detection rules

What TriageRook checks for

Every detection rule that runs against your repo. Open source, with CWE mapping and a plain-language description on each. Use the layer grouping below to see how each finding gets to your dashboard.

235 rules total77 critical107 high+ dependency CVE lookup via npm + OSV (not listed; dynamic)

SARIF export → upload findings to GitHub Code Scanning

AST28 rules

TypeScript Compiler API walkers. Detect user input flowing into dangerous sinks across hops the regex layer can't see.

Code regex34 rules

High-confidence single-line regex rules — fast, language-tagged, tied to a CWE. Bias toward few false positives over coverage.

Secret pattern80 rules

Curated patterns for common credential formats: cloud keys, OAuth tokens, payment provider keys, database URIs. Plus an entropy fallback for env-shaped values.

Sensitive file18 rules

Files that should never be committed (.pem, .env, .pfx, .keystore, database dumps). Detected by path / extension / content header, not regex over content.

Dockerfile9 rules

Dockerfile hygiene checks: USER root, latest tags, ADD instead of COPY, unsafe shell escapes.

GitHub Actions5 rules

GitHub Actions workflow checks: pull_request_target with PR checkout, third-party actions pinned by tag instead of SHA, secrets in expressions.

Terraform7 rules

Terraform/HCL misconfiguration checks: public S3 buckets, security groups open to 0.0.0.0/0, wildcard IAM actions/resources, unencrypted or publicly accessible storage.

CloudFormation7 rules

CloudFormation template checks (YAML + JSON): public S3 buckets, security groups open to 0.0.0.0/0, wildcard IAM actions/resources, unencrypted or publicly accessible storage. Self-guards on AWSTemplateFormatVersion / Resources + AWS:: so non-template YAML/JSON is skipped.

Kubernetes6 rules

Kubernetes manifest checks: privileged containers, host namespaces, privilege escalation, running as root, mutable image tags, dangerous Linux capabilities. Helm-templated lines are skipped.

Helm5 rules

Helm chart values.yaml checks: insecure defaults that flow into rendered workloads — privileged containers, run-as-root, host namespaces, privilege escalation, mutable image tags. Runs on values*.yaml, which the Kubernetes scanner skips because they aren't rendered manifests.

Cloud IAM10 rules

Cloud IAM-in-code checks: AWS IAM policy documents with wildcard actions/resources or a public principal, GCP primitive roles (roles/owner, roles/editor), Azure RBAC Owner/Contributor assignments + wildcard custom roles, and over-broad GitHub OAuth/PAT scopes (delete_repo, admin:org, …). Scans JSON/YAML/source; HCL is covered by the Terraform layer.

Framework-aware12 rules

Context-aware rules that only fire when the repo actually uses the framework (Next.js, Express, NestJS, Django, Flask, FastAPI, Spring, Laravel, Rails). Catches framework-specific misconfig — DEBUG on, CSRF disabled, wildcard CORS — without false positives on unrelated code.

Business logic9 rules

Broken-access-control and business-logic flaws: IDOR (records fetched by client id with no ownership check), mass assignment (the whole request body written to an ORM), privilege escalation (role/admin set from input), and payment tampering (charge amount taken from the client). Framed as 'verify there's a check here' — conservative, because the authorization check may live a few lines away.

AI-generated code5 rules

Tell-tale signs of LLM-scaffolded code shipped without hardening: placeholder credentials left in literals, security controls deferred with a TODO, "not for production" disclaimers next to the missing check, and swallowed exceptions (bare except: pass / empty catch {}). Reads comment lines too; low/medium severity so these hygiene tells don't drown out real vulnerabilities.

Want a rule we don't have? Open an issue on GitHub.