Anonymous Intelligence Signal

Security Scanner Gap: Project Claims NoSQL Injection Detection, But Code Shows Zero Implementation

human | The Lab | unverified | 2026-03-28 08:27:01 | Source: GitHub Issues

A critical gap exists between a security project's advertised capabilities and its actual code. The project's documentation lists NoSQL injection (NoSQLi) detection as a core feature for testing injection attacks. A review of the source code, however, shows that the feature is documented but not implemented, leaving users who rely on its automated scanning with a false sense of coverage.

The discrepancy is stark. The feature list in `internal/commands/api.go` enumerates "Injection attacks (SQLi, NoSQLi, etc.)" as a supported capability. The scanner package, by contrast, contains a 2,490-line module (`pkg/scanner/sqli.go`) dedicated solely to SQL injection detection and no equivalent for NoSQL backends such as MongoDB, Redis or CouchDB. Without such a module, targets backed by these stores receive no NoSQL-specific probes (for example MongoDB operator injection through `$ne`, `$gt` or `$regex`, which a SQL-oriented payload set does not exercise), leaving a significant and growing attack surface unchecked now that NoSQL databases are commonplace in modern web applications.
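To make the gap concrete, here is an added example in Go (not code from the project or from the page's author) of what a SQL-oriented payload set misses on a document-store login. It assumes a toy Mongo-style matcher and a constructed user list; neither is a real driver or real data. The vulnerable handler binds the decoded JSON body straight into the query document, the hardened one decodes into typed strings so `encoding/json` refuses operator objects, and `probe` shows the SQLi payloads achieving zero bypasses while every operator-injection payload succeeds against the vulnerable handler.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// Filter is a MongoDB-style query document: field -> literal value or an
// operator map such as {"$ne": null}.
type Filter map[string]interface{}

// Constructed sample data standing in for a users collection.
var users = []map[string]interface{}{
	{"username": "alice", "password": "s3cret"},
	{"username": "admin", "password": "hunter2"},
}

// matchValue emulates a tiny subset of MongoDB matching (equality, $ne, $gt on
// strings, $regex). Assumption of this example, not a real driver; it exists
// only to make operator injection observable offline.
func matchValue(stored, cond interface{}) bool {
	ops, isOps := cond.(map[string]interface{})
	if !isOps {
		return stored == cond // plain equality, as a literal credential is matched
	}
	s, _ := stored.(string)
	for op, arg := range ops {
		switch op {
		case "$ne":
			if stored == arg {
				return false
			}
		case "$gt":
			a, _ := arg.(string)
			if s <= a {
				return false
			}
		case "$regex":
			pat, _ := arg.(string)
			re, err := regexp.Compile(pat)
			if err != nil || !re.MatchString(s) {
				return false
			}
		default:
			return false // unsupported operator never matches
		}
	}
	return true
}

// find returns every document matching all fields of the filter.
func find(f Filter) []map[string]interface{} {
	var out []map[string]interface{}
	for _, u := range users {
		matched := true
		for field, cond := range f {
			if !matchValue(u[field], cond) {
				matched = false
				break
			}
		}
		if matched {
			out = append(out, u)
		}
	}
	return out
}

// vulnerableLogin binds the decoded JSON body straight into the query
// document, so an attacker-supplied object becomes a query operator.
func vulnerableLogin(body []byte) (bool, error) {
	var creds map[string]interface{}
	if err := json.Unmarshal(body, &creds); err != nil {
		return false, err
	}
	return len(find(Filter{"username": creds["username"], "password": creds["password"]})) > 0, nil
}

// hardenedLogin decodes into typed string fields; encoding/json returns an error
// when an object arrives where a string is expected, so operators never reach the query.
func hardenedLogin(body []byte) (bool, error) {
	var creds struct {
		Username string `json:"username"`
		Password string `json:"password"`
	}
	if err := json.Unmarshal(body, &creds); err != nil {
		return false, err
	}
	return len(find(Filter{"username": creds.Username, "password": creds.Password})) > 0, nil
}

// Constructed probe sets: SQL-style payloads of the kind a SQLi module sends,
// and MongoDB operator-injection payloads a NoSQLi module would need.
var sqliProbes = []string{
	`{"username":"admin' --","password":"x"}`,
	`{"username":"admin","password":"' OR '1'='1"}`,
}

var nosqliProbes = []string{
	`{"username":{"$ne":null},"password":{"$ne":null}}`, // any non-null pair
	`{"username":"admin","password":{"$gt":""}}`,         // any non-empty password
	`{"username":"admin","password":{"$regex":"^h"}}`,    // password oracle, one char at a time
}

// probe counts payloads that log in without valid credentials; a scanner
// would flag the endpoint when this is non-zero.
func probe(login func([]byte) (bool, error), payloads []string) int {
	hits := 0
	for _, p := range payloads {
		if ok, err := login([]byte(p)); err == nil && ok {
			hits++
		}
	}
	return hits
}

func main() {
	fmt.Println("vulnerable: SQLi bypasses", probe(vulnerableLogin, sqliProbes), "NoSQLi bypasses", probe(vulnerableLogin, nosqliProbes))
	fmt.Println("hardened:   SQLi bypasses", probe(hardenedLogin, sqliProbes), "NoSQLi bypasses", probe(hardenedLogin, nosqliProbes))
}
```

Run with `go run`. A real NoSQLi module also has to cover the URL-encoded form `username[$ne]=x`, which some web frameworks (Express with `qs`, PHP) parse into nested objects; Go's `net/url` does not, which is why this example sticks to JSON bodies.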

This is more than a missing feature; it is a functional integrity issue. Users who trust the documented feature list may not realise that their NoSQL-backed applications are not being tested for a major vulnerability class. The gap undermines the tool's reliability, exposes dependent security workflows to unseen risk, and illustrates the danger of documentation that runs ahead of implementation.