xploitscan 0.5.0 → 0.7.0

package/dist/index.js

@@ -1,6 +1,5 @@
 #!/usr/bin/env node
 import {
-  __require,
   checkUsage,
   clearToken,
   getStoredToken,
@@ -9,7 +8,7 @@ import {
   storeToken,
   syncUser,
   uploadScanResults
-} from "./chunk-47X3TUVR.js";
+} from "./chunk-CBDFSACC.js";
 
 // src/index.ts
 import { Command } from "commander";
@@ -3166,7 +3165,42 @@ var complianceMap = {
   VC093: { owasp: "A01:2021", cwe: "CWE-22" },
   VC094: { owasp: "A03:2021", cwe: "CWE-78" },
   VC095: { owasp: "A05:2021", cwe: "CWE-942" },
-  VC096: { owasp: "A02:2021", cwe: "CWE-319" }
+  VC096: { owasp: "A02:2021", cwe: "CWE-319" },
+  VC097: { owasp: "A09:2021", cwe: "CWE-532" },
+  VC098: { owasp: "A04:2021", cwe: "CWE-400" },
+  VC099: { owasp: "A04:2021", cwe: "CWE-401" },
+  VC100: { owasp: "A04:2021", cwe: "CWE-400" },
+  VC101: { owasp: "A04:2021", cwe: "CWE-400" },
+  VC102: { owasp: "A04:2021", cwe: "CWE-400" },
+  VC103: { owasp: "A04:2021", cwe: "CWE-710" },
+  VC104: { owasp: "A04:2021", cwe: "CWE-390" },
+  VC105: { owasp: "A04:2021", cwe: "CWE-710" },
+  VC106: { owasp: "A04:2021", cwe: "CWE-710" },
+  VC107: { owasp: "A02:2021", cwe: "CWE-311" },
+  VC108: { owasp: "A01:2021", cwe: "CWE-284" },
+  VC109: { owasp: "A01:2021", cwe: "CWE-284" },
+  VC110: { owasp: "A09:2021", cwe: "CWE-778" },
+  VC111: { owasp: "A05:2021", cwe: "CWE-16" },
+  VC112: { owasp: "A06:2021", cwe: "CWE-1104" },
+  VC113: { owasp: "A05:2021", cwe: "CWE-200" },
+  VC114: { owasp: "A05:2021", cwe: "CWE-16" },
+  VC115: { owasp: "A02:2021", cwe: "CWE-311" },
+  VC116: { owasp: "A05:2021", cwe: "CWE-770" },
+  VC117: { owasp: "A03:2021", cwe: "CWE-22" },
+  VC118: { owasp: "A09:2021", cwe: "CWE-532" },
+  VC119: { owasp: "A07:2021", cwe: "CWE-798" },
+  VC120: { owasp: "A07:2021", cwe: "CWE-352" },
+  VC121: { owasp: "A06:2021", cwe: "CWE-1104" },
+  VC122: { owasp: "A02:2021", cwe: "CWE-326" },
+  VC123: { owasp: "A02:2021", cwe: "CWE-326" },
+  VC124: { owasp: "A02:2021", cwe: "CWE-327" },
+  VC125: { owasp: "A07:2021", cwe: "CWE-640" },
+  VC126: { owasp: "A05:2021", cwe: "CWE-200" },
+  VC127: { owasp: "A01:2021", cwe: "CWE-862" },
+  VC128: { owasp: "A05:2021", cwe: "CWE-444" },
+  VC129: { owasp: "A02:2021", cwe: "CWE-311" },
+  VC130: { owasp: "A07:2021", cwe: "CWE-307" },
+  VC131: { owasp: "A06:2021", cwe: "CWE-1104" }
 };
 var consoleLogProduction = {
   id: "VC097",
@@ -3365,7 +3399,870 @@ var magicNumbers = {
     return matches.slice(0, 3);
   }
 };
-var allRules = [
+var s3BucketNoEncryption = {
+  id: "VC107",
+  title: "S3 Bucket Without Encryption",
+  severity: "high",
+  category: "Infrastructure",
+  description: "AWS S3 buckets without server-side encryption leave data at rest unprotected. Enable encryption to protect sensitive data.",
+  check(content, filePath) {
+    if (!filePath.match(/\.tf$/)) return [];
+    if (!/resource\s+"aws_s3_bucket"/.test(content)) return [];
+    const matches = [];
+    const bucketPattern = /resource\s+"aws_s3_bucket"\s+"(\w+)"/g;
+    let m;
+    while ((m = bucketPattern.exec(content)) !== null) {
+      if (isCommentLine(content, m.index)) continue;
+      const blockEnd = Math.min(m.index + 2e3, content.length);
+      const blockContent = content.substring(m.index, blockEnd);
+      if (!/server_side_encryption/.test(blockContent)) {
+        const lineNum = content.substring(0, m.index).split("\n").length;
+        matches.push({
+          rule: "VC107",
+          title: s3BucketNoEncryption.title,
+          severity: "high",
+          category: "Infrastructure",
+          file: filePath,
+          line: lineNum,
+          snippet: getSnippet(content, lineNum),
+          fix: "Enable S3 bucket encryption: server_side_encryption_configuration { rule { apply_server_side_encryption_by_default { sse_algorithm = 'aws:kms' } } }"
+        });
+      }
+    }
+    return matches;
+  }
+};
+var securityGroupAllInbound = {
+  id: "VC108",
+  title: "Security Group Allows All Inbound",
+  severity: "critical",
+  category: "Infrastructure",
+  description: "Security groups allowing all inbound traffic (0.0.0.0/0 on all ports) expose resources to the entire internet.",
+  check(content, filePath) {
+    if (!filePath.match(/\.(tf|json|yaml|yml)$/)) return [];
+    const matches = [];
+    if (filePath.match(/\.tf$/)) {
+      const ingressPattern = /ingress\s*\{[^}]*cidr_blocks\s*=\s*\[\s*"0\.0\.0\.0\/0"\s*\][^}]*\}/gs;
+      let m;
+      while ((m = ingressPattern.exec(content)) !== null) {
+        if (isCommentLine(content, m.index)) continue;
+        if (/from_port\s*=\s*0/.test(m[0]) || !/from_port/.test(m[0])) {
+          const lineNum = content.substring(0, m.index).split("\n").length;
+          matches.push({
+            rule: "VC108",
+            title: securityGroupAllInbound.title,
+            severity: "critical",
+            category: "Infrastructure",
+            file: filePath,
+            line: lineNum,
+            snippet: getSnippet(content, lineNum),
+            fix: "Restrict security group ingress to specific IP ranges and ports."
+          });
+        }
+      }
+    }
+    if (filePath.match(/\.(json|yaml|yml)$/)) {
+      const cfnPattern = /AWS::EC2::SecurityGroup/g;
+      if (cfnPattern.test(content) && /CidrIp\s*:\s*["']?0\.0\.0\.0\/0/.test(content)) {
+        matches.push(...findMatches(
+          content,
+          /CidrIp\s*:\s*["']?0\.0\.0\.0\/0/g,
+          securityGroupAllInbound,
+          filePath,
+          () => "Restrict security group ingress to specific IP ranges and ports."
+        ));
+      }
+    }
+    return matches;
+  }
+};
+var rdsPubliclyAccessible = {
+  id: "VC109",
+  title: "RDS Instance Publicly Accessible",
+  severity: "critical",
+  category: "Infrastructure",
+  description: "RDS instances with publicly_accessible = true are exposed to the internet, risking unauthorized database access.",
+  check(content, filePath) {
+    if (!filePath.match(/\.tf$/)) return [];
+    if (!/resource\s+"aws_db_instance"/.test(content)) return [];
+    return findMatches(
+      content,
+      /publicly_accessible\s*=\s*true/g,
+      rdsPubliclyAccessible,
+      filePath,
+      () => "Set publicly_accessible = false. Access RDS through VPC private subnets."
+    );
+  }
+};
+var missingCloudTrail = {
+  id: "VC110",
+  title: "Missing CloudTrail Logging",
+  severity: "high",
+  category: "Infrastructure",
+  description: "AWS environments without CloudTrail lack audit logging of API calls, making it difficult to detect unauthorized activity.",
+  check(content, filePath) {
+    if (!filePath.match(/\.tf$/)) return [];
+    if (!/provider\s+"aws"/.test(content)) return [];
+    if (/aws_cloudtrail/.test(content)) return [];
+    const lineNum = content.substring(0, content.search(/provider\s+"aws"/)).split("\n").length;
+    return [{
+      rule: "VC110",
+      title: missingCloudTrail.title,
+      severity: "high",
+      category: "Infrastructure",
+      file: filePath,
+      line: lineNum,
+      snippet: getSnippet(content, lineNum),
+      fix: "Enable CloudTrail for audit logging of all AWS API calls."
+    }];
+  }
+};
+var lambdaWithoutVPC = {
+  id: "VC111",
+  title: "Lambda Without VPC",
+  severity: "medium",
+  category: "Infrastructure",
+  description: "Lambda functions not placed in a VPC lack network isolation and cannot access VPC-only resources securely.",
+  check(content, filePath) {
+    if (!filePath.match(/\.tf$/)) return [];
+    if (!/resource\s+"aws_lambda_function"/.test(content)) return [];
+    const matches = [];
+    const lambdaPattern = /resource\s+"aws_lambda_function"\s+"(\w+)"/g;
+    let m;
+    while ((m = lambdaPattern.exec(content)) !== null) {
+      if (isCommentLine(content, m.index)) continue;
+      const blockEnd = Math.min(m.index + 2e3, content.length);
+      const blockContent = content.substring(m.index, blockEnd);
+      if (!/vpc_config\s*\{/.test(blockContent)) {
+        const lineNum = content.substring(0, m.index).split("\n").length;
+        matches.push({
+          rule: "VC111",
+          title: lambdaWithoutVPC.title,
+          severity: "medium",
+          category: "Infrastructure",
+          file: filePath,
+          line: lineNum,
+          snippet: getSnippet(content, lineNum),
+          fix: "Place Lambda functions in a VPC for network isolation."
+        });
+      }
+    }
+    return matches;
+  }
+};
+var dockerLatestTag = {
+  id: "VC112",
+  title: "Docker Image Using Latest Tag",
+  severity: "high",
+  category: "Configuration",
+  description: "Using :latest or no tag in Docker FROM directives leads to non-reproducible builds and potential security regressions.",
+  check(content, filePath) {
+    if (!filePath.match(/Dockerfile$/i)) return [];
+    const matches = [];
+    const fromPattern = /^FROM\s+(?!scratch)(\S+?)(?:\s+AS\s+\S+)?\s*$/gm;
+    let m;
+    while ((m = fromPattern.exec(content)) !== null) {
+      const image = m[1];
+      if (image.endsWith(":latest") || !image.includes(":") && !image.startsWith("$")) {
+        const lineNum = content.substring(0, m.index).split("\n").length;
+        matches.push({
+          rule: "VC112",
+          title: dockerLatestTag.title,
+          severity: "high",
+          category: "Configuration",
+          file: filePath,
+          line: lineNum,
+          snippet: getSnippet(content, lineNum),
+          fix: "Pin Docker image versions: FROM node:20-alpine instead of FROM node:latest"
+        });
+      }
+    }
+    return matches;
+  }
+};
+var dockerCopySensitive = {
+  id: "VC113",
+  title: "Docker COPY With Sensitive Files",
+  severity: "high",
+  category: "Configuration",
+  description: "Using COPY . . or ADD . . without a .dockerignore can leak .env files, .git history, and other sensitive data into the Docker image.",
+  check(content, filePath) {
+    if (!filePath.match(/Dockerfile$/i)) return [];
+    if (!/(?:COPY|ADD)\s+\.\s+\./.test(content)) return [];
+    return findMatches(
+      content,
+      /(?:COPY|ADD)\s+\.\s+\./g,
+      dockerCopySensitive,
+      filePath,
+      () => "Use .dockerignore to exclude .env, .git, node_modules, and sensitive files from the Docker build context."
+    );
+  }
+};
+var dockerTooManyPorts = {
+  id: "VC114",
+  title: "Docker Exposing Too Many Ports",
+  severity: "medium",
+  category: "Configuration",
+  description: "Exposing many ports or wide port ranges increases the attack surface of a container.",
+  check(content, filePath) {
+    if (!filePath.match(/Dockerfile$/i)) return [];
+    const matches = [];
+    const rangePattern = /^EXPOSE\s+\d+-\d+/gm;
+    matches.push(...findMatches(
+      content,
+      rangePattern,
+      dockerTooManyPorts,
+      filePath,
+      () => "Only expose necessary ports. Each EXPOSE should have a clear purpose."
+    ));
+    const exposeLines = content.split("\n").filter((l) => /^\s*EXPOSE\s+/.test(l));
+    if (exposeLines.length > 3) {
+      const firstExpose = content.search(/^\s*EXPOSE\s+/m);
+      if (firstExpose >= 0) {
+        const lineNum = content.substring(0, firstExpose).split("\n").length;
+        matches.push({
+          rule: "VC114",
+          title: dockerTooManyPorts.title,
+          severity: "medium",
+          category: "Configuration",
+          file: filePath,
+          line: lineNum,
+          snippet: getSnippet(content, lineNum),
+          fix: "Only expose necessary ports. Each EXPOSE should have a clear purpose."
+        });
+      }
+    }
+    return matches;
+  }
+};
+var k8sSecretNotEncrypted = {
+  id: "VC115",
+  title: "Kubernetes Secret Not Encrypted",
+  severity: "high",
+  category: "Infrastructure",
+  description: "Kubernetes Secrets stored as plain base64 in manifests are not encrypted and can be trivially decoded. Use sealed-secrets or external-secrets.",
+  check(content, filePath) {
+    if (!filePath.match(/\.(yaml|yml)$/)) return [];
+    if (!/kind\s*:\s*Secret/i.test(content)) return [];
+    if (/sealedsecrets\.bitnami\.com|external-secrets\.io/i.test(content)) return [];
+    return findMatches(
+      content,
+      /kind\s*:\s*Secret/g,
+      k8sSecretNotEncrypted,
+      filePath,
+      () => "Use sealed-secrets or external-secrets-operator. Never store plain secrets in manifests."
+    );
+  }
+};
+var k8sNoResourceLimits = {
+  id: "VC116",
+  title: "Kubernetes Pod Without Resource Limits",
+  severity: "medium",
+  category: "Infrastructure",
+  description: "Pods or deployments without resource limits can consume excessive CPU/memory, causing cluster instability.",
+  check(content, filePath) {
+    if (!filePath.match(/\.(yaml|yml)$/)) return [];
+    if (!/kind\s*:\s*(?:Pod|Deployment|StatefulSet|DaemonSet|Job|CronJob)/i.test(content)) return [];
+    if (/resources\s*:\s*\n\s+limits\s*:/m.test(content)) return [];
+    if (/resources\s*:.*limits/i.test(content)) return [];
+    const kindMatch = content.match(/kind\s*:\s*(?:Pod|Deployment|StatefulSet|DaemonSet|Job|CronJob)/i);
+    if (!kindMatch) return [];
+    const lineNum = content.substring(0, kindMatch.index).split("\n").length;
+    return [{
+      rule: "VC116",
+      title: k8sNoResourceLimits.title,
+      severity: "medium",
+      category: "Infrastructure",
+      file: filePath,
+      line: lineNum,
+      snippet: getSnippet(content, lineNum),
+      fix: "Set resource limits to prevent pods from consuming excessive CPU/memory."
+    }];
+  }
+};
+var pathTraversal = {
+  id: "VC117",
+  title: "Path Traversal Vulnerability",
+  severity: "critical",
+  category: "Injection",
+  description: "User input is used to construct file paths without sanitization, allowing attackers to read/write arbitrary files (e.g., ../../etc/passwd).",
+  check(content, filePath) {
+    if (isTestFile(filePath)) return [];
+    if (!filePath.match(/\.(js|ts|jsx|tsx|py|rb|go|php|java)$/)) return [];
+    const findings = [];
+    const patterns = [
+      /(?:readFile|readFileSync|createReadStream|writeFile|writeFileSync|appendFile|unlink|unlinkSync|access|stat|statSync|existsSync)\s*\(\s*(?:req\.|request\.|ctx\.|params\.|query\.)/gi,
+      /(?:path\.join|path\.resolve)\s*\([^)]*(?:req\.|request\.|ctx\.|params\.|query\.)[^)]*\)/gi,
+      /(?:res\.sendFile|res\.download)\s*\([^)]*(?:req\.|request\.)/gi,
+      /open\s*\(\s*(?:request\.|params\[|args\.)/gi
+    ];
+    for (const pat of patterns) {
+      let m;
+      while ((m = pat.exec(content)) !== null) {
+        if (isCommentLine(content, m.index)) continue;
+        const surrounding = content.substring(Math.max(0, m.index - 200), m.index + 200);
+        if (/path\.normalize|sanitize|\.replace\(\s*['"]\.\./i.test(surrounding)) continue;
+        const lineNum = content.substring(0, m.index).split("\n").length;
+        findings.push({
+          rule: "VC117",
+          title: pathTraversal.title,
+          severity: "critical",
+          category: "Injection",
+          file: filePath,
+          line: lineNum,
+          snippet: getSnippet(content, lineNum),
+          fix: "Sanitize file paths: use path.normalize(), reject paths containing '..', and validate against an allowed base directory."
+        });
+      }
+    }
+    return findings;
+  }
+};
+var piiInLogs = {
+  id: "VC118",
+  title: "Personally Identifiable Information in Logs",
+  severity: "high",
+  category: "Information Leakage",
+  description: "Logging statements that include email addresses, passwords, SSNs, credit card numbers, or other PII can leak sensitive data to log aggregation systems.",
+  check(content, filePath) {
+    if (isTestFile(filePath)) return [];
+    if (!filePath.match(/\.(js|ts|jsx|tsx|py|rb|go|java|php)$/)) return [];
+    const findings = [];
+    const logPattern = /(?:console\.(?:log|info|warn|error|debug)|logger\.(?:info|warn|error|debug|log)|log\.(?:info|warn|error|debug)|logging\.(?:info|warn|error|debug))\s*\([^)]*(?:password|passwd|secret|ssn|social.?security|credit.?card|cardNumber|cvv|token|bearer|authorization)\b/gi;
+    let m;
+    while ((m = logPattern.exec(content)) !== null) {
+      if (isCommentLine(content, m.index)) continue;
+      if (isInsideFixMessage(content, m.index)) continue;
+      const lineNum = content.substring(0, m.index).split("\n").length;
+      findings.push({
+        rule: "VC118",
+        title: piiInLogs.title,
+        severity: "high",
+        category: "Information Leakage",
+        file: filePath,
+        line: lineNum,
+        snippet: getSnippet(content, lineNum),
+        fix: "Never log sensitive data. Redact or mask PII before logging: log('user login', { email: maskEmail(email) })."
+      });
+    }
+    return findings;
+  }
+};
+var hardcodedOAuthSecret = {
+  id: "VC119",
+  title: "Hardcoded OAuth Client Secret",
+  severity: "critical",
+  category: "Secrets",
+  description: "OAuth client secrets hardcoded in source code can be extracted and used to impersonate your application.",
+  check(content, filePath) {
+    if (isTestFile(filePath)) return [];
+    if (!filePath.match(/\.(js|ts|jsx|tsx|py|rb|go|java|php|env|json|yaml|yml)$/)) return [];
+    if (/package-lock|yarn\.lock|pnpm-lock|composer\.lock/i.test(filePath)) return [];
+    const findings = [];
+    const patterns = [
+      /client[_-]?secret\s*[:=]\s*["'][a-zA-Z0-9_\-]{20,}["']/gi,
+      /GOOGLE_CLIENT_SECRET\s*[:=]\s*["'][^"']{10,}["']/gi,
+      /GITHUB_CLIENT_SECRET\s*[:=]\s*["'][^"']{10,}["']/gi,
+      /FACEBOOK_APP_SECRET\s*[:=]\s*["'][^"']{10,}["']/gi,
+      /AUTH0_CLIENT_SECRET\s*[:=]\s*["'][^"']{10,}["']/gi
+    ];
+    for (const pat of patterns) {
+      let m;
+      while ((m = pat.exec(content)) !== null) {
+        if (isCommentLine(content, m.index)) continue;
+        if (/process\.env|os\.environ|ENV\[|getenv|\$\{|<your|CHANGE_ME|xxx|placeholder/i.test(m[0])) continue;
+        const lineNum = content.substring(0, m.index).split("\n").length;
+        findings.push({
+          rule: "VC119",
+          title: hardcodedOAuthSecret.title,
+          severity: "critical",
+          category: "Secrets",
+          file: filePath,
+          line: lineNum,
+          snippet: getSnippet(content, lineNum),
+          fix: "Move OAuth client secrets to environment variables. Never commit secrets to source control."
+        });
+      }
+    }
+    return findings;
+  }
+};
+var missingOAuthState = {
+  id: "VC120",
+  title: "OAuth Flow Missing State Parameter",
+  severity: "high",
+  category: "Authentication",
+  description: "OAuth authorization requests without a state parameter are vulnerable to CSRF attacks, allowing attackers to link their account to a victim's session.",
+  check(content, filePath) {
+    if (isTestFile(filePath)) return [];
+    if (!filePath.match(/\.(js|ts|jsx|tsx|py|rb|go|java|php)$/)) return [];
+    const findings = [];
+    const oauthUrlPattern = /(?:authorize\?|\/oauth\/authorize|\/auth\?|authorization_endpoint)[^}]*(?:client_id|response_type)/gi;
+    let m;
+    while ((m = oauthUrlPattern.exec(content)) !== null) {
+      if (isCommentLine(content, m.index)) continue;
+      const surrounding = content.substring(m.index, Math.min(content.length, m.index + 500));
+      if (/state\s*[=:]/i.test(surrounding)) continue;
+      const lineNum = content.substring(0, m.index).split("\n").length;
+      findings.push({
+        rule: "VC120",
+        title: missingOAuthState.title,
+        severity: "high",
+        category: "Authentication",
+        file: filePath,
+        line: lineNum,
+        snippet: getSnippet(content, lineNum),
+        fix: "Always include a cryptographically random 'state' parameter in OAuth authorization requests and validate it on callback."
+      });
+    }
+    return findings;
+  }
+};
+var unpinnedGitHubAction = {
+  id: "VC121",
+  title: "Unpinned GitHub Actions Version",
+  severity: "high",
+  category: "Supply Chain",
+  description: "GitHub Actions using branch references (@main, @master) instead of commit SHAs can be compromised via supply-chain attacks.",
+  check(content, filePath) {
+    if (!filePath.match(/\.github\/workflows\/.*\.(yml|yaml)$/)) return [];
+    const findings = [];
+    const usesPattern = /uses\s*:\s*[\w\-]+\/[\w\-]+@(main|master|dev|develop|latest)\b/gi;
+    let m;
+    while ((m = usesPattern.exec(content)) !== null) {
+      if (isCommentLine(content, m.index)) continue;
+      const lineNum = content.substring(0, m.index).split("\n").length;
+      findings.push({
+        rule: "VC121",
+        title: unpinnedGitHubAction.title,
+        severity: "high",
+        category: "Supply Chain",
+        file: filePath,
+        line: lineNum,
+        snippet: getSnippet(content, lineNum),
+        fix: "Pin GitHub Actions to a specific commit SHA instead of a branch name: uses: owner/action@<full-sha>"
+      });
+    }
+    return findings;
+  }
+};
+var deprecatedTLS = {
+  id: "VC122",
+  title: "Deprecated TLS Version Configured",
+  severity: "high",
+  category: "Cryptography",
+  description: "TLS 1.0 and 1.1 are deprecated and have known vulnerabilities. Only TLS 1.2+ should be used.",
+  check(content, filePath) {
+    if (isTestFile(filePath)) return [];
+    if (!filePath.match(/\.(js|ts|py|rb|go|java|yaml|yml|json|conf|cfg|xml)$/)) return [];
+    const findings = [];
+    const patterns = [
+      /(?:TLSv1_METHOD|TLSv1\.0|TLSv1\.1|ssl\.PROTOCOL_TLSv1|SSLv3|SSLv2|TLS_1_0|TLS_1_1|minVersion\s*[:=]\s*["']TLSv1(?:\.1)?["'])/gi,
+      /(?:tls\.DEFAULT_MIN_VERSION|secureProtocol)\s*[:=]\s*["'](?:TLSv1_method|TLSv1_1_method|SSLv3_method)["']/gi,
+      /ssl_protocols\s+.*(?:TLSv1(?:\.1)?(?:\s|;))/gi
+    ];
+    for (const pat of patterns) {
+      let m;
+      while ((m = pat.exec(content)) !== null) {
+        if (isCommentLine(content, m.index)) continue;
+        const lineNum = content.substring(0, m.index).split("\n").length;
+        findings.push({
+          rule: "VC122",
+          title: deprecatedTLS.title,
+          severity: "high",
+          category: "Cryptography",
+          file: filePath,
+          line: lineNum,
+          snippet: getSnippet(content, lineNum),
+          fix: "Use TLS 1.2 or higher. Set minVersion to 'TLSv1.2' and remove support for TLS 1.0/1.1."
+        });
+      }
+    }
+    return findings;
+  }
+};
+var weakRSAKeySize = {
+  id: "VC123",
+  title: "Weak RSA Key Size",
+  severity: "high",
+  category: "Cryptography",
+  description: "RSA keys smaller than 2048 bits are considered insecure and can be factored with modern hardware.",
+  check(content, filePath) {
+    if (isTestFile(filePath)) return [];
+    if (!filePath.match(/\.(js|ts|py|rb|go|java|php)$/)) return [];
+    const findings = [];
+    const patterns = [
+      /generateKeyPair\s*\(\s*["']rsa["']\s*,\s*\{[^}]*modulusLength\s*:\s*(512|768|1024)\b/gi,
+      /RSA\.generate\s*\(\s*(512|768|1024)\b/gi,
+      /rsa\.GenerateKey\s*\([^,]*,\s*(512|768|1024)\b/gi,
+      /KeyPairGenerator.*initialize\s*\(\s*(512|768|1024)\b/gi
+    ];
+    for (const pat of patterns) {
+      let m;
+      while ((m = pat.exec(content)) !== null) {
+        if (isCommentLine(content, m.index)) continue;
+        const lineNum = content.substring(0, m.index).split("\n").length;
+        findings.push({
+          rule: "VC123",
+          title: weakRSAKeySize.title,
+          severity: "high",
+          category: "Cryptography",
+          file: filePath,
+          line: lineNum,
+          snippet: getSnippet(content, lineNum),
+          fix: "Use RSA key sizes of at least 2048 bits. 4096 bits is recommended for long-term security."
+        });
+      }
+    }
+    return findings;
+  }
+};
+var ecbModeEncryption = {
+  id: "VC124",
+  title: "Insecure ECB Mode Encryption",
+  severity: "high",
+  category: "Cryptography",
+  description: "ECB (Electronic Codebook) mode encrypts identical plaintext blocks to identical ciphertext, leaking patterns in the data.",
+  check(content, filePath) {
+    if (isTestFile(filePath)) return [];
+    if (!filePath.match(/\.(js|ts|py|rb|go|java|php)$/)) return [];
+    const findings = [];
+    const patterns = [
+      /createCipher(?:iv)?\s*\(\s*["'](?:aes-(?:128|192|256)-ecb|des-ecb)["']/gi,
+      /AES\.(?:new|MODE_ECB)|MODE_ECB/gi,
+      /Cipher\.getInstance\s*\(\s*["']AES\/ECB/gi,
+      /aes\.NewCipher|cipher\.NewECBEncrypter/gi
+    ];
+    for (const pat of patterns) {
+      let m;
+      while ((m = pat.exec(content)) !== null) {
+        if (isCommentLine(content, m.index)) continue;
+        const lineNum = content.substring(0, m.index).split("\n").length;
+        findings.push({
+          rule: "VC124",
+          title: ecbModeEncryption.title,
+          severity: "high",
+          category: "Cryptography",
+          file: filePath,
+          line: lineNum,
+          snippet: getSnippet(content, lineNum),
+          fix: "Use AES-GCM or AES-CBC with HMAC instead of ECB mode. GCM provides both encryption and authentication."
+        });
+      }
+    }
+    return findings;
+  }
+};
+var insecurePasswordReset = {
+  id: "VC125",
+  title: "Insecure Password Reset Implementation",
+  severity: "high",
+  category: "Authentication",
+  description: "Password reset using predictable tokens, no expiration, or user-enumeration leaks can be exploited to take over accounts.",
+  check(content, filePath) {
+    if (isTestFile(filePath)) return [];
+    if (!filePath.match(/\.(js|ts|jsx|tsx|py|rb|go|java|php)$/)) return [];
+    if (!/(?:reset|forgot).*(?:password|passwd)/i.test(content)) return [];
+    const findings = [];
+    const weakTokens = /(?:reset|forgot).*(?:token|code)\s*[:=].*(?:Date\.now|Math\.random|uuid\(\)|nanoid\(\))/gi;
+    let m;
+    while ((m = weakTokens.exec(content)) !== null) {
+      if (isCommentLine(content, m.index)) continue;
+      const lineNum = content.substring(0, m.index).split("\n").length;
+      findings.push({
+        rule: "VC125",
+        title: insecurePasswordReset.title,
+        severity: "high",
+        category: "Authentication",
+        file: filePath,
+        line: lineNum,
+        snippet: getSnippet(content, lineNum),
+        fix: "Use crypto.randomBytes(32).toString('hex') for reset tokens. Set expiration (15-60 minutes) and single-use enforcement."
+      });
+    }
+    const enumeration = /(?:user|email|account)\s*(?:not\s*found|does\s*not\s*exist|invalid)/gi;
+    while ((m = enumeration.exec(content)) !== null) {
+      if (isCommentLine(content, m.index)) continue;
+      const surrounding = content.substring(Math.max(0, m.index - 500), m.index);
+      if (!/(?:reset|forgot).*password/i.test(surrounding)) continue;
+      const lineNum = content.substring(0, m.index).split("\n").length;
+      findings.push({
+        rule: "VC125",
+        title: insecurePasswordReset.title,
+        severity: "high",
+        category: "Authentication",
+        file: filePath,
+        line: lineNum,
+        snippet: getSnippet(content, lineNum),
+        fix: "Always return the same response regardless of whether the email exists. Say 'If an account exists, a reset link was sent.'"
+      });
+    }
+    return findings;
+  }
+};
+var terraformStateExposed = {
+  id: "VC126",
+  title: "Terraform State File Committed",
+  severity: "critical",
+  category: "Secrets",
+  description: "Terraform state files contain sensitive infrastructure details, secrets, and access credentials in plaintext. They must never be committed to version control.",
+  check(content, filePath) {
+    const findings = [];
+    if (/terraform\.tfstate(\.backup)?$/.test(filePath)) {
+      findings.push({
+        rule: "VC126",
+        title: terraformStateExposed.title,
+        severity: "critical",
+        category: "Secrets",
+        file: filePath,
+        line: 1,
+        snippet: getSnippet(content, 1),
+        fix: "Add '*.tfstate' and '*.tfstate.backup' to .gitignore. Use remote state backends (S3, GCS, Terraform Cloud) instead."
+      });
+    }
+    if (filePath.endsWith(".gitignore") && !content.includes("tfstate")) {
+      if (/\.tf$/.test(filePath) || content.includes(".tf")) {
+      }
+    }
+    return findings;
+  }
+};
+var insecureHTTPMethods = {
+  id: "VC127",
+  title: "Dangerous HTTP Methods Without Auth",
+  severity: "high",
+  category: "Authorization",
+  description: "DELETE, PUT, and PATCH endpoints without authentication checks allow unauthorized data modification or deletion.",
+  check(content, filePath) {
+    if (isTestFile(filePath)) return [];
+    if (!filePath.match(/\.(js|ts|jsx|tsx|py|rb|go|java|php)$/)) return [];
+    const findings = [];
+    const routePatterns = [
+      /(?:app|router|server)\.(delete|put|patch)\s*\(\s*["']/gi
+    ];
+    for (const pat of routePatterns) {
+      let m;
+      while ((m = pat.exec(content)) !== null) {
+        if (isCommentLine(content, m.index)) continue;
+        const handlerBlock = content.substring(m.index, Math.min(content.length, m.index + 500));
+        if (/auth|authenticate|authorize|requireAuth|isAuthenticated|protect|guard|middleware|session|jwt|verify|clerk|getAuth/i.test(handlerBlock)) continue;
+        const lineNum = content.substring(0, m.index).split("\n").length;
+        findings.push({
+          rule: "VC127",
+          title: insecureHTTPMethods.title,
+          severity: "high",
+          category: "Authorization",
+          file: filePath,
+          line: lineNum,
+          snippet: getSnippet(content, lineNum),
+          fix: "Add authentication middleware to DELETE, PUT, and PATCH routes. Verify the user has permission to modify the resource."
+        });
+      }
+    }
+    return findings;
+  }
+};
+var httpRequestSmuggling = {
+  id: "VC128",
+  title: "HTTP Request Smuggling Risk",
+  severity: "high",
+  category: "Configuration",
+  description: "Manually parsing Content-Length or Transfer-Encoding headers can lead to request smuggling when behind a reverse proxy.",
+  check(content, filePath) {
+    if (isTestFile(filePath)) return [];
+    if (!filePath.match(/\.(js|ts|py|rb|go|java|php)$/)) return [];
+    const findings = [];
+    const patterns = [
+      /(?:headers?\[?|getHeader\s*\(\s*)["'](?:content-length|transfer-encoding)["']\s*\]?\s*\)/gi,
+      /parseInt\s*\(\s*(?:req|request)\.headers?\[?\s*["']content-length["']/gi
+    ];
+    for (const pat of patterns) {
+      let m;
+      while ((m = pat.exec(content)) !== null) {
+        if (isCommentLine(content, m.index)) continue;
+        const lineNum = content.substring(0, m.index).split("\n").length;
+        findings.push({
+          rule: "VC128",
+          title: httpRequestSmuggling.title,
+          severity: "high",
+          category: "Configuration",
+          file: filePath,
+          line: lineNum,
+          snippet: getSnippet(content, lineNum),
+          fix: "Let your framework handle Content-Length and Transfer-Encoding headers. Do not manually parse or trust these values."
+        });
+      }
+    }
+    return findings;
+  }
+};
+var unencryptedPII = {
+  id: "VC129",
+  title: "Sensitive Data Stored Without Encryption",
+  severity: "high",
+  category: "Information Leakage",
+  description: "Database schemas storing PII (SSN, credit cards, health records) in plaintext violate compliance requirements and expose data in breaches.",
+  check(content, filePath) {
+    if (isTestFile(filePath)) return [];
+    if (!filePath.match(/\.(sql|prisma|py|ts|js|rb)$/)) return [];
+    const findings = [];
+    const schemaPatterns = [
+      /(?:column|field|Column|Field)\s*\(\s*["'](?:ssn|social_security|tax_id|credit_card|card_number|cvv|passport|driver_license|bank_account|routing_number)["']\s*,\s*(?:String|TEXT|VARCHAR|Text|text)/gi,
+      /(?:ssn|social_security|tax_id|credit_card|card_number|cvv|passport_number|driver_license|bank_account|routing_number)\s+(?:TEXT|VARCHAR|String|text|character varying)/gi
+    ];
+    for (const pat of schemaPatterns) {
+      let m;
+      while ((m = pat.exec(content)) !== null) {
+        if (isCommentLine(content, m.index)) continue;
+        const lineNum = content.substring(0, m.index).split("\n").length;
+        findings.push({
+          rule: "VC129",
+          title: unencryptedPII.title,
+          severity: "high",
+          category: "Information Leakage",
+          file: filePath,
+          line: lineNum,
+          snippet: getSnippet(content, lineNum),
+          fix: "Encrypt sensitive fields at the application level before storing. Use field-level encryption with a KMS for SSN, credit cards, and health data."
+        });
+      }
+    }
+    return findings;
+  }
+};
+var missingAuthRateLimit = {
+  id: "VC130",
+  title: "Authentication Endpoint Without Rate Limiting",
+  severity: "high",
+  category: "Authentication",
+  description: "Login, registration, and password reset endpoints without rate limiting are vulnerable to credential stuffing and brute-force attacks.",
+  check(content, filePath) {
+    if (isTestFile(filePath)) return [];
+    if (!filePath.match(/\.(js|ts|jsx|tsx|py|rb|go|java|php)$/)) return [];
+    const findings = [];
+    const authRoutePattern = /(?:app|router|server)\.(?:post|put)\s*\(\s*["'](?:\/(?:api\/)?(?:auth\/)?(?:login|signin|sign-in|register|signup|sign-up|forgot-password|reset-password))["']/gi;
+    let m;
+    while ((m = authRoutePattern.exec(content)) !== null) {
+      if (isCommentLine(content, m.index)) continue;
+      const surrounding = content.substring(Math.max(0, m.index - 300), Math.min(content.length, m.index + 300));
+      if (/rateLimit|rateLimiter|throttle|slowDown|express-rate-limit|rate_limit|RateLimiter|limiter/i.test(surrounding)) continue;
+      const lineNum = content.substring(0, m.index).split("\n").length;
+      findings.push({
+        rule: "VC130",
+        title: missingAuthRateLimit.title,
+        severity: "high",
+        category: "Authentication",
+        file: filePath,
+        line: lineNum,
+        snippet: getSnippet(content, lineNum),
+        fix: "Add rate limiting to authentication endpoints. Limit to 5-10 attempts per minute per IP. Use express-rate-limit or similar."
+      });
+    }
+    return findings;
+  }
+};
+var vulnerableDependencies = {
+  id: "VC131",
+  title: "Potentially Vulnerable Dependency",
+  severity: "high",
+  category: "Supply Chain",
+  description: "Dependencies with known security issues that are commonly found in AI-generated codebases.",
+  check(content, filePath) {
+    if (!filePath.endsWith("package.json")) return [];
+    if (/node_modules|\.next|dist|build/.test(filePath)) return [];
+    const findings = [];
+    const vulnerablePackages = [
+      [/"jsonwebtoken"\s*:\s*"[\^~]?[0-7]\./g, "jsonwebtoken < 8.x has signature bypass vulnerabilities"],
+      [/"lodash"\s*:\s*"[\^~]?[0-3]\./g, "lodash < 4.x has prototype pollution vulnerabilities"],
+      [/"minimist"\s*:\s*"[\^~]?[01]\.[01]\./g, "minimist < 1.2.6 has prototype pollution"],
+      [/"node-fetch"\s*:\s*"[\^~]?[12]\./g, "node-fetch < 3.x has data exposure issues"],
+      [/"express"\s*:\s*"[\^~]?[0-3]\./g, "express < 4.x has multiple known vulnerabilities"],
+      [/"axios"\s*:\s*"[\^~]?0\.[0-9]\./g, "axios < 0.21 has SSRF vulnerabilities"],
+      [/"tar"\s*:\s*"[\^~]?[0-5]\./g, "tar < 6.x has path traversal vulnerabilities"],
+      [/"glob-parent"\s*:\s*"[\^~]?[0-4]\./g, "glob-parent < 5.1.2 has ReDoS vulnerability"]
+    ];
+    for (const [pat, message] of vulnerablePackages) {
+      let m;
+      while ((m = pat.exec(content)) !== null) {
+        const lineNum = content.substring(0, m.index).split("\n").length;
+        findings.push({
+          rule: "VC131",
+          title: vulnerableDependencies.title,
+          severity: "high",
+          category: "Supply Chain",
+          file: filePath,
+          line: lineNum,
+          snippet: getSnippet(content, lineNum),
+          fix: `${message}. Update to the latest version and run 'npm audit' regularly.`
+        });
+      }
+    }
+    return findings;
+  }
+};
+var freeRules = [
+  hardcodedSecrets,
+  // VC001
+  exposedEnvFile,
+  // VC002
+  missingAuthMiddleware,
+  // VC003
+  supabaseNoRLS,
+  // VC004
+  stripeWebhookUnprotected,
+  // VC005
+  sqlInjection,
+  // VC006
+  xssVulnerability,
+  // VC007
+  noRateLimiting,
+  // VC008
+  corsWildcard,
+  // VC009
+  clientSideAuth,
+  // VC010
+  nextPublicSecret,
+  // VC011
+  envNotGitignored,
+  // VC014
+  evalUsage,
+  // VC015
+  unvalidatedRedirect,
+  // VC016
+  insecureCookies,
+  // VC017
+  exposedAuthSecret,
+  // VC018
+  missingCSP,
+  // VC020
+  hardcodedJWTSecret,
+  // VC031
+  missingHTTPS,
+  // VC032
+  exposedDebugMode,
+  // VC033
+  insecureRandomness,
+  // VC034
+  missingErrorBoundary,
+  // VC036
+  exposedStackTraces,
+  // VC037
+  missingLockFile,
+  // VC039
+  dangerousInnerHTML,
+  // VC063
+  consoleLogProduction,
+  // VC097
+  emptyCatchBlock,
+  // VC104
+  todoLeftInCode,
+  // VC103
+  weakHashing,
+  // VC060
+  disabledTLSVerification
+  // VC061
+];
+var proRules = [
   hardcodedSecrets,
   exposedEnvFile,
   missingAuthMiddleware,
@@ -3471,14 +4368,55 @@ var allRules = [
   todoLeftInCode,
   emptyCatchBlock,
   callbackHell,
-  magicNumbers
+  magicNumbers,
+  s3BucketNoEncryption,
+  securityGroupAllInbound,
+  rdsPubliclyAccessible,
+  missingCloudTrail,
+  lambdaWithoutVPC,
+  dockerLatestTag,
+  dockerCopySensitive,
+  dockerTooManyPorts,
+  k8sSecretNotEncrypted,
+  k8sNoResourceLimits,
+  pathTraversal,
+  // VC117
+  piiInLogs,
+  // VC118
+  hardcodedOAuthSecret,
+  // VC119
+  missingOAuthState,
+  // VC120
+  unpinnedGitHubAction,
+  // VC121
+  deprecatedTLS,
+  // VC122
+  weakRSAKeySize,
+  // VC123
+  ecbModeEncryption,
+  // VC124
+  insecurePasswordReset,
+  // VC125
+  terraformStateExposed,
+  // VC126
+  insecureHTTPMethods,
+  // VC127
+  httpRequestSmuggling,
+  // VC128
+  unencryptedPII,
+  // VC129
+  missingAuthRateLimit,
+  // VC130
+  vulnerableDependencies
+  // VC131
 ];
-function runCustomRules(content, filePath, disabledRules = []) {
+function runCustomRules(content, filePath, disabledRules = [], tier = "free") {
   const findings = [];
   if (/function runScan\(files\)|export function runCustomRules/.test(content) && /const (?:rules|allRules)\s*[:=]/.test(content) && /findMatches/.test(content)) {
     return findings;
   }
-  for (const rule of allRules) {
+  const ruleset = tier === "pro" ? proRules : freeRules;
+  for (const rule of ruleset) {
     if (disabledRules.includes(rule.id)) continue;
     const matches = rule.check(content, filePath);
     const compliance = complianceMap[rule.id];
@@ -5479,7 +6417,7 @@ Open this URL in your browser to log in:`));
 var program = new Command();
 program.name("xploitscan").description(
   "AI security scanner for vibe-coded apps. Find vulnerabilities before attackers do."
-).version("0.3.0");
+).version("0.7.0");
 program.command("scan").description("Scan a directory for security vulnerabilities").argument("[directory]", "Directory to scan", ".").option("--no-ai", "Skip AI-powered analysis").option("-f, --format <format>", "Output format: terminal, json, sarif", "terminal").option("-v, --verbose", "Show detailed output", false).option("--diff [base]", "Scan only files changed vs base branch (default: main)").option("-w, --watch", "Watch for file changes and re-scan automatically", false).action(async (directory, opts) => {
   await scanCommand(directory, {
     directory,
@@ -5495,7 +6433,7 @@ auth.command("login").description("Log in to your XploitScan account").action(lo
 auth.command("logout").description("Log out of your XploitScan account").action(logoutCommand);
 auth.command("whoami").description("Show current logged-in user").action(whoamiCommand);
 program.command("upgrade").description("Upgrade to XploitScan Pro for unlimited scans").action(async () => {
-  const { getStoredToken: getStoredToken2, getCheckoutUrl } = await import("./api-QTNXZY4O.js");
+  const { getStoredToken: getStoredToken2, getCheckoutUrl } = await import("./api-Z7VNGPT2.js");
   const chalk4 = (await import("chalk")).default;
   const token = getStoredToken2();
   if (!token) {
@@ -5508,7 +6446,7 @@ program.command("upgrade").description("Upgrade to XploitScan Pro for unlimited
     console.log(chalk4.green(`
 Open this URL to upgrade:`));
     console.log(chalk4.bold.underline(url));
-    const { execFile: execFile4 } = __require("child_process");
+    const { execFile: execFile4 } = await import("child_process");
     const openCmd = process.platform === "darwin" ? "open" : process.platform === "win32" ? "start" : "xdg-open";
     execFile4(openCmd, [url], () => {
     });