xploitscan 0.4.0 → 0.6.0

package/dist/index.js

@@ -335,15 +335,21 @@ var hardcodedSecrets = {
     ];
     const matches = [];
     for (const pattern of patterns) {
-      matches.push(
-        ...findMatches(
-          content,
-          pattern,
-          hardcodedSecrets,
-          filePath,
-          () => "Move this secret to an environment variable and add it to .env (not committed to git). Use .env.example to document the required variables."
-        )
+      const rawMatches = findMatches(
+        content,
+        pattern,
+        hardcodedSecrets,
+        filePath,
+        () => "Move this secret to an environment variable and add it to .env (not committed to git). Use .env.example to document the required variables."
       );
+      for (const rm3 of rawMatches) {
+        const lineText = content.split("\n")[rm3.line - 1] || "";
+        const trimmed = lineText.trimStart();
+        if (trimmed.startsWith("//") || trimmed.startsWith("#")) continue;
+        const secretMatch = lineText.match(/[:=]\s*["'`]([^"'`]*)["'`]/);
+        if (secretMatch && secretMatch[1].length < 12) continue;
+        matches.push(rm3);
+      }
     }
     return matches;
   }
@@ -524,6 +530,7 @@ var xssVulnerability = {
   check(content, filePath) {
     if (/(?:sanitize|purify|escape|xss)/i.test(filePath)) return [];
     if (/DOMPurify\.sanitize|sanitizeHtml|xss\(|escapeHtml/i.test(content)) return [];
+    if (/(?:import|require)\s*\(?.*(?:DOMPurify|dompurify|sanitize|sanitizer)/i.test(content)) return [];
     const patterns = [
       // React dangerouslySetInnerHTML
       /dangerouslySetInnerHTML\s*=\s*\{\s*\{\s*__html\s*:/g,
@@ -765,6 +772,7 @@ var evalUsage = {
         const lineEnd = content.indexOf("\n", lineStart + 1);
         const lineText = content.substring(lineStart, lineEnd === -1 ? content.length : lineEnd);
         if (/devtool|source-map/i.test(lineText)) continue;
+        if (/(?:description|title|message)\s*[:=]/i.test(lineText)) continue;
         matches.push(rm3);
       }
     }
@@ -963,9 +971,9 @@ var unsanitizedHTMLExport = {
   description: "Generating HTML from user content without sanitization (e.g., DOMPurify) allows stored XSS attacks. Malicious content saved in documents could execute scripts when exported or previewed.",
   check(content, filePath) {
     if (isTestFile(filePath)) return [];
-    if (/import.*DOMPurify|require.*DOMPurify|from\s+['"]dompurify/i.test(content)) return [];
+    if (/DOMPurify|dompurify/i.test(content)) return [];
     if (filePath.match(/\.(jsx|tsx|vue|svelte)$/) && !/innerHTML|document\.write|\.html\s*=/i.test(content)) return [];
-    const hasSanitizer = /DOMPurify|sanitize|escapeHtml|escapeHTML|xss|htmlEncode|purify/i.test(content);
+    const hasSanitizer = /sanitize|escapeHtml|escapeHTML|xss|htmlEncode|purify/i.test(content);
     if (hasSanitizer) return [];
     if (!/(?:export|download|save|write|send).*(?:html|HTML)|\.innerHTML\s*=|document\.write|res\.send\s*\(/i.test(content)) return [];
     const matches = [];
@@ -1336,13 +1344,19 @@ var insecureRandomness = {
     if (!/Math\.random\s*\(\s*\)/i.test(content)) return [];
     const matches = [];
     const securityContext = /(?:token|secret|session|password|otp|nonce|salt|csrf|auth)\s*[:=]\s*.*Math\.random/gi;
-    matches.push(...findMatches(
+    const rawMatches = findMatches(
       content,
       securityContext,
       insecureRandomness,
       filePath,
       () => "Use crypto.randomUUID() or crypto.getRandomValues() for security-sensitive values. Math.random() is predictable."
-    ));
+    );
+    const nonSecurityVarNames = /(?:id|key|color|index|delay|position|size|width|height|offset|opacity|rotation|animation|random(?!.*(?:token|secret|key|password)))\s*[:=]\s*.*Math\.random/i;
+    for (const rm3 of rawMatches) {
+      const lineText = content.split("\n")[rm3.line - 1] || "";
+      if (nonSecurityVarNames.test(lineText)) continue;
+      matches.push(rm3);
+    }
     return matches;
   }
 };
@@ -1380,14 +1394,17 @@ var missingErrorBoundary = {
   category: "Configuration",
   description: "React apps without error boundaries display raw stack traces and component tree info to users when crashes occur, leaking internal details.",
   check(content, filePath) {
-    if (!filePath.match(/(?:layout|_app|main|index)\.[jt]sx?$/) || filePath.match(/App\.[jt]sx?$/)) return [];
+    const basename = filePath.split("/").pop() || "";
+    if (!/^[Aa]pp\.[jt]sx$/i.test(basename)) return [];
+    if (filePath.match(/\.ts$/)) return [];
+    if (!/<[A-Z]/.test(content)) return [];
     if (/(?:BrowserWindow|electron|ipcMain|app\.on\s*\(\s*["']ready)/i.test(content)) return [];
-    if (/(?:main\/main|main\.ts$|main\.js$)/.test(filePath) && /(?:electron|BrowserWindow)/i.test(content)) return [];
+    if (/\/main\//.test(filePath) && !/react-dom|createRoot/i.test(content)) return [];
     if (!/(?:import.*react|from\s+['"]react|require.*react)/i.test(content)) return [];
-    if (!/(?:React|react-dom|createRoot|ReactDOM|jsx|tsx)/i.test(content)) return [];
+    if (!/(?:createRoot|ReactDOM\.render)/i.test(content)) return [];
     const hasErrorBoundary = /ErrorBoundary|componentDidCatch|getDerivedStateFromError|error-boundary/i.test(content);
     if (hasErrorBoundary) return [];
-    if (/createRoot|ReactDOM\.render|<[A-Z]/i.test(content)) {
+    if (/createRoot|ReactDOM\.render/i.test(content)) {
       return [{
         rule: "VC036",
         title: missingErrorBoundary.title,
@@ -1517,13 +1534,23 @@ var ssrfVulnerability = {
     const hasValidation = /allowedHosts|allowedDomains|allowedUrls|safeDomain|whitelist|urlValidator|new URL.*hostname.*includes|isAllowedUrl|validateUrl|isValidUrl/i.test(content);
     if (hasValidation) return [];
     for (const p of patterns) {
-      matches.push(...findMatches(
+      const rawMatches = findMatches(
         content,
         p,
         ssrfVulnerability,
         filePath,
         () => "Validate URLs against an allowlist before fetching. Block internal IPs: 127.0.0.1, 10.x, 172.16-31.x, 192.168.x, 169.254.169.254 (cloud metadata). Use: const url = new URL(input); if (!ALLOWED_HOSTS.includes(url.hostname)) throw new Error('Blocked');"
-      ));
+      );
+      for (const rm3 of rawMatches) {
+        const lineText = content.split("\n")[rm3.line - 1] || "";
+        const varMatch = lineText.match(/(?:fetch|axios\.\w+|got|request|https?\.get)\s*\(\s*(\w+)/);
+        if (varMatch) {
+          const varName = varMatch[1];
+          const constDef = new RegExp(`const\\s+${varName}\\s*=\\s*["'\`]https?://`, "i");
+          if (constDef.test(content)) continue;
+        }
+        matches.push(rm3);
+      }
     }
     return matches;
   }
@@ -1630,13 +1657,21 @@ var weakPasswordRequirements = {
     if (hasValidation) return [];
     const hasPasswordHandling = /(?:password|pwd)\s*[:=]\s*(?:req\.body|body|input|params|args)\./i.test(content);
     if (!hasPasswordHandling) return [];
-    return findMatches(
+    const rawMatches = findMatches(
       content,
       /(?:password|pwd)\s*[:=]\s*(?:req\.body|body|input|params|args)\./gi,
       weakPasswordRequirements,
       filePath,
       () => "Enforce minimum password requirements: at least 8 characters, mix of letters/numbers/symbols. Use a library like zxcvbn for strength estimation."
     );
+    const lines = content.split("\n");
+    const validationPattern = /\.length|minLength|minlength|min_length|match|test|regex|pattern|validate|schema|zxcvbn|isStrongPassword/i;
+    return rawMatches.filter((rm3) => {
+      const start = Math.max(0, rm3.line - 1 - 10);
+      const end = Math.min(lines.length, rm3.line - 1 + 10);
+      const nearby = lines.slice(start, end).join("\n");
+      return !validationPattern.test(nearby);
+    });
   }
 };
 var sessionFixation = {
@@ -1867,6 +1902,7 @@ var sensitiveLocalStorage = {
   check(content, filePath) {
     if (!filePath.match(/\.(jsx?|tsx?|vue|svelte)$/)) return [];
     if (isTestFile(filePath)) return [];
+    if (/mock|spec/i.test(filePath)) return [];
     if (!/localStorage\.setItem|localStorage\[/i.test(content)) return [];
     const matches = [];
     const patterns = [
@@ -3132,7 +3168,547 @@ var complianceMap = {
   VC095: { owasp: "A05:2021", cwe: "CWE-942" },
   VC096: { owasp: "A02:2021", cwe: "CWE-319" }
 };
-var allRules = [
+var consoleLogProduction = {
+  id: "VC097",
+  title: "Console.log Left in Production Code",
+  severity: "medium",
+  category: "Performance",
+  description: "console.log statements left in production code can leak sensitive data, slow down rendering, and clutter browser consoles.",
+  check(content, filePath) {
+    if (filePath.match(/test|spec|mock|__tests__|fixture|\.test\.|\.spec\./i)) return [];
+    if (!/console\.log\s*\(/g.test(content)) return [];
+    const lines = content.split("\n");
+    const matches = [];
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i].trim();
+      if (/console\.log\s*\(/.test(line) && !line.startsWith("//") && !line.startsWith("*") && !/if\s*\(\s*(?:debug|process\.env)/i.test(lines[Math.max(0, i - 1)] + line)) {
+        matches.push({ rule: "VC097", title: consoleLogProduction.title, severity: "medium", category: "Performance", file: filePath, line: i + 1, snippet: getSnippet(content, i + 1), fix: "Remove console.log or use a logger that can be disabled in production." });
+      }
+    }
+    return matches.slice(0, 3);
+  }
+};
+var syncFileOps = {
+  id: "VC098",
+  title: "Synchronous File Operations",
+  severity: "medium",
+  category: "Performance",
+  description: "Synchronous file operations (readFileSync, writeFileSync) block the event loop, causing all other requests to wait.",
+  check(content, filePath) {
+    if (filePath.match(/test|spec|mock|__tests__|fixture|config|\.config\./i)) return [];
+    return findMatches(
+      content,
+      /(?:readFileSync|writeFileSync|appendFileSync|mkdirSync|rmdirSync|statSync)\s*\(/g,
+      syncFileOps,
+      filePath,
+      () => "Use async file operations (readFile, writeFile) to avoid blocking the event loop."
+    );
+  }
+};
+var eventListenerLeak = {
+  id: "VC099",
+  title: "Memory Leak: Event Listener Not Cleaned Up",
+  severity: "high",
+  category: "Performance",
+  description: "Adding event listeners in React useEffect without a cleanup function causes memory leaks as listeners accumulate on re-renders.",
+  check(content, filePath) {
+    if (!filePath.match(/\.(jsx|tsx)$/)) return [];
+    if (!/addEventListener/i.test(content)) return [];
+    if (/removeEventListener/i.test(content)) return [];
+    if (!/useEffect/i.test(content)) return [];
+    return findMatches(
+      content,
+      /addEventListener\s*\(/g,
+      eventListenerLeak,
+      filePath,
+      () => "Return a cleanup function from useEffect: useEffect(() => { window.addEventListener('resize', fn); return () => window.removeEventListener('resize', fn); }, []);"
+    );
+  }
+};
+var nPlusOneQuery = {
+  id: "VC100",
+  title: "N+1 Query Pattern Detected",
+  severity: "medium",
+  category: "Performance",
+  description: "Database queries inside loops cause N+1 performance problems \u2014 one query per iteration instead of a single batch query.",
+  check(content, filePath) {
+    if (filePath.match(/test|spec|mock/i)) return [];
+    const hasLoopWithQuery = /(?:for\s*\(|\.forEach\s*\(|\.map\s*\(|while\s*\()[^}]*(?:\.find\(|\.findOne\(|\.findById\(|\.query\(|\.execute\(|SELECT\s)/is.test(content);
+    if (!hasLoopWithQuery) return [];
+    return findMatches(
+      content,
+      /(?:for\s*\(|\.forEach\s*\(|\.map\s*\(|while\s*\()/g,
+      nPlusOneQuery,
+      filePath,
+      () => "Fetch all data in a single query using WHERE IN, JOIN, or batch operations instead of querying per item in a loop."
+    ).slice(0, 2);
+  }
+};
+var largeBundleImport = {
+  id: "VC101",
+  title: "Importing Entire Library (Large Bundle)",
+  severity: "medium",
+  category: "Performance",
+  description: "Importing entire libraries like lodash or moment.js adds hundreds of KB to your bundle. Import only the functions you need.",
+  check(content, filePath) {
+    if (!filePath.match(/\.(jsx?|tsx?)$/)) return [];
+    const matches = [];
+    const patterns = [
+      /import\s+_\s+from\s+['"]lodash['"]/g,
+      /import\s+\*\s+as\s+_\s+from\s+['"]lodash['"]/g,
+      /import\s+moment\s+from\s+['"]moment['"]/g,
+      /const\s+_\s*=\s*require\s*\(\s*['"]lodash['"]\s*\)/g,
+      /const\s+moment\s*=\s*require\s*\(\s*['"]moment['"]\s*\)/g
+    ];
+    for (const p of patterns) {
+      matches.push(...findMatches(
+        content,
+        p,
+        largeBundleImport,
+        filePath,
+        () => "Import only what you need: import { debounce } from 'lodash/debounce'. Or switch to lighter alternatives like date-fns instead of moment."
+      ));
+    }
+    return matches;
+  }
+};
+var blockingMainThread = {
+  id: "VC102",
+  title: "Blocking Main Thread with Heavy Computation",
+  severity: "medium",
+  category: "Performance",
+  description: "Infinite loops or deeply nested iterations on the main thread freeze the UI and cause unresponsiveness.",
+  check(content, filePath) {
+    if (filePath.match(/worker|test|spec|mock/i)) return [];
+    const matches = [];
+    if (/while\s*\(\s*true\s*\)/g.test(content)) {
+      matches.push(...findMatches(
+        content,
+        /while\s*\(\s*true\s*\)/g,
+        blockingMainThread,
+        filePath,
+        () => "Avoid while(true) on the main thread. Use Web Workers for heavy computation or requestIdleCallback for non-urgent work."
+      ));
+    }
+    return matches;
+  }
+};
+var todoLeftInCode = {
+  id: "VC103",
+  title: "TODO/FIXME Left in Code",
+  severity: "low",
+  category: "Code Quality",
+  description: "TODO, FIXME, HACK, and XXX comments indicate unfinished work that should be resolved before shipping to production.",
+  check(content, filePath) {
+    if (filePath.match(/test|spec|mock|__tests__|fixture|node_modules/i)) return [];
+    return findMatches(
+      content,
+      /\/\/\s*(?:TODO|FIXME|HACK|XXX)\b/gi,
+      todoLeftInCode,
+      filePath,
+      () => "Resolve TODO/FIXME comments before shipping. If it's intentional tech debt, track it in your issue tracker instead."
+    ).slice(0, 5);
+  }
+};
+var emptyCatchBlock = {
+  id: "VC104",
+  title: "Empty Catch Block",
+  severity: "medium",
+  category: "Code Quality",
+  description: "Empty catch blocks silently swallow errors, making bugs impossible to diagnose. At minimum, log the error.",
+  check(content, filePath) {
+    if (filePath.match(/test|spec|mock/i)) return [];
+    return findMatches(
+      content,
+      /catch\s*(?:\([^)]*\))?\s*\{\s*\}/g,
+      emptyCatchBlock,
+      filePath,
+      () => "Handle errors in catch blocks: catch(err) { console.error('Operation failed:', err); } or re-throw if appropriate."
+    );
+  }
+};
+var callbackHell = {
+  id: "VC105",
+  title: "Deeply Nested Callbacks (Promise Chain)",
+  severity: "medium",
+  category: "Code Quality",
+  description: "Long .then() chains or deeply nested callbacks are hard to read, debug, and maintain. Refactor to async/await.",
+  check(content, filePath) {
+    if (filePath.match(/test|spec|mock/i)) return [];
+    return findMatches(
+      content,
+      /\.then\s*\([^)]*\)\s*\.then\s*\([^)]*\)\s*\.then/g,
+      callbackHell,
+      filePath,
+      () => "Refactor .then() chains to async/await for cleaner, more readable code."
+    );
+  }
+};
+var magicNumbers = {
+  id: "VC106",
+  title: "Magic Numbers in Code",
+  severity: "low",
+  category: "Code Quality",
+  description: "Unnamed numeric constants in conditions or calculations make code hard to understand. Extract them into named constants.",
+  check(content, filePath) {
+    if (filePath.match(/test|spec|mock|config|\.config\.|constant|enum|migration/i)) return [];
+    if (!filePath.match(/\.(jsx?|tsx?)$/)) return [];
+    const matches = [];
+    const lines = content.split("\n");
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i].trim();
+      if (line.startsWith("//") || line.startsWith("*")) continue;
+      if (/(?:===|!==|>=?|<=?)\s*\d{3,}/.test(line) || /(?:setTimeout|setInterval)\s*\([^,]+,\s*\d{4,}/.test(line)) {
+        matches.push({ rule: "VC106", title: magicNumbers.title, severity: "low", category: "Code Quality", file: filePath, line: i + 1, snippet: getSnippet(content, i + 1), fix: "Extract magic numbers into named constants: const MAX_RETRIES = 3; const TIMEOUT_MS = 5000;" });
+      }
+    }
+    return matches.slice(0, 3);
+  }
+};
+var s3BucketNoEncryption = {
+  id: "VC107",
+  title: "S3 Bucket Without Encryption",
+  severity: "high",
+  category: "Infrastructure",
+  description: "AWS S3 buckets without server-side encryption leave data at rest unprotected. Enable encryption to protect sensitive data.",
+  check(content, filePath) {
+    if (!filePath.match(/\.tf$/)) return [];
+    if (!/resource\s+"aws_s3_bucket"/.test(content)) return [];
+    const matches = [];
+    const bucketPattern = /resource\s+"aws_s3_bucket"\s+"(\w+)"/g;
+    let m;
+    while ((m = bucketPattern.exec(content)) !== null) {
+      if (isCommentLine(content, m.index)) continue;
+      const blockEnd = Math.min(m.index + 2e3, content.length);
+      const blockContent = content.substring(m.index, blockEnd);
+      if (!/server_side_encryption/.test(blockContent)) {
+        const lineNum = content.substring(0, m.index).split("\n").length;
+        matches.push({
+          rule: "VC107",
+          title: s3BucketNoEncryption.title,
+          severity: "high",
+          category: "Infrastructure",
+          file: filePath,
+          line: lineNum,
+          snippet: getSnippet(content, lineNum),
+          fix: "Enable S3 bucket encryption: server_side_encryption_configuration { rule { apply_server_side_encryption_by_default { sse_algorithm = 'aws:kms' } } }"
+        });
+      }
+    }
+    return matches;
+  }
+};
+var securityGroupAllInbound = {
+  id: "VC108",
+  title: "Security Group Allows All Inbound",
+  severity: "critical",
+  category: "Infrastructure",
+  description: "Security groups allowing all inbound traffic (0.0.0.0/0 on all ports) expose resources to the entire internet.",
+  check(content, filePath) {
+    if (!filePath.match(/\.(tf|json|yaml|yml)$/)) return [];
+    const matches = [];
+    if (filePath.match(/\.tf$/)) {
+      const ingressPattern = /ingress\s*\{[^}]*cidr_blocks\s*=\s*\[\s*"0\.0\.0\.0\/0"\s*\][^}]*\}/gs;
+      let m;
+      while ((m = ingressPattern.exec(content)) !== null) {
+        if (isCommentLine(content, m.index)) continue;
+        if (/from_port\s*=\s*0/.test(m[0]) || !/from_port/.test(m[0])) {
+          const lineNum = content.substring(0, m.index).split("\n").length;
+          matches.push({
+            rule: "VC108",
+            title: securityGroupAllInbound.title,
+            severity: "critical",
+            category: "Infrastructure",
+            file: filePath,
+            line: lineNum,
+            snippet: getSnippet(content, lineNum),
+            fix: "Restrict security group ingress to specific IP ranges and ports."
+          });
+        }
+      }
+    }
+    if (filePath.match(/\.(json|yaml|yml)$/)) {
+      const cfnPattern = /AWS::EC2::SecurityGroup/g;
+      if (cfnPattern.test(content) && /CidrIp\s*:\s*["']?0\.0\.0\.0\/0/.test(content)) {
+        matches.push(...findMatches(
+          content,
+          /CidrIp\s*:\s*["']?0\.0\.0\.0\/0/g,
+          securityGroupAllInbound,
+          filePath,
+          () => "Restrict security group ingress to specific IP ranges and ports."
+        ));
+      }
+    }
+    return matches;
+  }
+};
+var rdsPubliclyAccessible = {
+  id: "VC109",
+  title: "RDS Instance Publicly Accessible",
+  severity: "critical",
+  category: "Infrastructure",
+  description: "RDS instances with publicly_accessible = true are exposed to the internet, risking unauthorized database access.",
+  check(content, filePath) {
+    if (!filePath.match(/\.tf$/)) return [];
+    if (!/resource\s+"aws_db_instance"/.test(content)) return [];
+    return findMatches(
+      content,
+      /publicly_accessible\s*=\s*true/g,
+      rdsPubliclyAccessible,
+      filePath,
+      () => "Set publicly_accessible = false. Access RDS through VPC private subnets."
+    );
+  }
+};
+var missingCloudTrail = {
+  id: "VC110",
+  title: "Missing CloudTrail Logging",
+  severity: "high",
+  category: "Infrastructure",
+  description: "AWS environments without CloudTrail lack audit logging of API calls, making it difficult to detect unauthorized activity.",
+  check(content, filePath) {
+    if (!filePath.match(/\.tf$/)) return [];
+    if (!/provider\s+"aws"/.test(content)) return [];
+    if (/aws_cloudtrail/.test(content)) return [];
+    const lineNum = content.substring(0, content.search(/provider\s+"aws"/)).split("\n").length;
+    return [{
+      rule: "VC110",
+      title: missingCloudTrail.title,
+      severity: "high",
+      category: "Infrastructure",
+      file: filePath,
+      line: lineNum,
+      snippet: getSnippet(content, lineNum),
+      fix: "Enable CloudTrail for audit logging of all AWS API calls."
+    }];
+  }
+};
+var lambdaWithoutVPC = {
+  id: "VC111",
+  title: "Lambda Without VPC",
+  severity: "medium",
+  category: "Infrastructure",
+  description: "Lambda functions not placed in a VPC lack network isolation and cannot access VPC-only resources securely.",
+  check(content, filePath) {
+    if (!filePath.match(/\.tf$/)) return [];
+    if (!/resource\s+"aws_lambda_function"/.test(content)) return [];
+    const matches = [];
+    const lambdaPattern = /resource\s+"aws_lambda_function"\s+"(\w+)"/g;
+    let m;
+    while ((m = lambdaPattern.exec(content)) !== null) {
+      if (isCommentLine(content, m.index)) continue;
+      const blockEnd = Math.min(m.index + 2e3, content.length);
+      const blockContent = content.substring(m.index, blockEnd);
+      if (!/vpc_config\s*\{/.test(blockContent)) {
+        const lineNum = content.substring(0, m.index).split("\n").length;
+        matches.push({
+          rule: "VC111",
+          title: lambdaWithoutVPC.title,
+          severity: "medium",
+          category: "Infrastructure",
+          file: filePath,
+          line: lineNum,
+          snippet: getSnippet(content, lineNum),
+          fix: "Place Lambda functions in a VPC for network isolation."
+        });
+      }
+    }
+    return matches;
+  }
+};
+var dockerLatestTag = {
+  id: "VC112",
+  title: "Docker Image Using Latest Tag",
+  severity: "high",
+  category: "Configuration",
+  description: "Using :latest or no tag in Docker FROM directives leads to non-reproducible builds and potential security regressions.",
+  check(content, filePath) {
+    if (!filePath.match(/Dockerfile$/i)) return [];
+    const matches = [];
+    const fromPattern = /^FROM\s+(?!scratch)(\S+?)(?:\s+AS\s+\S+)?\s*$/gm;
+    let m;
+    while ((m = fromPattern.exec(content)) !== null) {
+      const image = m[1];
+      if (image.endsWith(":latest") || !image.includes(":") && !image.startsWith("$")) {
+        const lineNum = content.substring(0, m.index).split("\n").length;
+        matches.push({
+          rule: "VC112",
+          title: dockerLatestTag.title,
+          severity: "high",
+          category: "Configuration",
+          file: filePath,
+          line: lineNum,
+          snippet: getSnippet(content, lineNum),
+          fix: "Pin Docker image versions: FROM node:20-alpine instead of FROM node:latest"
+        });
+      }
+    }
+    return matches;
+  }
+};
+var dockerCopySensitive = {
+  id: "VC113",
+  title: "Docker COPY With Sensitive Files",
+  severity: "high",
+  category: "Configuration",
+  description: "Using COPY . . or ADD . . without a .dockerignore can leak .env files, .git history, and other sensitive data into the Docker image.",
+  check(content, filePath) {
+    if (!filePath.match(/Dockerfile$/i)) return [];
+    if (!/(?:COPY|ADD)\s+\.\s+\./.test(content)) return [];
+    return findMatches(
+      content,
+      /(?:COPY|ADD)\s+\.\s+\./g,
+      dockerCopySensitive,
+      filePath,
+      () => "Use .dockerignore to exclude .env, .git, node_modules, and sensitive files from the Docker build context."
+    );
+  }
+};
+var dockerTooManyPorts = {
+  id: "VC114",
+  title: "Docker Exposing Too Many Ports",
+  severity: "medium",
+  category: "Configuration",
+  description: "Exposing many ports or wide port ranges increases the attack surface of a container.",
+  check(content, filePath) {
+    if (!filePath.match(/Dockerfile$/i)) return [];
+    const matches = [];
+    const rangePattern = /^EXPOSE\s+\d+-\d+/gm;
+    matches.push(...findMatches(
+      content,
+      rangePattern,
+      dockerTooManyPorts,
+      filePath,
+      () => "Only expose necessary ports. Each EXPOSE should have a clear purpose."
+    ));
+    const exposeLines = content.split("\n").filter((l) => /^\s*EXPOSE\s+/.test(l));
+    if (exposeLines.length > 3) {
+      const firstExpose = content.search(/^\s*EXPOSE\s+/m);
+      if (firstExpose >= 0) {
+        const lineNum = content.substring(0, firstExpose).split("\n").length;
+        matches.push({
+          rule: "VC114",
+          title: dockerTooManyPorts.title,
+          severity: "medium",
+          category: "Configuration",
+          file: filePath,
+          line: lineNum,
+          snippet: getSnippet(content, lineNum),
+          fix: "Only expose necessary ports. Each EXPOSE should have a clear purpose."
+        });
+      }
+    }
+    return matches;
+  }
+};
+var k8sSecretNotEncrypted = {
+  id: "VC115",
+  title: "Kubernetes Secret Not Encrypted",
+  severity: "high",
+  category: "Infrastructure",
+  description: "Kubernetes Secrets stored as plain base64 in manifests are not encrypted and can be trivially decoded. Use sealed-secrets or external-secrets.",
+  check(content, filePath) {
+    if (!filePath.match(/\.(yaml|yml)$/)) return [];
+    if (!/kind\s*:\s*Secret/i.test(content)) return [];
+    if (/sealedsecrets\.bitnami\.com|external-secrets\.io/i.test(content)) return [];
+    return findMatches(
+      content,
+      /kind\s*:\s*Secret/g,
+      k8sSecretNotEncrypted,
+      filePath,
+      () => "Use sealed-secrets or external-secrets-operator. Never store plain secrets in manifests."
+    );
+  }
+};
+var k8sNoResourceLimits = {
+  id: "VC116",
+  title: "Kubernetes Pod Without Resource Limits",
+  severity: "medium",
+  category: "Infrastructure",
+  description: "Pods or deployments without resource limits can consume excessive CPU/memory, causing cluster instability.",
+  check(content, filePath) {
+    if (!filePath.match(/\.(yaml|yml)$/)) return [];
+    if (!/kind\s*:\s*(?:Pod|Deployment|StatefulSet|DaemonSet|Job|CronJob)/i.test(content)) return [];
+    if (/resources\s*:\s*\n\s+limits\s*:/m.test(content)) return [];
+    if (/resources\s*:.*limits/i.test(content)) return [];
+    const kindMatch = content.match(/kind\s*:\s*(?:Pod|Deployment|StatefulSet|DaemonSet|Job|CronJob)/i);
+    if (!kindMatch) return [];
+    const lineNum = content.substring(0, kindMatch.index).split("\n").length;
+    return [{
+      rule: "VC116",
+      title: k8sNoResourceLimits.title,
+      severity: "medium",
+      category: "Infrastructure",
+      file: filePath,
+      line: lineNum,
+      snippet: getSnippet(content, lineNum),
+      fix: "Set resource limits to prevent pods from consuming excessive CPU/memory."
+    }];
+  }
+};
+var freeRules = [
+  hardcodedSecrets,
+  // VC001
+  exposedEnvFile,
+  // VC002
+  missingAuthMiddleware,
+  // VC003
+  supabaseNoRLS,
+  // VC004
+  stripeWebhookUnprotected,
+  // VC005
+  sqlInjection,
+  // VC006
+  xssVulnerability,
+  // VC007
+  noRateLimiting,
+  // VC008
+  corsWildcard,
+  // VC009
+  clientSideAuth,
+  // VC010
+  nextPublicSecret,
+  // VC011
+  envNotGitignored,
+  // VC014
+  evalUsage,
+  // VC015
+  unvalidatedRedirect,
+  // VC016
+  insecureCookies,
+  // VC017
+  exposedAuthSecret,
+  // VC018
+  missingCSP,
+  // VC020
+  hardcodedJWTSecret,
+  // VC031
+  missingHTTPS,
+  // VC032
+  exposedDebugMode,
+  // VC033
+  insecureRandomness,
+  // VC034
+  missingErrorBoundary,
+  // VC036
+  exposedStackTraces,
+  // VC037
+  missingLockFile,
+  // VC039
+  dangerousInnerHTML,
+  // VC063
+  consoleLogProduction,
+  // VC097
+  emptyCatchBlock,
+  // VC104
+  todoLeftInCode,
+  // VC103
+  weakHashing,
+  // VC060
+  disabledTLSVerification
+  // VC061
+];
+var proRules = [
   hardcodedSecrets,
   exposedEnvFile,
   missingAuthMiddleware,
@@ -3228,14 +3804,35 @@ var allRules = [
   unprotectedDownload,
   commandInjection,
   corsLocalhost,
-  insecureGRPC
+  insecureGRPC,
+  consoleLogProduction,
+  syncFileOps,
+  eventListenerLeak,
+  nPlusOneQuery,
+  largeBundleImport,
+  blockingMainThread,
+  todoLeftInCode,
+  emptyCatchBlock,
+  callbackHell,
+  magicNumbers,
+  s3BucketNoEncryption,
+  securityGroupAllInbound,
+  rdsPubliclyAccessible,
+  missingCloudTrail,
+  lambdaWithoutVPC,
+  dockerLatestTag,
+  dockerCopySensitive,
+  dockerTooManyPorts,
+  k8sSecretNotEncrypted,
+  k8sNoResourceLimits
 ];
-function runCustomRules(content, filePath, disabledRules = []) {
+function runCustomRules(content, filePath, disabledRules = [], tier = "free") {
   const findings = [];
   if (/function runScan\(files\)|export function runCustomRules/.test(content) && /const (?:rules|allRules)\s*[:=]/.test(content) && /findMatches/.test(content)) {
     return findings;
   }
-  for (const rule of allRules) {
+  const ruleset = tier === "pro" ? proRules : freeRules;
+  for (const rule of ruleset) {
     if (disabledRules.includes(rule.id)) continue;
     const matches = rule.check(content, filePath);
     const compliance = complianceMap[rule.id];
@@ -4060,9 +4657,19 @@ var SAFE_PATTERNS = [
   // DOCTYPE/DTD URLs
   /DTD|DOCTYPE|w3\.org|apple\.com\/DTDs/i,
   // XML namespaces
-  /xmlns|schema|xsd|xsi/i
+  /xmlns|schema|xsd|xsi/i,
+  // npm/package registry URLs
+  /^https?:\/\/registry\.npmjs\.org\//,
+  /^https?:\/\/registry\.yarnpkg\.com\//,
+  // Package integrity hashes (sha512-..., sha256-...)
+  /^sha\d+-[A-Za-z0-9+/=]+$/,
+  // Resolved package URLs (.tgz)
+  /\.tgz$/,
+  // npm resolved URLs (any registry URL with package tarball)
+  /registry.*\/-\/.*\.tgz$/
 ];
 var SKIP_FILES = /\.(css|scss|less|svg|md|txt|html?|xml|yml|yaml|toml|lock|map|woff2?|ttf|eot|ico|png|jpg|gif|webp)$/i;
+var SKIP_FILENAMES = /(?:package-lock\.json|pnpm-lock\.yaml|yarn\.lock|composer\.lock|Gemfile\.lock|Cargo\.lock|poetry\.lock|Pipfile\.lock|shrinkwrap\.json)$/i;
 var SAFE_VAR_NAMES = /(?:description|message|text|label|title|content|template|html|svg|css|style|class|query|mutation|schema|regex|pattern|format|placeholder|comment|url|path|route|endpoint|href|src|alt|name|type|version|encoding|charset)/i;
 function getSnippet3(content, line) {
   const lines = content.split("\n");
@@ -4078,6 +4685,7 @@ function scanEntropy(files) {
   const findings = [];
   for (const { path: filePath, content } of files) {
     if (SKIP_FILES.test(filePath)) continue;
+    if (SKIP_FILENAMES.test(filePath)) continue;
     if (filePath.includes("node_modules")) continue;
     if (filePath.includes(".min.")) continue;
     if (/(?:\.test\.|\.spec\.|__tests__|__mocks__|fixtures?\/)/i.test(filePath)) continue;