@rahul-sch/vibeguard 1.0.0

package/dist/github/comment-formatter.js

@@ -0,0 +1,65 @@
+import { isFixable } from '../fix/index.js';
+export function formatPRComment(result) {
+    const critical = result.findings.filter(f => f.severity === 'critical');
+    const warning = result.findings.filter(f => f.severity === 'warning');
+    const fixable = result.findings.filter(f => isFixable(f));
+    const sections = [];
+    // Header
+    sections.push('## 🛡️ VibeGuard Security Scan\n');
+    // Summary table
+    sections.push('| Severity | Count |');
+    sections.push('|----------|-------|');
+    sections.push(`| 🔴 Critical | ${critical.length} |`);
+    sections.push(`| 🟡 Warning | ${warning.length} |`);
+    sections.push('');
+    // Auto-fixable callout
+    if (fixable.length > 0) {
+        sections.push(`### ✅ Auto-fixable: ${fixable.length} issues`);
+        sections.push('React with 👍 to this comment to automatically apply fixes.\n');
+    }
+    // Critical issues (expanded)
+    if (critical.length > 0) {
+        sections.push('### 🔴 Critical Issues\n');
+        critical.forEach(f => {
+            sections.push(`- **${f.ruleId}** \`${f.file}:${f.line}\``);
+            sections.push(`  ${f.message}`);
+            if (isFixable(f)) {
+                sections.push(`  ✅ *Auto-fixable*`);
+            }
+            sections.push('');
+        });
+    }
+    // Warning issues (collapsed)
+    if (warning.length > 0) {
+        sections.push('<details>');
+        sections.push('<summary>🟡 View warnings</summary>\n');
+        warning.forEach(f => {
+            sections.push(`- **${f.ruleId}** \`${f.file}:${f.line}\` - ${f.message}`);
+        });
+        sections.push('\n</details>\n');
+    }
+    // Footer
+    sections.push('---');
+    sections.push('<sub>Powered by [VibeGuard](https://github.com/vibeguard/vibeguard)</sub>');
+    return sections.join('\n');
+}
+export function formatInlineComment(finding) {
+    const lines = [];
+    lines.push(`🔴 **${finding.ruleId}**: ${finding.message}\n`);
+    if (finding.snippet) {
+        lines.push('```');
+        lines.push(finding.snippet);
+        lines.push('```\n');
+    }
+    if (finding.remediation) {
+        lines.push(`**Fix:** ${finding.remediation}\n`);
+    }
+    if (finding.cwe) {
+        const cweNum = finding.cwe.replace('CWE-', '');
+        lines.push(`[${finding.cwe}](https://cwe.mitre.org/data/definitions/${cweNum}.html)`);
+    }
+    if (isFixable(finding)) {
+        lines.push('\n✅ *This issue can be auto-fixed. React with 👍 to the PR comment to apply.*');
+    }
+    return lines.join('\n');
+}

package/dist/github/index.d.ts

@@ -0,0 +1,5 @@
+export * from './types.js';
+export * from './client.js';
+export * from './comment-formatter.js';
+export * from './workflow-generator.js';
+export * from './installer.js';

package/dist/github/index.js

@@ -0,0 +1,5 @@
+export * from './types.js';
+export * from './client.js';
+export * from './comment-formatter.js';
+export * from './workflow-generator.js';
+export * from './installer.js';

package/dist/github/installer.d.ts

@@ -0,0 +1,2 @@
+import type { InstallOptions } from './types.js';
+export declare function installGitHubWorkflow(projectPath: string, options: InstallOptions): void;

package/dist/github/installer.js

@@ -0,0 +1,41 @@
+import { writeFileSync, mkdirSync, existsSync } from 'fs';
+import { join } from 'path';
+import { execSync } from 'child_process';
+import { generateWorkflowYAML } from './workflow-generator.js';
+export function installGitHubWorkflow(projectPath, options) {
+    const workflowDir = join(projectPath, '.github', 'workflows');
+    const workflowFile = join(workflowDir, 'vibeguard.yml');
+    // Create directory if needed
+    if (!existsSync(workflowDir)) {
+        mkdirSync(workflowDir, { recursive: true });
+    }
+    // Check if workflow already exists
+    if (existsSync(workflowFile)) {
+        throw new Error('VibeGuard workflow already exists. Remove .github/workflows/vibeguard.yml first.');
+    }
+    // Generate workflow content
+    const workflow = generateWorkflowYAML(options);
+    // Write workflow file
+    writeFileSync(workflowFile, workflow);
+    console.log('✓ Created .github/workflows/vibeguard.yml');
+    // Try to detect repo
+    try {
+        const remoteUrl = execSync('git config --get remote.origin.url', {
+            cwd: projectPath,
+            encoding: 'utf-8',
+            stdio: ['pipe', 'pipe', 'pipe']
+        }).trim();
+        const repoMatch = remoteUrl.match(/github\.com[:/]([^/]+\/[^/.]+)/);
+        if (repoMatch) {
+            console.log(`\n📋 Next steps:`);
+            console.log(`   1. Commit and push: git add .github/workflows/vibeguard.yml && git commit -m "chore: add VibeGuard workflow" && git push`);
+            console.log(`   2. Open a test PR to see VibeGuard in action`);
+            if (options.autoFix) {
+                console.log(`   3. React with 👍 to the VibeGuard comment to auto-fix issues`);
+            }
+        }
+    }
+    catch {
+        console.log('\n📋 Next steps: Commit .github/workflows/vibeguard.yml and push to trigger on PRs');
+    }
+}

package/dist/github/types.d.ts

@@ -0,0 +1,40 @@
+export interface GitHubConfig {
+    token: string;
+    repo: string;
+}
+export interface InstallOptions {
+    autoFix: boolean;
+    severityThreshold: 'critical' | 'warning' | 'info';
+    aiVerify: boolean;
+}
+export interface PR {
+    number: number;
+    title: string;
+    state: string;
+    head: {
+        ref: string;
+        sha: string;
+    };
+    base: {
+        ref: string;
+        sha: string;
+    };
+}
+export interface PRFile {
+    filename: string;
+    status: string;
+    additions: number;
+    deletions: number;
+    changes: number;
+    patch?: string;
+}
+export interface ReviewInput {
+    event: 'APPROVE' | 'REQUEST_CHANGES' | 'COMMENT';
+    body?: string;
+    comments?: ReviewComment[];
+}
+export interface ReviewComment {
+    path: string;
+    line: number;
+    body: string;
+}

package/dist/github/types.js

@@ -0,0 +1 @@
+export {};

package/dist/github/workflow-generator.d.ts

@@ -0,0 +1,2 @@
+import type { InstallOptions } from './types.js';
+export declare function generateWorkflowYAML(options: InstallOptions): string;

package/dist/github/workflow-generator.js

@@ -0,0 +1,108 @@
+export function generateWorkflowYAML(options) {
+    const autoFixJob = options.autoFix ? `
+  auto-fix:
+    if: |
+      github.event_name == 'issue_comment' &&
+      github.event.issue.pull_request &&
+      contains(github.event.comment.body, '👍')
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: refs/pull/\${{ github.event.issue.number }}/head
+          token: \${{ secrets.GITHUB_TOKEN }}
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+
+      - name: Install VibeGuard
+        run: npm install -g vibeguard
+
+      - name: Apply fixes
+        run: vibeguard fix --yes
+
+      - name: Commit fixes
+        run: |
+          git config user.name "VibeGuard Bot"
+          git config user.email "bot@vibeguard.dev"
+          git add -A
+          git commit -m "fix(security): apply VibeGuard auto-fixes" || echo "No changes"
+          git push` : '';
+    const aiVerifyFlag = options.aiVerify ? ' --ai' : '';
+    return `name: VibeGuard Security Scan
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]${options.autoFix ? `
+  issue_comment:
+    types: [created]` : ''}
+
+permissions:
+  contents: ${options.autoFix ? 'write' : 'read'}
+  pull-requests: write
+  issues: write
+
+jobs:
+  scan:
+    if: github.event_name == 'pull_request'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: \${{ github.event.pull_request.head.ref }}
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+
+      - name: Install VibeGuard
+        run: npm install -g vibeguard
+
+      - name: Scan for security issues
+        id: scan
+        run: |
+          vibeguard scan --json${aiVerifyFlag} --severity ${options.severityThreshold} > scan-results.json || true
+          echo "findings=\$(jq -r '.findings | length' scan-results.json)" >> $GITHUB_OUTPUT
+
+      - name: Post PR comment
+        if: steps.scan.outputs.findings != '0'
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const fs = require('fs');
+            const results = JSON.parse(fs.readFileSync('scan-results.json'));
+
+            const critical = results.findings.filter(f => f.severity === 'critical').length;
+            const warning = results.findings.filter(f => f.severity === 'warning').length;
+            const fixable = results.findings.filter(f => f.fixable).length;
+
+            const body = \`## 🛡️ VibeGuard Security Scan
+
+| Severity | Count |
+|----------|-------|
+| 🔴 Critical | \${critical} |
+| 🟡 Warning | \${warning} |
+
+\${fixable > 0 ? \`### ✅ Auto-fixable: \${fixable} issues
+
+React with 👍 to this comment to automatically apply fixes.
+\` : ''}
+<details>
+<summary>View all findings</summary>
+
+\${results.findings.map(f => \`- **\${f.ruleId}** \\\`\${f.file}:\${f.line}\\\` - \${f.message}\`).join('\\n')}
+
+</details>
+
+---
+<sub>Powered by [VibeGuard](https://github.com/vibeguard/vibeguard)</sub>\`;
+
+            await github.rest.issues.createComment({
+              ...context.repo,
+              issue_number: context.issue.number,
+              body
+            });
+${autoFixJob}
+`;
+}

package/dist/index.d.ts

@@ -0,0 +1,2 @@
+export declare const VERSION = "1.0.0";
+export declare const NAME = "vibeguard";

package/dist/index.js

@@ -0,0 +1,2 @@
+export const VERSION = '1.0.0';
+export const NAME = 'vibeguard';

package/dist/reporters/console.d.ts

@@ -0,0 +1,9 @@
+import type { ScanResult } from '../rules/types.js';
+import type { Reporter } from './types.js';
+export declare class ConsoleReporter implements Reporter {
+    private noColor;
+    constructor(noColor?: boolean);
+    report(result: ScanResult): string;
+    private formatFinding;
+    private style;
+}

package/dist/reporters/console.js

@@ -0,0 +1,76 @@
+import chalk from 'chalk';
+export class ConsoleReporter {
+    noColor;
+    constructor(noColor = false) {
+        this.noColor = noColor;
+    }
+    report(result) {
+        const lines = [];
+        lines.push('');
+        lines.push(this.style('  VibeGuard v1.0.0', 'bold'));
+        lines.push('');
+        lines.push(`  Scanning complete`);
+        lines.push(`  Files: ${result.scannedFiles} scanned, ${result.skippedFiles} skipped`);
+        lines.push('');
+        if (result.findings.length === 0) {
+            lines.push(this.style('  ✓ No issues found', 'green'));
+        }
+        else {
+            const sorted = [...result.findings].sort((a, b) => {
+                const severityOrder = { critical: 0, warning: 1, info: 2 };
+                return severityOrder[a.severity] - severityOrder[b.severity];
+            });
+            for (const finding of sorted) {
+                lines.push(this.formatFinding(finding));
+                lines.push('');
+            }
+        }
+        lines.push('  ' + '─'.repeat(40));
+        lines.push(`  Summary: ${this.style(String(result.criticalCount) + ' critical', 'red')}, ` +
+            `${this.style(String(result.warningCount) + ' warnings', 'yellow')}, ` +
+            `${result.infoCount} info`);
+        lines.push(`  Duration: ${(result.duration / 1000).toFixed(1)}s`);
+        lines.push('');
+        return lines.join('\n');
+    }
+    formatFinding(finding) {
+        const lines = [];
+        const severityLabel = finding.severity.toUpperCase();
+        const severityStyled = finding.severity === 'critical'
+            ? this.style(severityLabel, 'redBold')
+            : finding.severity === 'warning'
+                ? this.style(severityLabel, 'yellow')
+                : this.style(severityLabel, 'blue');
+        lines.push(`  ${severityStyled}  ${this.style(finding.file + ':' + finding.line + ':' + finding.column, 'cyan')}`);
+        lines.push(`  ${this.style(finding.ruleId, 'dim')}  ${finding.title}`);
+        lines.push(`  → ${finding.snippet}`);
+        if (finding.remediation) {
+            lines.push(`  ${this.style('Remediation:', 'dim')} ${finding.remediation}`);
+        }
+        return lines.join('\n');
+    }
+    style(text, style) {
+        if (this.noColor)
+            return text;
+        switch (style) {
+            case 'bold':
+                return chalk.bold(text);
+            case 'red':
+                return chalk.red(text);
+            case 'redBold':
+                return chalk.red.bold(text);
+            case 'yellow':
+                return chalk.yellow(text);
+            case 'blue':
+                return chalk.blue(text);
+            case 'cyan':
+                return chalk.cyan(text);
+            case 'dim':
+                return chalk.dim(text);
+            case 'green':
+                return chalk.green(text);
+            default:
+                return text;
+        }
+    }
+}

package/dist/reporters/index.d.ts

@@ -0,0 +1,6 @@
+import type { Reporter, ReporterType } from './types.js';
+export declare function createReporter(type: ReporterType, noColor?: boolean): Reporter;
+export { type Reporter, type ReporterType } from './types.js';
+export { ConsoleReporter } from './console.js';
+export { JsonReporter } from './json.js';
+export { SarifReporter } from './sarif.js';

package/dist/reporters/index.js

@@ -0,0 +1,17 @@
+import { ConsoleReporter } from './console.js';
+import { JsonReporter } from './json.js';
+import { SarifReporter } from './sarif.js';
+export function createReporter(type, noColor = false) {
+    switch (type) {
+        case 'json':
+            return new JsonReporter();
+        case 'sarif':
+            return new SarifReporter();
+        case 'console':
+        default:
+            return new ConsoleReporter(noColor);
+    }
+}
+export { ConsoleReporter } from './console.js';
+export { JsonReporter } from './json.js';
+export { SarifReporter } from './sarif.js';

package/dist/reporters/json.d.ts

@@ -0,0 +1,5 @@
+import type { ScanResult } from '../rules/types.js';
+import type { Reporter } from './types.js';
+export declare class JsonReporter implements Reporter {
+    report(result: ScanResult): string;
+}

package/dist/reporters/json.js

@@ -0,0 +1,32 @@
+import { VERSION } from '../index.js';
+export class JsonReporter {
+    report(result) {
+        const output = {
+            version: VERSION,
+            timestamp: result.timestamp,
+            summary: {
+                scannedFiles: result.scannedFiles,
+                skippedFiles: result.skippedFiles,
+                critical: result.criticalCount,
+                warning: result.warningCount,
+                info: result.infoCount,
+                duration: result.duration,
+            },
+            findings: result.findings.map((f) => ({
+                ruleId: f.ruleId,
+                title: f.title,
+                severity: f.severity,
+                category: f.category,
+                file: f.file,
+                line: f.line,
+                column: f.column,
+                snippet: f.snippet,
+                message: f.message,
+                remediation: f.remediation,
+                cwe: f.cwe,
+                owasp: f.owasp,
+            })),
+        };
+        return JSON.stringify(output, null, 2);
+    }
+}

package/dist/reporters/sarif.d.ts

@@ -0,0 +1,9 @@
+import type { ScanResult } from '../rules/types.js';
+import type { Reporter } from './types.js';
+export declare class SarifReporter implements Reporter {
+    report(result: ScanResult): string;
+    private buildRules;
+    private buildResults;
+    private mapSeverity;
+    private getSeverityScore;
+}

package/dist/reporters/sarif.js

@@ -0,0 +1,78 @@
+import { VERSION } from '../index.js';
+import { allRules } from '../rules/index.js';
+export class SarifReporter {
+    report(result) {
+        const rules = this.buildRules(result.findings);
+        const results = this.buildResults(result.findings);
+        const sarif = {
+            $schema: 'https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json',
+            version: '2.1.0',
+            runs: [
+                {
+                    tool: {
+                        driver: {
+                            name: 'VibeGuard',
+                            version: VERSION,
+                            informationUri: 'https://github.com/vibeguard/vibeguard',
+                            rules,
+                        },
+                    },
+                    results,
+                },
+            ],
+        };
+        return JSON.stringify(sarif, null, 2);
+    }
+    buildRules(findings) {
+        const ruleIds = [...new Set(findings.map((f) => f.ruleId))];
+        return ruleIds.map((id) => {
+            const rule = allRules.find((r) => r.id === id);
+            const finding = findings.find((f) => f.ruleId === id);
+            return {
+                id,
+                name: rule?.title || finding?.title || id,
+                shortDescription: { text: rule?.message || finding?.message || '' },
+                fullDescription: rule?.remediation ? { text: rule.remediation } : undefined,
+                properties: {
+                    security_severity: this.getSeverityScore(finding?.severity || 'info'),
+                    tags: rule?.cwe ? [rule.cwe] : [],
+                },
+            };
+        });
+    }
+    buildResults(findings) {
+        return findings.map((f) => ({
+            ruleId: f.ruleId,
+            level: this.mapSeverity(f.severity),
+            message: { text: `${f.message}\n\nSnippet: ${f.snippet}` },
+            locations: [
+                {
+                    physicalLocation: {
+                        artifactLocation: { uri: f.file },
+                        region: { startLine: f.line, startColumn: f.column },
+                    },
+                },
+            ],
+        }));
+    }
+    mapSeverity(severity) {
+        switch (severity) {
+            case 'critical':
+                return 'error';
+            case 'warning':
+                return 'warning';
+            default:
+                return 'note';
+        }
+    }
+    getSeverityScore(severity) {
+        switch (severity) {
+            case 'critical':
+                return '9.0';
+            case 'warning':
+                return '6.0';
+            default:
+                return '3.0';
+        }
+    }
+}

package/dist/reporters/types.d.ts

@@ -0,0 +1,5 @@
+import type { ScanResult } from '../rules/types.js';
+export interface Reporter {
+    report(result: ScanResult): string;
+}
+export type ReporterType = 'console' | 'json' | 'sarif';

package/dist/reporters/types.js

@@ -0,0 +1 @@
+export {};

package/dist/rules/config.d.ts

@@ -0,0 +1,2 @@
+import type { DetectionRule } from './types.js';
+export declare const configRules: DetectionRule[];

package/dist/rules/config.js

@@ -0,0 +1,31 @@
+export const configRules = [
+    {
+        id: 'VG-CFG-001',
+        title: 'Service Bound to 0.0.0.0',
+        severity: 'warning',
+        category: 'config',
+        languages: ['node', 'typescript', 'python'],
+        filePatterns: ['*.js', '*.ts', '*.mjs', '*.cjs', '*.py'],
+        pattern: /(?:host\s*[:=]\s*['"]0\.0\.0\.0['"]|\.listen\s*\([^)]*['"]0\.0\.0\.0['"])/g,
+        message: 'Service binds to all interfaces. May expose internal services externally.',
+        remediation: 'Bind to 127.0.0.1 for local-only services. Use reverse proxy for external access.',
+        confidence: 'medium',
+        cwe: 'CWE-668',
+        owasp: 'A05:2021',
+        aiVerification: { enabled: true },
+    },
+    {
+        id: 'VG-CFG-002',
+        title: 'Public S3 Bucket ACL',
+        severity: 'critical',
+        category: 'config',
+        languages: ['node', 'typescript', 'python', 'yaml', 'json'],
+        filePatterns: ['*.js', '*.ts', '*.py', '*.yml', '*.yaml', '*.json', '*.tf'],
+        pattern: /(?:ACL['":\s]+public-read|"Principal"\s*:\s*"\*")/g,
+        message: 'S3 bucket configured for public access. Data exposed to internet.',
+        remediation: 'Remove public-read ACL. Use private buckets with signed URLs.',
+        confidence: 'high',
+        cwe: 'CWE-732',
+        owasp: 'A01:2021',
+    },
+];

package/dist/rules/dependencies.d.ts

@@ -0,0 +1,2 @@
+import type { DetectionRule } from './types.js';
+export declare const dependencyRules: DetectionRule[];

package/dist/rules/dependencies.js

@@ -0,0 +1,32 @@
+export const dependencyRules = [
+    {
+        id: 'VG-DEP-001',
+        title: 'Ghost Dependency (PyPI)',
+        severity: 'critical',
+        category: 'dependency',
+        languages: ['python'],
+        filePatterns: ['*.py', 'requirements.txt', 'Pipfile', 'pyproject.toml'],
+        pattern: /(?:from|import)\s+(secure[-_]|enterprise[-_]|flask[-_]admin[-_]|langchain[a-z]+)/g,
+        message: 'Potentially hallucinated package name. Attacker may have registered malicious package.',
+        remediation: 'Verify package exists on PyPI. Check package ownership and downloads.',
+        confidence: 'medium',
+        cwe: 'CWE-829',
+        owasp: 'A06:2021',
+        aiVerification: { enabled: true },
+    },
+    {
+        id: 'VG-DEP-002',
+        title: 'Ghost Dependency (npm)',
+        severity: 'critical',
+        category: 'dependency',
+        languages: ['node', 'typescript'],
+        filePatterns: ['*.js', '*.ts', '*.mjs', '*.cjs', 'package.json'],
+        pattern: /(?:require|import)\s*\(?['"](?:huggingface[-_]|@enterprise\/|react[-_]native[-_]toolkit)/g,
+        message: 'Potentially hallucinated package name. Attacker may have registered malicious package.',
+        remediation: 'Verify package exists on npm. Check package ownership and weekly downloads.',
+        confidence: 'medium',
+        cwe: 'CWE-829',
+        owasp: 'A06:2021',
+        aiVerification: { enabled: true },
+    },
+];

package/dist/rules/docker.d.ts

@@ -0,0 +1,2 @@
+import type { DetectionRule } from './types.js';
+export declare const dockerRules: DetectionRule[];

package/dist/rules/docker.js

@@ -0,0 +1,44 @@
+export const dockerRules = [
+    {
+        id: 'VG-DOCK-001',
+        title: 'Container Running as Root',
+        severity: 'warning',
+        category: 'docker',
+        languages: ['docker'],
+        filePatterns: ['Dockerfile', '*.dockerfile', 'Dockerfile.*'],
+        pattern: /^(?!.*\bUSER\b).*$/gm,
+        message: 'Dockerfile has no USER directive. Container runs as root by default.',
+        remediation: 'Add USER directive to run as non-root. Example: USER 1000:1000',
+        confidence: 'medium',
+        cwe: 'CWE-250',
+        owasp: 'A05:2021',
+    },
+    {
+        id: 'VG-DOCK-002',
+        title: 'Docker Socket Exposed',
+        severity: 'critical',
+        category: 'docker',
+        languages: ['docker', 'yaml'],
+        filePatterns: ['docker-compose.yml', 'docker-compose.yaml', '*.yml', '*.yaml'],
+        pattern: /\/var\/run\/docker\.sock/g,
+        message: 'Docker socket mounted into container. Grants full host control.',
+        remediation: 'Remove docker.sock mount. Use Docker API over TCP with TLS if needed.',
+        confidence: 'high',
+        cwe: 'CWE-269',
+        owasp: 'A05:2021',
+    },
+    {
+        id: 'VG-DOCK-003',
+        title: 'Privileged Container',
+        severity: 'critical',
+        category: 'docker',
+        languages: ['docker', 'yaml', 'kubernetes'],
+        filePatterns: ['docker-compose.yml', 'docker-compose.yaml', '*.yml', '*.yaml'],
+        pattern: /(?:--privileged|privileged\s*:\s*true)/g,
+        message: 'Privileged container has full host access. Attacker can escape container.',
+        remediation: 'Remove privileged flag. Use specific capabilities if needed.',
+        confidence: 'high',
+        cwe: 'CWE-250',
+        owasp: 'A05:2021',
+    },
+];