removed csp because of backend frameworks

Chrilleweb · Chrilleweb · commit 592b8a268c1c · 2025-12-09T18:02:25.000+01:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -59,6 +59,9 @@ This project follows [Keep a Changelog](https://keepachangelog.com/) and [Semant
 ### Fixed
 - Duration refactored for better code maintainability.
 
+## Changed
+- Removed CSP detection from codebase scanner, as it was causing false positives in some cases for backend frameworks.
+
 ## [2.3.4] - 2025-11-05
 ### Fixed
 - Fixed issue where CSP detection was not working as expected in some file types.
diff --git a/src/config/types.ts b/src/config/types.ts
@@ -157,7 +157,6 @@ export interface ScanResult {
     env?: Array<{ key: string; count: number }>;
     example?: Array<{ key: string; count: number }>;
   };
-  hasCsp?: boolean;
   frameworkWarnings?: frameworkWarning[];
   exampleWarnings?: ExampleSecretWarning[];
   logged: EnvUsage[];
@@ -220,7 +219,6 @@ export interface ScanJsonEntry {
     env?: Array<{ key: string; count: number }>;
     example?: Array<{ key: string; count: number }>;
   };
-  hasCsp?: boolean;
   logged?: Array<{
     variable: string;
     file: string;
diff --git a/src/core/cspDetector.ts b/src/core/cspDetector.ts
diff --git a/src/services/codeBaseScanner.ts b/src/services/codeBaseScanner.ts
@@ -5,7 +5,6 @@ import {
   detectSecretsInSource,
   type SecretFinding,
 } from '../core/secretDetectors.js';
-import { hasCspInSource } from '../core/cspDetector.js';
 import { DEFAULT_EXCLUDE_PATTERNS } from '../core/patterns.js';
 import { scanFile } from '../core/scanFile.js';
 import { findFiles } from './fileWalker.js';
@@ -26,16 +25,10 @@ export async function scanCodebase(opts: ScanOptions): Promise<ScanResult> {
   let filesScanned = 0;
   const allSecrets: SecretFinding[] = [];
 
-  let hasCsp = false;
-
   for (const filePath of files) {
     try {
       const content = await fs.readFile(filePath, 'utf-8');
 
-      if (!hasCsp && hasCspInSource(content)) {
-        hasCsp = true;
-      }
-
       const fileUsages = await scanFile(filePath, content, opts);
       allUsages.push(...fileUsages);
       if (opts.secrets) {
@@ -80,7 +73,6 @@ export async function scanCodebase(opts: ScanOptions): Promise<ScanResult> {
       env: [],
       example: [],
     },
-    hasCsp: hasCsp,
     logged: loggedVariables,
   };
 }
diff --git a/src/services/scanOutputToConsole.ts b/src/services/scanOutputToConsole.ts
@@ -14,7 +14,6 @@ import { printSuccess } from '../ui/shared/printSuccess.js';
 import { printStrictModeError } from '../ui/shared/printStrictModeError.js';
 import { printFixTips } from '../ui/shared/printFixTips.js';
 import { printAutoFix } from '../ui/shared/printAutoFix.js';
-import { printCspWarning } from '../ui/scan/printCspWarning.js';
 import { printFrameworkWarnings } from '../ui/scan/printFrameworkWarnings.js';
 import { printExampleWarnings } from '../ui/scan/printExampleWarnings.js';
 import { printConsolelogWarning } from '../ui/scan/printConsolelogWarning.js';
@@ -123,9 +122,6 @@ export function outputToConsole(
   // Console log usage warning
   printConsolelogWarning(scanResult.logged ?? [], isJson);
 
-  // CSP warning
-  printCspWarning(scanResult.hasCsp, isJson);
-
   // Expiration warnings
   printExpireWarnings(scanResult.expireWarnings ?? [], isJson);
 
diff --git a/src/ui/scan/printCspWarning.ts b/src/ui/scan/printCspWarning.ts
diff --git a/test/e2e/cli.autoscan.e2e.test.ts b/test/e2e/cli.autoscan.e2e.test.ts
@@ -246,37 +246,6 @@ describe('no-flag autoscan', () => {
     expect(res.stdout).not.toContain('SECRET_KEY');
   });
 
-  it('warns about missing CSP when scanning codebase', () => {
-    const cwd = tmpDir();
-
-    fs.mkdirSync(path.join(cwd, 'src'), { recursive: true });
-    fs.writeFileSync(
-      path.join(cwd, 'src', 'index.ts'),
-      `const url = "https://example.com";`,
-    );
-
-    const res = runCli(cwd, []);
-    expect(res.status).toBe(0);
-    expect(res.stdout).toContain('CSP is missing');
-  });
-
-  it('does not warn about CSP when CSP is present in codebase', () => {
-    const cwd = tmpDir();
-
-    fs.mkdirSync(path.join(cwd, 'src'), { recursive: true });
-    fs.writeFileSync(
-      path.join(cwd, 'src', 'index.ts'),
-      `
-      <head>
-        <meta http-equiv="Content-Security-Policy" content="default-src 'self';">
-      </head>
-    `,
-    );
-
-    const res = runCli(cwd, []);
-    expect(res.status).toBe(0);
-    expect(res.stdout).not.toContain('CSP is missing');
-  });
   it('should warn about potential secret foound i .env.example', () => {
     const cwd = tmpDir();
 
