coverme-scanner 1.0.19 → 1.0.21

package/.claude/commands/coverme.md

@@ -4,7 +4,15 @@ The most comprehensive AI-powered code scanner. 10 specialized agents + 3 valida
 
 $ARGUMENTS
 
-## IMPORTANT: Execute ALL phases automatically. Do NOT stop until the HTML report is open.
+## CRITICAL INSTRUCTIONS - READ FIRST!
+
+1. **DO NOT ASK ANY QUESTIONS** - Run the entire scan autonomously from start to finish
+2. **DO NOT STOP FOR CONFIRMATION** - Just keep going through all phases
+3. **DO NOT ASK ABOUT FILE CHANGES** - Automatically update/overwrite scan.json
+4. **DO NOT ASK TO OPEN REPORT** - Just open it automatically at the end
+5. **COMPLETE EVERYTHING IN ONE GO** - All 5 phases without interruption
+
+Execute ALL phases automatically. Do NOT stop until the HTML report is open.
 
 ---
 
@@ -471,7 +479,9 @@ Combine all results:
 
 ## Phase 4: Generate Report
 
-Update the existing `.coverme/scan.json` file with the scan results. The file already exists with the correct structure - just fill in the values:
+**DO NOT ASK - JUST OVERWRITE THE FILE!**
+
+Update `.coverme/scan.json` with the scan results. Overwrite any existing content without asking:
 
 - **projectName**: from package.json or folder name
 - **scanDate**: today's date
@@ -480,13 +490,15 @@ Update the existing `.coverme/scan.json` file with the scan results. The file al
 - **scanDuration**: time taken in ms
 - **agentCount**: 7
 
-Use the Edit tool to update `.coverme/scan.json` with the results.
+Use the Write tool to overwrite `.coverme/scan.json` with the results. Do not ask for confirmation.
 
 ---
 
 ## Phase 5: Generate HTML Report
 
-Generate the HTML report and open it:
+**DO NOT ASK - JUST RUN THE COMMANDS!**
+
+Generate the HTML report and open it automatically:
 ```bash
 TIMESTAMP=$(date +%Y-%m-%d_%H-%M-%S)
 npx coverme-scanner report .coverme/scan.json -f html -o ".coverme/report_$TIMESTAMP.html"
@@ -494,8 +506,12 @@ cp .coverme/scan.json ".coverme/scan_$TIMESTAMP.json"
 open ".coverme/report_$TIMESTAMP.html"
 ```
 
+Run these commands without asking for permission.
+
 ---
 
 ## DONE
 
-Tell the user: "Scan complete! Report saved to .coverme/ and opened in browser. Found X issues across Y categories. All scan history is in .coverme/ folder."
+Tell the user: "Scan complete! Report saved to .coverme/ and opened in browser."
+
+**REMINDER: You should have completed all 5 phases without asking ANY questions or stopping for confirmation.**

package/dist/prompts/cross-validator.md

@@ -223,4 +223,48 @@ Focus: Find what was MISSED
 - Don't ignore context from CLAUDE.md
 - Don't miss the forest for the trees
 
+## CRITICAL: Things That Are NOT False Positives
+
+### Command Injection from Config Files
+**DO NOT dismiss as false positive!**
+```javascript
+execSync(`pm2 start ${configValue}`)  // STILL VULNERABLE!
+```
+Even if the value comes from a config file (models.json, config.yaml), if that file is:
+- Writable by users (admin panel, API)
+- Not validated against a strict schema
+- Could be modified by an attacker with file access
+
+Then it IS a real command injection. The attack vector is just indirect.
+
+**Only dismiss if:**
+- Config file is hardcoded at build time (not runtime loaded)
+- Config values are validated against strict regex/enum
+- execFile() is used instead of execSync() with proper argument array
+
+### Secrets in Git History
+**DO NOT dismiss just because file is now gitignored!**
+If a secret file was EVER committed, it may still be in git history.
+```bash
+git log --all --full-history -- "**/secrets*" "**/credentials*" "**/*.env"
+```
+If this returns results, the secret is STILL EXPOSED even if currently gitignored.
+
+### CORS Without Whitelist
+**DO NOT dismiss as "internal only"!**
+```javascript
+res.header('Access-Control-Allow-Origin', req.headers.origin);  // VULNERABLE
+```
+This reflects ANY origin. Even if the server is "internal", browser-based attacks can still:
+- Steal data via malicious website
+- Perform CSRF-like attacks
+- Exfiltrate to attacker-controlled domains
+
+### Missing Security Configuration
+**These are real findings, not false positives:**
+- `helmet()` without custom CSP configuration
+- Missing `npm audit` in CI pipeline
+- No Dependabot/Renovate for dependency updates
+- Logs without rotation/retention policy
+
 START VALIDATION NOW. Be critical but fair.

package/dist/prompts/mitigation-validator.md

@@ -178,6 +178,74 @@ The finding is incorrect:
 3. Is it localhost/development credentials only?
 4. Is there environment variable loading that overrides?
 
+### Race Condition / TOCTOU Findings (CRITICAL - Often False Positives)
+**Check for atomic operations that FULLY mitigate the race:**
+
+1. **Redis Lua Scripts** = FULL MITIGATION
+   - `redis.call()` inside Lua script is atomic
+   - SETNX, GETSET, INCR are atomic
+   - Look for: `eval`, `evalsha`, `script load`
+   ```javascript
+   // This is ATOMIC - no race condition!
+   redis.eval(`
+     local current = redis.call('GET', key)
+     if current < limit then
+       redis.call('INCR', key)
+       return 1
+     end
+     return 0
+   `)
+   ```
+
+2. **Database Transactions** = FULL MITIGATION
+   - `BEGIN...COMMIT` with proper isolation
+   - `SELECT FOR UPDATE` locks rows
+   - Prisma `$transaction()`, TypeORM `transaction()`
+   - Look for: `transaction`, `FOR UPDATE`, `SERIALIZABLE`
+
+3. **Atomic Compare-and-Swap** = FULL MITIGATION
+   - `WATCH/MULTI/EXEC` in Redis
+   - `findOneAndUpdate` with conditions in MongoDB
+   - `UPDATE ... WHERE version = ?` (optimistic locking)
+
+4. **Mutex/Locking** = FULL MITIGATION
+   - `redis-lock`, `redlock`
+   - Database advisory locks
+   - File locks (flock)
+
+**If ANY of these patterns exist, mark as MITIGATED, not "partial"!**
+
+### Intentional Design Decisions (Check Comments!)
+**Before reporting, check if there are comments explaining WHY:**
+
+1. **Search for explanatory comments near the code:**
+   ```
+   grep -B5 -A5 "intentional|by design|deliberately|on purpose|security note" <file>
+   ```
+
+2. **Common patterns that are INTENTIONAL:**
+   - PKCE code reuse to prevent double-click race conditions
+   - Longer token expiry for better UX (with other mitigations)
+   - Allowing certain "unsafe" operations for admin users
+   - Development-only bypasses with environment checks
+
+3. **If comment explains the decision:**
+   ```json
+   {
+     "verdict": "false_positive",
+     "reason": "Intentional design decision documented in code",
+     "evidence": ["Comment at line 45: 'Intentionally allow reuse to prevent double-submit'"]
+   }
+   ```
+
+### Open Redirect Findings
+1. **Check for whitelist validation:**
+   ```
+   grep -r "isValidRedirect|allowedDomains|whitelist|validateUrl" <file>
+   ```
+2. If whitelist exists and covers the redirect parameter = MITIGATED
+3. Check if validation function is actually called before redirect
+
 ## Output Format
 
 ```json

package/dist/prompts/orchestration.md

@@ -158,6 +158,32 @@ CHECK FOR:
 - API versioning issues
 - Excessive data exposure in responses
 
+**CORS MISCONFIGURATION** (MEDIUM):
+Look for these vulnerable patterns:
+```javascript
+// VULNERABLE - reflects ANY origin
+res.header('Access-Control-Allow-Origin', req.headers.origin);
+res.header('Access-Control-Allow-Origin', '*');
+
+// VULNERABLE - no whitelist validation
+app.use(cors({ origin: true }));
+```
+Only mark as safe if there's explicit whitelist validation:
+```javascript
+const allowedOrigins = ['https://app.example.com'];
+if (allowedOrigins.includes(origin)) { ... }
+```
+
+**HELMET MISCONFIGURATION** (MEDIUM):
+```javascript
+app.use(helmet());  // Using defaults only - INSUFFICIENT!
+```
+Check that helmet() includes:
+- Custom `contentSecurityPolicy` with proper directives
+- `hsts: { maxAge: 31536000, includeSubDomains: true, preload: true }`
+- Proper `referrerPolicy`
+Report as MEDIUM if using only defaults without customization.
+
 **FAIL-OPEN vs FAIL-CLOSED PATTERNS** (CRITICAL):
 - IP whitelist empty/missing = allow all (should deny all)
 - Auth middleware errors = request passes through (should block)
@@ -207,6 +233,14 @@ CHECK FOR:
 - Ansible vault passwords in plaintext
 - CI/CD pipeline secrets in yaml files (.github/workflows, .gitlab-ci.yml)
 
+**SECRETS IN GIT HISTORY** (CRITICAL CHECK!):
+Run these commands to check if secrets were EVER committed:
+```bash
+git log --all --full-history -- "**/secrets*" "**/credentials*" "**/*.env"
+git log --all -p -S "AWS_SECRET" -S "PRIVATE_KEY" --source
+```
+If secrets appear in history, they are EXPOSED even if now gitignored!
+
 **PRIVILEGE ESCALATION RISKS**:
 - Containers/processes running as root
 - Missing securityContext in K8s (runAsNonRoot, readOnlyRootFilesystem)
@@ -220,6 +254,20 @@ CHECK FOR:
 - Missing config = silent fallback to insecure defaults
 - No validation of secret strength/format at startup
 
+**DEPENDENCY SECURITY** (HIGH if missing):
+Check for presence of:
+- `npm audit` or `yarn audit` in CI pipeline
+- Dependabot/Renovate configuration (.github/dependabot.yml, renovate.json)
+- SBOM generation (cyclonedx, syft)
+- Snyk/Trivy/Grype scanning
+Report as HIGH if NONE of these exist - supply chain risk!
+
+**LOGGING & MONITORING**:
+- Log rotation configured? (maxFiles, maxsize in Winston/Pino)
+- Log retention policy defined?
+- Sensitive data redacted from logs?
+Report as LOW if log rotation missing - disk exhaustion risk.
+
 For EACH finding, output the FULL JSON format.
 
 ---
@@ -577,63 +625,107 @@ Output as list of strings.
 
 ## PHASE 7: BUILD CONSENSUS & GENERATE OUTPUT
 
-1. **Apply Mitigation Results** (from Phase 3):
-   - Remove findings marked as `mitigated` or `false_positive`
-   - Adjust severity for findings marked as `partial`
-   - Add mitigation notes to confirmed findings
+### CRITICAL: Actually Remove False Positives!
 
-2. Calculate confidence: (confirmations / total_validators) * 100
-3. Remove findings with confidence < 50%
-4. Add missed issues from Validator C
-5. Sort: severity DESC, confidence DESC
+The final report should ONLY contain findings that are:
+1. **Confirmed** by mitigation validation (no existing protection found)
+2. **Partial** mitigations (some protection but incomplete)
 
-### Include Mitigation Summary
+**DO NOT INCLUDE** findings that are:
+- `mitigated` - full protection exists elsewhere
+- `false_positive` - not actually a vulnerability
+- Intentional design decisions with documented comments
+- Race conditions protected by atomic operations (Lua, transactions)
 
-For each finding that passed validation, include:
-```json
-{
-  "id": "SEC-001",
-  "mitigationStatus": "confirmed",
-  "mitigationChecks": [
-    "No input validation found between user input and SQL query",
-    "No ORM - raw SQL used",
-    "No middleware protection on this route"
-  ]
-}
-```
+### Step-by-Step Process:
 
-### SAVE OUTPUT AS JSON
+1. **Start with all Phase 1 findings**
+
+2. **Apply Mitigation Validator results (Phase 3):**
+   - `mitigated` → REMOVE from findings, add to `mitigatedFindings` array
+   - `false_positive` → REMOVE from findings, add to `falsePositives` array
+   - `partial` → KEEP but downgrade severity if specified
+   - `confirmed` → KEEP with original severity
+
+3. **Apply Cross-Validator results (Phase 4):**
+   - Additional false positives → REMOVE from findings
+   - Duplicates → Merge into single finding
+
+4. **Calculate final counts AFTER removals:**
+   - Only count findings that remain in the `findings` array
+   - Do NOT count mitigated or false positive findings
+
+5. **Add missed issues from Validator C**
+
+6. **Sort remaining findings:** severity DESC, confidence DESC
+
+### Final JSON Structure
 
 ```json
 {
   "projectName": "project-name",
   "scanDate": "{{SCAN_DATE}}",
   "summary": {
-    "total": 0,
-    "critical": 0,
-    "high": 0,
-    "medium": 0,
-    "low": 0,
-    "info": 0
+    "total": 10,
+    "critical": 1,
+    "high": 3,
+    "medium": 4,
+    "low": 2,
+    "info": 0,
+    "mitigatedCount": 5,
+    "falsePositiveCount": 3
   },
   "findings": [
-    "all findings with full fields including mitigationStatus"
+    "ONLY confirmed and partial findings - NOT mitigated or false positives!"
   ],
   "mitigatedFindings": [
-    {"id": "SEC-005", "reason": "Protected by Zod schema validation", "originalSeverity": "high"}
+    {
+      "id": "SEC-005",
+      "title": "Original finding title",
+      "originalSeverity": "high",
+      "reason": "Protected by Zod schema validation at src/routes/user.ts:23",
+      "mitigationType": "input_validation"
+    }
+  ],
+  "falsePositives": [
+    {
+      "id": "BIZ-004",
+      "title": "TOCTOU Race Condition",
+      "reason": "Redis Lua script provides atomic operation - no race condition possible",
+      "evidence": ["Lua script at src/services/rate-limit.js:95-113"]
+    },
+    {
+      "id": "AUTH-003",
+      "title": "PKCE Code Reuse",
+      "reason": "Intentional design decision documented in code comment",
+      "evidence": ["Comment: 'Allow reuse to prevent double-click race condition'"]
+    }
   ],
   "positiveObservations": [
     "Good pattern 1",
     "Good pattern 2"
   ],
-  "falsePositives": [
-    {"id": "...", "reason": "..."}
-  ],
+  "validationSummary": {
+    "totalInitialFindings": 18,
+    "mitigated": 5,
+    "falsePositives": 3,
+    "confirmed": 8,
+    "partial": 2,
+    "accuracy": "Only 56% of initial findings were actual issues"
+  },
   "agentsUsed": ["Security Core", "Auth & Session", "Mitigation Validator"],
   "scanDuration": 0
 }
 ```
 
+### Sanity Check Before Saving
+
+Before saving, verify:
+1. `findings` array does NOT contain any item from `mitigatedFindings` or `falsePositives`
+2. `summary.total` equals `findings.length`
+3. Severity counts match actual findings in array
+4. No duplicate IDs across findings/mitigated/falsePositives
+
 Save as: .coverme/scan.json
 
 Then generate PDF report:

package/dist/prompts/security-scanner.md

@@ -145,12 +145,21 @@ Before reporting ANY secret/credential finding as critical or high:
    - If file matches .gitignore patterns = NOT exposed in repo
    - Mark as "info" severity, not "critical"
 
-3. **Identify environment context**:
+3. **CRITICAL: Check git HISTORY for secrets!**
+   Even if a file is currently gitignored, it may have been committed in the past:
+   ```bash
+   git log --all --full-history -- "**/secrets*" "**/credentials*" "**/*.env"
+   git log --all -p -S "AWS_SECRET" --source --all
+   ```
+   If the secret was EVER committed, it's CRITICAL - secrets in git history are exposed!
+
+4. **Identify environment context**:
    - `localhost`, `127.0.0.1`, `example.com` = development/example credentials
    - `.env.example`, `*.example.json` = template files, not real secrets
    - Mark these as "info" with note: "Development/example credentials"
 
-4. **Severity mapping for secrets**:
+5. **Severity mapping for secrets**:
+   - In git history (even if now removed) = CRITICAL
    - Tracked in git + real credentials = CRITICAL
    - Tracked in git + example/dev credentials = LOW
    - NOT tracked (gitignored) + real credentials = INFO (local only)
@@ -161,10 +170,62 @@ Always include in finding:
 {
   "gitTracked": true/false,
   "gitignored": true/false,
+  "inGitHistory": true/false,
   "appearsToBeDev": true/false
 }
 ```
 
+## Command Injection: Config Files Are NOT Safe!
+
+**DO NOT assume config file values are safe:**
+```javascript
+// STILL VULNERABLE even though pm2Name comes from config!
+const pm2Name = config.models[modelId].pm2Name;
+execSync(`pm2 start ${pm2Name}`);  // Command injection!
+```
+
+Config files (models.json, config.yaml) are attack vectors if:
+- File can be modified via admin panel/API
+- File permissions allow non-root writes
+- No schema validation on config values
+
+**Only mark as safe if:**
+- Using execFile() with argument array (not string interpolation)
+- Config values validated against strict whitelist/regex
+- Config is hardcoded at build time (not runtime loaded)
+
+## Security Misconfiguration Checks
+
+### Helmet Without Proper CSP
+```javascript
+app.use(helmet());  // Defaults only - NOT sufficient!
+```
+Report as MEDIUM if helmet() is called without:
+- Custom `contentSecurityPolicy` configuration
+- `hsts: { preload: true }` for HTTPS enforcement
+- Proper `referrerPolicy`
+
+### CORS Without Whitelist
+```javascript
+// VULNERABLE - reflects any origin!
+res.header('Access-Control-Allow-Origin', req.headers.origin);
+res.header('Access-Control-Allow-Origin', '*');
+```
+Report as MEDIUM unless there's explicit domain whitelist validation.
+
+### Missing Dependency Security
+Check for absence of:
+- `npm audit` in CI/CD pipeline (.github/workflows, .gitlab-ci.yml)
+- Dependabot/Renovate configuration
+- SBOM generation
+Report as HIGH if none exist - supply chain attacks are critical.
+
+### Missing Log Rotation
+Check Winston/Pino/Bunyan configs for:
+- `maxFiles` or `maxsize` settings
+- Log retention policy
+Report as LOW if missing - can lead to disk exhaustion.
+
 ## Files to Focus On
 
 Priority order:

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "coverme-scanner",
-  "version": "1.0.19",
+  "version": "1.0.21",
   "description": "AI-powered code scanner with multi-agent verification for Claude Code. One command scans everything.",
   "main": "dist/index.js",
   "bin": {

package/src/prompts/cross-validator.md

@@ -223,4 +223,48 @@ Focus: Find what was MISSED
 - Don't ignore context from CLAUDE.md
 - Don't miss the forest for the trees
 
+## CRITICAL: Things That Are NOT False Positives
+
+### Command Injection from Config Files
+**DO NOT dismiss as false positive!**
+```javascript
+execSync(`pm2 start ${configValue}`)  // STILL VULNERABLE!
+```
+Even if the value comes from a config file (models.json, config.yaml), if that file is:
+- Writable by users (admin panel, API)
+- Not validated against a strict schema
+- Could be modified by an attacker with file access
+
+Then it IS a real command injection. The attack vector is just indirect.
+
+**Only dismiss if:**
+- Config file is hardcoded at build time (not runtime loaded)
+- Config values are validated against strict regex/enum
+- execFile() is used instead of execSync() with proper argument array
+
+### Secrets in Git History
+**DO NOT dismiss just because file is now gitignored!**
+If a secret file was EVER committed, it may still be in git history.
+```bash
+git log --all --full-history -- "**/secrets*" "**/credentials*" "**/*.env"
+```
+If this returns results, the secret is STILL EXPOSED even if currently gitignored.
+
+### CORS Without Whitelist
+**DO NOT dismiss as "internal only"!**
+```javascript
+res.header('Access-Control-Allow-Origin', req.headers.origin);  // VULNERABLE
+```
+This reflects ANY origin. Even if the server is "internal", browser-based attacks can still:
+- Steal data via malicious website
+- Perform CSRF-like attacks
+- Exfiltrate to attacker-controlled domains
+
+### Missing Security Configuration
+**These are real findings, not false positives:**
+- `helmet()` without custom CSP configuration
+- Missing `npm audit` in CI pipeline
+- No Dependabot/Renovate for dependency updates
+- Logs without rotation/retention policy
+
 START VALIDATION NOW. Be critical but fair.

package/src/prompts/mitigation-validator.md

@@ -178,6 +178,74 @@ The finding is incorrect:
 3. Is it localhost/development credentials only?
 4. Is there environment variable loading that overrides?
 
+### Race Condition / TOCTOU Findings (CRITICAL - Often False Positives)
+**Check for atomic operations that FULLY mitigate the race:**
+
+1. **Redis Lua Scripts** = FULL MITIGATION
+   - `redis.call()` inside Lua script is atomic
+   - SETNX, GETSET, INCR are atomic
+   - Look for: `eval`, `evalsha`, `script load`
+   ```javascript
+   // This is ATOMIC - no race condition!
+   redis.eval(`
+     local current = redis.call('GET', key)
+     if current < limit then
+       redis.call('INCR', key)
+       return 1
+     end
+     return 0
+   `)
+   ```
+
+2. **Database Transactions** = FULL MITIGATION
+   - `BEGIN...COMMIT` with proper isolation
+   - `SELECT FOR UPDATE` locks rows
+   - Prisma `$transaction()`, TypeORM `transaction()`
+   - Look for: `transaction`, `FOR UPDATE`, `SERIALIZABLE`
+
+3. **Atomic Compare-and-Swap** = FULL MITIGATION
+   - `WATCH/MULTI/EXEC` in Redis
+   - `findOneAndUpdate` with conditions in MongoDB
+   - `UPDATE ... WHERE version = ?` (optimistic locking)
+
+4. **Mutex/Locking** = FULL MITIGATION
+   - `redis-lock`, `redlock`
+   - Database advisory locks
+   - File locks (flock)
+
+**If ANY of these patterns exist, mark as MITIGATED, not "partial"!**
+
+### Intentional Design Decisions (Check Comments!)
+**Before reporting, check if there are comments explaining WHY:**
+
+1. **Search for explanatory comments near the code:**
+   ```
+   grep -B5 -A5 "intentional|by design|deliberately|on purpose|security note" <file>
+   ```
+
+2. **Common patterns that are INTENTIONAL:**
+   - PKCE code reuse to prevent double-click race conditions
+   - Longer token expiry for better UX (with other mitigations)
+   - Allowing certain "unsafe" operations for admin users
+   - Development-only bypasses with environment checks
+
+3. **If comment explains the decision:**
+   ```json
+   {
+     "verdict": "false_positive",
+     "reason": "Intentional design decision documented in code",
+     "evidence": ["Comment at line 45: 'Intentionally allow reuse to prevent double-submit'"]
+   }
+   ```
+
+### Open Redirect Findings
+1. **Check for whitelist validation:**
+   ```
+   grep -r "isValidRedirect|allowedDomains|whitelist|validateUrl" <file>
+   ```
+2. If whitelist exists and covers the redirect parameter = MITIGATED
+3. Check if validation function is actually called before redirect
+
 ## Output Format
 
 ```json

package/src/prompts/orchestration.md

@@ -158,6 +158,32 @@ CHECK FOR:
 - API versioning issues
 - Excessive data exposure in responses
 
+**CORS MISCONFIGURATION** (MEDIUM):
+Look for these vulnerable patterns:
+```javascript
+// VULNERABLE - reflects ANY origin
+res.header('Access-Control-Allow-Origin', req.headers.origin);
+res.header('Access-Control-Allow-Origin', '*');
+
+// VULNERABLE - no whitelist validation
+app.use(cors({ origin: true }));
+```
+Only mark as safe if there's explicit whitelist validation:
+```javascript
+const allowedOrigins = ['https://app.example.com'];
+if (allowedOrigins.includes(origin)) { ... }
+```
+
+**HELMET MISCONFIGURATION** (MEDIUM):
+```javascript
+app.use(helmet());  // Using defaults only - INSUFFICIENT!
+```
+Check that helmet() includes:
+- Custom `contentSecurityPolicy` with proper directives
+- `hsts: { maxAge: 31536000, includeSubDomains: true, preload: true }`
+- Proper `referrerPolicy`
+Report as MEDIUM if using only defaults without customization.
+
 **FAIL-OPEN vs FAIL-CLOSED PATTERNS** (CRITICAL):
 - IP whitelist empty/missing = allow all (should deny all)
 - Auth middleware errors = request passes through (should block)
@@ -207,6 +233,14 @@ CHECK FOR:
 - Ansible vault passwords in plaintext
 - CI/CD pipeline secrets in yaml files (.github/workflows, .gitlab-ci.yml)
 
+**SECRETS IN GIT HISTORY** (CRITICAL CHECK!):
+Run these commands to check if secrets were EVER committed:
+```bash
+git log --all --full-history -- "**/secrets*" "**/credentials*" "**/*.env"
+git log --all -p -S "AWS_SECRET" -S "PRIVATE_KEY" --source
+```
+If secrets appear in history, they are EXPOSED even if now gitignored!
+
 **PRIVILEGE ESCALATION RISKS**:
 - Containers/processes running as root
 - Missing securityContext in K8s (runAsNonRoot, readOnlyRootFilesystem)
@@ -220,6 +254,20 @@ CHECK FOR:
 - Missing config = silent fallback to insecure defaults
 - No validation of secret strength/format at startup
 
+**DEPENDENCY SECURITY** (HIGH if missing):
+Check for presence of:
+- `npm audit` or `yarn audit` in CI pipeline
+- Dependabot/Renovate configuration (.github/dependabot.yml, renovate.json)
+- SBOM generation (cyclonedx, syft)
+- Snyk/Trivy/Grype scanning
+Report as HIGH if NONE of these exist - supply chain risk!
+
+**LOGGING & MONITORING**:
+- Log rotation configured? (maxFiles, maxsize in Winston/Pino)
+- Log retention policy defined?
+- Sensitive data redacted from logs?
+Report as LOW if log rotation missing - disk exhaustion risk.
+
 For EACH finding, output the FULL JSON format.
 
 ---
@@ -577,63 +625,107 @@ Output as list of strings.
 
 ## PHASE 7: BUILD CONSENSUS & GENERATE OUTPUT
 
-1. **Apply Mitigation Results** (from Phase 3):
-   - Remove findings marked as `mitigated` or `false_positive`
-   - Adjust severity for findings marked as `partial`
-   - Add mitigation notes to confirmed findings
+### CRITICAL: Actually Remove False Positives!
 
-2. Calculate confidence: (confirmations / total_validators) * 100
-3. Remove findings with confidence < 50%
-4. Add missed issues from Validator C
-5. Sort: severity DESC, confidence DESC
+The final report should ONLY contain findings that are:
+1. **Confirmed** by mitigation validation (no existing protection found)
+2. **Partial** mitigations (some protection but incomplete)
 
-### Include Mitigation Summary
+**DO NOT INCLUDE** findings that are:
+- `mitigated` - full protection exists elsewhere
+- `false_positive` - not actually a vulnerability
+- Intentional design decisions with documented comments
+- Race conditions protected by atomic operations (Lua, transactions)
 
-For each finding that passed validation, include:
-```json
-{
-  "id": "SEC-001",
-  "mitigationStatus": "confirmed",
-  "mitigationChecks": [
-    "No input validation found between user input and SQL query",
-    "No ORM - raw SQL used",
-    "No middleware protection on this route"
-  ]
-}
-```
+### Step-by-Step Process:
 
-### SAVE OUTPUT AS JSON
+1. **Start with all Phase 1 findings**
+
+2. **Apply Mitigation Validator results (Phase 3):**
+   - `mitigated` → REMOVE from findings, add to `mitigatedFindings` array
+   - `false_positive` → REMOVE from findings, add to `falsePositives` array
+   - `partial` → KEEP but downgrade severity if specified
+   - `confirmed` → KEEP with original severity
+
+3. **Apply Cross-Validator results (Phase 4):**
+   - Additional false positives → REMOVE from findings
+   - Duplicates → Merge into single finding
+
+4. **Calculate final counts AFTER removals:**
+   - Only count findings that remain in the `findings` array
+   - Do NOT count mitigated or false positive findings
+
+5. **Add missed issues from Validator C**
+
+6. **Sort remaining findings:** severity DESC, confidence DESC
+
+### Final JSON Structure
 
 ```json
 {
   "projectName": "project-name",
   "scanDate": "{{SCAN_DATE}}",
   "summary": {
-    "total": 0,
-    "critical": 0,
-    "high": 0,
-    "medium": 0,
-    "low": 0,
-    "info": 0
+    "total": 10,
+    "critical": 1,
+    "high": 3,
+    "medium": 4,
+    "low": 2,
+    "info": 0,
+    "mitigatedCount": 5,
+    "falsePositiveCount": 3
   },
   "findings": [
-    "all findings with full fields including mitigationStatus"
+    "ONLY confirmed and partial findings - NOT mitigated or false positives!"
   ],
   "mitigatedFindings": [
-    {"id": "SEC-005", "reason": "Protected by Zod schema validation", "originalSeverity": "high"}
+    {
+      "id": "SEC-005",
+      "title": "Original finding title",
+      "originalSeverity": "high",
+      "reason": "Protected by Zod schema validation at src/routes/user.ts:23",
+      "mitigationType": "input_validation"
+    }
+  ],
+  "falsePositives": [
+    {
+      "id": "BIZ-004",
+      "title": "TOCTOU Race Condition",
+      "reason": "Redis Lua script provides atomic operation - no race condition possible",
+      "evidence": ["Lua script at src/services/rate-limit.js:95-113"]
+    },
+    {
+      "id": "AUTH-003",
+      "title": "PKCE Code Reuse",
+      "reason": "Intentional design decision documented in code comment",
+      "evidence": ["Comment: 'Allow reuse to prevent double-click race condition'"]
+    }
   ],
   "positiveObservations": [
     "Good pattern 1",
     "Good pattern 2"
   ],
-  "falsePositives": [
-    {"id": "...", "reason": "..."}
-  ],
+  "validationSummary": {
+    "totalInitialFindings": 18,
+    "mitigated": 5,
+    "falsePositives": 3,
+    "confirmed": 8,
+    "partial": 2,
+    "accuracy": "Only 56% of initial findings were actual issues"
+  },
   "agentsUsed": ["Security Core", "Auth & Session", "Mitigation Validator"],
   "scanDuration": 0
 }
 ```
 
+### Sanity Check Before Saving
+
+Before saving, verify:
+1. `findings` array does NOT contain any item from `mitigatedFindings` or `falsePositives`
+2. `summary.total` equals `findings.length`
+3. Severity counts match actual findings in array
+4. No duplicate IDs across findings/mitigated/falsePositives
+
 Save as: .coverme/scan.json
 
 Then generate PDF report:

package/src/prompts/security-scanner.md

@@ -145,12 +145,21 @@ Before reporting ANY secret/credential finding as critical or high:
    - If file matches .gitignore patterns = NOT exposed in repo
    - Mark as "info" severity, not "critical"
 
-3. **Identify environment context**:
+3. **CRITICAL: Check git HISTORY for secrets!**
+   Even if a file is currently gitignored, it may have been committed in the past:
+   ```bash
+   git log --all --full-history -- "**/secrets*" "**/credentials*" "**/*.env"
+   git log --all -p -S "AWS_SECRET" --source --all
+   ```
+   If the secret was EVER committed, it's CRITICAL - secrets in git history are exposed!
+
+4. **Identify environment context**:
    - `localhost`, `127.0.0.1`, `example.com` = development/example credentials
    - `.env.example`, `*.example.json` = template files, not real secrets
    - Mark these as "info" with note: "Development/example credentials"
 
-4. **Severity mapping for secrets**:
+5. **Severity mapping for secrets**:
+   - In git history (even if now removed) = CRITICAL
    - Tracked in git + real credentials = CRITICAL
    - Tracked in git + example/dev credentials = LOW
    - NOT tracked (gitignored) + real credentials = INFO (local only)
@@ -161,10 +170,62 @@ Always include in finding:
 {
   "gitTracked": true/false,
   "gitignored": true/false,
+  "inGitHistory": true/false,
   "appearsToBeDev": true/false
 }
 ```
 
+## Command Injection: Config Files Are NOT Safe!
+
+**DO NOT assume config file values are safe:**
+```javascript
+// STILL VULNERABLE even though pm2Name comes from config!
+const pm2Name = config.models[modelId].pm2Name;
+execSync(`pm2 start ${pm2Name}`);  // Command injection!
+```
+
+Config files (models.json, config.yaml) are attack vectors if:
+- File can be modified via admin panel/API
+- File permissions allow non-root writes
+- No schema validation on config values
+
+**Only mark as safe if:**
+- Using execFile() with argument array (not string interpolation)
+- Config values validated against strict whitelist/regex
+- Config is hardcoded at build time (not runtime loaded)
+
+## Security Misconfiguration Checks
+
+### Helmet Without Proper CSP
+```javascript
+app.use(helmet());  // Defaults only - NOT sufficient!
+```
+Report as MEDIUM if helmet() is called without:
+- Custom `contentSecurityPolicy` configuration
+- `hsts: { preload: true }` for HTTPS enforcement
+- Proper `referrerPolicy`
+
+### CORS Without Whitelist
+```javascript
+// VULNERABLE - reflects any origin!
+res.header('Access-Control-Allow-Origin', req.headers.origin);
+res.header('Access-Control-Allow-Origin', '*');
+```
+Report as MEDIUM unless there's explicit domain whitelist validation.
+
+### Missing Dependency Security
+Check for absence of:
+- `npm audit` in CI/CD pipeline (.github/workflows, .gitlab-ci.yml)
+- Dependabot/Renovate configuration
+- SBOM generation
+Report as HIGH if none exist - supply chain attacks are critical.
+
+### Missing Log Rotation
+Check Winston/Pino/Bunyan configs for:
+- `maxFiles` or `maxsize` settings
+- Log retention policy
+Report as LOW if missing - can lead to disk exhaustion.
+
 ## Files to Focus On
 
 Priority order: