xploitscan 1.0.14 → 1.0.16

package/dist/index.js

@@ -270,7 +270,18 @@ async function loadConfig(directory) {
   return config;
 }
 
-// src/scanners/custom-rules.ts
+// ../shared-rules/dist/index.js
+import Anthropic from "@anthropic-ai/sdk";
+function getSnippet2(content, line, contextLines = 2) {
+  const lines = content.split("\n");
+  const start = Math.max(0, line - 1 - contextLines);
+  const end = Math.min(lines.length, line + contextLines);
+  return lines.slice(start, end).map((l, i) => {
+    const lineNum = start + i + 1;
+    const marker = lineNum === line ? ">" : " ";
+    return `${marker} ${lineNum.toString().padStart(4)} | ${l}`;
+  }).join("\n");
+}
 var TEST_FILE_PATTERN = /(?:\.test\.|\.spec\.|__tests__|__mocks__|\.stories\.|\.story\.|\/test\/|\/tests\/|\/fixtures?\/|\/mocks?\/|\.mock\.|test-utils|testing|\.cy\.|\.e2e\.)/i;
 function isTestFile(filePath) {
   return TEST_FILE_PATTERN.test(filePath);
@@ -301,7 +312,7 @@ function findMatches(content, pattern, rule, filePath, fixTemplate) {
       category: rule.category,
       file: filePath,
       line: lineNum,
-      snippet: getSnippet(content, lineNum),
+      snippet: getSnippet2(content, lineNum),
       fix: fixTemplate?.(m)
     });
   }
@@ -378,7 +389,7 @@ var exposedEnvFile = {
       category: "Secrets",
       file: filePath,
       line: 1,
-      snippet: getSnippet(content, 1),
+      snippet: getSnippet2(content, 1),
       fix: 'Add ".env*" to your .gitignore file and remove this file from git history with: git rm --cached ' + filePath
     }];
   }
@@ -614,7 +625,7 @@ var noRateLimiting = {
       category: "Availability",
       file: filePath,
       line: 1,
-      snippet: getSnippet(content, 1),
+      snippet: getSnippet2(content, 1),
       fix: "Add rate limiting middleware to your server. For Express: npm install express-rate-limit. For other frameworks, check their rate limiting plugins."
     }];
   }
@@ -727,7 +738,7 @@ var envNotGitignored = {
       category: "Secrets",
       file: filePath,
       line: 1,
-      snippet: getSnippet(content, 1),
+      snippet: getSnippet2(content, 1),
       fix: 'Add ".env*" to your .gitignore file to prevent committing secrets.'
     }];
   }
@@ -885,7 +896,7 @@ var missingCSP = {
           category: "Configuration",
           file: filePath,
           line: 1,
-          snippet: getSnippet(content, 1),
+          snippet: getSnippet2(content, 1),
           fix: `Add a CSP meta tag: <meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self'">`
         }];
       }
@@ -1034,7 +1045,7 @@ var missingErrorBoundary = {
         category: "Configuration",
         file: filePath,
         line: 1,
-        snippet: getSnippet(content, 1),
+        snippet: getSnippet2(content, 1),
         fix: "Wrap your app in an ErrorBoundary component to catch rendering errors gracefully. Use react-error-boundary or create a class component with componentDidCatch."
       }];
     }
@@ -1179,7 +1190,7 @@ var dangerousInnerHTML = {
         category: "Injection",
         file: filePath,
         line: lineNum,
-        snippet: getSnippet(content, lineNum),
+        snippet: getSnippet2(content, lineNum),
         fix: "Sanitize HTML before using dangerouslySetInnerHTML: dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(content) }}. Install: npm install dompurify"
       });
     }
@@ -1431,7 +1442,7 @@ var consoleLogProduction = {
     for (let i = 0; i < lines.length; i++) {
       const line = lines[i].trim();
       if (/console\.log\s*\(/.test(line) && !line.startsWith("//") && !line.startsWith("*") && !/if\s*\(\s*(?:debug|process\.env)/i.test(lines[Math.max(0, i - 1)] + line)) {
-        matches.push({ rule: "VC097", title: consoleLogProduction.title, severity: "low", category: "Performance", file: filePath, line: i + 1, snippet: getSnippet(content, i + 1), fix: "Remove console.log or use a structured logger that can be disabled in production." });
+        matches.push({ rule: "VC097", title: consoleLogProduction.title, severity: "low", category: "Performance", file: filePath, line: i + 1, snippet: getSnippet2(content, i + 1), fix: "Remove console.log or use a structured logger that can be disabled in production." });
       }
     }
     return matches.slice(0, 1);
@@ -1566,6 +1577,131 @@ function runCustomRules(content, filePath, disabledRules = [], tier = "free", ex
   }
   return findings;
 }
+var REVIEW_SYSTEM_PROMPT = `You are reviewing security scan findings for false positives. Your job is to look at each finding and the surrounding code to determine if it's a REAL security vulnerability or a FALSE POSITIVE.
+
+Common false positive patterns you should catch:
+- Auth check exists inside the function body (requireUser, requireUserForApi, getSession, etc.) but the scanner only checked the function signature
+- The flagged pattern is in example/documentation/tutorial code, not production code
+- The variable is developer-controlled (constants, config values, static strings), not user input
+- The flagged function is a database method (conn.exec, db.exec, prisma.$executeRaw) not a shell command (child_process.exec)
+- The comparison is a type check (typeof x === "string") not a secret comparison
+- The file is a test, mock, or fixture file
+- The "secret" is a publishable/public key (pk_test_, NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY) designed to be client-side
+- The innerHTML/dangerouslySetInnerHTML uses a static constant or JSON.stringify, not user input
+- The redirect URL has already been validated (isAllowedRedirect, validateRedirect)
+- The webhook endpoint is for a non-Stripe service but flagged as "Stripe webhook"
+- The "sensitive data in URL" is in a comment or documentation, not actual code
+- Package-lock.json URLs flagged as secrets (they're npm registry URLs, not secrets)
+
+For each finding, respond ONLY with a JSON array. No other text.
+Each element: {"index": <number>, "verdict": "real" or "fp", "reason": "<1 sentence>"}`;
+var MAX_FINDINGS_PER_BATCH = 15;
+var MAX_CONTEXT_LINES = 10;
+var MAX_TOTAL_FINDINGS = 50;
+function getExpandedContext(content, line, contextLines = MAX_CONTEXT_LINES) {
+  const lines = content.split("\n");
+  const start = Math.max(0, line - 1 - contextLines);
+  const end = Math.min(lines.length, line + contextLines);
+  return lines.slice(start, end).map((l, i) => {
+    const lineNum = start + i + 1;
+    const marker = lineNum === line ? ">>>" : "   ";
+    return `${marker} ${lineNum} | ${l}`;
+  }).join("\n");
+}
+function buildReviewPrompt(findings, fileContent) {
+  const parts = [];
+  for (let i = 0; i < findings.length; i++) {
+    const f = findings[i];
+    const context = getExpandedContext(fileContent, f.line);
+    parts.push(`--- Finding ${i} ---
+Rule: ${f.rule} (${f.title})
+Severity: ${f.severity}
+File: ${f.file}
+Line: ${f.line}
+Description: ${f.description}
+Suggested fix: ${f.fix || "N/A"}
+
+Code context:
+${context}
+`);
+  }
+  return `Review these ${findings.length} security scan findings. For each one, determine if it's a real vulnerability or a false positive based on the code context.
+
+${parts.join("\n")}`;
+}
+function parseReviewResponse(text) {
+  try {
+    const cleaned = text.replace(/```json\n?/g, "").replace(/```\n?/g, "").trim();
+    const parsed = JSON.parse(cleaned);
+    if (!Array.isArray(parsed)) return [];
+    return parsed.filter(
+      (r) => typeof r === "object" && r !== null && "index" in r && "verdict" in r && (r.verdict === "real" || r.verdict === "fp")
+    );
+  } catch {
+    return [];
+  }
+}
+async function filterFalsePositives(findings, fileContents) {
+  const empty = { findings, filteredFindings: [], aiReviewed: false, removedCount: 0, totalBefore: findings.length };
+  if (!process.env.ANTHROPIC_API_KEY) return empty;
+  if (findings.length === 0) return empty;
+  const toReview = findings.slice(0, MAX_TOTAL_FINDINGS);
+  const overflow = findings.slice(MAX_TOTAL_FINDINGS);
+  const totalBefore = findings.length;
+  const byFile = /* @__PURE__ */ new Map();
+  for (const f of toReview) {
+    const group = byFile.get(f.file) || [];
+    group.push(f);
+    byFile.set(f.file, group);
+  }
+  let client;
+  try {
+    client = new Anthropic();
+  } catch {
+    return empty;
+  }
+  const fpMap = /* @__PURE__ */ new Map();
+  for (const [file, fileFindings] of byFile) {
+    const content = fileContents.get(file);
+    if (!content) continue;
+    for (let i = 0; i < fileFindings.length; i += MAX_FINDINGS_PER_BATCH) {
+      const batch = fileFindings.slice(i, i + MAX_FINDINGS_PER_BATCH);
+      const prompt = buildReviewPrompt(batch, content);
+      try {
+        const response = await client.messages.create({
+          model: "claude-haiku-4-5-20251001",
+          max_tokens: 1024,
+          system: REVIEW_SYSTEM_PROMPT,
+          messages: [{ role: "user", content: prompt }]
+        });
+        const text = response.content.filter((b) => b.type === "text").map((b) => b.text).join("");
+        const results = parseReviewResponse(text);
+        for (const r of results) {
+          if (r.verdict === "fp" && r.index >= 0 && r.index < batch.length) {
+            const globalIndex = toReview.indexOf(batch[r.index]);
+            if (globalIndex !== -1) {
+              fpMap.set(globalIndex, r.reason);
+            }
+          }
+        }
+      } catch {
+        continue;
+      }
+    }
+  }
+  const filtered = toReview.filter((_, i) => !fpMap.has(i));
+  const filteredFindings = [];
+  for (const [idx, reason] of fpMap) {
+    filteredFindings.push({ finding: toReview[idx], reason });
+  }
+  return {
+    findings: [...filtered, ...overflow],
+    filteredFindings,
+    aiReviewed: true,
+    removedCount: fpMap.size,
+    totalBefore
+  };
+}
 
 // src/scanners/semgrep.ts
 import { execFile } from "child_process";
@@ -1791,7 +1927,7 @@ async function runGitleaks(directory) {
 }
 
 // src/scanners/ai-analyzer.ts
-import Anthropic from "@anthropic-ai/sdk";
+import Anthropic2 from "@anthropic-ai/sdk";
 var SYSTEM_PROMPT = `You are a security auditor specializing in code generated by AI tools (Cursor, Lovable, Bolt, Replit, Claude). Your audience is non-expert developers who may not understand security jargon.
 
 Analyze the provided code for security vulnerabilities. Focus on issues that AI code generators commonly introduce:
@@ -1825,7 +1961,7 @@ Rules:
 async function analyzeWithAI(files, existingFindings) {
   const apiKey = process.env.ANTHROPIC_API_KEY;
   if (!apiKey) return [];
-  const client = new Anthropic();
+  const client = new Anthropic2();
   const existingRules = new Set(
     existingFindings.map((f) => `${f.file}:${f.line}:${f.rule}`)
   );
@@ -1916,134 +2052,6 @@ function chunkFiles(files, maxChars) {
   return chunks;
 }
 
-// src/scanners/ai-fp-filter.ts
-import Anthropic2 from "@anthropic-ai/sdk";
-var REVIEW_SYSTEM_PROMPT = `You are reviewing security scan findings for false positives. Your job is to look at each finding and the surrounding code to determine if it's a REAL security vulnerability or a FALSE POSITIVE.
-
-Common false positive patterns you should catch:
-- Auth check exists inside the function body (requireUser, requireUserForApi, getSession, etc.) but the scanner only checked the function signature
-- The flagged pattern is in example/documentation/tutorial code, not production code
-- The variable is developer-controlled (constants, config values, static strings), not user input
-- The flagged function is a database method (conn.exec, db.exec, prisma.$executeRaw) not a shell command (child_process.exec)
-- The comparison is a type check (typeof x === "string") not a secret comparison
-- The file is a test, mock, or fixture file
-- The "secret" is a publishable/public key (pk_test_, NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY) designed to be client-side
-- The innerHTML/dangerouslySetInnerHTML uses a static constant or JSON.stringify, not user input
-- The redirect URL has already been validated (isAllowedRedirect, validateRedirect)
-- The webhook endpoint is for a non-Stripe service but flagged as "Stripe webhook"
-- The "sensitive data in URL" is in a comment or documentation, not actual code
-- Package-lock.json URLs flagged as secrets (they're npm registry URLs, not secrets)
-
-For each finding, respond ONLY with a JSON array. No other text.
-Each element: {"index": <number>, "verdict": "real" or "fp", "reason": "<1 sentence>"}`;
-var MAX_FINDINGS_PER_BATCH = 15;
-var MAX_CONTEXT_LINES = 10;
-var MAX_TOTAL_FINDINGS = 50;
-function getExpandedContext(content, line, contextLines = MAX_CONTEXT_LINES) {
-  const lines = content.split("\n");
-  const start = Math.max(0, line - 1 - contextLines);
-  const end = Math.min(lines.length, line + contextLines);
-  return lines.slice(start, end).map((l, i) => {
-    const lineNum = start + i + 1;
-    const marker = lineNum === line ? ">>>" : "   ";
-    return `${marker} ${lineNum} | ${l}`;
-  }).join("\n");
-}
-function buildReviewPrompt(findings, fileContent) {
-  const parts = [];
-  for (let i = 0; i < findings.length; i++) {
-    const f = findings[i];
-    const context = getExpandedContext(fileContent, f.line);
-    parts.push(`--- Finding ${i} ---
-Rule: ${f.rule} (${f.title})
-Severity: ${f.severity}
-File: ${f.file}
-Line: ${f.line}
-Description: ${f.description}
-Suggested fix: ${f.fix || "N/A"}
-
-Code context:
-${context}
-`);
-  }
-  return `Review these ${findings.length} security scan findings. For each one, determine if it's a real vulnerability or a false positive based on the code context.
-
-${parts.join("\n")}`;
-}
-function parseReviewResponse(text) {
-  try {
-    const cleaned = text.replace(/```json\n?/g, "").replace(/```\n?/g, "").trim();
-    const parsed = JSON.parse(cleaned);
-    if (!Array.isArray(parsed)) return [];
-    return parsed.filter(
-      (r) => typeof r === "object" && r !== null && "index" in r && "verdict" in r && (r.verdict === "real" || r.verdict === "fp")
-    );
-  } catch {
-    return [];
-  }
-}
-async function filterFalsePositives(findings, fileContents) {
-  const empty = { findings, filteredFindings: [], aiReviewed: false, removedCount: 0, totalBefore: findings.length };
-  if (!process.env.ANTHROPIC_API_KEY) return empty;
-  if (findings.length === 0) return empty;
-  const toReview = findings.slice(0, MAX_TOTAL_FINDINGS);
-  const overflow = findings.slice(MAX_TOTAL_FINDINGS);
-  const totalBefore = findings.length;
-  const byFile = /* @__PURE__ */ new Map();
-  for (const f of toReview) {
-    const group = byFile.get(f.file) || [];
-    group.push(f);
-    byFile.set(f.file, group);
-  }
-  let client;
-  try {
-    client = new Anthropic2();
-  } catch {
-    return empty;
-  }
-  const fpMap = /* @__PURE__ */ new Map();
-  for (const [file, fileFindings] of byFile) {
-    const content = fileContents.get(file);
-    if (!content) continue;
-    for (let i = 0; i < fileFindings.length; i += MAX_FINDINGS_PER_BATCH) {
-      const batch = fileFindings.slice(i, i + MAX_FINDINGS_PER_BATCH);
-      const prompt = buildReviewPrompt(batch, content);
-      try {
-        const response = await client.messages.create({
-          model: "claude-haiku-4-5-20251001",
-          max_tokens: 1024,
-          system: REVIEW_SYSTEM_PROMPT,
-          messages: [{ role: "user", content: prompt }]
-        });
-        const text = response.content.filter((b) => b.type === "text").map((b) => b.text).join("");
-        const results = parseReviewResponse(text);
-        for (const r of results) {
-          if (r.verdict === "fp" && r.index >= 0 && r.index < batch.length) {
-            const globalIndex = toReview.indexOf(batch[r.index]);
-            if (globalIndex !== -1) {
-              fpMap.set(globalIndex, r.reason);
-            }
-          }
-        }
-      } catch {
-        continue;
-      }
-    }
-  }
-  const filtered = toReview.filter((_, i) => !fpMap.has(i));
-  const filteredFindings = [];
-  for (const [idx, reason] of fpMap) {
-    filteredFindings.push({ finding: toReview[idx], reason });
-  }
-  return {
-    findings: [...filtered, ...overflow],
-    filteredFindings,
-    aiReviewed: true,
-    removedCount: fpMap.size,
-    totalBefore
-  };
-}
-
 // src/scanners/ast-analyzer.ts
 function stripComments(content) {
   let result = "";
@@ -2430,7 +2438,7 @@ function compareVersions(v1, v2) {
   }
   return 0;
 }
-function getSnippet2(content, line) {
+function getSnippet3(content, line) {
   const lines = content.split("\n");
   const start = Math.max(0, line - 2);
   const end = Math.min(lines.length, line + 2);
@@ -2462,7 +2470,7 @@ function scanDependencies(files) {
                 description: vuln.description,
                 file: filePath,
                 line,
-                snippet: getSnippet2(content, line),
+                snippet: getSnippet3(content, line),
                 fix: vuln.fix,
                 category: "Dependencies",
                 source: "custom",
@@ -2495,7 +2503,7 @@ function scanDependencies(files) {
               description: vuln.description,
               file: filePath,
               line: i + 1,
-              snippet: getSnippet2(content, i + 1),
+              snippet: getSnippet3(content, i + 1),
               fix: vuln.fix,
               category: "Dependencies",
               source: "custom",
@@ -2516,7 +2524,7 @@ function scanDependencies(files) {
           description: pattern.description,
           file: filePath,
           line: 1,
-          snippet: getSnippet2(content, 1),
+          snippet: getSnippet3(content, 1),
           fix: pattern.fix,
           category: "Dependencies",
           source: "custom",
@@ -2604,7 +2612,7 @@ async function scanDependenciesOsv(files, alreadyFoundByRule) {
           description: description.slice(0, 500),
           file: lookup.file,
           line: lookup.line,
-          snippet: getSnippet2(lookup.content, lookup.line),
+          snippet: getSnippet3(lookup.content, lookup.line),
           fix: `Upgrade ${lookup.name} to a version that resolves ${vuln.id}. See https://osv.dev/vulnerability/${vuln.id}`,
           category: "Dependencies",
           source: "custom",
@@ -2677,7 +2685,7 @@ var SAFE_PATTERNS = [
 var SKIP_FILES = /\.(css|scss|less|svg|md|txt|html?|xml|yml|yaml|toml|lock|map|woff2?|ttf|eot|ico|png|jpg|gif|webp)$/i;
 var SKIP_FILENAMES = /(?:package-lock\.json|pnpm-lock\.yaml|yarn\.lock|composer\.lock|Gemfile\.lock|Cargo\.lock|poetry\.lock|Pipfile\.lock|shrinkwrap\.json)$/i;
 var SAFE_VAR_NAMES = /(?:description|message|text|label|title|content|template|html|svg|css|style|class|query|mutation|schema|regex|pattern|format|placeholder|comment|url|path|route|endpoint|href|src|alt|name|type|version|encoding|charset)/i;
-function getSnippet3(content, line) {
+function getSnippet4(content, line) {
   const lines = content.split("\n");
   const start = Math.max(0, line - 2);
   const end = Math.min(lines.length, line + 2);
@@ -2732,7 +2740,7 @@ function scanEntropy(files) {
               description: `Found a high-entropy string (${entropy.toFixed(1)} bits) that may be a hardcoded secret or API key: "${masked}"`,
               file: filePath,
               line: i + 1,
-              snippet: getSnippet3(content, i + 1),
+              snippet: getSnippet4(content, i + 1),
               fix: "If this is a secret, move it to an environment variable. If it's not a secret (e.g., hash, encoded data), add it to .xploitscanignore.",
               category: "Secrets",
               source: "custom",
@@ -2748,7 +2756,7 @@ function scanEntropy(files) {
 }
 
 // src/scanners/config-analyzer.ts
-function getSnippet4(content, line) {
+function getSnippet5(content, line) {
   const lines = content.split("\n");
   const start = Math.max(0, line - 2);
   const end = Math.min(lines.length, line + 2);
@@ -2774,10 +2782,10 @@ var CONFIG_CHECKS = [
       try {
         if (/"strict"\s*:\s*false/.test(content)) {
           const line = content.split("\n").findIndex((l) => /strict/.test(l)) + 1;
-          return { line, snippet: getSnippet4(content, line) };
+          return { line, snippet: getSnippet5(content, line) };
         }
         if (!/"strict"\s*:\s*true/.test(content) && /"compilerOptions"/.test(content)) {
-          return { line: 1, snippet: getSnippet4(content, 1) };
+          return { line: 1, snippet: getSnippet5(content, 1) };
         }
       } catch {
       }
@@ -2797,7 +2805,7 @@ var CONFIG_CHECKS = [
     check(content) {
       if (/"allowJs"\s*:\s*true/.test(content) && !/"checkJs"\s*:\s*true/.test(content)) {
         const line = content.split("\n").findIndex((l) => /allowJs/.test(l)) + 1;
-        return { line, snippet: getSnippet4(content, line) };
+        return { line, snippet: getSnippet5(content, line) };
       }
       return null;
     }
@@ -2815,7 +2823,7 @@ var CONFIG_CHECKS = [
     filePattern: /next\.config\.(js|mjs|ts)$/,
     check(content) {
       if (!/headers\s*\(/.test(content) && !/securityHeaders|security-headers/.test(content)) {
-        return { line: 1, snippet: getSnippet4(content, 1) };
+        return { line: 1, snippet: getSnippet5(content, 1) };
       }
       return null;
     }
@@ -2832,7 +2840,7 @@ var CONFIG_CHECKS = [
     filePattern: /next\.config\.(js|mjs|ts)$/,
     check(content) {
       if (!/poweredByHeader\s*:\s*false/.test(content)) {
-        return { line: 1, snippet: getSnippet4(content, 1) };
+        return { line: 1, snippet: getSnippet5(content, 1) };
       }
       return null;
     }
@@ -2852,7 +2860,7 @@ var CONFIG_CHECKS = [
       const lines = content.split("\n");
       for (let i = 0; i < lines.length; i++) {
         if (/^FROM\s+\S+:latest/i.test(lines[i].trim()) || /^FROM\s+\w+\s*$/i.test(lines[i].trim())) {
-          return { line: i + 1, snippet: getSnippet4(content, i + 1) };
+          return { line: i + 1, snippet: getSnippet5(content, i + 1) };
         }
       }
       return null;
@@ -2871,7 +2879,7 @@ var CONFIG_CHECKS = [
     check(content) {
       const fromCount = (content.match(/^FROM\s/gmi) || []).length;
       if (fromCount <= 1 && content.includes("npm") && content.length > 200) {
-        return { line: 1, snippet: getSnippet4(content, 1) };
+        return { line: 1, snippet: getSnippet5(content, 1) };
       }
       return null;
     }
@@ -2890,7 +2898,7 @@ var CONFIG_CHECKS = [
       const lines = content.split("\n");
       for (let i = 0; i < lines.length; i++) {
         if (/^COPY\s.*\.env\b/i.test(lines[i].trim())) {
-          return { line: i + 1, snippet: getSnippet4(content, i + 1) };
+          return { line: i + 1, snippet: getSnippet5(content, i + 1) };
         }
       }
       return null;
@@ -2911,7 +2919,7 @@ var CONFIG_CHECKS = [
       const lines = content.split("\n");
       for (let i = 0; i < lines.length; i++) {
         if (/permissions\s*:\s*write-all/i.test(lines[i])) {
-          return { line: i + 1, snippet: getSnippet4(content, i + 1) };
+          return { line: i + 1, snippet: getSnippet5(content, i + 1) };
         }
       }
       return null;
@@ -2931,7 +2939,7 @@ var CONFIG_CHECKS = [
       const lines = content.split("\n");
       for (let i = 0; i < lines.length; i++) {
         if (/uses:\s*\S+@(?:main|master|dev|latest)\s*$/i.test(lines[i])) {
-          return { line: i + 1, snippet: getSnippet4(content, i + 1) };
+          return { line: i + 1, snippet: getSnippet5(content, i + 1) };
         }
       }
       return null;
@@ -2952,7 +2960,7 @@ var CONFIG_CHECKS = [
       const lines = content.split("\n");
       for (let i = 0; i < lines.length; i++) {
         if (/host\s*:\s*true/.test(lines[i]) || /host\s*:\s*['"]0\.0\.0\.0['"]/.test(lines[i])) {
-          return { line: i + 1, snippet: getSnippet4(content, i + 1) };
+          return { line: i + 1, snippet: getSnippet5(content, i + 1) };
         }
       }
       return null;
@@ -2973,7 +2981,7 @@ var CONFIG_CHECKS = [
       const lines = content.split("\n");
       for (let i = 0; i < lines.length; i++) {
         if (/_authToken|_auth=|\/\/registry.*:_password/.test(lines[i])) {
-          return { line: i + 1, snippet: getSnippet4(content, i + 1) };
+          return { line: i + 1, snippet: getSnippet5(content, i + 1) };
         }
       }
       return null;
@@ -2994,7 +3002,7 @@ var CONFIG_CHECKS = [
       const lines = content.split("\n");
       for (let i = 0; i < lines.length; i++) {
         if (/no-eval|no-implied-eval|no-new-func|no-script-url|security\/detect/i.test(lines[i]) && /["']off["']|:\s*0/.test(lines[i])) {
-          return { line: i + 1, snippet: getSnippet4(content, i + 1) };
+          return { line: i + 1, snippet: getSnippet5(content, i + 1) };
         }
       }
       return null;
@@ -3030,7 +3038,7 @@ function scanConfigs(files) {
 }
 
 // src/scanners/multi-file-analyzer.ts
-function getSnippet5(content, line) {
+function getSnippet6(content, line) {
   const lines = content.split("\n");
   const start = Math.max(0, line - 2);
   const end = Math.min(lines.length, line + 2);
@@ -3071,7 +3079,7 @@ function scanMultiFile(files) {
           description: "This API route file has no authentication checks and no auth middleware was detected in the project.",
           file: f.path,
           line,
-          snippet: getSnippet5(f.content, line),
+          snippet: getSnippet6(f.content, line),
           fix: "Add authentication middleware or import your auth module. If using Next.js, create middleware.ts in your app root.",
           category: "Authentication",
           source: "custom",
@@ -3093,7 +3101,7 @@ function scanMultiFile(files) {
         description: "An .env file exists in the project but .gitignore doesn't exclude it. Secrets may be committed.",
         file: ".gitignore",
         line: 1,
-        snippet: getSnippet5(gitignore.content, 1),
+        snippet: getSnippet6(gitignore.content, 1),
         fix: "Add .env to .gitignore: echo '.env' >> .gitignore",
         category: "Secrets",
         source: "custom",
@@ -3117,7 +3125,7 @@ function scanMultiFile(files) {
           description: "Creating a new PrismaClient on every request leaks database connections. Use a singleton pattern.",
           file: f.path,
           line,
-          snippet: getSnippet5(f.content, line),
+          snippet: getSnippet6(f.content, line),
           fix: "Use singleton: globalThis.prisma = globalThis.prisma || new PrismaClient(). This prevents connection exhaustion in serverless.",
           category: "Configuration",
           source: "custom",
@@ -3142,7 +3150,7 @@ function scanMultiFile(files) {
           description: "CORS origin is hardcoded to localhost. This will block requests from your production frontend.",
           file: f.path,
           line,
-          snippet: getSnippet5(f.content, line),
+          snippet: getSnippet6(f.content, line),
           fix: "Use environment variable: origin: process.env.FRONTEND_URL || 'http://localhost:3000'",
           category: "Configuration",
           source: "custom",
@@ -3178,7 +3186,7 @@ function scanMultiFile(files) {
         description: `These environment variables are used in code but missing from .env.example: ${undocumented.slice(0, 5).join(", ")}${undocumented.length > 5 ? ` (+${undocumented.length - 5} more)` : ""}`,
         file: envExample.path,
         line: 1,
-        snippet: getSnippet5(envExample.content, 1),
+        snippet: getSnippet6(envExample.content, 1),
         fix: "Add missing variables to .env.example so team members know which env vars are needed.",
         category: "Configuration",
         source: "custom",
@@ -3201,7 +3209,7 @@ function scanMultiFile(files) {
         description: `Fetching from ${m[1].substring(0, 40)}... over HTTP exposes data to interception.`,
         file: f.path,
         line,
-        snippet: getSnippet5(f.content, line),
+        snippet: getSnippet6(f.content, line),
         fix: "Use HTTPS for all API calls in production.",
         category: "Configuration",
         source: "custom",