xploitscan-shared-rules 1.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/index.cjs +5597 -0
- package/dist/index.cjs.map +1 -0
- package/dist/index.d.cts +249 -0
- package/dist/index.d.ts +249 -0
- package/dist/index.js +5394 -0
- package/dist/index.js.map +1 -0
- package/package.json +54 -0
package/dist/index.d.cts
ADDED
|
@@ -0,0 +1,249 @@
|
|
|
1
|
+
type Severity = "critical" | "high" | "medium" | "low" | "info";
|
|
2
|
+
type Confidence = "high" | "medium" | "low";
|
|
3
|
+
interface Finding {
|
|
4
|
+
id: string;
|
|
5
|
+
rule: string;
|
|
6
|
+
severity: Severity;
|
|
7
|
+
confidence?: Confidence;
|
|
8
|
+
title: string;
|
|
9
|
+
description: string;
|
|
10
|
+
file: string;
|
|
11
|
+
line: number;
|
|
12
|
+
column?: number;
|
|
13
|
+
snippet: string;
|
|
14
|
+
fix?: string;
|
|
15
|
+
fixCode?: {
|
|
16
|
+
before: string;
|
|
17
|
+
after: string;
|
|
18
|
+
};
|
|
19
|
+
category: string;
|
|
20
|
+
source: "custom" | "semgrep" | "gitleaks" | "ai" | "dependency" | "entropy" | "config" | "multi-file";
|
|
21
|
+
owasp?: string;
|
|
22
|
+
cwe?: string;
|
|
23
|
+
}
|
|
24
|
+
interface RuleMatch {
|
|
25
|
+
rule: string;
|
|
26
|
+
title: string;
|
|
27
|
+
severity: Severity;
|
|
28
|
+
category: string;
|
|
29
|
+
file: string;
|
|
30
|
+
line: number;
|
|
31
|
+
column?: number;
|
|
32
|
+
snippet: string;
|
|
33
|
+
fix?: string;
|
|
34
|
+
}
|
|
35
|
+
interface CustomRule {
|
|
36
|
+
id: string;
|
|
37
|
+
title: string;
|
|
38
|
+
severity: Severity;
|
|
39
|
+
category: string;
|
|
40
|
+
description: string;
|
|
41
|
+
check: (content: string, filePath: string) => RuleMatch[];
|
|
42
|
+
}
|
|
43
|
+
|
|
44
|
+
/**
|
|
45
|
+
* Return a small code snippet around a given line number with a `>` marker on the matched line.
|
|
46
|
+
* Pure string manipulation — no fs dependency, so this is safe to use in both the CLI
|
|
47
|
+
* and in serverless/edge environments like the web API.
|
|
48
|
+
*/
|
|
49
|
+
declare function getSnippet(content: string, line: number, contextLines?: number): string;
|
|
50
|
+
|
|
51
|
+
declare const hardcodedSecrets: CustomRule;
|
|
52
|
+
declare const exposedEnvFile: CustomRule;
|
|
53
|
+
declare const missingAuthMiddleware: CustomRule;
|
|
54
|
+
declare const supabaseNoRLS: CustomRule;
|
|
55
|
+
declare const stripeWebhookUnprotected: CustomRule;
|
|
56
|
+
declare const sqlInjection: CustomRule;
|
|
57
|
+
declare const xssVulnerability: CustomRule;
|
|
58
|
+
declare const noRateLimiting: CustomRule;
|
|
59
|
+
declare const corsWildcard: CustomRule;
|
|
60
|
+
declare const clientSideAuth: CustomRule;
|
|
61
|
+
declare const nextPublicSecret: CustomRule;
|
|
62
|
+
declare const firebaseClientConfig: CustomRule;
|
|
63
|
+
declare const supabaseAnonAdmin: CustomRule;
|
|
64
|
+
declare const envNotGitignored: CustomRule;
|
|
65
|
+
declare const evalUsage: CustomRule;
|
|
66
|
+
declare const unvalidatedRedirect: CustomRule;
|
|
67
|
+
declare const insecureCookies: CustomRule;
|
|
68
|
+
declare const exposedAuthSecret: CustomRule;
|
|
69
|
+
declare const insecureElectronWindow: CustomRule;
|
|
70
|
+
declare const missingCSP: CustomRule;
|
|
71
|
+
declare const ipcPathTraversal: CustomRule;
|
|
72
|
+
declare const unsanitizedHTMLExport: CustomRule;
|
|
73
|
+
declare const prototypePollution: CustomRule;
|
|
74
|
+
declare const missingFileSizeLimits: CustomRule;
|
|
75
|
+
declare const unsanitizedFilenames: CustomRule;
|
|
76
|
+
declare const electronNavigationUnrestricted: CustomRule;
|
|
77
|
+
declare const missingSecurityMeta: CustomRule;
|
|
78
|
+
declare const unvalidatedAPIParams: CustomRule;
|
|
79
|
+
declare const unvalidatedEventData: CustomRule;
|
|
80
|
+
declare const insecureDeserialization: CustomRule;
|
|
81
|
+
declare const hardcodedJWTSecret: CustomRule;
|
|
82
|
+
declare const missingHTTPS: CustomRule;
|
|
83
|
+
declare const exposedDebugMode: CustomRule;
|
|
84
|
+
declare const insecureRandomness: CustomRule;
|
|
85
|
+
declare const openRedirectParams: CustomRule;
|
|
86
|
+
declare const missingErrorBoundary: CustomRule;
|
|
87
|
+
declare const exposedStackTraces: CustomRule;
|
|
88
|
+
declare const insecureFileUpload: CustomRule;
|
|
89
|
+
declare const missingLockFile: CustomRule;
|
|
90
|
+
declare const exposedGitDir: CustomRule;
|
|
91
|
+
declare const ssrfVulnerability: CustomRule;
|
|
92
|
+
declare const massAssignment: CustomRule;
|
|
93
|
+
declare const timingAttack: CustomRule;
|
|
94
|
+
declare const logInjection: CustomRule;
|
|
95
|
+
declare const weakPasswordRequirements: CustomRule;
|
|
96
|
+
declare const sessionFixation: CustomRule;
|
|
97
|
+
declare const missingBruteForce: CustomRule;
|
|
98
|
+
declare const nosqlInjection: CustomRule;
|
|
99
|
+
declare const exposedDBCredentials: CustomRule;
|
|
100
|
+
declare const missingDBEncryption: CustomRule;
|
|
101
|
+
declare const graphqlIntrospection: CustomRule;
|
|
102
|
+
declare const missingRequestSizeLimit: CustomRule;
|
|
103
|
+
declare const hardcodedIPAllowlist: CustomRule;
|
|
104
|
+
declare const sensitiveLocalStorage: CustomRule;
|
|
105
|
+
declare const exposedSourceMaps: CustomRule;
|
|
106
|
+
declare const clickjacking: CustomRule;
|
|
107
|
+
declare const overlyPermissiveIAM: CustomRule;
|
|
108
|
+
declare const dockerRunAsRoot: CustomRule;
|
|
109
|
+
declare const exposedDockerPorts: CustomRule;
|
|
110
|
+
declare const weakHashing: CustomRule;
|
|
111
|
+
declare const disabledTLSVerification: CustomRule;
|
|
112
|
+
declare const hardcodedEncryptionKey: CustomRule;
|
|
113
|
+
declare const dangerousInnerHTML: CustomRule;
|
|
114
|
+
declare const exposedServerActions: CustomRule;
|
|
115
|
+
declare const unprotectedAPIRoutes: CustomRule;
|
|
116
|
+
declare const clientComponentSecret: CustomRule;
|
|
117
|
+
declare const insecureDeepLink: CustomRule;
|
|
118
|
+
declare const sensitiveAsyncStorage: CustomRule;
|
|
119
|
+
declare const missingCertPinning: CustomRule;
|
|
120
|
+
declare const androidDebuggable: CustomRule;
|
|
121
|
+
declare const djangoDebug: CustomRule;
|
|
122
|
+
declare const flaskSecretKey: CustomRule;
|
|
123
|
+
declare const pickleDeserialization: CustomRule;
|
|
124
|
+
declare const missingCSRF: CustomRule;
|
|
125
|
+
declare const githubActionsInjection: CustomRule;
|
|
126
|
+
declare const secretsInCI: CustomRule;
|
|
127
|
+
declare const corsServerless: CustomRule;
|
|
128
|
+
declare const k8sPrivileged: CustomRule;
|
|
129
|
+
type DetectedFramework = "next.js" | "react" | "react-native" | "express" | "hono" | "fastify" | "django" | "flask" | "electron" | "vue" | "svelte" | "unknown";
|
|
130
|
+
declare function detectFramework(files: {
|
|
131
|
+
path: string;
|
|
132
|
+
content: string;
|
|
133
|
+
}[]): DetectedFramework[];
|
|
134
|
+
type SecurityGrade = "A+" | "A" | "B" | "C" | "D" | "F";
|
|
135
|
+
interface GradeResult {
|
|
136
|
+
grade: SecurityGrade;
|
|
137
|
+
score: number;
|
|
138
|
+
summary: string;
|
|
139
|
+
}
|
|
140
|
+
declare function calculateGrade(findings: Finding[], _totalFiles: number): GradeResult;
|
|
141
|
+
declare const jwtAlgConfusion: CustomRule;
|
|
142
|
+
declare const regexDos: CustomRule;
|
|
143
|
+
declare const xxeVulnerability: CustomRule;
|
|
144
|
+
declare const ssti: CustomRule;
|
|
145
|
+
declare const javaDeserialization: CustomRule;
|
|
146
|
+
declare const missingSRI: CustomRule;
|
|
147
|
+
declare const exposedAdminRoutes: CustomRule;
|
|
148
|
+
declare const insecureWebSocket: CustomRule;
|
|
149
|
+
declare const missingHSTS: CustomRule;
|
|
150
|
+
declare const sensitiveURLParams: CustomRule;
|
|
151
|
+
declare const missingContentDisposition: CustomRule;
|
|
152
|
+
declare const hostHeaderRedirect: CustomRule;
|
|
153
|
+
declare const raceCondition: CustomRule;
|
|
154
|
+
declare const unsafeObjectAssign: CustomRule;
|
|
155
|
+
declare const unprotectedDownload: CustomRule;
|
|
156
|
+
declare const commandInjection: CustomRule;
|
|
157
|
+
declare const corsLocalhost: CustomRule;
|
|
158
|
+
declare const insecureGRPC: CustomRule;
|
|
159
|
+
declare const complianceMap: Record<string, {
|
|
160
|
+
owasp: string;
|
|
161
|
+
cwe: string;
|
|
162
|
+
}>;
|
|
163
|
+
declare const consoleLogProduction: CustomRule;
|
|
164
|
+
declare const syncFileOps: CustomRule;
|
|
165
|
+
declare const eventListenerLeak: CustomRule;
|
|
166
|
+
declare const nPlusOneQuery: CustomRule;
|
|
167
|
+
declare const largeBundleImport: CustomRule;
|
|
168
|
+
declare const blockingMainThread: CustomRule;
|
|
169
|
+
declare const todoLeftInCode: CustomRule;
|
|
170
|
+
declare const emptyCatchBlock: CustomRule;
|
|
171
|
+
declare const callbackHell: CustomRule;
|
|
172
|
+
declare const magicNumbers: CustomRule;
|
|
173
|
+
declare const s3BucketNoEncryption: CustomRule;
|
|
174
|
+
declare const securityGroupAllInbound: CustomRule;
|
|
175
|
+
declare const rdsPubliclyAccessible: CustomRule;
|
|
176
|
+
declare const missingCloudTrail: CustomRule;
|
|
177
|
+
declare const lambdaWithoutVPC: CustomRule;
|
|
178
|
+
declare const dockerLatestTag: CustomRule;
|
|
179
|
+
declare const dockerCopySensitive: CustomRule;
|
|
180
|
+
declare const dockerTooManyPorts: CustomRule;
|
|
181
|
+
declare const k8sSecretNotEncrypted: CustomRule;
|
|
182
|
+
declare const k8sNoResourceLimits: CustomRule;
|
|
183
|
+
declare const pathTraversal: CustomRule;
|
|
184
|
+
declare const piiInLogs: CustomRule;
|
|
185
|
+
declare const hardcodedOAuthSecret: CustomRule;
|
|
186
|
+
declare const missingOAuthState: CustomRule;
|
|
187
|
+
declare const unpinnedGitHubAction: CustomRule;
|
|
188
|
+
declare const deprecatedTLS: CustomRule;
|
|
189
|
+
declare const weakRSAKeySize: CustomRule;
|
|
190
|
+
declare const ecbModeEncryption: CustomRule;
|
|
191
|
+
declare const insecurePasswordReset: CustomRule;
|
|
192
|
+
declare const terraformStateExposed: CustomRule;
|
|
193
|
+
declare const insecureHTTPMethods: CustomRule;
|
|
194
|
+
declare const httpRequestSmuggling: CustomRule;
|
|
195
|
+
declare const unencryptedPII: CustomRule;
|
|
196
|
+
declare const missingAuthRateLimit: CustomRule;
|
|
197
|
+
declare const vulnerableDependencies: CustomRule;
|
|
198
|
+
declare const hardcodedAnthropicKey: CustomRule;
|
|
199
|
+
declare const hardcodedGitHubPAT: CustomRule;
|
|
200
|
+
declare const hardcodedSendGridKey: CustomRule;
|
|
201
|
+
declare const hardcodedSlackToken: CustomRule;
|
|
202
|
+
declare const hardcodedGCPServiceAccount: CustomRule;
|
|
203
|
+
declare const hardcodedShopifyToken: CustomRule;
|
|
204
|
+
declare const hardcodedGitLabToken: CustomRule;
|
|
205
|
+
declare const hardcodedTwilioKey: CustomRule;
|
|
206
|
+
declare const hardcodedMailgunKey: CustomRule;
|
|
207
|
+
declare const hardcodedDatadogKey: CustomRule;
|
|
208
|
+
declare const hardcodedVercelToken: CustomRule;
|
|
209
|
+
declare const hardcodedSupabaseServiceRole: CustomRule;
|
|
210
|
+
declare const hardcodedVaultToken: CustomRule;
|
|
211
|
+
declare const hardcodedPineconeKey: CustomRule;
|
|
212
|
+
declare const secretInURLParam: CustomRule;
|
|
213
|
+
declare const secretLoggedToConsole: CustomRule;
|
|
214
|
+
declare const secretInErrorResponse: CustomRule;
|
|
215
|
+
declare const secretInBundleConfig: CustomRule;
|
|
216
|
+
declare const secretInHTMLAttribute: CustomRule;
|
|
217
|
+
declare const secretInCLIArgument: CustomRule;
|
|
218
|
+
declare const webhookSignatureVerification: CustomRule;
|
|
219
|
+
declare const reflectedCORSOrigin: CustomRule;
|
|
220
|
+
declare const missingRequestValidation: CustomRule;
|
|
221
|
+
declare const missingAIRateLimit: CustomRule;
|
|
222
|
+
declare const missingPagination: CustomRule;
|
|
223
|
+
declare const exposedDatabaseStudio: CustomRule;
|
|
224
|
+
declare const insecureDirectObjectReference: CustomRule;
|
|
225
|
+
declare const freeRules: CustomRule[];
|
|
226
|
+
declare const allRules: CustomRule[];
|
|
227
|
+
declare const allCustomRules: CustomRule[];
|
|
228
|
+
declare function runCustomRules(content: string, filePath: string, disabledRules?: string[], tier?: "free" | "pro", extraRules?: CustomRule[]): Finding[];
|
|
229
|
+
|
|
230
|
+
interface FilteredFinding {
|
|
231
|
+
finding: Finding;
|
|
232
|
+
reason: string;
|
|
233
|
+
}
|
|
234
|
+
interface AIFilterResult {
|
|
235
|
+
findings: Finding[];
|
|
236
|
+
filteredFindings: FilteredFinding[];
|
|
237
|
+
aiReviewed: boolean;
|
|
238
|
+
removedCount: number;
|
|
239
|
+
totalBefore: number;
|
|
240
|
+
}
|
|
241
|
+
/**
|
|
242
|
+
* Filter false positives from findings using Claude Haiku.
|
|
243
|
+
*
|
|
244
|
+
* Returns filtered findings, the removed findings with AI reasons,
|
|
245
|
+
* and metadata about what the AI did.
|
|
246
|
+
*/
|
|
247
|
+
declare function filterFalsePositives(findings: Finding[], fileContents: Map<string, string>): Promise<AIFilterResult>;
|
|
248
|
+
|
|
249
|
+
export { type AIFilterResult, type Confidence, type CustomRule, type DetectedFramework, type FilteredFinding, type Finding, type GradeResult, type RuleMatch, type SecurityGrade, type Severity, allCustomRules, allRules, androidDebuggable, blockingMainThread, calculateGrade, callbackHell, clickjacking, clientComponentSecret, clientSideAuth, commandInjection, complianceMap, consoleLogProduction, corsLocalhost, corsServerless, corsWildcard, dangerousInnerHTML, deprecatedTLS, detectFramework, disabledTLSVerification, djangoDebug, dockerCopySensitive, dockerLatestTag, dockerRunAsRoot, dockerTooManyPorts, ecbModeEncryption, electronNavigationUnrestricted, emptyCatchBlock, envNotGitignored, evalUsage, eventListenerLeak, exposedAdminRoutes, exposedAuthSecret, exposedDBCredentials, exposedDatabaseStudio, exposedDebugMode, exposedDockerPorts, exposedEnvFile, exposedGitDir, exposedServerActions, exposedSourceMaps, exposedStackTraces, filterFalsePositives, firebaseClientConfig, flaskSecretKey, freeRules, getSnippet, githubActionsInjection, graphqlIntrospection, hardcodedAnthropicKey, hardcodedDatadogKey, hardcodedEncryptionKey, hardcodedGCPServiceAccount, hardcodedGitHubPAT, hardcodedGitLabToken, hardcodedIPAllowlist, hardcodedJWTSecret, hardcodedMailgunKey, hardcodedOAuthSecret, hardcodedPineconeKey, hardcodedSecrets, hardcodedSendGridKey, hardcodedShopifyToken, hardcodedSlackToken, hardcodedSupabaseServiceRole, hardcodedTwilioKey, hardcodedVaultToken, hardcodedVercelToken, hostHeaderRedirect, httpRequestSmuggling, insecureCookies, insecureDeepLink, insecureDeserialization, insecureDirectObjectReference, insecureElectronWindow, insecureFileUpload, insecureGRPC, insecureHTTPMethods, insecurePasswordReset, insecureRandomness, insecureWebSocket, ipcPathTraversal, javaDeserialization, jwtAlgConfusion, k8sNoResourceLimits, k8sPrivileged, k8sSecretNotEncrypted, lambdaWithoutVPC, largeBundleImport, logInjection, magicNumbers, massAssignment, missingAIRateLimit, missingAuthMiddleware, missingAuthRateLimit, missingBruteForce, missingCSP, missingCSRF, missingCertPinning, missingCloudTrail, missingContentDisposition, missingDBEncryption, missingErrorBoundary, missingFileSizeLimits, missingHSTS, missingHTTPS, missingLockFile, missingOAuthState, missingPagination, missingRequestSizeLimit, missingRequestValidation, missingSRI, missingSecurityMeta, nPlusOneQuery, nextPublicSecret, noRateLimiting, nosqlInjection, openRedirectParams, overlyPermissiveIAM, pathTraversal, pickleDeserialization, piiInLogs, prototypePollution, raceCondition, rdsPubliclyAccessible, reflectedCORSOrigin, regexDos, runCustomRules, s3BucketNoEncryption, secretInBundleConfig, secretInCLIArgument, secretInErrorResponse, secretInHTMLAttribute, secretInURLParam, secretLoggedToConsole, secretsInCI, securityGroupAllInbound, sensitiveAsyncStorage, sensitiveLocalStorage, sensitiveURLParams, sessionFixation, sqlInjection, ssrfVulnerability, ssti, stripeWebhookUnprotected, supabaseAnonAdmin, supabaseNoRLS, syncFileOps, terraformStateExposed, timingAttack, todoLeftInCode, unencryptedPII, unpinnedGitHubAction, unprotectedAPIRoutes, unprotectedDownload, unsafeObjectAssign, unsanitizedFilenames, unsanitizedHTMLExport, unvalidatedAPIParams, unvalidatedEventData, unvalidatedRedirect, vulnerableDependencies, weakHashing, weakPasswordRequirements, weakRSAKeySize, webhookSignatureVerification, xssVulnerability, xxeVulnerability };
|
package/dist/index.d.ts
ADDED
|
@@ -0,0 +1,249 @@
|
|
|
1
|
+
type Severity = "critical" | "high" | "medium" | "low" | "info";
|
|
2
|
+
type Confidence = "high" | "medium" | "low";
|
|
3
|
+
interface Finding {
|
|
4
|
+
id: string;
|
|
5
|
+
rule: string;
|
|
6
|
+
severity: Severity;
|
|
7
|
+
confidence?: Confidence;
|
|
8
|
+
title: string;
|
|
9
|
+
description: string;
|
|
10
|
+
file: string;
|
|
11
|
+
line: number;
|
|
12
|
+
column?: number;
|
|
13
|
+
snippet: string;
|
|
14
|
+
fix?: string;
|
|
15
|
+
fixCode?: {
|
|
16
|
+
before: string;
|
|
17
|
+
after: string;
|
|
18
|
+
};
|
|
19
|
+
category: string;
|
|
20
|
+
source: "custom" | "semgrep" | "gitleaks" | "ai" | "dependency" | "entropy" | "config" | "multi-file";
|
|
21
|
+
owasp?: string;
|
|
22
|
+
cwe?: string;
|
|
23
|
+
}
|
|
24
|
+
interface RuleMatch {
|
|
25
|
+
rule: string;
|
|
26
|
+
title: string;
|
|
27
|
+
severity: Severity;
|
|
28
|
+
category: string;
|
|
29
|
+
file: string;
|
|
30
|
+
line: number;
|
|
31
|
+
column?: number;
|
|
32
|
+
snippet: string;
|
|
33
|
+
fix?: string;
|
|
34
|
+
}
|
|
35
|
+
interface CustomRule {
|
|
36
|
+
id: string;
|
|
37
|
+
title: string;
|
|
38
|
+
severity: Severity;
|
|
39
|
+
category: string;
|
|
40
|
+
description: string;
|
|
41
|
+
check: (content: string, filePath: string) => RuleMatch[];
|
|
42
|
+
}
|
|
43
|
+
|
|
44
|
+
/**
|
|
45
|
+
* Return a small code snippet around a given line number with a `>` marker on the matched line.
|
|
46
|
+
* Pure string manipulation — no fs dependency, so this is safe to use in both the CLI
|
|
47
|
+
* and in serverless/edge environments like the web API.
|
|
48
|
+
*/
|
|
49
|
+
declare function getSnippet(content: string, line: number, contextLines?: number): string;
|
|
50
|
+
|
|
51
|
+
declare const hardcodedSecrets: CustomRule;
|
|
52
|
+
declare const exposedEnvFile: CustomRule;
|
|
53
|
+
declare const missingAuthMiddleware: CustomRule;
|
|
54
|
+
declare const supabaseNoRLS: CustomRule;
|
|
55
|
+
declare const stripeWebhookUnprotected: CustomRule;
|
|
56
|
+
declare const sqlInjection: CustomRule;
|
|
57
|
+
declare const xssVulnerability: CustomRule;
|
|
58
|
+
declare const noRateLimiting: CustomRule;
|
|
59
|
+
declare const corsWildcard: CustomRule;
|
|
60
|
+
declare const clientSideAuth: CustomRule;
|
|
61
|
+
declare const nextPublicSecret: CustomRule;
|
|
62
|
+
declare const firebaseClientConfig: CustomRule;
|
|
63
|
+
declare const supabaseAnonAdmin: CustomRule;
|
|
64
|
+
declare const envNotGitignored: CustomRule;
|
|
65
|
+
declare const evalUsage: CustomRule;
|
|
66
|
+
declare const unvalidatedRedirect: CustomRule;
|
|
67
|
+
declare const insecureCookies: CustomRule;
|
|
68
|
+
declare const exposedAuthSecret: CustomRule;
|
|
69
|
+
declare const insecureElectronWindow: CustomRule;
|
|
70
|
+
declare const missingCSP: CustomRule;
|
|
71
|
+
declare const ipcPathTraversal: CustomRule;
|
|
72
|
+
declare const unsanitizedHTMLExport: CustomRule;
|
|
73
|
+
declare const prototypePollution: CustomRule;
|
|
74
|
+
declare const missingFileSizeLimits: CustomRule;
|
|
75
|
+
declare const unsanitizedFilenames: CustomRule;
|
|
76
|
+
declare const electronNavigationUnrestricted: CustomRule;
|
|
77
|
+
declare const missingSecurityMeta: CustomRule;
|
|
78
|
+
declare const unvalidatedAPIParams: CustomRule;
|
|
79
|
+
declare const unvalidatedEventData: CustomRule;
|
|
80
|
+
declare const insecureDeserialization: CustomRule;
|
|
81
|
+
declare const hardcodedJWTSecret: CustomRule;
|
|
82
|
+
declare const missingHTTPS: CustomRule;
|
|
83
|
+
declare const exposedDebugMode: CustomRule;
|
|
84
|
+
declare const insecureRandomness: CustomRule;
|
|
85
|
+
declare const openRedirectParams: CustomRule;
|
|
86
|
+
declare const missingErrorBoundary: CustomRule;
|
|
87
|
+
declare const exposedStackTraces: CustomRule;
|
|
88
|
+
declare const insecureFileUpload: CustomRule;
|
|
89
|
+
declare const missingLockFile: CustomRule;
|
|
90
|
+
declare const exposedGitDir: CustomRule;
|
|
91
|
+
declare const ssrfVulnerability: CustomRule;
|
|
92
|
+
declare const massAssignment: CustomRule;
|
|
93
|
+
declare const timingAttack: CustomRule;
|
|
94
|
+
declare const logInjection: CustomRule;
|
|
95
|
+
declare const weakPasswordRequirements: CustomRule;
|
|
96
|
+
declare const sessionFixation: CustomRule;
|
|
97
|
+
declare const missingBruteForce: CustomRule;
|
|
98
|
+
declare const nosqlInjection: CustomRule;
|
|
99
|
+
declare const exposedDBCredentials: CustomRule;
|
|
100
|
+
declare const missingDBEncryption: CustomRule;
|
|
101
|
+
declare const graphqlIntrospection: CustomRule;
|
|
102
|
+
declare const missingRequestSizeLimit: CustomRule;
|
|
103
|
+
declare const hardcodedIPAllowlist: CustomRule;
|
|
104
|
+
declare const sensitiveLocalStorage: CustomRule;
|
|
105
|
+
declare const exposedSourceMaps: CustomRule;
|
|
106
|
+
declare const clickjacking: CustomRule;
|
|
107
|
+
declare const overlyPermissiveIAM: CustomRule;
|
|
108
|
+
declare const dockerRunAsRoot: CustomRule;
|
|
109
|
+
declare const exposedDockerPorts: CustomRule;
|
|
110
|
+
declare const weakHashing: CustomRule;
|
|
111
|
+
declare const disabledTLSVerification: CustomRule;
|
|
112
|
+
declare const hardcodedEncryptionKey: CustomRule;
|
|
113
|
+
declare const dangerousInnerHTML: CustomRule;
|
|
114
|
+
declare const exposedServerActions: CustomRule;
|
|
115
|
+
declare const unprotectedAPIRoutes: CustomRule;
|
|
116
|
+
declare const clientComponentSecret: CustomRule;
|
|
117
|
+
declare const insecureDeepLink: CustomRule;
|
|
118
|
+
declare const sensitiveAsyncStorage: CustomRule;
|
|
119
|
+
declare const missingCertPinning: CustomRule;
|
|
120
|
+
declare const androidDebuggable: CustomRule;
|
|
121
|
+
declare const djangoDebug: CustomRule;
|
|
122
|
+
declare const flaskSecretKey: CustomRule;
|
|
123
|
+
declare const pickleDeserialization: CustomRule;
|
|
124
|
+
declare const missingCSRF: CustomRule;
|
|
125
|
+
declare const githubActionsInjection: CustomRule;
|
|
126
|
+
declare const secretsInCI: CustomRule;
|
|
127
|
+
declare const corsServerless: CustomRule;
|
|
128
|
+
declare const k8sPrivileged: CustomRule;
|
|
129
|
+
type DetectedFramework = "next.js" | "react" | "react-native" | "express" | "hono" | "fastify" | "django" | "flask" | "electron" | "vue" | "svelte" | "unknown";
|
|
130
|
+
declare function detectFramework(files: {
|
|
131
|
+
path: string;
|
|
132
|
+
content: string;
|
|
133
|
+
}[]): DetectedFramework[];
|
|
134
|
+
type SecurityGrade = "A+" | "A" | "B" | "C" | "D" | "F";
|
|
135
|
+
interface GradeResult {
|
|
136
|
+
grade: SecurityGrade;
|
|
137
|
+
score: number;
|
|
138
|
+
summary: string;
|
|
139
|
+
}
|
|
140
|
+
declare function calculateGrade(findings: Finding[], _totalFiles: number): GradeResult;
|
|
141
|
+
declare const jwtAlgConfusion: CustomRule;
|
|
142
|
+
declare const regexDos: CustomRule;
|
|
143
|
+
declare const xxeVulnerability: CustomRule;
|
|
144
|
+
declare const ssti: CustomRule;
|
|
145
|
+
declare const javaDeserialization: CustomRule;
|
|
146
|
+
declare const missingSRI: CustomRule;
|
|
147
|
+
declare const exposedAdminRoutes: CustomRule;
|
|
148
|
+
declare const insecureWebSocket: CustomRule;
|
|
149
|
+
declare const missingHSTS: CustomRule;
|
|
150
|
+
declare const sensitiveURLParams: CustomRule;
|
|
151
|
+
declare const missingContentDisposition: CustomRule;
|
|
152
|
+
declare const hostHeaderRedirect: CustomRule;
|
|
153
|
+
declare const raceCondition: CustomRule;
|
|
154
|
+
declare const unsafeObjectAssign: CustomRule;
|
|
155
|
+
declare const unprotectedDownload: CustomRule;
|
|
156
|
+
declare const commandInjection: CustomRule;
|
|
157
|
+
declare const corsLocalhost: CustomRule;
|
|
158
|
+
declare const insecureGRPC: CustomRule;
|
|
159
|
+
declare const complianceMap: Record<string, {
|
|
160
|
+
owasp: string;
|
|
161
|
+
cwe: string;
|
|
162
|
+
}>;
|
|
163
|
+
declare const consoleLogProduction: CustomRule;
|
|
164
|
+
declare const syncFileOps: CustomRule;
|
|
165
|
+
declare const eventListenerLeak: CustomRule;
|
|
166
|
+
declare const nPlusOneQuery: CustomRule;
|
|
167
|
+
declare const largeBundleImport: CustomRule;
|
|
168
|
+
declare const blockingMainThread: CustomRule;
|
|
169
|
+
declare const todoLeftInCode: CustomRule;
|
|
170
|
+
declare const emptyCatchBlock: CustomRule;
|
|
171
|
+
declare const callbackHell: CustomRule;
|
|
172
|
+
declare const magicNumbers: CustomRule;
|
|
173
|
+
declare const s3BucketNoEncryption: CustomRule;
|
|
174
|
+
declare const securityGroupAllInbound: CustomRule;
|
|
175
|
+
declare const rdsPubliclyAccessible: CustomRule;
|
|
176
|
+
declare const missingCloudTrail: CustomRule;
|
|
177
|
+
declare const lambdaWithoutVPC: CustomRule;
|
|
178
|
+
declare const dockerLatestTag: CustomRule;
|
|
179
|
+
declare const dockerCopySensitive: CustomRule;
|
|
180
|
+
declare const dockerTooManyPorts: CustomRule;
|
|
181
|
+
declare const k8sSecretNotEncrypted: CustomRule;
|
|
182
|
+
declare const k8sNoResourceLimits: CustomRule;
|
|
183
|
+
declare const pathTraversal: CustomRule;
|
|
184
|
+
declare const piiInLogs: CustomRule;
|
|
185
|
+
declare const hardcodedOAuthSecret: CustomRule;
|
|
186
|
+
declare const missingOAuthState: CustomRule;
|
|
187
|
+
declare const unpinnedGitHubAction: CustomRule;
|
|
188
|
+
declare const deprecatedTLS: CustomRule;
|
|
189
|
+
declare const weakRSAKeySize: CustomRule;
|
|
190
|
+
declare const ecbModeEncryption: CustomRule;
|
|
191
|
+
declare const insecurePasswordReset: CustomRule;
|
|
192
|
+
declare const terraformStateExposed: CustomRule;
|
|
193
|
+
declare const insecureHTTPMethods: CustomRule;
|
|
194
|
+
declare const httpRequestSmuggling: CustomRule;
|
|
195
|
+
declare const unencryptedPII: CustomRule;
|
|
196
|
+
declare const missingAuthRateLimit: CustomRule;
|
|
197
|
+
declare const vulnerableDependencies: CustomRule;
|
|
198
|
+
declare const hardcodedAnthropicKey: CustomRule;
|
|
199
|
+
declare const hardcodedGitHubPAT: CustomRule;
|
|
200
|
+
declare const hardcodedSendGridKey: CustomRule;
|
|
201
|
+
declare const hardcodedSlackToken: CustomRule;
|
|
202
|
+
declare const hardcodedGCPServiceAccount: CustomRule;
|
|
203
|
+
declare const hardcodedShopifyToken: CustomRule;
|
|
204
|
+
declare const hardcodedGitLabToken: CustomRule;
|
|
205
|
+
declare const hardcodedTwilioKey: CustomRule;
|
|
206
|
+
declare const hardcodedMailgunKey: CustomRule;
|
|
207
|
+
declare const hardcodedDatadogKey: CustomRule;
|
|
208
|
+
declare const hardcodedVercelToken: CustomRule;
|
|
209
|
+
declare const hardcodedSupabaseServiceRole: CustomRule;
|
|
210
|
+
declare const hardcodedVaultToken: CustomRule;
|
|
211
|
+
declare const hardcodedPineconeKey: CustomRule;
|
|
212
|
+
declare const secretInURLParam: CustomRule;
|
|
213
|
+
declare const secretLoggedToConsole: CustomRule;
|
|
214
|
+
declare const secretInErrorResponse: CustomRule;
|
|
215
|
+
declare const secretInBundleConfig: CustomRule;
|
|
216
|
+
declare const secretInHTMLAttribute: CustomRule;
|
|
217
|
+
declare const secretInCLIArgument: CustomRule;
|
|
218
|
+
declare const webhookSignatureVerification: CustomRule;
|
|
219
|
+
declare const reflectedCORSOrigin: CustomRule;
|
|
220
|
+
declare const missingRequestValidation: CustomRule;
|
|
221
|
+
declare const missingAIRateLimit: CustomRule;
|
|
222
|
+
declare const missingPagination: CustomRule;
|
|
223
|
+
declare const exposedDatabaseStudio: CustomRule;
|
|
224
|
+
declare const insecureDirectObjectReference: CustomRule;
|
|
225
|
+
declare const freeRules: CustomRule[];
|
|
226
|
+
declare const allRules: CustomRule[];
|
|
227
|
+
declare const allCustomRules: CustomRule[];
|
|
228
|
+
declare function runCustomRules(content: string, filePath: string, disabledRules?: string[], tier?: "free" | "pro", extraRules?: CustomRule[]): Finding[];
|
|
229
|
+
|
|
230
|
+
interface FilteredFinding {
|
|
231
|
+
finding: Finding;
|
|
232
|
+
reason: string;
|
|
233
|
+
}
|
|
234
|
+
interface AIFilterResult {
|
|
235
|
+
findings: Finding[];
|
|
236
|
+
filteredFindings: FilteredFinding[];
|
|
237
|
+
aiReviewed: boolean;
|
|
238
|
+
removedCount: number;
|
|
239
|
+
totalBefore: number;
|
|
240
|
+
}
|
|
241
|
+
/**
|
|
242
|
+
* Filter false positives from findings using Claude Haiku.
|
|
243
|
+
*
|
|
244
|
+
* Returns filtered findings, the removed findings with AI reasons,
|
|
245
|
+
* and metadata about what the AI did.
|
|
246
|
+
*/
|
|
247
|
+
declare function filterFalsePositives(findings: Finding[], fileContents: Map<string, string>): Promise<AIFilterResult>;
|
|
248
|
+
|
|
249
|
+
export { type AIFilterResult, type Confidence, type CustomRule, type DetectedFramework, type FilteredFinding, type Finding, type GradeResult, type RuleMatch, type SecurityGrade, type Severity, allCustomRules, allRules, androidDebuggable, blockingMainThread, calculateGrade, callbackHell, clickjacking, clientComponentSecret, clientSideAuth, commandInjection, complianceMap, consoleLogProduction, corsLocalhost, corsServerless, corsWildcard, dangerousInnerHTML, deprecatedTLS, detectFramework, disabledTLSVerification, djangoDebug, dockerCopySensitive, dockerLatestTag, dockerRunAsRoot, dockerTooManyPorts, ecbModeEncryption, electronNavigationUnrestricted, emptyCatchBlock, envNotGitignored, evalUsage, eventListenerLeak, exposedAdminRoutes, exposedAuthSecret, exposedDBCredentials, exposedDatabaseStudio, exposedDebugMode, exposedDockerPorts, exposedEnvFile, exposedGitDir, exposedServerActions, exposedSourceMaps, exposedStackTraces, filterFalsePositives, firebaseClientConfig, flaskSecretKey, freeRules, getSnippet, githubActionsInjection, graphqlIntrospection, hardcodedAnthropicKey, hardcodedDatadogKey, hardcodedEncryptionKey, hardcodedGCPServiceAccount, hardcodedGitHubPAT, hardcodedGitLabToken, hardcodedIPAllowlist, hardcodedJWTSecret, hardcodedMailgunKey, hardcodedOAuthSecret, hardcodedPineconeKey, hardcodedSecrets, hardcodedSendGridKey, hardcodedShopifyToken, hardcodedSlackToken, hardcodedSupabaseServiceRole, hardcodedTwilioKey, hardcodedVaultToken, hardcodedVercelToken, hostHeaderRedirect, httpRequestSmuggling, insecureCookies, insecureDeepLink, insecureDeserialization, insecureDirectObjectReference, insecureElectronWindow, insecureFileUpload, insecureGRPC, insecureHTTPMethods, insecurePasswordReset, insecureRandomness, insecureWebSocket, ipcPathTraversal, javaDeserialization, jwtAlgConfusion, k8sNoResourceLimits, k8sPrivileged, k8sSecretNotEncrypted, lambdaWithoutVPC, largeBundleImport, logInjection, magicNumbers, massAssignment, missingAIRateLimit, missingAuthMiddleware, missingAuthRateLimit, missingBruteForce, missingCSP, missingCSRF, missingCertPinning, missingCloudTrail, missingContentDisposition, missingDBEncryption, missingErrorBoundary, missingFileSizeLimits, missingHSTS, missingHTTPS, missingLockFile, missingOAuthState, missingPagination, missingRequestSizeLimit, missingRequestValidation, missingSRI, missingSecurityMeta, nPlusOneQuery, nextPublicSecret, noRateLimiting, nosqlInjection, openRedirectParams, overlyPermissiveIAM, pathTraversal, pickleDeserialization, piiInLogs, prototypePollution, raceCondition, rdsPubliclyAccessible, reflectedCORSOrigin, regexDos, runCustomRules, s3BucketNoEncryption, secretInBundleConfig, secretInCLIArgument, secretInErrorResponse, secretInHTMLAttribute, secretInURLParam, secretLoggedToConsole, secretsInCI, securityGroupAllInbound, sensitiveAsyncStorage, sensitiveLocalStorage, sensitiveURLParams, sessionFixation, sqlInjection, ssrfVulnerability, ssti, stripeWebhookUnprotected, supabaseAnonAdmin, supabaseNoRLS, syncFileOps, terraformStateExposed, timingAttack, todoLeftInCode, unencryptedPII, unpinnedGitHubAction, unprotectedAPIRoutes, unprotectedDownload, unsafeObjectAssign, unsanitizedFilenames, unsanitizedHTMLExport, unvalidatedAPIParams, unvalidatedEventData, unvalidatedRedirect, vulnerableDependencies, weakHashing, weakPasswordRequirements, weakRSAKeySize, webhookSignatureVerification, xssVulnerability, xxeVulnerability };
|