omamori 0.1.1 → 0.1.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 047332a1b52e201377fafce4a1556aaff4653c6f8982914d35486b0ae6413f48
-  data.tar.gz: 2ae4023aec70fcd7242c035787787cf5ab0803bcb242ec93d347a8eb98daff70
+  metadata.gz: bafa258377208d15c678d88752804be6963159d28b83c13958de28bdd8bf8fa7
+  data.tar.gz: 9739ae26075e9e5c0f2f87eafd68f2ed6cce0baee719a4c31c1042e8b1c8abf9
 SHA512:
-  metadata.gz: 125dad0b11d11a647b943e4761049e34176f7b628ebb28487f4e30221aed3b967cedaf7f23f3ef547f3f5096c1a9bb38898213fa5e8cd97c641e5ecd26131df7
-  data.tar.gz: a972855f407359eaafee5e524e2b20d7ae303afc3dd2d8b972d2e385c45ed91ee5d84aa78007edd37c746d9e285c9958ebc205bb5008f575839632be31de07fa
+  metadata.gz: 373c41e264bc7548b3b4f37a526ed98fcefdd6a51fc6eaa8571b18d7688e131b4852c7e4ce839c7cdd43e540c3bf83b7466a1a66c29cea7c5d6e03dcd59f5cac
+  data.tar.gz: 102078caed02ab830885759ddf21bc8430b15c6a829a5f4ed7c1fcca99360ac707bb938ab19a8f2f9a5ed8ad2ccd86427acfaecc1da6d55a48c27338ae753454

data/Gemfile

@@ -4,6 +4,3 @@ source "https://rubygems.org"
 
 # Specify your gem's dependencies in omamori.gemspec
 gemspec
-gem "brakeman", "~> 7.0"
-
-gem "bundler-audit", "~> 0.9.2"

data/Gemfile.lock

@@ -1,9 +1,12 @@
 PATH
   remote: .
   specs:
-    omamori (0.1.0)
+    omamori (0.1.4)
+      brakeman (~> 7.0)
+      bundler-audit (~> 0.9.2)
       colorize (~> 0.8)
       dotenv (~> 2.0)
+      ruby-gemini-api (~> 0.1.1)
 
 GEM
   remote: https://rubygems.org/
@@ -15,7 +18,7 @@ GEM
       bundler (>= 1.2.0, < 3)
       thor (~> 1.0)
     colorize (0.8.1)
-    diff-lcs (1.6.1)
+    diff-lcs (1.6.2)
     dotenv (2.8.1)
     faraday (2.13.1)
       faraday-net_http (>= 2.0, < 3.5)
@@ -25,8 +28,8 @@ GEM
       multipart-post (~> 2.0)
     faraday-net_http (3.4.0)
       net-http (>= 0.5.0)
-    json (2.11.3)
-    language_server-protocol (3.17.0.4)
+    json (2.12.0)
+    language_server-protocol (3.17.0.5)
     lint_roller (1.1.0)
     logger (1.7.0)
     multipart-post (2.4.1)
@@ -47,14 +50,14 @@ GEM
       rspec-mocks (~> 3.13.0)
     rspec-core (3.13.3)
       rspec-support (~> 3.13.0)
-    rspec-expectations (3.13.3)
+    rspec-expectations (3.13.4)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.13.0)
-    rspec-mocks (3.13.2)
+    rspec-mocks (3.13.4)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.13.0)
-    rspec-support (3.13.2)
-    rubocop (1.75.3)
+    rspec-support (3.13.3)
+    rubocop (1.75.6)
       json (~> 2.3)
       language_server-protocol (~> 3.17.0.2)
       lint_roller (~> 1.1.0)
@@ -68,7 +71,7 @@ GEM
     rubocop-ast (1.44.1)
       parser (>= 3.3.7.2)
       prism (~> 1.4)
-    ruby-gemini-api (0.1.0)
+    ruby-gemini-api (0.1.1)
       faraday (~> 2.0)
       faraday-multipart (~> 1.0)
       json (~> 2.0)
@@ -84,14 +87,11 @@ PLATFORMS
   x86_64-linux
 
 DEPENDENCIES
-  brakeman (~> 7.0)
   bundler (~> 2.0)
-  bundler-audit (~> 0.9.2)
   omamori!
   rake (~> 13.0)
   rspec (~> 3.0)
   rubocop (~> 1.0)
-  ruby-gemini-api (~> 0.1.0)
 
 BUNDLED WITH
    2.5.17

data/README.md

@@ -15,11 +15,12 @@ Running the analysis multiple times may help reduce false negatives.
 
 ## Features
 
-- Scan staged changes (`git diff --staged`) or the entire codebase for security risks.
+- Scan staged changes (`git diff --staged`), the entire codebase, or specified files and directories for security risks.
 - Integrates with static analysis tools like Brakeman and Bundler-Audit.
 - Utilizes the Gemini API for advanced code analysis to detect vulnerabilities.
 - Supports multiple report formats (console, HTML, JSON).
 - Configurable via a `.omamorirc` file.
+- Exclusion of files and directories via a `.omamoriignore` file (except in `diff` mode).
 
 ## Installation
 
@@ -51,7 +52,7 @@ To generate an initial configuration file (`.omamorirc`), run:
 omamori init
 ```
 
-Edit the generated `.omamorirc` file to configure your Gemini API key, preferred model, checks to perform, and other settings.
+Edit the generated `.omamorirc` and `.omamoriignore` files to configure your Gemini API key, preferred model, checks to perform, and files/directories to exclude from scanning, and other settings.
 
 ### Scanning
 
@@ -66,6 +67,7 @@ Scan the entire codebase:
 ```bash
 omamori scan --all
 ```
+This mode respects the `.omamoriignore` file.
 
 Specify output format (console, html, json):
 
@@ -74,6 +76,22 @@ bundle exec omamori scan --format html
 bundle exec omamori scan --all --format json
 ```
 
+### Scan Specific Files/Directories
+
+You can specify particular files or directories to scan:
+
+```bash
+omamori scan <file_path1> <file_path2> ... <directory_path1> ...
+```
+
+Example:
+
+```bash
+omamori scan app/controllers/users_controller.rb app/models/user.rb config/routes.rb lib/
+```
+
+This mode respects the `.omamoriignore` file.
+
 ### AI Analysis Only
 
 To perform only AI analysis without running static analysis tools, use the `--ai` option:
@@ -96,7 +114,7 @@ Here's a detailed breakdown of the configuration options:
 # You can also set this via the GEMINI_API_KEY environment variable
 api_key: YOUR_GEMINI_API_KEY # Replace with your actual API key
 
-# Gemini Model to use (optional, default: gemini-1.5-pro-latest)
+# Gemini Model to use (optional, default: gemini-2.5-flash-preview-04-17)
 model: gemini-2.5-flash-preview-04-17
 
 # Security checks to enable (optional, default: all implemented checks)
@@ -128,7 +146,7 @@ model: gemini-2.5-flash-preview-04-17
 ```
 
 *   `api_key`: Your API key for accessing the Gemini API. Can also be set via the `GEMINI_API_KEY` environment variable.
-*   `model`: The Gemini model to use for AI analysis. Defaults to `gemini-1.5-pro-latest`.
+*   `model`: The Gemini model to use for AI analysis. Defaults to `gemini-2.5-flash-preview-04-17`.
 *   `checks`: Configure which types of security checks to enable. By default, all implemented checks are enabled. You can selectively enable/disable checks here (e.g., `xss: true`, `csrf: false`).
 *   `prompt_templates`: Define custom prompt templates for AI analysis.
 *   `report`: Configure report output settings.
@@ -139,6 +157,16 @@ model: gemini-2.5-flash-preview-04-17
     *   `bundler_audit`: Additional command-line options for Bundler-Audit.
 *   `language`: Language setting for the details provided in AI analysis reports. Defaults to English (`en`).
 
+## .omamoriignore File
+
+The `.omamoriignore` file allows you to exclude specific files and directories from the scan target. Its behavior is similar to a `.gitignore` file, but with the following considerations:
+
+*   **Effective Modes:** It is only effective in `--all` mode or when scanning specified files/directories.
+*   **Ineffective Mode:** In `diff` mode (i.e., `omamori scan` without arguments), the `.omamoriignore` file is ignored. This is because `diff` mode only targets changes retrieved by `git diff`.
+*   **Format:** Each line specifies one pattern. Lines starting with `#` are treated as comments. It is recommended to append a `/` to directory patterns (e.g., `vendor/`). Patterns are evaluated using simple prefix matching (e.g., `config/initializers` matches `config/initializers/devise.rb`). Wildcards (`*`) are not currently supported.
+
+When you run the `omamori init` command, a `.omamoriignore` file pre-filled with patterns for common files and directories to ignore in a Rails project will be generated. You can edit this file as needed.
+
 ## Demo Files
 
 The `demo` directory contains example files with known vulnerabilities that can be used to demonstrate Omamori's capabilities.

data/README_ja.md

@@ -13,11 +13,12 @@ AI解析は静的解析で診断できない脆弱性を発見することがで
 
 ## 特徴
 
-- ステージされた変更（`git diff --staged`）またはコードベース全体をスキャンしてセキュリティリスクを検出
+- ステージされた変更（`git diff --staged`）、コードベース全体、または指定されたファイルやディレクトリをスキャンしてセキュリティリスクを検出
 - BrakemanやBundler-Auditなどの静的解析ツールと連携
 - Gemini APIを活用し、AIによる高度なコード脆弱性検出
 - 複数のレポート形式に対応（コンソール、HTML、JSON）
 - `.omamorirc`ファイルによる柔軟な設定が可能
+- `.omamoriignore`ファイルによるスキャン対象からの除外機能（`diff`モードを除く）
 
 ## インストール
 
@@ -49,7 +50,7 @@ gem install omamori
 omamori init
 ```
 
-生成された`.omamorirc`ファイルを編集して、Gemini APIキー、使用するモデル、実行するチェック項目などを設定します。
+生成された`.omamorirc`ファイルと`.omamoriignore`ファイルを編集して、Gemini APIキー、使用するモデル、実行するチェック項目、スキャン対象から除外するファイル/ディレクトリなどを設定します。
 
 ### スキャン
 
@@ -64,6 +65,7 @@ omamori scan
 ```bash
 omamori scan --all
 ```
+このモードでは`.omamoriignore`ファイルが有効になります。
 
 出力形式を指定（コンソール、HTML、JSON）：
 
@@ -72,6 +74,22 @@ bundle exec omamori scan --format html
 bundle exec omamori scan --all --format json
 ```
 
+### ファイル/ディレクトリ指定スキャン
+
+特定のファイルやディレクトリを指定してスキャンを実行します。
+
+```bash
+omamori scan <ファイルパス1> <ファイルパス2> ... <ディレクトリパス1> ...
+```
+
+例:
+
+```bash
+omamori scan app/controllers/users_controller.rb app/models/user.rb config/routes.rb lib/
+```
+
+このモードでは`.omamoriignore`ファイルが有効になります。
+
 ### AI解析のみ実施
 
 静的解析ツールを使わず、AI解析のみを実行するには、`--ai`オプションを使用します：
@@ -94,7 +112,7 @@ omamori scan --ai
 # 環境変数GEMINI_API_KEYで設定することも可能
 api_key: YOUR_GEMINI_API_KEY # 実際のAPIキーに置き換えてください
 
-# 使用するGeminiモデル（任意、デフォルト: gemini-1.5-pro-latest）
+# 使用するGeminiモデル（任意、デフォルト: gemini-2.5-flash-preview-04-17）
 model: gemini-2.5-flash-preview-04-17
 
 # 有効化するセキュリティチェック（任意、デフォルトは全チェック）
@@ -126,7 +144,7 @@ model: gemini-2.5-flash-preview-04-17
 ```
 
 - `api_key`: Gemini APIへのアクセスキー。環境変数`GEMINI_API_KEY`でも設定可能。
-- `model`: AI解析に使用するGeminiモデル。デフォルトは`gemini-1.5-pro-latest`。
+- `model`: AI解析に使用するGeminiモデル。デフォルトは`gemini-2.5-flash-preview-04-17`。
 - `checks`: 実行するセキュリティチェックの設定。特定のチェックを有効/無効にできます（例：`xss: true`, `csrf: false`）。
 - `prompt_templates`: AI解析用のカスタムプロンプトテンプレートを設定。
 - `report`: レポート出力に関する設定。
@@ -135,6 +153,16 @@ model: gemini-2.5-flash-preview-04-17
 - `static_analysers`: 静的解析ツール（Brakeman、Bundler-Auditなど）の追加オプション設定。
 - `language`: AI解析結果の詳細説明文の言語設定。デフォルトは英語（`en`）。
 
+## .omamoriignore ファイル
+
+`.omamoriignore`ファイルを使用すると、特定のファイルやディレクトリをスキャン対象から除外できます。これは`.gitignore`ファイルと似たような働きをしますが、以下の点に注意してください。
+
+*   **有効なモード:** `--all` モード、またはファイル/ディレクトリを指定してスキャンする場合にのみ有効です。
+*   **無効なモード:** `diff` モード（引数なしの `omamori scan`）では、`.omamoriignore` ファイルは無視されます。これは、`git diff` で取得された変更点のみを対象とするためです。
+*   **書式:** 1行に1つのパターンを記述します。`#` で始まる行はコメントとして扱われます。ディレクトリを指定する場合は、末尾に `/` を付けることを推奨します (例: `vendor/`)。単純な前方一致で評価されます。 (例: `config/initializers` は `config/initializers/devise.rb` にマッチします)ワイルドカード (`*`) は現時点ではサポートされていません。
+
+`omamori init` コマンドを実行すると、一般的なRailsプロジェクトで無視すべきファイルやディレクトリのパターンが記述された`.omamoriignore`ファイルが生成されます。必要に応じてこのファイルを編集してください。
+
 ## デモファイル
 
 `demo`ディレクトリには、Omamoriの機能をデモンストレーションするための既知の脆弱性を含むサンプルファイルが置かれています。

data/lib/omamori/ai_analysis_engine/diff_splitter.rb

@@ -1,12 +1,8 @@
-# frozen_string_literal: true
+# lib/omamori/ai_analysis_engine/diff_splitter.rb
 
 module Omamori
   module AIAnalysisEngine
     class DiffSplitter
-      # TODO: Determine appropriate chunk size based on token limits
-      # Gemini 1.5 Pro has a large context window (1 million tokens),
-      # but splitting might still be necessary for very large inputs
-      # or to manage cost/latency.
       DEFAULT_CHUNK_SIZE = 8000 # Characters as a proxy for tokens
 
       def initialize(chunk_size: DEFAULT_CHUNK_SIZE)
@@ -17,8 +13,8 @@ module Omamori
         chunks = []
         current_chunk = ""
         content.each_line do |line|
-          if (current_chunk.length + line.length) > @chunk_size
-            chunks << current_chunk unless current_chunk.empty?
+          if (current_chunk.length + line.length) > @chunk_size && !current_chunk.empty?
+            chunks << current_chunk
             current_chunk = line
           else
             current_chunk += line
@@ -28,30 +24,29 @@ module Omamori
         chunks
       end
 
-      def process_in_chunks(content, gemini_client, json_schema, prompt_manager, risks_to_check, model: "gemini-1.5-pro-latest")
+      # Updated to accept file_path keyword argument
+      def process_in_chunks(content, gemini_client, json_schema, prompt_manager, risks_to_check, model: "gemini-2.5-flash-preview-04-17", file_path: nil)
         all_results = []
         chunks = split(content)
 
-        puts "Splitting content into #{chunks.size} chunks..."
+        puts "[DEBUG Omamori DiffSplitter] Splitting content into #{chunks.size} chunks for file: #{file_path || 'N/A'}"
 
         chunks.each_with_index do |chunk, index|
-          puts "Processing chunk #{index + 1}/#{chunks.size}..."
-          prompt = prompt_manager.build_prompt(chunk, risks_to_check, json_schema)
-          result = gemini_client.analyze(prompt, json_schema, model: model)
+          puts "[DEBUG Omamori DiffSplitter] Processing chunk #{index + 1}/#{chunks.size} for file: #{file_path || 'N/A'}"
+          # Pass file_path (potentially modified for chunks) to build_prompt
+          chunk_file_path_info = if file_path
+                                   chunks.size > 1 ? "#{file_path} (chunk #{index + 1}/#{chunks.size})" : file_path
+                                 end
+          prompt = prompt_manager.build_prompt(chunk, risks_to_check, json_schema, file_path: chunk_file_path_info)
+          result = gemini_client.analyze(prompt, json_schema, model: model) # This call to analyze is correct
           all_results << result
-          # TODO: Handle potential rate limits or errors between chunks
         end
-
-        # TODO: Combine results from all chunks
         combine_results(all_results)
       end
 
       private
 
       def combine_results(results)
-        # This is a placeholder. Combining results from multiple AI responses
-        # requires careful consideration of overlapping findings, context, etc.
-        # For now, just flatten the list of security risks.
         combined_risks = results.flat_map do |result|
           result && result["security_risks"] ? result["security_risks"] : []
         end
@@ -59,4 +54,4 @@ module Omamori
       end
     end
   end
-end
+end

data/lib/omamori/ai_analysis_engine/gemini_client.rb

@@ -10,15 +10,16 @@ module Omamori
         @client = nil # Initialize client later
       end
 
-      def analyze(prompt, json_schema, model: "gemini-1.5-pro-latest")
+      def analyze(prompt, json_schema, model: "gemini-2.5-flash-preview-04-17")
         # Ensure the client is initialized
         client
 
         begin
-          response = @client.generate_content(
+          response = client.generate_content(
             prompt,
             model: model,
-            response_schema: json_schema # Use response_schema for Structured Output
+            response_schema: json_schema, # Use response_schema for Structured Output
+            temperature: 0.0
           )
 
           # Debug: Inspect the response object

data/lib/omamori/ai_analysis_engine/prompt_manager.rb

@@ -1,60 +1,93 @@
-# frozen_string_literal: true
-
 module Omamori
   module AIAnalysisEngine
     class PromptManager
       # TODO: Load prompt templates from config file
     DEFAULT_PROMPT_TEMPLATE = <<~TEXT
-      You are a security expert specializing in Ruby. Analyze the following code and detect any potential security risks.
+      You are a security expert specializing in Ruby. Analyze the following code and detect any potential security risks. Think step by step.
       Focus particularly on identifying the following types of vulnerabilities: %{risk_list}
       Report any detected risks in the format specified by the following JSON Schema:
       %{json_schema}
       If no risks are found, output an empty list for the "security_risks" array.
       Please provide your response in %{language}.
+      #{"File context (if available): %{file_path}" if ENV['OMAMORI_DEBUG_PROMPT']}
 
       【Code to Analyze】:
       %{code_content}
     TEXT
 
+# dangerous_eval の説明、脆弱なRubyコード例、検出ステップ（導入文付き）を定義する文字列
+dangerous_eval_prompt = <<~PROMPT
+  Dangerous Code Execution (eval, exec): Dynamic code execution using untrusted input, allowing arbitrary code injection.
+
+  **Vulnerable Ruby Code Examples:**
+  ```ruby
+  # Direct eval of user input (e.g., from HTTP parameters like params[:user_code])
+  result = eval(params[:user_code])
+
+  # User input embedded in evaluated string (String interpolation)
+  log_message = "User action: \#{params[:action]}"
+  # Even if log_message seems harmless, injecting code like "'); malicious_code; # " might be possible
+  eval("log('\#{log_message}')") # Note: Interpolation inside eval string needs care with escaping
+
+  # OS Command injection via system() or backticks (`) using user input
+  # Assumes params[:directory] or params[:filename] comes directly from user input
+  output = `ls \#{params[:directory]}` # User input determines command executed
+  system("process_file.sh \#{params[:filename]}") # User input determines command argument
+
+  # Dynamic method invocation using send() or public_send() with user-controlled method names or arguments
+  # Assumes params[:method_name] or params[:argument] comes from user input
+  target_object = SomeClass.new
+  target_object.send(params[:method_name], params[:argument]) # User can potentially call dangerous methods
+
+  # Using instance_eval or class_eval with user-provided code strings
+  user_script = params[:custom_script]
+  some_object.instance_eval(user_script) # Executes arbitrary Ruby code in the object's context
+  To detect code vulnerable to Dangerous Code Execution like the examples provided above, perform the following detection steps:
+
+  Search for methods enabling dynamic code execution in Ruby code (e.g., eval, instance_eval, class_eval, send, public_send, system, exec, backticks `).
+  Check if arguments passed to these methods originate from or are directly influenced by external untrusted input (e.g., HTTP request parameters params, data from files, network responses). Look for patterns similar to the vulnerable Ruby examples shown above.
+  Verify if user input is rigorously sanitized or validated specifically to prevent code injection vectors before being used in these methods. Standard escaping for HTML (like XSS prevention) is not sufficient here. Check if execution is restricted only to a predefined, absolutely safe allowlist of commands or methods if dynamic execution cannot be avoided.
+  Assess if safer alternatives exist that can achieve the same functionality without dynamic code execution. Examples include using Hash lookups for dispatching actions, case statements based on input values, leveraging safe templating engines, or using specific library functions designed for the task instead of generic execution methods.
+  PROMPT
 
       RISK_PROMPTS = {
-        xss: "Cross-Site Scripting (XSS): A vulnerability where user input is not properly escaped and is embedded into HTML or JavaScript, leading to arbitrary script execution in the victim’s browser. Look for unsanitized input and missing output encoding.",
-        csrf: "Cross-Site Request Forgery (CSRF): An attack that forces an authenticated user to perform unwanted actions via forged requests. Detect missing CSRF tokens or absence of referer/origin validation.",
-        idor: "Insecure Direct Object Reference (IDOR): Occurs when object identifiers (e.g., IDs) are exposed and access control is missing, allowing unauthorized access to other users’ data.",
-        open_redirect: "Open Redirect: Redirecting users to external URLs based on user-supplied input without proper validation. Check for lack of domain or whitelist restrictions.",
-        ssrf: "Server-Side Request Forgery (SSRF): The server makes HTTP requests to an arbitrary destination supplied by the user, potentially exposing internal resources or metadata.",
-        session_fixation: "Session Fixation: The server accepts a pre-supplied session ID, allowing an attacker to hijack the session after authentication. Look for missing session ID regeneration after login.",
-        inappropriate_cookie_attributes: "Insecure Cookie Attributes: Missing HttpOnly, Secure, or SameSite flags, which may lead to session theft or CSRF.",
-        insufficient_encryption: "Insufficient Encryption: Use of weak algorithms (e.g., MD5, SHA1) or lack of encryption for sensitive data. Check for insecure hash functions or plain-text handling.",
-        insecure_deserialization_rce: "Insecure Deserialization leading to RCE: Deserializing untrusted data can lead to arbitrary code execution. Detect unsafe use of deserialization functions without validation.",
-        directory_traversal: "Directory Traversal: Allows attackers to access files outside the intended directory using ../ patterns. Check for path manipulation and missing canonicalization.",
-        dangerous_eval: "Dangerous Code Execution (eval, exec): Dynamic code execution using untrusted input, allowing arbitrary code injection.",
-        inappropriate_file_permissions: "Insecure File Permissions: Files or directories with overly permissive modes (e.g., 777), allowing unauthorized read/write/execute access.",
-        temporary_backup_file_leak: "Temporary or Backup File Exposure: Sensitive files like .bak, .tmp, or ~ versions are publicly accessible due to poor file handling.",
-        overly_detailed_errors: "Excessive Error Information Disclosure: Stack traces or internal error messages exposed to users, leaking implementation details.",
-        csp_not_set: "Missing Content Security Policy (CSP): Absence of CSP headers increases risk of XSS. Look for missing Content-Security-Policy header.",
-        mime_sniffing_vulnerability: "MIME Sniffing Vulnerability: Missing X-Content-Type-Options: nosniff header can allow browsers to misinterpret content types.",
-        clickjacking_vulnerability: "Clickjacking Protection Missing: Absence of X-Frame-Options or frame-ancestors directive allows malicious framing of pages.",
-        auto_index_exposure: "Auto Indexing Enabled: Directory listing is active, exposing files and internal structure to users.",
-        inappropriate_password_policy: "Weak Password Policy: Inadequate rules such as short length, lack of complexity, or missing brute-force protections.",
-        two_factor_auth_missing: "Missing Two-Factor Authentication (2FA): Lack of secondary authentication factor for sensitive operations.",
-        race_condition: "Race Condition: Concurrent access without proper locking can lead to inconsistent states or privilege escalation.",
-        server_error_information_exposure: "Server Error Information Exposure: Internal errors (e.g., 500) reveal stack traces or server information in responses.",
-        dependency_trojan_package: "Dependency Trojan Package Risk: Installation of malicious or typosquatted packages from untrusted sources.",
-        api_overexposure: "Excessive API Exposure: Public APIs exposed without authentication, leading to data leakage or unauthorized access.",
-        security_middleware_disabled: "Security Middleware Disabled: Important protections (e.g., CSRF tokens, input sanitization) are turned off or removed.",
-        security_header_inconsistency: "Security Header Inconsistency: Inconsistent or missing security headers across environments or routes.",
-        excessive_login_attempts: "Excessive Login Attempts Allowed: Lack of rate limiting allows brute-force login attempts.",
-        inappropriate_cache_settings: "Insecure Cache Settings: Sensitive pages are cached publicly (e.g., with Cache-Control: public), risking data leakage.",
-        secret_key_committed: "Secret Key Committed to Repository: Credentials, JWT secrets, or API keys are hardcoded or pushed to version control.",
-        third_party_script_validation_missing: "Missing Validation for Third-Party Scripts: External scripts are loaded without integrity checks (e.g., Subresource Integrity).",
-        over_logging: "Over-Logging: Logging sensitive information such as passwords, tokens, or personal data.",
-        fail_open_design: "Fail-Open Design: On error or exception, access is granted instead of safely denied.",
-        environment_differences: "Uncontrolled Environment Differences: Security settings differ between development and production without strict controls.",
-        audit_log_missing: "Missing Audit Logging: Lack of logging for critical actions or authorization checks prevents accountability.",
-        time_based_side_channel: "Time-Based Side Channel: Execution time differences can leak secrets (e.g., timing attacks in string comparison)."
+        xss: "Cross-Site Scripting (XSS): A vulnerability where user input is not properly escaped and is embedded into HTML or JavaScript, leading to arbitrary script execution in the victim's browser. Detection steps: 1) Identify where user input is output to HTML/JS context. 2) Check if proper encoding/escaping is applied (e.g., html_safe, raw, sanitize, escape_javascript). 3) Look for unsafe methods that bypass default Rails escaping (html_safe, raw, <%==). 4) Examine JavaScript that incorporates user input via template interpolation. 5) Check for improper content-type headers that might enable XSS. 6) Verify if user input is passed to eval(), setTimeout(), document.write() or DOM manipulation functions. 7) Look for attribute injection possibilities where user input sets HTML attributes.",
+        csrf: "Cross-Site Request Forgery (CSRF): An attack that forces an authenticated user to perform unwanted actions via forged requests. Detection steps: 1) Check if CSRF protection is disabled globally or for specific controllers/actions (skip_before_action :verify_authenticity_token). 2) Look for APIs or endpoints that handle state-changing operations (POST, PUT, DELETE methods). 3) Verify if authenticity tokens are properly validated for forms and AJAX requests. 4) Check if the application relies solely on cookies for authentication without additional CSRF protection. 5) Look for custom CSRF protection implementations that might be incomplete. 6) Verify if SameSite cookie attributes are properly set. 7) Check if the application validates the Origin or Referer header for cross-origin requests.",
+        idor: "Insecure Direct Object Reference (IDOR): Occurs when object identifiers (e.g., IDs) are exposed and access control is missing, allowing unauthorized access to other users' data. Detection steps: 1) Identify endpoints that access data using user-supplied identifiers (e.g., params[:id]). 2) Check if proper authorization checks exist before accessing the data (e.g., current_user.orders vs Order.find). 3) Look for functions retrieving data without verifying the current user's ownership or access rights. 4) Check for sequential or predictable IDs that can be enumerated. 5) Verify if sensitive operations verify resource ownership before modifications. 6) Look for authorization checks that can be bypassed through parameter manipulation. 7) Examine APIs that return data based on user-supplied identifiers.",
+        open_redirect: "Open Redirect: Redirecting users to external URLs based on user-supplied input without proper validation. Detection steps: 1) Identify redirect methods or functions (redirect_to, headers['Location'], response.redirect, etc.). 2) Check if the redirect URL or destination can be controlled by user input. 3) Verify if there is proper validation of the redirect URL to prevent external redirects. 4) Look for validation patterns that only check for URL prefixes that could be bypassed. 5) Check if the code restricts redirects to only allowed domains or uses relative paths. 6) Watch for URL manipulation techniques that might bypass validation (using //, additional domains in path, URL encoding).",
+        ssrf: "Server-Side Request Forgery (SSRF): The server makes HTTP requests to an arbitrary destination supplied by the user, potentially exposing internal resources or metadata. Detection steps: 1) Identify code that makes network requests (HTTP, TCP, etc.). 2) Check if the URL or destination can be influenced by user input. 3) Verify if there is proper validation of user-supplied URLs or IPs to prevent access to internal resources. 4) Look for use of libraries like Net::HTTP, open-uri, rest-client, faraday, or HTTP clients where the URL is constructed dynamically. 5) Check if the code restricts requests to only allowed domains or IP ranges.",
+        session_fixation: "Session Fixation: The server accepts a pre-supplied session ID, allowing an attacker to hijack the session after authentication. Detection steps: 1) Check if the application regenerates session IDs upon authentication (reset_session, new session creation). 2) Look for login methods that don't rotate session identifiers. 3) Examine session management code for proper session invalidation after login/logout. 4) Verify if the application accepts externally provided session identifiers. 5) Check if cookie settings include proper security flags (HttpOnly, Secure, SameSite). 6) Examine how session state is maintained across privilege changes (e.g., becoming admin). 7) Look for custom session handling that bypasses Rails' built-in protection mechanisms.",
+        inappropriate_cookie_attributes: "Insecure Cookie Attributes: Missing HttpOnly, Secure, or SameSite flags, which may lead to session theft or CSRF. Detection steps: 1) Examine cookie configuration in session store settings. 2) Check for explicit cookie setting in controllers with cookies[:name] assignments. 3) Verify if sensitive cookies have the HttpOnly flag to prevent JavaScript access. 4) Check if cookies transmitting sensitive data have the Secure flag to prevent transmission over HTTP. 5) Verify if cookies have appropriate SameSite attribute (Strict, Lax, or None with Secure) to prevent CSRF and information leakage. 6) Look for custom session management that might not set proper cookie attributes. 7) Check if cookie expiration times are appropriate for the sensitivity of the data they contain.",
+        insufficient_encryption: "Insufficient Encryption: Use of weak algorithms (e.g., MD5, SHA1) or lack of encryption for sensitive data. Check for insecure hash functions or plain-text handling. Detection steps: 1) Identify code handling sensitive data (passwords, API keys, PII). 2) Check if data at rest (database) or in transit (network) is encrypted. 3) Identify algorithms used for hashing/encryption (e.g., Digest::MD5, Digest::SHA1). 4) Verify if algorithms meet current security standards (e.g., bcrypt, scrypt, SHA-256+ for hashing; AES for encryption). 5) Check secure management of encryption keys.",
+        insecure_deserialization_rce: "Insecure Deserialization leading to RCE: Deserializing untrusted data can lead to arbitrary code execution. Detect unsafe use of deserialization functions without validation. Detection steps: 1) Locate code performing deserialization (e.g., Marshal.load, YAML.load, JSON.parse). 2) Determine if the input data comes from untrusted sources (user input, network). 3) Verify if the data is validated or sanitized before deserialization. 4) Check if safe alternatives are used (e.g., YAML.safe_load, JSON.parse with appropriate options). 5) Analyze custom deserializers for vulnerabilities.",
+        directory_traversal: "Directory Traversal: Allows attackers to access files outside the intended directory using ../ patterns. Check for path manipulation and missing canonicalization. Detection steps: 1) Identify code accessing the file system using paths derived from user input. 2) Check if user input influencing file paths is sanitized (e.g., removing '../'). 3) Verify if path canonicalization functions (e.g., File.expand_path, Pathname#cleanpath) are used correctly. 4) Ensure the final path is validated to be within the intended base directory before access.",
+        dangerous_eval: "Dangerous Code Execution (eval, exec): Dynamic code execution using untrusted input, allowing arbitrary code injection. Detection steps: 1) Search for methods enabling dynamic code execution (eval, instance_eval, class_eval, send, public_send, system, exec, ` ``). 2) Check if arguments passed to these methods originate from or are influenced by user input. 3) Verify if user input is rigorously sanitized or validated before use, or if execution is restricted to safe, predefined commands/methods. 4) Assess if safer alternatives can replace dynamic execution.",
+        inappropriate_file_permissions: "Insecure File Permissions: Files or directories with overly permissive modes (e.g., 777), allowing unauthorized read/write/execute access. Detection steps: 1) Find code that creates files/directories or changes permissions (e.g., FileUtils.chmod, File.chmod, Dir.mkdir with mode). 2) Examine the permission modes being set (e.g., 0777, 0666). 3) Evaluate if permissions follow the principle of least privilege, especially avoiding world-writable (o+w) or world-readable (o+r) for sensitive files. 4) Check permissions of configuration files, log files, and uploaded files.",
+        temporary_backup_file_leak: "Temporary or Backup File Exposure: Sensitive files like .bak, .tmp, or ~ versions are publicly accessible due to poor file handling. Detection steps: 1) Identify logic creating temporary or backup files. 2) Check if common backup extensions (.bak, .tmp, ~, .old) are used. 3) Verify these files are not created within web-accessible directories. 4) Ensure temporary/backup files are securely deleted after use. 5) Check if .gitignore excludes these file patterns.",
+        overly_detailed_errors: "Excessive Error Information Disclosure: Stack traces or internal error messages exposed to users, leaking implementation details. Detection steps: 1) Examine error handling code (rescue blocks, error page rendering). 2) Check error messages displayed to users in the production environment. 3) Verify that stack traces, internal paths, database queries, or configuration details are not included in user-facing errors. 4) Confirm framework settings disable detailed errors in production (e.g., Rails `config.consider_all_requests_local = false`). 5) Ensure generic errors are shown to users, while details are logged server-side.",
+        csp_not_set: "Missing Content Security Policy (CSP): Absence of CSP headers increases risk of XSS. Look for missing Content-Security-Policy header. Detection steps: 1) Identify code setting HTTP response headers (middleware, controllers). 2) Check for the presence of the `Content-Security-Policy` header. 3) If missing or policy is overly permissive (e.g., includes 'unsafe-inline', 'unsafe-eval', '*'), report as risk. 4) Check framework CSP configuration mechanisms (e.g., Rails `config.content_security_policy`).",
+        mime_sniffing_vulnerability: "MIME Sniffing Vulnerability: Missing X-Content-Type-Options: nosniff header can allow browsers to misinterpret content types. Detection steps: 1) Identify code setting HTTP response headers. 2) Check for the presence of the `X-Content-Type-Options` header. 3) If the header is missing or its value is not exactly `nosniff`, report as risk. 4) Check framework defaults or security middleware for automatic inclusion.",
+        clickjacking_vulnerability: "Clickjacking Protection Missing: Absence of X-Frame-Options or frame-ancestors directive allows malicious framing of pages. Detection steps: 1) Identify code setting HTTP response headers. 2) Check for the `X-Frame-Options` header (e.g., `DENY`, `SAMEORIGIN`). 3) Alternatively, check for the `frame-ancestors` directive in the `Content-Security-Policy` header (e.g., `'none'`, `'self'`). 4) If neither is present or configured securely, report as risk. 5) Check framework defaults or security middleware.",
+        auto_index_exposure: "Auto Indexing Enabled: Directory listing is active, exposing files and internal structure to users. Detection steps: 1) Review web server configuration files (Nginx, Apache). 2) Look for directives enabling directory listing (e.g., Apache `Options +Indexes`, Nginx `autoindex on`). 3) Check if directory listing is unintentionally enabled for specific locations. 4) If the application framework serves static files, ensure its directory listing feature is disabled.",
+        inappropriate_password_policy: "Weak Password Policy: Inadequate rules such as short length, lack of complexity, or missing brute-force protections. Detection steps: 1) Locate code related to password setting/changing. 2) Check validation logic for minimum length, complexity requirements (character types). 3) Verify if checks against common weak passwords (dictionaries, patterns) exist. 4) Look for enforcement of password history (reuse prevention) and expiration. 5) Check for related brute-force protection (see `excessive_login_attempts`).",
+        two_factor_auth_missing: "Missing Two-Factor Authentication (2FA): Lack of secondary authentication factor for sensitive operations. Detection steps: 1) Identify login process and code for sensitive operations (e.g., profile change, payment). 2) Check if a second factor (SMS, TOTP, key) is required beyond the password. 3) Look for 2FA setup and management features. 4) Determine if 2FA is mandatory or optional for users.",
+        race_condition: "Race Condition: Concurrent access without proper locking can lead to inconsistent states or privilege escalation. Detection steps: 1) Identify code accessing shared resources (database records, files, cache). 2) Find sections where multiple threads/processes might read/write concurrently. 3) Look for non-atomic check-then-act patterns. 4) Verify use of proper locking mechanisms (database transactions, Mutex, file locks). 5) Focus on critical operations like balance updates, inventory control.",
+        server_error_information_exposure: "Server Error Information Exposure: Internal errors (e.g., 500) reveal stack traces or server information in responses. Detection steps: 1) Examine error handling for server-side errors (e.g., HTTP 500). 2) Check the content of error responses sent to the client in production. 3) Verify that server-specific information (software type/version, OS details) is not included. 4) Check server configuration to suppress revealing headers (e.g., `Server` header; Nginx `server_tokens off;`). 5) Ensure detailed errors are logged only, with generic messages shown to users. (Similar to `overly_detailed_errors` but focusing on server info).",
+        dependency_trojan_package: "Dependency Trojan Package Risk: Installation of malicious or typosquatted packages from untrusted sources. Detection steps: 1) Review dependency files (`Gemfile`, `Gemfile.lock`). 2) Scan the list of Gems for typosquatting or unfamiliar names. 3) Check Gem sources (avoid untrusted Git repos if possible). 4) Investigate reputation and maintenance status of less-known Gems. 5) Ensure `Gemfile.lock` is committed to version control. 6) Check if dependency scanning tools (e.g., `bundler-audit`) are used.",
+        api_overexposure: "Excessive API Exposure: Public APIs exposed without authentication, leading to data leakage or unauthorized access. Detection steps: 1) Identify all API endpoint definitions. 2) Verify that appropriate authentication and authorization checks are applied to each endpoint. 3) Check if rate limiting or access controls are in place, even for public APIs. 4) Ensure sensitive data or internal-only information is not returned by unauthenticated endpoints. 5) Review API documentation for unintended exposure.",
+        security_middleware_disabled: "Security Middleware Disabled: Important protections (e.g., CSRF tokens, input sanitization) are turned off or removed. Detection steps: 1) Review framework initialization and configuration files. 2) Look for intentional disabling or removal of standard security middleware (e.g., CSRF protection, secure session handling). 3) Check for route-specific or controller-specific disabling of security features (e.g., `skip_before_action :verify_authenticity_token`) and evaluate the justification.",
+        security_header_inconsistency: "Security Header Inconsistency: Inconsistent or missing security headers across environments or routes. Detection steps: 1) Locate code setting security headers (CSP, X-Frame-Options, HSTS, etc.). 2) Compare header settings across different environments (dev, staging, prod), ensuring production is not weaker. 3) Verify consistent application of headers across different routes/pages within the application. 4) Check for conflicts if headers are set in multiple places (middleware, reverse proxy).",
+        excessive_login_attempts: "Excessive Login Attempts Allowed: Lack of rate limiting allows brute-force login attempts. Detection steps: 1) Identify the login authentication code. 2) Check for logic that counts and limits login attempts per account and/or IP address within a time window. 3) Verify that countermeasures (account lockout, CAPTCHA, delay) are triggered upon exceeding the limit. 4) Check configuration of rate-limiting libraries (e.g., `rack-attack`). 5) Ensure similar limits exist for password reset functions.",
+        inappropriate_cache_settings: "Insecure Cache Settings: Sensitive pages are cached publicly (e.g., with Cache-Control: public), risking data leakage. Detection steps: 1) Identify code setting `Cache-Control` or `Pragma` headers. 2) Locate code generating pages containing user-specific or sensitive data. 3) Ensure these pages have restrictive cache directives (`private`, `no-store`, `no-cache`). 4) Look for inappropriate use of `public` or long `max-age`. 5) Review framework caching (page, action, fragment) usage for sensitive content. 6) Consider cache settings in reverse proxies/CDNs.",
+        secret_key_committed: "Secret Key Committed to Repository: Credentials, JWT secrets, or API keys are hardcoded or pushed to version control. Detection steps: 1) Scan codebase for hardcoded secrets (passwords, API keys, tokens). 2) Review configuration files (`database.yml`, `secrets.yml`, `.env`) for secrets and ensure they are gitignored if present. 3) Verify secrets are loaded from environment variables or dedicated secret management systems. 4) Scan version control history for accidentally committed secrets (and rotate if found). 5) Consider using secret scanning tools (e.g., `truffleHog`, `gitleaks`).",
+        third_party_script_validation_missing: 'Missing Validation for Third-Party Scripts: External scripts are loaded without integrity checks (e.g., Subresource Integrity). Detection steps: 1) Find HTML templates loading external JS/CSS (`<script src="...">`, `<link href="...">`). 2) Check if these tags include the `integrity` attribute (for SRI). 3) Report as risk if `integrity` attribute is missing or empty. 4) Verify the `crossorigin="anonymous"` attribute is also present when using SRI. 5) Check dynamically loaded scripts for similar integrity validation mechanisms.',
+        over_logging: "Over-Logging: Logging sensitive information such as passwords, tokens, or personal data. Detection steps: 1) Identify all logging statements (`Rails.logger.*`, `puts`, etc.). 2) Examine the data being logged. 3) Check specifically for sensitive data like passwords, tokens, API keys, PII, credit card numbers. 4) Pay attention to logging of entire request parameters or exception objects. 5) Verify framework parameter filtering (e.g., Rails `config.filter_parameters`) is configured correctly to mask sensitive fields.",
+        fail_open_design: "Fail-Open Design: On error or exception, access is granted instead of safely denied. Detection steps: 1) Identify security check code (authentication, authorization, access control). 2) Examine behavior within exception handling blocks (`rescue`). 3) Verify that exceptions during security checks default to denying access (fail-close/fail-safe), not granting it. 4) Look for checks where an error state might be misinterpreted as permissive. 5) Ensure critical operations use transactions and roll back safely on error.",
+        environment_differences: "Uncontrolled Environment Differences: Security settings differ between development and production without strict controls. Detection steps: 1) Compare configuration files across environments (`environments/development.rb` vs `environments/production.rb`). 2) Identify differences in security settings (error reporting, SSL, headers, auth). 3) Evaluate if differences weaken security in production. 4) Check for a process to manage and review environment-specific configurations. 5) Consider potential infrastructure differences (firewalls, server settings).",
+        audit_log_missing: "Missing Audit Logging: Lack of logging for critical actions or authorization checks prevents accountability. Detection steps: 1) Identify code performing critical actions (login, permission change, sensitive data access/modification, config change). 2) Verify these actions generate logs including who (user), when (timestamp), what (action/resource), result (success/fail), and where (IP address). 3) Check if authentication successes/failures and authorization failures are logged. 4) Assess if logs are stored securely and retained appropriately. 5) Ensure log format is consistent and useful for monitoring.",
+        time_based_side_channel: "Time-Based Side Channel: Execution time differences can leak secrets (e.g., timing attacks in string comparison). Detection steps: 1) Locate code comparing secret values (passwords, tokens, API keys). 2) Check if standard comparison operators (`==`) are used for secrets. 3) Verify use of constant-time comparison functions (e.g., `ActiveSupport::SecurityUtils.secure_compare`, `Rack::Utils.secure_compare`). 4) Analyze cryptographic operations for potential timing leaks (may depend on library implementation). 5) Consider if database query times varying based on input could leak information."
       }.freeze
-      
+
 
       def initialize(config = {})
         # Load custom templates and language from config, merge with default
@@ -64,12 +97,30 @@ module Omamori
         @language = config.get("language", "en") # Get language from config, default to 'en'
       end
 
-      def build_prompt(code_content, risks_to_check, json_schema, template_key: :default)
-        # Use the template from @prompt_templates, defaulting to :default if template_key is not found
+      # Updated to accept file_path keyword argument
+      def build_prompt(code_content, risks_to_check, json_schema, template_key: :default, file_path: nil)
         template = @prompt_templates.fetch(template_key, @prompt_templates[:default])
         risk_list = risks_to_check.map { |risk_key| @risk_prompts[risk_key] }.compact.join(", ")
 
-        template % { risk_list: risk_list, code_content: code_content, json_schema: json_schema.to_json, language: @language}
+        prompt_variables = {
+          risk_list: risk_list,
+          code_content: code_content,
+          json_schema: json_schema.to_json,
+          language: @language
+        }
+        # Add file_path to variables if provided and template expects it
+        # Ensure your template string (DEFAULT_PROMPT_TEMPLATE or custom ones)
+        # actually uses %{file_path} if you want to include it.
+        prompt_variables[:file_path] = file_path if file_path && template.include?("%{file_path}")
+
+        # Handle cases where a key in prompt_variables might not be in the template string
+        # by selecting only keys present in the template.
+        final_variables = {}
+        template.scan(/%\{(\w+)\}/).flatten.uniq.each do |key_in_template|
+          final_variables[key_in_template.to_sym] = prompt_variables[key_in_template.to_sym]
+        end
+        
+        template % final_variables
       end
     end
   end

data/lib/omamori/config.rb

@@ -5,10 +5,14 @@ require 'yaml'
 module Omamori
   class Config
     DEFAULT_CONFIG_PATH = ".omamorirc"
+    DEFAULT_IGNORE_PATH = ".omamoriignore"
+
+    attr_reader :ignore_patterns
 
     def initialize(config_path = DEFAULT_CONFIG_PATH)
       @config_path = config_path
       @config = load_config
+      @ignore_patterns = load_ignore_patterns # Load ignore patterns
       validate_config # Add validation after loading
     end
 
@@ -128,6 +132,23 @@ module Omamori
       end
     end
 
+    # Load .omamoriignore file and return an array of ignore patterns
+    def load_ignore_patterns
+      ignore_path = DEFAULT_IGNORE_PATH
+      if File.exist?(ignore_path)
+        begin
+          File.readlines(ignore_path, chomp: true).reject do |line|
+            line.strip.empty? || line.strip.start_with?('#')
+          end
+        rescue => e
+          puts "Warning: Error reading .omamoriignore file #{ignore_path}: #{e.message}"
+          [] # Return empty array if reading fails
+        end
+      else
+        [] # Return empty array if file does not exist
+      end
+    end
+
     def load_config
       if File.exist?(@config_path)
         begin