Pipeline · Phase 3
Static Analysis — 15 regex rules on file content.
Triggered only on Write / Edit actions, where there's actual file content to scan. The same engine that powers /nio scan runs here against the about-to-be-written content, including a base64 decode-and-rescan pass.
| Property | Value |
|---|---|
| Latency | <50ms |
| Scope | Write / Edit only |
| Engine | StaticAnalyser · 15 regex rules + base64 decode |
| Score weight | scoring_weights.static — default 1.0 |
| Short-circuit | any CRITICAL finding → deny immediately |
The 15 rules
This is the same rule set used by the on-demand /nio scan. See /nio scan for the full table; a condensed version follows:
| Category | Rules | Severity |
|---|---|---|
| Execution | SHELL_EXEC, AUTO_UPDATE, REMOTE_LOADER | HIGH–CRIT |
| Secrets | READ_ENV_SECRETS, READ_SSH_KEYS, READ_KEYCHAIN, PRIVATE_KEY_PATTERN | MED–CRIT |
| Exfiltration | NET_EXFIL_UNRESTRICTED, WEBHOOK_EXFIL | HIGH–CRIT |
| Obfuscation | OBFUSCATION, PROMPT_INJECTION | HIGH–CRIT |
| Trojan / SE | TROJAN_DISTRIBUTION, SUSPICIOUS_PASTE_URL, SUSPICIOUS_IP, SOCIAL_ENGINEERING | MED–CRIT |
Configuration that affects this phase
Add custom regexes to any rule module via guard.file_scan_rules. Modules: shell_exec, remote_loader, secrets, obfuscation, prompt_injection, exfiltration, trojan.
```yaml
guard:
  file_scan_rules:
    shell_exec:
      - "my_unsafe_exec\\("
    secrets:
      - "INTERNAL_API_KEY"
```
Tune Phase 3's contribution to the final score with scoring_weights.static.
Example
```js
// suspicious.js (about to be written)
eval(atob("Y3VybCBldmlsLi4u"))
```

```
matches: OBFUSCATION + SHELL_EXEC
score: 0.78
```
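One way a decode-and-rescan pass can yield both matches from that single line, as an added sketch that is not nio's own code. The two regexes, the 16-character base64 threshold and the function names are assumptions for illustration; only the rule names and the sample come from this page.

```python
import base64
import binascii
import re

# Illustrative patterns only: nio's real rule regexes are not shown on this page.
RULES = {
    "OBFUSCATION": re.compile(r"\beval\s*\(\s*atob\s*\("),
    "SHELL_EXEC": re.compile(r"\b(?:curl|wget|bash|sh)\s+\S"),
}
# Runs of base64 alphabet worth decoding; the 16-char minimum is an assumption.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def match_rules(text):
    """Return the names of all rules whose pattern occurs in text."""
    return {name for name, pattern in RULES.items() if pattern.search(text)}


def decoded_payloads(text):
    """Yield the UTF-8 text hidden in each valid base64 run found in text."""
    for run in B64_RUN.findall(text):
        if len(run) % 4:
            continue  # not a whole number of base64 quanta
        try:
            yield base64.b64decode(run, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not base64, or binary data the text rules cannot read


def scan(content):
    """Scan content, then rescan every decoded base64 payload.

    Returns {rule_name: "raw" or "decoded"}, recording where each rule first hit.
    """
    findings = {name: "raw" for name in match_rules(content)}
    for payload in decoded_payloads(content):
        for name in match_rules(payload):
            findings.setdefault(name, "decoded")
    return findings


# The sample from this page, plus a constructed benign string ("hello world!").
SUSPICIOUS = '// suspicious.js (about to be written)\neval(atob("Y3VybCBldmlsLi4u"))'
BENIGN = 'const greeting = "aGVsbG8gd29ybGQh";'

if __name__ == "__main__":
    print(scan(SUSPICIOUS))
    print(scan(BENIGN))
```

In this sketch the shell command is visible only after decoding, so without the second pass the sample would match OBFUSCATION alone.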