verification-layer 0.25.3 → 0.27.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (40) hide show
  1. package/dist/cli.js +38 -0
  2. package/dist/cli.js.map +1 -1
  3. package/dist/index.d.ts +2 -0
  4. package/dist/index.d.ts.map +1 -1
  5. package/dist/index.js +1 -0
  6. package/dist/index.js.map +1 -1
  7. package/dist/rule-catalog.json +1491 -0
  8. package/dist/rules/catalog.d.ts +44 -0
  9. package/dist/rules/catalog.d.ts.map +1 -0
  10. package/dist/rules/catalog.js +196 -0
  11. package/dist/rules/catalog.js.map +1 -0
  12. package/dist/rules/catalog.test.d.ts +2 -0
  13. package/dist/rules/catalog.test.d.ts.map +1 -0
  14. package/dist/rules/catalog.test.js +80 -0
  15. package/dist/rules/catalog.test.js.map +1 -0
  16. package/dist/rules/schema.d.ts +13 -0
  17. package/dist/rules/schema.d.ts.map +1 -1
  18. package/dist/rules/schema.js +13 -1
  19. package/dist/rules/schema.js.map +1 -1
  20. package/dist/scanners/access/index.d.ts +22 -0
  21. package/dist/scanners/access/index.d.ts.map +1 -1
  22. package/dist/scanners/access/index.js +1 -1
  23. package/dist/scanners/access/index.js.map +1 -1
  24. package/dist/scanners/audit/index.d.ts +21 -0
  25. package/dist/scanners/audit/index.d.ts.map +1 -1
  26. package/dist/scanners/audit/index.js +24 -0
  27. package/dist/scanners/audit/index.js.map +1 -1
  28. package/dist/scanners/encryption/index.d.ts +25 -1
  29. package/dist/scanners/encryption/index.d.ts.map +1 -1
  30. package/dist/scanners/encryption/index.js +20 -20
  31. package/dist/scanners/encryption/index.js.map +1 -1
  32. package/dist/scanners/retention/index.d.ts +33 -0
  33. package/dist/scanners/retention/index.d.ts.map +1 -1
  34. package/dist/scanners/retention/index.js +1 -1
  35. package/dist/scanners/retention/index.js.map +1 -1
  36. package/dist/scanners/security/index.d.ts +10 -1
  37. package/dist/scanners/security/index.d.ts.map +1 -1
  38. package/dist/scanners/security/index.js +1 -1
  39. package/dist/scanners/security/index.js.map +1 -1
  40. package/package.json +2 -2
@@ -0,0 +1,1491 @@
1
+ {
2
+ "package": "verification-layer",
3
+ "version": "0.27.0",
4
+ "total": 143,
5
+ "counts": {
6
+ "phi-exposure": 29,
7
+ "encryption": 20,
8
+ "audit-logging": 8,
9
+ "access-control": 77,
10
+ "data-retention": 9
11
+ },
12
+ "rules": [
13
+ {
14
+ "id": "ssn-hardcoded",
15
+ "category": "phi-exposure",
16
+ "severity": "critical",
17
+ "title": "Potential SSN detected",
18
+ "description": "A pattern matching Social Security Number format was found in the code.",
19
+ "recommendation": "Remove hardcoded SSN. Use secure storage and encryption for sensitive identifiers.",
20
+ "source": "pattern",
21
+ "scanner": "phi"
22
+ },
23
+ {
24
+ "id": "medical-record-number",
25
+ "category": "phi-exposure",
26
+ "severity": "high",
27
+ "title": "Medical Record Number exposure",
28
+ "description": "A hardcoded medical record number was detected.",
29
+ "recommendation": "Never hardcode MRNs. Fetch from secure, encrypted storage.",
30
+ "source": "pattern",
31
+ "scanner": "phi"
32
+ },
33
+ {
34
+ "id": "dob-exposed",
35
+ "category": "phi-exposure",
36
+ "severity": "high",
37
+ "title": "Date of birth exposure",
38
+ "description": "Date of birth information may be hardcoded or improperly handled.",
39
+ "recommendation": "Encrypt DOB at rest and in transit. Apply minimum necessary principle.",
40
+ "source": "pattern",
41
+ "scanner": "phi"
42
+ },
43
+ {
44
+ "id": "diagnosis-code",
45
+ "category": "phi-exposure",
46
+ "severity": "medium",
47
+ "title": "Diagnosis code in source",
48
+ "description": "ICD-10 diagnosis codes found in source code.",
49
+ "recommendation": "Load diagnosis codes from secure configuration, not source code.",
50
+ "source": "pattern",
51
+ "scanner": "phi"
52
+ },
53
+ {
54
+ "id": "phi-in-url",
55
+ "category": "phi-exposure",
56
+ "severity": "high",
57
+ "title": "PHI identifier in URL pattern",
58
+ "description": "URL pattern suggests PHI may be exposed in URLs.",
59
+ "recommendation": "Never include PHI in URLs. Use opaque tokens or encrypted identifiers.",
60
+ "source": "pattern",
61
+ "scanner": "phi"
62
+ },
63
+ {
64
+ "id": "patient-name-log",
65
+ "category": "phi-exposure",
66
+ "severity": "high",
67
+ "title": "Patient name in console output",
68
+ "description": "Patient names may be logged to console, exposing PHI.",
69
+ "recommendation": "Remove patient identifiers from logs. Use anonymized IDs for debugging.",
70
+ "source": "pattern",
71
+ "scanner": "phi"
72
+ },
73
+ {
74
+ "id": "phi-console-log",
75
+ "category": "phi-exposure",
76
+ "severity": "high",
77
+ "title": "PHI data in console output",
78
+ "description": "Sensitive health information may be logged to console.",
79
+ "recommendation": "Never log PHI to console. Use structured logging with PHI redaction.",
80
+ "source": "pattern",
81
+ "scanner": "phi"
82
+ },
83
+ {
84
+ "id": "phi-json-stringify-log",
85
+ "category": "phi-exposure",
86
+ "severity": "high",
87
+ "title": "Patient object serialized to console",
88
+ "description": "Patient objects are being serialized and logged, potentially exposing all PHI fields.",
89
+ "recommendation": "Create a sanitized version of patient objects for logging, excluding PHI fields.",
90
+ "source": "pattern",
91
+ "scanner": "phi"
92
+ },
93
+ {
94
+ "id": "phi-template-log",
95
+ "category": "phi-exposure",
96
+ "severity": "high",
97
+ "title": "PHI in template literal log",
98
+ "description": "Template literal logging may expose PHI data.",
99
+ "recommendation": "Avoid interpolating PHI into log messages.",
100
+ "source": "pattern",
101
+ "scanner": "phi"
102
+ },
103
+ {
104
+ "id": "phi-localstorage",
105
+ "category": "phi-exposure",
106
+ "severity": "critical",
107
+ "title": "PHI stored in localStorage",
108
+ "description": "PHI data is being stored in localStorage which is not encrypted and persists indefinitely.",
109
+ "recommendation": "Never store PHI in localStorage. Use encrypted server-side storage with proper access controls.",
110
+ "source": "pattern",
111
+ "scanner": "phi"
112
+ },
113
+ {
114
+ "id": "phi-sessionstorage",
115
+ "category": "phi-exposure",
116
+ "severity": "high",
117
+ "title": "PHI stored in sessionStorage",
118
+ "description": "PHI data is being stored in sessionStorage which is not encrypted.",
119
+ "recommendation": "Avoid storing PHI in browser storage. Use secure, encrypted server-side sessions.",
120
+ "source": "pattern",
121
+ "scanner": "phi"
122
+ },
123
+ {
124
+ "id": "phi-cookie-storage",
125
+ "category": "phi-exposure",
126
+ "severity": "critical",
127
+ "title": "PHI stored in cookies",
128
+ "description": "PHI data may be stored in browser cookies without encryption.",
129
+ "recommendation": "Never store PHI in cookies. Use encrypted server-side sessions with secure, httpOnly cookies for session IDs only.",
130
+ "source": "pattern",
131
+ "scanner": "phi"
132
+ },
133
+ {
134
+ "id": "phi-indexeddb",
135
+ "category": "phi-exposure",
136
+ "severity": "high",
137
+ "title": "PHI potentially stored in IndexedDB",
138
+ "description": "PHI may be stored in IndexedDB which lacks built-in encryption.",
139
+ "recommendation": "If using IndexedDB for PHI, implement client-side encryption and proper key management.",
140
+ "source": "pattern",
141
+ "scanner": "phi"
142
+ },
143
+ {
144
+ "id": "email-phi-context",
145
+ "category": "phi-exposure",
146
+ "severity": "medium",
147
+ "title": "Patient email handling detected",
148
+ "description": "Code handles patient email addresses which are PHI.",
149
+ "recommendation": "Ensure patient emails are encrypted and access is logged.",
150
+ "source": "pattern",
151
+ "scanner": "phi"
152
+ },
153
+ {
154
+ "id": "phone-phi-context",
155
+ "category": "phi-exposure",
156
+ "severity": "medium",
157
+ "title": "Patient phone handling detected",
158
+ "description": "Code handles patient phone numbers which are PHI.",
159
+ "recommendation": "Ensure patient contact info is encrypted and access is logged.",
160
+ "source": "pattern",
161
+ "scanner": "phi"
162
+ },
163
+ {
164
+ "id": "address-phi-context",
165
+ "category": "phi-exposure",
166
+ "severity": "medium",
167
+ "title": "Patient address handling detected",
168
+ "description": "Code handles patient addresses which are PHI.",
169
+ "recommendation": "Ensure patient addresses are encrypted and access is logged.",
170
+ "source": "pattern",
171
+ "scanner": "phi"
172
+ },
173
+ {
174
+ "id": "phi-query-param",
175
+ "category": "phi-exposure",
176
+ "severity": "critical",
177
+ "title": "PHI in URL query parameter",
178
+ "description": "PHI identifiers are being passed as URL query parameters, which may be logged in server logs, browser history, and referrer headers.",
179
+ "recommendation": "Never pass PHI in URLs. Use POST requests with encrypted body or session-based lookups.",
180
+ "source": "pattern",
181
+ "scanner": "phi"
182
+ },
183
+ {
184
+ "id": "phi-url-interpolation",
185
+ "category": "phi-exposure",
186
+ "severity": "critical",
187
+ "title": "PHI interpolated into URL",
188
+ "description": "PHI values are being interpolated into URLs, exposing sensitive data.",
189
+ "recommendation": "Use opaque tokens or encrypted references instead of PHI in URLs.",
190
+ "source": "pattern",
191
+ "scanner": "phi"
192
+ },
193
+ {
194
+ "id": "phi-fetch-url",
195
+ "category": "phi-exposure",
196
+ "severity": "high",
197
+ "title": "PHI in fetch URL",
198
+ "description": "Fetch request URL contains PHI identifiers.",
199
+ "recommendation": "Pass PHI in request body with proper encryption, not in URLs.",
200
+ "source": "pattern",
201
+ "scanner": "phi"
202
+ },
203
+ {
204
+ "id": "phi-header-set",
205
+ "category": "phi-exposure",
206
+ "severity": "critical",
207
+ "title": "PHI in HTTP header",
208
+ "description": "PHI data is being set in HTTP headers, which may be logged or cached.",
209
+ "recommendation": "Never transmit PHI in HTTP headers. Use encrypted request/response body.",
210
+ "source": "pattern",
211
+ "scanner": "phi"
212
+ },
213
+ {
214
+ "id": "phi-header-object",
215
+ "category": "phi-exposure",
216
+ "severity": "critical",
217
+ "title": "PHI in headers object",
218
+ "description": "Headers object contains PHI-related fields.",
219
+ "recommendation": "Remove PHI from headers. Transmit sensitive data in encrypted request body only.",
220
+ "source": "pattern",
221
+ "scanner": "phi"
222
+ },
223
+ {
224
+ "id": "phi-authorization-header",
225
+ "category": "phi-exposure",
226
+ "severity": "high",
227
+ "title": "Patient data in authorization context",
228
+ "description": "Patient identifiers may be exposed in authorization headers.",
229
+ "recommendation": "Use opaque session tokens for authorization, not patient identifiers.",
230
+ "source": "pattern",
231
+ "scanner": "phi"
232
+ },
233
+ {
234
+ "id": "phi-email-body",
235
+ "category": "phi-exposure",
236
+ "severity": "high",
237
+ "title": "PHI in email content",
238
+ "description": "Patient data may be included in email body, which is typically unencrypted.",
239
+ "recommendation": "Avoid sending PHI via email. Use secure patient portals with authentication.",
240
+ "source": "pattern",
241
+ "scanner": "phi"
242
+ },
243
+ {
244
+ "id": "phi-email-template",
245
+ "category": "phi-exposure",
246
+ "severity": "high",
247
+ "title": "PHI in email template",
248
+ "description": "Email templates may contain patient data placeholders.",
249
+ "recommendation": "Do not include PHI in email templates. Send secure links to authenticated portals instead.",
250
+ "source": "pattern",
251
+ "scanner": "phi"
252
+ },
253
+ {
254
+ "id": "phi-email-subject",
255
+ "category": "phi-exposure",
256
+ "severity": "medium",
257
+ "title": "Potential PHI in email subject",
258
+ "description": "Email subject lines may contain patient-related information.",
259
+ "recommendation": "Keep email subjects generic. Never include patient names, diagnoses, or identifiers.",
260
+ "source": "pattern",
261
+ "scanner": "phi"
262
+ },
263
+ {
264
+ "id": "phi-logger-unredacted",
265
+ "category": "phi-exposure",
266
+ "severity": "high",
267
+ "title": "PHI logged without redaction",
268
+ "description": "Patient data is being logged without apparent redaction or masking.",
269
+ "recommendation": "Implement PHI redaction in logging. Use structured logging with automatic PII masking.",
270
+ "source": "pattern",
271
+ "scanner": "phi"
272
+ },
273
+ {
274
+ "id": "phi-log-file",
275
+ "category": "phi-exposure",
276
+ "severity": "high",
277
+ "title": "PHI written to log file",
278
+ "description": "Patient data may be written directly to log files.",
279
+ "recommendation": "Use structured logging with PHI redaction. Never write raw PHI to log files.",
280
+ "source": "pattern",
281
+ "scanner": "phi"
282
+ },
283
+ {
284
+ "id": "phi-debug-output",
285
+ "category": "phi-exposure",
286
+ "severity": "medium",
287
+ "title": "Debug mode with patient data",
288
+ "description": "Debug mode enabled in code handling patient data may expose PHI.",
289
+ "recommendation": "Ensure debug logging excludes PHI or uses proper redaction.",
290
+ "source": "pattern",
291
+ "scanner": "phi"
292
+ },
293
+ {
294
+ "id": "skill-phi-hardcoded-ssn",
295
+ "category": "access-control",
296
+ "severity": "critical",
297
+ "title": "Hardcoded SSN in skill prompt",
298
+ "description": "Social Security Number found in skill definition",
299
+ "recommendation": "Never hardcode PHI in skill prompts. Use placeholders like {{patient_id}} instead.",
300
+ "hipaaReference": "§164.502(a) - PHI Use and Disclosure",
301
+ "source": "pattern",
302
+ "scanner": "skills"
303
+ },
304
+ {
305
+ "id": "skill-phi-patient-name",
306
+ "category": "access-control",
307
+ "severity": "high",
308
+ "title": "Patient name in example",
309
+ "description": "Real patient name appears in skill prompt example",
310
+ "recommendation": "Use fictional names (e.g., \"John Doe\") or template variables {{patient_name}}",
311
+ "hipaaReference": "§164.502(a) - PHI Use and Disclosure",
312
+ "source": "pattern",
313
+ "scanner": "skills"
314
+ },
315
+ {
316
+ "id": "skill-phi-dob",
317
+ "category": "access-control",
318
+ "severity": "high",
319
+ "title": "Date of birth in prompt",
320
+ "description": "Date of birth found in skill definition",
321
+ "recommendation": "Use template variable {{date_of_birth}} instead of actual dates",
322
+ "hipaaReference": "§164.502(a) - PHI Use and Disclosure",
323
+ "source": "pattern",
324
+ "scanner": "skills"
325
+ },
326
+ {
327
+ "id": "skill-phi-mrn",
328
+ "category": "access-control",
329
+ "severity": "critical",
330
+ "title": "Medical Record Number exposed",
331
+ "description": "Medical Record Number found in skill prompt",
332
+ "recommendation": "Never include real MRNs. Use {{medical_record_number}} placeholder.",
333
+ "hipaaReference": "§164.502(a) - PHI Use and Disclosure",
334
+ "source": "pattern",
335
+ "scanner": "skills"
336
+ },
337
+ {
338
+ "id": "skill-phi-diagnosis",
339
+ "category": "access-control",
340
+ "severity": "medium",
341
+ "title": "Diagnosis code in prompt",
342
+ "description": "ICD diagnosis code found in skill example",
343
+ "recommendation": "Use generic examples or template variables for diagnoses",
344
+ "hipaaReference": "§164.502(a) - PHI Use and Disclosure",
345
+ "source": "pattern",
346
+ "scanner": "skills"
347
+ },
348
+ {
349
+ "id": "skill-api-key-exposed",
350
+ "category": "access-control",
351
+ "severity": "critical",
352
+ "title": "API key in skill configuration",
353
+ "description": "Hardcoded API key found in skill",
354
+ "recommendation": "Use environment variables: ${ANTHROPIC_API_KEY} or prompt user for keys",
355
+ "source": "pattern",
356
+ "scanner": "skills"
357
+ },
358
+ {
359
+ "id": "skill-aws-credentials",
360
+ "category": "access-control",
361
+ "severity": "critical",
362
+ "title": "AWS credentials exposed",
363
+ "description": "AWS credentials found in skill definition",
364
+ "recommendation": "Never hardcode AWS credentials. Use IAM roles or environment variables.",
365
+ "source": "pattern",
366
+ "scanner": "skills"
367
+ },
368
+ {
369
+ "id": "skill-database-password",
370
+ "category": "access-control",
371
+ "severity": "critical",
372
+ "title": "Database password in connection string",
373
+ "description": "Database password exposed in connection string",
374
+ "recommendation": "Use environment variables: ${DB_PASSWORD} or credential manager",
375
+ "source": "pattern",
376
+ "scanner": "skills"
377
+ },
378
+ {
379
+ "id": "skill-bearer-token",
380
+ "category": "access-control",
381
+ "severity": "critical",
382
+ "title": "Bearer token hardcoded",
383
+ "description": "Bearer authentication token found in skill",
384
+ "recommendation": "Tokens should be fetched securely at runtime, not hardcoded",
385
+ "source": "pattern",
386
+ "scanner": "skills"
387
+ },
388
+ {
389
+ "id": "skill-private-key",
390
+ "category": "access-control",
391
+ "severity": "critical",
392
+ "title": "Private key in skill",
393
+ "description": "Private cryptographic key found in skill definition",
394
+ "recommendation": "Never include private keys. Use key management service.",
395
+ "source": "pattern",
396
+ "scanner": "skills"
397
+ },
398
+ {
399
+ "id": "skill-data-exfiltration",
400
+ "category": "access-control",
401
+ "severity": "critical",
402
+ "title": "Data exfiltration detected",
403
+ "description": "Potential data exfiltration via curl to external domain",
404
+ "recommendation": "Review external API calls. Healthcare data should not be sent to unknown endpoints.",
405
+ "hipaaReference": "§164.308(a)(4) - Access Controls",
406
+ "source": "pattern",
407
+ "scanner": "skills"
408
+ },
409
+ {
410
+ "id": "skill-reverse-shell",
411
+ "category": "access-control",
412
+ "severity": "critical",
413
+ "title": "Reverse shell attempt",
414
+ "description": "Reverse shell command detected - potential backdoor",
415
+ "recommendation": "REJECT THIS SKILL. This is a clear malicious pattern.",
416
+ "source": "pattern",
417
+ "scanner": "skills"
418
+ },
419
+ {
420
+ "id": "skill-atomic-stealer",
421
+ "category": "access-control",
422
+ "severity": "critical",
423
+ "title": "Atomic Stealer pattern",
424
+ "description": "Pattern matches known Atomic Stealer malware distribution",
425
+ "recommendation": "REJECT THIS SKILL. This matches malware signatures from Snyk analysis.",
426
+ "source": "pattern",
427
+ "scanner": "skills"
428
+ },
429
+ {
430
+ "id": "skill-credential-scraper",
431
+ "category": "access-control",
432
+ "severity": "high",
433
+ "title": "Credential scraping detected",
434
+ "description": "Commands that search for credential files",
435
+ "recommendation": "Verify legitimacy. Skills should not scrape credential files.",
436
+ "source": "pattern",
437
+ "scanner": "skills"
438
+ },
439
+ {
440
+ "id": "skill-obfuscated-command",
441
+ "category": "access-control",
442
+ "severity": "high",
443
+ "title": "Obfuscated command execution",
444
+ "description": "Command substitution or eval - common in malware",
445
+ "recommendation": "Review carefully. Obfuscation often hides malicious intent.",
446
+ "source": "pattern",
447
+ "scanner": "skills"
448
+ },
449
+ {
450
+ "id": "skill-http-phi-transmission",
451
+ "category": "access-control",
452
+ "severity": "critical",
453
+ "title": "PHI transmitted over HTTP",
454
+ "description": "Skill transmits PHI over unencrypted HTTP",
455
+ "recommendation": "Use HTTPS for all PHI transmission. HTTP violates HIPAA encryption requirements.",
456
+ "hipaaReference": "§164.312(e)(1) - Transmission Security",
457
+ "source": "pattern",
458
+ "scanner": "skills"
459
+ },
460
+ {
461
+ "id": "skill-no-audit-logging",
462
+ "category": "access-control",
463
+ "severity": "high",
464
+ "title": "PHI access without audit logging",
465
+ "description": "Skill accesses PHI database without audit logging",
466
+ "recommendation": "Add audit logging: auditLog.record({ action, userId, resourceId })",
467
+ "hipaaReference": "§164.308(a)(1)(ii)(D) - Audit Controls",
468
+ "source": "pattern",
469
+ "scanner": "skills"
470
+ },
471
+ {
472
+ "id": "skill-phi-in-logs",
473
+ "category": "access-control",
474
+ "severity": "high",
475
+ "title": "PHI logged to console/files",
476
+ "description": "Skill logs PHI to console or log files",
477
+ "recommendation": "Never log PHI. Use redacted logging: logger.info({ patientId: \"***\" })",
478
+ "hipaaReference": "§164.502(a) - PHI Use and Disclosure",
479
+ "source": "pattern",
480
+ "scanner": "skills"
481
+ },
482
+ {
483
+ "id": "skill-phi-in-url",
484
+ "category": "access-control",
485
+ "severity": "critical",
486
+ "title": "PHI in URL parameters",
487
+ "description": "Skill passes PHI in URL query parameters",
488
+ "recommendation": "Use POST with encrypted body. URLs are logged by proxies/servers.",
489
+ "hipaaReference": "§164.312(e)(1) - Transmission Security",
490
+ "source": "pattern",
491
+ "scanner": "skills"
492
+ },
493
+ {
494
+ "id": "skill-no-encryption",
495
+ "category": "access-control",
496
+ "severity": "critical",
497
+ "title": "Missing encryption for PHI storage",
498
+ "description": "Skill stores PHI in browser storage without encryption",
499
+ "recommendation": "Use encrypted storage or server-side session storage only.",
500
+ "hipaaReference": "§164.312(a)(2)(iv) - Encryption",
501
+ "source": "pattern",
502
+ "scanner": "skills"
503
+ },
504
+ {
505
+ "id": "HIPAA-MFA-001",
506
+ "category": "access-control",
507
+ "severity": "critical",
508
+ "title": "Missing Multi-Factor Authentication for PHI Access",
509
+ "description": "Endpoints accessing PHI must enforce MFA. All auth configs must require multi-factor authentication.",
510
+ "hipaaReference": "45 CFR §164.312(a)(2)(i) - Access Control (Required)",
511
+ "source": "pattern",
512
+ "scanner": "hipaa2026"
513
+ },
514
+ {
515
+ "id": "HIPAA-ENC-REST-001",
516
+ "category": "access-control",
517
+ "severity": "critical",
518
+ "title": "ePHI Stored Without Encryption at Rest",
519
+ "description": "All ePHI must be encrypted at rest using AES-256 or stronger.",
520
+ "hipaaReference": "45 CFR §164.312(a)(2)(iv) - Encryption (Required)",
521
+ "source": "pattern",
522
+ "scanner": "hipaa2026"
523
+ },
524
+ {
525
+ "id": "HIPAA-SESSION-001",
526
+ "category": "access-control",
527
+ "severity": "high",
528
+ "title": "Missing Automatic Session Timeout",
529
+ "description": "PHI access sessions must auto-expire within 15 minutes of inactivity.",
530
+ "hipaaReference": "45 CFR §164.312(a)(2)(iii) - Session Control (Required)",
531
+ "source": "pattern",
532
+ "scanner": "hipaa2026"
533
+ },
534
+ {
535
+ "id": "HIPAA-REVOKE-001",
536
+ "category": "access-control",
537
+ "severity": "critical",
538
+ "title": "Missing Immediate Access Revocation",
539
+ "description": "User deactivation must immediately invalidate all sessions and tokens.",
540
+ "hipaaReference": "45 CFR §164.308(a)(3)(ii)(C) - Termination Procedures (Required)",
541
+ "source": "pattern",
542
+ "scanner": "hipaa2026"
543
+ },
544
+ {
545
+ "id": "HIPAA-BREACH-001",
546
+ "category": "access-control",
547
+ "severity": "critical",
548
+ "title": "Missing Breach Notification Mechanism",
549
+ "description": "Must have automated breach detection and notification within 24 hours.",
550
+ "hipaaReference": "45 CFR §164.308(a)(6)(ii) - Security Incident Procedures (Required)",
551
+ "source": "pattern",
552
+ "scanner": "hipaa2026"
553
+ },
554
+ {
555
+ "id": "HIPAA-SEGMENT-001",
556
+ "category": "access-control",
557
+ "severity": "critical",
558
+ "title": "Missing Network Segmentation for PHI",
559
+ "description": "PHI services must be network-segmented with restricted CORS and firewall rules.",
560
+ "hipaaReference": "45 CFR §164.312(e)(1) - Transmission Security (Required)",
561
+ "source": "pattern",
562
+ "scanner": "hipaa2026"
563
+ },
564
+ {
565
+ "id": "HIPAA-ASSET-001",
566
+ "category": "access-control",
567
+ "severity": "high",
568
+ "title": "Generate ePHI Technology Asset Inventory",
569
+ "description": "Automatic inventory of all systems processing, storing, or transmitting ePHI.",
570
+ "hipaaReference": "45 CFR §164.308(a)(1)(ii)(A) - Risk Analysis (Required)",
571
+ "source": "pattern",
572
+ "scanner": "hipaa2026"
573
+ },
574
+ {
575
+ "id": "HIPAA-FLOW-001",
576
+ "category": "access-control",
577
+ "severity": "high",
578
+ "title": "Generate ePHI Flow Map",
579
+ "description": "Automatic mapping of PHI data flow through system (input → processing → storage → output).",
580
+ "hipaaReference": "45 CFR §164.308(a)(1)(ii)(A) - Risk Analysis (Required)",
581
+ "source": "pattern",
582
+ "scanner": "hipaa2026"
583
+ },
584
+ {
585
+ "id": "HIPAA-PENTEST-001",
586
+ "category": "access-control",
587
+ "severity": "high",
588
+ "title": "Missing Vulnerability Scanning Configuration",
589
+ "description": "Must have automated vulnerability scanning (Dependabot, Snyk, Trivy) in CI/CD.",
590
+ "hipaaReference": "45 CFR §164.308(a)(8) - Evaluation (Required)",
591
+ "source": "pattern",
592
+ "scanner": "hipaa2026"
593
+ },
594
+ {
595
+ "id": "RATE-001",
596
+ "category": "access-control",
597
+ "severity": "high",
598
+ "title": "Authentication Routes Without Rate Limiting",
599
+ "description": "Authentication route (/login, /signin, /auth, /register, /signup, /password-reset, /forgot-password) defined without rate limiting middleware (rateLimit, rateLimiter, throttle, slowDown, @upstash/ratelimit). Vulnerable to brute force attacks.",
600
+ "recommendation": "Add rate limiting middleware to authentication routes. Example: const limiter = rateLimit({ windowMs: 15 * 60 * 1000, max: 5 }); app.post(\"/login\", limiter, loginHandler). Prevent brute force attacks on auth endpoints.",
601
+ "hipaaReference": "45 CFR §164.312(a)(1) - Access Control",
602
+ "source": "pattern",
603
+ "scanner": "api-security"
604
+ },
605
+ {
606
+ "id": "CORS-001",
607
+ "category": "access-control",
608
+ "severity": "high",
609
+ "title": "Open CORS Configuration (origin: \"*\")",
610
+ "description": "CORS configured with origin: \"*\" or Access-Control-Allow-Origin: *. PHI endpoints must restrict access to trusted domains only. Exposes API to cross-origin attacks from any domain.",
611
+ "recommendation": "Restrict CORS to trusted domains. Example: cors({ origin: [\"https://app.example.com\", \"https://admin.example.com\"] }) or use environment variables: cors({ origin: process.env.ALLOWED_ORIGINS.split(\",\") }). Never use origin: \"*\" for PHI endpoints.",
612
+ "hipaaReference": "45 CFR §164.312(e)(1) - Transmission Security",
613
+ "source": "pattern",
614
+ "scanner": "api-security"
615
+ },
616
+ {
617
+ "id": "API-001",
618
+ "category": "access-control",
619
+ "severity": "high",
620
+ "title": "PHI Data in URL Query Parameters",
621
+ "description": "PHI data (ssn, dob, patient_name, patientName, diagnosis, medication, mrn, health_record) passed as URL query parameters (?ssn=, &dob=). URLs are logged by servers, proxies, and browsers, exposing PHI in logs.",
622
+ "recommendation": "Never pass PHI in URL query parameters. Use POST request body instead. Example: Instead of GET /api/patient?ssn=123-45-6789, use POST /api/patient with body: { ssn: \"123-45-6789\" }. URLs are logged in server logs, proxy logs, and browser history.",
623
+ "hipaaReference": "45 CFR §164.312(a)(1) - Access Control",
624
+ "source": "pattern",
625
+ "scanner": "api-security"
626
+ },
627
+ {
628
+ "id": "CONFIG-001",
629
+ "category": "audit-logging",
630
+ "severity": "high",
631
+ "title": "Debug/Verbose Mode Without Environment Gate",
632
+ "description": "Debug or verbose mode enabled (debug:true, DEBUG:true, verbose:true, devTools:true) without NODE_ENV environment gate. May expose sensitive information in production.",
633
+ "recommendation": "Gate debug/verbose modes with environment checks. Example: debug: process.env.NODE_ENV === \"development\", or use environment variables: debug: process.env.DEBUG === \"true\". Never hardcode debug:true in production config.",
634
+ "hipaaReference": "NPRM Configuration Management",
635
+ "source": "pattern",
636
+ "scanner": "configuration"
637
+ },
638
+ {
639
+ "id": "CONFIG-002",
640
+ "category": "audit-logging",
641
+ "severity": "medium",
642
+ "title": "Web Server Without Security Headers Middleware",
643
+ "description": "Web server created (express(), createServer, new Hono, new Elysia) without helmet() or security headers middleware (CSP, X-Frame-Options, X-Content-Type-Options). Missing security headers expose app to XSS, clickjacking, and MIME sniffing attacks.",
644
+ "recommendation": "Add helmet middleware for Express: app.use(helmet()), or set security headers manually: res.setHeader(\"X-Frame-Options\", \"DENY\"); res.setHeader(\"X-Content-Type-Options\", \"nosniff\"); res.setHeader(\"Content-Security-Policy\", \"default-src 'self'\"). Use helmet for comprehensive security headers.",
645
+ "hipaaReference": "NPRM Configuration Management",
646
+ "source": "pattern",
647
+ "scanner": "configuration"
648
+ },
649
+ {
650
+ "id": "CONFIG-003",
651
+ "category": "audit-logging",
652
+ "severity": "low",
653
+ "title": "Test Framework Imports in Production Code",
654
+ "description": "Test framework imports (jest, vitest, mocha, chai, faker, cypress) found in production code (non-test files). Test frameworks should only be imported in test files (*.test.*, *.spec.*).",
655
+ "recommendation": "Remove test framework imports from production code. Test frameworks should only be imported in test files (*.test.ts, *.spec.js, etc.). Move test utilities to separate test helper files.",
656
+ "hipaaReference": "NPRM Configuration Management",
657
+ "source": "pattern",
658
+ "scanner": "configuration"
659
+ },
660
+ {
661
+ "id": "MFA-001",
662
+ "category": "access-control",
663
+ "severity": "critical",
664
+ "title": "Authentication Configuration Without MFA Enabled",
665
+ "description": "Auth provider configuration (NextAuth, Clerk, Auth0, Supabase) does not have MFA/2FA/TOTP enabled",
666
+ "recommendation": "Enable MFA in your auth provider configuration. For NextAuth: add adapter with MFA support. For Clerk: enable MFA in dashboard. For Auth0: enable MFA in tenant settings. For Supabase: enable MFA in auth settings.",
667
+ "hipaaReference": "NPRM §164.312(d) - Person or Entity Authentication",
668
+ "source": "pattern",
669
+ "scanner": "authentication"
670
+ },
671
+ {
672
+ "id": "MFA-002",
673
+ "category": "access-control",
674
+ "severity": "high",
675
+ "title": "Login Flow Without Second Factor Authentication",
676
+ "description": "Login/sign-in flow authenticates with only email and password without requiring second factor verification",
677
+ "recommendation": "Add second factor verification to login flow. After successful password authentication, require MFA token/TOTP code before granting access. Example: if (user.mfaEnabled && !mfaToken) return { error: \"MFA required\" }",
678
+ "hipaaReference": "NPRM §164.312(d) - Person or Entity Authentication",
679
+ "source": "pattern",
680
+ "scanner": "authentication"
681
+ },
682
+ {
683
+ "id": "MFA-003",
684
+ "category": "access-control",
685
+ "severity": "critical",
686
+ "title": "MFA Bypass Detected in Code",
687
+ "description": "Code explicitly bypasses, skips, or disables MFA requirements",
688
+ "recommendation": "Remove MFA bypass code. MFA should be mandatory for all users accessing PHI. If testing is needed, use proper test isolation instead of disabling MFA in production code.",
689
+ "hipaaReference": "NPRM §164.312(d) - Person or Entity Authentication",
690
+ "source": "pattern",
691
+ "scanner": "authentication"
692
+ },
693
+ {
694
+ "id": "ERROR-001",
695
+ "category": "audit-logging",
696
+ "severity": "high",
697
+ "title": "Unsanitized Error Details Sent to User",
698
+ "description": "Response sends error.stack or error.message directly to user without sanitization, potentially exposing sensitive system information",
699
+ "recommendation": "Never send error.stack or error.message directly to users. Use generic error messages for production. Example: res.status(500).json({ error: \"An error occurred\" }). Log detailed errors server-side only.",
700
+ "hipaaReference": "45 CFR §164.312(b) - Audit Controls",
701
+ "source": "pattern",
702
+ "scanner": "errors"
703
+ },
704
+ {
705
+ "id": "ERROR-002",
706
+ "category": "audit-logging",
707
+ "severity": "critical",
708
+ "title": "PHI Data in Error Logs or Thrown Errors",
709
+ "description": "Protected Health Information (patient, ssn, dob, mrn, diagnosis, medication, healthRecord) exposed in console logs, logger, or thrown errors",
710
+ "recommendation": "Never log PHI in error messages. Redact sensitive data before logging. Example: logger.error(\"Error processing patient\", { patientId: redact(patient.id) }). Use patient IDs only, never full PHI.",
711
+ "hipaaReference": "45 CFR §164.312(c) - Integrity Controls",
712
+ "source": "pattern",
713
+ "scanner": "errors"
714
+ },
715
+ {
716
+ "id": "BACKUP-001",
717
+ "category": "data-retention",
718
+ "severity": "medium",
719
+ "title": "Database Without Backup Configuration",
720
+ "description": "Database usage detected (supabase, prisma, mongoose, drizzle, typeorm, sequelize, knex) without backup/snapshot/replicate configuration references in project. Advisory: Full verification requires infrastructure inspection.",
721
+ "recommendation": "Configure automated database backups. Examples: Enable Supabase automatic backups, configure Prisma backup scripts, set up MongoDB Atlas continuous backups, or use pg_dump/mongodump in CI/CD. Document backup schedule and retention policy.",
722
+ "hipaaReference": "45 CFR §164.308(a)(7)(ii)(A) - Data Backup Plan",
723
+ "source": "pattern",
724
+ "scanner": "operational"
725
+ },
726
+ {
727
+ "id": "RETENTION-001",
728
+ "category": "data-retention",
729
+ "severity": "medium",
730
+ "title": "PHI Records Created Without Retention Fields",
731
+ "description": "PHI record creation (insert/create/save/upsert on patient/health/medical/clinical tables) without retention fields (expiresAt, ttl, retainUntil, retentionPeriod, deleteAfter). HIPAA requires minimum necessary retention periods.",
732
+ "recommendation": "Add retention fields to PHI record creation. Example: { ...patientData, expiresAt: new Date(Date.now() + 7 * 365 * 24 * 60 * 60 * 1000) } or { ...data, retentionPeriod: \"7years\", deleteAfter: calculateDeleteDate() }. Define retention policy based on record type and regulatory requirements.",
733
+ "hipaaReference": "45 CFR §164.316(b)(2)(i) - Retention Period",
734
+ "source": "pattern",
735
+ "scanner": "operational"
736
+ },
737
+ {
738
+ "id": "API-002",
739
+ "category": "data-retention",
740
+ "severity": "low",
741
+ "title": "JSON Body Parser Without Size Limit",
742
+ "description": "express.json() or bodyParser.json() configured without limit option. Unlimited body size can lead to DoS attacks via large payload submissions.",
743
+ "recommendation": "Configure body size limits. Example: app.use(express.json({ limit: \"10mb\" })) or bodyParser.json({ limit: \"1mb\" }). Set limit based on expected payload size. Typical values: 1mb for APIs, 10mb for file uploads.",
744
+ "hipaaReference": "45 CFR §164.308(a)(1)(ii)(D) - System Security",
745
+ "source": "pattern",
746
+ "scanner": "operational"
747
+ },
748
+ {
749
+ "id": "CRED-001",
750
+ "category": "encryption",
751
+ "severity": "critical",
752
+ "title": "Weak Password Hashing Algorithm Detected",
753
+ "description": "Using MD5, SHA1, or SHA256 for password hashing instead of secure algorithms like bcrypt, argon2, or scrypt",
754
+ "recommendation": "Use bcrypt, argon2, or scrypt for password hashing. Example: await bcrypt.hash(password, 10) or await argon2.hash(password). Never use MD5, SHA1, or simple SHA256 for passwords.",
755
+ "hipaaReference": "45 CFR §164.312(d) - Person or Entity Authentication",
756
+ "source": "pattern",
757
+ "scanner": "credentials"
758
+ },
759
+ {
760
+ "id": "CRED-002",
761
+ "category": "encryption",
762
+ "severity": "critical",
763
+ "title": "Hardcoded Credentials Detected",
764
+ "description": "Credentials (password, apiKey, secret, token, connectionString) hardcoded as string literals instead of using environment variables",
765
+ "recommendation": "Move credentials to environment variables. Use process.env.PASSWORD or a secure secrets manager. Never commit credentials to source control. Add credentials to .gitignore.",
766
+ "hipaaReference": "45 CFR §164.312(a)(2)(i) - Unique User Identification",
767
+ "source": "pattern",
768
+ "scanner": "credentials"
769
+ },
770
+ {
771
+ "id": "CRED-003",
772
+ "category": "encryption",
773
+ "severity": "critical",
774
+ "title": "Secrets Exposed to Client via NEXT_PUBLIC_ Prefix",
775
+ "description": "Sensitive credentials exposed to client-side code using NEXT_PUBLIC_ environment variable prefix",
776
+ "recommendation": "Remove NEXT_PUBLIC_ prefix from sensitive variables. Use server-side environment variables (without NEXT_PUBLIC_) and access them in API routes or getServerSideProps. Only use NEXT_PUBLIC_ for truly public values like API endpoints or publishable keys.",
777
+ "hipaaReference": "45 CFR §164.312(a)(2)(i) - Unique User Identification",
778
+ "source": "pattern",
779
+ "scanner": "credentials"
780
+ },
781
+ {
782
+ "id": "RBAC-001",
783
+ "category": "access-control",
784
+ "severity": "high",
785
+ "title": "PHI Data Access Without Role/Permission Verification",
786
+ "description": "Database query accessing PHI data (patient, health, medical, diagnosis, treatment, prescription) without role or permission verification",
787
+ "recommendation": "Add role/permission verification before accessing PHI data. Example: if (!hasPermission(user, \"read:patients\")) throw new Error(\"Unauthorized\"). Implement RBAC middleware to verify user roles before database queries.",
788
+ "hipaaReference": "45 CFR §164.312(a)(1) - Access Control",
789
+ "source": "pattern",
790
+ "scanner": "rbac"
791
+ },
792
+ {
793
+ "id": "RBAC-002",
794
+ "category": "access-control",
795
+ "severity": "critical",
796
+ "title": "Service Role Key or Admin Default in Client Code",
797
+ "description": "Privileged service_role key exposed in client-side code, isAdmin set to true as default, or conditions that always grant admin access",
798
+ "recommendation": "Remove service_role keys from client-side code - these should only exist in server-side API routes. Never default isAdmin to true. Implement proper role assignment based on authenticated user data from secure backend.",
799
+ "hipaaReference": "45 CFR §164.312(a)(1) - Access Control",
800
+ "source": "pattern",
801
+ "scanner": "rbac"
802
+ },
803
+ {
804
+ "id": "RBAC-003",
805
+ "category": "access-control",
806
+ "severity": "medium",
807
+ "title": "SELECT * on PHI Tables Violates Minimum Necessary Principle",
808
+ "description": "Query uses SELECT * or .select(\"*\") on tables containing PHI, retrieving more data than necessary in violation of HIPAA minimum necessary principle",
809
+ "recommendation": "Select only the minimum necessary fields required for the operation. Example: Instead of SELECT * FROM patients, use SELECT id, name, dob FROM patients. For ORMs: .select(\"id, name, dob\") or use field projections.",
810
+ "hipaaReference": "45 CFR §164.502(b) - Minimum Necessary Requirement",
811
+ "source": "pattern",
812
+ "scanner": "rbac"
813
+ },
814
+ {
815
+ "id": "SANITIZE-001",
816
+ "category": "access-control",
817
+ "severity": "critical",
818
+ "title": "Unsanitized User Input in Database Operations",
819
+ "description": "User input from req.body, req.params, or req.query used directly in database operations (insert, update, query, sql, where) without validation (zod, yup, joi, validate, sanitize, parse)",
820
+ "recommendation": "Always validate and sanitize user input before database operations. Use validation libraries like Zod, Yup, or Joi. Example: const validated = schema.parse(req.body); await db.insert(validated). Never use raw req.body/params/query directly in database operations.",
821
+ "hipaaReference": "NPRM Anti-malware",
822
+ "source": "pattern",
823
+ "scanner": "sanitization"
824
+ },
825
+ {
826
+ "id": "SANITIZE-002",
827
+ "category": "access-control",
828
+ "severity": "high",
829
+ "title": "Insecure File Upload Configuration",
830
+ "description": "File upload configuration (multer, formidable, busboy) missing fileFilter, limits, or MIME type validation",
831
+ "recommendation": "Configure file upload middleware with proper validation. Example: multer({ fileFilter: (req, file, cb) => { if (allowedMimes.includes(file.mimetype)) cb(null, true); else cb(new Error(\"Invalid file type\")); }, limits: { fileSize: 5 * 1024 * 1024 } }). Always validate file type, size, and extension.",
832
+ "hipaaReference": "NPRM Anti-malware",
833
+ "source": "pattern",
834
+ "scanner": "sanitization"
835
+ },
836
+ {
837
+ "id": "REVOKE-001",
838
+ "category": "access-control",
839
+ "severity": "high",
840
+ "title": "JWT Without Server-Side Revocation Mechanism",
841
+ "description": "JWT token generation (jwt.sign, jsonwebtoken, jose) without server-side revocation mechanism (revoke, blacklist, allowlist, tokenStore, invalidate, denylist). HIPAA NPRM requires ability to revoke access within 1 hour.",
842
+ "recommendation": "Implement server-side token revocation mechanism. Store active tokens in Redis/database with TTL, or maintain a blacklist of revoked tokens. Example: await redis.set(`token:${userId}`, token, \"EX\", 3600); await redis.del(`token:${userId}`) to revoke. HIPAA requires ability to revoke access within 1 hour.",
843
+ "hipaaReference": "NPRM §164.308(a)(3)(ii)(C) - Access Revocation",
844
+ "source": "pattern",
845
+ "scanner": "revocation"
846
+ },
847
+ {
848
+ "id": "REVOKE-002",
849
+ "category": "access-control",
850
+ "severity": "medium",
851
+ "title": "Excessive Token Expiration Time",
852
+ "description": "JWT token with excessive expiration time. Access tokens should expire within 24 hours (expiresIn: \"24h\" or less). Refresh tokens should not exceed 7 days for sensitive data.",
853
+ "recommendation": "Use short-lived access tokens (≤ 24 hours): expiresIn: \"1h\" or expiresIn: \"15m\". For longer sessions, implement refresh token rotation. Example: accessToken with expiresIn: \"1h\", refreshToken with expiresIn: \"7d\". Reduce attack window if token is compromised.",
854
+ "hipaaReference": "NPRM §164.308(a)(3)(ii)(C) - Access Revocation",
855
+ "source": "pattern",
856
+ "scanner": "revocation"
857
+ },
858
+ {
859
+ "id": "select-star",
860
+ "category": "access-control",
861
+ "severity": "medium",
862
+ "title": "SELECT * on sensitive table",
863
+ "description": "Using SELECT * may retrieve more PHI than necessary.",
864
+ "recommendation": "Select only required columns to minimize PHI exposure (minimum necessary).",
865
+ "source": "pattern",
866
+ "scanner": "access"
867
+ },
868
+ {
869
+ "id": "hardcoded-admin",
870
+ "category": "access-control",
871
+ "severity": "high",
872
+ "title": "Hardcoded admin role",
873
+ "description": "Hardcoded administrative role assignment detected.",
874
+ "recommendation": "Use role-based access control (RBAC) with proper authentication.",
875
+ "source": "pattern",
876
+ "scanner": "access"
877
+ },
878
+ {
879
+ "id": "auth-bypass",
880
+ "category": "access-control",
881
+ "severity": "critical",
882
+ "title": "Potential authentication bypass",
883
+ "description": "Code pattern suggests authentication may be bypassed.",
884
+ "recommendation": "Remove any authentication bypass mechanisms in production code.",
885
+ "source": "pattern",
886
+ "scanner": "access"
887
+ },
888
+ {
889
+ "id": "admin-flag",
890
+ "category": "access-control",
891
+ "severity": "medium",
892
+ "title": "Hardcoded admin flag",
893
+ "description": "Admin privileges set via hardcoded flag.",
894
+ "recommendation": "Determine admin status through secure authentication flow.",
895
+ "source": "pattern",
896
+ "scanner": "access"
897
+ },
898
+ {
899
+ "id": "public-password",
900
+ "category": "access-control",
901
+ "severity": "critical",
902
+ "title": "Password field with public visibility",
903
+ "description": "Password field may have public accessibility.",
904
+ "recommendation": "Password fields should be private and never exposed.",
905
+ "source": "pattern",
906
+ "scanner": "access"
907
+ },
908
+ {
909
+ "id": "cors-wildcard",
910
+ "category": "access-control",
911
+ "severity": "high",
912
+ "title": "CORS wildcard origin",
913
+ "description": "CORS configured to allow all origins.",
914
+ "recommendation": "Restrict CORS to specific trusted domains for PHI-handling endpoints.",
915
+ "source": "pattern",
916
+ "scanner": "access"
917
+ },
918
+ {
919
+ "id": "no-session-expiry",
920
+ "category": "access-control",
921
+ "severity": "high",
922
+ "title": "Session without expiration",
923
+ "description": "Session configured without expiration.",
924
+ "recommendation": "Implement automatic session timeout for PHI access (HIPAA recommends 15 min idle).",
925
+ "source": "pattern",
926
+ "scanner": "access"
927
+ },
928
+ {
929
+ "id": "short-retention",
930
+ "category": "data-retention",
931
+ "severity": "high",
932
+ "title": "PHI retention period may be too short",
933
+ "description": "Data deletion configured with period shorter than HIPAA requirements.",
934
+ "recommendation": "HIPAA requires PHI retention for 6 years from creation or last effective date.",
935
+ "source": "pattern",
936
+ "scanner": "retention"
937
+ },
938
+ {
939
+ "id": "unlogged-delete",
940
+ "category": "data-retention",
941
+ "severity": "medium",
942
+ "title": "Data deletion without apparent logging",
943
+ "description": "Data deletion operation without visible audit logging.",
944
+ "recommendation": "Log all PHI deletions with timestamp, user, and record identifiers.",
945
+ "source": "pattern",
946
+ "scanner": "retention"
947
+ },
948
+ {
949
+ "id": "bulk-delete",
950
+ "category": "data-retention",
951
+ "severity": "critical",
952
+ "title": "Bulk data deletion operation",
953
+ "description": "Bulk deletion (TRUNCATE/DROP) could delete PHI without proper retention.",
954
+ "recommendation": "Implement soft-delete with retention periods before permanent deletion.",
955
+ "source": "pattern",
956
+ "scanner": "retention"
957
+ },
958
+ {
959
+ "id": "backup-disabled",
960
+ "category": "data-retention",
961
+ "severity": "high",
962
+ "title": "Backup may be disabled",
963
+ "description": "Code pattern suggests backups might be disabled.",
964
+ "recommendation": "Maintain encrypted backups with proper retention for disaster recovery.",
965
+ "source": "pattern",
966
+ "scanner": "retention"
967
+ },
968
+ {
969
+ "id": "phi-cache",
970
+ "category": "data-retention",
971
+ "severity": "medium",
972
+ "title": "PHI caching detected",
973
+ "description": "Patient data may be cached, requiring retention policy consideration.",
974
+ "recommendation": "Ensure cached PHI has appropriate TTL and is encrypted at rest.",
975
+ "source": "pattern",
976
+ "scanner": "retention"
977
+ },
978
+ {
979
+ "id": "hardcoded-password",
980
+ "category": "access-control",
981
+ "severity": "critical",
982
+ "title": "Hardcoded password detected",
983
+ "description": "A password appears to be hardcoded in the source code.",
984
+ "recommendation": "Use environment variables or a secrets manager for credentials. Never commit passwords to source control.",
985
+ "source": "pattern",
986
+ "scanner": "security"
987
+ },
988
+ {
989
+ "id": "hardcoded-pwd",
990
+ "category": "access-control",
991
+ "severity": "critical",
992
+ "title": "Hardcoded password (pwd) detected",
993
+ "description": "A password appears to be hardcoded using \"pwd\" variable.",
994
+ "recommendation": "Use environment variables or a secrets manager for credentials.",
995
+ "source": "pattern",
996
+ "scanner": "security"
997
+ },
998
+ {
999
+ "id": "hardcoded-secret",
1000
+ "category": "access-control",
1001
+ "severity": "critical",
1002
+ "title": "Hardcoded secret detected",
1003
+ "description": "A secret value appears to be hardcoded in the source code.",
1004
+ "recommendation": "Use environment variables or a secrets manager for secrets.",
1005
+ "source": "pattern",
1006
+ "scanner": "security"
1007
+ },
1008
+ {
1009
+ "id": "credentials-object",
1010
+ "category": "access-control",
1011
+ "severity": "high",
1012
+ "title": "Credentials object with password",
1013
+ "description": "A credentials object containing password field was detected.",
1014
+ "recommendation": "Load credentials from secure configuration, not source code.",
1015
+ "source": "pattern",
1016
+ "scanner": "security"
1017
+ },
1018
+ {
1019
+ "id": "api-key-exposed",
1020
+ "category": "access-control",
1021
+ "severity": "critical",
1022
+ "title": "API key exposed in source",
1023
+ "description": "An API key appears to be hardcoded in the source code.",
1024
+ "recommendation": "Use environment variables for API keys. Add to .gitignore and use .env files.",
1025
+ "source": "pattern",
1026
+ "scanner": "security"
1027
+ },
1028
+ {
1029
+ "id": "apikey-exposed",
1030
+ "category": "access-control",
1031
+ "severity": "critical",
1032
+ "title": "API key (apikey) exposed in source",
1033
+ "description": "An API key appears to be hardcoded.",
1034
+ "recommendation": "Use environment variables for API keys.",
1035
+ "source": "pattern",
1036
+ "scanner": "security"
1037
+ },
1038
+ {
1039
+ "id": "stripe-key-exposed",
1040
+ "category": "access-control",
1041
+ "severity": "critical",
1042
+ "title": "Stripe API key exposed",
1043
+ "description": "A Stripe API key pattern was detected in the source code.",
1044
+ "recommendation": "Never commit Stripe keys. Use environment variables and restrict key permissions.",
1045
+ "source": "pattern",
1046
+ "scanner": "security"
1047
+ },
1048
+ {
1049
+ "id": "aws-key-exposed",
1050
+ "category": "access-control",
1051
+ "severity": "critical",
1052
+ "title": "AWS Access Key exposed",
1053
+ "description": "An AWS Access Key ID pattern was detected.",
1054
+ "recommendation": "Rotate this key immediately. Use IAM roles or environment variables instead.",
1055
+ "source": "pattern",
1056
+ "scanner": "security"
1057
+ },
1058
+ {
1059
+ "id": "bearer-token-exposed",
1060
+ "category": "access-control",
1061
+ "severity": "high",
1062
+ "title": "Bearer token in source",
1063
+ "description": "A bearer token appears to be hardcoded.",
1064
+ "recommendation": "Tokens should be fetched at runtime, not hardcoded.",
1065
+ "source": "pattern",
1066
+ "scanner": "security"
1067
+ },
1068
+ {
1069
+ "id": "auth-token-exposed",
1070
+ "category": "access-control",
1071
+ "severity": "critical",
1072
+ "title": "Auth token exposed in source",
1073
+ "description": "An authentication token appears to be hardcoded.",
1074
+ "recommendation": "Use secure token management. Never commit tokens to source control.",
1075
+ "source": "pattern",
1076
+ "scanner": "security"
1077
+ },
1078
+ {
1079
+ "id": "private-key-exposed",
1080
+ "category": "access-control",
1081
+ "severity": "critical",
1082
+ "title": "Private key exposed in source",
1083
+ "description": "A private key appears to be embedded in source code.",
1084
+ "recommendation": "Never commit private keys. Use secure key management services.",
1085
+ "source": "pattern",
1086
+ "scanner": "security"
1087
+ },
1088
+ {
1089
+ "id": "mongodb-uri-credentials",
1090
+ "category": "access-control",
1091
+ "severity": "critical",
1092
+ "title": "MongoDB URI with credentials",
1093
+ "description": "A MongoDB connection string with embedded credentials was detected.",
1094
+ "recommendation": "Use environment variables for database connection strings.",
1095
+ "source": "pattern",
1096
+ "scanner": "security"
1097
+ },
1098
+ {
1099
+ "id": "postgres-uri-credentials",
1100
+ "category": "access-control",
1101
+ "severity": "critical",
1102
+ "title": "PostgreSQL URI with credentials",
1103
+ "description": "A PostgreSQL connection string with embedded credentials was detected.",
1104
+ "recommendation": "Use environment variables for database connection strings.",
1105
+ "source": "pattern",
1106
+ "scanner": "security"
1107
+ },
1108
+ {
1109
+ "id": "mysql-uri-credentials",
1110
+ "category": "access-control",
1111
+ "severity": "critical",
1112
+ "title": "MySQL URI with credentials",
1113
+ "description": "A MySQL connection string with embedded credentials was detected.",
1114
+ "recommendation": "Use environment variables for database connection strings.",
1115
+ "source": "pattern",
1116
+ "scanner": "security"
1117
+ },
1118
+ {
1119
+ "id": "innerhtml-unsanitized",
1120
+ "category": "access-control",
1121
+ "severity": "high",
1122
+ "title": "Unsanitized innerHTML assignment",
1123
+ "description": "Direct innerHTML assignment without sanitization can lead to XSS vulnerabilities.",
1124
+ "recommendation": "Use textContent for text, or sanitize HTML with DOMPurify before innerHTML assignment.",
1125
+ "source": "pattern",
1126
+ "scanner": "security"
1127
+ },
1128
+ {
1129
+ "id": "dangerous-innerhtml-react",
1130
+ "category": "access-control",
1131
+ "severity": "high",
1132
+ "title": "dangerouslySetInnerHTML usage",
1133
+ "description": "Using dangerouslySetInnerHTML can expose the application to XSS attacks.",
1134
+ "recommendation": "Sanitize content with DOMPurify before using dangerouslySetInnerHTML.",
1135
+ "source": "pattern",
1136
+ "scanner": "security"
1137
+ },
1138
+ {
1139
+ "id": "eval-usage",
1140
+ "category": "access-control",
1141
+ "severity": "critical",
1142
+ "title": "eval() usage detected",
1143
+ "description": "Using eval() can execute arbitrary code and is a security risk.",
1144
+ "recommendation": "Avoid eval(). Use safer alternatives like JSON.parse() for data parsing.",
1145
+ "source": "pattern",
1146
+ "scanner": "security"
1147
+ },
1148
+ {
1149
+ "id": "function-constructor",
1150
+ "category": "access-control",
1151
+ "severity": "high",
1152
+ "title": "Function constructor usage",
1153
+ "description": "The Function constructor can execute arbitrary code like eval().",
1154
+ "recommendation": "Avoid dynamic code execution. Use predefined functions instead.",
1155
+ "source": "pattern",
1156
+ "scanner": "security"
1157
+ },
1158
+ {
1159
+ "id": "document-write",
1160
+ "category": "access-control",
1161
+ "severity": "medium",
1162
+ "title": "document.write usage",
1163
+ "description": "document.write can be exploited for XSS and blocks page rendering.",
1164
+ "recommendation": "Use DOM manipulation methods (appendChild, insertAdjacentHTML) instead.",
1165
+ "source": "pattern",
1166
+ "scanner": "security"
1167
+ },
1168
+ {
1169
+ "id": "sql-string-concat",
1170
+ "category": "access-control",
1171
+ "severity": "critical",
1172
+ "title": "SQL query string concatenation",
1173
+ "description": "Building SQL queries with string concatenation is vulnerable to SQL injection.",
1174
+ "recommendation": "Use parameterized queries or prepared statements. Never concatenate user input into SQL.",
1175
+ "source": "pattern",
1176
+ "scanner": "security"
1177
+ },
1178
+ {
1179
+ "id": "sql-template-literal",
1180
+ "category": "access-control",
1181
+ "severity": "critical",
1182
+ "title": "SQL query with template literal interpolation",
1183
+ "description": "Interpolating variables directly into SQL queries enables SQL injection.",
1184
+ "recommendation": "Use parameterized queries. Pass variables as parameters, not interpolated strings.",
1185
+ "source": "pattern",
1186
+ "scanner": "security"
1187
+ },
1188
+ {
1189
+ "id": "query-template-injection",
1190
+ "category": "access-control",
1191
+ "severity": "critical",
1192
+ "title": "Database query with template interpolation",
1193
+ "description": "Template literal interpolation in database queries can lead to injection attacks.",
1194
+ "recommendation": "Use parameterized queries: query(\"SELECT * FROM users WHERE id = $1\", [userId])",
1195
+ "source": "pattern",
1196
+ "scanner": "security"
1197
+ },
1198
+ {
1199
+ "id": "execute-string-concat",
1200
+ "category": "access-control",
1201
+ "severity": "critical",
1202
+ "title": "SQL execute with string concatenation",
1203
+ "description": "Concatenating strings in SQL execute statements enables injection.",
1204
+ "recommendation": "Use parameterized queries instead of string concatenation.",
1205
+ "source": "pattern",
1206
+ "scanner": "security"
1207
+ },
1208
+ {
1209
+ "id": "raw-query-injection",
1210
+ "category": "access-control",
1211
+ "severity": "critical",
1212
+ "title": "Raw SQL query with interpolation",
1213
+ "description": "Raw SQL queries with interpolated values are vulnerable to injection.",
1214
+ "recommendation": "Even with raw queries, use parameter binding for user-supplied values.",
1215
+ "source": "pattern",
1216
+ "scanner": "security"
1217
+ },
1218
+ {
1219
+ "id": "cookie-no-httponly",
1220
+ "category": "access-control",
1221
+ "severity": "high",
1222
+ "title": "Cookie without httpOnly flag",
1223
+ "description": "Cookies without httpOnly can be accessed by JavaScript, enabling XSS attacks.",
1224
+ "recommendation": "Add httpOnly: true and secure: true to all cookies, especially session cookies.",
1225
+ "source": "pattern",
1226
+ "scanner": "security"
1227
+ },
1228
+ {
1229
+ "id": "cookie-config-insecure",
1230
+ "category": "access-control",
1231
+ "severity": "high",
1232
+ "title": "Cookie configuration missing security flags",
1233
+ "description": "Cookie configuration is missing httpOnly and/or secure flags.",
1234
+ "recommendation": "Always set httpOnly: true, secure: true for cookies handling sensitive data.",
1235
+ "source": "pattern",
1236
+ "scanner": "security"
1237
+ },
1238
+ {
1239
+ "id": "audit-no-framework",
1240
+ "category": "audit-logging",
1241
+ "severity": "high",
1242
+ "title": "No audit logging framework detected",
1243
+ "description": "No recognized logging framework found in dependencies.",
1244
+ "recommendation": "Implement structured audit logging using winston, pino, or similar.",
1245
+ "hipaaReference": "§164.312(b)",
1246
+ "source": "pattern",
1247
+ "scanner": "audit"
1248
+ },
1249
+ {
1250
+ "id": "audit-unlogged-action",
1251
+ "category": "audit-logging",
1252
+ "severity": "medium",
1253
+ "title": "PHI operation may lack audit logging",
1254
+ "description": "A create, update, delete, read, or auth operation on PHI-related data was found without apparent audit logging in the same file.",
1255
+ "recommendation": "Log all PHI operations with timestamp, user ID, and action details.",
1256
+ "hipaaReference": "§164.312(b)",
1257
+ "source": "pattern",
1258
+ "scanner": "audit"
1259
+ },
1260
+ {
1261
+ "id": "enc-md5",
1262
+ "category": "encryption",
1263
+ "severity": "high",
1264
+ "title": "MD5 hash function",
1265
+ "description": "MD5 hash function is not suitable for protecting PHI.",
1266
+ "recommendation": "Use AES-256-GCM for encryption and SHA-256 or stronger for hashing.",
1267
+ "hipaaReference": "§164.312(a)(2)(iv), §164.312(e)(2)(ii)",
1268
+ "source": "pattern",
1269
+ "scanner": "encryption"
1270
+ },
1271
+ {
1272
+ "id": "enc-sha1",
1273
+ "category": "encryption",
1274
+ "severity": "medium",
1275
+ "title": "SHA1 hash function",
1276
+ "description": "SHA1 hash function is not suitable for protecting PHI.",
1277
+ "recommendation": "Use AES-256-GCM for encryption and SHA-256 or stronger for hashing.",
1278
+ "hipaaReference": "§164.312(a)(2)(iv), §164.312(e)(2)(ii)",
1279
+ "source": "pattern",
1280
+ "scanner": "encryption"
1281
+ },
1282
+ {
1283
+ "id": "enc-des",
1284
+ "category": "encryption",
1285
+ "severity": "critical",
1286
+ "title": "DES encryption",
1287
+ "description": "DES encryption is not suitable for protecting PHI.",
1288
+ "recommendation": "Use AES-256-GCM for encryption and SHA-256 or stronger for hashing.",
1289
+ "hipaaReference": "§164.312(a)(2)(iv), §164.312(e)(2)(ii)",
1290
+ "source": "pattern",
1291
+ "scanner": "encryption"
1292
+ },
1293
+ {
1294
+ "id": "enc-rc4",
1295
+ "category": "encryption",
1296
+ "severity": "critical",
1297
+ "title": "RC4 encryption",
1298
+ "description": "RC4 encryption is not suitable for protecting PHI.",
1299
+ "recommendation": "Use AES-256-GCM for encryption and SHA-256 or stronger for hashing.",
1300
+ "hipaaReference": "§164.312(a)(2)(iv), §164.312(e)(2)(ii)",
1301
+ "source": "pattern",
1302
+ "scanner": "encryption"
1303
+ },
1304
+ {
1305
+ "id": "enc-deprecated-cipher",
1306
+ "category": "encryption",
1307
+ "severity": "high",
1308
+ "title": "Deprecated cipher method",
1309
+ "description": "Deprecated cipher method is not suitable for protecting PHI.",
1310
+ "recommendation": "Use AES-256-GCM for encryption and SHA-256 or stronger for hashing.",
1311
+ "hipaaReference": "§164.312(a)(2)(iv), §164.312(e)(2)(ii)",
1312
+ "source": "pattern",
1313
+ "scanner": "encryption"
1314
+ },
1315
+ {
1316
+ "id": "enc-ecb-mode",
1317
+ "category": "encryption",
1318
+ "severity": "high",
1319
+ "title": "ECB mode encryption",
1320
+ "description": "ECB mode encryption is not suitable for protecting PHI.",
1321
+ "recommendation": "Use AES-256-GCM for encryption and SHA-256 or stronger for hashing.",
1322
+ "hipaaReference": "§164.312(a)(2)(iv), §164.312(e)(2)(ii)",
1323
+ "source": "pattern",
1324
+ "scanner": "encryption"
1325
+ },
1326
+ {
1327
+ "id": "enc-http-url",
1328
+ "category": "encryption",
1329
+ "severity": "high",
1330
+ "title": "Unencrypted HTTP URL",
1331
+ "description": "Unencrypted HTTP URL may expose PHI in transit or at rest.",
1332
+ "recommendation": "Enforce TLS 1.2+ for PHI in transit and encrypt PHI (including backups) at rest.",
1333
+ "hipaaReference": "§164.312(e)(1)",
1334
+ "source": "pattern",
1335
+ "scanner": "encryption"
1336
+ },
1337
+ {
1338
+ "id": "enc-ssl-disabled",
1339
+ "category": "encryption",
1340
+ "severity": "critical",
1341
+ "title": "SSL disabled",
1342
+ "description": "SSL disabled may expose PHI in transit or at rest.",
1343
+ "recommendation": "Enforce TLS 1.2+ for PHI in transit and encrypt PHI (including backups) at rest.",
1344
+ "hipaaReference": "§164.312(e)(1)",
1345
+ "source": "pattern",
1346
+ "scanner": "encryption"
1347
+ },
1348
+ {
1349
+ "id": "enc-ssl-verify-disabled",
1350
+ "category": "encryption",
1351
+ "severity": "critical",
1352
+ "title": "SSL verification disabled",
1353
+ "description": "SSL verification disabled may expose PHI in transit or at rest.",
1354
+ "recommendation": "Enforce TLS 1.2+ for PHI in transit and encrypt PHI (including backups) at rest.",
1355
+ "hipaaReference": "§164.312(e)(1)",
1356
+ "source": "pattern",
1357
+ "scanner": "encryption"
1358
+ },
1359
+ {
1360
+ "id": "enc-tls-cert-validation-disabled",
1361
+ "category": "encryption",
1362
+ "severity": "critical",
1363
+ "title": "TLS certificate validation disabled",
1364
+ "description": "TLS certificate validation disabled may expose PHI in transit or at rest.",
1365
+ "recommendation": "Enforce TLS 1.2+ for PHI in transit and encrypt PHI (including backups) at rest.",
1366
+ "hipaaReference": "§164.312(e)(1)",
1367
+ "source": "pattern",
1368
+ "scanner": "encryption"
1369
+ },
1370
+ {
1371
+ "id": "enc-backup-encryption-disabled",
1372
+ "category": "encryption",
1373
+ "severity": "critical",
1374
+ "title": "Backup encryption disabled",
1375
+ "description": "Backup encryption disabled may expose PHI in transit or at rest.",
1376
+ "recommendation": "Enforce TLS 1.2+ for PHI in transit and encrypt PHI (including backups) at rest.",
1377
+ "hipaaReference": "§164.312(e)(1)",
1378
+ "source": "pattern",
1379
+ "scanner": "encryption"
1380
+ },
1381
+ {
1382
+ "id": "enc-db-backup-no-ssl",
1383
+ "category": "encryption",
1384
+ "severity": "high",
1385
+ "title": "Database backup without SSL",
1386
+ "description": "Database backup without SSL may expose PHI in transit or at rest.",
1387
+ "recommendation": "Enforce TLS 1.2+ for PHI in transit and encrypt PHI (including backups) at rest.",
1388
+ "hipaaReference": "§164.312(e)(1)",
1389
+ "source": "pattern",
1390
+ "scanner": "encryption"
1391
+ },
1392
+ {
1393
+ "id": "enc-backup-file-unencrypted",
1394
+ "category": "encryption",
1395
+ "severity": "high",
1396
+ "title": "Unencrypted backup file format",
1397
+ "description": "Unencrypted backup file format may expose PHI in transit or at rest.",
1398
+ "recommendation": "Enforce TLS 1.2+ for PHI in transit and encrypt PHI (including backups) at rest.",
1399
+ "hipaaReference": "§164.312(e)(1)",
1400
+ "source": "pattern",
1401
+ "scanner": "encryption"
1402
+ },
1403
+ {
1404
+ "id": "enc-phi-backup-unencrypted",
1405
+ "category": "encryption",
1406
+ "severity": "critical",
1407
+ "title": "PHI backup without encryption",
1408
+ "description": "PHI backup without encryption may expose PHI in transit or at rest.",
1409
+ "recommendation": "Enforce TLS 1.2+ for PHI in transit and encrypt PHI (including backups) at rest.",
1410
+ "hipaaReference": "§164.312(e)(1)",
1411
+ "source": "pattern",
1412
+ "scanner": "encryption"
1413
+ },
1414
+ {
1415
+ "id": "enc-s3-backup-no-sse",
1416
+ "category": "encryption",
1417
+ "severity": "high",
1418
+ "title": "S3 backup without server-side encryption",
1419
+ "description": "S3 backup without server-side encryption may expose PHI in transit or at rest.",
1420
+ "recommendation": "Enforce TLS 1.2+ for PHI in transit and encrypt PHI (including backups) at rest.",
1421
+ "hipaaReference": "§164.312(e)(1)",
1422
+ "source": "pattern",
1423
+ "scanner": "encryption"
1424
+ },
1425
+ {
1426
+ "id": "enc-backup-storage-unencrypted",
1427
+ "category": "encryption",
1428
+ "severity": "medium",
1429
+ "title": "Backup storage without encryption specified",
1430
+ "description": "Backup storage without encryption specified may expose PHI in transit or at rest.",
1431
+ "recommendation": "Enforce TLS 1.2+ for PHI in transit and encrypt PHI (including backups) at rest.",
1432
+ "hipaaReference": "§164.312(e)(1)",
1433
+ "source": "pattern",
1434
+ "scanner": "encryption"
1435
+ },
1436
+ {
1437
+ "id": "HIPAA-PHI-003",
1438
+ "category": "phi-exposure",
1439
+ "severity": "info",
1440
+ "title": "Minimum Necessary Access",
1441
+ "description": "Minimum Necessary Access",
1442
+ "source": "ai",
1443
+ "scanner": "ai"
1444
+ },
1445
+ {
1446
+ "id": "HIPAA-SEC-001",
1447
+ "category": "encryption",
1448
+ "severity": "info",
1449
+ "title": "PHI Encryption",
1450
+ "description": "PHI Encryption",
1451
+ "source": "ai",
1452
+ "scanner": "ai"
1453
+ },
1454
+ {
1455
+ "id": "HIPAA-ACCESS-001",
1456
+ "category": "access-control",
1457
+ "severity": "info",
1458
+ "title": "Role-Based Access Control",
1459
+ "description": "Role-Based Access Control",
1460
+ "source": "ai",
1461
+ "scanner": "ai"
1462
+ },
1463
+ {
1464
+ "id": "HIPAA-AUDIT-001",
1465
+ "category": "audit-logging",
1466
+ "severity": "info",
1467
+ "title": "Audit Logging",
1468
+ "description": "Audit Logging",
1469
+ "source": "ai",
1470
+ "scanner": "ai"
1471
+ },
1472
+ {
1473
+ "id": "HIPAA-RETENTION-001",
1474
+ "category": "data-retention",
1475
+ "severity": "info",
1476
+ "title": "Data Retention",
1477
+ "description": "Data Retention",
1478
+ "source": "ai",
1479
+ "scanner": "ai"
1480
+ },
1481
+ {
1482
+ "id": "HIPAA-AUTH-001",
1483
+ "category": "access-control",
1484
+ "severity": "info",
1485
+ "title": "Session Management",
1486
+ "description": "Session Management",
1487
+ "source": "ai",
1488
+ "scanner": "ai"
1489
+ }
1490
+ ]
1491
+ }