vbguard 0.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 vibeguard contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,175 @@
+# ⚡ vibeguard
+
+**Security scanner built for AI-generated code. Catches what traditional scanners miss.**
+
+[![npm version](https://img.shields.io/npm/v/vibeguard.svg)](https://www.npmjs.com/package/vibeguard)
+[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
+
+---
+
+Vibe coding is fast. But 45% of AI-generated code ships with known vulnerabilities. The Moltbook breach, the pickle exploits, the hardcoded Supabase keys — all caused by patterns that traditional scanners weren't designed to catch.
+
+**vibeguard** scans your codebase for the security mistakes that AI coding tools (Cursor, Claude Code, Copilot, Lovable, Bolt, Replit) introduce most often.
+
+## Quick Start
+
+```bash
+npx vibeguard .
+```
+
+That's it. No config, no account, no API key.
+
+## What It Catches
+
+| Category | Examples | Severity |
+|----------|----------|----------|
+| **Hardcoded Secrets** | API keys, DB connection strings, JWTs, private keys inline in code | Critical |
+| **Frontend-Exposed Secrets** | Stripe secret keys, service role tokens, DB URLs in client-side code | Critical |
+| **Dangerous Functions** | `pickle.loads()`, `eval()` with user input, SQL injection via f-strings/template literals | Critical |
+| **Missing Auth** | Express/Flask/FastAPI servers with no authentication middleware | High |
+| **Permissive Configs** | `cors(*)`, `debug=True`, Firebase rules `allow: if true`, Supabase without RLS | High |
+| **No Rate Limiting** | HTTP servers without rate limiting middleware | High |
+| **Dangerous Dependencies** | Compromised packages (event-stream, faker), deprecated libs AI still suggests | Medium |
+| **Missing .gitignore** | `.env` files not gitignored, secrets about to be committed | Critical |
+| **Docker Misconfigs** | Running as root, copying `.env` into images, exposed DB ports | Medium-High |
+
+## Supported Languages
+
+- **JavaScript / TypeScript** — Express, Fastify, Next.js, React, Vue, Svelte
+- **Python** — Flask, FastAPI, Django
+
+## Usage
+
+```bash
+# Scan current directory
+vibeguard .
+
+# Scan a specific project
+vibeguard ./my-app
+
+# Only show high and critical issues
+vibeguard . --severity=high
+
+# Output as JSON (for CI/CD)
+vibeguard . --json
+
+# Hide fix suggestions
+vibeguard . --no-fix
+
+# Ignore specific directories
+vibeguard . --ignore=tests,scripts
+```
+
+## CI/CD Integration
+
+### GitHub Actions
+
+```yaml
+name: Security Scan
+on: [push, pull_request]
+
+jobs:
+  vibeguard:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+      - run: npx vibeguard . --severity=high
+```
+
+vibeguard exits with code 1 if critical or high severity issues are found, making it easy to block deploys.
+
+### Pre-commit Hook
+
+```bash
+# .husky/pre-commit
+npx vibeguard . --severity=high
+```
+
+## Example Output
+
+```
+  ⚡ vibeguard v0.1.0
+  Security scanner for AI-generated code
+
+  Scanning: /Users/dev/my-vibe-app
+
+  🚨 CRITICAL (3)
+
+    ▸ secret/openai-api-key
+      src/api/chat.ts:5
+      Hardcoded OpenAI API Key detected. AI tools commonly inline
+      credentials — this is a top cause of breaches in vibe-coded apps.
+      💡 Fix: Move to environment variable OPENAI_API_KEY.
+
+    ▸ frontend/stripe-secret-key-in-client
+      src/components/Checkout.tsx:12
+      Stripe Secret Key in Client found in client-side code. This will
+      be visible to anyone who opens browser DevTools.
+      💡 Fix: Stripe secret keys must NEVER be in frontend code.
+
+    ▸ dangerous/pickle-deserialization
+      api/data.py:23
+      pickle.load() allows arbitrary code execution when deserializing
+      untrusted data.
+      💡 Fix: Use json.loads() for data exchange.
+
+  🔴 HIGH (2)
+
+    ▸ defaults/no-rate-limiting
+      src/api/server.ts
+      No rate limiting detected on HTTP server.
+      💡 Fix: Add express-rate-limit.
+
+    ▸ defaults/permissive-cors
+      src/api/server.ts:8
+      CORS is set to allow all origins (*).
+      💡 Fix: Set specific origin: cors({ origin: 'https://yourdomain.com' })
+
+  ─────────────────────────────────────────
+  5 issues found: 3 critical, 2 high
+  Scanned 24 files in 12ms
+
+  ⚠ Fix critical and high severity issues before deploying!
+```
+
+## Why Not Just Use Snyk / Semgrep / SonarQube?
+
+Those tools are great for traditional code. But they weren't designed for AI-generated code patterns:
+
+- **Snyk** focuses on dependency vulnerabilities, not hardcoded secrets or missing middleware
+- **Semgrep** requires writing custom rules — vibeguard ships with AI-specific patterns out of the box
+- **SonarQube** is enterprise-heavy and takes hours to configure
+
+vibeguard is opinionated, zero-config, and runs in milliseconds. It's built specifically for the patterns that Cursor, Claude Code, Copilot, Lovable, and Bolt introduce.
+
+## How It Works
+
+vibeguard uses pattern matching (regex + structural analysis) against a curated ruleset of AI-specific vulnerability patterns. No AI, no API calls, no data leaves your machine. It runs entirely locally.
+
+The ruleset is based on real-world breaches and academic research:
+- The Moltbook breach (Supabase misconfiguration)
+- Tenzai's 2025 study (69 vulnerabilities across 5 AI coding tools)
+- Escape.tech's scan of 5,600 vibe-coded apps
+- Georgia Tech's Vibe Security Radar (tracking AI-generated CVEs)
+
+## Contributing
+
+Contributions welcome. If you've found a vulnerability pattern that AI tools commonly introduce, open a PR to add it to the scanner.
+
+```
+src/scanners/
+  secrets.js           # Hardcoded API keys, tokens, connection strings
+  dangerous-defaults.js # Missing auth, rate limiting, CORS, headers
+  dangerous-functions.js # eval, pickle, SQL injection, XSS
+  exposed-frontend.js   # Server secrets in client-side code
+  permissive-configs.js  # Supabase, Firebase, Docker misconfigs
+  dependencies.js       # Compromised/deprecated packages
+  gitignore.js          # Missing .gitignore entries
+```
+
+## License
+
+MIT

package/package.json

@@ -0,0 +1,35 @@
+{
+  "name": "vbguard",
+  "version": "0.1.0",
+  "description": "Security scanner for AI-generated code. Catches what traditional scanners miss — hardcoded secrets, dangerous defaults, exposed keys, and more.",
+  "main": "src/index.js",
+  "bin": {
+    "vbguard": "./src/cli.js"
+  },
+  "scripts": {
+    "start": "node src/cli.js",
+    "test": "node test/test.js"
+  },
+  "keywords": [
+    "security",
+    "vibe-coding",
+    "ai-code",
+    "scanner",
+    "vulnerability",
+    "cli",
+    "vibeguard",
+    "sast",
+    "secrets",
+    "ai-security"
+  ],
+  "author": "",
+  "license": "MIT",
+  "engines": {
+    "node": ">=16.0.0"
+  },
+  "files": [
+    "src/**/*",
+    "README.md",
+    "LICENSE"
+  ]
+}

package/src/cli.js

@@ -0,0 +1,62 @@
+const path = require('path');
+const { scanDirectory } = require('./index');
+const { formatReport } = require('./reporter');
+
+const args = process.argv.slice(2);
+
+const HELP = `
+  vbguard - Security scanner for AI-generated code
+
+  Usage:
+    vbguard [directory] [options]
+
+  Options:
+    --json          Output results as JSON
+    --severity=X    Minimum severity (low, medium, high, critical)
+    --no-fix        Hide fix suggestions
+    --ignore=X      Comma-separated patterns to ignore
+    -h, --help      Show this help
+    -v, --version   Show version
+`;
+
+function parseArgs(args) {
+  const opts = { dir: '.', json: false, severity: 'low', showFix: true, ignore: [] };
+  for (const arg of args) {
+    if (arg === '-h' || arg === '--help') { console.log(HELP); process.exit(0); }
+    if (arg === '-v' || arg === '--version') { console.log('0.1.0'); process.exit(0); }
+    if (arg === '--json') opts.json = true;
+    else if (arg === '--no-fix') opts.showFix = false;
+    else if (arg.startsWith('--severity=')) opts.severity = arg.split('=')[1];
+    else if (arg.startsWith('--ignore=')) opts.ignore = arg.split('=')[1].split(',');
+    else if (!arg.startsWith('-')) opts.dir = arg;
+  }
+  return opts;
+}
+
+async function main() {
+  const opts = parseArgs(args);
+  const targetDir = path.resolve(opts.dir);
+
+  console.log('');
+  console.log('  \x1b[1m\x1b[35m\u26a1 vbguard\x1b[0m \x1b[2mv0.1.0\x1b[0m');
+  console.log('  \x1b[2mSecurity scanner for AI-generated code\x1b[0m');
+  console.log('');
+  console.log(`  \x1b[2mScanning:\x1b[0m ${targetDir}`);
+  console.log('');
+
+  try {
+    const results = await scanDirectory(targetDir, opts);
+    if (opts.json) {
+      console.log(JSON.stringify(results, null, 2));
+    } else {
+      formatReport(results, opts);
+    }
+    const hasCritical = results.findings.some(f => f.severity === 'critical' || f.severity === 'high');
+    process.exit(hasCritical ? 1 : 0);
+  } catch (err) {
+    console.error(`\x1b[31m  Error: ${err.message}\x1b[0m`);
+    process.exit(2);
+  }
+}
+
+main();

package/src/index.js

@@ -0,0 +1,135 @@
+const fs = require('fs');
+const path = require('path');
+
+const { scanSecrets } = require('./scanners/secrets');
+const { scanDangerousDefaults } = require('./scanners/dangerous-defaults');
+const { scanExposedFrontend } = require('./scanners/exposed-frontend');
+const { scanMissingGitignore } = require('./scanners/gitignore');
+const { scanDangerousFunctions } = require('./scanners/dangerous-functions');
+const { scanPermissiveConfigs } = require('./scanners/permissive-configs');
+const { scanDependencies } = require('./scanners/dependencies');
+
+const IGNORE_DIRS = new Set([
+  'node_modules', '.git', '.next', '__pycache__', '.venv', 'venv',
+  'env', '.env', 'dist', 'build', '.cache', 'coverage', '.nyc_output',
+  '.pytest_cache', 'egg-info', '.tox', '.mypy_cache',
+]);
+
+const SCAN_EXTENSIONS = new Set([
+  '.js', '.jsx', '.ts', '.tsx', '.mjs', '.cjs',
+  '.py', '.pyw',
+  '.json', '.yaml', '.yml', '.toml',
+  '.env', '.env.local', '.env.production', '.env.development',
+  '.html', '.htm', '.vue', '.svelte',
+]);
+
+function shouldScanFile(filePath) {
+  const ext = path.extname(filePath).toLowerCase();
+  const basename = path.basename(filePath);
+
+  // Always scan dotenv files
+  if (basename.startsWith('.env')) return true;
+  // Always scan config files
+  if (['Dockerfile', 'docker-compose.yml', 'docker-compose.yaml',
+       'firestore.rules', 'database.rules.json', 'storage.rules',
+       'firebase.json'].includes(basename)) return true;
+
+  return SCAN_EXTENSIONS.has(ext);
+}
+
+function walkDir(dir, ignore = []) {
+  const files = [];
+
+  function walk(currentDir) {
+    let entries;
+    try {
+      entries = fs.readdirSync(currentDir, { withFileTypes: true });
+    } catch {
+      return;
+    }
+
+    for (const entry of entries) {
+      const fullPath = path.join(currentDir, entry.name);
+      const relativePath = path.relative(dir, fullPath);
+
+      if (entry.isDirectory()) {
+        if (IGNORE_DIRS.has(entry.name)) continue;
+        if (ignore.some((pattern) => relativePath.includes(pattern))) continue;
+        walk(fullPath);
+      } else if (entry.isFile()) {
+        if (shouldScanFile(fullPath)) {
+          files.push(fullPath);
+        }
+      }
+    }
+  }
+
+  walk(dir);
+  return files;
+}
+
+async function scanDirectory(dir, opts = {}) {
+  const startTime = Date.now();
+
+  if (!fs.existsSync(dir)) {
+    throw new Error(`Directory not found: ${dir}`);
+  }
+
+  const files = walkDir(dir, opts.ignore || []);
+  const findings = [];
+  let filesScanned = 0;
+
+  // Per-file scanners
+  for (const filePath of files) {
+    let content;
+    try {
+      const stat = fs.statSync(filePath);
+      // Skip files > 1MB
+      if (stat.size > 1_000_000) continue;
+      content = fs.readFileSync(filePath, 'utf-8');
+    } catch {
+      continue;
+    }
+
+    filesScanned++;
+    const relativePath = path.relative(dir, filePath);
+    const ext = path.extname(filePath).toLowerCase();
+    const basename = path.basename(filePath);
+
+    const ctx = { filePath, relativePath, content, ext, basename };
+
+    findings.push(...scanSecrets(ctx));
+    findings.push(...scanDangerousDefaults(ctx));
+    findings.push(...scanExposedFrontend(ctx));
+    findings.push(...scanDangerousFunctions(ctx));
+    findings.push(...scanPermissiveConfigs(ctx));
+  }
+
+  // Project-level scanners
+  findings.push(...scanMissingGitignore(dir));
+  findings.push(...(await scanDependencies(dir)));
+
+  // Filter by severity
+  const severityOrder = { critical: 4, high: 3, medium: 2, low: 1 };
+  const minSeverity = severityOrder[opts.severity || 'low'] || 1;
+  const filtered = findings.filter(
+    (f) => (severityOrder[f.severity] || 0) >= minSeverity
+  );
+
+  const elapsed = Date.now() - startTime;
+
+  return {
+    findings: filtered,
+    summary: {
+      filesScanned,
+      totalFindings: filtered.length,
+      critical: filtered.filter((f) => f.severity === 'critical').length,
+      high: filtered.filter((f) => f.severity === 'high').length,
+      medium: filtered.filter((f) => f.severity === 'medium').length,
+      low: filtered.filter((f) => f.severity === 'low').length,
+      elapsed,
+    },
+  };
+}
+
+module.exports = { scanDirectory };

package/src/reporter.js

@@ -0,0 +1,78 @@
+const SEVERITY_COLORS = {
+  critical: '\x1b[41m\x1b[37m',  // white on red bg
+  high: '\x1b[31m',               // red
+  medium: '\x1b[33m',             // yellow
+  low: '\x1b[36m',                // cyan
+};
+
+const SEVERITY_ICONS = {
+  critical: '🚨',
+  high: '🔴',
+  medium: '🟡',
+  low: '🔵',
+};
+
+const RESET = '\x1b[0m';
+const DIM = '\x1b[2m';
+const BOLD = '\x1b[1m';
+
+function formatReport(results, opts = {}) {
+  const { findings, summary } = results;
+
+  if (findings.length === 0) {
+    console.log('  \x1b[32m✓ No security issues found!\x1b[0m');
+    console.log(`  ${DIM}Scanned ${summary.filesScanned} files in ${summary.elapsed}ms${RESET}`);
+    console.log('');
+    return;
+  }
+
+  // Group by severity
+  const grouped = { critical: [], high: [], medium: [], low: [] };
+  for (const f of findings) {
+    if (grouped[f.severity]) {
+      grouped[f.severity].push(f);
+    }
+  }
+
+  for (const severity of ['critical', 'high', 'medium', 'low']) {
+    const items = grouped[severity];
+    if (items.length === 0) continue;
+
+    const color = SEVERITY_COLORS[severity];
+    const icon = SEVERITY_ICONS[severity];
+
+    console.log(`  ${color}${BOLD}${icon} ${severity.toUpperCase()} (${items.length})${RESET}`);
+    console.log('');
+
+    for (const finding of items) {
+      console.log(`  ${color}  ▸ ${finding.rule}${RESET}`);
+      console.log(`    ${DIM}${finding.file}${finding.line ? `:${finding.line}` : ''}${RESET}`);
+      console.log(`    ${finding.message}`);
+
+      if (opts.showFix !== false && finding.fix) {
+        console.log(`    ${DIM}💡 Fix: ${finding.fix}${RESET}`);
+      }
+
+      console.log('');
+    }
+  }
+
+  // Summary bar
+  console.log('  ─────────────────────────────────────────');
+  const parts = [];
+  if (summary.critical > 0) parts.push(`\x1b[31m${summary.critical} critical${RESET}`);
+  if (summary.high > 0) parts.push(`\x1b[31m${summary.high} high${RESET}`);
+  if (summary.medium > 0) parts.push(`\x1b[33m${summary.medium} medium${RESET}`);
+  if (summary.low > 0) parts.push(`\x1b[36m${summary.low} low${RESET}`);
+
+  console.log(`  ${BOLD}${summary.totalFindings} issues${RESET} found: ${parts.join(', ')}`);
+  console.log(`  ${DIM}Scanned ${summary.filesScanned} files in ${summary.elapsed}ms${RESET}`);
+  console.log('');
+
+  if (summary.critical > 0 || summary.high > 0) {
+    console.log(`  \x1b[31m${BOLD}⚠ Fix critical and high severity issues before deploying!${RESET}`);
+    console.log('');
+  }
+}
+
+module.exports = { formatReport };

package/src/scanners/dangerous-defaults.js

@@ -0,0 +1,166 @@
+// AI-generated code frequently ships without basic security middleware
+// These checks catch the most common omissions
+
+function scanDangerousDefaults(ctx) {
+  const { content, relativePath, ext, basename } = ctx;
+  const findings = [];
+
+  const isJS = ['.js', '.jsx', '.ts', '.tsx', '.mjs', '.cjs'].includes(ext);
+  const isPy = ['.py', '.pyw'].includes(ext);
+  const isServerFile = /(?:server|app|index|main|api)\.(js|ts|py)$/i.test(basename) ||
+    /(?:server|api|backend|routes)/i.test(relativePath);
+
+  if (!isServerFile) return findings;
+
+  // === Express / Node.js checks ===
+  if (isJS) {
+    const hasExpress = /require\s*\(\s*['"]express['"]\s*\)|from\s+['"]express['"]/i.test(content);
+    const hasFastify = /require\s*\(\s*['"]fastify['"]\s*\)|from\s+['"]fastify['"]/i.test(content);
+    const hasKoa = /require\s*\(\s*['"]koa['"]\s*\)|from\s+['"]koa['"]/i.test(content);
+    const isHttpServer = hasExpress || hasFastify || hasKoa;
+
+    if (isHttpServer) {
+      // No rate limiting
+      if (!/rate.?limit|express-rate-limit|@fastify\/rate-limit|bottleneck|express-slow-down/i.test(content)) {
+        findings.push({
+          rule: 'defaults/no-rate-limiting',
+          severity: 'high',
+          file: relativePath,
+          line: null,
+          message: 'No rate limiting detected on HTTP server. AI-generated servers almost never include rate limiting, making them vulnerable to brute force and DDoS.',
+          fix: 'Add express-rate-limit: app.use(rateLimit({ windowMs: 15*60*1000, max: 100 }))',
+        });
+      }
+
+      // No helmet / security headers
+      if (!/helmet|security.?headers|x-content-type|x-frame-options|strict-transport/i.test(content)) {
+        findings.push({
+          rule: 'defaults/no-security-headers',
+          severity: 'medium',
+          file: relativePath,
+          line: null,
+          message: 'No security headers middleware (helmet) detected. Missing headers like X-Frame-Options, CSP, HSTS.',
+          fix: 'Add helmet: app.use(helmet()). Install with npm install helmet.',
+        });
+      }
+
+      // Permissive CORS
+      const corsMatch = content.match(/cors\(\s*\{?\s*origin\s*:\s*['"`]\*['"`]|cors\(\s*\)/);
+      if (corsMatch) {
+        const lineNum = content.substring(0, corsMatch.index).split('\n').length;
+        findings.push({
+          rule: 'defaults/permissive-cors',
+          severity: 'high',
+          file: relativePath,
+          line: lineNum,
+          message: 'CORS is set to allow all origins (*). AI tools default to permissive CORS. Restrict to your actual frontend domain.',
+          fix: "Set specific origin: cors({ origin: 'https://yourdomain.com' })",
+        });
+      }
+
+      // No input validation
+      if (!/zod|joi|yup|express-validator|class-validator|ajv|superstruct/i.test(content)) {
+        // Check if there are POST/PUT route handlers
+        if (/\.(post|put|patch)\s*\(/i.test(content)) {
+          findings.push({
+            rule: 'defaults/no-input-validation',
+            severity: 'medium',
+            file: relativePath,
+            line: null,
+            message: 'No input validation library detected but POST/PUT handlers exist. AI-generated APIs rarely validate input, enabling injection attacks.',
+            fix: 'Add zod or joi for request body validation on all mutation endpoints.',
+          });
+        }
+      }
+
+      // No auth middleware
+      if (/\.(get|post|put|patch|delete)\s*\(/i.test(content)) {
+        if (!/auth|jwt|passport|clerk|supabase.*auth|next-auth|lucia|session|bearer/i.test(content)) {
+          findings.push({
+            rule: 'defaults/no-auth-middleware',
+            severity: 'high',
+            file: relativePath,
+            line: null,
+            message: 'Route handlers detected but no authentication middleware found. AI tools frequently skip auth, leaving all endpoints publicly accessible.',
+            fix: 'Add authentication middleware to protected routes. Use passport, clerk, or JWT verification.',
+          });
+        }
+      }
+    }
+  }
+
+  // === Python / Flask / FastAPI / Django checks ===
+  if (isPy) {
+    const hasFlask = /from\s+flask\s+import|import\s+flask/i.test(content);
+    const hasFastAPI = /from\s+fastapi\s+import|import\s+fastapi/i.test(content);
+    const hasDjango = /from\s+django/i.test(content);
+    const isPyServer = hasFlask || hasFastAPI || hasDjango;
+
+    if (isPyServer) {
+      // Debug mode in production
+      const debugMatch = content.match(/debug\s*=\s*True|DEBUG\s*=\s*True|app\.run\([^)]*debug\s*=\s*True/i);
+      if (debugMatch) {
+        const lineNum = content.substring(0, debugMatch.index).split('\n').length;
+        findings.push({
+          rule: 'defaults/debug-mode-enabled',
+          severity: 'critical',
+          file: relativePath,
+          line: lineNum,
+          message: 'Debug mode enabled. AI tools always set debug=True. This exposes stack traces, allows code execution (Flask debugger), and leaks secrets in production.',
+          fix: 'Set debug=False or use environment variable: debug=os.environ.get("DEBUG", "False") == "True"',
+        });
+      }
+
+      // Flask secret key hardcoded
+      const secretKeyMatch = content.match(/(?:secret_key|SECRET_KEY)\s*=\s*['"`]([^'"`]{1,100})['"`]/i);
+      if (secretKeyMatch) {
+        const lineNum = content.substring(0, secretKeyMatch.index).split('\n').length;
+        const key = secretKeyMatch[1];
+        if (!/os\.environ|os\.getenv|environ/i.test(content.split('\n')[lineNum - 1] || '')) {
+          findings.push({
+            rule: 'defaults/hardcoded-secret-key',
+            severity: 'critical',
+            file: relativePath,
+            line: lineNum,
+            message: 'Hardcoded SECRET_KEY. AI tools generate a static secret key. This compromises session security and CSRF protection.',
+            fix: "Use os.environ.get('SECRET_KEY') with a randomly generated value.",
+          });
+        }
+      }
+
+      // No CORS restriction (FastAPI)
+      if (hasFastAPI) {
+        const corsAll = content.match(/allow_origins\s*=\s*\[\s*['"`]\*['"`]\s*\]/);
+        if (corsAll) {
+          const lineNum = content.substring(0, corsAll.index).split('\n').length;
+          findings.push({
+            rule: 'defaults/permissive-cors',
+            severity: 'high',
+            file: relativePath,
+            line: lineNum,
+            message: 'FastAPI CORS allows all origins. Restrict to your frontend domain.',
+            fix: "Set allow_origins=['https://yourdomain.com']",
+          });
+        }
+      }
+
+      // No rate limiting
+      if (!/slowapi|flask.?limiter|ratelimit|throttle/i.test(content)) {
+        if (/@app\.(?:route|get|post|put|delete)|@router\./i.test(content)) {
+          findings.push({
+            rule: 'defaults/no-rate-limiting',
+            severity: 'high',
+            file: relativePath,
+            line: null,
+            message: 'No rate limiting on Python server. Add slowapi (FastAPI) or flask-limiter (Flask).',
+            fix: 'Install and configure rate limiting: pip install slowapi',
+          });
+        }
+      }
+    }
+  }
+
+  return findings;
+}
+
+module.exports = { scanDangerousDefaults };