@rahul-sch/vibeguard 1.0.0

package/README.md

@@ -0,0 +1,162 @@
+# VibeGuard
+
+Regex-first security scanner for AI-generated ("vibe-coded") projects.
+
+## Features
+
+- **23 detection rules** covering secrets, injection, Docker, Kubernetes, Python, Node.js
+- **Fast regex scanning** - no AST parsing, works on any codebase size
+- **Multiple output formats** - console (colored), JSON, SARIF (GitHub Code Scanning)
+- **Optional AI verification** - reduce false positives with LLM verification (BYOK)
+- **Zero config** - works out of the box with sensible defaults
+
+## Installation
+
+```bash
+npm install -g vibeguard
+```
+
+## Usage
+
+```bash
+# Scan current directory
+vibeguard
+
+# Scan specific path
+vibeguard ./src
+
+# Show only critical issues
+vibeguard --severity critical
+
+# Output as JSON
+vibeguard --json
+
+# Output as SARIF (for GitHub Code Scanning)
+vibeguard --sarif > report.sarif
+
+# Enable AI verification
+vibeguard --ai --ai-key sk-xxx
+```
+
+## CLI Options
+
+| Option | Description |
+|--------|-------------|
+| `-s, --severity <level>` | Minimum severity: `critical`, `warning`, `info` (default: `warning`) |
+| `-f, --format <type>` | Output format: `console`, `json`, `sarif` (default: `console`) |
+| `--json` | Shorthand for `--format json` |
+| `--sarif` | Shorthand for `--format sarif` |
+| `-i, --ignore <pattern>` | Additional ignore patterns (can repeat) |
+| `--max-file-size <bytes>` | Skip files larger than this (default: 1MB) |
+| `--no-color` | Disable colored output |
+| `-v, --verbose` | Show debug information |
+| `--ai` | Enable AI verification |
+| `--ai-key <key>` | API key for AI provider |
+| `--ai-provider <name>` | AI provider: `openai`, `anthropic`, `groq` |
+| `-c, --config <path>` | Path to config file |
+
+## Exit Codes
+
+| Code | Meaning |
+|------|---------|
+| 0 | No issues found (or only info-level) |
+| 1 | Warning-level issues found |
+| 2 | Critical-level issues found |
+
+## Detection Rules
+
+### Secrets & Injection
+- `VG-SEC-001` - Dynamic code execution (eval)
+- `VG-SEC-002` - SQL string concatenation
+- `VG-SEC-003` - Hardcoded secrets/credentials
+- `VG-SEC-004` - Secret logged to console
+- `VG-SEC-005` - Secret in API response
+
+### Python
+- `VG-PY-001` - Shell command exec (shell=True)
+- `VG-PY-002` - OS system call
+- `VG-PY-003` - Unsafe YAML load
+- `VG-PY-004` - Insecure pickle deserialization
+- `VG-PY-005` - Flask debug mode enabled
+- `VG-PY-006` - Disabled SSL verification
+
+### Node.js
+- `VG-NODE-001` - Child process exec
+- `VG-NODE-002` - Spawn with shell
+- `VG-NODE-003` - Unsafe HTML rendering (React)
+- `VG-NODE-004` - Disabled TLS verification
+- `VG-NODE-005` - TLS reject env bypass
+
+### Docker
+- `VG-DOCK-001` - Container running as root
+- `VG-DOCK-002` - Docker socket exposed
+- `VG-DOCK-003` - Privileged container
+
+### Kubernetes
+- `VG-K8S-001` - Cluster-admin role binding
+- `VG-K8S-002` - Open ingress rules (0.0.0.0/0)
+- `VG-K8S-003` - Missing runAsNonRoot
+
+### Configuration
+- `VG-CFG-001` - Service bound to 0.0.0.0
+- `VG-CFG-002` - Public S3 bucket ACL
+
+## GitHub Actions
+
+```yaml
+name: Security Scan
+
+on: [push, pull_request]
+
+jobs:
+  vibeguard:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+
+      - name: Install VibeGuard
+        run: npm install -g vibeguard
+
+      - name: Run security scan
+        run: vibeguard --sarif > results.sarif
+
+      - name: Upload SARIF
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif
+```
+
+## Configuration File
+
+Create `vibeguard.config.json` in your project root:
+
+```json
+{
+  "severity": "warning",
+  "ignore": ["**/test/**", "**/fixtures/**"],
+  "format": "console"
+}
+```
+
+## AI Verification
+
+VibeGuard supports optional AI verification to reduce false positives. Set your API key:
+
+```bash
+export VIBEGUARD_AI_KEY=sk-xxx
+vibeguard --ai
+```
+
+Supported providers:
+- OpenAI (default)
+- Anthropic (`sk-ant-*` keys auto-detected)
+- Groq (`gsk_*` keys auto-detected)
+
+## License
+
+MIT

package/bin/vibeguard.js

@@ -0,0 +1,2 @@
+#!/usr/bin/env node
+import '../dist/cli/index.js';

package/dist/ai/cache.d.ts

@@ -0,0 +1,5 @@
+import type { VerifyResponse } from './types.js';
+export declare function getCacheKey(ruleId: string, snippet: string): string;
+export declare function getCached(key: string): VerifyResponse | undefined;
+export declare function setCache(key: string, response: VerifyResponse): void;
+export declare function clearCache(): void;

package/dist/ai/cache.js

@@ -0,0 +1,20 @@
+import { LRUCache } from 'lru-cache';
+import { createHash } from 'node:crypto';
+const cache = new LRUCache({
+    max: 1000,
+    ttl: 1000 * 60 * 60 * 24, // 24h TTL
+});
+export function getCacheKey(ruleId, snippet) {
+    return createHash('sha256')
+        .update(ruleId + snippet)
+        .digest('hex');
+}
+export function getCached(key) {
+    return cache.get(key);
+}
+export function setCache(key, response) {
+    cache.set(key, response);
+}
+export function clearCache() {
+    cache.clear();
+}

package/dist/ai/index.d.ts

@@ -0,0 +1,9 @@
+import type { Finding, DetectionRule } from '../rules/types.js';
+import type { AIConfig, VerifyResponse } from './types.js';
+export interface AIVerifier {
+    verify(finding: Finding, rule: DetectionRule): Promise<VerifyResponse>;
+}
+export declare function createAIVerifier(config: AIConfig): AIVerifier;
+export declare function verifyFindings(findings: Finding[], rules: Map<string, DetectionRule>, config: AIConfig, verbose?: boolean): Promise<Finding[]>;
+export declare function detectProvider(apiKey: string): string;
+export { type AIConfig, type VerifyRequest, type VerifyResponse } from './types.js';

package/dist/ai/index.js

@@ -0,0 +1,71 @@
+import { createProvider } from './provider.js';
+import { getCacheKey, getCached, setCache } from './cache.js';
+import { basename } from 'node:path';
+export function createAIVerifier(config) {
+    const provider = createProvider(config);
+    return {
+        async verify(finding, rule) {
+            // Check cache first
+            const cacheKey = getCacheKey(finding.ruleId, finding.snippet);
+            const cached = getCached(cacheKey);
+            if (cached) {
+                return cached;
+            }
+            // Build request with minimal context
+            const request = {
+                snippet: truncate(finding.snippet, 500),
+                ruleId: rule.id,
+                ruleTitle: rule.title,
+                ruleDescription: rule.message,
+                fileContext: `File: ${basename(finding.file)}, Language: ${rule.languages[0] || 'unknown'}`,
+            };
+            const response = await provider.verify(request);
+            // Cache the result
+            setCache(cacheKey, response);
+            return response;
+        },
+    };
+}
+function truncate(str, maxLen) {
+    if (str.length <= maxLen)
+        return str;
+    return str.slice(0, maxLen - 3) + '...';
+}
+export async function verifyFindings(findings, rules, config, verbose = false) {
+    const verifier = createAIVerifier(config);
+    const verified = [];
+    for (const finding of findings) {
+        const rule = rules.get(finding.ruleId);
+        if (!rule) {
+            verified.push(finding);
+            continue;
+        }
+        // Only verify rules that have AI verification enabled
+        if (!rule.aiVerification?.enabled) {
+            verified.push(finding);
+            continue;
+        }
+        if (verbose) {
+            console.error(`AI verifying: ${finding.ruleId} at ${finding.file}:${finding.line}`);
+        }
+        try {
+            const response = await verifier.verify(finding, rule);
+            verified.push({
+                ...finding,
+                aiVerdict: response,
+            });
+        }
+        catch {
+            // On error, keep finding without AI verdict
+            verified.push(finding);
+        }
+    }
+    return verified;
+}
+export function detectProvider(apiKey) {
+    if (apiKey.startsWith('sk-ant-'))
+        return 'anthropic';
+    if (apiKey.startsWith('gsk_'))
+        return 'groq';
+    return 'openai';
+}

package/dist/ai/prompts.d.ts

@@ -0,0 +1,7 @@
+import type { VerifyRequest } from './types.js';
+export declare function buildVerificationPrompt(request: VerifyRequest): string;
+export declare function parseVerificationResponse(text: string): {
+    verdict: 'true_positive' | 'false_positive' | 'unsure';
+    confidence: number;
+    rationale: string;
+};

package/dist/ai/prompts.js

@@ -0,0 +1,65 @@
+export function buildVerificationPrompt(request) {
+    return `You are a security code reviewer. Analyze the following code snippet for a potential security issue.
+
+Rule: ${request.ruleId} - ${request.ruleTitle}
+Issue: ${request.ruleDescription}
+File: ${request.fileContext}
+
+Code snippet:
+\`\`\`
+${request.snippet}
+\`\`\`
+
+Determine if this is a TRUE security issue or a FALSE POSITIVE.
+
+Consider:
+- Is this test/example code that won't run in production?
+- Is the flagged pattern used safely with proper sanitization?
+- Is there context that makes this safe (e.g., constants, trusted data)?
+- Could this realistically be exploited?
+
+Respond in JSON format:
+{
+  "verdict": "true_positive" | "false_positive" | "unsure",
+  "confidence": 0.0-1.0,
+  "rationale": "Brief explanation"
+}
+
+JSON response:`;
+}
+export function parseVerificationResponse(text) {
+    // Try to extract JSON from response
+    const jsonMatch = text.match(/\{[\s\S]*\}/);
+    if (!jsonMatch) {
+        return {
+            verdict: 'unsure',
+            confidence: 0.5,
+            rationale: 'Failed to parse AI response',
+        };
+    }
+    try {
+        const parsed = JSON.parse(jsonMatch[0]);
+        // Validate verdict
+        const validVerdicts = ['true_positive', 'false_positive', 'unsure'];
+        const verdict = validVerdicts.includes(parsed.verdict)
+            ? parsed.verdict
+            : 'unsure';
+        // Validate confidence
+        let confidence = parseFloat(parsed.confidence);
+        if (isNaN(confidence) || confidence < 0 || confidence > 1) {
+            confidence = 0.5;
+        }
+        return {
+            verdict,
+            confidence,
+            rationale: String(parsed.rationale || 'No rationale provided'),
+        };
+    }
+    catch {
+        return {
+            verdict: 'unsure',
+            confidence: 0.5,
+            rationale: 'Failed to parse AI response JSON',
+        };
+    }
+}

package/dist/ai/provider.d.ts

@@ -0,0 +1,12 @@
+import type { AIProvider, AIConfig, VerifyRequest, VerifyResponse } from './types.js';
+export declare class OpenAICompatibleProvider implements AIProvider {
+    name: string;
+    private apiKey;
+    private model;
+    private baseUrl;
+    constructor(config: AIConfig);
+    verify(request: VerifyRequest): Promise<VerifyResponse>;
+    private callOpenAI;
+    private callAnthropic;
+}
+export declare function createProvider(config: AIConfig): AIProvider;

package/dist/ai/provider.js

@@ -0,0 +1,93 @@
+import { buildVerificationPrompt, parseVerificationResponse } from './prompts.js';
+export class OpenAICompatibleProvider {
+    name;
+    apiKey;
+    model;
+    baseUrl;
+    constructor(config) {
+        this.apiKey = config.apiKey;
+        this.name = config.provider;
+        // Set defaults based on provider
+        switch (config.provider) {
+            case 'anthropic':
+                this.baseUrl = 'https://api.anthropic.com/v1/messages';
+                this.model = config.model || 'claude-3-haiku-20240307';
+                break;
+            case 'groq':
+                this.baseUrl = 'https://api.groq.com/openai/v1/chat/completions';
+                this.model = config.model || 'llama-3.1-8b-instant';
+                break;
+            case 'openai':
+            default:
+                this.baseUrl = 'https://api.openai.com/v1/chat/completions';
+                this.model = config.model || 'gpt-4o-mini';
+                break;
+        }
+    }
+    async verify(request) {
+        const prompt = buildVerificationPrompt(request);
+        try {
+            let responseText;
+            if (this.name === 'anthropic') {
+                responseText = await this.callAnthropic(prompt);
+            }
+            else {
+                responseText = await this.callOpenAI(prompt);
+            }
+            return parseVerificationResponse(responseText);
+        }
+        catch (error) {
+            const message = error instanceof Error ? error.message : 'Unknown error';
+            return {
+                verdict: 'unsure',
+                confidence: 0,
+                rationale: `AI verification failed: ${message}`,
+            };
+        }
+    }
+    async callOpenAI(prompt) {
+        const response = await fetch(this.baseUrl, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json',
+                Authorization: `Bearer ${this.apiKey}`,
+            },
+            body: JSON.stringify({
+                model: this.model,
+                messages: [{ role: 'user', content: prompt }],
+                max_tokens: 500,
+                temperature: 0.1,
+            }),
+        });
+        if (!response.ok) {
+            const text = await response.text();
+            throw new Error(`API error ${response.status}: ${text}`);
+        }
+        const data = (await response.json());
+        return data.choices[0]?.message?.content || '';
+    }
+    async callAnthropic(prompt) {
+        const response = await fetch(this.baseUrl, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json',
+                'x-api-key': this.apiKey,
+                'anthropic-version': '2023-06-01',
+            },
+            body: JSON.stringify({
+                model: this.model,
+                max_tokens: 500,
+                messages: [{ role: 'user', content: prompt }],
+            }),
+        });
+        if (!response.ok) {
+            const text = await response.text();
+            throw new Error(`API error ${response.status}: ${text}`);
+        }
+        const data = (await response.json());
+        return data.content[0]?.text || '';
+    }
+}
+export function createProvider(config) {
+    return new OpenAICompatibleProvider(config);
+}

package/dist/ai/types.d.ts

@@ -0,0 +1,21 @@
+export interface VerifyRequest {
+    snippet: string;
+    ruleId: string;
+    ruleTitle: string;
+    ruleDescription: string;
+    fileContext: string;
+}
+export interface VerifyResponse {
+    verdict: 'true_positive' | 'false_positive' | 'unsure';
+    confidence: number;
+    rationale: string;
+}
+export interface AIProvider {
+    name: string;
+    verify(request: VerifyRequest): Promise<VerifyResponse>;
+}
+export interface AIConfig {
+    provider: string;
+    apiKey: string;
+    model?: string;
+}

package/dist/ai/types.js

@@ -0,0 +1 @@
+export {};

package/dist/cli/commands/fix.d.ts

@@ -0,0 +1,7 @@
+import { type CLIOptions } from '../../config/index.js';
+export interface FixCommandOptions extends CLIOptions {
+    dryRun?: boolean;
+    yes?: boolean;
+    git?: boolean;
+}
+export declare function fixCommand(targetPath: string | undefined, options: FixCommandOptions): Promise<void>;

package/dist/cli/commands/fix.js

@@ -0,0 +1,140 @@
+import { resolve } from 'node:path';
+import { execSync } from 'node:child_process';
+import { createInterface } from 'node:readline';
+import { scan } from '../../engine/index.js';
+import { resolveConfig } from '../../config/index.js';
+import { getFixableFindings, generateFix, printDiff, applyFixes, } from '../../fix/index.js';
+async function promptConfirm(message) {
+    const rl = createInterface({
+        input: process.stdin,
+        output: process.stderr,
+    });
+    return new Promise((resolve) => {
+        rl.question(`${message} [y/N] `, (answer) => {
+            rl.close();
+            resolve(answer.toLowerCase() === 'y' || answer.toLowerCase() === 'yes');
+        });
+    });
+}
+export async function fixCommand(targetPath = '.', options) {
+    const resolvedPath = resolve(targetPath);
+    const config = resolveConfig(resolvedPath, options);
+    if (config.verbose) {
+        console.error(`VibeGuard fix: ${config.targetPath}`);
+    }
+    // First, scan to find issues
+    const result = await scan(config);
+    if (result.findings.length === 0) {
+        console.log('No issues found.');
+        return;
+    }
+    // Filter to fixable findings
+    const fixable = getFixableFindings(result.findings);
+    if (fixable.length === 0) {
+        console.log(`Found ${result.findings.length} issues, but none are auto-fixable.`);
+        return;
+    }
+    console.log(`Found ${result.findings.length} issues, ${fixable.length} are auto-fixable:\n`);
+    // Generate fixes
+    const fixResults = [];
+    const validFixes = [];
+    for (const finding of fixable) {
+        const fixResult = generateFix(finding, resolvedPath);
+        fixResults.push({ finding, result: fixResult });
+        if (fixResult.success && fixResult.fix) {
+            validFixes.push(fixResult.fix);
+        }
+    }
+    // Show what we found
+    for (const { finding, result: fixResult } of fixResults) {
+        const status = fixResult.success ? '\x1b[32m✓\x1b[0m' : '\x1b[31m✗\x1b[0m';
+        console.log(`  ${status} ${finding.ruleId} ${finding.file}:${finding.line}`);
+        if (!fixResult.success && fixResult.error) {
+            console.log(`      \x1b[33m${fixResult.error}\x1b[0m`);
+        }
+    }
+    if (validFixes.length === 0) {
+        console.log('\nNo fixes could be generated.');
+        return;
+    }
+    console.log(`\n${validFixes.length} fixes ready to apply.`);
+    // Dry run mode - just show diffs
+    if (options.dryRun) {
+        console.log('\n--dry-run: Showing diffs only:\n');
+        for (const fix of validFixes) {
+            console.log(printDiff(fix));
+        }
+        console.log('\nNo changes were made (dry-run mode).');
+        return;
+    }
+    // If not --yes, prompt for confirmation
+    if (!options.yes) {
+        console.log('\nDiffs:');
+        for (const fix of validFixes) {
+            console.log(printDiff(fix));
+        }
+        const confirmed = await promptConfirm('\nApply these fixes?');
+        if (!confirmed) {
+            console.log('Aborted.');
+            return;
+        }
+    }
+    // Group fixes by file
+    const byFile = new Map();
+    for (const fix of validFixes) {
+        const existing = byFile.get(fix.file) || [];
+        existing.push(fix);
+        byFile.set(fix.file, existing);
+    }
+    // Apply fixes
+    let successCount = 0;
+    let failCount = 0;
+    const modifiedFiles = [];
+    for (const [file, fileFixes] of byFile) {
+        const result = applyFixes(file, fileFixes);
+        if (result.applied) {
+            successCount += result.fixes.length;
+            modifiedFiles.push(file);
+        }
+        else if (result.error) {
+            console.error(`\x1b[31mError fixing ${file}: ${result.error}\x1b[0m`);
+            failCount += fileFixes.length;
+        }
+    }
+    console.log(`\n\x1b[32m✓ ${successCount} fixes applied\x1b[0m`);
+    if (failCount > 0) {
+        console.log(`\x1b[31m✗ ${failCount} fixes failed\x1b[0m`);
+    }
+    // Git staging if requested
+    if (options.git && modifiedFiles.length > 0) {
+        try {
+            for (const file of modifiedFiles) {
+                execSync(`git add "${file}"`, { stdio: 'pipe' });
+            }
+            console.log('\nChanges staged for commit.');
+        }
+        catch (error) {
+            console.error('\x1b[33mWarning: Could not stage files with git.\x1b[0m');
+        }
+    }
+    // Show verification
+    console.log('\nRe-scanning to verify fixes...');
+    const verifyResult = await scan(config);
+    const remainingFixable = getFixableFindings(verifyResult.findings);
+    if (remainingFixable.length === 0) {
+        console.log('\x1b[32m✓ All fixable issues have been resolved!\x1b[0m');
+    }
+    else {
+        console.log(`\x1b[33m${remainingFixable.length} fixable issues remain.\x1b[0m`);
+    }
+    // Exit code based on remaining issues
+    if (verifyResult.criticalCount > 0) {
+        process.exitCode = 2;
+    }
+    else if (verifyResult.warningCount > 0) {
+        process.exitCode = 1;
+    }
+    else {
+        process.exitCode = 0;
+    }
+}

package/dist/cli/commands/github.d.ts

@@ -0,0 +1,6 @@
+export interface GitHubCommandOptions {
+    autoFix?: boolean;
+    severity?: 'critical' | 'warning' | 'info';
+    aiVerify?: boolean;
+}
+export declare function githubCommand(action: string, targetPath: string | undefined, options: GitHubCommandOptions): Promise<void>;

package/dist/cli/commands/github.js

@@ -0,0 +1,24 @@
+import { resolve } from 'node:path';
+import { installGitHubWorkflow } from '../../github/installer.js';
+export async function githubCommand(action, targetPath = '.', options) {
+    const resolvedPath = resolve(targetPath);
+    if (action === 'install') {
+        try {
+            installGitHubWorkflow(resolvedPath, {
+                autoFix: options.autoFix ?? true,
+                severityThreshold: options.severity ?? 'warning',
+                aiVerify: options.aiVerify ?? false,
+            });
+        }
+        catch (error) {
+            const err = error;
+            console.error(`Error: ${err.message}`);
+            process.exitCode = 1;
+        }
+    }
+    else {
+        console.error(`Unknown github action: ${action}`);
+        console.error('Usage: vibeguard github install [path]');
+        process.exitCode = 1;
+    }
+}

package/dist/cli/commands/scan.d.ts

@@ -0,0 +1,5 @@
+import { type CLIOptions } from '../../config/index.js';
+export interface ScanCommandOptions extends CLIOptions {
+    color?: boolean;
+}
+export declare function scanCommand(targetPath: string | undefined, options: ScanCommandOptions): Promise<void>;