+ "csharp",
335
+ "php",
336
+ "ruby",
337
+ "rust",
338
+ "kotlin"
339
+ ],
340
+ "severity": "critical"
341
+ },
342
+ {
343
+ "id": "SEC018",
344
+ "pattern": "private\\s+static\\s+final\\s+String\\s+\\w*(?:SECRET|KEY|TOKEN|PASSWORD|SIGNING)\\w*\\s*=\\s*[\"'][^\"']{12,}[\"']|static\\s+final\\s+String\\s+\\w*(?:SECRET|KEY|TOKEN|PASSWORD|SIGNING)\\w*\\s*=\\s*[\"'][^\"']{12,}[\"']",
345
+ "flags": "i",
346
+ "category": "hardcoded_secret",
347
+ "description": "Java static final String SECRET/KEY/TOKEN with hardcoded value",
348
+ "language": [
349
+ "java"
350
+ ],
351
+ "severity": "critical"
352
+ },
353
+ {
354
+ "id": "SEC019",
355
+ "pattern": "\\[\\s*\\]byte\\s*\\(\\s*[\"'][^\"']{12,}[\"']\\s*\\)",
356
+ "flags": "",
357
+ "category": "hardcoded_secret",
358
+ "description": "Go []byte(\"hardcoded secret string\") for JWT signing keys",
359
+ "language": [
360
+ "go"
361
+ ],
362
+ "severity": "critical"
363
+ },
364
+ {
365
+ "id": "SEC020",
366
+ "pattern": "(?:AesKey|AesIv|EncKey|HmacKey|aesKey|hmacKey)\\s*=\\s*new\\s+byte\\s*\\[\\s*\\]",
367
+ "flags": "i",
368
+ "category": "hardcoded_secret",
369
+ "description": "Hardcoded byte array AES key (C#: new byte[] { 0x2b, 0x7e, ... })",
370
+ "language": [
371
+ "csharp"
372
+ ],
373
+ "severity": "critical"
374
+ },
375
+ {
376
+ "id": "SEC021",
377
+ "pattern": "define\\s*\\(\\s*['\"](?:REDIS_PASSWORD|SESSION_SECRET|CSRF_SECRET|DB_PASS|APP_SECRET|SMTP_PASS|JWT_SECRET)['\"]\\s*,\\s*['\"][^'\"]{6,}['\"]",
378
+ "flags": "i",
379
+ "category": "hardcoded_secret",
380
+ "description": "PHP hardcoded secrets: define() with password/secret constants",
381
+ "language": [
382
+ "php"
383
+ ],
384
+ "severity": "critical"
385
+ },
386
+ {
387
+ "id": "SEC022",
388
+ "pattern": "const\\s+\\w*(?:SECRET|_SECRET)\\w*\\s*:\\s*string\\s*=\\s*['\"`][^'\"`]{12,}['\"`]",
389
+ "flags": "i",
390
+ "category": "hardcoded_secret",
391
+ "description": "TypeScript: hardcoded secret with type annotation",
392
+ "language": [
393
+ "typescript"
394
+ ],
395
+ "severity": "critical"
396
+ }
397
+ ]
@@ -0,0 +1,13 @@
1
+ [
2
+ {
3
+ "id": "URL001",
4
+ "pattern": "const\\s+val\\s+\\w*(?:URL|_URL)\\w*\\s*=\\s*[\"']https?:\\/\\/",
5
+ "flags": "i",
6
+ "category": "hardcoded_url",
7
+ "description": "Kotlin: hardcoded production/debug URLs",
8
+ "language": [
9
+ "kotlin"
10
+ ],
11
+ "severity": "medium"
12
+ }
13
+ ]