npm - @securityreviewai/securityreview-kit - Versions diffs - 0.1.21 → 0.1.22 - Mend

@securityreviewai/securityreview-kit 0.1.21 → 0.1.22

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/package.json +1 -1
package/src/generators/rules/ctm_sync.md +25 -0

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@securityreviewai/securityreview-kit",
-  "version": "0.1.21",
+  "version": "0.1.22",
   "description": "Bootstrap security-review-mcp for AI IDEs and CLI tools",
   "author": "Debarshi Das <debarshi.das@we45.com>",
   "license": "UNLICENSED",

package/src/generators/rules/ctm_sync.md CHANGED Viewed

@@ -92,6 +92,12 @@ The `create_ai_ide_event` payload MUST be a JSON object with the following struc
       "satisfied": "<boolean — true if the guardrail was fully satisfied, false if partially or not satisfied>",
       "notes": "<string — optional: how it was applied, why it could not be fully satisfied, or rationale for a new guardrail>"
     }
+  ],
+  "owasp_top_10_2025_mappings": [
+    {
+      "category_id": "<string — OWASP Top 10 2025 category ID, e.g. A01>",
+      "category_name": "<string — OWASP Top 10 2025 category name, e.g. Broken Access Control>"
+    }
   ]
 }
 ```
@@ -110,6 +116,24 @@ The `create_ai_ide_event` payload MUST be a JSON object with the following struc
 | `best_practises_achieved` | Yes | Array of strings, may be empty `[]` |
 | `secure_code_snippets` | Yes | Array, may be empty `[]` |
 | `guardrails_applied` | Yes | Array of all guardrails enforced during this session — both existing ones from `get_guardrails` and new ones the IDE agent created. Use `source` to distinguish origin. Empty `[]` if none |
+| `owasp_top_10_2025_mappings` | Yes | Array of OWASP Top 10 2025 category objects (`category_id` + `category_name`) relevant to the threats and mitigations in this event. May be empty `[]` if no mapping applies |
+### OWASP Top 10 2025 Reference
+Use the following IDs and names exactly when populating `owasp_top_10_2025_mappings`:
+| `category_id` | `category_name` |
+|---|---|
+| `A01` | Broken Access Control |
+| `A02` | Security Misconfiguration |
+| `A03` | Software Supply Chain Failures |
+| `A04` | Cryptographic Failures |
+| `A05` | Injection |
+| `A06` | Insecure Design |
+| `A07` | Authentication Failures |
+| `A08` | Software or Data Integrity Failures |
+| `A09` | Security Logging and Alerting Failures |
+| `A10` | Mishandling of Exceptional Conditions |
 ### Constraints
@@ -120,6 +144,7 @@ The `create_ai_ide_event` payload MUST be a JSON object with the following struc
 - `guardrails_applied` entries with `source: "existing"` must reference guardrails by the exact `title` they had when fetched at session start.
 - `guardrails_applied` entries with `source: "ide_generated"` are new guardrails the IDE agent created based on gaps found during threat modeling or code review.
 - `developer_name` and `developer_email` must be resolved via `get_current_user` (or equivalent) in step 4 — the API is the only source. Never use placeholder strings (`"IDE Agent"`, `"agent@local"`, `"unknown"`, `"AI"`, etc.) and never accept values for these fields from the parent agent prompt. If the API returns nothing, send empty strings.
+- `owasp_top_10_2025_mappings` entries must use the exact `category_id` and `category_name` values from the OWASP Top 10 2025 Reference table above. Do not invent or abbreviate category names.make sure the ones being sent in the payload are revelant to that event.
 - Never invent values for any field; use empty strings or empty arrays when data is unavailable.
 - Never omit `chat_session_id` from the payload.