reference
Detectors
TriageRook runs eleven independent detectors over a repo and aggregates the results into one prioritized report. This page is the map: what each detector finds, the real method behind it, and — just as important — what it does not catch. For the individual pattern-based rules, see the rule catalog.
Where the granular rules live
Detectors 1–3, 5, 7, and 8 are backed by an enumerable rule catalog at /docs/rules. Dependencies (6), posture (9), the IAM risk scanner (10), and licenses (11) are computed dynamically — from OSV / npm advisories, GitHub API signals, policy parsing, and registry metadata — so they have no fixed rule list.
1. Secrets in source code
- Detects
- Live-shaped credentials in text files: cloud keys (AWS/Azure/GCP and friends), SCM tokens (GitHub classic/fine-grained/OAuth/App, GitLab, Bitbucket), AI provider keys, payment keys, messaging and monitoring tokens, private-key blocks, and auth-bearing URIs.
- How
- High-confidence regex patterns, one per known credential format. The matched value is masked the instant it is found, before it is attached to a finding or persisted.
- Doesn't catch
- A credential in a format with no published pattern. Custom/corporate tokens with no fixed shape are the entropy detector's job (below); a value with a truly novel format may be missed by both.
2. Sensitive files committed to the repo
- Detects
- Files that should never be in version control regardless of contents: *.pem / *.key, *.pfx / .p12 / .jks / .keystore, SSH private keys, KeePass vaults, .env.production, cloud credential files, kubeconfig, .npmrc with auth, terraform.tfstate, database dumps, .git-credentials, .htpasswd.
- How
- Filename / path / extension / content-header matching — not a regex over the file body. Only the path is recorded, never the contents.
- Doesn't catch
- A sensitive file hidden under a non-standard name, or a secret embedded inside an otherwise-ordinary file (that is detectors 1 and 3).
3. High-entropy secrets in config files
- Detects
- Custom secrets in .env, .envrc, .ini, .toml, .yaml, .properties, and .conf files that no regex knows about.
- How
- Parses KEY=VALUE pairs, discards obvious placeholders (xxx, changeme, URLs, semver, IPs), and flags values with Shannon entropy at or above 4.0 bits/char whose key name looks secret-bearing (password, secret, api_key, token, …).
- Doesn't catch
- High-entropy values whose key name does not look like a secret, or secrets outside the recognized config file types. Tuned to favor few false positives over total coverage.
4. Secrets in recent git history
- Detects
- Credentials that were committed and later removed — still leaked, still in the history.
- How
- Replays up to the 30 most recent commits, extracts the added lines from each patch, and re-runs the full secret pattern library over them. Findings are deduplicated against the current tree so only history-exclusive matches surface, tagged with commit SHA + author + date.
- Doesn't catch
- Anything older than the 30-commit window, individual commit patches larger than 200 KB (skipped), or history that was rewritten away. Best-effort: if GitHub rate-limits the history pass it is skipped and reported, not assumed clean.
5. Code-level vulnerabilities (SAST)
- Detects
- Injection (SQL, command, NoSQL, SSTI, prototype pollution, XXE), XSS, SSRF / open redirect, auth/JWT mistakes, weak crypto, path traversal, dynamic eval, ReDoS, insecure transport, cookie/session hygiene, insecure deserialization, info disclosure — each mapped to a CWE.
- How
- Two layers run side by side: AST analysis via the TypeScript Compiler API (ts-morph) over JS/TS that tracks user input into dangerous sinks across property hops, plus conservative single-line regex rules for JS/TS and Python where AST would be overkill. A third framework-aware layer fires stack-specific checks only when it detects the framework (Next.js, Express, NestJS, Django, Flask, FastAPI, Spring, Laravel, Rails).
- Doesn't catch
- Deep cross-file/interprocedural dataflow. Coverage is primarily JavaScript/TypeScript; Python is covered by the regex layer; other languages are not analyzed for code vulns.
6. Vulnerable dependencies (SCA)
- Detects
- Known-vulnerable packages across npm, PyPI, Go, RubyGems, Maven/Gradle, and Composer, plus container-image OS-package CVEs. End-of-life Docker base images are flagged statically too.
- How
- Parses lockfiles/manifests and queries the npm advisory bulk API and OSV.dev, linking each finding to its GHSA/CVE. Container CVEs are ingested from a Trivy SARIF report you run in CI and commit. One shared OSV core, a 500-package cap, and a registry outage marks the detector skipped rather than failing the scan.
- Doesn't catch
- Vulnerabilities with no advisory published yet, versions that cannot be resolved statically (property-interpolated or dynamic ranges), and live image scanning — that is delegated to the Trivy report you provide.
7. Supply-chain attacks (typosquatting, install hooks, dependency confusion)
- Detects
- Malicious or hijacked dependencies before they run: typosquatted package names, install-time lifecycle-hook abuse in package.json scripts and Python setup.py / pyproject build hooks, and registry signals — dependency confusion (a declared name that 404s on the public registry), freshly-published packages, and suspicious-maintainer flags.
- How
- Typosquatting uses Damerau-Levenshtein edit distance against popular npm/PyPI names. Lifecycle hooks are pattern-matched for curl|sh, base64 decode-and-execute, env-var exfiltration, and destructive rm -rf chains. Registry signals come from public npm registry metadata.
- Doesn't catch
- Deep behavioral analysis of package source, or ecosystems beyond npm/PyPI for the registry-metadata signals.
8. Infrastructure & CI misconfiguration (IaC)
- Detects
- Dockerfile hygiene, risky GitHub Actions workflows (pull_request_target with PR checkout, unpinned third-party actions, script injection), Terraform / CloudFormation / Kubernetes / Helm misconfig, and over-privileged cloud IAM declared in code (AWS/GCP/Azure/GitHub scopes).
- How
- Line- and structure-based checks per file type, each self-guarding on file shape so non-matching YAML/JSON is skipped.
- Doesn't catch
- Misconfig in IaC formats not listed here, or runtime cloud state — these read your committed files, not your live cloud accounts.
9. Repository posture score
- Detects
- How the repo is set up rather than a specific bug: branch protection, governance docs, dependency-update hygiene, signed commits, org MFA, secret scanning, least-privilege workflow tokens, release provenance — 17 signals in four groups, graded A–F.
- How
- Reads repo metadata, files, branch protection / rulesets, and commit verification via the GitHub API, then scores the percentage of assessable signals earned. Signals it cannot inspect are reported as unknown and excluded from the math.
- Doesn't catch
- Penalize you for signals it cannot see (admin-only settings on a public scan show as unknown, not failed).
10. IAM risk scanner
- Detects
- Identity-and-access risk in the IAM policy documents you commit: GitHub Actions OIDC trust weaknesses (no Condition, wildcard repo/ref, pull_request trust), privilege-escalation patterns, and admin-equivalent grants.
- How
- Selects IAM-shaped files from the tree (Terraform, CloudFormation/SAM, JSON policy docs, serverless.yml), extracts policy statements, and runs the three check families over them. Findings deduct from a 100-point score that maps to a low/medium/high/critical level.
- Doesn't catch
- Inspect your live cloud accounts or org settings — it reads policy-as-code, not the AWS/GCP/Azure control plane. (Org MFA enforcement is a posture signal, detector 9, not part of this scanner.)
11. Open-source license / compliance risk
- Detects
- Legal rather than security risk: strong copyleft (GPL/AGPL/SSPL), weak copyleft (LGPL/MPL/EPL/CDDL), and proprietary/UNLICENSED dependencies in a project that redistributes them.
- How
- For npm, reads the license field already in package-lock.json (no network). For PyPI/Go/RubyGems it enriches via deps.dev, bounded to 200 packages. Dual licenses with a permissive escape are treated as acceptable; dev-only npm deps are skipped.
- Doesn't catch
- Give legal advice, or resolve license text that a registry does not record. It surfaces the risk; the call is yours.
On SAST depth — the honest version
Detector 5 is a fast first pass: TypeScript/JavaScript AST rules plus targeted regex for other languages. It is not a full dataflow engine. If you already run CodeQL or Snyk Code, keep them — they go deeper on cross-file code analysis. TriageRook aims to catch the high-confidence issues in one click with zero setup, not to replace a dedicated SAST product. The same honesty is on the comparison page.
Want a detector or rule we don't have? Open an issue.