verification-layer 0.4.0

package/dist/scanners/phi/patterns.js

@@ -0,0 +1,242 @@
+export const PHI_PATTERNS = [
+    // === SSN and identifiers ===
+    {
+        id: 'ssn-hardcoded',
+        regex: /\b\d{3}-\d{2}-\d{4}\b/,
+        severity: 'critical',
+        title: 'Potential SSN detected',
+        description: 'A pattern matching Social Security Number format was found in the code.',
+        recommendation: 'Remove hardcoded SSN. Use secure storage and encryption for sensitive identifiers.',
+    },
+    {
+        id: 'medical-record-number',
+        regex: /\b(mrn|medical.?record.?number)\s*[:=]\s*['"`]\d+['"`]/i,
+        severity: 'high',
+        title: 'Medical Record Number exposure',
+        description: 'A hardcoded medical record number was detected.',
+        recommendation: 'Never hardcode MRNs. Fetch from secure, encrypted storage.',
+    },
+    {
+        id: 'dob-exposed',
+        regex: /\b(date.?of.?birth|dob|birth.?date)\s*[:=]\s*['"`]/i,
+        severity: 'high',
+        title: 'Date of birth exposure',
+        description: 'Date of birth information may be hardcoded or improperly handled.',
+        recommendation: 'Encrypt DOB at rest and in transit. Apply minimum necessary principle.',
+    },
+    {
+        id: 'diagnosis-code',
+        regex: /\b(icd.?10|diagnosis.?code|icd.?code)\s*[:=]\s*['"`][A-Z]\d{2}/i,
+        severity: 'medium',
+        title: 'Diagnosis code in source',
+        description: 'ICD-10 diagnosis codes found in source code.',
+        recommendation: 'Load diagnosis codes from secure configuration, not source code.',
+    },
+    {
+        id: 'phi-in-url',
+        regex: /\/(patient|user)\/\d+\/(ssn|dob|mrn|diagnosis)/i,
+        severity: 'high',
+        title: 'PHI identifier in URL pattern',
+        description: 'URL pattern suggests PHI may be exposed in URLs.',
+        recommendation: 'Never include PHI in URLs. Use opaque tokens or encrypted identifiers.',
+    },
+    // === PHI Logging Detection ===
+    {
+        id: 'patient-name-log',
+        regex: /console\.(log|info|debug|warn|error)\s*\([^)]*patient.*name/i,
+        severity: 'high',
+        title: 'Patient name in console output',
+        description: 'Patient names may be logged to console, exposing PHI.',
+        recommendation: 'Remove patient identifiers from logs. Use anonymized IDs for debugging.',
+        fixType: 'phi-console-log',
+    },
+    {
+        id: 'phi-console-log',
+        regex: /console\.(log|info|debug|warn|error)\s*\([^)]*(ssn|social.?security|diagnosis|medical.?record|health.?info|patient.?data|dob|birth.?date)/i,
+        severity: 'high',
+        title: 'PHI data in console output',
+        description: 'Sensitive health information may be logged to console.',
+        recommendation: 'Never log PHI to console. Use structured logging with PHI redaction.',
+        fixType: 'phi-console-log',
+    },
+    {
+        id: 'phi-json-stringify-log',
+        regex: /console\.(log|info|debug)\s*\(\s*JSON\.stringify\s*\([^)]*patient/i,
+        severity: 'high',
+        title: 'Patient object serialized to console',
+        description: 'Patient objects are being serialized and logged, potentially exposing all PHI fields.',
+        recommendation: 'Create a sanitized version of patient objects for logging, excluding PHI fields.',
+        fixType: 'phi-console-log',
+    },
+    {
+        id: 'phi-template-log',
+        regex: /console\.(log|info|debug)\s*\(\s*`[^`]*(patient|ssn|diagnosis|dob|\$\{.*patient)/i,
+        severity: 'high',
+        title: 'PHI in template literal log',
+        description: 'Template literal logging may expose PHI data.',
+        recommendation: 'Avoid interpolating PHI into log messages.',
+        fixType: 'phi-console-log',
+    },
+    // === Insecure Storage Detection ===
+    {
+        id: 'phi-localstorage',
+        regex: /localStorage\.(setItem|getItem)\s*\(\s*['"`][^'"`]*(patient|ssn|diagnosis|medical|health|dob|mrn)/i,
+        severity: 'critical',
+        title: 'PHI stored in localStorage',
+        description: 'PHI data is being stored in localStorage which is not encrypted and persists indefinitely.',
+        recommendation: 'Never store PHI in localStorage. Use encrypted server-side storage with proper access controls.',
+        fixType: 'phi-localstorage',
+    },
+    {
+        id: 'phi-sessionstorage',
+        regex: /sessionStorage\.(setItem|getItem)\s*\(\s*['"`][^'"`]*(patient|ssn|diagnosis|medical|health|dob|mrn)/i,
+        severity: 'high',
+        title: 'PHI stored in sessionStorage',
+        description: 'PHI data is being stored in sessionStorage which is not encrypted.',
+        recommendation: 'Avoid storing PHI in browser storage. Use secure, encrypted server-side sessions.',
+    },
+    {
+        id: 'phi-cookie-storage',
+        regex: /document\.cookie\s*=.*?(patient|ssn|diagnosis|medical|health|dob|mrn)/i,
+        severity: 'critical',
+        title: 'PHI stored in cookies',
+        description: 'PHI data may be stored in browser cookies without encryption.',
+        recommendation: 'Never store PHI in cookies. Use encrypted server-side sessions with secure, httpOnly cookies for session IDs only.',
+    },
+    {
+        id: 'phi-indexeddb',
+        regex: /indexedDB|IDBDatabase.*?(patient|health|medical|diagnosis)/i,
+        severity: 'high',
+        title: 'PHI potentially stored in IndexedDB',
+        description: 'PHI may be stored in IndexedDB which lacks built-in encryption.',
+        recommendation: 'If using IndexedDB for PHI, implement client-side encryption and proper key management.',
+    },
+    // === Email and contact PHI ===
+    {
+        id: 'email-phi-context',
+        regex: /patient.*email|email.*patient/i,
+        severity: 'medium',
+        title: 'Patient email handling detected',
+        description: 'Code handles patient email addresses which are PHI.',
+        recommendation: 'Ensure patient emails are encrypted and access is logged.',
+    },
+    {
+        id: 'phone-phi-context',
+        regex: /patient.*(phone|mobile|cell)|phone.*patient/i,
+        severity: 'medium',
+        title: 'Patient phone handling detected',
+        description: 'Code handles patient phone numbers which are PHI.',
+        recommendation: 'Ensure patient contact info is encrypted and access is logged.',
+    },
+    {
+        id: 'address-phi-context',
+        regex: /patient.*(address|street|city|zip)|address.*patient/i,
+        severity: 'medium',
+        title: 'Patient address handling detected',
+        description: 'Code handles patient addresses which are PHI.',
+        recommendation: 'Ensure patient addresses are encrypted and access is logged.',
+    },
+    // === PHI in URL Query Parameters ===
+    {
+        id: 'phi-query-param',
+        regex: /[?&](ssn|social.?security|patient.?id|mrn|dob|birth.?date|diagnosis|medical.?record)=/i,
+        severity: 'critical',
+        title: 'PHI in URL query parameter',
+        description: 'PHI identifiers are being passed as URL query parameters, which may be logged in server logs, browser history, and referrer headers.',
+        recommendation: 'Never pass PHI in URLs. Use POST requests with encrypted body or session-based lookups.',
+        fixType: 'phi-url-param',
+    },
+    {
+        id: 'phi-url-interpolation',
+        regex: /\$\{[^}]*(ssn|patientId|mrn|dob|diagnosis)[^}]*\}.*[?&]/i,
+        severity: 'critical',
+        title: 'PHI interpolated into URL',
+        description: 'PHI values are being interpolated into URLs, exposing sensitive data.',
+        recommendation: 'Use opaque tokens or encrypted references instead of PHI in URLs.',
+    },
+    {
+        id: 'phi-fetch-url',
+        regex: /fetch\s*\(\s*`[^`]*[?&](patient|ssn|mrn|dob)/i,
+        severity: 'high',
+        title: 'PHI in fetch URL',
+        description: 'Fetch request URL contains PHI identifiers.',
+        recommendation: 'Pass PHI in request body with proper encryption, not in URLs.',
+    },
+    // === PHI in HTTP Headers ===
+    {
+        id: 'phi-header-set',
+        regex: /setHeader\s*\(\s*['"`][^'"`]*(patient|ssn|mrn|dob|diagnosis|medical)/i,
+        severity: 'critical',
+        title: 'PHI in HTTP header',
+        description: 'PHI data is being set in HTTP headers, which may be logged or cached.',
+        recommendation: 'Never transmit PHI in HTTP headers. Use encrypted request/response body.',
+    },
+    {
+        id: 'phi-header-object',
+        regex: /headers\s*[:=]\s*\{[^}]*(patient|ssn|mrn|dob|diagnosis|x-patient|x-medical)/i,
+        severity: 'critical',
+        title: 'PHI in headers object',
+        description: 'Headers object contains PHI-related fields.',
+        recommendation: 'Remove PHI from headers. Transmit sensitive data in encrypted request body only.',
+    },
+    {
+        id: 'phi-authorization-header',
+        regex: /authorization.*patient|patient.*authorization/i,
+        severity: 'high',
+        title: 'Patient data in authorization context',
+        description: 'Patient identifiers may be exposed in authorization headers.',
+        recommendation: 'Use opaque session tokens for authorization, not patient identifiers.',
+    },
+    // === PHI in Email ===
+    {
+        id: 'phi-email-body',
+        regex: /(sendMail|sendEmail|send_email|mailer\.send)\s*\([^)]*patient/i,
+        severity: 'high',
+        title: 'PHI in email content',
+        description: 'Patient data may be included in email body, which is typically unencrypted.',
+        recommendation: 'Avoid sending PHI via email. Use secure patient portals with authentication.',
+    },
+    {
+        id: 'phi-email-template',
+        regex: /(email|mail).*template.*patient|patient.*(email|mail).*template/i,
+        severity: 'high',
+        title: 'PHI in email template',
+        description: 'Email templates may contain patient data placeholders.',
+        recommendation: 'Do not include PHI in email templates. Send secure links to authenticated portals instead.',
+    },
+    {
+        id: 'phi-email-subject',
+        regex: /subject\s*[:=].*patient|subject.*diagnosis|subject.*medical/i,
+        severity: 'medium',
+        title: 'Potential PHI in email subject',
+        description: 'Email subject lines may contain patient-related information.',
+        recommendation: 'Keep email subjects generic. Never include patient names, diagnoses, or identifiers.',
+    },
+    // === PHI Logging Without Redaction ===
+    {
+        id: 'phi-logger-unredacted',
+        regex: /logger\.(info|debug|warn|error)\s*\([^)]*patient(?!.*redact|.*mask|.*sanitize)/i,
+        severity: 'high',
+        title: 'PHI logged without redaction',
+        description: 'Patient data is being logged without apparent redaction or masking.',
+        recommendation: 'Implement PHI redaction in logging. Use structured logging with automatic PII masking.',
+        fixType: 'phi-log-unredacted',
+    },
+    {
+        id: 'phi-log-file',
+        regex: /writeFile.*log.*patient|patient.*writeFile.*log/i,
+        severity: 'high',
+        title: 'PHI written to log file',
+        description: 'Patient data may be written directly to log files.',
+        recommendation: 'Use structured logging with PHI redaction. Never write raw PHI to log files.',
+    },
+    {
+        id: 'phi-debug-output',
+        regex: /debug\s*[:=]\s*true.*patient|patient.*debug\s*[:=]\s*true/i,
+        severity: 'medium',
+        title: 'Debug mode with patient data',
+        description: 'Debug mode enabled in code handling patient data may expose PHI.',
+        recommendation: 'Ensure debug logging excludes PHI or uses proper redaction.',
+    },
+];
+//# sourceMappingURL=patterns.js.map

package/dist/scanners/phi/patterns.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"patterns.js","sourceRoot":"","sources":["../../../src/scanners/phi/patterns.ts"],"names":[],"mappings":"AAYA,MAAM,CAAC,MAAM,YAAY,GAAiB;IACxC,8BAA8B;IAC9B;QACE,EAAE,EAAE,eAAe;QACnB,KAAK,EAAE,uBAAuB;QAC9B,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,wBAAwB;QAC/B,WAAW,EAAE,yEAAyE;QACtF,cAAc,EAAE,oFAAoF;KACrG;IACD;QACE,EAAE,EAAE,uBAAuB;QAC3B,KAAK,EAAE,yDAAyD;QAChE,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EAAE,iDAAiD;QAC9D,cAAc,EAAE,4DAA4D;KAC7E;IACD;QACE,EAAE,EAAE,aAAa;QACjB,KAAK,EAAE,qDAAqD;QAC5D,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,wBAAwB;QAC/B,WAAW,EAAE,mEAAmE;QAChF,cAAc,EAAE,wEAAwE;KACzF;IACD;QACE,EAAE,EAAE,gBAAgB;QACpB,KAAK,EAAE,iEAAiE;QACxE,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,0BAA0B;QACjC,WAAW,EAAE,8CAA8C;QAC3D,cAAc,EAAE,kEAAkE;KACnF;IACD;QACE,EAAE,EAAE,YAAY;QAChB,KAAK,EAAE,iDAAiD;QACxD,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,+BAA+B;QACtC,WAAW,EAAE,kDAAkD;QAC/D,cAAc,EAAE,wEAAwE;KACzF;IAED,gCAAgC;IAChC;QACE,EAAE,EAAE,kBAAkB;QACtB,KAAK,EAAE,8DAA8D;QACrE,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EAAE,uDAAuD;QACpE,cAAc,EAAE,yEAAyE;QACzF,OAAO,EAAE,iBAAiB;KAC3B;IACD;QACE,EAAE,EAAE,iBAAiB;QACrB,KAAK,EAAE,4IAA4I;QACnJ,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,4BAA4B;QACnC,WAAW,EAAE,wDAAwD;QACrE,cAAc,EAAE,sEAAsE;QACtF,OAAO,EAAE,iBAAiB;KAC3B;IACD;QACE,EAAE,EAAE,wBAAwB;QAC5B,KAAK,EAAE,oEAAoE;QAC3E,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,sCAAsC;QAC7C,WAAW,EAAE,uFAAuF;QACpG,cAAc,EAAE,kFAAkF;QAClG,OAAO,EAAE,iBAAiB;KAC3B;IACD;QACE,EAAE,EAAE,kBAAkB;QACtB,KAAK,EAAE,mFAAmF;QAC1F,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,6BAA6B;QACpC,WAAW,EAAE,+CAA+C;QAC5D,cAAc,EAAE,4CAA4C;QAC5D,OAAO,EAAE,iBAAiB;KAC3B;IAED,qCAAqC;IACrC;QACE,EAAE,EAAE,kBAAkB;QACtB,KAAK,EAAE,oGAAoG;QAC3G,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,4BAA4B;QACnC,WAAW,EAAE,4FAA4F;QACzG,cAAc,EAAE,iGAAiG;QACjH,OAAO,EAAE,kBAAkB;KAC5B;IACD;QACE,EAAE,EAAE,oBAAoB;QACxB,KAAK,EAAE,sGAAsG;QAC7G,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,8BAA8B;QACrC,WAAW,EAAE,oEAAoE;QACjF,cAAc,EAAE,mFAAmF;KACpG;IACD;QACE,EAAE,EAAE,oBAAoB;QACxB,KAAK,EAAE,wEAAwE;QAC/E,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,uBAAuB;QAC9B,WAAW,EAAE,+DAA+D;QAC5E,cAAc,EAAE,oHAAoH;KACrI;IACD;QACE,EAAE,EAAE,eAAe;QACnB,KAAK,EAAE,6DAA6D;QACpE,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,qCAAqC;QAC5C,WAAW,EAAE,iEAAiE;QAC9E,cAAc,EAAE,yFAAyF;KAC1G;IAED,gCAAgC;IAChC;QACE,EAAE,EAAE,mBAAmB;QACvB,KAAK,EAAE,gCAAgC;QACvC,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,iCAAiC;QACxC,WAAW,EAAE,qDAAqD;QAClE,cAAc,EAAE,2DAA2D;KAC5E;IACD;QACE,EAAE,EAAE,mBAAmB;QACvB,KAAK,EAAE,8CAA8C;QACrD,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,iCAAiC;QACxC,WAAW,EAAE,mDAAmD;QAChE,cAAc,EAAE,gEAAgE;KACjF;IACD;QACE,EAAE,EAAE,qBAAqB;QACzB,KAAK,EAAE,sDAAsD;QAC7D,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,mCAAmC;QAC1C,WAAW,EAAE,+CAA+C;QAC5D,cAAc,EAAE,8DAA8D;KAC/E;IAED,sCAAsC;IACtC;QACE,EAAE,EAAE,iBAAiB;QACrB,KAAK,EAAE,wFAAwF;QAC/F,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,4BAA4B;QACnC,WAAW,EAAE,sIAAsI;QACnJ,cAAc,EAAE,yFAAyF;QACzG,OAAO,EAAE,eAAe;KACzB;IACD;QACE,EAAE,EAAE,uBAAuB;QAC3B,KAAK,EAAE,0DAA0D;QACjE,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,2BAA2B;QAClC,WAAW,EAAE,uEAAuE;QACpF,cAAc,EAAE,mEAAmE;KACpF;IACD;QACE,EAAE,EAAE,eAAe;QACnB,KAAK,EAAE,+CAA+C;QACtD,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,kBAAkB;QACzB,WAAW,EAAE,6CAA6C;QAC1D,cAAc,EAAE,+DAA+D;KAChF;IAED,8BAA8B;IAC9B;QACE,EAAE,EAAE,gBAAgB;QACpB,KAAK,EAAE,uEAAuE;QAC9E,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EAAE,uEAAuE;QACpF,cAAc,EAAE,0EAA0E;KAC3F;IACD;QACE,EAAE,EAAE,mBAAmB;QACvB,KAAK,EAAE,8EAA8E;QACrF,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,uBAAuB;QAC9B,WAAW,EAAE,6CAA6C;QAC1D,cAAc,EAAE,kFAAkF;KACnG;IACD;QACE,EAAE,EAAE,0BAA0B;QAC9B,KAAK,EAAE,gDAAgD;QACvD,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,uCAAuC;QAC9C,WAAW,EAAE,8DAA8D;QAC3E,cAAc,EAAE,uEAAuE;KACxF;IAED,uBAAuB;IACvB;QACE,EAAE,EAAE,gBAAgB;QACpB,KAAK,EAAE,gEAAgE;QACvE,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,sBAAsB;QAC7B,WAAW,EAAE,6EAA6E;QAC1F,cAAc,EAAE,8EAA8E;KAC/F;IACD;QACE,EAAE,EAAE,oBAAoB;QACxB,KAAK,EAAE,kEAAkE;QACzE,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,uBAAuB;QAC9B,WAAW,EAAE,wDAAwD;QACrE,cAAc,EAAE,4FAA4F;KAC7G;IACD;QACE,EAAE,EAAE,mBAAmB;QACvB,KAAK,EAAE,8DAA8D;QACrE,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EAAE,8DAA8D;QAC3E,cAAc,EAAE,sFAAsF;KACvG;IAED,wCAAwC;IACxC;QACE,EAAE,EAAE,uBAAuB;QAC3B,KAAK,EAAE,iFAAiF;QACxF,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,8BAA8B;QACrC,WAAW,EAAE,qEAAqE;QAClF,cAAc,EAAE,wFAAwF;QACxG,OAAO,EAAE,oBAAoB;KAC9B;IACD;QACE,EAAE,EAAE,cAAc;QAClB,KAAK,EAAE,kDAAkD;QACzD,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,yBAAyB;QAChC,WAAW,EAAE,oDAAoD;QACjE,cAAc,EAAE,8EAA8E;KAC/F;IACD;QACE,EAAE,EAAE,kBAAkB;QACtB,KAAK,EAAE,4DAA4D;QACnE,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,8BAA8B;QACrC,WAAW,EAAE,kEAAkE;QAC/E,cAAc,EAAE,6DAA6D;KAC9E;CACF,CAAC"}

package/dist/scanners/retention/index.d.ts

@@ -0,0 +1,3 @@
+import type { Scanner } from '../../types.js';
+export declare const retentionScanner: Scanner;
+//# sourceMappingURL=index.d.ts.map

package/dist/scanners/retention/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/scanners/retention/index.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,OAAO,EAAwB,MAAM,gBAAgB,CAAC;AAuDpE,eAAO,MAAM,gBAAgB,EAAE,OAiD9B,CAAC"}

package/dist/scanners/retention/index.js

@@ -0,0 +1,102 @@
+import { readFile } from 'fs/promises';
+import { DEFAULT_CONFIG } from '../../config.js';
+import { getContextLines } from '../../utils/context.js';
+const RETENTION_ISSUES = [
+    {
+        regex: /deleteAfter\s*[:=]\s*(\d+)\s*(day|hour|minute)/i,
+        id: 'short-retention',
+        check: (match) => {
+            const value = parseInt(match[1]);
+            const unit = match[2].toLowerCase();
+            // HIPAA requires 6 years minimum for most records
+            if (unit === 'day' && value < 2190)
+                return true; // ~6 years in days
+            if (unit === 'hour' || unit === 'minute')
+                return true;
+            return false;
+        },
+        severity: 'high',
+        title: 'PHI retention period may be too short',
+        description: 'Data deletion configured with period shorter than HIPAA requirements.',
+        recommendation: 'HIPAA requires PHI retention for 6 years from creation or last effective date.',
+    },
+    {
+        regex: /\.delete\s*\(\s*\)(?!.*audit|.*log)/i,
+        id: 'unlogged-delete',
+        severity: 'medium',
+        title: 'Data deletion without apparent logging',
+        description: 'Data deletion operation without visible audit logging.',
+        recommendation: 'Log all PHI deletions with timestamp, user, and record identifiers.',
+    },
+    {
+        regex: /truncate\s+table|drop\s+table/i,
+        id: 'bulk-delete',
+        severity: 'critical',
+        title: 'Bulk data deletion operation',
+        description: 'Bulk deletion (TRUNCATE/DROP) could delete PHI without proper retention.',
+        recommendation: 'Implement soft-delete with retention periods before permanent deletion.',
+    },
+    {
+        regex: /backup.*disable|disable.*backup/i,
+        id: 'backup-disabled',
+        severity: 'high',
+        title: 'Backup may be disabled',
+        description: 'Code pattern suggests backups might be disabled.',
+        recommendation: 'Maintain encrypted backups with proper retention for disaster recovery.',
+    },
+    {
+        regex: /cache.*patient|patient.*cache/i,
+        id: 'phi-cache',
+        severity: 'medium',
+        title: 'PHI caching detected',
+        description: 'Patient data may be cached, requiring retention policy consideration.',
+        recommendation: 'Ensure cached PHI has appropriate TTL and is encrypted at rest.',
+    },
+];
+export const retentionScanner = {
+    name: 'Data Retention Scanner',
+    category: 'data-retention',
+    async scan(files, options) {
+        const findings = [];
+        const config = options.config ?? DEFAULT_CONFIG;
+        const contextSize = config.contextLines ?? 2;
+        const codeExtensions = ['.ts', '.js', '.tsx', '.jsx', '.py', '.java', '.go', '.rb', '.php', '.sql', '.yaml', '.yml'];
+        const codeFiles = files.filter(f => codeExtensions.some(ext => f.endsWith(ext)));
+        for (const filePath of codeFiles) {
+            try {
+                const content = await readFile(filePath, 'utf-8');
+                const lines = content.split('\n');
+                for (let lineNum = 0; lineNum < lines.length; lineNum++) {
+                    const line = lines[lineNum];
+                    for (const issue of RETENTION_ISSUES) {
+                        const match = line.match(issue.regex);
+                        if (match) {
+                            // Check if there's a custom check function
+                            if ('check' in issue && issue.check) {
+                                if (!issue.check(match))
+                                    continue;
+                            }
+                            findings.push({
+                                id: `retention-${issue.id}-${lineNum}`,
+                                category: 'data-retention',
+                                severity: issue.severity,
+                                title: issue.title,
+                                description: issue.description,
+                                file: filePath,
+                                line: lineNum + 1,
+                                recommendation: issue.recommendation,
+                                hipaaReference: '§164.530(j)',
+                                context: getContextLines(lines, lineNum, contextSize),
+                            });
+                        }
+                    }
+                }
+            }
+            catch {
+                // Skip files that can't be read
+            }
+        }
+        return findings;
+    },
+};
+//# sourceMappingURL=index.js.map

package/dist/scanners/retention/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/scanners/retention/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AAEvC,OAAO,EAAE,cAAc,EAAE,MAAM,iBAAiB,CAAC;AACjD,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AAEzD,MAAM,gBAAgB,GAAG;IACvB;QACE,KAAK,EAAE,iDAAiD;QACxD,EAAE,EAAE,iBAAiB;QACrB,KAAK,EAAE,CAAC,KAAuB,EAAE,EAAE;YACjC,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;YACjC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC;YACpC,kDAAkD;YAClD,IAAI,IAAI,KAAK,KAAK,IAAI,KAAK,GAAG,IAAI;gBAAE,OAAO,IAAI,CAAC,CAAC,mBAAmB;YACpE,IAAI,IAAI,KAAK,MAAM,IAAI,IAAI,KAAK,QAAQ;gBAAE,OAAO,IAAI,CAAC;YACtD,OAAO,KAAK,CAAC;QACf,CAAC;QACD,QAAQ,EAAE,MAAe;QACzB,KAAK,EAAE,uCAAuC;QAC9C,WAAW,EAAE,uEAAuE;QACpF,cAAc,EAAE,gFAAgF;KACjG;IACD;QACE,KAAK,EAAE,sCAAsC;QAC7C,EAAE,EAAE,iBAAiB;QACrB,QAAQ,EAAE,QAAiB;QAC3B,KAAK,EAAE,wCAAwC;QAC/C,WAAW,EAAE,wDAAwD;QACrE,cAAc,EAAE,qEAAqE;KACtF;IACD;QACE,KAAK,EAAE,gCAAgC;QACvC,EAAE,EAAE,aAAa;QACjB,QAAQ,EAAE,UAAmB;QAC7B,KAAK,EAAE,8BAA8B;QACrC,WAAW,EAAE,0EAA0E;QACvF,cAAc,EAAE,yEAAyE;KAC1F;IACD;QACE,KAAK,EAAE,kCAAkC;QACzC,EAAE,EAAE,iBAAiB;QACrB,QAAQ,EAAE,MAAe;QACzB,KAAK,EAAE,wBAAwB;QAC/B,WAAW,EAAE,kDAAkD;QAC/D,cAAc,EAAE,yEAAyE;KAC1F;IACD;QACE,KAAK,EAAE,gCAAgC;QACvC,EAAE,EAAE,WAAW;QACf,QAAQ,EAAE,QAAiB;QAC3B,KAAK,EAAE,sBAAsB;QAC7B,WAAW,EAAE,uEAAuE;QACpF,cAAc,EAAE,iEAAiE;KAClF;CACF,CAAC;AAEF,MAAM,CAAC,MAAM,gBAAgB,GAAY;IACvC,IAAI,EAAE,wBAAwB;IAC9B,QAAQ,EAAE,gBAAgB;IAE1B,KAAK,CAAC,IAAI,CAAC,KAAe,EAAE,OAAoB;QAC9C,MAAM,QAAQ,GAAc,EAAE,CAAC;QAC/B,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,cAAc,CAAC;QAChD,MAAM,WAAW,GAAG,MAAM,CAAC,YAAY,IAAI,CAAC,CAAC;QAC7C,MAAM,cAAc,GAAG,CAAC,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC;QACrH,MAAM,SAAS,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,cAAc,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;QAEjF,KAAK,MAAM,QAAQ,IAAI,SAAS,EAAE,CAAC;YACjC,IAAI,CAAC;gBACH,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;gBAClD,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;gBAElC,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,GAAG,KAAK,CAAC,MAAM,EAAE,OAAO,EAAE,EAAE,CAAC;oBACxD,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC;oBAE5B,KAAK,MAAM,KAAK,IAAI,gBAAgB,EAAE,CAAC;wBACrC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;wBACtC,IAAI,KAAK,EAAE,CAAC;4BACV,2CAA2C;4BAC3C,IAAI,OAAO,IAAI,KAAK,IAAI,KAAK,CAAC,KAAK,EAAE,CAAC;gCACpC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC;oCAAE,SAAS;4BACpC,CAAC;4BAED,QAAQ,CAAC,IAAI,CAAC;gCACZ,EAAE,EAAE,aAAa,KAAK,CAAC,EAAE,IAAI,OAAO,EAAE;gCACtC,QAAQ,EAAE,gBAAgB;gCAC1B,QAAQ,EAAE,KAAK,CAAC,QAAQ;gCACxB,KAAK,EAAE,KAAK,CAAC,KAAK;gCAClB,WAAW,EAAE,KAAK,CAAC,WAAW;gCAC9B,IAAI,EAAE,QAAQ;gCACd,IAAI,EAAE,OAAO,GAAG,CAAC;gCACjB,cAAc,EAAE,KAAK,CAAC,cAAc;gCACpC,cAAc,EAAE,aAAa;gCAC7B,OAAO,EAAE,eAAe,CAAC,KAAK,EAAE,OAAO,EAAE,WAAW,CAAC;6BACtD,CAAC,CAAC;wBACL,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;YAAC,MAAM,CAAC;gBACP,gCAAgC;YAClC,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF,CAAC"}

package/dist/scanners/security/index.d.ts

@@ -0,0 +1,3 @@
+import type { Scanner } from '../../types.js';
+export declare const securityScanner: Scanner;
+//# sourceMappingURL=index.d.ts.map

package/dist/scanners/security/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/scanners/security/index.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,OAAO,EAAiC,MAAM,gBAAgB,CAAC;AAuP7E,eAAO,MAAM,eAAe,EAAE,OAoD7B,CAAC"}

package/dist/scanners/security/index.js

@@ -0,0 +1,280 @@
+import { readFile } from 'fs/promises';
+import { DEFAULT_CONFIG } from '../../config.js';
+import { getContextLines } from '../../utils/context.js';
+const SECURITY_PATTERNS = [
+    // === Hardcoded Passwords ===
+    {
+        regex: /password\s*[:=]\s*['"`][^'"`]{4,}['"`]/i,
+        id: 'hardcoded-password',
+        severity: 'critical',
+        title: 'Hardcoded password detected',
+        description: 'A password appears to be hardcoded in the source code.',
+        recommendation: 'Use environment variables or a secrets manager for credentials. Never commit passwords to source control.',
+        fixType: 'hardcoded-password',
+    },
+    {
+        regex: /pwd\s*[:=]\s*['"`][^'"`]{4,}['"`]/i,
+        id: 'hardcoded-pwd',
+        severity: 'critical',
+        title: 'Hardcoded password (pwd) detected',
+        description: 'A password appears to be hardcoded using "pwd" variable.',
+        recommendation: 'Use environment variables or a secrets manager for credentials.',
+        fixType: 'hardcoded-password',
+    },
+    {
+        regex: /secret\s*[:=]\s*['"`][^'"`]{8,}['"`]/i,
+        id: 'hardcoded-secret',
+        severity: 'critical',
+        title: 'Hardcoded secret detected',
+        description: 'A secret value appears to be hardcoded in the source code.',
+        recommendation: 'Use environment variables or a secrets manager for secrets.',
+        fixType: 'hardcoded-secret',
+    },
+    {
+        regex: /credentials?\s*[:=]\s*\{[^}]*password\s*:/i,
+        id: 'credentials-object',
+        severity: 'high',
+        title: 'Credentials object with password',
+        description: 'A credentials object containing password field was detected.',
+        recommendation: 'Load credentials from secure configuration, not source code.',
+    },
+    // === API Keys Exposure ===
+    {
+        regex: /api[_-]?key\s*[:=]\s*['"`][A-Za-z0-9_-]{20,}['"`]/i,
+        id: 'api-key-exposed',
+        severity: 'critical',
+        title: 'API key exposed in source',
+        description: 'An API key appears to be hardcoded in the source code.',
+        recommendation: 'Use environment variables for API keys. Add to .gitignore and use .env files.',
+        fixType: 'api-key-exposed',
+    },
+    {
+        regex: /apikey\s*[:=]\s*['"`][A-Za-z0-9_-]{20,}['"`]/i,
+        id: 'apikey-exposed',
+        severity: 'critical',
+        title: 'API key (apikey) exposed in source',
+        description: 'An API key appears to be hardcoded.',
+        recommendation: 'Use environment variables for API keys.',
+        fixType: 'api-key-exposed',
+    },
+    {
+        regex: /(sk|pk)[_-](live|test)[_-][A-Za-z0-9]{20,}/i,
+        id: 'stripe-key-exposed',
+        severity: 'critical',
+        title: 'Stripe API key exposed',
+        description: 'A Stripe API key pattern was detected in the source code.',
+        recommendation: 'Never commit Stripe keys. Use environment variables and restrict key permissions.',
+    },
+    {
+        regex: /AKIA[0-9A-Z]{16}/,
+        id: 'aws-key-exposed',
+        severity: 'critical',
+        title: 'AWS Access Key exposed',
+        description: 'An AWS Access Key ID pattern was detected.',
+        recommendation: 'Rotate this key immediately. Use IAM roles or environment variables instead.',
+    },
+    {
+        regex: /bearer\s+[A-Za-z0-9_.-]{20,}/i,
+        id: 'bearer-token-exposed',
+        severity: 'high',
+        title: 'Bearer token in source',
+        description: 'A bearer token appears to be hardcoded.',
+        recommendation: 'Tokens should be fetched at runtime, not hardcoded.',
+    },
+    {
+        regex: /auth[_-]?token\s*[:=]\s*['"`][A-Za-z0-9_.-]{20,}['"`]/i,
+        id: 'auth-token-exposed',
+        severity: 'critical',
+        title: 'Auth token exposed in source',
+        description: 'An authentication token appears to be hardcoded.',
+        recommendation: 'Use secure token management. Never commit tokens to source control.',
+    },
+    {
+        regex: /private[_-]?key\s*[:=]\s*['"`]-----BEGIN/i,
+        id: 'private-key-exposed',
+        severity: 'critical',
+        title: 'Private key exposed in source',
+        description: 'A private key appears to be embedded in source code.',
+        recommendation: 'Never commit private keys. Use secure key management services.',
+    },
+    // === Database Credentials ===
+    {
+        regex: /mongodb(\+srv)?:\/\/[^:]+:[^@]+@/i,
+        id: 'mongodb-uri-credentials',
+        severity: 'critical',
+        title: 'MongoDB URI with credentials',
+        description: 'A MongoDB connection string with embedded credentials was detected.',
+        recommendation: 'Use environment variables for database connection strings.',
+    },
+    {
+        regex: /postgres(ql)?:\/\/[^:]+:[^@]+@/i,
+        id: 'postgres-uri-credentials',
+        severity: 'critical',
+        title: 'PostgreSQL URI with credentials',
+        description: 'A PostgreSQL connection string with embedded credentials was detected.',
+        recommendation: 'Use environment variables for database connection strings.',
+    },
+    {
+        regex: /mysql:\/\/[^:]+:[^@]+@/i,
+        id: 'mysql-uri-credentials',
+        severity: 'critical',
+        title: 'MySQL URI with credentials',
+        description: 'A MySQL connection string with embedded credentials was detected.',
+        recommendation: 'Use environment variables for database connection strings.',
+    },
+    // === Input Sanitization Issues ===
+    {
+        regex: /\.innerHTML\s*=\s*[^'"`\s;]+/i,
+        id: 'innerhtml-unsanitized',
+        severity: 'high',
+        title: 'Unsanitized innerHTML assignment',
+        description: 'Direct innerHTML assignment without sanitization can lead to XSS vulnerabilities.',
+        recommendation: 'Use textContent for text, or sanitize HTML with DOMPurify before innerHTML assignment.',
+        fixType: 'innerhtml-unsanitized',
+    },
+    {
+        regex: /dangerouslySetInnerHTML\s*=\s*\{\s*\{\s*__html:/i,
+        id: 'dangerous-innerhtml-react',
+        severity: 'high',
+        title: 'dangerouslySetInnerHTML usage',
+        description: 'Using dangerouslySetInnerHTML can expose the application to XSS attacks.',
+        recommendation: 'Sanitize content with DOMPurify before using dangerouslySetInnerHTML.',
+    },
+    {
+        regex: /eval\s*\(\s*[^)]*\)/i,
+        id: 'eval-usage',
+        severity: 'critical',
+        title: 'eval() usage detected',
+        description: 'Using eval() can execute arbitrary code and is a security risk.',
+        recommendation: 'Avoid eval(). Use safer alternatives like JSON.parse() for data parsing.',
+    },
+    {
+        regex: /new\s+Function\s*\([^)]*\)/i,
+        id: 'function-constructor',
+        severity: 'high',
+        title: 'Function constructor usage',
+        description: 'The Function constructor can execute arbitrary code like eval().',
+        recommendation: 'Avoid dynamic code execution. Use predefined functions instead.',
+    },
+    {
+        regex: /document\.write\s*\(/i,
+        id: 'document-write',
+        severity: 'medium',
+        title: 'document.write usage',
+        description: 'document.write can be exploited for XSS and blocks page rendering.',
+        recommendation: 'Use DOM manipulation methods (appendChild, insertAdjacentHTML) instead.',
+    },
+    // === SQL Injection Risks ===
+    {
+        regex: /\b(SELECT|INSERT|UPDATE|DELETE)\b.*['"`]\s*\+\s*\w+\s*\+?\s*['"`]?/i,
+        id: 'sql-string-concat',
+        severity: 'critical',
+        title: 'SQL query string concatenation',
+        description: 'Building SQL queries with string concatenation is vulnerable to SQL injection.',
+        recommendation: 'Use parameterized queries or prepared statements. Never concatenate user input into SQL.',
+        fixType: 'sql-injection-concat',
+    },
+    {
+        regex: /\bSELECT\b.*\$\{[^}]+\}|\bWHERE\b.*\$\{[^}]+\}|\bINSERT\s+INTO\b.*\$\{[^}]+\}|\bUPDATE\b.*\bSET\b.*\$\{[^}]+\}|\bDELETE\s+FROM\b.*\$\{[^}]+\}/i,
+        id: 'sql-template-literal',
+        severity: 'critical',
+        title: 'SQL query with template literal interpolation',
+        description: 'Interpolating variables directly into SQL queries enables SQL injection.',
+        recommendation: 'Use parameterized queries. Pass variables as parameters, not interpolated strings.',
+        fixType: 'sql-injection-template',
+    },
+    {
+        regex: /\.(query|execute|raw|sql)\s*\(\s*`[^`]*\$\{/i,
+        id: 'query-template-injection',
+        severity: 'critical',
+        title: 'Database query with template interpolation',
+        description: 'Template literal interpolation in database queries can lead to injection attacks.',
+        recommendation: 'Use parameterized queries: query("SELECT * FROM users WHERE id = $1", [userId])',
+        fixType: 'sql-injection-template',
+    },
+    {
+        regex: /\.(query|execute|sql)\s*\(\s*['"][^'"]*['"]\s*\+/i,
+        id: 'execute-string-concat',
+        severity: 'critical',
+        title: 'SQL execute with string concatenation',
+        description: 'Concatenating strings in SQL execute statements enables injection.',
+        recommendation: 'Use parameterized queries instead of string concatenation.',
+        fixType: 'sql-injection-concat',
+    },
+    {
+        regex: /\$\{[^}]+\}\s*\)\s*$.*\b(SELECT|INSERT|UPDATE|DELETE)\b/i,
+        id: 'raw-query-injection',
+        severity: 'critical',
+        title: 'Raw SQL query with interpolation',
+        description: 'Raw SQL queries with interpolated values are vulnerable to injection.',
+        recommendation: 'Even with raw queries, use parameter binding for user-supplied values.',
+        fixType: 'sql-injection-template',
+    },
+    // === Cookie Security ===
+    {
+        regex: /res\.cookie\s*\([^)]+\)(?!.*httpOnly)/i,
+        id: 'cookie-no-httponly',
+        severity: 'high',
+        title: 'Cookie without httpOnly flag',
+        description: 'Cookies without httpOnly can be accessed by JavaScript, enabling XSS attacks.',
+        recommendation: 'Add httpOnly: true and secure: true to all cookies, especially session cookies.',
+        fixType: 'cookie-insecure',
+    },
+    {
+        regex: /cookie\s*:\s*\{[^}]*\}(?!.*httpOnly)/i,
+        id: 'cookie-config-insecure',
+        severity: 'high',
+        title: 'Cookie configuration missing security flags',
+        description: 'Cookie configuration is missing httpOnly and/or secure flags.',
+        recommendation: 'Always set httpOnly: true, secure: true for cookies handling sensitive data.',
+        fixType: 'cookie-insecure',
+    },
+];
+export const securityScanner = {
+    name: 'Security Scanner',
+    category: 'access-control', // Using access-control category for now
+    async scan(files, options) {
+        const findings = [];
+        const config = options.config ?? DEFAULT_CONFIG;
+        const contextSize = config.contextLines ?? 2;
+        const codeExtensions = ['.ts', '.js', '.tsx', '.jsx', '.py', '.java', '.go', '.rb', '.php', '.env', '.sql'];
+        const codeFiles = files.filter(f => codeExtensions.some(ext => f.endsWith(ext)));
+        for (const filePath of codeFiles) {
+            // Skip test files for some patterns to reduce noise
+            const isTestFile = filePath.includes('test') || filePath.includes('spec') || filePath.includes('mock');
+            try {
+                const content = await readFile(filePath, 'utf-8');
+                const lines = content.split('\n');
+                for (let lineNum = 0; lineNum < lines.length; lineNum++) {
+                    const line = lines[lineNum];
+                    for (const pattern of SECURITY_PATTERNS) {
+                        if (pattern.regex.test(line)) {
+                            // Skip some false positives in test files
+                            if (isTestFile && ['hardcoded-password', 'hardcoded-secret'].includes(pattern.id)) {
+                                continue;
+                            }
+                            findings.push({
+                                id: `security-${pattern.id}-${lineNum}`,
+                                category: 'access-control',
+                                severity: pattern.severity,
+                                title: pattern.title,
+                                description: pattern.description,
+                                file: filePath,
+                                line: lineNum + 1,
+                                recommendation: pattern.recommendation,
+                                hipaaReference: '§164.312(a)(1), §164.312(d)',
+                                context: getContextLines(lines, lineNum, contextSize),
+                                fixType: pattern.fixType,
+                            });
+                        }
+                    }
+                }
+            }
+            catch {
+                // Skip files that can't be read
+            }
+        }
+        return findings;
+    },
+};
+//# sourceMappingURL=index.js.map