verification-layer 0.21.0 → 0.22.0

package/dist/scanners/authentication/patterns.js

@@ -0,0 +1,133 @@
+/**
+ * Multi-Factor Authentication (MFA) Detection Patterns
+ * Enforces MFA requirements per HIPAA NPRM §164.312(d)
+ */
+/**
+ * MFA-001: Auth Provider Configuration Without MFA
+ * Detects NextAuth, Clerk, Auth0, Supabase Auth configs without MFA enabled
+ */
+export const AUTH_CONFIG_NO_MFA = {
+    id: 'MFA-001',
+    name: 'Authentication Configuration Without MFA Enabled',
+    description: 'Auth provider configuration (NextAuth, Clerk, Auth0, Supabase) does not have MFA/2FA/TOTP enabled',
+    severity: 'critical',
+    hipaaReference: 'NPRM §164.312(d) - Person or Entity Authentication',
+    patterns: [
+        // NextAuth configuration
+        /NextAuth\s*\(/i,
+        /export\s+(?:default\s+)?NextAuth/i,
+        /authOptions\s*[:=]/i,
+        // Clerk configuration
+        /ClerkProvider/i,
+        /clerk\.(?:setup|configure)/i,
+        // Auth0 configuration
+        /Auth0Provider/i,
+        /auth0\.WebAuth/i,
+        /new\s+Auth0Client/i,
+        // Supabase Auth configuration
+        /supabase\.auth\.signUp/i,
+        /createClient.*?supabase/i,
+        // Generic auth configs
+        /authConfig\s*[:=]/i,
+        /authentication\s*:\s*\{/i,
+    ],
+    negativePatterns: [
+        // Indicators that MFA is enabled
+        /mfa/i,
+        /2fa/i,
+        /totp/i,
+        /otp/i,
+        /multiFactor/i,
+        /multi[-_]factor/i,
+        /twoFactor/i,
+        /two[-_]factor/i,
+        /authenticator/i,
+    ],
+    recommendation: 'Enable MFA in your auth provider configuration. For NextAuth: add adapter with MFA support. For Clerk: enable MFA in dashboard. For Auth0: enable MFA in tenant settings. For Supabase: enable MFA in auth settings.',
+    category: 'authentication',
+};
+/**
+ * MFA-002: Login Flow Without Second Factor
+ * Detects signIn/login with only email+password without MFA verification
+ */
+export const LOGIN_NO_SECOND_FACTOR = {
+    id: 'MFA-002',
+    name: 'Login Flow Without Second Factor Authentication',
+    description: 'Login/sign-in flow authenticates with only email and password without requiring second factor verification',
+    severity: 'high',
+    hipaaReference: 'NPRM §164.312(d) - Person or Entity Authentication',
+    patterns: [
+        // signIn with email+password
+        /(?:signIn|login|authenticate)\s*\([^)]*(?:email|username)[^)]*password/i,
+        /(?:signIn|login|authenticate)\s*\(\s*\{[^}]*(?:email|username)[^}]*password[^}]*\}/i,
+        // Credentials-based auth without MFA
+        /credentials\s*:\s*\{[^}]*(?:email|username)[^}]*password[^}]*\}/i,
+        // Direct password authentication
+        /(?:email|username)\s*,\s*password\s*\)/i,
+        /password\s*,\s*(?:email|username)\s*\)/i,
+    ],
+    negativePatterns: [
+        // Indicators of MFA verification
+        /mfaToken/i,
+        /totpCode/i,
+        /verificationCode/i,
+        /twoFactorCode/i,
+        /authenticatorCode/i,
+        /otp/i,
+        /mfaVerified/i,
+        /requireMfa/i,
+        /checkMfa/i,
+        /verifyMfa/i,
+    ],
+    recommendation: 'Add second factor verification to login flow. After successful password authentication, require MFA token/TOTP code before granting access. Example: if (user.mfaEnabled && !mfaToken) return { error: "MFA required" }',
+    category: 'authentication',
+};
+/**
+ * MFA-003: MFA Bypass in Code
+ * Detects code that explicitly bypasses or disables MFA requirements
+ */
+export const MFA_BYPASS = {
+    id: 'MFA-003',
+    name: 'MFA Bypass Detected in Code',
+    description: 'Code explicitly bypasses, skips, or disables MFA requirements',
+    severity: 'critical',
+    hipaaReference: 'NPRM §164.312(d) - Person or Entity Authentication',
+    patterns: [
+        // Explicit bypass functions
+        /skipMfa/i,
+        /bypassMfa/i,
+        /disableMfa/i,
+        /ignoreMfa/i,
+        // MFA disabled in config
+        /mfaEnabled\s*[:=]\s*false/i,
+        /requireMfa\s*[:=]\s*false/i,
+        /require(?:Two|2)Factor\s*[:=]\s*false/i,
+        /mfa\s*:\s*\{\s*enabled\s*:\s*false/i,
+        /twoFactor\s*:\s*false/i,
+        // Conditional bypass
+        /if\s*\([^)]*skip.*mfa/i,
+        /if\s*\([^)]*!.*(?:mfa|2fa|totp)/i,
+        // Environment-based bypass (common anti-pattern)
+        /process\.env\.(?:SKIP|DISABLE|BYPASS).*MFA/i,
+    ],
+    negativePatterns: [
+        // Valid use cases (testing, error messages)
+        /\/\/.*test/i,
+        /\/\*.*test/i,
+        /describe\(/i,
+        /it\(/i,
+        /test\(/i,
+        /\.test\./i,
+        /\.spec\./i,
+        /console\.(?:log|warn|error)/i,
+        /throw.*error/i,
+    ],
+    recommendation: 'Remove MFA bypass code. MFA should be mandatory for all users accessing PHI. If testing is needed, use proper test isolation instead of disabling MFA in production code.',
+    category: 'authentication',
+};
+export const ALL_MFA_PATTERNS = [
+    AUTH_CONFIG_NO_MFA,
+    LOGIN_NO_SECOND_FACTOR,
+    MFA_BYPASS,
+];
+//# sourceMappingURL=patterns.js.map

package/dist/scanners/authentication/patterns.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"patterns.js","sourceRoot":"","sources":["../../../src/scanners/authentication/patterns.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAcH;;;GAGG;AACH,MAAM,CAAC,MAAM,kBAAkB,GAAe;IAC5C,EAAE,EAAE,SAAS;IACb,IAAI,EAAE,kDAAkD;IACxD,WAAW,EACT,mGAAmG;IACrG,QAAQ,EAAE,UAAU;IACpB,cAAc,EAAE,oDAAoD;IACpE,QAAQ,EAAE;QACR,yBAAyB;QACzB,gBAAgB;QAChB,mCAAmC;QACnC,qBAAqB;QAErB,sBAAsB;QACtB,gBAAgB;QAChB,6BAA6B;QAE7B,sBAAsB;QACtB,gBAAgB;QAChB,iBAAiB;QACjB,oBAAoB;QAEpB,8BAA8B;QAC9B,yBAAyB;QACzB,0BAA0B;QAE1B,uBAAuB;QACvB,oBAAoB;QACpB,0BAA0B;KAC3B;IACD,gBAAgB,EAAE;QAChB,iCAAiC;QACjC,MAAM;QACN,MAAM;QACN,OAAO;QACP,MAAM;QACN,cAAc;QACd,kBAAkB;QAClB,YAAY;QACZ,gBAAgB;QAChB,gBAAgB;KACjB;IACD,cAAc,EACZ,sNAAsN;IACxN,QAAQ,EAAE,gBAAgB;CAC3B,CAAC;AAEF;;;GAGG;AACH,MAAM,CAAC,MAAM,sBAAsB,GAAe;IAChD,EAAE,EAAE,SAAS;IACb,IAAI,EAAE,iDAAiD;IACvD,WAAW,EACT,4GAA4G;IAC9G,QAAQ,EAAE,MAAM;IAChB,cAAc,EAAE,oDAAoD;IACpE,QAAQ,EAAE;QACR,6BAA6B;QAC7B,yEAAyE;QACzE,qFAAqF;QAErF,qCAAqC;QACrC,kEAAkE;QAElE,iCAAiC;QACjC,yCAAyC;QACzC,yCAAyC;KAC1C;IACD,gBAAgB,EAAE;QAChB,iCAAiC;QACjC,WAAW;QACX,WAAW;QACX,mBAAmB;QACnB,gBAAgB;QAChB,oBAAoB;QACpB,MAAM;QACN,cAAc;QACd,aAAa;QACb,WAAW;QACX,YAAY;KACb;IACD,cAAc,EACZ,yNAAyN;IAC3N,QAAQ,EAAE,gBAAgB;CAC3B,CAAC;AAEF;;;GAGG;AACH,MAAM,CAAC,MAAM,UAAU,GAAe;IACpC,EAAE,EAAE,SAAS;IACb,IAAI,EAAE,6BAA6B;IACnC,WAAW,EACT,+DAA+D;IACjE,QAAQ,EAAE,UAAU;IACpB,cAAc,EAAE,oDAAoD;IACpE,QAAQ,EAAE;QACR,4BAA4B;QAC5B,UAAU;QACV,YAAY;QACZ,aAAa;QACb,YAAY;QAEZ,yBAAyB;QACzB,4BAA4B;QAC5B,4BAA4B;QAC5B,wCAAwC;QACxC,qCAAqC;QACrC,wBAAwB;QAExB,qBAAqB;QACrB,wBAAwB;QACxB,kCAAkC;QAElC,iDAAiD;QACjD,6CAA6C;KAC9C;IACD,gBAAgB,EAAE;QAChB,4CAA4C;QAC5C,aAAa;QACb,aAAa;QACb,aAAa;QACb,OAAO;QACP,SAAS;QACT,WAAW;QACX,WAAW;QACX,8BAA8B;QAC9B,eAAe;KAChB;IACD,cAAc,EACZ,2KAA2K;IAC7K,QAAQ,EAAE,gBAAgB;CAC3B,CAAC;AAEF,MAAM,CAAC,MAAM,gBAAgB,GAAiB;IAC5C,kBAAkB;IAClB,sBAAsB;IACtB,UAAU;CACX,CAAC"}

package/dist/scanners/configuration/index.d.ts

@@ -0,0 +1,8 @@
+/**
+ * Configuration Security Scanner
+ * Detects insecure configuration settings and missing security controls
+ */
+import type { Scanner } from '../../types.js';
+export declare const configurationScanner: Scanner;
+export default configurationScanner;
+//# sourceMappingURL=index.d.ts.map

package/dist/scanners/configuration/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/scanners/configuration/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAGH,OAAO,KAAK,EAAE,OAAO,EAAwB,MAAM,gBAAgB,CAAC;AAGpE,eAAO,MAAM,oBAAoB,EAAE,OA8FlC,CAAC;AAEF,eAAe,oBAAoB,CAAC"}

package/dist/scanners/configuration/index.js

@@ -0,0 +1,87 @@
+/**
+ * Configuration Security Scanner
+ * Detects insecure configuration settings and missing security controls
+ */
+import * as fs from 'fs/promises';
+import { ALL_CONFIGURATION_PATTERNS } from './patterns.js';
+export const configurationScanner = {
+    name: 'Configuration Security Scanner',
+    category: 'audit-logging',
+    async scan(files, options) {
+        const findings = [];
+        // Filter to code files
+        const codeFiles = files.filter((f) => /\.(ts|tsx|js|jsx)$/.test(f));
+        for (const file of codeFiles) {
+            try {
+                const content = await fs.readFile(file, 'utf-8');
+                const lines = content.split('\n');
+                // Check if this is a test file for CONFIG-003
+                const isTestFile = /\.(?:test|spec)\.[jt]sx?$/.test(file);
+                for (let i = 0; i < lines.length; i++) {
+                    const line = lines[i];
+                    const lineNumber = i + 1;
+                    // Skip empty lines and full-line comments
+                    if (/^\s*$/.test(line) || /^\s*\/\//.test(line))
+                        continue;
+                    // Scan each pattern
+                    for (const pattern of ALL_CONFIGURATION_PATTERNS) {
+                        // CONFIG-003: Skip test files entirely
+                        if (pattern.id === 'CONFIG-003' && isTestFile)
+                            continue;
+                        // Check if line matches violation pattern
+                        const matched = pattern.patterns.some((regex) => regex.test(line));
+                        if (!matched)
+                            continue;
+                        // Get surrounding context
+                        const contextBefore = pattern.id === 'CONFIG-001' ? 5 :
+                            pattern.id === 'CONFIG-002' ? 20 : 0;
+                        const contextAfter = pattern.id === 'CONFIG-001' ? 5 :
+                            pattern.id === 'CONFIG-002' ? 10 : 0;
+                        const contextStart = Math.max(0, i - contextBefore);
+                        const contextEnd = Math.min(lines.length, i + contextAfter + 1);
+                        const contextLines = lines.slice(contextStart, contextEnd);
+                        // Filter out comment lines from context
+                        const codeOnlyContext = contextLines
+                            .filter(l => !/^\s*\/\//.test(l) && !/^\s*\/\*/.test(l) && !/^\s*\*/.test(l))
+                            .join('\n');
+                        // Check negative patterns (safe usage indicators)
+                        const isSafe = pattern.negativePatterns?.some((regex) => {
+                            // For CONFIG-001, check if there's NODE_ENV gate in context
+                            if (pattern.id === 'CONFIG-001') {
+                                return regex.test(codeOnlyContext);
+                            }
+                            // For CONFIG-002, check if security headers are set in context
+                            if (pattern.id === 'CONFIG-002') {
+                                return regex.test(codeOnlyContext);
+                            }
+                            // For CONFIG-003, no negative patterns to check (handled by filename)
+                            return false;
+                        });
+                        if (isSafe)
+                            continue;
+                        // Create finding
+                        const finding = {
+                            id: pattern.id,
+                            category: pattern.category,
+                            severity: pattern.severity,
+                            title: pattern.name,
+                            description: `${pattern.description}\n\nCode: ${line.trim()}`,
+                            file: file,
+                            line: lineNumber,
+                            recommendation: pattern.recommendation,
+                            hipaaReference: pattern.hipaaReference,
+                            confidence: 'high',
+                        };
+                        findings.push(finding);
+                    }
+                }
+            }
+            catch (error) {
+                // Skip files that can't be read
+            }
+        }
+        return findings;
+    },
+};
+export default configurationScanner;
+//# sourceMappingURL=index.js.map

package/dist/scanners/configuration/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/scanners/configuration/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,MAAM,aAAa,CAAC;AAElC,OAAO,EAAE,0BAA0B,EAAE,MAAM,eAAe,CAAC;AAE3D,MAAM,CAAC,MAAM,oBAAoB,GAAY;IAC3C,IAAI,EAAE,gCAAgC;IACtC,QAAQ,EAAE,eAAe;IAEzB,KAAK,CAAC,IAAI,CAAC,KAAe,EAAE,OAAoB;QAC9C,MAAM,QAAQ,GAAc,EAAE,CAAC;QAE/B,uBAAuB;QACvB,MAAM,SAAS,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CACnC,oBAAoB,CAAC,IAAI,CAAC,CAAC,CAAC,CAC7B,CAAC;QAEF,KAAK,MAAM,IAAI,IAAI,SAAS,EAAE,CAAC;YAC7B,IAAI,CAAC;gBACH,MAAM,OAAO,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;gBACjD,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;gBAElC,8CAA8C;gBAC9C,MAAM,UAAU,GAAG,2BAA2B,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBAE1D,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;oBACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;oBACtB,MAAM,UAAU,GAAG,CAAC,GAAG,CAAC,CAAC;oBAEzB,0CAA0C;oBAC1C,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC;wBAAE,SAAS;oBAE1D,oBAAoB;oBACpB,KAAK,MAAM,OAAO,IAAI,0BAA0B,EAAE,CAAC;wBACjD,uCAAuC;wBACvC,IAAI,OAAO,CAAC,EAAE,KAAK,YAAY,IAAI,UAAU;4BAAE,SAAS;wBAExD,0CAA0C;wBAC1C,MAAM,OAAO,GAAG,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;wBAEnE,IAAI,CAAC,OAAO;4BAAE,SAAS;wBAEvB,0BAA0B;wBAC1B,MAAM,aAAa,GAAG,OAAO,CAAC,EAAE,KAAK,YAAY,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;4BACjC,OAAO,CAAC,EAAE,KAAK,YAAY,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;wBAC3D,MAAM,YAAY,GAAG,OAAO,CAAC,EAAE,KAAK,YAAY,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;4BACjC,OAAO,CAAC,EAAE,KAAK,YAAY,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;wBAE1D,MAAM,YAAY,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,GAAG,aAAa,CAAC,CAAC;wBACpD,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,GAAG,YAAY,GAAG,CAAC,CAAC,CAAC;wBAChE,MAAM,YAAY,GAAG,KAAK,CAAC,KAAK,CAAC,YAAY,EAAE,UAAU,CAAC,CAAC;wBAE3D,wCAAwC;wBACxC,MAAM,eAAe,GAAG,YAAY;6BACjC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;6BAC5E,IAAI,CAAC,IAAI,CAAC,CAAC;wBAEd,kDAAkD;wBAClD,MAAM,MAAM,GAAG,OAAO,CAAC,gBAAgB,EAAE,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE;4BACtD,4DAA4D;4BAC5D,IAAI,OAAO,CAAC,EAAE,KAAK,YAAY,EAAE,CAAC;gCAChC,OAAO,KAAK,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;4BACrC,CAAC;4BAED,+DAA+D;4BAC/D,IAAI,OAAO,CAAC,EAAE,KAAK,YAAY,EAAE,CAAC;gCAChC,OAAO,KAAK,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;4BACrC,CAAC;4BAED,sEAAsE;4BACtE,OAAO,KAAK,CAAC;wBACf,CAAC,CAAC,CAAC;wBAEH,IAAI,MAAM;4BAAE,SAAS;wBAErB,iBAAiB;wBACjB,MAAM,OAAO,GAAY;4BACvB,EAAE,EAAE,OAAO,CAAC,EAAE;4BACd,QAAQ,EAAE,OAAO,CAAC,QAAe;4BACjC,QAAQ,EAAE,OAAO,CAAC,QAAQ;4BAC1B,KAAK,EAAE,OAAO,CAAC,IAAI;4BACnB,WAAW,EAAE,GAAG,OAAO,CAAC,WAAW,aAAa,IAAI,CAAC,IAAI,EAAE,EAAE;4BAC7D,IAAI,EAAE,IAAI;4BACV,IAAI,EAAE,UAAU;4BAChB,cAAc,EAAE,OAAO,CAAC,cAAc;4BACtC,cAAc,EAAE,OAAO,CAAC,cAAc;4BACtC,UAAU,EAAE,MAAM;yBACnB,CAAC;wBAEF,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;oBACzB,CAAC;gBACH,CAAC;YACH,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,gCAAgC;YAClC,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF,CAAC;AAEF,eAAe,oBAAoB,CAAC"}

package/dist/scanners/configuration/index.test.d.ts

@@ -0,0 +1,5 @@
+/**
+ * Configuration Security Scanner Tests
+ */
+export {};
+//# sourceMappingURL=index.test.d.ts.map

package/dist/scanners/configuration/index.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.test.d.ts","sourceRoot":"","sources":["../../../src/scanners/configuration/index.test.ts"],"names":[],"mappings":"AAAA;;GAEG"}

package/dist/scanners/configuration/index.test.js

@@ -0,0 +1,344 @@
+/**
+ * Configuration Security Scanner Tests
+ */
+import { describe, it, expect, beforeEach, afterEach } from 'vitest';
+import { configurationScanner } from './index.js';
+import * as fs from 'fs/promises';
+import * as path from 'path';
+import * as os from 'os';
+describe('Configuration Security Scanner', () => {
+    let tempDir = '';
+    let testFiles = [];
+    beforeEach(async () => {
+        tempDir = await fs.mkdtemp(path.join(os.tmpdir(), 'config-test-'));
+    });
+    afterEach(async () => {
+        // Cleanup
+        for (const file of testFiles) {
+            try {
+                await fs.unlink(file);
+            }
+            catch {
+                // Ignore
+            }
+        }
+        try {
+            await fs.rm(tempDir, { recursive: true, force: true });
+        }
+        catch {
+            // Ignore
+        }
+        testFiles = [];
+    });
+    async function createTestFile(filename, content) {
+        const filePath = path.join(tempDir, filename);
+        await fs.writeFile(filePath, content, 'utf-8');
+        testFiles.push(filePath);
+        return filePath;
+    }
+    const scanOptions = {
+        path: tempDir,
+    };
+    describe('CONFIG-001: Debug/Verbose Mode Without Environment Gate', () => {
+        it('should detect debug:true without NODE_ENV gate', async () => {
+            const file = await createTestFile('config.ts', `export const config = {
+  debug: true,
+  apiUrl: 'https://api.example.com'
+};`);
+            const findings = await configurationScanner.scan([file], scanOptions);
+            const configFindings = findings.filter((f) => f.id === 'CONFIG-001');
+            expect(configFindings.length).toBeGreaterThan(0);
+            expect(configFindings[0].severity).toBe('high');
+        });
+        it('should detect DEBUG:true', async () => {
+            const file = await createTestFile('env.ts', `
+const settings = {
+  DEBUG: true,
+  port: 3000
+};
+`);
+            const findings = await configurationScanner.scan([file], scanOptions);
+            expect(findings.some((f) => f.id === 'CONFIG-001')).toBe(true);
+        });
+        it('should detect verbose:true', async () => {
+            const file = await createTestFile('logger.ts', `
+const loggerConfig = {
+  verbose: true,
+  level: 'info'
+};
+`);
+            const findings = await configurationScanner.scan([file], scanOptions);
+            expect(findings.some((f) => f.id === 'CONFIG-001')).toBe(true);
+        });
+        it('should detect devTools:true', async () => {
+            const file = await createTestFile('redux.ts', `
+const store = createStore(reducer, {
+  devTools: true
+});
+`);
+            const findings = await configurationScanner.scan([file], scanOptions);
+            expect(findings.some((f) => f.id === 'CONFIG-001')).toBe(true);
+        });
+        it('should NOT flag debug with NODE_ENV gate', async () => {
+            const file = await createTestFile('safe-config.ts', `
+export const config = {
+  debug: process.env.NODE_ENV === 'development',
+  apiUrl: 'https://api.example.com'
+};
+`);
+            const findings = await configurationScanner.scan([file], scanOptions);
+            const configFindings = findings.filter((f) => f.id === 'CONFIG-001');
+            expect(configFindings.length).toBe(0);
+        });
+        it('should NOT flag debug with isDevelopment check', async () => {
+            const file = await createTestFile('safe-debug.ts', `
+const isDevelopment = process.env.NODE_ENV === 'development';
+export const config = {
+  debug: isDevelopment
+};
+`);
+            const findings = await configurationScanner.scan([file], scanOptions);
+            const configFindings = findings.filter((f) => f.id === 'CONFIG-001');
+            expect(configFindings.length).toBe(0);
+        });
+        it('should NOT flag debug in test files', async () => {
+            const file = await createTestFile('app.test.ts', `
+describe('app', () => {
+  const config = { debug: true };
+  it('should work', () => {});
+});
+`);
+            const findings = await configurationScanner.scan([file], scanOptions);
+            const configFindings = findings.filter((f) => f.id === 'CONFIG-001');
+            expect(configFindings.length).toBe(0);
+        });
+        it('should NOT flag debug in conditional', async () => {
+            const file = await createTestFile('conditional.ts', `
+const config = {
+  debug: process.env.NODE_ENV !== 'production'
+};
+`);
+            const findings = await configurationScanner.scan([file], scanOptions);
+            const configFindings = findings.filter((f) => f.id === 'CONFIG-001');
+            expect(configFindings.length).toBe(0);
+        });
+    });
+    describe('CONFIG-002: Web Server Without Security Headers', () => {
+        it('should detect express() without helmet', async () => {
+            const file = await createTestFile('server.ts', `
+import express from 'express';
+
+const app = express();
+
+app.get('/', (req, res) => {
+  res.send('Hello');
+});
+
+app.listen(3000);
+`);
+            const findings = await configurationScanner.scan([file], scanOptions);
+            const configFindings = findings.filter((f) => f.id === 'CONFIG-002');
+            expect(configFindings.length).toBeGreaterThan(0);
+            expect(configFindings[0].severity).toBe('medium');
+        });
+        it('should detect http.createServer without headers', async () => {
+            const file = await createTestFile('http-server.ts', `
+import http from 'http';
+
+const server = http.createServer((req, res) => {
+  res.end('Hello');
+});
+
+server.listen(3000);
+`);
+            const findings = await configurationScanner.scan([file], scanOptions);
+            expect(findings.some((f) => f.id === 'CONFIG-002')).toBe(true);
+        });
+        it('should detect new Hono() without security', async () => {
+            const file = await createTestFile('hono-app.ts', `
+import { Hono } from 'hono';
+
+const app = new Hono();
+
+app.get('/', (c) => c.text('Hello'));
+`);
+            const findings = await configurationScanner.scan([file], scanOptions);
+            expect(findings.some((f) => f.id === 'CONFIG-002')).toBe(true);
+        });
+        it('should detect new Elysia() without security', async () => {
+            const file = await createTestFile('elysia-app.ts', `
+import { Elysia } from 'elysia';
+
+const app = new Elysia();
+`);
+            const findings = await configurationScanner.scan([file], scanOptions);
+            expect(findings.some((f) => f.id === 'CONFIG-002')).toBe(true);
+        });
+        it('should NOT flag express with helmet', async () => {
+            const file = await createTestFile('secure-express.ts', `
+import express from 'express';
+import helmet from 'helmet';
+
+const app = express();
+app.use(helmet());
+
+app.listen(3000);
+`);
+            const findings = await configurationScanner.scan([file], scanOptions);
+            const configFindings = findings.filter((f) => f.id === 'CONFIG-002');
+            expect(configFindings.length).toBe(0);
+        });
+        it('should NOT flag server with X-Frame-Options header', async () => {
+            const file = await createTestFile('secure-headers.ts', `
+const app = express();
+
+app.use((req, res, next) => {
+  res.setHeader('X-Frame-Options', 'DENY');
+  res.setHeader('X-Content-Type-Options', 'nosniff');
+  next();
+});
+`);
+            const findings = await configurationScanner.scan([file], scanOptions);
+            const configFindings = findings.filter((f) => f.id === 'CONFIG-002');
+            expect(configFindings.length).toBe(0);
+        });
+        it('should NOT flag server with CSP header', async () => {
+            const file = await createTestFile('csp-headers.ts', `
+import http from 'http';
+
+const server = http.createServer((req, res) => {
+  res.setHeader('Content-Security-Policy', "default-src 'self'");
+  res.end('Hello');
+});
+`);
+            const findings = await configurationScanner.scan([file], scanOptions);
+            const configFindings = findings.filter((f) => f.id === 'CONFIG-002');
+            expect(configFindings.length).toBe(0);
+        });
+    });
+    describe('CONFIG-003: Test Framework Imports in Production Code', () => {
+        it('should detect jest import in production file', async () => {
+            const file = await createTestFile('utils.ts', `
+import { jest } from '@jest/globals';
+
+export function mockFunction() {
+  return jest.fn();
+}
+`);
+            const findings = await configurationScanner.scan([file], scanOptions);
+            const configFindings = findings.filter((f) => f.id === 'CONFIG-003');
+            expect(configFindings.length).toBeGreaterThan(0);
+            expect(configFindings[0].severity).toBe('low');
+        });
+        it('should detect vitest import in production file', async () => {
+            const file = await createTestFile('helper.ts', `
+import { describe, it, expect } from 'vitest';
+
+export function runTests() {
+  describe('tests', () => {});
+}
+`);
+            const findings = await configurationScanner.scan([file], scanOptions);
+            expect(findings.some((f) => f.id === 'CONFIG-003')).toBe(true);
+        });
+        it('should detect mocha import in production file', async () => {
+            const file = await createTestFile('runner.ts', `
+import { describe } from 'mocha';
+`);
+            const findings = await configurationScanner.scan([file], scanOptions);
+            expect(findings.some((f) => f.id === 'CONFIG-003')).toBe(true);
+        });
+        it('should detect chai import in production file', async () => {
+            const file = await createTestFile('assertions.ts', `
+import { expect } from 'chai';
+`);
+            const findings = await configurationScanner.scan([file], scanOptions);
+            expect(findings.some((f) => f.id === 'CONFIG-003')).toBe(true);
+        });
+        it('should detect faker import in production file', async () => {
+            const file = await createTestFile('data.ts', `
+import { faker } from '@faker-js/faker';
+
+export const fakeData = faker.name.firstName();
+`);
+            const findings = await configurationScanner.scan([file], scanOptions);
+            expect(findings.some((f) => f.id === 'CONFIG-003')).toBe(true);
+        });
+        it('should detect cypress import in production file', async () => {
+            const file = await createTestFile('commands.ts', `
+import { cy } from 'cypress';
+`);
+            const findings = await configurationScanner.scan([file], scanOptions);
+            expect(findings.some((f) => f.id === 'CONFIG-003')).toBe(true);
+        });
+        it('should NOT flag test framework imports in test files', async () => {
+            const file = await createTestFile('app.test.ts', `
+import { describe, it, expect } from 'vitest';
+import { jest } from '@jest/globals';
+
+describe('app', () => {
+  it('should work', () => {
+    expect(true).toBe(true);
+  });
+});
+`);
+            const findings = await configurationScanner.scan([file], scanOptions);
+            const configFindings = findings.filter((f) => f.id === 'CONFIG-003');
+            expect(configFindings.length).toBe(0);
+        });
+        it('should NOT flag test framework imports in spec files', async () => {
+            const file = await createTestFile('component.spec.ts', `
+import { describe, it } from 'mocha';
+import { expect } from 'chai';
+`);
+            const findings = await configurationScanner.scan([file], scanOptions);
+            const configFindings = findings.filter((f) => f.id === 'CONFIG-003');
+            expect(configFindings.length).toBe(0);
+        });
+    });
+    describe('Combined violations', () => {
+        it('should detect multiple CONFIG violations in same file', async () => {
+            const file = await createTestFile('bad-config.ts', `
+import { jest } from '@jest/globals';
+import express from 'express';
+
+const config = {
+  debug: true,
+  verbose: true
+};
+
+const app = express();
+
+app.listen(3000);
+`);
+            const findings = await configurationScanner.scan([file], scanOptions);
+            expect(findings.some((f) => f.id === 'CONFIG-001')).toBe(true);
+            expect(findings.some((f) => f.id === 'CONFIG-002')).toBe(true);
+            expect(findings.some((f) => f.id === 'CONFIG-003')).toBe(true);
+        });
+    });
+    it('should provide correct HIPAA references', async () => {
+        const file = await createTestFile('hipaa-refs.ts', `
+const config = { debug: true };
+const app = express();
+import { vitest } from 'vitest';
+`);
+        const findings = await configurationScanner.scan([file], scanOptions);
+        expect(findings.every((f) => f.hipaaReference?.includes('Configuration Management'))).toBe(true);
+    });
+    it('should have correct severity levels', async () => {
+        const file1 = await createTestFile('severity-high.ts', `const config = { debug: true };`);
+        const file2 = await createTestFile('severity-medium.ts', `const app = express();`);
+        const file3 = await createTestFile('severity-low.ts', `import { jest } from '@jest/globals';`);
+        const findings1 = await configurationScanner.scan([file1], scanOptions);
+        const findings2 = await configurationScanner.scan([file2], scanOptions);
+        const findings3 = await configurationScanner.scan([file3], scanOptions);
+        const config001 = findings1.find((f) => f.id === 'CONFIG-001');
+        const config002 = findings2.find((f) => f.id === 'CONFIG-002');
+        const config003 = findings3.find((f) => f.id === 'CONFIG-003');
+        expect(config001?.severity).toBe('high');
+        expect(config002?.severity).toBe('medium');
+        expect(config003?.severity).toBe('low');
+    });
+});
+//# sourceMappingURL=index.test.js.map

package/dist/scanners/configuration/index.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.test.js","sourceRoot":"","sources":["../../../src/scanners/configuration/index.test.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,QAAQ,CAAC;AACrE,OAAO,EAAE,oBAAoB,EAAE,MAAM,YAAY,CAAC;AAElD,OAAO,KAAK,EAAE,MAAM,aAAa,CAAC;AAClC,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAC7B,OAAO,KAAK,EAAE,MAAM,IAAI,CAAC;AAEzB,QAAQ,CAAC,gCAAgC,EAAE,GAAG,EAAE;IAC9C,IAAI,OAAO,GAAW,EAAE,CAAC;IACzB,IAAI,SAAS,GAAa,EAAE,CAAC;IAE7B,UAAU,CAAC,KAAK,IAAI,EAAE;QACpB,OAAO,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,cAAc,CAAC,CAAC,CAAC;IACrE,CAAC,CAAC,CAAC;IAEH,SAAS,CAAC,KAAK,IAAI,EAAE;QACnB,UAAU;QACV,KAAK,MAAM,IAAI,IAAI,SAAS,EAAE,CAAC;YAC7B,IAAI,CAAC;gBACH,MAAM,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;YACxB,CAAC;YAAC,MAAM,CAAC;gBACP,SAAS;YACX,CAAC;QACH,CAAC;QACD,IAAI,CAAC;YACH,MAAM,EAAE,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QACzD,CAAC;QAAC,MAAM,CAAC;YACP,SAAS;QACX,CAAC;QACD,SAAS,GAAG,EAAE,CAAC;IACjB,CAAC,CAAC,CAAC;IAEH,KAAK,UAAU,cAAc,CAC3B,QAAgB,EAChB,OAAe;QAEf,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QAC9C,MAAM,EAAE,CAAC,SAAS,CAAC,QAAQ,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;QAC/C,SAAS,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACzB,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,MAAM,WAAW,GAAgB;QAC/B,IAAI,EAAE,OAAO;KACd,CAAC;IAEF,QAAQ,CAAC,yDAAyD,EAAE,GAAG,EAAE;QACvE,EAAE,CAAC,gDAAgD,EAAE,KAAK,IAAI,EAAE;YAC9D,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,WAAW,EACX;;;GAGL,CACI,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,oBAAoB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACtE,MAAM,cAAc,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,YAAY,CAAC,CAAC;YACrE,MAAM,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;YACjD,MAAM,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAClD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,0BAA0B,EAAE,KAAK,IAAI,EAAE;YACxC,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,QAAQ,EACR;;;;;CAKP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,oBAAoB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACtE,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,YAAY,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACjE,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,4BAA4B,EAAE,KAAK,IAAI,EAAE;YAC1C,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,WAAW,EACX;;;;;CAKP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,oBAAoB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACtE,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,YAAY,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACjE,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,6BAA6B,EAAE,KAAK,IAAI,EAAE;YAC3C,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,UAAU,EACV;;;;CAIP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,oBAAoB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACtE,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,YAAY,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACjE,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,0CAA0C,EAAE,KAAK,IAAI,EAAE;YACxD,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,gBAAgB,EAChB;;;;;CAKP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,oBAAoB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACtE,MAAM,cAAc,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,YAAY,CAAC,CAAC;YACrE,MAAM,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACxC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,gDAAgD,EAAE,KAAK,IAAI,EAAE;YAC9D,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,eAAe,EACf;;;;;CAKP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,oBAAoB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACtE,MAAM,cAAc,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,YAAY,CAAC,CAAC;YACrE,MAAM,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACxC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,qCAAqC,EAAE,KAAK,IAAI,EAAE;YACnD,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,aAAa,EACb;;;;;CAKP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,oBAAoB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACtE,MAAM,cAAc,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,YAAY,CAAC,CAAC;YACrE,MAAM,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACxC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,sCAAsC,EAAE,KAAK,IAAI,EAAE;YACpD,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,gBAAgB,EAChB;;;;CAIP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,oBAAoB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACtE,MAAM,cAAc,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,YAAY,CAAC,CAAC;YACrE,MAAM,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACxC,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,iDAAiD,EAAE,GAAG,EAAE;QAC/D,EAAE,CAAC,wCAAwC,EAAE,KAAK,IAAI,EAAE;YACtD,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,WAAW,EACX;;;;;;;;;;CAUP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,oBAAoB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACtE,MAAM,cAAc,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,YAAY,CAAC,CAAC;YACrE,MAAM,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;YACjD,MAAM,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACpD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,iDAAiD,EAAE,KAAK,IAAI,EAAE;YAC/D,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,gBAAgB,EAChB;;;;;;;;CAQP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,oBAAoB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACtE,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,YAAY,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACjE,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,2CAA2C,EAAE,KAAK,IAAI,EAAE;YACzD,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,aAAa,EACb;;;;;;CAMP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,oBAAoB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACtE,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,YAAY,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACjE,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,6CAA6C,EAAE,KAAK,IAAI,EAAE;YAC3D,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,eAAe,EACf;;;;CAIP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,oBAAoB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACtE,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,YAAY,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACjE,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,qCAAqC,EAAE,KAAK,IAAI,EAAE;YACnD,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,mBAAmB,EACnB;;;;;;;;CAQP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,oBAAoB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACtE,MAAM,cAAc,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,YAAY,CAAC,CAAC;YACrE,MAAM,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACxC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,oDAAoD,EAAE,KAAK,IAAI,EAAE;YAClE,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,mBAAmB,EACnB;;;;;;;;CAQP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,oBAAoB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACtE,MAAM,cAAc,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,YAAY,CAAC,CAAC;YACrE,MAAM,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACxC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,wCAAwC,EAAE,KAAK,IAAI,EAAE;YACtD,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,gBAAgB,EAChB;;;;;;;CAOP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,oBAAoB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACtE,MAAM,cAAc,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,YAAY,CAAC,CAAC;YACrE,MAAM,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACxC,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,uDAAuD,EAAE,GAAG,EAAE;QACrE,EAAE,CAAC,8CAA8C,EAAE,KAAK,IAAI,EAAE;YAC5D,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,UAAU,EACV;;;;;;CAMP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,oBAAoB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACtE,MAAM,cAAc,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,YAAY,CAAC,CAAC;YACrE,MAAM,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;YACjD,MAAM,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACjD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,gDAAgD,EAAE,KAAK,IAAI,EAAE;YAC9D,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,WAAW,EACX;;;;;;CAMP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,oBAAoB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACtE,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,YAAY,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACjE,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,+CAA+C,EAAE,KAAK,IAAI,EAAE;YAC7D,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,WAAW,EACX;;CAEP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,oBAAoB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACtE,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,YAAY,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACjE,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,8CAA8C,EAAE,KAAK,IAAI,EAAE;YAC5D,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,eAAe,EACf;;CAEP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,oBAAoB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACtE,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,YAAY,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACjE,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,+CAA+C,EAAE,KAAK,IAAI,EAAE;YAC7D,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,SAAS,EACT;;;;CAIP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,oBAAoB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACtE,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,YAAY,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACjE,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,iDAAiD,EAAE,KAAK,IAAI,EAAE;YAC/D,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,aAAa,EACb;;CAEP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,oBAAoB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACtE,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,YAAY,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACjE,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,sDAAsD,EAAE,KAAK,IAAI,EAAE;YACpE,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,aAAa,EACb;;;;;;;;;CASP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,oBAAoB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACtE,MAAM,cAAc,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,YAAY,CAAC,CAAC;YACrE,MAAM,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACxC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,sDAAsD,EAAE,KAAK,IAAI,EAAE;YACpE,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,mBAAmB,EACnB;;;CAGP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,oBAAoB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACtE,MAAM,cAAc,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,YAAY,CAAC,CAAC;YACrE,MAAM,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACxC,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,qBAAqB,EAAE,GAAG,EAAE;QACnC,EAAE,CAAC,uDAAuD,EAAE,KAAK,IAAI,EAAE;YACrE,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,eAAe,EACf;;;;;;;;;;;;CAYP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,oBAAoB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACtE,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,YAAY,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC/D,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,YAAY,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC/D,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,YAAY,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACjE,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yCAAyC,EAAE,KAAK,IAAI,EAAE;QACvD,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,eAAe,EACf;;;;CAIL,CACI,CAAC;QAEF,MAAM,QAAQ,GAAG,MAAM,oBAAoB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;QACtE,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,cAAc,EAAE,QAAQ,CAAC,0BAA0B,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACnG,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qCAAqC,EAAE,KAAK,IAAI,EAAE;QACnD,MAAM,KAAK,GAAG,MAAM,cAAc,CAChC,kBAAkB,EAClB,iCAAiC,CAClC,CAAC;QAEF,MAAM,KAAK,GAAG,MAAM,cAAc,CAChC,oBAAoB,EACpB,wBAAwB,CACzB,CAAC;QAEF,MAAM,KAAK,GAAG,MAAM,cAAc,CAChC,iBAAiB,EACjB,uCAAuC,CACxC,CAAC;QAEF,MAAM,SAAS,GAAG,MAAM,oBAAoB,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,EAAE,WAAW,CAAC,CAAC;QACxE,MAAM,SAAS,GAAG,MAAM,oBAAoB,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,EAAE,WAAW,CAAC,CAAC;QACxE,MAAM,SAAS,GAAG,MAAM,oBAAoB,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,EAAE,WAAW,CAAC,CAAC;QAExE,MAAM,SAAS,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,YAAY,CAAC,CAAC;QAC/D,MAAM,SAAS,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,YAAY,CAAC,CAAC;QAC/D,MAAM,SAAS,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,YAAY,CAAC,CAAC;QAE/D,MAAM,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACzC,MAAM,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAC3C,MAAM,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC1C,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/scanners/configuration/patterns.d.ts

@@ -0,0 +1,32 @@
+/**
+ * Configuration Security Detection Patterns
+ * Detects insecure configuration settings and missing security controls
+ */
+export interface ConfigurationPattern {
+    id: string;
+    name: string;
+    description: string;
+    severity: 'high' | 'medium' | 'low';
+    hipaaReference: string;
+    patterns: RegExp[];
+    negativePatterns?: RegExp[];
+    recommendation: string;
+    category: string;
+}
+/**
+ * CONFIG-001: Debug/Verbose Mode Without Environment Gate
+ * Detects debug/verbose flags enabled without NODE_ENV check
+ */
+export declare const DEBUG_WITHOUT_ENV_GATE: ConfigurationPattern;
+/**
+ * CONFIG-002: Web Server Without Security Headers
+ * Detects web servers created without helmet or security headers middleware
+ */
+export declare const SERVER_WITHOUT_SECURITY_HEADERS: ConfigurationPattern;
+/**
+ * CONFIG-003: Test Framework Imports in Production Code
+ * Detects test framework imports in non-test files
+ */
+export declare const TEST_IMPORTS_IN_PRODUCTION: ConfigurationPattern;
+export declare const ALL_CONFIGURATION_PATTERNS: ConfigurationPattern[];
+//# sourceMappingURL=patterns.d.ts.map

package/dist/scanners/configuration/patterns.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"patterns.d.ts","sourceRoot":"","sources":["../../../src/scanners/configuration/patterns.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,MAAM,WAAW,oBAAoB;IACnC,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAC;IACpC,cAAc,EAAE,MAAM,CAAC;IACvB,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC5B,cAAc,EAAE,MAAM,CAAC;IACvB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;;GAGG;AACH,eAAO,MAAM,sBAAsB,EAAE,oBAwDpC,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,+BAA+B,EAAE,oBAqD7C,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,0BAA0B,EAAE,oBA0CxC,CAAC;AAEF,eAAO,MAAM,0BAA0B,EAAE,oBAAoB,EAI5D,CAAC"}