xploitscan 0.6.0 → 0.8.0

package/dist/index.js

@@ -1,6 +1,5 @@
 #!/usr/bin/env node
 import {
-  __require,
   checkUsage,
   clearToken,
   getStoredToken,
@@ -9,7 +8,7 @@ import {
   storeToken,
   syncUser,
   uploadScanResults
-} from "./chunk-47X3TUVR.js";
+} from "./chunk-CBDFSACC.js";
 
 // src/index.ts
 import { Command } from "commander";
@@ -3166,7 +3165,42 @@ var complianceMap = {
   VC093: { owasp: "A01:2021", cwe: "CWE-22" },
   VC094: { owasp: "A03:2021", cwe: "CWE-78" },
   VC095: { owasp: "A05:2021", cwe: "CWE-942" },
-  VC096: { owasp: "A02:2021", cwe: "CWE-319" }
+  VC096: { owasp: "A02:2021", cwe: "CWE-319" },
+  VC097: { owasp: "A09:2021", cwe: "CWE-532" },
+  VC098: { owasp: "A04:2021", cwe: "CWE-400" },
+  VC099: { owasp: "A04:2021", cwe: "CWE-401" },
+  VC100: { owasp: "A04:2021", cwe: "CWE-400" },
+  VC101: { owasp: "A04:2021", cwe: "CWE-400" },
+  VC102: { owasp: "A04:2021", cwe: "CWE-400" },
+  VC103: { owasp: "A04:2021", cwe: "CWE-710" },
+  VC104: { owasp: "A04:2021", cwe: "CWE-390" },
+  VC105: { owasp: "A04:2021", cwe: "CWE-710" },
+  VC106: { owasp: "A04:2021", cwe: "CWE-710" },
+  VC107: { owasp: "A02:2021", cwe: "CWE-311" },
+  VC108: { owasp: "A01:2021", cwe: "CWE-284" },
+  VC109: { owasp: "A01:2021", cwe: "CWE-284" },
+  VC110: { owasp: "A09:2021", cwe: "CWE-778" },
+  VC111: { owasp: "A05:2021", cwe: "CWE-16" },
+  VC112: { owasp: "A06:2021", cwe: "CWE-1104" },
+  VC113: { owasp: "A05:2021", cwe: "CWE-200" },
+  VC114: { owasp: "A05:2021", cwe: "CWE-16" },
+  VC115: { owasp: "A02:2021", cwe: "CWE-311" },
+  VC116: { owasp: "A05:2021", cwe: "CWE-770" },
+  VC117: { owasp: "A03:2021", cwe: "CWE-22" },
+  VC118: { owasp: "A09:2021", cwe: "CWE-532" },
+  VC119: { owasp: "A07:2021", cwe: "CWE-798" },
+  VC120: { owasp: "A07:2021", cwe: "CWE-352" },
+  VC121: { owasp: "A06:2021", cwe: "CWE-1104" },
+  VC122: { owasp: "A02:2021", cwe: "CWE-326" },
+  VC123: { owasp: "A02:2021", cwe: "CWE-326" },
+  VC124: { owasp: "A02:2021", cwe: "CWE-327" },
+  VC125: { owasp: "A07:2021", cwe: "CWE-640" },
+  VC126: { owasp: "A05:2021", cwe: "CWE-200" },
+  VC127: { owasp: "A01:2021", cwe: "CWE-862" },
+  VC128: { owasp: "A05:2021", cwe: "CWE-444" },
+  VC129: { owasp: "A02:2021", cwe: "CWE-311" },
+  VC130: { owasp: "A07:2021", cwe: "CWE-307" },
+  VC131: { owasp: "A06:2021", cwe: "CWE-1104" }
 };
 var consoleLogProduction = {
   id: "VC097",
@@ -3646,6 +3680,526 @@ var k8sNoResourceLimits = {
     }];
   }
 };
+var pathTraversal = {
+  id: "VC117",
+  title: "Path Traversal Vulnerability",
+  severity: "critical",
+  category: "Injection",
+  description: "User input is used to construct file paths without sanitization, allowing attackers to read/write arbitrary files (e.g., ../../etc/passwd).",
+  check(content, filePath) {
+    if (isTestFile(filePath)) return [];
+    if (!filePath.match(/\.(js|ts|jsx|tsx|py|rb|go|php|java)$/)) return [];
+    const findings = [];
+    const patterns = [
+      /(?:readFile|readFileSync|createReadStream|writeFile|writeFileSync|appendFile|unlink|unlinkSync|access|stat|statSync|existsSync)\s*\(\s*(?:req\.|request\.|ctx\.|params\.|query\.)/gi,
+      /(?:path\.join|path\.resolve)\s*\([^)]*(?:req\.|request\.|ctx\.|params\.|query\.)[^)]*\)/gi,
+      /(?:res\.sendFile|res\.download)\s*\([^)]*(?:req\.|request\.)/gi,
+      /open\s*\(\s*(?:request\.|params\[|args\.)/gi
+    ];
+    for (const pat of patterns) {
+      let m;
+      while ((m = pat.exec(content)) !== null) {
+        if (isCommentLine(content, m.index)) continue;
+        const surrounding = content.substring(Math.max(0, m.index - 200), m.index + 200);
+        if (/path\.normalize|sanitize|\.replace\(\s*['"]\.\./i.test(surrounding)) continue;
+        const lineNum = content.substring(0, m.index).split("\n").length;
+        findings.push({
+          rule: "VC117",
+          title: pathTraversal.title,
+          severity: "critical",
+          category: "Injection",
+          file: filePath,
+          line: lineNum,
+          snippet: getSnippet(content, lineNum),
+          fix: "Sanitize file paths: use path.normalize(), reject paths containing '..', and validate against an allowed base directory."
+        });
+      }
+    }
+    return findings;
+  }
+};
+var piiInLogs = {
+  id: "VC118",
+  title: "Personally Identifiable Information in Logs",
+  severity: "high",
+  category: "Information Leakage",
+  description: "Logging statements that include email addresses, passwords, SSNs, credit card numbers, or other PII can leak sensitive data to log aggregation systems.",
+  check(content, filePath) {
+    if (isTestFile(filePath)) return [];
+    if (!filePath.match(/\.(js|ts|jsx|tsx|py|rb|go|java|php)$/)) return [];
+    const findings = [];
+    const logPattern = /(?:console\.(?:log|info|warn|error|debug)|logger\.(?:info|warn|error|debug|log)|log\.(?:info|warn|error|debug)|logging\.(?:info|warn|error|debug))\s*\([^)]*(?:password|passwd|secret|ssn|social.?security|credit.?card|cardNumber|cvv|token|bearer|authorization)\b/gi;
+    let m;
+    while ((m = logPattern.exec(content)) !== null) {
+      if (isCommentLine(content, m.index)) continue;
+      if (isInsideFixMessage(content, m.index)) continue;
+      const lineNum = content.substring(0, m.index).split("\n").length;
+      findings.push({
+        rule: "VC118",
+        title: piiInLogs.title,
+        severity: "high",
+        category: "Information Leakage",
+        file: filePath,
+        line: lineNum,
+        snippet: getSnippet(content, lineNum),
+        fix: "Never log sensitive data. Redact or mask PII before logging: log('user login', { email: maskEmail(email) })."
+      });
+    }
+    return findings;
+  }
+};
+var hardcodedOAuthSecret = {
+  id: "VC119",
+  title: "Hardcoded OAuth Client Secret",
+  severity: "critical",
+  category: "Secrets",
+  description: "OAuth client secrets hardcoded in source code can be extracted and used to impersonate your application.",
+  check(content, filePath) {
+    if (isTestFile(filePath)) return [];
+    if (!filePath.match(/\.(js|ts|jsx|tsx|py|rb|go|java|php|env|json|yaml|yml)$/)) return [];
+    if (/package-lock|yarn\.lock|pnpm-lock|composer\.lock/i.test(filePath)) return [];
+    const findings = [];
+    const patterns = [
+      /client[_-]?secret\s*[:=]\s*["'][a-zA-Z0-9_\-]{20,}["']/gi,
+      /GOOGLE_CLIENT_SECRET\s*[:=]\s*["'][^"']{10,}["']/gi,
+      /GITHUB_CLIENT_SECRET\s*[:=]\s*["'][^"']{10,}["']/gi,
+      /FACEBOOK_APP_SECRET\s*[:=]\s*["'][^"']{10,}["']/gi,
+      /AUTH0_CLIENT_SECRET\s*[:=]\s*["'][^"']{10,}["']/gi
+    ];
+    for (const pat of patterns) {
+      let m;
+      while ((m = pat.exec(content)) !== null) {
+        if (isCommentLine(content, m.index)) continue;
+        if (/process\.env|os\.environ|ENV\[|getenv|\$\{|<your|CHANGE_ME|xxx|placeholder/i.test(m[0])) continue;
+        const lineNum = content.substring(0, m.index).split("\n").length;
+        findings.push({
+          rule: "VC119",
+          title: hardcodedOAuthSecret.title,
+          severity: "critical",
+          category: "Secrets",
+          file: filePath,
+          line: lineNum,
+          snippet: getSnippet(content, lineNum),
+          fix: "Move OAuth client secrets to environment variables. Never commit secrets to source control."
+        });
+      }
+    }
+    return findings;
+  }
+};
+var missingOAuthState = {
+  id: "VC120",
+  title: "OAuth Flow Missing State Parameter",
+  severity: "high",
+  category: "Authentication",
+  description: "OAuth authorization requests without a state parameter are vulnerable to CSRF attacks, allowing attackers to link their account to a victim's session.",
+  check(content, filePath) {
+    if (isTestFile(filePath)) return [];
+    if (!filePath.match(/\.(js|ts|jsx|tsx|py|rb|go|java|php)$/)) return [];
+    const findings = [];
+    const oauthUrlPattern = /(?:authorize\?|\/oauth\/authorize|\/auth\?|authorization_endpoint)[^}]*(?:client_id|response_type)/gi;
+    let m;
+    while ((m = oauthUrlPattern.exec(content)) !== null) {
+      if (isCommentLine(content, m.index)) continue;
+      const surrounding = content.substring(m.index, Math.min(content.length, m.index + 500));
+      if (/state\s*[=:]/i.test(surrounding)) continue;
+      const lineNum = content.substring(0, m.index).split("\n").length;
+      findings.push({
+        rule: "VC120",
+        title: missingOAuthState.title,
+        severity: "high",
+        category: "Authentication",
+        file: filePath,
+        line: lineNum,
+        snippet: getSnippet(content, lineNum),
+        fix: "Always include a cryptographically random 'state' parameter in OAuth authorization requests and validate it on callback."
+      });
+    }
+    return findings;
+  }
+};
+var unpinnedGitHubAction = {
+  id: "VC121",
+  title: "Unpinned GitHub Actions Version",
+  severity: "high",
+  category: "Supply Chain",
+  description: "GitHub Actions using branch references (@main, @master) instead of commit SHAs can be compromised via supply-chain attacks.",
+  check(content, filePath) {
+    if (!filePath.match(/\.github\/workflows\/.*\.(yml|yaml)$/)) return [];
+    const findings = [];
+    const usesPattern = /uses\s*:\s*[\w\-]+\/[\w\-]+@(main|master|dev|develop|latest)\b/gi;
+    let m;
+    while ((m = usesPattern.exec(content)) !== null) {
+      if (isCommentLine(content, m.index)) continue;
+      const lineNum = content.substring(0, m.index).split("\n").length;
+      findings.push({
+        rule: "VC121",
+        title: unpinnedGitHubAction.title,
+        severity: "high",
+        category: "Supply Chain",
+        file: filePath,
+        line: lineNum,
+        snippet: getSnippet(content, lineNum),
+        fix: "Pin GitHub Actions to a specific commit SHA instead of a branch name: uses: owner/action@<full-sha>"
+      });
+    }
+    return findings;
+  }
+};
+var deprecatedTLS = {
+  id: "VC122",
+  title: "Deprecated TLS Version Configured",
+  severity: "high",
+  category: "Cryptography",
+  description: "TLS 1.0 and 1.1 are deprecated and have known vulnerabilities. Only TLS 1.2+ should be used.",
+  check(content, filePath) {
+    if (isTestFile(filePath)) return [];
+    if (!filePath.match(/\.(js|ts|py|rb|go|java|yaml|yml|json|conf|cfg|xml)$/)) return [];
+    const findings = [];
+    const patterns = [
+      /(?:TLSv1_METHOD|TLSv1\.0|TLSv1\.1|ssl\.PROTOCOL_TLSv1|SSLv3|SSLv2|TLS_1_0|TLS_1_1|minVersion\s*[:=]\s*["']TLSv1(?:\.1)?["'])/gi,
+      /(?:tls\.DEFAULT_MIN_VERSION|secureProtocol)\s*[:=]\s*["'](?:TLSv1_method|TLSv1_1_method|SSLv3_method)["']/gi,
+      /ssl_protocols\s+.*(?:TLSv1(?:\.1)?(?:\s|;))/gi
+    ];
+    for (const pat of patterns) {
+      let m;
+      while ((m = pat.exec(content)) !== null) {
+        if (isCommentLine(content, m.index)) continue;
+        const lineNum = content.substring(0, m.index).split("\n").length;
+        findings.push({
+          rule: "VC122",
+          title: deprecatedTLS.title,
+          severity: "high",
+          category: "Cryptography",
+          file: filePath,
+          line: lineNum,
+          snippet: getSnippet(content, lineNum),
+          fix: "Use TLS 1.2 or higher. Set minVersion to 'TLSv1.2' and remove support for TLS 1.0/1.1."
+        });
+      }
+    }
+    return findings;
+  }
+};
+var weakRSAKeySize = {
+  id: "VC123",
+  title: "Weak RSA Key Size",
+  severity: "high",
+  category: "Cryptography",
+  description: "RSA keys smaller than 2048 bits are considered insecure and can be factored with modern hardware.",
+  check(content, filePath) {
+    if (isTestFile(filePath)) return [];
+    if (!filePath.match(/\.(js|ts|py|rb|go|java|php)$/)) return [];
+    const findings = [];
+    const patterns = [
+      /generateKeyPair\s*\(\s*["']rsa["']\s*,\s*\{[^}]*modulusLength\s*:\s*(512|768|1024)\b/gi,
+      /RSA\.generate\s*\(\s*(512|768|1024)\b/gi,
+      /rsa\.GenerateKey\s*\([^,]*,\s*(512|768|1024)\b/gi,
+      /KeyPairGenerator.*initialize\s*\(\s*(512|768|1024)\b/gi
+    ];
+    for (const pat of patterns) {
+      let m;
+      while ((m = pat.exec(content)) !== null) {
+        if (isCommentLine(content, m.index)) continue;
+        const lineNum = content.substring(0, m.index).split("\n").length;
+        findings.push({
+          rule: "VC123",
+          title: weakRSAKeySize.title,
+          severity: "high",
+          category: "Cryptography",
+          file: filePath,
+          line: lineNum,
+          snippet: getSnippet(content, lineNum),
+          fix: "Use RSA key sizes of at least 2048 bits. 4096 bits is recommended for long-term security."
+        });
+      }
+    }
+    return findings;
+  }
+};
+var ecbModeEncryption = {
+  id: "VC124",
+  title: "Insecure ECB Mode Encryption",
+  severity: "high",
+  category: "Cryptography",
+  description: "ECB (Electronic Codebook) mode encrypts identical plaintext blocks to identical ciphertext, leaking patterns in the data.",
+  check(content, filePath) {
+    if (isTestFile(filePath)) return [];
+    if (!filePath.match(/\.(js|ts|py|rb|go|java|php)$/)) return [];
+    const findings = [];
+    const patterns = [
+      /createCipher(?:iv)?\s*\(\s*["'](?:aes-(?:128|192|256)-ecb|des-ecb)["']/gi,
+      /AES\.(?:new|MODE_ECB)|MODE_ECB/gi,
+      /Cipher\.getInstance\s*\(\s*["']AES\/ECB/gi,
+      /aes\.NewCipher|cipher\.NewECBEncrypter/gi
+    ];
+    for (const pat of patterns) {
+      let m;
+      while ((m = pat.exec(content)) !== null) {
+        if (isCommentLine(content, m.index)) continue;
+        const lineNum = content.substring(0, m.index).split("\n").length;
+        findings.push({
+          rule: "VC124",
+          title: ecbModeEncryption.title,
+          severity: "high",
+          category: "Cryptography",
+          file: filePath,
+          line: lineNum,
+          snippet: getSnippet(content, lineNum),
+          fix: "Use AES-GCM or AES-CBC with HMAC instead of ECB mode. GCM provides both encryption and authentication."
+        });
+      }
+    }
+    return findings;
+  }
+};
+var insecurePasswordReset = {
+  id: "VC125",
+  title: "Insecure Password Reset Implementation",
+  severity: "high",
+  category: "Authentication",
+  description: "Password reset using predictable tokens, no expiration, or user-enumeration leaks can be exploited to take over accounts.",
+  check(content, filePath) {
+    if (isTestFile(filePath)) return [];
+    if (!filePath.match(/\.(js|ts|jsx|tsx|py|rb|go|java|php)$/)) return [];
+    if (!/(?:reset|forgot).*(?:password|passwd)/i.test(content)) return [];
+    const findings = [];
+    const weakTokens = /(?:reset|forgot).*(?:token|code)\s*[:=].*(?:Date\.now|Math\.random|uuid\(\)|nanoid\(\))/gi;
+    let m;
+    while ((m = weakTokens.exec(content)) !== null) {
+      if (isCommentLine(content, m.index)) continue;
+      const lineNum = content.substring(0, m.index).split("\n").length;
+      findings.push({
+        rule: "VC125",
+        title: insecurePasswordReset.title,
+        severity: "high",
+        category: "Authentication",
+        file: filePath,
+        line: lineNum,
+        snippet: getSnippet(content, lineNum),
+        fix: "Use crypto.randomBytes(32).toString('hex') for reset tokens. Set expiration (15-60 minutes) and single-use enforcement."
+      });
+    }
+    const enumeration = /(?:user|email|account)\s*(?:not\s*found|does\s*not\s*exist|invalid)/gi;
+    while ((m = enumeration.exec(content)) !== null) {
+      if (isCommentLine(content, m.index)) continue;
+      const surrounding = content.substring(Math.max(0, m.index - 500), m.index);
+      if (!/(?:reset|forgot).*password/i.test(surrounding)) continue;
+      const lineNum = content.substring(0, m.index).split("\n").length;
+      findings.push({
+        rule: "VC125",
+        title: insecurePasswordReset.title,
+        severity: "high",
+        category: "Authentication",
+        file: filePath,
+        line: lineNum,
+        snippet: getSnippet(content, lineNum),
+        fix: "Always return the same response regardless of whether the email exists. Say 'If an account exists, a reset link was sent.'"
+      });
+    }
+    return findings;
+  }
+};
+var terraformStateExposed = {
+  id: "VC126",
+  title: "Terraform State File Committed",
+  severity: "critical",
+  category: "Secrets",
+  description: "Terraform state files contain sensitive infrastructure details, secrets, and access credentials in plaintext. They must never be committed to version control.",
+  check(content, filePath) {
+    const findings = [];
+    if (/terraform\.tfstate(\.backup)?$/.test(filePath)) {
+      findings.push({
+        rule: "VC126",
+        title: terraformStateExposed.title,
+        severity: "critical",
+        category: "Secrets",
+        file: filePath,
+        line: 1,
+        snippet: getSnippet(content, 1),
+        fix: "Add '*.tfstate' and '*.tfstate.backup' to .gitignore. Use remote state backends (S3, GCS, Terraform Cloud) instead."
+      });
+    }
+    if (filePath.endsWith(".gitignore") && !content.includes("tfstate")) {
+      if (/\.tf$/.test(filePath) || content.includes(".tf")) {
+      }
+    }
+    return findings;
+  }
+};
+var insecureHTTPMethods = {
+  id: "VC127",
+  title: "Dangerous HTTP Methods Without Auth",
+  severity: "high",
+  category: "Authorization",
+  description: "DELETE, PUT, and PATCH endpoints without authentication checks allow unauthorized data modification or deletion.",
+  check(content, filePath) {
+    if (isTestFile(filePath)) return [];
+    if (!filePath.match(/\.(js|ts|jsx|tsx|py|rb|go|java|php)$/)) return [];
+    const findings = [];
+    const routePatterns = [
+      /(?:app|router|server)\.(delete|put|patch)\s*\(\s*["']/gi
+    ];
+    for (const pat of routePatterns) {
+      let m;
+      while ((m = pat.exec(content)) !== null) {
+        if (isCommentLine(content, m.index)) continue;
+        const handlerBlock = content.substring(m.index, Math.min(content.length, m.index + 500));
+        if (/auth|authenticate|authorize|requireAuth|isAuthenticated|protect|guard|middleware|session|jwt|verify|clerk|getAuth/i.test(handlerBlock)) continue;
+        const lineNum = content.substring(0, m.index).split("\n").length;
+        findings.push({
+          rule: "VC127",
+          title: insecureHTTPMethods.title,
+          severity: "high",
+          category: "Authorization",
+          file: filePath,
+          line: lineNum,
+          snippet: getSnippet(content, lineNum),
+          fix: "Add authentication middleware to DELETE, PUT, and PATCH routes. Verify the user has permission to modify the resource."
+        });
+      }
+    }
+    return findings;
+  }
+};
+var httpRequestSmuggling = {
+  id: "VC128",
+  title: "HTTP Request Smuggling Risk",
+  severity: "high",
+  category: "Configuration",
+  description: "Manually parsing Content-Length or Transfer-Encoding headers can lead to request smuggling when behind a reverse proxy.",
+  check(content, filePath) {
+    if (isTestFile(filePath)) return [];
+    if (!filePath.match(/\.(js|ts|py|rb|go|java|php)$/)) return [];
+    const findings = [];
+    const patterns = [
+      /(?:headers?\[?|getHeader\s*\(\s*)["'](?:content-length|transfer-encoding)["']\s*\]?\s*\)/gi,
+      /parseInt\s*\(\s*(?:req|request)\.headers?\[?\s*["']content-length["']/gi
+    ];
+    for (const pat of patterns) {
+      let m;
+      while ((m = pat.exec(content)) !== null) {
+        if (isCommentLine(content, m.index)) continue;
+        const lineNum = content.substring(0, m.index).split("\n").length;
+        findings.push({
+          rule: "VC128",
+          title: httpRequestSmuggling.title,
+          severity: "high",
+          category: "Configuration",
+          file: filePath,
+          line: lineNum,
+          snippet: getSnippet(content, lineNum),
+          fix: "Let your framework handle Content-Length and Transfer-Encoding headers. Do not manually parse or trust these values."
+        });
+      }
+    }
+    return findings;
+  }
+};
+var unencryptedPII = {
+  id: "VC129",
+  title: "Sensitive Data Stored Without Encryption",
+  severity: "high",
+  category: "Information Leakage",
+  description: "Database schemas storing PII (SSN, credit cards, health records) in plaintext violate compliance requirements and expose data in breaches.",
+  check(content, filePath) {
+    if (isTestFile(filePath)) return [];
+    if (!filePath.match(/\.(sql|prisma|py|ts|js|rb)$/)) return [];
+    const findings = [];
+    const schemaPatterns = [
+      /(?:column|field|Column|Field)\s*\(\s*["'](?:ssn|social_security|tax_id|credit_card|card_number|cvv|passport|driver_license|bank_account|routing_number)["']\s*,\s*(?:String|TEXT|VARCHAR|Text|text)/gi,
+      /(?:ssn|social_security|tax_id|credit_card|card_number|cvv|passport_number|driver_license|bank_account|routing_number)\s+(?:TEXT|VARCHAR|String|text|character varying)/gi
+    ];
+    for (const pat of schemaPatterns) {
+      let m;
+      while ((m = pat.exec(content)) !== null) {
+        if (isCommentLine(content, m.index)) continue;
+        const lineNum = content.substring(0, m.index).split("\n").length;
+        findings.push({
+          rule: "VC129",
+          title: unencryptedPII.title,
+          severity: "high",
+          category: "Information Leakage",
+          file: filePath,
+          line: lineNum,
+          snippet: getSnippet(content, lineNum),
+          fix: "Encrypt sensitive fields at the application level before storing. Use field-level encryption with a KMS for SSN, credit cards, and health data."
+        });
+      }
+    }
+    return findings;
+  }
+};
+var missingAuthRateLimit = {
+  id: "VC130",
+  title: "Authentication Endpoint Without Rate Limiting",
+  severity: "high",
+  category: "Authentication",
+  description: "Login, registration, and password reset endpoints without rate limiting are vulnerable to credential stuffing and brute-force attacks.",
+  check(content, filePath) {
+    if (isTestFile(filePath)) return [];
+    if (!filePath.match(/\.(js|ts|jsx|tsx|py|rb|go|java|php)$/)) return [];
+    const findings = [];
+    const authRoutePattern = /(?:app|router|server)\.(?:post|put)\s*\(\s*["'](?:\/(?:api\/)?(?:auth\/)?(?:login|signin|sign-in|register|signup|sign-up|forgot-password|reset-password))["']/gi;
+    let m;
+    while ((m = authRoutePattern.exec(content)) !== null) {
+      if (isCommentLine(content, m.index)) continue;
+      const surrounding = content.substring(Math.max(0, m.index - 300), Math.min(content.length, m.index + 300));
+      if (/rateLimit|rateLimiter|throttle|slowDown|express-rate-limit|rate_limit|RateLimiter|limiter/i.test(surrounding)) continue;
+      const lineNum = content.substring(0, m.index).split("\n").length;
+      findings.push({
+        rule: "VC130",
+        title: missingAuthRateLimit.title,
+        severity: "high",
+        category: "Authentication",
+        file: filePath,
+        line: lineNum,
+        snippet: getSnippet(content, lineNum),
+        fix: "Add rate limiting to authentication endpoints. Limit to 5-10 attempts per minute per IP. Use express-rate-limit or similar."
+      });
+    }
+    return findings;
+  }
+};
+var vulnerableDependencies = {
+  id: "VC131",
+  title: "Potentially Vulnerable Dependency",
+  severity: "high",
+  category: "Supply Chain",
+  description: "Dependencies with known security issues that are commonly found in AI-generated codebases.",
+  check(content, filePath) {
+    if (!filePath.endsWith("package.json")) return [];
+    if (/node_modules|\.next|dist|build/.test(filePath)) return [];
+    const findings = [];
+    const vulnerablePackages = [
+      [/"jsonwebtoken"\s*:\s*"[\^~]?[0-7]\./g, "jsonwebtoken < 8.x has signature bypass vulnerabilities"],
+      [/"lodash"\s*:\s*"[\^~]?[0-3]\./g, "lodash < 4.x has prototype pollution vulnerabilities"],
+      [/"minimist"\s*:\s*"[\^~]?[01]\.[01]\./g, "minimist < 1.2.6 has prototype pollution"],
+      [/"node-fetch"\s*:\s*"[\^~]?[12]\./g, "node-fetch < 3.x has data exposure issues"],
+      [/"express"\s*:\s*"[\^~]?[0-3]\./g, "express < 4.x has multiple known vulnerabilities"],
+      [/"axios"\s*:\s*"[\^~]?0\.[0-9]\./g, "axios < 0.21 has SSRF vulnerabilities"],
+      [/"tar"\s*:\s*"[\^~]?[0-5]\./g, "tar < 6.x has path traversal vulnerabilities"],
+      [/"glob-parent"\s*:\s*"[\^~]?[0-4]\./g, "glob-parent < 5.1.2 has ReDoS vulnerability"]
+    ];
+    for (const [pat, message] of vulnerablePackages) {
+      let m;
+      while ((m = pat.exec(content)) !== null) {
+        const lineNum = content.substring(0, m.index).split("\n").length;
+        findings.push({
+          rule: "VC131",
+          title: vulnerableDependencies.title,
+          severity: "high",
+          category: "Supply Chain",
+          file: filePath,
+          line: lineNum,
+          snippet: getSnippet(content, lineNum),
+          fix: `${message}. Update to the latest version and run 'npm audit' regularly.`
+        });
+      }
+    }
+    return findings;
+  }
+};
 var freeRules = [
   hardcodedSecrets,
   // VC001
@@ -3824,7 +4378,37 @@ var proRules = [
   dockerCopySensitive,
   dockerTooManyPorts,
   k8sSecretNotEncrypted,
-  k8sNoResourceLimits
+  k8sNoResourceLimits,
+  pathTraversal,
+  // VC117
+  piiInLogs,
+  // VC118
+  hardcodedOAuthSecret,
+  // VC119
+  missingOAuthState,
+  // VC120
+  unpinnedGitHubAction,
+  // VC121
+  deprecatedTLS,
+  // VC122
+  weakRSAKeySize,
+  // VC123
+  ecbModeEncryption,
+  // VC124
+  insecurePasswordReset,
+  // VC125
+  terraformStateExposed,
+  // VC126
+  insecureHTTPMethods,
+  // VC127
+  httpRequestSmuggling,
+  // VC128
+  unencryptedPII,
+  // VC129
+  missingAuthRateLimit,
+  // VC130
+  vulnerableDependencies
+  // VC131
 ];
 function runCustomRules(content, filePath, disabledRules = [], tier = "free") {
   const findings = [];
@@ -5427,10 +6011,16 @@ async function scanCommand(directory, options) {
   const config = await loadConfig(dir);
   const useAI = (options.aiAnalysis ?? config.ai ?? true) && !!process.env.ANTHROPIC_API_KEY;
   const isSilent = format !== "terminal";
+  let tier = "free";
+  let userPlan = "anonymous";
   if (isAuthenticated()) {
     const usage = await checkUsage();
+    userPlan = usage.plan;
+    if (usage.plan === "pro") {
+      tier = "pro";
+    }
     if (!usage.allowed) {
-      console.log(chalk2.red("\nDaily scan limit reached (3/3 scans used)."));
+      console.log(chalk2.red("\nDaily scan limit reached."));
       console.log(chalk2.yellow("Upgrade to Pro for unlimited scans: ") + chalk2.bold("xploitscan upgrade"));
       console.log(chalk2.gray(`Resets tomorrow. Plan: ${usage.plan}
 `));
@@ -5481,7 +6071,7 @@ async function scanCommand(directory, options) {
     fileContentsForAnalysis.push({ path: filePath, content });
     const astCtx = buildASTContext(content, filePath);
     if (astCtx.isScannerFile) continue;
-    const findings = runCustomRules(content, filePath, config.disableRules);
+    const findings = runCustomRules(content, filePath, config.disableRules, tier);
     for (const f of findings) {
       if (astCtx.isTestFile) {
         f.confidence = "low";
@@ -5621,6 +6211,15 @@ async function scanCommand(directory, options) {
       renderTerminalReport(result, fileContentsForAnalysis);
       break;
   }
+  if (tier === "free" && !isSilent) {
+    console.log("");
+    if (userPlan === "anonymous") {
+      console.log(chalk2.gray("  Scanned with 30 free rules.") + chalk2.cyan(" Log in to unlock all 131 rules \u2192") + chalk2.bold(" xploitscan auth login"));
+    } else {
+      console.log(chalk2.gray("  Scanned with 30 rules.") + chalk2.cyan(" Upgrade to Pro for all 131 rules \u2192") + chalk2.bold(" xploitscan upgrade"));
+    }
+    console.log("");
+  }
   if (isAuthenticated()) {
     await Promise.allSettled([
       incrementUsage(),
@@ -5833,7 +6432,7 @@ Open this URL in your browser to log in:`));
 var program = new Command();
 program.name("xploitscan").description(
   "AI security scanner for vibe-coded apps. Find vulnerabilities before attackers do."
-).version("0.3.0");
+).version("0.8.0");
 program.command("scan").description("Scan a directory for security vulnerabilities").argument("[directory]", "Directory to scan", ".").option("--no-ai", "Skip AI-powered analysis").option("-f, --format <format>", "Output format: terminal, json, sarif", "terminal").option("-v, --verbose", "Show detailed output", false).option("--diff [base]", "Scan only files changed vs base branch (default: main)").option("-w, --watch", "Watch for file changes and re-scan automatically", false).action(async (directory, opts) => {
   await scanCommand(directory, {
     directory,
@@ -5849,7 +6448,7 @@ auth.command("login").description("Log in to your XploitScan account").action(lo
 auth.command("logout").description("Log out of your XploitScan account").action(logoutCommand);
 auth.command("whoami").description("Show current logged-in user").action(whoamiCommand);
 program.command("upgrade").description("Upgrade to XploitScan Pro for unlimited scans").action(async () => {
-  const { getStoredToken: getStoredToken2, getCheckoutUrl } = await import("./api-QTNXZY4O.js");
+  const { getStoredToken: getStoredToken2, getCheckoutUrl } = await import("./api-Z7VNGPT2.js");
   const chalk4 = (await import("chalk")).default;
   const token = getStoredToken2();
   if (!token) {
@@ -5862,7 +6461,7 @@ program.command("upgrade").description("Upgrade to XploitScan Pro for unlimited
     console.log(chalk4.green(`
 Open this URL to upgrade:`));
     console.log(chalk4.bold.underline(url));
-    const { execFile: execFile4 } = __require("child_process");
+    const { execFile: execFile4 } = await import("child_process");
     const openCmd = process.platform === "darwin" ? "open" : process.platform === "win32" ? "start" : "xdg-open";
     execFile4(openCmd, [url], () => {
     });