xploitscan 1.0.7 → 1.0.9

package/README.md

@@ -5,7 +5,7 @@
 
 **Security scanner for AI-generated code.** Find vulnerabilities before attackers do.
 
-Built for developers shipping code via Cursor, Lovable, Bolt, Replit, and Claude Code. 131 security rules. Plain-English results. Copy-paste fixes.
+Built for developers shipping code via Cursor, Lovable, Bolt, Replit, and Claude Code. 151 security rules. Plain-English results. Copy-paste fixes.
 
 ## Quick Start
 
@@ -17,7 +17,7 @@ No install, no config, no account required. Your code stays 100% local.
 
 ## What It Catches
 
-131 rules across 15+ categories:
+151 rules across 15+ categories:
 
 | Category | Examples | Rules |
 |----------|---------|-------|
@@ -130,7 +130,7 @@ Scan via the web at [xploitscan.com](https://xploitscan.com):
 - SOC2/ISO27001 compliance mapping
 - Slack and Discord webhook notifications
 
-**Free**: 5 scans/day, 30 core rules. **Pro** ($29/mo): unlimited scans, all 131 rules, and all dashboard features. **Team** ($99/mo): everything in Pro plus 5 seats, shared scan history, RBAC, and portfolio reports. Annual plans save 20%.
+**Free**: 5 scans/day, 30 core rules. **Pro** ($29/mo): unlimited scans, all 151 rules, and all dashboard features. **Team** ($99/mo): everything in Pro plus 5 seats, shared scan history, RBAC, and portfolio reports. Annual plans save 20%.
 
 ## Supported Languages
 

package/dist/index.js

@@ -335,15 +335,20 @@ var hardcodedSecrets = {
       // Database URLs with credentials
       /(?:postgres|mysql|mongodb(?:\+srv)?):\/\/[^:]+:[^@]+@[^/\s"'`]+/gi
     ];
+    const fixMessages = [
+      "Move this API key to an environment variable. If this key has been committed, rotate it immediately \u2014 it may have already been scraped by bots.",
+      "AWS access key detected \u2014 may grant full account access (EC2, S3, IAM, billing). Rotate immediately in AWS Console \u2192 IAM \u2192 Security Credentials. Use IAM roles or environment variables instead.",
+      "Stripe key detected. sk_live_ keys can process real charges, issue refunds, and access customer payment data. sk_test_ keys are lower risk but should still not be committed. Rotate in Stripe Dashboard \u2192 Developers \u2192 API Keys.",
+      "Supabase key detected. Service role keys bypass Row Level Security and grant full database read/write access. Move to a server-side environment variable immediately.",
+      "OpenAI API key detected \u2014 grants full API access and can incur charges. Rotate at platform.openai.com \u2192 API Keys.",
+      "Hardcoded token or password detected. Move to an environment variable and rotate the credential if it has been committed to version control.",
+      "Private key found in source code. If this has been committed to version control, consider the key compromised \u2014 generate a new key pair and revoke the old one.",
+      "Database credentials in connection string. An attacker with this URL has full database access. Move to an environment variable, restrict network access, and rotate the password."
+    ];
     const matches = [];
-    for (const pattern of patterns) {
-      const rawMatches = findMatches(
-        content,
-        pattern,
-        hardcodedSecrets,
-        filePath,
-        () => "Move this secret to an environment variable and add it to .env (not committed to git). Use .env.example to document the required variables."
-      );
+    for (let pi = 0; pi < patterns.length; pi++) {
+      const pattern = patterns[pi];
+      const rawMatches = findMatches(content, pattern, hardcodedSecrets, filePath, () => fixMessages[pi]);
       for (const rm3 of rawMatches) {
         const lineText = content.split("\n")[rm3.line - 1] || "";
         const trimmed = lineText.trimStart();
@@ -393,7 +398,12 @@ var missingAuthMiddleware = {
       // Next.js API routes
       /export\s+(?:async\s+)?function\s+(?:GET|POST|PUT|PATCH|DELETE)\s*\(/gi
     ];
-    if (filePath.includes("test") || filePath.includes("spec") || filePath.includes("mock")) return [];
+    if (isTestFile(filePath)) return [];
+    if (filePath.match(/\.(md|txt|rst|html|css|json|yaml|yml)$/)) return [];
+    const isAuthRoute = /\/auth\/|\/login|\/signup|\/register|\/logout|\/password\/|\/forgot|\/reset/i.test(filePath);
+    if (isAuthRoute) return [];
+    const isWebhookRoute = /\/webhook/i.test(filePath);
+    if (isWebhookRoute) return [];
     const authPatterns = [
       /auth/i,
       /session/i,
@@ -404,6 +414,8 @@ var missingAuthMiddleware = {
       /currentUser/i,
       /isAuthenticated/i,
       /requireAuth/i,
+      /requireUser/i,
+      /requireUserForApi/i,
       /clerk/i,
       /supabase\.auth/i,
       /getServerSession/i,
@@ -415,7 +427,10 @@ var missingAuthMiddleware = {
       /withAuth/i,
       /passport/i,
       /firebase\.auth/i,
-      /cognito/i
+      /cognito/i,
+      /verifyCronSecret/i,
+      /verifySecret/i,
+      /checkApiKey/i
     ];
     const hasAuth = authPatterns.some((p) => p.test(content));
     if (hasAuth) return [];
@@ -477,18 +492,33 @@ var stripeWebhookUnprotected = {
   category: "Payment Security",
   description: "Stripe webhook endpoints without signature verification allow attackers to fake payment events.",
   check(content, filePath) {
-    if (!/stripe|webhook/i.test(content)) return [];
-    const hasWebhookRoute = /webhook/i.test(filePath) || /(?:post|handler).*webhook/i.test(content);
-    if (!hasWebhookRoute) return [];
-    const hasVerification = /constructEvent|verifyHeader|stripe-signature|webhook_secret/i.test(content);
-    if (hasVerification) return [];
-    return findMatches(
-      content,
-      /webhook/gi,
-      stripeWebhookUnprotected,
-      filePath,
-      () => "Verify the Stripe webhook signature using stripe.webhooks.constructEvent(body, sig, webhookSecret) to prevent forged payment events."
-    );
+    if (!filePath.match(/\.(js|ts|jsx|tsx|py|rb|go|java|php)$/)) return [];
+    if (isTestFile(filePath)) return [];
+    if (!/stripe/i.test(content)) return [];
+    const hasStripeWebhookHandler = /(?:stripe.*webhook|webhook.*stripe)/i.test(content) || /(?:checkout\.session\.completed|invoice\.paid|payment_intent|customer\.subscription)/i.test(content);
+    if (!hasStripeWebhookHandler) return [];
+    if (/constructEvent|verifyHeader|stripe[_-]?signature|webhook[_-]?secret|STRIPE_WEBHOOK_SECRET/i.test(content)) return [];
+    const handlerPatterns = [
+      // POST handler that processes Stripe events
+      /export\s+(?:async\s+)?function\s+POST\s*\(/g,
+      // Express-style Stripe webhook route
+      /\.(post|all)\s*\(\s*["'`][^"'`]*(?:stripe|webhook)[^"'`]*["'`]/gi,
+      // Event type checking without prior verification
+      /(?:event\.type|req\.body\.type)\s*===?\s*["'`](?:checkout|invoice|payment|customer)\./g
+    ];
+    const matches = [];
+    for (const pattern of handlerPatterns) {
+      matches.push(
+        ...findMatches(
+          content,
+          pattern,
+          stripeWebhookUnprotected,
+          filePath,
+          () => "Verify the Stripe webhook signature using stripe.webhooks.constructEvent(body, sig, webhookSecret) to prevent forged payment events."
+        )
+      );
+    }
+    return matches;
   }
 };
 var sqlInjection = {
@@ -1114,16 +1144,31 @@ var dangerousInnerHTML = {
   description: "Using dangerouslySetInnerHTML without sanitization (DOMPurify) enables XSS attacks. User-controlled content injected as raw HTML can execute arbitrary JavaScript.",
   check(content, filePath) {
     if (!filePath.match(/\.(jsx|tsx)$/)) return [];
+    if (isTestFile(filePath)) return [];
     if (!/dangerouslySetInnerHTML/i.test(content)) return [];
     const hasSanitize = /DOMPurify|sanitize|purify|xss|sanitizeHtml|isomorphic-dompurify/i.test(content);
     if (hasSanitize) return [];
-    return findMatches(
-      content,
-      /dangerouslySetInnerHTML\s*=\s*\{\s*\{/g,
-      dangerousInnerHTML,
-      filePath,
-      () => "Sanitize HTML before using dangerouslySetInnerHTML: dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(content) }}. Install: npm install dompurify"
-    );
+    const findings = [];
+    const re = /dangerouslySetInnerHTML\s*=\s*\{\s*\{\s*__html\s*:\s*([^}]+)\}/g;
+    let m;
+    while ((m = re.exec(content)) !== null) {
+      if (isCommentLine(content, m.index)) continue;
+      const value = m[1].trim();
+      if (/^[A-Z][A-Z0-9_]+$/.test(value)) continue;
+      if (/^["'`][^$]*["'`]$/.test(value)) continue;
+      const lineNum = content.substring(0, m.index).split("\n").length;
+      findings.push({
+        rule: "VC063",
+        title: dangerousInnerHTML.title,
+        severity: "critical",
+        category: "Injection",
+        file: filePath,
+        line: lineNum,
+        snippet: getSnippet(content, lineNum),
+        fix: "Sanitize HTML before using dangerouslySetInnerHTML: dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(content) }}. Install: npm install dompurify"
+      });
+    }
+    return findings;
   }
 };
 function detectFramework(files) {
@@ -1144,51 +1189,52 @@ function detectFramework(files) {
   if (frameworks.size === 0) frameworks.add("unknown");
   return [...frameworks];
 }
-function calculateGrade(findings, totalFiles) {
+function calculateGrade(findings, _totalFiles) {
   if (findings.length === 0) {
-    return { grade: "A+", score: 100, summary: "No security issues detected. Excellent!" };
+    return { grade: "A+", score: 100, summary: "No security issues detected. Excellent." };
   }
-  let deductions = 0;
+  let critical = 0, high = 0, medium = 0, low = 0;
   for (const f of findings) {
-    switch (f.severity) {
-      case "critical":
-        deductions += 15;
-        break;
-      case "high":
-        deductions += 8;
-        break;
-      case "medium":
-        deductions += 4;
-        break;
-      case "low":
-        deductions += 1;
-        break;
-    }
-  }
-  const sizeBuffer = Math.min(Math.log2(Math.max(totalFiles, 1)) * 2, 15);
-  const score = Math.max(0, Math.min(100, 100 - deductions + sizeBuffer));
+    if (f.severity === "critical") critical++;
+    else if (f.severity === "high") high++;
+    else if (f.severity === "medium") medium++;
+    else if (f.severity === "low") low++;
+  }
+  const deductions = critical * 15 + high * 7 + medium * 3 + low * 1;
+  const rawScore = Math.max(0, 100 - deductions);
   let grade;
+  if (rawScore >= 97) grade = "A+";
+  else if (rawScore >= 90) grade = "A";
+  else if (rawScore >= 80) grade = "B";
+  else if (rawScore >= 70) grade = "C";
+  else if (rawScore >= 60) grade = "D";
+  else grade = "F";
+  const capGrade = (cap) => {
+    const order = ["A+", "A", "B", "C", "D", "F"];
+    return order.indexOf(grade) < order.indexOf(cap) ? cap : grade;
+  };
+  if (critical >= 1) grade = capGrade("D");
+  else if (high >= 3) grade = capGrade("D");
+  else if (high >= 1) grade = capGrade("B");
+  else if (medium >= 5) grade = capGrade("B");
+  else if (medium >= 1) grade = capGrade("A");
   let summary;
-  if (score >= 95) {
-    grade = "A+";
-    summary = "Excellent security posture with minimal issues.";
-  } else if (score >= 85) {
-    grade = "A";
-    summary = "Strong security with a few minor concerns.";
-  } else if (score >= 70) {
-    grade = "B";
-    summary = "Good security but some issues need attention.";
-  } else if (score >= 55) {
-    grade = "C";
-    summary = "Fair security \u2014 several vulnerabilities should be fixed.";
-  } else if (score >= 35) {
-    grade = "D";
-    summary = "Poor security \u2014 critical issues require immediate attention.";
+  if (critical > 0) {
+    summary = `${critical} critical ${critical === 1 ? "vulnerability" : "vulnerabilities"} require immediate attention.`;
+  } else if (high >= 3) {
+    summary = `${high} high-severity issues require urgent attention.`;
+  } else if (high > 0) {
+    summary = `${high} high-severity ${high === 1 ? "issue needs" : "issues need"} attention.`;
+  } else if (medium >= 5) {
+    summary = `${medium} medium-severity issues to address.`;
+  } else if (medium > 0) {
+    summary = `Clean of critical and high issues. ${medium} medium-severity ${medium === 1 ? "issue" : "issues"} to review.`;
+  } else if (low > 0) {
+    summary = `Clean of critical, high, and medium issues. ${low} low-severity best-practice ${low === 1 ? "note" : "notes"}.`;
   } else {
-    grade = "F";
-    summary = "Failing \u2014 serious vulnerabilities present. Fix critical issues immediately.";
+    summary = "No security issues detected.";
   }
-  return { grade, score: Math.round(score), summary };
+  return { grade, score: rawScore, summary };
 }
 var complianceMap = {
   VC001: { owasp: "A07:2021", cwe: "CWE-798" },
@@ -1321,7 +1367,29 @@ var complianceMap = {
   VC128: { owasp: "A05:2021", cwe: "CWE-444" },
   VC129: { owasp: "A02:2021", cwe: "CWE-311" },
   VC130: { owasp: "A07:2021", cwe: "CWE-307" },
-  VC131: { owasp: "A06:2021", cwe: "CWE-1104" }
+  VC131: { owasp: "A06:2021", cwe: "CWE-1104" },
+  // VC132–VC145: Service-specific API key detection
+  VC132: { owasp: "A07:2021", cwe: "CWE-798" },
+  VC133: { owasp: "A07:2021", cwe: "CWE-798" },
+  VC134: { owasp: "A07:2021", cwe: "CWE-798" },
+  VC135: { owasp: "A07:2021", cwe: "CWE-798" },
+  VC136: { owasp: "A07:2021", cwe: "CWE-798" },
+  VC137: { owasp: "A07:2021", cwe: "CWE-798" },
+  VC138: { owasp: "A07:2021", cwe: "CWE-798" },
+  VC139: { owasp: "A07:2021", cwe: "CWE-798" },
+  VC140: { owasp: "A07:2021", cwe: "CWE-798" },
+  VC141: { owasp: "A07:2021", cwe: "CWE-798" },
+  VC142: { owasp: "A07:2021", cwe: "CWE-798" },
+  VC143: { owasp: "A07:2021", cwe: "CWE-798" },
+  VC144: { owasp: "A07:2021", cwe: "CWE-798" },
+  VC145: { owasp: "A07:2021", cwe: "CWE-798" },
+  // VC146–VC151: Secret exposure path analysis
+  VC146: { owasp: "A07:2021", cwe: "CWE-598" },
+  VC147: { owasp: "A09:2021", cwe: "CWE-532" },
+  VC148: { owasp: "A09:2021", cwe: "CWE-209" },
+  VC149: { owasp: "A07:2021", cwe: "CWE-798" },
+  VC150: { owasp: "A07:2021", cwe: "CWE-615" },
+  VC151: { owasp: "A07:2021", cwe: "CWE-214" }
 };
 var consoleLogProduction = {
   id: "VC097",
@@ -2468,6 +2536,8 @@ function scanEntropy(files) {
   for (const { path: filePath, content } of files) {
     if (SKIP_FILES.test(filePath)) continue;
     if (SKIP_FILENAMES.test(filePath)) continue;
+    const basename = filePath.split("/").pop() || "";
+    if (SKIP_FILENAMES.test(basename)) continue;
     if (filePath.includes("node_modules")) continue;
     if (filePath.includes(".min.")) continue;
     if (/(?:\.test\.|\.spec\.|__tests__|__mocks__|fixtures?\/)/i.test(filePath)) continue;
@@ -3442,9 +3512,9 @@ async function scanCommand(directory, options) {
   if (tier === "free" && !isSilent) {
     console.log("");
     if (userPlan === "anonymous") {
-      console.log(chalk2.gray("  Scanned with 30 free rules.") + chalk2.cyan(" Log in to unlock all 131 rules \u2192") + chalk2.bold(" xploitscan auth login"));
+      console.log(chalk2.gray("  Scanned with 30 free rules.") + chalk2.cyan(" Log in to unlock all 151 rules \u2192") + chalk2.bold(" xploitscan auth login"));
     } else {
-      console.log(chalk2.gray("  Scanned with 30 rules.") + chalk2.cyan(" Upgrade to Pro for all 131 rules \u2192") + chalk2.bold(" xploitscan upgrade"));
+      console.log(chalk2.gray("  Scanned with 30 rules.") + chalk2.cyan(" Upgrade to Pro for all 151 rules \u2192") + chalk2.bold(" xploitscan upgrade"));
     }
     console.log("");
   }
@@ -3820,7 +3890,7 @@ async function cursorInstallCommand(opts = {}) {
 var program = new Command();
 program.name("xploitscan").description(
   "AI security scanner for vibe-coded apps. Find vulnerabilities before attackers do."
-).version("1.0.7");
+).version("1.0.8");
 program.command("scan").description("Scan a directory for security vulnerabilities").argument("[directory]", "Directory to scan", ".").option("--no-ai", "Skip AI-powered analysis").option("-f, --format <format>", "Output format: terminal, json, sarif", "terminal").option("-v, --verbose", "Show detailed output", false).option("--diff [base]", "Scan only files changed vs base branch (default: main)").option("-w, --watch", "Watch for file changes and re-scan automatically", false).action(async (directory, opts) => {
   await scanCommand(directory, {
     directory,