
ast/weak-cipher-mode-or-deprecated-api

Weak crypto: createCipher() or ECB mode

high · AST · weak-crypto · CWE-327 · js · ts

What it detects

crypto.createCipher() has been deprecated since Node 10 (DEP0106). It takes a password rather than a key and stretches it with OpenSSL's EVP_BytesToKey (MD5, one iteration, no salt) into both the key and the IV. The IV is therefore a fixed function of the password, so two encryptions of the same plaintext under the same password produce identical ciphertext, and the unsalted single-round MD5 leaves the password open to cheap offline guessing. Use crypto.createCipheriv() with a key from crypto.randomBytes() (or, when the key must come from a password, from crypto.scrypt() with a random salt) and a fresh random IV for every message.

Separately, the rule flags createCipheriv('aes-???-ecb', ...) for any key size. ECB encrypts each 16-byte block independently, with no chaining and no IV, so repeated plaintext blocks (a fixed JSON prefix, zero-filled fields, padding) produce repeated ciphertext blocks; that is the structural leak the familiar Tux penguin image demonstrates. ECB also gives no integrity protection. Prefer AES-GCM, which authenticates the ciphertext; if CBC is unavoidable, add an HMAC over the IV and ciphertext (encrypt-then-MAC) and verify it before decrypting.

How it runs

Each file scanned is parsed with the TypeScript Compiler API (via ts-morph). This rule walks the AST looking for the call shapes described above: any call to crypto.createCipher(), and any createCipheriv() call whose cipher name selects ECB mode. Files larger than 200 KB, or that fail to parse, are skipped.

Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a .repoguardignore line.