fix(engine): eliminate false positives from invalid regex fallback (#24)

Go's RE2 does not support negative lookahead. Two rules (JS-014 and
K8S-003) used `(?!...)` patterns that failed to compile and fell back
to `$^`, which still matches empty strings, causing findings on every
blank line. Reported in issue #24 on plain Next.js config files.

- mustCompile: replace `$^` fallback with `[^\s\S]` (truly never matches)
- JS-014: rewrite using Pattern `.then(` + AntiPattern `.catch(`, reusing
  the existing AntiPattern mechanism
- K8S-003: remove the rule; its multi-line YAML check cannot be
  expressed in RE2 and the engine scans line-by-line. Will return when
  a YAML-aware check lands.

Closes #24

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Author: filipi86

internal/engine/engine.go

@@ -184,11 +184,13 @@ func buildSnippet(lines []string, lineNum, context int) string {
 	return strings.Join(lines[start:end], "\n")
 }
 
-// mustCompile compiles regex or returns a never-matching pattern on error
+// mustCompile compiles regex or returns a never-matching pattern on error.
+// The fallback uses [^\s\S] because `$^` still matches empty strings (blank
+// lines), which caused false positives for rules with invalid regex.
 func mustCompile(pattern string) *regexp.Regexp {
 	re, err := regexp.Compile(pattern)
 	if err != nil {
-		return regexp.MustCompile(`$^`) // never matches
+		return regexp.MustCompile(`[^\s\S]`) // truly never matches
 	}
 	return re
 }

internal/engine/rules_javascript.go

@@ -239,18 +239,21 @@ func javascriptRules() []Rule {
 			Remediation: "Remove sensitive data from logs. Use structured logging with field-level masking. Implement a centralized logging strategy.",
 		},
 
-		// A10:2025 - Unhandled promise rejection
+		// A10:2025 - Unhandled promise rejection.
+		// Go RE2 has no negative lookahead, so we detect `.then(` with Pattern
+		// and suppress when `.catch(` is present on the same line via AntiPattern.
 		{
 			ID:       "JS-014",
 			Language: config.LangJavaScript,
 			Severity: config.SeverityLow,
 			Title:    "Unhandled promise rejection",
 			Description: "Promise chains without .catch() or async functions without try/catch can " +
 				"cause unexpected application behavior and hide security errors.",
-			Pattern: mustCompile(`\.then\s*\([^)]+\)\s*(?!\.catch)`),
-			OWASP:   config.OWASP_A10_MishandlingExceptionalConditions,
-			CWE:     "CWE-390",
-			CVSS:    3.7,
+			Pattern:     mustCompile(`\.then\s*\(`),
+			AntiPattern: mustCompile(`\.catch\s*\(`),
+			OWASP:       config.OWASP_A10_MishandlingExceptionalConditions,
+			CWE:         "CWE-390",
+			CVSS:        3.7,
 			References: []string{
 				"https://cwe.mitre.org/data/definitions/390.html",
 			},

internal/engine/rules_other.go

@@ -349,15 +349,11 @@ func kubernetesRules() []Rule {
 			References:  []string{"https://cwe.mitre.org/data/definitions/250.html"},
 			Remediation: "Remove privileged: true. Use specific capabilities (add: [NET_BIND_SERVICE]) instead of full privileges.",
 		},
-		{
-			ID: "K8S-003", Language: config.LangKubernetes, Severity: config.SeverityMedium,
-			Title:       "Resource limits not set",
-			Description: "Containers without CPU/memory limits can be used for resource exhaustion DoS.",
-			Pattern:     mustCompile(`(?i)containers:\s*\n(?:(?!resources:)[\s\S]){1,500}image:`),
-			OWASP:       config.OWASP_A02_SecurityMisconfiguration, CWE: "CWE-770", CVSS: 5.3,
-			References:  []string{"https://cwe.mitre.org/data/definitions/770.html"},
-			Remediation: "Always set resources.limits.cpu and resources.limits.memory for all containers.",
-		},
+		// K8S-003 (Resource limits not set) was removed: the original pattern used
+		// a multi-line negative lookahead which RE2 does not support, and the
+		// engine scans line-by-line, so this check cannot be implemented as a
+		// regex. Proper detection requires a YAML parser and will be reintroduced
+		// when that support lands.
 		{
 			ID: "K8S-004", Language: config.LangKubernetes, Severity: config.SeverityHigh,
 			Title:       "Hardcoded secret in environment variable",

internal/leaks/detector.go

@@ -559,11 +559,13 @@ func (d *Detector) loadRules() {
 	}
 }
 
-// mustCompile compiles a regex or returns never-matching pattern
+// mustCompile compiles a regex or returns never-matching pattern.
+// `$^` still matches empty strings (blank lines), so we use [^\s\S]
+// which cannot match any character.
 func mustCompile(pattern string) *regexp.Regexp {
 	re, err := regexp.Compile(pattern)
 	if err != nil {
-		return regexp.MustCompile(`$^`)
+		return regexp.MustCompile(`[^\s\S]`)
 	}
 	return re
 }