ast/cors-credentials-with-any-origin

CORS misconfiguration: credentials enabled with permissive origin

Severity: high · Type: AST · Category: cors · CWE-942 · Languages: js · ts

What it detects

A `cors(...)` config sets `origin` to `'*'` or `true` while also enabling `credentials: true`. Even if the browser blocks the exact spec violation, the deployment is one config drift away from echoing the request `Origin` header back as `Access-Control-Allow-Origin` — at which point any site can read authenticated responses. Set an explicit origin allow-list (`origin: ['https://app.example.com']`) or a function that validates against one.
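As an added example (not code from this rule or from the `cors` package), the flagged configuration beside a hardened one that validates the request `Origin` against an explicit allow-list, plus a small check that mirrors this rule's condition on a plain options object. The hostname `app.example.com` and the Express setup in the trailing comment are assumptions.

```javascript
// Weak: the shape this rule flags, a permissive origin combined with credentials.
const weakCorsOptions = { origin: '*', credentials: true };

// Hardened: an explicit allow-list of full origins (scheme + host + port).
// Constructed value; the `cors` package also accepts this array directly as `origin`.
const ALLOWED_ORIGINS = new Set(['https://app.example.com']);

// Origin callback in the shape the `cors` middleware accepts:
// (requestOrigin, callback) -> callback(err, allow)
function validateOrigin(requestOrigin, callback) {
  // Requests without an Origin header (curl, server-to-server) get no
  // Access-Control-Allow-Origin header at all.
  if (!requestOrigin) return callback(null, false);
  // Exact match only: a prefix or substring check would admit look-alike origins.
  if (ALLOWED_ORIGINS.has(requestOrigin)) return callback(null, true);
  return callback(null, false);
}

const hardenedCorsOptions = { origin: validateOrigin, credentials: true };

// Mirrors the rule's condition: credentials enabled while origin is '*' or true.
function isCredentialedWildcard(options) {
  if (!options || options.credentials !== true) return false;
  return options.origin === '*' || options.origin === true;
}

// Synchronous helper: what the hardened callback decides for a given Origin value.
function originAllowed(requestOrigin) {
  let decision = null;
  validateOrigin(requestOrigin, (err, allow) => { decision = allow; });
  return decision;
}

// Assumed usage in an Express app (left as a comment so the block runs offline):
// const cors = require('cors');
// app.use(cors(hardenedCorsOptions));
```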

How it runs

Each file scanned is parsed with the TypeScript Compiler API (via ts-morph). This rule walks the AST looking for the call shape and user-input flow described above. Files larger than 200 KB, or that fail to parse, are skipped.

Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a .repoguardignore line.