ast/weak-crypto-hash-for-secrets
Weak crypto: MD5 / SHA-1 used for security-sensitive hashing
What it detects
Node's crypto.createHash() is called with md5, sha1, md4, md2 or sha-224 as the algorithm, and the hashed value carries a security-related identifier (password, token, secret, session, api_key and similar). MD2, MD4, MD5 and SHA-1 have practical collision attacks, and none of them is fit for the purposes people most often reach for them: a single fast, unsalted hash protects a stored password only against an attacker unwilling to run a wordlist at billions of guesses per second, and hashing a low-entropy value does not turn it into a secure token. (SHA-224 is not collision-broken but falls below the SHA-256 minimum this rule recommends.) For password storage use a purpose-built password hash (bcrypt, scrypt or argon2); for session and API tokens do not hash at all, draw them from the CSPRNG via crypto.randomBytes; for HMAC use SHA-256 or stronger. If the hash protects nothing (file content fingerprint, cache key), suppress the finding via .repoguardignore rather than changing the algorithm.
How it runs
Each file scanned is parsed with the TypeScript Compiler API (via ts-morph). This rule walks the AST looking for the call shape and identifier pattern described above. Files larger than 200 KB, or that fail to parse, are skipped.
Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a .repoguardignore line.