chore(deps-dev): bump flatted from 3.4.1 to 3.4.2#5
Open
dependabot[bot] wants to merge 78 commits intomainfrom
Open
chore(deps-dev): bump flatted from 3.4.1 to 3.4.2#5dependabot[bot] wants to merge 78 commits intomainfrom
dependabot[bot] wants to merge 78 commits intomainfrom
Conversation
Three critical bugs prevented detection of known-malicious agent skills: 1. 18 prompt-injection rules used (?i) PCRE flags unsupported by JS RegExp, silently returning zero matches. Added inline flag extraction in patterns.ts. 2. 8 double-escaped YAML regex patterns (e.g., '\\.aws' matching literal backslash instead of dot). Fixed in credential-harvesting.yaml and suspicious-behavior.yaml. 3. Confidence model (matchedWeight/totalWeight) rejected valid single-pattern matches. Added hybrid model using max(ratio, maxSinglePatternWeight). Known-malicious detection: 0/6 → 6/6 (100%). Note: hybrid model causes FP explosion in large skill sets — needs three-tier refinement in next sprint. Includes comprehensive security audit report at docs/SCANNER-AUDIT-2026-02-16.md.
- Add validateRegexPattern() export for pre-compilation checks - Warn on regex compile failure in matchRegex() when FIRMIS_VERBOSE=1 - Validate regex patterns during rule loading with console.warn - Enhance validate command: --built-in flag, regex compilation check - Support validating both custom and built-in rules
- Add SUSPICIOUS/LIKELY/CONFIRMED confidence tiers to Threat type - Add known-malicious, malware-distribution, agent-memory-poisoning categories - Apply 0.3x weight multiplier for documentation files (fixes FP explosion) - SKILL.md excluded from documentation discount - Tier assignment: confirmed for 3+ patterns/80%+ ratio/known-malicious, likely for 2+ patterns/90+ weight, suspicious for single pattern match
Seed 11 rules from Snyk ToxicSkills, Koi Security ClawHavoc, Snyk Credential Leaks, and The Register research reports: - mal-skill-001..005: Exact skill name blocklists (zaycv, Aslaep123, pepe276, ClawHavoc campaign, YouTube imitations) - mal-author-001: Known malicious author detection - mal-typo-001: ClawHub typosquatting patterns - mal-updater-001: Fake auto-updater masquerade detection - mal-infra-001..002: Known C2/exfil infrastructure (91.92.242.30, webhook.site, glot.io, aztr0nutzs/NET_NiNjA) All rules confidence 95+ (confirmed malicious indicators).
rules/malware-distribution.yaml (6 rules): - malware-001: Remote archive downloads (curl/wget .zip/.tar.gz) - malware-002: Password-protected archive extraction - malware-003: Base64-encoded command execution - malware-004: Remote script piping (curl | sh) - malware-005: System service manipulation (persistence) - malware-006: Fake prerequisite installation instructions rules/agent-memory-poisoning.yaml (4 rules): - mem-001: Writing to agent memory files (MEMORY.md, .memories/) - mem-002: Reading session/conversation log files - mem-003: Agent config file modification (.openclaw/, mcp.json) - mem-004: Time-delayed execution (>30s setTimeout, cron patterns) Total rules: 99 (from 79 baseline)
Include the MCP config file (mcp.json, claude_desktop_config.json) in the list of files returned by analyze(), so the rule engine can detect credentials (AWS keys, API tokens, database passwords) embedded directly in MCP server configurations. Previously the config was only used for server discovery but never scanned for credential patterns, resulting in 0 config-level findings.
- Add targetPath to FirmisConfig - Wire CLI [path] argument through to config (was previously _unused) - Add discoverAtPath() to PlatformDiscovery: bypasses detect() and feeds the target path directly as basePath to platform analyzers - Works for all platforms: openclaw, mcp, crewai, claude, etc. Usage: firmis scan /some/path --platform openclaw Previously: /some/path was silently ignored
Unit tests (71 new): - patterns-validation.test.ts (10): validateRegexPattern(), inline flags, edge cases - confidence-tiers.test.ts (12): three-tier model, doc weighting, SKILL.md exception - known-malicious.test.ts (18): IOC detection, skill names, authors, C2 infra, typosquats - new-rules.test.ts (31): malware distribution, memory poisoning, safe content checks Integration tests (44 new): - sprint1-openclaw.test.ts (6): malicious/safe skill scanning with path override - sprint1-mcp.test.ts (8): config credential detection, AWS/GH/OpenAI keys - sprint1-patterns.test.ts (12): curl pipe, base64, systemctl, memory writes - sprint1-validate.test.ts (18): rule loading, regex compilation, category validation Fixtures: openclaw-malicious/, openclaw-safe/, mcp-config-vulnerable/, mcp-config-safe/, malware-patterns/, memory-poisoning/, documentation-fp/ Total: 157 tests passing (was 42), 14 test files (was 6)
- Add MatchContext type: code_execution, documentation, string_literal, config - Add matchContext field to PatternMatch for transparency - Add detectMatchContext() — classifies files by extension/path - CONTEXT_MULTIPLIERS: code=1.0x, config=1.0x, string=0.7x, docs=0.3x - SKILL.md exception: not treated as documentation - Replaces old isDocumentationFile() with granular context system
- --quiet: suppress terminal output, exit code only (CI/CD mode) - --ignore <rules>: skip specific rule IDs (comma-separated) - --fail-on <severity>: exit non-zero only at this severity or above - Filter ignored rules in ScanEngine.scanComponent() - Quiet mode works with --json/--sarif/--html for silent report generation
- Create FirmisIgnore class with load/shouldIgnore/parseIgnoreFile - Support three formats: rule ID, file glob, rule:file combo - Glob matching: **, *, ? patterns - Searches: project root, cwd, ~/.firmis/ - Integrate into ScanEngine: filter threats after collection - 17 unit tests + 1 integration test
Add 12 Python patterns to existing rule files: - credential-harvesting: os.environ, os.getenv, open(.ssh/) - data-exfiltration: requests.post/put, urllib, file uploads - suspicious-behavior: new sus-016 (exec, eval, pickle, yaml.unsafe_load, __import__) - privilege-escalation: subprocess.run/Popen, os.system, os.popen Extends coverage to CrewAI, MCP Python servers without AST.
Create rules/supply-chain.yaml with 5 rules: - supply-001: Known malicious NPM packages (event-stream, node-ipc, etc.) - supply-002: NPM typosquatting patterns (lodash, express, react, axios) - supply-003: Overly permissive version ranges (*, latest, >=) - supply-004: Dangerous postinstall scripts (curl, wget, node -e) - supply-005: Known malicious Python packages (colourama, jeIlyfish) Add 'supply-chain' and 'permission-overgrant' threat categories. Include 9 unit tests (7 active, 2 skipped for future Python parser).
Create rules/permission-overgrant.yaml with 3 rules: - perm-001: Wildcard permissions (shell:*, filesystem:*, network:*) - perm-002: Maximum blast radius combo (shell+network+filesystem) - perm-003: Dangerous tool declarations (shell, bash, exec tools) Targets OpenClaw skills with excessive permission requests.
- Add SecurityGrade type (A/B/C/D/F) and computeSecurityGrade() - A=no threats, B=LOW only, C=MEDIUM, D=HIGH, F=CRITICAL - Compute score in ScanEngine and include in ScanResult - Display colored grade in terminal reporter before summary - Automatically included in JSON/SARIF output
- 12 tests for permission-overgrant rules (wildcard, blast radius, tools, platform scoping) - 11 tests for security score A-F grading (all severity levels, edge cases, precedence) - Fixed SKILL.md path handling in tests (context detection requires /SKILL.md suffix) - Total: 205 tests passing (up from 182)
…sting 1. mem-004 cron pattern: double-escaped \\* in YAML matched empty strings, causing 17,874 false positives. Fixed escaping and required string context. 2. supply-005: request[sz] matched the English word "requests" (112 FPs). Changed to requestz only (actual typosquat). 3. supply-003: >= version range matched engine requirements like "node": ">=18". Narrowed to only match inside dependencies/devDependencies blocks. 4. prompt-010: <script> matched Vue <script setup> tags (52 FPs). Narrowed to only match <script> with external src attribute. 5. Added cred-011: API key detection for GitHub PATs, OpenAI/Anthropic keys, database connection strings, and Slack tokens. Before: 2770 threats across 3 platforms (2705 Claude FPs) After: 447 threats across 3 platforms (84% reduction)
- P0-1: Add { schema: JSON_SCHEMA } to openclaw.ts yaml.load() to prevent
code execution via YAML deserialization
- P0-2: Rule loader now warns and continues on file failure instead of
throwing and halting all rule loading
- P0-3: Track filesAnalyzed/filesNotAnalyzed in ComponentResult and
ScanSummary, cap grade at B when >20% files unanalyzable,
add runtimeRisksNotCovered disclaimer to ScanResult,
update terminal and HTML reporters to show coverage info
PM0-1: Create src/version.ts, fix 5 hardcoded version strings (terminal.ts, html.ts, sarif.ts, telemetry.ts, connector.ts) PM0-2: Add 'secret-detection' and 'tool-poisoning' to ThreatCategory PM0-3: Remove langchain/custom from PlatformType and PLATFORM_ANALYZERS, add .vscode/mcp.json to MCP configPaths PM0-4: Refactor patterns.ts (450 lines) into matchers/ modules (regex-matcher.ts, ast-matcher.ts, network-matcher.ts, index.ts) PM0-5: Refactor html.ts (495 lines) into html-styles.ts + html-sections.ts
…eport M0.1: Secret detection rules (60 rules, 156 regex patterns) - Covers Azure, Stripe, Square, PayPal, Twilio, SendGrid, Discord, Telegram, Firebase, Algolia, Datadog, HashiCorp Vault, Cloudflare, JWT, Hugging Face, Replicate, Supabase, and 40+ other platforms - Severity: 8 critical (payment/infra), ~30 high (cloud/API), ~22 medium M0.2: OSV vulnerability scanner integration - Native fetch to OSV.dev batch API with 10-second timeout - Parses package.json, requirements.txt, pyproject.toml - Maps CVEs to Firmis Threat objects (category: supply-chain, confidence: 100) - Graceful network failure handling (warn and continue) M0.3: Enhanced HTML report - A-F grade badge in header with color-coded circular display - Dark/light theme toggle with localStorage persistence - "Copy for Claude" button on each threat for AI-assisted remediation - Animated severity distribution bars - Runtime risks section for items not covered by static analysis - "Scanned by Firmis" footer badge
9 bugs found and fixed during matrix testing across all platforms: - F1: Fix SECURITY INVOKER false positive in Supabase AST parser (ast-sql-parser.ts checked existence not value of security option) - F2: Skip regex matches inside SQL/JS/shell comments (regex-matcher.ts) - F3: Lower documentation context multiplier 0.3→0.15 to eliminate FPs - F4+F5: Restructure malware-patterns and memory-poisoning into skill subdirectories so OpenClaw scanner discovers them - F6: Support JSON output to stdout (no --output required for --json) - F8: Fix supabase-secure USING(true) FP on public SELECT policy - F9: Fix MCP scanner to discover config files within directories Test suite: 228 pass, 11 skip, 0 fail (up from 219) - Un-skip documentation FP golden path test - Add supabase-secure grade A, codex-plugins grade A golden paths - Add malware-patterns, memory-poisoning, MCP directory must-catch tests - Track all test fixtures in git (remove overly broad gitignore)
Real-world testing against actual platform installs (MCP, OpenClaw,
Claude skills, Cursor extensions) revealed critical issues:
H1: sec-035 Vault token FP — legacy pattern `s.[A-Za-z0-9]{24}` matched
minified JS everywhere (540 false positives). Replaced with targeted
pattern requiring vault_token variable context.
H2: MCP threat duplication — same config file scanned per-server
(5 servers x 3 = 15 identical threats). Added dedup via
analyzedConfigFiles Set, reset per discover() cycle.
H3: `firmis scan <path>` without --platform ignored the path entirely,
scanning HOME directories instead. Now tries all platform analyzers
against the specified target path.
H4: Documentation 0.15x multiplier suppressed secrets in .md files.
Secret-detection rules now exempt from doc context multiplier
(a leaked API key in README.md IS a real finding).
H5: Added cloud metadata (IMDS) exfiltration rules — 169.254.169.254,
metadata.google.internal, Azure IMDS. Critical SSRF vector.
Added WebSocket exfiltration detection.
H8: Fixed Nanobot parseAgentMd() unsafe YAML loading — was using
yaml.load() without JSON_SCHEMA, enabling code execution via
malicious agent frontmatter.
Impact: real-world scan 1273 → 726 threats (-43%), sec-035: 540 → 0,
critical severity: 575 → 35 (-94%), MCP: 15 → 3 unique findings.
…arnings Supabase RLS/auth/storage scanning is infrastructure security, not agentic security. Removed the standalone platform scanner to focus on agent code, configs, dependencies, and behavior. Removed: - src/scanner/platforms/supabase/ (5 files) - src/scanner/platforms/supabase-deep/ (2 files) - src/cli/commands/supabase.ts - src/types/supabase.ts - rules/supabase-*.yaml (5 files) - 3 test files, 3 fixture directories - src/cloud/ (unused module) Updated: - PlatformType: 8 platforms (removed 'supabase') - engine.ts: removed SupabaseSemanticAnalyzer - UNIFIED-PLAN-v5.md -> v5.1: reflects v1.2.0 state - SCANNER-AUDIT: marked Supabase findings as historical Kept: - SUPABASE_SERVICE_ROLE_KEY detection in secret-detection.yaml 199 tests pass, 0 fail.
Sprint A (immediate): tool-poisoning rules, network-abuse rules, file-system-abuse rules, comment filter fix, YARA matcher. Sprint B (next): supply chain expansion, Python cred paths, multilingual prompt injection. Maps all FN audit findings to specific sprint tasks.
…se + expanded cred/memory rules - New rules/tool-poisoning.yaml: 5 rules (tp-001 through tp-005) for MCP tool description injection, prompt override, tool shadowing, config injection, sensitive params - New rules/network-abuse.yaml: 5 rules (net-001 through net-005) for bind shells, raw sockets, SSH tunneling, proxy/Tor, DNS covert channels - New rules/file-system-abuse.yaml: 6 rules (fs-001 through fs-006) for /proc enumeration, log manipulation, system account files, symlink attacks, kernel memory, insecure permissions - Extended agent-memory-poisoning.yaml: +3 rules (mem-005/006/007) for Copilot instructions, AGENTS.md, .aider/ config - Extended credential-harvesting.yaml: +4 rules (cred-012/013/014/015) for Azure CLI, AWS SSO cache, Vault tokens, container env theft - Fixed comment filter in regex-matcher.ts that suppressed real detections (FN-HIGH-1) - All 3 previously empty threat categories now have active rules - 199 tests pass, 0 regressions
- New src/rules/matchers/yara-matcher.ts: Pure TS YARA-like engine - Text string matching with case-insensitive modifier - Hex byte patterns with ?? wildcards - Regex string matching - Condition evaluator: "any of", "all of", "N of", prefix groups ($prefix*) - New rules/malware-signatures.yaml: 6 YARA rules - yara-001: Obfuscated base64 payloads (multi-layer encoding + eval) - yara-002: Reverse shell patterns (bash/python/nc/perl/php/ruby/node) - yara-003: Credential stealer signatures (cred access + exfil correlation) - yara-004: Package.json hijacking (install hooks + encoded payloads) - yara-005: Coin miner signatures (stratum, pool, wallet, binary refs) - yara-006: RAT/backdoor patterns (C2 polling, keylogger, persistence) - Added 'yara' to PatternType union, YaraPattern/YaraString types - Wired into pattern dispatcher and evidence type mapper - 20 new tests: unit (text/hex/regex/conditions) + integration (all 6 rules) - 219 tests pass, 0 regressions
- New `firmis discover` CLI command for full agent stack inventory - AI dependency detector (24 npm + 22 pip packages across 4 categories) - Model file detector (GGUF, SafeTensors, ONNX, PyTorch, Ollama, HuggingFace) - Structured JSON output with platform, component, and metadata details - 52 new unit tests for discover, dep-detector, and model-detector modules
- New `firmis bom` CLI command generating CycloneDX 1.7 ML-BOM JSON - Zero new dependencies — generates valid CycloneDX JSON directly - firmis:agent:* property namespace for risk-score, permissions, model metadata - Component types: application, library, machine-learning-model - PURL support for npm and pip dependencies - Dependency graph with root → platform components → libraries - 10 unit tests for BOM generator
…tiplier fix - Add 3 new rule files: agent-autonomy-abuse, agent-config-integrity, multi-agent-threats - Update suspicious-behavior and tool-poisoning rules with tighter context matching - Add cross-agent-propagation threat category and supabase platform type - Add SupabaseAnalyzer platform with config.toml detection - Add content size cap (MAX_CONTENT_SIZE) and file limit constants - Update regex-matcher with test_file context detection (0.15x multiplier) - Update yara-matcher with Agent of Chaos attack vector patterns - Move malicious test fixtures to samples/ to avoid test_file confidence suppression - Add 10 new unit test files covering new rules and detection capabilities
Add rule to never include Co-Authored-By trailers in public repo commits.
License was incorrectly shown as MIT in badge and footer. Updated example output versions from v1.0.0/v1.1.0 to v1.4.1.
- Script computes rule count, platform count, category count, and version from source files and patches README markers - GitHub Action runs on push to main when rules, package.json, or platform files change - Updates hero description, feature table, diff comparison, and example versions
Bumps [esbuild](https://github.com/evanw/esbuild) to 0.27.3 and updates ancestor dependencies [esbuild](https://github.com/evanw/esbuild), [@vitest/coverage-v8](https://github.com/vitest-dev/vitest/tree/HEAD/packages/coverage-v8) and [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest). These dependencies need to be updated together. Updates `esbuild` from 0.21.5 to 0.27.3 - [Release notes](https://github.com/evanw/esbuild/releases) - [Changelog](https://github.com/evanw/esbuild/blob/main/CHANGELOG-2024.md) - [Commits](evanw/esbuild@v0.21.5...v0.27.3) Updates `@vitest/coverage-v8` from 1.6.1 to 4.0.18 - [Release notes](https://github.com/vitest-dev/vitest/releases) - [Commits](https://github.com/vitest-dev/vitest/commits/v4.0.18/packages/coverage-v8) Updates `vitest` from 1.6.1 to 4.0.18 - [Release notes](https://github.com/vitest-dev/vitest/releases) - [Commits](https://github.com/vitest-dev/vitest/commits/v4.0.18/packages/vitest) --- updated-dependencies: - dependency-name: esbuild dependency-version: 0.27.3 dependency-type: indirect - dependency-name: "@vitest/coverage-v8" dependency-version: 4.0.18 dependency-type: direct:development - dependency-name: vitest dependency-version: 4.0.18 dependency-type: direct:development ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [devalue](https://github.com/sveltejs/devalue) from 5.6.3 to 5.6.4. - [Release notes](https://github.com/sveltejs/devalue/releases) - [Changelog](https://github.com/sveltejs/devalue/blob/main/CHANGELOG.md) - [Commits](sveltejs/devalue@v5.6.3...v5.6.4) --- updated-dependencies: - dependency-name: devalue dependency-version: 5.6.4 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
- README: new "Scan Any Agent Framework" section - AGENTS.md: generic scanning subsection, fix rule count 212→227 - docs-site: new guide for scanning any agent framework Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
All references updated to reflect the new GitHub organization.
…negative weights - Separate BOM (U+FEFF) into its own pattern with weight 75 (may be benign at offset 0) - Zero-width space/non-joiner pattern description clarified - Loader now allows negative weights (down to -50) for suppression patterns
…te/devalue-5.6.4 chore(deps): bump devalue from 5.6.3 to 5.6.4 in /docs-site
…2e68fba97 chore(deps): bump esbuild, @vitest/coverage-v8 and vitest
- Package name: firmis-scanner to firmis-cli in all install commands - GitHub org: riteshkew/ to firmislabs/ in all URLs - Rule count: standardized to 227 (was 209/212/245 in various places) - Threat categories: standardized to 17 - Badge color: violet to emerald (#059669) - Em dashes removed from all copy - MDX build error fixed (curly braces in built-in-rules source YAML) - Platform counts: removed hardcoded numbers
Documentation now lives at https://github.com/firmislabs/firmis-labs-landing/docs-site Deployed to docs.firmislabs.com from the landing repo.
… total) New categories: third-party-content (6 rules), credential-extraction (3), permission-bypass (3), unsupervised-execution (3). Synced from firmis-engine.
Bumps [flatted](https://github.com/WebReflection/flatted) from 3.4.1 to 3.4.2. - [Commits](WebReflection/flatted@v3.4.1...v3.4.2) --- updated-dependencies: - dependency-name: flatted dependency-version: 3.4.2 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
bot
added
dependencies
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bumps flatted from 3.4.1 to 3.4.2.
Commits
3bf09093.4.2885ddccfix CWE-13210bdba70added flatted-view to the benchmarkDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.