Lines 64-104javascript
66 { id: 'IAC-TF-001', name: 'Open SSH Access (22)', re: /ingress\s*\{[^}]*from_port\s*=\s*22[^}]*to_port\s*=\s*22[^}]*cidr_blocks\s*=\s*\[\s*["']0\.0\.0\.0\/0["']\s*\]/gi, sev: 'critical' },
67 { id: 'IAC-TF-002', name: 'S3 Public Read Allowed', re: /acl\s*=\s*["']public-read["']/gi, sev: 'high' },
68 { id: 'IAC-K8S-001', name: 'Privileged Container Escalation', re: /privileged:\s*true/gi, sev: 'high' },
69 { id: 'IAC-K8S-002', name: 'Running as Root User', re: /runAsNonRoot:\s*false/gi, sev: 'medium' }
72const CONTAINER_RULES = [
73 { id: 'DOCKER-LINT-001', name: 'Missing USER specification (Running as Root)', re: /FROM\s+\S+(?:[\s\S](?!USER))*$/gi, sev: 'high' },
74 { id: 'DOCKER-LINT-002', name: 'Using latest tag', re: /FROM\s+\S+:latest/gi, sev: 'medium' },
75 { id: 'DOCKER-LINT-003', name: 'Secrets Leaked in ENV', re: /ENV\s+(?:AWS_|API_KEY|PASSWORD|TOKEN|SECRET)\S*\s*=/gi, sev: 'critical' }
79 { id: 'SAST-SQL-001', name: 'SQL Injection', re: /(?:execute|query)\s*\([^)]*(?:SELECT|INSERT|UPDATE|DELETE)[^)]*\+/gi, sev: 'critical' },
80 { id: 'SAST-XSS-001', name: 'XSS via innerHTML', re: /\.innerHTML\s*[+]?=\s*[^"';\n]{1,80}(?:req\.|request\.|params\.|\$\{)/gm, sev: 'high' },
81 { id: 'SAST-CMD-001', name: 'Command Injection', re: /(?:child_process\.exec|execSync|os\.system)\s*\([^)]*(?:req\.|request\.|query\.)/gi, sev: 'critical' },
82 { id: 'SAST-DESER-001', name: 'Unsafe Deserialization', re: /pickle\.loads?\s*\(/g, sev: 'critical' },
83 { id: 'SAST-JWT-001', name: 'JWT Algorithm None', re: /algorithm[s]?\s*[:=]\s*["']none["']/gi, sev: 'critical' },
84 { id: 'SAST-CRYPTO-001', name: 'Weak Hash MD5', re: /createHash\s*\(\s*["']md5["']/gi, sev: 'high' },
85 { id: 'SAST-EVAL-001', name: 'eval() Usage', re: /\beval\s*\(/g, sev: 'high' },
86 { id: 'SAST-PATH-001', name: 'Path Traversal', re: /\.\.\/|path\.join\([^)]*req\.|path\.join\([^)]*params\./gi, sev: 'high' }
LowEval
Package source references a known benign dynamic code generation pattern.
src/index.jsView on unpkg · L84 89const VULN_DEPENDENCIES = [
90 { name: 'lodash', maxVersion: '4.17.20', vuln: 'Prototype Pollution (CVE-2020-8203)', sev: 'high' },
91 { name: 'axios', maxVersion: '1.5.1', vuln: 'Server-Side Request Forgery (CVE-2023-45857)', sev: 'high' },
92 { name: 'semver', maxVersion: '7.5.1', vuln: 'Regular Expression Denial of Service (CVE-2023-37263)', sev: 'medium' },
93 { name: 'log4j', maxVersion: '2.14.1', vuln: 'Log4Shell Remote Code Execution (CVE-2021-44228)', sev: 'critical' }
96const SKIP_FP = /(?:test|example|sample|placeholder|changeme|your[-_]?api|xxx|<|>|\$\{|\$\(|foobar|00000000)/i
97const SKIP_COMMENT = /^\s*(\/\/|#|\*|<!--)/
98const SKIP_DIRS = new Set(['node_modules', '.git', 'dist', 'build', '__pycache__', '.venv', 'vendor', 'coverage'])
99const SCAN_EXTS = new Set(['.js', '.jsx', '.ts', '.tsx', '.py', '.java', '.go', '.rb', '.php', '.cs', '.rs', '.swift', '.kt', '.scala', '.c', '.cpp', '.h', '.env', '.yaml', '.yml', '.json'
100const SEVERITY_ORDER = { critical: 4, high: 3, medium: 2, low: 1, info: 0 }
102function localScan(filePath, content) {
104 const lines = content.split('\n')