feat(audit): white-box code audit suite (sinks/endpoints/hotspots)

.gitignore

@@ -12,6 +12,10 @@ proxy-*/
 .vscode/
 .idea/
 
+# Python (audit-hotspots + tests)
+__pycache__/
+*.pyc
+
 # OS
 .DS_Store
 Thumbs.db

.pre-commit-config.yaml

@@ -7,6 +7,7 @@ repos:
         entry: shellcheck -x
         language: system
         files: '^(bin/dotsec|bin/dotsec-build|lib/.*\.sh|tests/integration-smoke\.sh|tests/stubs/.*|\.github/scripts/.*\.sh|exegol/my-resources/bin/[^/]+|exegol/my-resources/deploy\.sh)$'
+        exclude: '^exegol/my-resources/bin/audit-hotspots$'
       - id: bats
         name: bats
         entry: bats tests/

Makefile

@@ -131,7 +131,7 @@ test:  ## Run bats tests
 	@bats tests/
 
 lint:  ## shellcheck all bash (uses .shellcheckrc)
-	@shellcheck -x bin/dotsec bin/dotsec-build lib/*.sh tests/integration-smoke.sh exegol/my-resources/bin/* exegol/my-resources/deploy.sh && echo "[+] shellcheck clean"
+	@shellcheck -x bin/dotsec bin/dotsec-build lib/*.sh tests/integration-smoke.sh $$(ls exegol/my-resources/bin/* | grep -v '/audit-hotspots$$') exegol/my-resources/deploy.sh && echo "[+] shellcheck clean"
 
 smoke:  ## Docker integration smoke (requires docker + make build)
 	@bash tests/integration-smoke.sh

README.md

@@ -151,7 +151,7 @@ via `make exegol-setup` (also run by `make install`).
 The bundle includes:
 - **recon** scripts: `recon-subs`, `recon-alive`, `recon-fingerprint`, `recon-portscan`, `recon-screenshot`, `recon-crawl`, `recon-urls`, `recon-loot`, `recon-extract`, `recon-sourcemaps`, `recon-full`, `dl`
 - **scan** scripts: `scan-nuclei` (vuln scan), `scan-takeover` (dangling CNAME; subzy → nuclei fallback)
-- **audit** scripts: `audit-code` (trufflehog + gitleaks + semgrep + osv-scanner over the `code/` zone)
+- **audit** scripts: `audit-code` (secrets/SAST/SCA), `audit-sinks` (dangerous functions), `audit-endpoints` (routes + JS surface), `audit-hotspots` (ranked candidates), `audit-full`
 - Shell aliases and preloaded history
 - `load_user_setup.sh`: idempotent installer for the tools the scripts need that the base image lacks (xnLinkFinder, waymore, sourcemapper, osv-scanner, …)
 
@@ -167,6 +167,7 @@ recon-full       # discovery → portscan → screenshots → crawl → loot →
 scan-nuclei      # vulnerability scan of the alive hosts (routed through the proxy)
 scan-takeover    # subdomain takeover check
 audit-code       # white-box audit of recovered source / sourcemaps
+audit-full       # full white-box pass: secrets + SCA + sinks + endpoints + ranked hotspots
 ```
 
 On first container start, Exegol auto-runs `/opt/my-resources/setup/load_user_setup.sh`.