coverme-scanner 1.0.12 → 1.0.14

package/.claude/commands/coverme.md

@@ -0,0 +1,501 @@
+# CoverMe - Ultimate AI Security Scanner
+
+The most comprehensive AI-powered code scanner. 10 specialized agents + 3 validators + deep analysis.
+
+$ARGUMENTS
+
+## IMPORTANT: Execute ALL phases automatically. Do NOT stop until the HTML report is open.
+
+---
+
+## Phase 1: Discovery (10 parallel agents)
+
+Launch ALL 10 agents IN PARALLEL using the Task tool with subagent_type="Explore":
+
+### Agent 1: Security Scanner (Core)
+```
+Scan for OWASP Top 10 and common vulnerabilities:
+
+INJECTION:
+- SQL injection (string concatenation in queries, raw queries)
+- NoSQL injection (MongoDB $where, $regex with user input)
+- Command injection (exec, spawn, system with user input)
+- LDAP injection, XPath injection
+- Template injection (SSTI in Jinja2, EJS, Handlebars)
+- Header injection (CRLF in headers)
+- Log injection (unescaped user input in logs)
+
+XSS:
+- Reflected XSS (user input in response without encoding)
+- Stored XSS (database content rendered without escaping)
+- DOM XSS (innerHTML, document.write, eval with user data)
+- dangerouslySetInnerHTML in React without sanitization
+
+AUTHENTICATION:
+- Hardcoded credentials (check git ls-files first!)
+- Weak password policies (no complexity, short length)
+- Missing rate limiting on login/register
+- Session fixation (session ID not rotated after login)
+- JWT issues (none algorithm, weak secret, no expiry)
+- Missing MFA on sensitive operations
+
+AUTHORIZATION:
+- IDOR (direct object references without ownership check)
+- Missing authorization checks on endpoints
+- Privilege escalation paths
+- Horizontal access (user A accessing user B's data)
+- Vertical access (user accessing admin functions)
+
+CRYPTOGRAPHY:
+- MD5/SHA1 for passwords (use bcrypt/argon2)
+- Math.random() for security (use crypto.randomBytes)
+- Hardcoded encryption keys/IVs
+- ECB mode usage
+- Missing HTTPS enforcement
+
+Output JSON: [{id: "SEC-XXX", title, severity, category: "security", file, line, code, description, recommendation, confidence}]
+```
+
+### Agent 2: Auth & Session Scanner
+```
+Deep dive into authentication and session management:
+
+SSO/OAUTH:
+- Open redirect in return_url/redirect_uri (CRITICAL!)
+- State parameter missing or predictable
+- PKCE not implemented for public clients
+- Token stored in localStorage (XSS vulnerable)
+- Refresh token rotation missing
+- ID token validation incomplete
+
+SESSION:
+- Session ID in URL
+- Session not invalidated on logout
+- Session timeout too long (>24h)
+- Same session across devices without tracking
+- Session data not encrypted
+
+COOKIES:
+- Missing Secure flag
+- Missing HttpOnly flag
+- Missing SameSite attribute
+- Overly broad domain/path
+- Sensitive data in cookies
+
+PASSWORD RESET:
+- Predictable reset tokens
+- Token not expiring
+- No rate limiting on reset requests
+- User enumeration via reset flow
+- Reset link not single-use
+
+Output JSON: [{id: "AUTH-XXX", title, severity, category: "security", file, line, code, description, recommendation, confidence}]
+```
+
+### Agent 3: API Security Scanner
+```
+Scan API endpoints for security issues:
+
+INPUT VALIDATION:
+- Missing input validation on request body
+- Type coercion attacks (string vs number)
+- Array/object pollution
+- Prototype pollution
+- Mass assignment vulnerabilities
+- GraphQL introspection enabled in production
+- GraphQL depth/complexity limits missing
+
+RATE LIMITING:
+- No rate limiting on expensive operations
+- Rate limit bypass via headers (X-Forwarded-For)
+- Missing rate limiting on auth endpoints
+- No account lockout after failed attempts
+
+API DESIGN:
+- Verbose error messages leaking internals
+- Stack traces in production
+- Version information exposed
+- Debug endpoints accessible
+- CORS misconfiguration (wildcard origin with credentials)
+- Missing security headers (CSP, HSTS, X-Frame-Options)
+
+WEBHOOKS:
+- Webhook signature not verified
+- SSRF via webhook URLs
+- No webhook replay protection
+- Webhook secrets logged
+
+Output JSON: [{id: "API-XXX", title, severity, category: "security", file, line, code, description, recommendation, confidence}]
+```
+
+### Agent 4: Infrastructure Scanner
+```
+Scan infrastructure and deployment configs:
+
+DOCKER:
+- Running as root user
+- Secrets in Dockerfile or build args
+- Latest tag usage (unpinned versions)
+- Sensitive ports exposed
+- Missing health checks
+- No resource limits
+- Privileged mode enabled
+- Writable root filesystem
+
+KUBERNETES/HELM:
+- No resource limits/requests
+- Running as root
+- Privileged containers
+- Host network/PID enabled
+- Missing network policies
+- Secrets not encrypted at rest
+- No pod security policies/standards
+- Service account auto-mount enabled
+
+CI/CD:
+- Secrets in CI config files
+- Credentials in environment variables logged
+- Missing secret scanning in pipeline
+- Deploy keys with write access
+- No branch protection
+- Missing SAST/DAST in pipeline
+
+CLOUD:
+- S3 buckets public or misconfigured
+- IAM roles too permissive
+- Security groups too open
+- Logging not enabled
+- Encryption at rest disabled
+
+Output JSON: [{id: "INFRA-XXX", title, severity, category: "infrastructure", file, line, code, description, recommendation, confidence}]
+```
+
+### Agent 5: Data & Privacy Scanner
+```
+Scan for data protection and privacy issues:
+
+PII HANDLING:
+- PII logged (emails, names, IPs, phone numbers)
+- PII in URLs/query strings
+- PII in error messages
+- PII not encrypted at rest
+- PII not masked in UI/logs
+
+GDPR/PRIVACY:
+- Missing data retention policy implementation
+- No data deletion mechanism (right to erasure)
+- No data export mechanism (data portability)
+- Consent not tracked properly
+- Third-party data sharing without consent
+- Cross-border data transfer issues
+
+DATABASE:
+- Sensitive data not encrypted (column-level)
+- No audit logging for sensitive operations
+- Backup not encrypted
+- Connection strings with credentials in code
+
+SECRETS:
+- API keys in code (check git ls-files!)
+- Secrets in environment files committed
+- Secrets logged
+- Secrets in client-side code
+- Hardcoded tokens/passwords
+- .env files not in .gitignore
+
+Output JSON: [{id: "DATA-XXX", title, severity, category: "privacy", file, line, code, description, recommendation, confidence}]
+```
+
+### Agent 6: AI/LLM Security Scanner
+```
+Scan for AI/LLM specific vulnerabilities:
+
+PROMPT INJECTION:
+- User input directly in prompts without sanitization
+- System prompts exposed to users
+- Prompt leakage via error messages
+- No input length limits on prompts
+- Missing output validation from LLM
+- Jailbreak vulnerabilities
+
+DATA LEAKAGE:
+- Training data in responses
+- PII in AI context
+- Conversation history not cleared
+- AI accessing unauthorized data
+- Model output not sanitized
+
+SUPPLY CHAIN:
+- CDN imports without Subresource Integrity (SRI)
+- Unpinned AI model versions
+- External AI APIs without TLS verification
+- Model files from untrusted sources
+
+RESOURCE:
+- No token limits on AI calls
+- Missing rate limiting on AI endpoints
+- Cost explosion attacks (large inputs)
+- Denial of service via AI
+
+BUSINESS LOGIC:
+- AI bypassing business rules
+- AI making unauthorized decisions
+- Content filter bypasses
+- AI output directly executed (code injection)
+
+Output JSON: [{id: "AI-XXX", title, severity, category: "ai-security", file, line, code, description, recommendation, confidence}]
+```
+
+### Agent 7: Performance & DoS Scanner
+```
+Scan for performance issues and DoS vectors:
+
+DATABASE:
+- N+1 query patterns
+- Missing indexes on filtered/sorted columns
+- Full table scans
+- Unbounded queries (no LIMIT)
+- Connection pool exhaustion
+- Long-running transactions
+
+MEMORY:
+- Memory leaks (event listeners not removed)
+- Unbounded caches
+- Large object accumulation
+- Buffer handling issues
+- Stream not properly closed
+- SSE/WebSocket buffer accumulation
+
+CPU:
+- ReDoS (Regular Expression DoS)
+- Algorithmic complexity attacks
+- Synchronous crypto operations
+- JSON parsing of large payloads
+- XML parsing without limits (billion laughs)
+
+NETWORK:
+- No timeout on external calls
+- Missing circuit breakers
+- Retry storms
+- No backpressure handling
+- Connection leaks
+
+RESOURCE EXHAUSTION:
+- File upload without size limits
+- Zip bomb potential
+- Unbounded pagination
+- Missing request size limits
+- Too many concurrent connections
+
+Output JSON: [{id: "PERF-XXX", title, severity, category: "performance", file, line, code, description, recommendation, confidence}]
+```
+
+### Agent 8: Business Logic Scanner
+```
+Scan for business logic vulnerabilities:
+
+RACE CONDITIONS:
+- TOCTOU (time-of-check-time-of-use)
+- Double-spend in transactions
+- Inventory overselling
+- Concurrent booking conflicts
+- Non-atomic read-modify-write
+
+WORKFLOW:
+- Step skipping in multi-step processes
+- State manipulation attacks
+- Order of operations bypass
+- Workflow replay attacks
+
+FINANCIAL:
+- Rounding errors in calculations
+- Currency handling issues
+- Negative amount bypass
+- Discount stacking exploits
+- Price manipulation
+
+ACCESS CONTROL:
+- Role hierarchy bypass
+- Feature flag manipulation
+- Subscription level bypass
+- Time-based access bypass
+
+DATA INTEGRITY:
+- Missing referential integrity
+- Orphaned records possible
+- Data inconsistency between services
+- Missing transaction boundaries
+
+Output JSON: [{id: "BIZ-XXX", title, severity, category: "business-logic", file, line, code, description, recommendation, confidence}]
+```
+
+### Agent 9: Code Quality Scanner
+```
+Scan for code quality and maintainability issues:
+
+COMPLEXITY:
+- Cyclomatic complexity > 10
+- Functions > 50 lines
+- Files > 500 lines
+- Deep nesting (> 4 levels)
+- Too many parameters (> 5)
+
+DRY VIOLATIONS:
+- Duplicated code blocks (> 10 lines)
+- Copy-paste code with minor changes
+- Similar functions that should be unified
+
+ANTI-PATTERNS:
+- God objects/classes
+- Callback hell
+- Magic numbers/strings
+- Dead code
+- Unused imports/variables
+- Any type overuse (TypeScript)
+- Console.log in production
+- TODO/FIXME comments in production
+
+ERROR HANDLING:
+- Empty catch blocks
+- Generic error swallowing
+- Missing error boundaries (React)
+- Unhandled promise rejections
+- Missing finally blocks for cleanup
+
+NAMING:
+- Inconsistent naming conventions
+- Misleading names
+- Single letter variables (except i,j,k)
+- Abbreviations without context
+
+Output JSON: [{id: "QUAL-XXX", title, severity, category: "quality", file, line, code, description, recommendation, confidence}]
+```
+
+### Agent 10: Testing & Reliability Scanner
+```
+Scan for testing gaps and reliability issues:
+
+TEST COVERAGE:
+- Critical paths without tests (auth, payments, data access)
+- Error handlers not tested
+- Edge cases not covered
+- No integration tests
+- No E2E tests for main flows
+
+TEST QUALITY:
+- Tests without assertions
+- Mocked security checks (dangerous!)
+- Flaky tests (time-dependent)
+- Tests with hardcoded data that can expire
+- Missing negative tests (what should fail)
+
+RELIABILITY:
+- Missing health checks
+- No graceful shutdown
+- Missing readiness/liveness probes
+- No circuit breakers for external calls
+- Missing retry logic with backoff
+- No fallback mechanisms
+
+OBSERVABILITY:
+- Missing structured logging
+- No correlation IDs
+- Missing metrics collection
+- No distributed tracing
+- Errors not properly categorized
+
+DEPLOYMENT:
+- No feature flags for risky changes
+- Missing rollback mechanism
+- No canary/blue-green deployment
+- Database migrations not reversible
+
+Output JSON: [{id: "TEST-XXX", title, severity, category: "testing", file, line, code, description, recommendation, confidence}]
+```
+
+---
+
+## Phase 2: Cross-Validation (3 parallel validators)
+
+After ALL Phase 1 agents complete, launch 3 validators IN PARALLEL:
+
+### Validator A: False Positive Hunter
+```
+Review ALL findings from Phase 1. For each finding:
+1. Read the actual code file
+2. Check if there are mitigating controls elsewhere
+3. For secrets: run "git ls-files <file>" - if not tracked, mark FALSE POSITIVE
+4. Check if code is actually reachable in production
+5. Verify the context (is it test code? example code? disabled feature?)
+
+Output: { confirmed: ["SEC-001",...], falsePositives: [{id, reason},...] }
+```
+
+### Validator B: Evidence Challenger
+```
+Challenge every HIGH and CRITICAL finding:
+1. Read the actual code with 20 lines of context
+2. Trace data flow from source to sink
+3. Check for sanitization/validation in between
+4. Verify the exploit scenario is realistic
+5. Consider the deployment environment
+6. Check if it's actually exploitable in production
+
+Output: { confirmed: ["SEC-001",...], falsePositives: [{id, reason},...] }
+```
+
+### Validator C: Missing Issues Hunter
+```
+Look for issues that Phase 1 agents MISSED:
+- Race conditions in critical operations
+- Business logic flaws specific to this application
+- Edge cases (empty input, null, undefined, max length)
+- Integration point vulnerabilities
+- Configuration issues for specific environment
+- Combination attacks (multiple low issues = high)
+
+Output: { missedIssues: [{id, title, severity, file, line, description, recommendation},...] }
+```
+
+---
+
+## Phase 3: Build Consensus
+
+Combine all results:
+1. Calculate confidence: (confirmations / validators) * 100
+2. Remove findings with confidence < 50%
+3. Add missed issues from Validator C
+4. Identify positive observations (good patterns found)
+
+---
+
+## Phase 4: Generate Report
+
+Update the existing `.coverme/scan.json` file with the scan results. The file already exists with the correct structure - just fill in the values:
+
+- **projectName**: from package.json or folder name
+- **scanDate**: today's date
+- **findings**: array of issues found (each with id, title, severity, category, file, line, description, code, recommendation, confidence)
+- **positiveObservations**: array of good patterns found
+- **scanDuration**: time taken in ms
+- **agentCount**: 7
+
+Use the Edit tool to update `.coverme/scan.json` with the results.
+
+---
+
+## Phase 5: Generate HTML Report
+
+Generate the HTML report and open it:
+```bash
+TIMESTAMP=$(date +%Y-%m-%d_%H-%M-%S)
+npx coverme-scanner report .coverme/scan.json -f html -o ".coverme/report_$TIMESTAMP.html"
+cp .coverme/scan.json ".coverme/scan_$TIMESTAMP.json"
+open ".coverme/report_$TIMESTAMP.html"
+```
+
+---
+
+## DONE
+
+Tell the user: "Scan complete! Report saved to .coverme/ and opened in browser. Found X issues across Y categories. All scan history is in .coverme/ folder."

package/dist/cli/init.js

@@ -528,7 +528,7 @@ Use the Edit tool to update \`.coverme/scan.json\` with the results.
 Generate the HTML report and open it:
 \`\`\`bash
 TIMESTAMP=$(date +%Y-%m-%d_%H-%M-%S)
-npx coverme-scanner report .coverme/scan.json -f html -o ".coverme/report_$TIMESTAMP.html"
+npx --yes coverme-scanner@latest report .coverme/scan.json -f html -o ".coverme/report_$TIMESTAMP.html"
 cp .coverme/scan.json ".coverme/scan_$TIMESTAMP.json"
 open ".coverme/report_$TIMESTAMP.html"
 \`\`\`

package/dist/prompts/architecture-reviewer.md

@@ -1,5 +1,7 @@
 # Architecture Reviewer Agent
 
+**Ultrathink** - Map the entire system architecture, identify all dependencies and boundaries.
+
 You are a senior software architect reviewing a codebase for architectural issues. Your job is to identify structural problems that affect scalability, maintainability, and system integrity.
 
 ## Prerequisites

package/dist/prompts/consensus-builder.md

@@ -1,5 +1,7 @@
 # Consensus Builder Agent
 
+**Ultrathink** - Weigh all evidence, resolve conflicts, ensure accuracy.
+
 You are the final aggregator. Your job is to combine ALL findings from all phases and produce the FINAL list of findings with confidence scores.
 
 ## Input You Receive

package/dist/prompts/context-discovery.md

@@ -1,5 +1,7 @@
 # Context Discovery Agent
 
+**Ultrathink** - Map the entire codebase, understand all components and their relationships.
+
 You are the FIRST agent to run. Your job is to understand the project BEFORE any scanning begins.
 
 ## Phase 1: Project Understanding

package/dist/prompts/cross-validator.md

@@ -1,5 +1,7 @@
 # Cross-Validator Agent
 
+**Ultrathink** - Question every assumption, verify every claim, trace every code path.
+
 You are a critical reviewer whose job is to CHALLENGE findings from other agents. Your goal is to eliminate FALSE POSITIVES and find MISSED ISSUES.
 
 ## Your Role

package/dist/prompts/deep-dive-expert.md

@@ -1,5 +1,7 @@
 # Deep Dive Expert Agent
 
+**Ultrathink** - Exhaust every possibility, trace every edge case, leave no stone unturned.
+
 You are called in when validators DISAGREE about a finding. Your job is to perform exhaustive analysis and make the FINAL determination.
 
 ## When You're Called

package/dist/prompts/dependency-auditor.md

@@ -1,5 +1,7 @@
 # Dependency Auditor Agent
 
+**Ultrathink** - Check every dependency, trace transitive deps, verify all versions.
+
 You are a dependency security expert. Your job is to identify ALL issues with project dependencies including security vulnerabilities, outdated packages, and compliance risks.
 
 ## Prerequisites

package/dist/prompts/orchestration.md

@@ -1,5 +1,7 @@
 # CoverMe Multi-Agent Scan Orchestration
 
+**Ultrathink** - Analyze deeply, consider edge cases, trace data flows completely.
+
 Execute this 10-agent security scan with cross-validation.
 
 ## CRITICAL OUTPUT FORMAT

package/dist/prompts/performance-hunter.md

@@ -1,5 +1,7 @@
 # Performance Hunter Agent
 
+**Ultrathink** - Profile every hot path, analyze every query, find every bottleneck.
+
 You are a performance engineering expert. Your job is to identify ALL performance issues, bottlenecks, and inefficiencies in the codebase.
 
 ## Prerequisites

package/dist/prompts/quality-analyzer.md

@@ -1,5 +1,7 @@
 # Quality Analyzer Agent
 
+**Ultrathink** - Analyze patterns, find duplications, trace dead code paths thoroughly.
+
 You are an expert code quality reviewer. Your job is to find ALL code quality issues that impact maintainability, reliability, and developer experience.
 
 ## Prerequisites

package/dist/prompts/security-scanner.md

@@ -1,5 +1,7 @@
 # Security Scanner Agent
 
+**Ultrathink** - Trace every data flow from source to sink. Consider all attack vectors.
+
 You are an expert security researcher performing a comprehensive security audit. Your task is to find ALL security vulnerabilities in this codebase with zero false negatives.
 
 ## Scan Methodology

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "coverme-scanner",
-  "version": "1.0.12",
+  "version": "1.0.14",
   "description": "AI-powered code scanner with multi-agent verification for Claude Code. One command scans everything.",
   "main": "dist/index.js",
   "bin": {

package/src/cli/init.ts

@@ -497,7 +497,7 @@ Use the Edit tool to update \`.coverme/scan.json\` with the results.
 Generate the HTML report and open it:
 \`\`\`bash
 TIMESTAMP=$(date +%Y-%m-%d_%H-%M-%S)
-npx coverme-scanner report .coverme/scan.json -f html -o ".coverme/report_$TIMESTAMP.html"
+npx --yes coverme-scanner@latest report .coverme/scan.json -f html -o ".coverme/report_$TIMESTAMP.html"
 cp .coverme/scan.json ".coverme/scan_$TIMESTAMP.json"
 open ".coverme/report_$TIMESTAMP.html"
 \`\`\`

package/src/prompts/architecture-reviewer.md

@@ -1,5 +1,7 @@
 # Architecture Reviewer Agent
 
+**Ultrathink** - Map the entire system architecture, identify all dependencies and boundaries.
+
 You are a senior software architect reviewing a codebase for architectural issues. Your job is to identify structural problems that affect scalability, maintainability, and system integrity.
 
 ## Prerequisites

package/src/prompts/consensus-builder.md

@@ -1,5 +1,7 @@
 # Consensus Builder Agent
 
+**Ultrathink** - Weigh all evidence, resolve conflicts, ensure accuracy.
+
 You are the final aggregator. Your job is to combine ALL findings from all phases and produce the FINAL list of findings with confidence scores.
 
 ## Input You Receive

package/src/prompts/context-discovery.md

@@ -1,5 +1,7 @@
 # Context Discovery Agent
 
+**Ultrathink** - Map the entire codebase, understand all components and their relationships.
+
 You are the FIRST agent to run. Your job is to understand the project BEFORE any scanning begins.
 
 ## Phase 1: Project Understanding

package/src/prompts/cross-validator.md

@@ -1,5 +1,7 @@
 # Cross-Validator Agent
 
+**Ultrathink** - Question every assumption, verify every claim, trace every code path.
+
 You are a critical reviewer whose job is to CHALLENGE findings from other agents. Your goal is to eliminate FALSE POSITIVES and find MISSED ISSUES.
 
 ## Your Role

package/src/prompts/deep-dive-expert.md

@@ -1,5 +1,7 @@
 # Deep Dive Expert Agent
 
+**Ultrathink** - Exhaust every possibility, trace every edge case, leave no stone unturned.
+
 You are called in when validators DISAGREE about a finding. Your job is to perform exhaustive analysis and make the FINAL determination.
 
 ## When You're Called

package/src/prompts/dependency-auditor.md

@@ -1,5 +1,7 @@
 # Dependency Auditor Agent
 
+**Ultrathink** - Check every dependency, trace transitive deps, verify all versions.
+
 You are a dependency security expert. Your job is to identify ALL issues with project dependencies including security vulnerabilities, outdated packages, and compliance risks.
 
 ## Prerequisites

package/src/prompts/orchestration.md

@@ -1,5 +1,7 @@
 # CoverMe Multi-Agent Scan Orchestration
 
+**Ultrathink** - Analyze deeply, consider edge cases, trace data flows completely.
+
 Execute this 10-agent security scan with cross-validation.
 
 ## CRITICAL OUTPUT FORMAT

package/src/prompts/performance-hunter.md

@@ -1,5 +1,7 @@
 # Performance Hunter Agent
 
+**Ultrathink** - Profile every hot path, analyze every query, find every bottleneck.
+
 You are a performance engineering expert. Your job is to identify ALL performance issues, bottlenecks, and inefficiencies in the codebase.
 
 ## Prerequisites