Lines 26-66javascript
26 { pattern: /sk_test_[a-zA-Z0-9]{24,}/g, type: 'Stripe test key', severity: 'MEDIUM' },
27 { pattern: /sq0atp-[a-zA-Z0-9_-]{22}/g, type: 'Square access token', severity: 'HIGH' },
28 { pattern: /AIza[a-zA-Z0-9_-]{35}/g, type: 'Google API key', severity: 'MEDIUM' },
29 { pattern: /[a-f0-9]{32}-us\d+/g, type: 'Mailchimp API key', severity: 'MEDIUM' },
30 { pattern: /key-[a-zA-Z0-9]{32}/g, type: 'Mailgun API key', severity: 'MEDIUM' },
31 { pattern: /SG\.[a-zA-Z0-9_-]{22}\.[a-zA-Z0-9_-]{43}/g, type: 'SendGrid API key', severity: 'HIGH' },
32 { pattern: /-----BEGIN (RSA |DSA |EC |OPENSSH )?PRIVATE KEY-----/g, type: 'Private key', severity: 'CRITICAL' },
33 { pattern: /password\s*[=:]\s*['"][^'"]{8,}['"]/gi, type: 'Hardcoded password', severity: 'HIGH' },
34 { pattern: /api[_-]?key\s*[=:]\s*['"][^'"]{16,}['"]/gi, type: 'API key in code', severity: 'HIGH' },
35 { pattern: /bearer\s+[a-zA-Z0-9_-]{20,}/gi, type: 'Bearer token', severity: 'HIGH' },
36 { pattern: /basic\s+[a-zA-Z0-9+/=]{20,}/gi, type: 'Basic auth credentials', severity: 'HIGH' },
38 for (const { pattern, type, severity } of secretPatterns) {
39 const matches = input.match(pattern);
41 findings.push(`🔴 ${severity}: ${type} detected (${matches.length} occurrence${matches.length > 1 ? 's' : ''})`);
42 suggestions.push(`Remove ${type} and use environment variables or secrets manager`);
45 // Check for security anti-patterns
46 const antiPatterns = [
47 { pattern: /eval\s*\(/g, type: 'eval() usage', risk: 'Code injection vulnerability' },
48 { pattern: /innerHTML\s*=/g, type: 'innerHTML assignment', risk: 'XSS vulnerability' },
LowEval
Package source references a known benign dynamic code generation pattern.
dist/agents/security.jsView on unpkg · L46 49 { pattern: /document\.write/g, type: 'document.write usage', risk: 'XSS vulnerability' },
50 { pattern: /SELECT.*FROM.*WHERE.*\+/gi, type: 'String concatenation in SQL', risk: 'SQL injection' },
51 { pattern: /exec\s*\(/g, type: 'exec() usage', risk: 'Command injection' },
52 { pattern: /shell\s*=\s*True/g, type: 'shell=True in subprocess', risk: 'Command injection' },
53 { pattern: /verify\s*=\s*False/gi, type: 'SSL verification disabled', risk: 'MITM vulnerability' },
54 { pattern: /disable.*ssl|ssl.*disable/gi, type: 'SSL disabled', risk: 'MITM vulnerability' },
56 for (const { pattern, type, risk } of antiPatterns) {
57 if (pattern.test(input)) {
58 findings.push(`⚠️ ${type} - ${risk}`);
59 suggestions.push(`Review and fix: ${type}`);
62 // Check for PII patterns
64 { pattern: /\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b/g, type: 'Email addresses' },
65 { pattern: /\b\d{3}[-.]?\d{3}[-.]?\d{4}\b/g, type: 'Phone numbers' },
66 { pattern: /\b\d{3}[-]?\d{2}[-]?\d{4}\b/g, type: 'SSN-like numbers' },