xploitscan-shared-rules 1.2.1 → 1.3.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +1 -1
- package/README.md +58 -0
- package/dist/index.cjs +2837 -313
- package/dist/index.cjs.map +1 -1
- package/dist/index.d.cts +163 -1
- package/dist/index.d.ts +163 -1
- package/dist/index.js +2781 -313
- package/dist/index.js.map +1 -1
- package/package.json +10 -3
package/LICENSE
CHANGED
package/README.md
ADDED
@@ -0,0 +1,58 @@
+# xploitscan-shared-rules
+
+Shared XploitScan rule definitions, helpers, compliance mappings, the AI false-positive filter, and the entropy-based secret scanner.
+
+This package is the source of truth for XploitScan's detection logic. It's consumed by the [XploitScan CLI](https://www.npmjs.com/package/xploitscan), the [XploitScan MCP server](https://www.npmjs.com/package/xploitscan-mcp), the web scan API at [xploitscan.com](https://xploitscan.com), and the [XploitScan GitHub Action](https://github.com/marketplace/actions/xploitscan-security-scanner) — so detection behavior can't drift between surfaces.
+
+## What's in here
+
+- **206 security rules** — pattern + AST-based detection for hardcoded secrets, SQL injection, XSS, SSRF, prototype pollution, crypto misuse, deserialization, JWT alg confusion, and more.
+- **Compliance mappings** — each rule tagged with the SOC2, ISO 27001, and OWASP Top 10 controls it covers.
+- **AI false-positive filter** — optional Claude Haiku integration that re-evaluates findings to suppress benign matches before reporting.
+- **Entropy-based secret scanner** — detects high-entropy strings that look like credentials but don't match a known service-key pattern.
+
+## Installation
+
+```bash
+npm install xploitscan-shared-rules
+# or
+pnpm add xploitscan-shared-rules
+```
+
+## Usage
+
+```ts
+import { getAllRules, scanContent, calculateGrade } from "xploitscan-shared-rules";
+
+const rules = getAllRules();
+const findings = scanContent(sourceCode, filePath, rules);
+const { grade, score } = calculateGrade(findings);
+```
+
+For the full API surface, see the TypeScript definitions in `dist/index.d.ts` (shipped with the package).
+
+## Most users want the CLI, not this package
+
+If you're scanning code, install the CLI instead:
+
+```bash
+npx xploitscan scan .
+```
+
+This package is published as a building block for the official XploitScan surfaces and for advanced users who want to call the detection engine directly from their own tooling.
+
+## Links
+
+- **[XploitScan website](https://xploitscan.com)**
+- [Documentation](https://xploitscan.com/docs)
+- [Detection benchmark](https://xploitscan.com/benchmark) — live precision/recall numbers vs Semgrep and Bearer
+- [CLI on npm](https://www.npmjs.com/package/xploitscan)
+- [Changelog](https://xploitscan.com/changelog)
+
+## License
+
+MIT — see [LICENSE](./LICENSE).
+
+---
+
+Built by [Cipherline LLC](https://xploitscan.com) — [admin@xploitscan.com](mailto:admin@xploitscan.com)
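Review bot: the "AI false-positive filter" bullet (line 11 of the hunk) should state what leaves the machine when the filter is enabled. A reader of this README cannot tell whether matched source lines or whole files are sent to the Claude Haiku API, whether the filter is off by default, or how the API key is supplied; for a package that calls itself the "source of truth" for detection logic and is consumed by a GitHub Action and a web API, that data flow belongs next to the feature rather than behind the external docs link. Two smaller points: the Usage block (lines 25-29) uses `sourceCode` and `filePath` without declaring them and never shows the shape of `findings` or the range of `score`, so a `const sourceCode = ...` line plus a one-line description of the finding object would make it copy-pasteable; and the hard-coded "206 security rules" (line 9) will go stale on the next rule addition unless it is generated at build time or dropped in favour of a count from `getAllRules().length`.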