{ "generated_at": "2026-04-30T05:55:10.696108956Z", "findings": [ { "id": "5d2d6990d7f5", "title": "Shell command execution", "severity": "high", "status": "suspected", "file": "PROMPT.md", "line_hint": "419", "evidence": "- `exec(`", "reason": "Direct subprocess/shell invocation. Confirm inputs are sanitized; prefer typed APIs over string-built commands.", "source": "static", "confidence": 0.6, "check_id": "static.shell_execution" }, { "id": "ade02702c129", "title": "Shell command execution", "severity": "high", "status": "suspected", "file": "PROMPT.md", "line_hint": "420", "evidence": "- `spawn(`", "reason": "Direct subprocess/shell invocation. Confirm inputs are sanitized; prefer typed APIs over string-built commands.", "source": "static", "confidence": 0.6, "check_id": "static.shell_execution" }, { "id": "a15313bf5fac", "title": "Shell command execution", "severity": "high", "status": "suspected", "file": "PROMPT.md", "line_hint": "421", "evidence": "- `Command::new`", "reason": "Direct subprocess/shell invocation. Confirm inputs are sanitized; prefer typed APIs over string-built commands.", "source": "static", "confidence": 0.6, "check_id": "static.shell_execution" }, { "id": "08acbf12529d", "title": "Raw SQL interpolation", "severity": "high", "status": "suspected", "file": "PROMPT.md", "line_hint": "423", "evidence": "- `format!(\"SELECT`", "reason": "SQL assembled via string formatting/concatenation rather than parameterized query. Verify inputs aren't user-controlled.", "suggested_fix": "Use parameterized queries / prepared statements; pass values via driver placeholders, not string interpolation.", "source": "static", "confidence": 0.6, "check_id": "static.raw_sql_interpolation" }, { "id": "6a7008d0004a", "title": "Wildcard CORS", "severity": "high", "status": "suspected", "file": "PROMPT.md", "line_hint": "429", "evidence": "- `Access-Control-Allow-Origin: *`", "reason": "Access-Control-Allow-Origin: * permits cross-origin reads from any domain. 
Narrow to an explicit allowlist unless this endpoint is intentionally public.", "source": "static", "confidence": 0.85, "check_id": "static.broad_cors" }, { "id": "7708bce04aa7", "title": "Shell command execution", "severity": "high", "status": "suspected", "file": "internal/analyzers/checks.go", "line_hint": "89", "evidence": "// === 2. shell execution (exec, spawn, Command::new, subprocess) ===", "reason": "Direct subprocess/shell invocation. Confirm inputs are sanitized; prefer typed APIs over string-built commands.", "source": "static", "confidence": 0.6, "check_id": "static.shell_execution" }, { "id": "0b78dca77fb3", "title": "Shell command execution", "severity": "high", "status": "suspected", "file": "internal/analyzers/checks.go", "line_hint": "101", "evidence": "`Command::new|` + // Rust", "reason": "Direct subprocess/shell invocation. Confirm inputs are sanitized; prefer typed APIs over string-built commands.", "source": "static", "confidence": 0.6, "check_id": "static.shell_execution" }, { "id": "3729ed9168dd", "title": "Raw SQL interpolation", "severity": "high", "status": "suspected", "file": "internal/analyzers/checks.go", "line_hint": "140", "evidence": "rawSQLFmtRe = regexp.MustCompile(`(?i)(?:format!|fmt\\.Sprintf|String::from|f\"|f')[^\\n]{0,80}?(?:SELECT|INSERT|UPDATE|DELETE|DROP)\\b`)", "reason": "SQL assembled via string formatting/concatenation rather than parameterized query. 
Verify inputs aren't user-controlled.", "suggested_fix": "Use parameterized queries / prepared statements; pass values via driver placeholders, not string interpolation.", "source": "static", "confidence": 0.6, "check_id": "static.raw_sql_interpolation" }, { "id": "4ed58fa58f04", "title": "Raw SQL interpolation", "severity": "high", "status": "suspected", "file": "internal/analyzers/checks.go", "line_hint": "143", "evidence": "rawSQLConcatRe = regexp.MustCompile(`(?i)(?:SELECT|INSERT|UPDATE|DELETE)\\b[^\\n]{0,40}(?:\\+\\s*\\w|%s|%v|\\$\\{|` + \"`\" + `\\$\\{)`)", "reason": "SQL assembled via string formatting/concatenation rather than parameterized query. Verify inputs aren't user-controlled.", "suggested_fix": "Use parameterized queries / prepared statements; pass values via driver placeholders, not string interpolation.", "source": "static", "confidence": 0.6, "check_id": "static.raw_sql_interpolation" }, { "id": "174c7276677f", "title": "Wildcard CORS", "severity": "high", "status": "suspected", "file": "internal/analyzers/checks.go", "line_hint": "177", "evidence": "// styles: Express's res.setHeader(\"Access-Control-Allow-Origin\", \"*\"),", "reason": "Access-Control-Allow-Origin: * permits cross-origin reads from any domain. Narrow to an explicit allowlist unless this endpoint is intentionally public.", "source": "static", "confidence": 0.85, "check_id": "static.broad_cors" }, { "id": "e9beee52079c", "title": "Wildcard CORS", "severity": "high", "status": "suspected", "file": "internal/analyzers/checks.go", "line_hint": "180", "evidence": "var corsAnyRe = regexp.MustCompile(`Access-Control-Allow-Origin[^\\n]{0,40}\\*`)", "reason": "Access-Control-Allow-Origin: * permits cross-origin reads from any domain. 
Narrow to an explicit allowlist unless this endpoint is intentionally public.", "source": "static", "confidence": 0.85, "check_id": "static.broad_cors" }, { "id": "14fa8051e73c", "title": "Wildcard CORS", "severity": "high", "status": "suspected", "file": "internal/analyzers/checks.go", "line_hint": "194", "evidence": "Reason: \"Access-Control-Allow-Origin: * permits cross-origin reads from any domain. Narrow to an explicit allowlist unless this endpoint is intentionally public.\",", "reason": "Access-Control-Allow-Origin: * permits cross-origin reads from any domain. Narrow to an explicit allowlist unless this endpoint is intentionally public.", "source": "static", "confidence": 0.85, "check_id": "static.broad_cors" }, { "id": "5ccf0d1f8491", "title": "Large file", "severity": "medium", "status": "suspected", "file": "review-harness", "line_hint": "1-18860", "evidence": "18860 lines (limit: 800)", "reason": "File exceeds the configured size threshold. Long files are a refactor target — split by responsibility.", "source": "static", "confidence": 1, "check_id": "static.large_files" }, { "id": "5703eb1ba5fe", "title": "Environment file in source tree", "severity": "high", "status": "confirmed", "file": "tests/fixtures/insecure-repo/.env", "evidence": "filename=.env", "reason": ".env files commonly hold real secrets and should not be tracked. If this is a sample, rename to .env.example with placeholder values.", "suggested_fix": "Rename to .env.example with placeholders; add .env to .gitignore; rotate any committed secrets.", "source": "static", "confidence": 0.9, "check_id": "static.env_file_committed" }, { "id": "144fc5f2981e", "title": "Hardcoded absolute path", "severity": "medium", "status": "suspected", "file": "tests/fixtures/insecure-repo/src/handler.go", "line_hint": "10", "evidence": "const HARDCODED_PATH = \"/home/profit/secrets/key.pem\"", "reason": "Absolute path encoded in source — couples the binary to one filesystem layout. 
Move to config or env var.", "source": "static", "confidence": 0.7, "check_id": "static.hardcoded_paths" }, { "id": "fe1d54ec5045", "title": "Shell command execution", "severity": "high", "status": "suspected", "file": "tests/fixtures/insecure-repo/src/handler.go", "line_hint": "19", "evidence": "exec.Command(\"bash\", \"-c\", cmd).Run()", "reason": "Direct subprocess/shell invocation. Confirm inputs are sanitized; prefer typed APIs over string-built commands.", "source": "static", "confidence": 0.6, "check_id": "static.shell_execution" }, { "id": "e00ebc0ac661", "title": "Raw SQL interpolation", "severity": "high", "status": "suspected", "file": "tests/fixtures/insecure-repo/src/handler.go", "line_hint": "14", "evidence": "q := fmt.Sprintf(\"SELECT * FROM users WHERE name = '%s'\", name)", "reason": "SQL assembled via string formatting/concatenation rather than parameterized query. Verify inputs aren't user-controlled.", "suggested_fix": "Use parameterized queries / prepared statements; pass values via driver placeholders, not string interpolation.", "source": "static", "confidence": 0.6, "check_id": "static.raw_sql_interpolation" }, { "id": "66b494571e04", "title": "Possible secret committed to source", "severity": "critical", "status": "suspected", "file": "tests/fixtures/insecure-repo/src/handler.go", "line_hint": "23", "evidence": "const API_KEY = \"sk-1234567890abcdefABCDEFGHIJKLMNOPQRSTUV\"", "reason": "OpenAI/OpenRouter-shaped key detected. 
If real, rotate immediately and move to a secret store.", "suggested_fix": "Move secret to env var / secret manager; commit the .env.example with a placeholder; rotate the leaked credential.", "source": "static", "confidence": 0.75, "check_id": "static.secret_patterns" }, { "id": "66b494571e04", "title": "Possible secret committed to source", "severity": "critical", "status": "suspected", "file": "tests/fixtures/insecure-repo/src/handler.go", "line_hint": "23", "evidence": "const API_KEY = \"sk-1234567890abcdefABCDEFGHIJKLMNOPQRSTUV\"", "reason": "Hardcoded credential pattern detected. If real, rotate immediately and move to a secret store.", "suggested_fix": "Move secret to env var / secret manager; commit the .env.example with a placeholder; rotate the leaked credential.", "source": "static", "confidence": 0.75, "check_id": "static.secret_patterns" }, { "id": "5b886708c3b5", "title": "TODO/FIXME comment", "severity": "low", "status": "suspected", "file": "tests/fixtures/insecure-repo/src/handler.go", "line_hint": "9", "evidence": "// TODO: rotate this and move to env", "reason": "Inline marker for deferred work. Audit whether the deferred concern is now blocking.", "source": "static", "confidence": 0.95, "check_id": "static.todo_comments" }, { "id": "1e61962f010a", "title": "TODO/FIXME comment", "severity": "low", "status": "suspected", "file": "tests/fixtures/insecure-repo/src/handler.go", "line_hint": "22", "evidence": "// FIXME: hardcoded creds", "reason": "Inline marker for deferred work. Audit whether the deferred concern is now blocking.", "source": "static", "confidence": 0.95, "check_id": "static.todo_comments" }, { "id": "2c5c4350c263", "title": "Hardcoded private-network IP", "severity": "medium", "status": "suspected", "file": "tests/fixtures/insecure-repo/src/handler.go", "line_hint": "11", "evidence": "const SERVER_IP = \"192.168.1.176\"", "reason": "RFC 1918 / link-local IP literal in source. 
Move to config so the binary isn't tied to one network.", "source": "static", "confidence": 0.7, "check_id": "static.hardcoded_local_ip" }, { "id": "3756dd35d39d", "title": "Large file", "severity": "medium", "status": "suspected", "file": "tests/fixtures/insecure-repo/src/huge.go", "line_hint": "1-901", "evidence": "901 lines (limit: 800)", "reason": "File exceeds the configured size threshold. Long files are a refactor target — split by responsibility.", "source": "static", "confidence": 1, "check_id": "static.large_files" }, { "id": "6b5c4b19d770", "title": "Wildcard CORS", "severity": "high", "status": "suspected", "file": "tests/fixtures/insecure-repo/src/server.js", "line_hint": "2", "evidence": "res.setHeader(\"Access-Control-Allow-Origin\", \"*\");", "reason": "Access-Control-Allow-Origin: * permits cross-origin reads from any domain. Narrow to an explicit allowlist unless this endpoint is intentionally public.", "source": "static", "confidence": 0.85, "check_id": "static.broad_cors" }, { "id": "0df161625ead", "title": "Possible secret committed to source", "severity": "critical", "status": "suspected", "file": "tests/fixtures/insecure-repo/src/server.js", "line_hint": "5", "evidence": "const AWS_KEY = \"AKIAIOSFODNN7EXAMPLE\";", "reason": "AWS access key ID detected. If real, rotate immediately and move to a secret store.", "suggested_fix": "Move secret to env var / secret manager; commit the .env.example with a placeholder; rotate the leaked credential.", "source": "static", "confidence": 0.75, "check_id": "static.secret_patterns" }, { "id": "6dd9b338f734", "title": "TODO/FIXME comment", "severity": "low", "status": "suspected", "file": "tests/fixtures/insecure-repo/src/server.js", "line_hint": "1", "evidence": "// HACK: open CORS for now", "reason": "Inline marker for deferred work. 
Audit whether the deferred concern is now blocking.", "source": "static", "confidence": 0.95, "check_id": "static.todo_comments" }, { "id": "4a3098b9af2c", "title": "Mutation route in file with no visible auth", "severity": "medium", "status": "suspected", "file": "tests/fixtures/insecure-repo/src/server.js", "line_hint": "7", "evidence": "app.post(\"/api/users\", function(req, res) { /* no auth */ });", "reason": "POST/PUT/DELETE/PATCH route registered in a file with no visible auth middleware. It may still be authenticated at a higher layer — confirm.", "source": "static", "confidence": 0.4, "check_id": "static.exposed_mutation_endpoint" }, { "id": "44d91c0668c0", "title": "Mutation route in file with no visible auth", "severity": "medium", "status": "suspected", "file": "tests/fixtures/insecure-repo/src/server.js", "line_hint": "8", "evidence": "app.delete(\"/api/admin\", function(req, res) { /* no auth */ });", "reason": "POST/PUT/DELETE/PATCH route registered in a file with no visible auth middleware. It may still be authenticated at a higher layer — confirm.", "source": "static", "confidence": 0.4, "check_id": "static.exposed_mutation_endpoint" } ], "summary": { "total": 28, "confirmed": 1, "suspected": 27, "rejected": 0, "critical": 3, "high": 16, "medium": 6, "low": 3, "by_source": { "static": 28 }, "by_check": { "static.broad_cors": 5, "static.env_file_committed": 1, "static.exposed_mutation_endpoint": 2, "static.hardcoded_local_ip": 1, "static.hardcoded_paths": 1, "static.large_files": 2, "static.raw_sql_interpolation": 4, "static.secret_patterns": 3, "static.shell_execution": 6, "static.todo_comments": 3 } } }