@rahul-sch/vibeguard 1.0.0

package/dist/rules/index.d.ts

@@ -0,0 +1,5 @@
+import type { DetectionRule } from './types.js';
+export declare const allRules: DetectionRule[];
+export declare const ruleById: Map<string, DetectionRule>;
+export declare const rulesByLanguage: Map<string, DetectionRule[]>;
+export { type DetectionRule, type Finding, type ScanConfig, type ScanResult } from './types.js';

package/dist/rules/index.js

@@ -0,0 +1,25 @@
+import { secretsRules } from './secrets.js';
+import { pythonRules } from './python.js';
+import { nodeRules } from './node.js';
+import { dockerRules } from './docker.js';
+import { kubernetesRules } from './kubernetes.js';
+import { configRules } from './config.js';
+import { dependencyRules } from './dependencies.js';
+export const allRules = [
+    ...secretsRules,
+    ...pythonRules,
+    ...nodeRules,
+    ...dockerRules,
+    ...kubernetesRules,
+    ...configRules,
+    ...dependencyRules,
+];
+export const ruleById = new Map(allRules.map((r) => [r.id, r]));
+export const rulesByLanguage = new Map();
+for (const rule of allRules) {
+    for (const lang of rule.languages) {
+        const existing = rulesByLanguage.get(lang) || [];
+        existing.push(rule);
+        rulesByLanguage.set(lang, existing);
+    }
+}

package/dist/rules/kubernetes.d.ts

@@ -0,0 +1,2 @@
+import type { DetectionRule } from './types.js';
+export declare const kubernetesRules: DetectionRule[];

package/dist/rules/kubernetes.js

@@ -0,0 +1,44 @@
+export const kubernetesRules = [
+    {
+        id: 'VG-K8S-001',
+        title: 'Cluster-Admin Role Binding',
+        severity: 'critical',
+        category: 'kubernetes',
+        languages: ['kubernetes', 'yaml'],
+        filePatterns: ['*.yml', '*.yaml'],
+        pattern: /cluster-?admin/gi,
+        message: 'cluster-admin role grants full cluster access. Compromised pod = compromised cluster.',
+        remediation: 'Use least-privilege RBAC. Create specific roles for required permissions.',
+        confidence: 'high',
+        cwe: 'CWE-250',
+        owasp: 'A01:2021',
+    },
+    {
+        id: 'VG-K8S-002',
+        title: 'Open Ingress Rules (0.0.0.0/0)',
+        severity: 'critical',
+        category: 'kubernetes',
+        languages: ['kubernetes', 'yaml'],
+        filePatterns: ['*.yml', '*.yaml'],
+        pattern: /(?:0\.0\.0\.0\/0|::\/0)/g,
+        message: 'Network policy allows traffic from any IP. Service exposed to entire internet.',
+        remediation: 'Restrict ingress to specific CIDR blocks or pod selectors.',
+        confidence: 'high',
+        cwe: 'CWE-284',
+        owasp: 'A01:2021',
+    },
+    {
+        id: 'VG-K8S-003',
+        title: 'Missing runAsNonRoot',
+        severity: 'warning',
+        category: 'kubernetes',
+        languages: ['kubernetes', 'yaml'],
+        filePatterns: ['*.yml', '*.yaml'],
+        pattern: /securityContext:(?:(?!runAsNonRoot\s*:\s*true)[\s\S])*?(?=securityContext:|$)/g,
+        message: 'Pod security context missing runAsNonRoot:true. Container may run as root.',
+        remediation: 'Add securityContext.runAsNonRoot: true to pod spec.',
+        confidence: 'medium',
+        cwe: 'CWE-250',
+        owasp: 'A05:2021',
+    },
+];

package/dist/rules/node.d.ts

@@ -0,0 +1,2 @@
+import type { DetectionRule } from './types.js';
+export declare const nodeRules: DetectionRule[];

package/dist/rules/node.js

@@ -0,0 +1,72 @@
+export const nodeRules = [
+    {
+        id: 'VG-NODE-001',
+        title: 'Child Process Exec',
+        severity: 'critical',
+        category: 'injection',
+        languages: ['node', 'typescript'],
+        filePatterns: ['*.js', '*.ts', '*.mjs', '*.cjs'],
+        pattern: /(?:child_process\.)?exec(?:Sync)?\s*\(`/g,
+        message: 'child_process.exec() runs commands in a shell. Untrusted input leads to command injection.',
+        remediation: 'Use child_process.spawn() or execFile() with argument arrays. Never pass user input to shell.',
+        confidence: 'high',
+        cwe: 'CWE-78',
+        owasp: 'A03:2021',
+    },
+    {
+        id: 'VG-NODE-002',
+        title: 'Spawn with Shell',
+        severity: 'critical',
+        category: 'injection',
+        languages: ['node', 'typescript'],
+        filePatterns: ['*.js', '*.ts', '*.mjs', '*.cjs'],
+        pattern: /spawn\s*\([^)]*\{\s*[^}]*shell\s*:\s*true/g,
+        message: 'spawn() with shell:true enables command injection via untrusted arguments.',
+        remediation: 'Remove shell:true. Pass commands and args separately.',
+        confidence: 'high',
+        cwe: 'CWE-78',
+        owasp: 'A03:2021',
+    },
+    {
+        id: 'VG-NODE-003',
+        title: 'Unsafe HTML Rendering (React)',
+        severity: 'critical',
+        category: 'injection',
+        languages: ['node', 'typescript'],
+        filePatterns: ['*.jsx', '*.tsx', '*.js', '*.ts'],
+        pattern: /dangerouslySetInnerHTML\s*=\s*\{\s*\{?\s*__html\s*:/g,
+        message: 'dangerouslySetInnerHTML renders raw HTML. User input causes XSS.',
+        remediation: 'Sanitize HTML with DOMPurify before rendering, or avoid raw HTML entirely.',
+        confidence: 'high',
+        cwe: 'CWE-79',
+        owasp: 'A03:2021',
+    },
+    {
+        id: 'VG-NODE-004',
+        title: 'Disabled TLS Verification',
+        severity: 'critical',
+        category: 'crypto',
+        languages: ['node', 'typescript'],
+        filePatterns: ['*.js', '*.ts', '*.mjs', '*.cjs'],
+        pattern: /rejectUnauthorized\s*:\s*false/g,
+        message: 'TLS certificate verification disabled. Vulnerable to MITM attacks.',
+        remediation: 'Remove rejectUnauthorized:false. Fix certificate chain issues properly.',
+        confidence: 'high',
+        cwe: 'CWE-295',
+        owasp: 'A02:2021',
+    },
+    {
+        id: 'VG-NODE-005',
+        title: 'TLS Reject Env Bypass',
+        severity: 'critical',
+        category: 'crypto',
+        languages: ['node', 'typescript'],
+        filePatterns: ['*.js', '*.ts', '*.mjs', '*.cjs'],
+        pattern: /NODE_TLS_REJECT_UNAUTHORIZED\s*=\s*['"]?0/g,
+        message: 'NODE_TLS_REJECT_UNAUTHORIZED=0 disables all TLS verification globally.',
+        remediation: 'Never disable TLS verification. Fix certificate issues at the source.',
+        confidence: 'high',
+        cwe: 'CWE-295',
+        owasp: 'A02:2021',
+    },
+];

package/dist/rules/python.d.ts

@@ -0,0 +1,2 @@
+import type { DetectionRule } from './types.js';
+export declare const pythonRules: DetectionRule[];

package/dist/rules/python.js

@@ -0,0 +1,91 @@
+export const pythonRules = [
+    {
+        id: 'VG-PY-001',
+        title: 'Shell Command Exec (shell=True)',
+        severity: 'critical',
+        category: 'injection',
+        languages: ['python'],
+        filePatterns: ['*.py'],
+        pattern: /subprocess\.\w+\s*\([^)]*shell\s*=\s*True/g,
+        message: 'subprocess with shell=True allows command injection if input is untrusted.',
+        remediation: 'Use shell=False and pass arguments as a list. Validate/sanitize all inputs.',
+        confidence: 'high',
+        cwe: 'CWE-78',
+        owasp: 'A03:2021',
+        fixable: true,
+        fixStrategy: 'shell-true-to-false',
+    },
+    {
+        id: 'VG-PY-002',
+        title: 'OS System Call',
+        severity: 'critical',
+        category: 'injection',
+        languages: ['python'],
+        filePatterns: ['*.py'],
+        pattern: /os\.system\s*\(/g,
+        message: 'os.system() executes shell commands. Vulnerable to command injection.',
+        remediation: 'Use subprocess.run() with shell=False and argument list.',
+        confidence: 'high',
+        cwe: 'CWE-78',
+        owasp: 'A03:2021',
+    },
+    {
+        id: 'VG-PY-003',
+        title: 'Unsafe YAML Load',
+        severity: 'critical',
+        category: 'deserialization',
+        languages: ['python'],
+        filePatterns: ['*.py'],
+        pattern: /yaml\.load\s*\([^)]*(?!Loader\s*=\s*yaml\.SafeLoader)/g,
+        allowPatterns: [/yaml\.safe_load/],
+        message: 'yaml.load() without SafeLoader can execute arbitrary Python objects.',
+        remediation: 'Use yaml.safe_load() or yaml.load(data, Loader=yaml.SafeLoader).',
+        confidence: 'high',
+        cwe: 'CWE-502',
+        owasp: 'A08:2021',
+    },
+    {
+        id: 'VG-PY-004',
+        title: 'Insecure Pickle Deserialization',
+        severity: 'critical',
+        category: 'deserialization',
+        languages: ['python'],
+        filePatterns: ['*.py'],
+        pattern: /pickle\.loads?\s*\(/g,
+        message: 'pickle deserializes arbitrary Python objects. Malicious payloads achieve RCE.',
+        remediation: 'Use JSON or other safe serialization. Never unpickle untrusted data.',
+        confidence: 'high',
+        cwe: 'CWE-502',
+        owasp: 'A08:2021',
+    },
+    {
+        id: 'VG-PY-005',
+        title: 'Flask Debug Mode Enabled',
+        severity: 'critical',
+        category: 'config',
+        languages: ['python'],
+        filePatterns: ['*.py'],
+        pattern: /app\.run\s*\([^)]*debug\s*=\s*True/g,
+        message: 'Flask debug mode exposes interactive debugger. Attackers can execute code via Werkzeug console.',
+        remediation: 'Set debug=False in production. Use environment variables for config.',
+        confidence: 'high',
+        cwe: 'CWE-489',
+        owasp: 'A05:2021',
+    },
+    {
+        id: 'VG-PY-006',
+        title: 'Disabled SSL Verification',
+        severity: 'critical',
+        category: 'crypto',
+        languages: ['python'],
+        filePatterns: ['*.py'],
+        pattern: /requests\.(?:get|post|put|delete|patch|head|options)\s*\([^)]*verify\s*=\s*False/g,
+        message: 'SSL verification disabled. Vulnerable to man-in-the-middle attacks.',
+        remediation: 'Remove verify=False. Fix certificate issues properly.',
+        confidence: 'high',
+        cwe: 'CWE-295',
+        owasp: 'A02:2021',
+        fixable: true,
+        fixStrategy: 'remove-verify-false',
+    },
+];

package/dist/rules/secrets.d.ts

@@ -0,0 +1,2 @@
+import type { DetectionRule } from './types.js';
+export declare const secretsRules: DetectionRule[];

package/dist/rules/secrets.js

@@ -0,0 +1,82 @@
+export const secretsRules = [
+    {
+        id: 'VG-SEC-001',
+        title: 'Dynamic Code Execution (eval)',
+        severity: 'critical',
+        category: 'injection',
+        languages: ['node', 'typescript', 'python'],
+        filePatterns: ['*.js', '*.ts', '*.jsx', '*.tsx', '*.mjs', '*.cjs', '*.py'],
+        pattern: /\beval\s*\(/g,
+        message: 'eval() executes arbitrary code. Attacker-controlled input leads to RCE.',
+        remediation: 'Use JSON.parse() for data, or a sandboxed interpreter if dynamic execution is required.',
+        confidence: 'high',
+        cwe: 'CWE-95',
+        owasp: 'A03:2021',
+        aiVerification: { enabled: true },
+        fixable: true,
+        fixStrategy: 'eval-to-json-parse',
+    },
+    {
+        id: 'VG-SEC-002',
+        title: 'SQL String Concatenation',
+        severity: 'critical',
+        category: 'injection',
+        languages: ['node', 'typescript', 'python'],
+        filePatterns: ['*.js', '*.ts', '*.jsx', '*.tsx', '*.mjs', '*.cjs', '*.py'],
+        pattern: /(?:SELECT|INSERT|UPDATE|DELETE|FROM|WHERE)[\s\S]{0,50}(?:\+\s*\w+|\$\{|f['"])/gi,
+        message: 'SQL query built with string concatenation. Vulnerable to SQL injection.',
+        remediation: 'Use parameterized queries or prepared statements.',
+        confidence: 'medium',
+        cwe: 'CWE-89',
+        owasp: 'A03:2021',
+        aiVerification: { enabled: true },
+    },
+    {
+        id: 'VG-SEC-003',
+        title: 'Hardcoded Secret/Credential',
+        severity: 'critical',
+        category: 'secrets',
+        languages: ['node', 'typescript', 'python'],
+        filePatterns: ['*.js', '*.ts', '*.jsx', '*.tsx', '*.mjs', '*.cjs', '*.py', '*.json', '*.yaml', '*.yml'],
+        pattern: /(?:api[_-]?key|secret|password|token|auth[_-]?token|private[_-]?key)\s*[:=]\s*['"][A-Za-z0-9+/=_-]{16,}['"]/gi,
+        allowPatterns: [/example|placeholder|your[_-]?|changeme|xxx|test|dummy/i],
+        message: 'Hardcoded credential detected. Secrets in source code can be extracted from version control.',
+        remediation: 'Use environment variables or a secrets manager (AWS Secrets Manager, HashiCorp Vault).',
+        confidence: 'high',
+        cwe: 'CWE-798',
+        owasp: 'A07:2021',
+        aiVerification: { enabled: true },
+        fixable: true,
+        fixStrategy: 'hardcoded-to-env',
+    },
+    {
+        id: 'VG-SEC-004',
+        title: 'Secret Logged to Console',
+        severity: 'warning',
+        category: 'secrets',
+        languages: ['node', 'typescript', 'python'],
+        filePatterns: ['*.js', '*.ts', '*.jsx', '*.tsx', '*.mjs', '*.cjs', '*.py'],
+        pattern: /(?:console\.log|print)\s*\([^)]*(?:key|token|password|secret|credential|api[_-]?key)/gi,
+        message: 'Potentially logging sensitive data. Logs may be accessible to unauthorized parties.',
+        remediation: 'Remove secret logging or redact sensitive values before logging.',
+        confidence: 'medium',
+        cwe: 'CWE-532',
+        owasp: 'A09:2021',
+        aiVerification: { enabled: true },
+    },
+    {
+        id: 'VG-SEC-005',
+        title: 'Secret in API Response',
+        severity: 'warning',
+        category: 'secrets',
+        languages: ['node', 'typescript', 'python'],
+        filePatterns: ['*.js', '*.ts', '*.jsx', '*.tsx', '*.mjs', '*.cjs', '*.py'],
+        pattern: /(?:res\.json|jsonify|return\s*\{)[^}]*(?:api_key|password|secret|token|private_key)\s*:/gi,
+        message: 'API response may include sensitive fields. Secrets exposed to clients.',
+        remediation: 'Filter sensitive fields before sending response. Use DTOs or serializers.',
+        confidence: 'medium',
+        cwe: 'CWE-200',
+        owasp: 'A01:2021',
+        aiVerification: { enabled: true },
+    },
+];

package/dist/rules/types.d.ts

@@ -0,0 +1,75 @@
+export type RuleSeverity = 'critical' | 'warning' | 'info';
+export type RuleCategory = 'secrets' | 'injection' | 'deserialization' | 'config' | 'crypto' | 'docker' | 'kubernetes' | 'dependency';
+export type Language = 'node' | 'typescript' | 'python' | 'docker' | 'kubernetes' | 'yaml' | 'json';
+export interface DetectionRule {
+    id: string;
+    title: string;
+    severity: RuleSeverity;
+    category: RuleCategory;
+    languages: Language[];
+    filePatterns: string[];
+    pattern: RegExp;
+    allowPatterns?: RegExp[];
+    pathExclude?: string[];
+    message: string;
+    remediation?: string;
+    references?: string[];
+    confidence: 'high' | 'medium' | 'low';
+    cwe?: string;
+    owasp?: string;
+    aiVerification?: {
+        enabled: boolean;
+        promptTemplate?: string;
+    };
+    fixable?: boolean;
+    fixStrategy?: string;
+}
+export interface Finding {
+    ruleId: string;
+    title: string;
+    severity: RuleSeverity;
+    category: RuleCategory;
+    file: string;
+    line: number;
+    column: number;
+    endLine?: number;
+    endColumn?: number;
+    snippet: string;
+    match: string;
+    matchOffset?: number;
+    message: string;
+    remediation?: string;
+    cwe?: string;
+    owasp?: string;
+    aiVerdict?: {
+        verdict: 'true_positive' | 'false_positive' | 'unsure';
+        confidence: number;
+        rationale: string;
+    };
+}
+export interface ScanConfig {
+    targetPath: string;
+    ignorePatterns: string[];
+    maxFileSize: number;
+    includeSeverities: RuleSeverity[];
+    includeCategories?: RuleCategory[];
+    ruleIds?: string[];
+    format: 'console' | 'json' | 'sarif';
+    noColor: boolean;
+    verbose: boolean;
+    aiVerify: boolean;
+    aiProvider?: string;
+    aiApiKey?: string;
+    aiModel?: string;
+}
+export interface ScanResult {
+    scannedFiles: number;
+    skippedFiles: number;
+    totalFindings: number;
+    criticalCount: number;
+    warningCount: number;
+    infoCount: number;
+    findings: Finding[];
+    duration: number;
+    timestamp: string;
+}

package/dist/rules/types.js

@@ -0,0 +1 @@
+export {};

package/dist/utils/binary-check.d.ts

@@ -0,0 +1 @@
+export declare function isBinaryBuffer(buffer: Buffer): boolean;

package/dist/utils/binary-check.js

@@ -0,0 +1,10 @@
+const BINARY_CHECK_SIZE = 8192;
+export function isBinaryBuffer(buffer) {
+    const checkSize = Math.min(buffer.length, BINARY_CHECK_SIZE);
+    for (let i = 0; i < checkSize; i++) {
+        if (buffer[i] === 0) {
+            return true;
+        }
+    }
+    return false;
+}

package/dist/utils/line-mapper.d.ts

@@ -0,0 +1,6 @@
+export declare function buildLineIndex(content: string): number[];
+export declare function offsetToLineCol(offset: number, lineStarts: number[]): {
+    line: number;
+    column: number;
+};
+export declare function extractSnippet(content: string, line: number, lineStarts: number[], maxLength?: number): string;

package/dist/utils/line-mapper.js

@@ -0,0 +1,40 @@
+export function buildLineIndex(content) {
+    const starts = [0];
+    for (let i = 0; i < content.length; i++) {
+        if (content[i] === '\n') {
+            starts.push(i + 1);
+        }
+    }
+    return starts;
+}
+export function offsetToLineCol(offset, lineStarts) {
+    let low = 0;
+    let high = lineStarts.length - 1;
+    while (low < high) {
+        const mid = Math.floor((low + high + 1) / 2);
+        if (lineStarts[mid] <= offset) {
+            low = mid;
+        }
+        else {
+            high = mid - 1;
+        }
+    }
+    return {
+        line: low + 1,
+        column: offset - lineStarts[low] + 1,
+    };
+}
+export function extractSnippet(content, line, lineStarts, maxLength = 200) {
+    const lineIndex = line - 1;
+    if (lineIndex < 0 || lineIndex >= lineStarts.length) {
+        return '';
+    }
+    const start = lineStarts[lineIndex];
+    const end = lineIndex + 1 < lineStarts.length
+        ? lineStarts[lineIndex + 1] - 1
+        : content.length;
+    const snippet = content.slice(start, end).trim();
+    return snippet.length > maxLength
+        ? snippet.slice(0, maxLength - 3) + '...'
+        : snippet;
+}

package/package.json

@@ -0,0 +1,52 @@
+{
+  "name": "@rahul-sch/vibeguard",
+  "version": "1.0.0",
+  "description": "Regex-first security scanner for AI-generated code",
+  "type": "module",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "bin": {
+    "vibeguard": "bin/vibeguard.js"
+  },
+  "files": [
+    "dist",
+    "bin"
+  ],
+  "scripts": {
+    "prepublishOnly": "npm run build",
+    "build": "tsc",
+    "dev": "tsx src/index.ts",
+    "lint": "eslint src --ext .ts",
+    "format": "prettier --write src",
+    "test": "vitest run",
+    "test:watch": "vitest"
+  },
+  "keywords": [
+    "security",
+    "scanner",
+    "cli",
+    "vibe-coding",
+    "static-analysis"
+  ],
+  "author": "",
+  "license": "MIT",
+  "dependencies": {
+    "chalk": "^5.3.0",
+    "commander": "^12.1.0",
+    "fast-glob": "^3.3.2",
+    "lru-cache": "^10.4.3"
+  },
+  "devDependencies": {
+    "@types/node": "^20.14.0",
+    "@typescript-eslint/eslint-plugin": "^7.13.0",
+    "@typescript-eslint/parser": "^7.13.0",
+    "eslint": "^8.57.0",
+    "prettier": "^3.3.2",
+    "tsx": "^4.15.6",
+    "typescript": "^5.4.5",
+    "vitest": "^1.6.0"
+  },
+  "engines": {
+    "node": ">=18"
+  }
+}