xploitscan 1.0.16 → 1.0.17

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 VibeCheck
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/dist/index.js

@@ -1702,6 +1702,161 @@ async function filterFalsePositives(findings, fileContents) {
     totalBefore
   };
 }
+function shannonEntropy(str) {
+  const freq = {};
+  for (const ch of str) {
+    freq[ch] = (freq[ch] || 0) + 1;
+  }
+  const len = str.length;
+  let entropy = 0;
+  for (const count of Object.values(freq)) {
+    const p = count / len;
+    entropy -= p * Math.log2(p);
+  }
+  return entropy;
+}
+var SAFE_PATTERNS = [
+  // UUIDs (v1-v5)
+  /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i,
+  // Git commit hashes (long and short)
+  /^[0-9a-f]{40}$/i,
+  /^[0-9a-f]{7,8}$/i,
+  // Hex colors
+  /^#?[0-9a-fA-F]{3,8}$/,
+  // Small base64 (< 20 chars can't be a real key anyway)
+  /^[A-Za-z0-9+/]{1,19}={0,2}$/,
+  // Package versions
+  /^\d+\.\d+\.\d+/,
+  // Integrity-hash prefix (sha256-, sha512-, ...)
+  /^sha\d+-/i,
+  // URLs without credentials in them
+  /^https?:\/\/[^:@]*$/,
+  /^https?:\/\/registry\.npmjs\.org\//,
+  /^https?:\/\/registry\.yarnpkg\.com\//,
+  // Full package integrity hash (sha512-[base64]=)
+  /^sha\d+-[A-Za-z0-9+/=]+$/,
+  // Package tarball URLs
+  /\.tgz$/,
+  /registry.*\/-\/.*\.tgz$/,
+  // ISO dates / times
+  /^\d{4}-\d{2}-\d{2}/,
+  // Locale tags
+  /^[a-z]{2}-[A-Z]{2}$/,
+  // Text encodings
+  /^utf-?8|ascii|latin|iso-8859/i,
+  // MIME types
+  /^(?:application|text|image|audio|video)\//,
+  // CSS keyword values
+  /^(?:inherit|none|auto|block|flex|grid|absolute|relative|fixed|px|em|rem|%)/,
+  // Developer-placeholder tokens
+  /^(?:test|example|sample|demo|placeholder|temp|tmp|foo|bar|baz|lorem|ipsum)/i,
+  // XML / DTD markers
+  /DTD|DOCTYPE|w3\.org|apple\.com\/DTDs/i,
+  /xmlns|schema|xsd|xsi/i,
+  // NEW — added in Wave 3.2 for context-aware FP reduction
+  // ──────────────────────────────────────────────────────
+  // Tailwind JIT / CSS-in-JS class-name fingerprints, e.g. "css-2kx3yr8",
+  // "tw-abc12def", "jss-1a2b3c4d". Typically prefix + 6-12 hex-ish chars.
+  /^(?:css|tw|jss|emotion|styled|mui|chakra)-[a-z0-9]{4,14}$/i,
+  // SVG path data — starts with a path command letter followed by coords.
+  // These can get very long and high-entropy but are never secrets.
+  /^[MmLlHhVvCcSsQqTtAaZz][\d.,\s\-MmLlHhVvCcSsQqTtAaZz]{10,}$/,
+  // Next.js / Vite / webpack content-addressed asset filenames, e.g.
+  // "main.4e5f6a78.js", "chunk-2a3b.js", "_next/static/chunks/pages-xyz".
+  /\.[0-9a-f]{6,16}\.(?:js|css|mjs|woff2?|ttf|png|jpg|svg)(?:\?.*)?$/i,
+  /^_next\//,
+  // Publishable / client-side keys from common vendors. Flagged by their
+  // own service-specific rules if they look wrong, but entropy should NOT
+  // double-flag these. They are designed to ship to the browser.
+  /^pk_(?:live|test|[a-z0-9]+)_/,
+  // Stripe / Clerk publishable
+  /^NEXT_PUBLIC_|^VITE_|^REACT_APP_/,
+  // Build-time public env vars
+  /^pub_/,
+  // Segment etc.
+  /^ey[A-Za-z0-9_-]+\.ey[A-Za-z0-9_-]+\./,
+  // JWT header.payload prefix — don't flag solely on entropy
+  // Content-Security-Policy hashes / nonces in HTML/JSON
+  /^'sha\d+-/,
+  /^nonce-/i,
+  // Embedded data URIs
+  /^data:[a-z]+\//i
+];
+var SKIP_FILES = /\.(css|scss|less|svg|md|txt|html?|xml|yml|yaml|toml|lock|map|woff2?|ttf|eot|ico|png|jpg|gif|webp)$/i;
+var SKIP_FILENAMES = /(?:package-lock\.json|pnpm-lock\.yaml|yarn\.lock|composer\.lock|Gemfile\.lock|Cargo\.lock|poetry\.lock|Pipfile\.lock|shrinkwrap\.json)$/i;
+var SAFE_VAR_NAMES = /(?:description|message|text|label|title|content|template|html|svg|css|style|class(?:Name)?|query|mutation|schema|regex|pattern|format|placeholder|comment|url|path|route|endpoint|href|src|alt|name|type|version|encoding|charset|locale|translation|copy|prose|markdown|slug|handle)/i;
+var HASH_LIKE_VAR_NAMES = /(?:^|[^a-z])(?:hash|digest|checksum|fingerprint|etag|crc|md5|sha1|sha256|sha512|contenthash|buildid|revision|commit|sri|integrity|cacheKey|fileHash|assetId|versionId)(?:$|[^a-z])/i;
+var HASH_PREFIX_RE = /^(?:sha\d+|md5|crc32|base64|bcrypt|argon2|pbkdf2|blake2b?)[:_]/i;
+var SECRET_VAR_NAMES = /(?:^|[^a-z])(?:key|secret|token|password|passwd|pwd|api[_-]?key|auth|credential|private|signing|bearer|access[_-]?token|refresh[_-]?token|session[_-]?id)(?:$|[^a-z])/i;
+function getSnippet22(content, line) {
+  const lines = content.split("\n");
+  const start = Math.max(0, line - 2);
+  const end = Math.min(lines.length, line + 2);
+  return lines.slice(start, end).map((l, i) => {
+    const lineNum = start + i + 1;
+    const prefix = lineNum === line ? ">" : " ";
+    return `${prefix} ${String(lineNum).padStart(5)} | ${l}`;
+  }).join("\n");
+}
+function scanEntropy(files) {
+  const findings = [];
+  for (const { path: filePath, content } of files) {
+    if (SKIP_FILES.test(filePath)) continue;
+    if (SKIP_FILENAMES.test(filePath)) continue;
+    const basename = filePath.split("/").pop() || "";
+    if (SKIP_FILENAMES.test(basename)) continue;
+    if (filePath.includes("node_modules")) continue;
+    if (filePath.includes(".min.")) continue;
+    if (/pro-rules-bundle|\.bundle\.|\.chunk\./i.test(filePath)) continue;
+    if (/(?:\.test\.|\.spec\.|__tests__|__mocks__|fixtures?\/)/i.test(filePath)) continue;
+    const lines = content.split("\n");
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i];
+      const trimmed = line.trimStart();
+      if (trimmed.startsWith("//") || trimmed.startsWith("#") || trimmed.startsWith("*") || trimmed.startsWith("/*")) continue;
+      const stringPattern = /(?:[:=]\s*)(["'`])([^"'`\n]{20,120})\1/g;
+      let match;
+      while ((match = stringPattern.exec(line)) !== null) {
+        const value = match[2];
+        if (SAFE_PATTERNS.some((p) => p.test(value))) continue;
+        if (HASH_PREFIX_RE.test(value)) continue;
+        const beforeAssign = line.substring(0, match.index);
+        if (SAFE_VAR_NAMES.test(beforeAssign)) continue;
+        if (/^https?:\/\/[^:@]*$/.test(value)) continue;
+        if ((value.match(/\s/g) || []).length > 2) continue;
+        const isHex = /^[0-9a-fA-F]+$/.test(value);
+        const isBase64 = /^[A-Za-z0-9+/]+=*$/.test(value);
+        let threshold = 4;
+        if (isHex) threshold = 3;
+        else if (isBase64) threshold = 4.5;
+        if (value.length < 20) continue;
+        const entropy = shannonEntropy(value);
+        if (entropy < threshold) continue;
+        const varName = beforeAssign.match(/(\w+)\s*[:=]\s*$/)?.[1] || "";
+        if (HASH_LIKE_VAR_NAMES.test(varName) && (isHex || isBase64)) continue;
+        const isLikelySecret = SECRET_VAR_NAMES.test(varName);
+        if (entropy < 4.5 && !isLikelySecret) continue;
+        const masked = value.substring(0, 6) + "..." + value.substring(value.length - 4);
+        findings.push({
+          id: `ENTROPY-${filePath}:${i + 1}`,
+          rule: "ENTROPY",
+          severity: isLikelySecret ? "critical" : "high",
+          title: "High-Entropy String Detected (Possible Secret)",
+          description: `Found a high-entropy string (${entropy.toFixed(1)} bits) that may be a hardcoded secret or API key: "${masked}"`,
+          file: filePath,
+          line: i + 1,
+          snippet: getSnippet22(content, i + 1),
+          fix: "If this is a secret, move it to an environment variable. If it's not a secret (e.g., hash, encoded data), add it to .xploitscanignore.",
+          category: "Secrets",
+          source: "custom",
+          owasp: "A02:2021",
+          cwe: "CWE-798"
+        });
+      }
+    }
+  }
+  return findings;
+}
 
 // src/scanners/semgrep.ts
 import { execFile } from "child_process";
@@ -2625,138 +2780,8 @@ async function scanDependenciesOsv(files, alreadyFoundByRule) {
   return findings;
 }
 
-// src/scanners/entropy-scanner.ts
-function shannonEntropy(str) {
-  const freq = {};
-  for (const ch of str) {
-    freq[ch] = (freq[ch] || 0) + 1;
-  }
-  const len = str.length;
-  let entropy = 0;
-  for (const count of Object.values(freq)) {
-    const p = count / len;
-    entropy -= p * Math.log2(p);
-  }
-  return entropy;
-}
-var SAFE_PATTERNS = [
-  // UUIDs
-  /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i,
-  // Git commit hashes
-  /^[0-9a-f]{40}$/i,
-  // Short git hashes
-  /^[0-9a-f]{7,8}$/i,
-  // Hex colors
-  /^#?[0-9a-fA-F]{3,8}$/,
-  // Base64 encoded small data (< 20 chars)
-  /^[A-Za-z0-9+/]{1,19}={0,2}$/,
-  // Package versions
-  /^\d+\.\d+\.\d+/,
-  // File hashes (integrity)
-  /^sha\d+-/i,
-  // URLs without credentials
-  /^https?:\/\/[^:@]*$/,
-  // Date/time strings
-  /^\d{4}-\d{2}-\d{2}/,
-  // Locale strings
-  /^[a-z]{2}-[A-Z]{2}$/,
-  // Common encodings
-  /^utf-?8|ascii|latin|iso-8859/i,
-  // MIME types
-  /^(?:application|text|image|audio|video)\//,
-  // CSS/HTML values
-  /^(?:inherit|none|auto|block|flex|grid|absolute|relative|fixed|px|em|rem|%)/,
-  // Common placeholder/test values
-  /^(?:test|example|sample|demo|placeholder|temp|tmp|foo|bar|baz|lorem|ipsum)/i,
-  // DOCTYPE/DTD URLs
-  /DTD|DOCTYPE|w3\.org|apple\.com\/DTDs/i,
-  // XML namespaces
-  /xmlns|schema|xsd|xsi/i,
-  // npm/package registry URLs
-  /^https?:\/\/registry\.npmjs\.org\//,
-  /^https?:\/\/registry\.yarnpkg\.com\//,
-  // Package integrity hashes (sha512-..., sha256-...)
-  /^sha\d+-[A-Za-z0-9+/=]+$/,
-  // Resolved package URLs (.tgz)
-  /\.tgz$/,
-  // npm resolved URLs (any registry URL with package tarball)
-  /registry.*\/-\/.*\.tgz$/
-];
-var SKIP_FILES = /\.(css|scss|less|svg|md|txt|html?|xml|yml|yaml|toml|lock|map|woff2?|ttf|eot|ico|png|jpg|gif|webp)$/i;
-var SKIP_FILENAMES = /(?:package-lock\.json|pnpm-lock\.yaml|yarn\.lock|composer\.lock|Gemfile\.lock|Cargo\.lock|poetry\.lock|Pipfile\.lock|shrinkwrap\.json)$/i;
-var SAFE_VAR_NAMES = /(?:description|message|text|label|title|content|template|html|svg|css|style|class|query|mutation|schema|regex|pattern|format|placeholder|comment|url|path|route|endpoint|href|src|alt|name|type|version|encoding|charset)/i;
-function getSnippet4(content, line) {
-  const lines = content.split("\n");
-  const start = Math.max(0, line - 2);
-  const end = Math.min(lines.length, line + 2);
-  return lines.slice(start, end).map((l, i) => {
-    const lineNum = start + i + 1;
-    const prefix = lineNum === line ? ">" : " ";
-    return `${prefix} ${String(lineNum).padStart(5)} | ${l}`;
-  }).join("\n");
-}
-function scanEntropy(files) {
-  const findings = [];
-  for (const { path: filePath, content } of files) {
-    if (SKIP_FILES.test(filePath)) continue;
-    if (SKIP_FILENAMES.test(filePath)) continue;
-    const basename = filePath.split("/").pop() || "";
-    if (SKIP_FILENAMES.test(basename)) continue;
-    if (filePath.includes("node_modules")) continue;
-    if (filePath.includes(".min.")) continue;
-    if (/pro-rules-bundle|\.bundle\.|\.chunk\./i.test(filePath)) continue;
-    if (/(?:\.test\.|\.spec\.|__tests__|__mocks__|fixtures?\/)/i.test(filePath)) continue;
-    const lines = content.split("\n");
-    for (let i = 0; i < lines.length; i++) {
-      const line = lines[i];
-      const trimmed = line.trimStart();
-      if (trimmed.startsWith("//") || trimmed.startsWith("#") || trimmed.startsWith("*") || trimmed.startsWith("/*")) continue;
-      const stringPattern = /(?:[:=]\s*)(["'`])([^"'`\n]{20,120})\1/g;
-      let match;
-      while ((match = stringPattern.exec(line)) !== null) {
-        const value = match[2];
-        if (SAFE_PATTERNS.some((p) => p.test(value))) continue;
-        const beforeAssign = line.substring(0, match.index);
-        if (SAFE_VAR_NAMES.test(beforeAssign)) continue;
-        if (/^https?:\/\/[^:@]*$/.test(value)) continue;
-        if ((value.match(/\s/g) || []).length > 2) continue;
-        const entropy = shannonEntropy(value);
-        const isHex = /^[0-9a-fA-F]+$/.test(value);
-        const isBase64 = /^[A-Za-z0-9+/]+=*$/.test(value);
-        let threshold = 4;
-        if (isHex) threshold = 3;
-        else if (isBase64) threshold = 4.5;
-        if (value.length < 20) continue;
-        if (entropy >= threshold) {
-          const varName = beforeAssign.match(/(\w+)\s*[:=]\s*$/)?.[1] || "";
-          const isLikelySecret = /(?:key|secret|token|password|passwd|pwd|api_?key|auth|credential|private|signing)/i.test(varName);
-          if (entropy >= 4.5 || isLikelySecret) {
-            const masked = value.substring(0, 6) + "..." + value.substring(value.length - 4);
-            findings.push({
-              id: `ENTROPY-${filePath}:${i + 1}`,
-              rule: "ENTROPY",
-              severity: isLikelySecret ? "critical" : "high",
-              title: "High-Entropy String Detected (Possible Secret)",
-              description: `Found a high-entropy string (${entropy.toFixed(1)} bits) that may be a hardcoded secret or API key: "${masked}"`,
-              file: filePath,
-              line: i + 1,
-              snippet: getSnippet4(content, i + 1),
-              fix: "If this is a secret, move it to an environment variable. If it's not a secret (e.g., hash, encoded data), add it to .xploitscanignore.",
-              category: "Secrets",
-              source: "custom",
-              owasp: "A02:2021",
-              cwe: "CWE-798"
-            });
-          }
-        }
-      }
-    }
-  }
-  return findings;
-}
-
 // src/scanners/config-analyzer.ts
-function getSnippet5(content, line) {
+function getSnippet4(content, line) {
   const lines = content.split("\n");
   const start = Math.max(0, line - 2);
   const end = Math.min(lines.length, line + 2);
@@ -2782,10 +2807,10 @@ var CONFIG_CHECKS = [
       try {
         if (/"strict"\s*:\s*false/.test(content)) {
           const line = content.split("\n").findIndex((l) => /strict/.test(l)) + 1;
-          return { line, snippet: getSnippet5(content, line) };
+          return { line, snippet: getSnippet4(content, line) };
         }
         if (!/"strict"\s*:\s*true/.test(content) && /"compilerOptions"/.test(content)) {
-          return { line: 1, snippet: getSnippet5(content, 1) };
+          return { line: 1, snippet: getSnippet4(content, 1) };
         }
       } catch {
       }
@@ -2805,7 +2830,7 @@ var CONFIG_CHECKS = [
     check(content) {
       if (/"allowJs"\s*:\s*true/.test(content) && !/"checkJs"\s*:\s*true/.test(content)) {
         const line = content.split("\n").findIndex((l) => /allowJs/.test(l)) + 1;
-        return { line, snippet: getSnippet5(content, line) };
+        return { line, snippet: getSnippet4(content, line) };
       }
       return null;
     }
@@ -2823,7 +2848,7 @@ var CONFIG_CHECKS = [
     filePattern: /next\.config\.(js|mjs|ts)$/,
     check(content) {
       if (!/headers\s*\(/.test(content) && !/securityHeaders|security-headers/.test(content)) {
-        return { line: 1, snippet: getSnippet5(content, 1) };
+        return { line: 1, snippet: getSnippet4(content, 1) };
       }
       return null;
     }
@@ -2840,7 +2865,7 @@ var CONFIG_CHECKS = [
     filePattern: /next\.config\.(js|mjs|ts)$/,
     check(content) {
       if (!/poweredByHeader\s*:\s*false/.test(content)) {
-        return { line: 1, snippet: getSnippet5(content, 1) };
+        return { line: 1, snippet: getSnippet4(content, 1) };
       }
       return null;
     }
@@ -2860,7 +2885,7 @@ var CONFIG_CHECKS = [
       const lines = content.split("\n");
       for (let i = 0; i < lines.length; i++) {
         if (/^FROM\s+\S+:latest/i.test(lines[i].trim()) || /^FROM\s+\w+\s*$/i.test(lines[i].trim())) {
-          return { line: i + 1, snippet: getSnippet5(content, i + 1) };
+          return { line: i + 1, snippet: getSnippet4(content, i + 1) };
         }
       }
       return null;
@@ -2879,7 +2904,7 @@ var CONFIG_CHECKS = [
     check(content) {
       const fromCount = (content.match(/^FROM\s/gmi) || []).length;
       if (fromCount <= 1 && content.includes("npm") && content.length > 200) {
-        return { line: 1, snippet: getSnippet5(content, 1) };
+        return { line: 1, snippet: getSnippet4(content, 1) };
       }
       return null;
     }
@@ -2898,7 +2923,7 @@ var CONFIG_CHECKS = [
       const lines = content.split("\n");
       for (let i = 0; i < lines.length; i++) {
         if (/^COPY\s.*\.env\b/i.test(lines[i].trim())) {
-          return { line: i + 1, snippet: getSnippet5(content, i + 1) };
+          return { line: i + 1, snippet: getSnippet4(content, i + 1) };
         }
       }
       return null;
@@ -2919,7 +2944,7 @@ var CONFIG_CHECKS = [
       const lines = content.split("\n");
       for (let i = 0; i < lines.length; i++) {
         if (/permissions\s*:\s*write-all/i.test(lines[i])) {
-          return { line: i + 1, snippet: getSnippet5(content, i + 1) };
+          return { line: i + 1, snippet: getSnippet4(content, i + 1) };
         }
       }
       return null;
@@ -2939,7 +2964,7 @@ var CONFIG_CHECKS = [
       const lines = content.split("\n");
       for (let i = 0; i < lines.length; i++) {
         if (/uses:\s*\S+@(?:main|master|dev|latest)\s*$/i.test(lines[i])) {
-          return { line: i + 1, snippet: getSnippet5(content, i + 1) };
+          return { line: i + 1, snippet: getSnippet4(content, i + 1) };
         }
       }
       return null;
@@ -2960,7 +2985,7 @@ var CONFIG_CHECKS = [
       const lines = content.split("\n");
       for (let i = 0; i < lines.length; i++) {
         if (/host\s*:\s*true/.test(lines[i]) || /host\s*:\s*['"]0\.0\.0\.0['"]/.test(lines[i])) {
-          return { line: i + 1, snippet: getSnippet5(content, i + 1) };
+          return { line: i + 1, snippet: getSnippet4(content, i + 1) };
         }
       }
       return null;
@@ -2981,7 +3006,7 @@ var CONFIG_CHECKS = [
       const lines = content.split("\n");
       for (let i = 0; i < lines.length; i++) {
         if (/_authToken|_auth=|\/\/registry.*:_password/.test(lines[i])) {
-          return { line: i + 1, snippet: getSnippet5(content, i + 1) };
+          return { line: i + 1, snippet: getSnippet4(content, i + 1) };
         }
       }
       return null;
@@ -3002,7 +3027,7 @@ var CONFIG_CHECKS = [
       const lines = content.split("\n");
       for (let i = 0; i < lines.length; i++) {
         if (/no-eval|no-implied-eval|no-new-func|no-script-url|security\/detect/i.test(lines[i]) && /["']off["']|:\s*0/.test(lines[i])) {
-          return { line: i + 1, snippet: getSnippet5(content, i + 1) };
+          return { line: i + 1, snippet: getSnippet4(content, i + 1) };
         }
       }
       return null;
@@ -3038,7 +3063,7 @@ function scanConfigs(files) {
 }
 
 // src/scanners/multi-file-analyzer.ts
-function getSnippet6(content, line) {
+function getSnippet5(content, line) {
   const lines = content.split("\n");
   const start = Math.max(0, line - 2);
   const end = Math.min(lines.length, line + 2);
@@ -3079,7 +3104,7 @@ function scanMultiFile(files) {
           description: "This API route file has no authentication checks and no auth middleware was detected in the project.",
           file: f.path,
           line,
-          snippet: getSnippet6(f.content, line),
+          snippet: getSnippet5(f.content, line),
           fix: "Add authentication middleware or import your auth module. If using Next.js, create middleware.ts in your app root.",
           category: "Authentication",
           source: "custom",
@@ -3101,7 +3126,7 @@ function scanMultiFile(files) {
         description: "An .env file exists in the project but .gitignore doesn't exclude it. Secrets may be committed.",
         file: ".gitignore",
         line: 1,
-        snippet: getSnippet6(gitignore.content, 1),
+        snippet: getSnippet5(gitignore.content, 1),
         fix: "Add .env to .gitignore: echo '.env' >> .gitignore",
         category: "Secrets",
         source: "custom",
@@ -3125,7 +3150,7 @@ function scanMultiFile(files) {
           description: "Creating a new PrismaClient on every request leaks database connections. Use a singleton pattern.",
           file: f.path,
           line,
-          snippet: getSnippet6(f.content, line),
+          snippet: getSnippet5(f.content, line),
           fix: "Use singleton: globalThis.prisma = globalThis.prisma || new PrismaClient(). This prevents connection exhaustion in serverless.",
           category: "Configuration",
           source: "custom",
@@ -3150,7 +3175,7 @@ function scanMultiFile(files) {
           description: "CORS origin is hardcoded to localhost. This will block requests from your production frontend.",
           file: f.path,
           line,
-          snippet: getSnippet6(f.content, line),
+          snippet: getSnippet5(f.content, line),
           fix: "Use environment variable: origin: process.env.FRONTEND_URL || 'http://localhost:3000'",
           category: "Configuration",
           source: "custom",
@@ -3186,7 +3211,7 @@ function scanMultiFile(files) {
         description: `These environment variables are used in code but missing from .env.example: ${undocumented.slice(0, 5).join(", ")}${undocumented.length > 5 ? ` (+${undocumented.length - 5} more)` : ""}`,
         file: envExample.path,
         line: 1,
-        snippet: getSnippet6(envExample.content, 1),
+        snippet: getSnippet5(envExample.content, 1),
         fix: "Add missing variables to .env.example so team members know which env vars are needed.",
         category: "Configuration",
         source: "custom",
@@ -3209,7 +3234,7 @@ function scanMultiFile(files) {
         description: `Fetching from ${m[1].substring(0, 40)}... over HTTP exposes data to interception.`,
         file: f.path,
         line,
-        snippet: getSnippet6(f.content, line),
+        snippet: getSnippet5(f.content, line),
         fix: "Use HTTPS for all API calls in production.",
         category: "Configuration",
         source: "custom",