← 返回
未分类 Key 中文

regexguard

Regex safety & correctness analyzer -- detects catastrophic backtracking, portability errors, correctness bugs, maintainability issues, anchoring problems, a...
正则表达式安全与正确性分析器——检测灾难性回溯、可移植性错误、正确性缺陷、可维护性问题、锚定问题等...
suhteevah suhteevah 来源
未分类 clawhub v1.0.2 1 版本 100000 Key: 需要
★ 0
Stars
📥 309
下载
💾 0
安装
1
版本
#latest

概述

RegexGuard -- Regex Safety & Correctness Analyzer

RegexGuard scans codebases for regex anti-patterns: catastrophic backtracking (ReDoS), portability errors across engines, correctness bugs, maintainability issues, anchoring and boundary problems, and pattern injection risks. It uses regex-based pattern matching against 90 regex-specific patterns across 6 categories, lefthook for git hook integration, and produces markdown reports with actionable remediation guidance. 100% local. Zero telemetry.

Note: RegexGuard focuses on regex patterns found in source code (JavaScript, Python, Go, Java, Ruby, shell scripts, config files). It detects anti-patterns in how regexes are written, constructed, and used.

Commands

Free Tier (No license required)

regexguard scan [file|directory]

One-shot regex safety scan of files or directories.

How to execute:

bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [target]

What it does:

  1. Accepts a file path or directory (defaults to current directory)
  2. Discovers all source files (skips .git, node_modules, binaries, images, .min.js)
  3. Runs 30 regex patterns against each file (free tier limit)
  4. Calculates a regex quality score (0-100) per file and overall
  5. Grades: A (90-100), B (80-89), C (70-79), D (60-69), F (<60)
  6. Outputs findings with: file, line number, check ID, severity, description, recommendation
  7. Exit code 0 if score >= 70, exit code 1 if regex quality is poor
  8. Free tier limited to first 30 patterns (CB + PE categories)

Example usage scenarios:

  • "Scan my code for regex issues" -> runs regexguard scan .
  • "Check this file for ReDoS vulnerabilities" -> runs regexguard scan src/validators.ts
  • "Find catastrophic backtracking patterns" -> runs regexguard scan src/
  • "Check for non-portable regex syntax" -> runs regexguard scan .
  • "Audit regex patterns for correctness" -> runs regexguard scan .

Pro Tier ($19/user/month -- requires REGEXGUARD_LICENSE_KEY)

regexguard scan --tier pro [file|directory]

Extended scan with 60 patterns covering backtracking, portability, correctness, and maintainability.

How to execute:

bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [target] --tier pro

What it does:

  1. Validates Pro+ license
  2. Runs 60 regex patterns (CB, PE, CE, MA categories)
  3. Detects correctness bugs like unescaped dots, bad character class ranges
  4. Identifies maintainability issues: overly complex patterns, missing comments
  5. Full category breakdown reporting

regexguard scan --format json [directory]

Generate JSON output for CI/CD integration.

bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [directory] --format json

regexguard scan --format html [directory]

Generate HTML report for browser viewing.

bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [directory] --format html

regexguard scan --category CB [directory]

Filter scan to a specific check category (CB, PE, CE, MA, AN, PI).

bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [directory] --category CB

Team Tier ($39/user/month -- requires REGEXGUARD_LICENSE_KEY with team tier)

regexguard scan --tier team [directory]

Full scan with all 90 patterns across all 6 categories including anchoring and injection.

How to execute:

bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [directory] --tier team

What it does:

  1. Validates Team+ license
  2. Runs all 90 patterns across 6 categories
  3. Includes anchoring checks (missing ^/$, multiline flag gaps, \b misuse)
  4. Includes pattern injection checks (unsanitized user input, DoS vectors)
  5. Full category breakdown with per-file results

regexguard scan --verbose [directory]

Verbose output showing every matched line and pattern details.

bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [directory] --verbose

regexguard status

Show license and configuration information.

bash "<SKILL_DIR>/scripts/dispatcher.sh" status

regexguard patterns

List all 90 detection patterns across all categories.

bash "<SKILL_DIR>/scripts/dispatcher.sh" patterns

Check Categories

RegexGuard detects 90 regex anti-patterns across 6 categories:

| Category | Code | Patterns | Description | Severity Range |

|----------|------|----------|-------------|----------------|

| Catastrophic Backtracking | CB | 15 | Nested quantifiers, exponential patterns, ReDoS vectors, overlapping greed | low -- critical |

| Portability Errors | PE | 15 | Non-POSIX features, engine-specific syntax, lookbehind gaps, Unicode escapes | low -- high |

| Correctness Errors | CE | 15 | Unescaped dots, bad character class ranges, greedy vs lazy, redundant quantifiers | low -- high |

| Maintainability Issues | MA | 15 | Overly complex patterns, missing comments, duplication, magic regex strings | low -- high |

| Anchoring & Boundaries | AN | 15 | Missing ^/$, \b misuse, multiline flag gaps, validation anchor bypass | low -- critical |

| Pattern Injection | PI | 15 | Unsanitized user input in regex, string concat into RegExp, DoS vectors | low -- critical |

Tier-Based Pattern Access

| Tier | Patterns | Categories |

|------|----------|------------|

| Free | 30 | CB, PE |

| Pro | 60 | CB, PE, CE, MA |

| Team | 90 | CB, PE, CE, MA, AN, PI |

| Enterprise | 90 | CB, PE, CE, MA, AN, PI + priority support |

Scoring

RegexGuard uses a deductive scoring system starting at 100 (perfect):

| Severity | Point Deduction | Description |

|----------|-----------------|-------------|

| Critical | -25 per finding | Severe risk (ReDoS, injection, missing validation anchors) |

| High | -15 per finding | Significant problem (portability bugs, correctness errors) |

| Medium | -8 per finding | Moderate concern (engine-specific features, maintainability) |

| Low | -3 per finding | Informational / best practice suggestion |

Grading Scale

| Grade | Score Range | Meaning |

|-------|-------------|---------|

| A | 90-100 | Excellent regex quality |

| B | 80-89 | Good patterns with minor issues |

| C | 70-79 | Acceptable but needs improvement |

| D | 60-69 | Poor regex quality |

| F | Below 60 | Critical regex problems |

  • Pass threshold: 70 (Grade C or better)
  • Exit code 0 = pass (score >= 70)
  • Exit code 1 = fail (score < 70)

Configuration

Users can configure RegexGuard in ~/.openclaw/openclaw.json:

{
  "skills": {
    "entries": {
      "regexguard": {
        "enabled": true,
        "apiKey": "YOUR_LICENSE_KEY_HERE",
        "config": {
          "severityThreshold": "medium",
          "ignorePatterns": ["**/test/**", "**/fixtures/**", "**/*.test.*"],
          "ignoreChecks": [],
          "reportFormat": "text"
        }
      }
    }
  }
}

Important Notes

  • Free tier works immediately with no configuration
  • All scanning happens locally -- no code is sent to external servers
  • License validation is offline -- no phone-home or network calls
  • Pattern matching only -- no AST parsing, no external dependencies beyond bash
  • Supports scanning all file types in a single pass
  • Git hooks use lefthook which must be installed (see install metadata above)
  • Exit codes: 0 = pass (score >= 70), 1 = fail (for CI/CD integration)
  • Output formats: text (default), json, html

Error Handling

  • If lefthook is not installed and user tries hooks, prompt to install it
  • If license key is invalid or expired, show clear message with link to https://regexguard.pages.dev/renew
  • If a file is binary, skip it automatically with no warning
  • If no scannable files found in target, report clean scan with info message
  • If an invalid category is specified with --category, show available categories

When to Use RegexGuard

The user might say things like:

  • "Scan my code for regex issues"
  • "Check for catastrophic backtracking"
  • "Find ReDoS vulnerabilities in my patterns"
  • "Check for non-portable regex syntax"
  • "Audit regex correctness in my codebase"
  • "Find regex injection risks"
  • "Check if my validation regex has proper anchors"
  • "Detect overly complex regex patterns"
  • "Scan for regex portability problems"
  • "Find unsafe dynamic regex construction"
  • "Run a regex quality audit"
  • "Generate a regex health report"
  • "Check for unescaped dots in my patterns"
  • "Find missing anchors in validation regex"
  • "Check for user input in regex constructors"

版本历史

共 1 个版本

  • v1.0.2 当前
    2026-05-07 21:26 安全 安全

安全检测

腾讯云安全 (Keen)

安全,无风险
查看报告

腾讯云安全 (Sanbu)

安全,无风险
查看报告

🔗 相关推荐

it-ops-security

1password

steipete
设置和使用 1Password CLI (op)。适用于:安装 CLI、启用桌面应用集成、登录(单/多账户)、通过 op 读取/注入/运行密钥。
★ 53 📥 31,999
it-ops-security

MoltGuard - Security & Antivirus & Guardrails

thomaslwang
MoltGuard — OpenClaw 安全守卫,由 OpenGuardrails 提供。安装后可防止您和您的用户受到提示注入、数据泄露及恶意行为的侵害。
★ 116 📥 31,047
dev-programming

DocSync

suhteevah
使用 git hooks 自动生成并同步文档;利用 tree‑sitter 解析和语义差异在本地检测并修复文档漂移。
★ 0 📥 1,432