coverme-scanner 1.2.0 → 1.3.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +44 -4
- package/dist/cli/index.js +110 -0
- package/dist/cli/index.js.map +1 -1
- package/dist/cli/init.d.ts.map +1 -1
- package/dist/cli/init.js +12 -6
- package/dist/cli/init.js.map +1 -1
- package/dist/prompts/orchestration.md +160 -2
- package/dist/prompts/runtime-verify.md +353 -0
- package/package.json +1 -1
- package/src/cli/index.ts +127 -0
- package/src/cli/init.ts +12 -6
- package/src/prompts/orchestration.md +160 -2
- package/src/prompts/runtime-verify.md +353 -0
package/README.md
CHANGED
|
@@ -4,7 +4,7 @@
|
|
|
4
4
|
|
|
5
5
|
### The Most Comprehensive AI Security Scanner for Your Codebase
|
|
6
6
|
|
|
7
|
-
**
|
|
7
|
+
**22 AI Agents | Auto-Detection | Runtime Verification | Zero Config**
|
|
8
8
|
|
|
9
9
|
[](https://www.npmjs.com/package/coverme-scanner)
|
|
10
10
|
[](https://opensource.org/licenses/MIT)
|
|
@@ -47,7 +47,7 @@ coverme init
|
|
|
47
47
|
/coverme
|
|
48
48
|
```
|
|
49
49
|
|
|
50
|
-
**That's it.** Watch
|
|
50
|
+
**That's it.** Watch 22 AI agents analyze your entire codebase and generate a beautiful HTML report.
|
|
51
51
|
|
|
52
52
|
---
|
|
53
53
|
|
|
@@ -76,7 +76,7 @@ Agents that aren't relevant to your project **automatically skip**:
|
|
|
76
76
|
|
|
77
77
|
---
|
|
78
78
|
|
|
79
|
-
##
|
|
79
|
+
## 22 Specialized Agents
|
|
80
80
|
|
|
81
81
|
<details>
|
|
82
82
|
<summary><b>Security Agents (Click to expand)</b></summary>
|
|
@@ -118,6 +118,7 @@ Agents that aren't relevant to your project **automatically skip**:
|
|
|
118
118
|
| **Testing & Reliability** | Test coverage gaps, missing health checks |
|
|
119
119
|
| **Duplicate Scanner** | Finds existing solutions in your codebase |
|
|
120
120
|
| **Executive Summary** | Generates high-level risk overview |
|
|
121
|
+
| **Runtime Verification** | SSH to compare actual runtime vs code config |
|
|
121
122
|
|
|
122
123
|
</details>
|
|
123
124
|
|
|
@@ -180,6 +181,45 @@ Findings by Owner:
|
|
|
180
181
|
|
|
181
182
|
---
|
|
182
183
|
|
|
184
|
+
## Runtime Verification (SSH)
|
|
185
|
+
|
|
186
|
+
**The killer feature**: CoverMe can SSH into your servers and compare the **actual runtime** against your **code configuration**.
|
|
187
|
+
|
|
188
|
+
### Why?
|
|
189
|
+
|
|
190
|
+
Your Dockerfile says `USER appuser`, but the container runs as `root`. Why? Because docker-compose overrides it. **This is why vulnerabilities become exploitable.**
|
|
191
|
+
|
|
192
|
+
### Setup
|
|
193
|
+
|
|
194
|
+
```bash
|
|
195
|
+
# Add your server (one-time)
|
|
196
|
+
coverme verify setup --host deploy@production.example.com --name production
|
|
197
|
+
|
|
198
|
+
# That's it! Now /coverme will automatically:
|
|
199
|
+
# 1. Scan your code
|
|
200
|
+
# 2. SSH to production
|
|
201
|
+
# 3. Compare expected vs actual
|
|
202
|
+
# 4. Report any mismatches
|
|
203
|
+
```
|
|
204
|
+
|
|
205
|
+
### What It Catches
|
|
206
|
+
|
|
207
|
+
| Issue | Example |
|
|
208
|
+
|-------|---------|
|
|
209
|
+
| **User Mismatch** | Dockerfile: `USER appuser` → Runtime: `root` |
|
|
210
|
+
| **Security Context Ignored** | K8s: `runAsNonRoot: true` → Pod runs as root |
|
|
211
|
+
| **Ports Exposed** | Code expects 3000 → Runtime has 3000, 6379, 5432 |
|
|
212
|
+
| **Permissions Wrong** | Expected: 755 → Actual: 777 |
|
|
213
|
+
|
|
214
|
+
### Manage Environments
|
|
215
|
+
|
|
216
|
+
```bash
|
|
217
|
+
coverme verify list # List all configured servers
|
|
218
|
+
coverme verify remove production # Remove an environment
|
|
219
|
+
```
|
|
220
|
+
|
|
221
|
+
---
|
|
222
|
+
|
|
183
223
|
## Custom Agents
|
|
184
224
|
|
|
185
225
|
Add your own specialized agents in seconds:
|
|
@@ -333,7 +373,7 @@ Add to `.coverme/config.json`:
|
|
|
333
373
|
<details>
|
|
334
374
|
<summary><b>How long does a scan take?</b></summary>
|
|
335
375
|
|
|
336
|
-
Typically 2-5 minutes depending on codebase size. All
|
|
376
|
+
Typically 2-5 minutes depending on codebase size. All 22 agents run in parallel.
|
|
337
377
|
|
|
338
378
|
</details>
|
|
339
379
|
|
package/dist/cli/index.js
CHANGED
|
@@ -105,5 +105,115 @@ agentCmd
|
|
|
105
105
|
(0, fs_1.writeFileSync)(agentsPath, JSON.stringify(agents, null, 2));
|
|
106
106
|
console.log(`Removed agent "${removed.name}"`);
|
|
107
107
|
});
|
|
108
|
+
// Runtime verification commands
|
|
109
|
+
const verifyCmd = program
|
|
110
|
+
.command('verify')
|
|
111
|
+
.description('Verify runtime environment matches code expectations');
|
|
112
|
+
verifyCmd
|
|
113
|
+
.command('setup')
|
|
114
|
+
.description('Configure SSH access for runtime verification')
|
|
115
|
+
.option('-h, --host <host>', 'SSH host (e.g., user@server.com)')
|
|
116
|
+
.option('-p, --port <port>', 'SSH port', '22')
|
|
117
|
+
.option('-k, --key <path>', 'Path to SSH private key')
|
|
118
|
+
.option('-n, --name <name>', 'Environment name (e.g., production, staging)')
|
|
119
|
+
.action((options) => {
|
|
120
|
+
const covermeDir = (0, path_1.join)(process.cwd(), '.coverme');
|
|
121
|
+
const configPath = (0, path_1.join)(covermeDir, 'runtime.json');
|
|
122
|
+
if (!(0, fs_1.existsSync)(covermeDir)) {
|
|
123
|
+
(0, fs_1.mkdirSync)(covermeDir, { recursive: true });
|
|
124
|
+
}
|
|
125
|
+
let config = { environments: [] };
|
|
126
|
+
if ((0, fs_1.existsSync)(configPath)) {
|
|
127
|
+
config = JSON.parse((0, fs_1.readFileSync)(configPath, 'utf-8'));
|
|
128
|
+
if (!config.environments)
|
|
129
|
+
config.environments = [];
|
|
130
|
+
}
|
|
131
|
+
if (!options.host) {
|
|
132
|
+
console.log('\nRuntime Verification Setup');
|
|
133
|
+
console.log('==========================\n');
|
|
134
|
+
console.log('This feature allows CoverMe to SSH into your servers and compare');
|
|
135
|
+
console.log('the actual runtime environment against your code configuration.\n');
|
|
136
|
+
console.log('Usage:');
|
|
137
|
+
console.log(' coverme verify setup --host user@server.com --name production');
|
|
138
|
+
console.log(' coverme verify setup --host deploy@staging.example.com --key ~/.ssh/id_rsa --name staging\n');
|
|
139
|
+
console.log('Options:');
|
|
140
|
+
console.log(' -h, --host <host> SSH host (required)');
|
|
141
|
+
console.log(' -n, --name <name> Environment name (default: from host)');
|
|
142
|
+
console.log(' -p, --port <port> SSH port (default: 22)');
|
|
143
|
+
console.log(' -k, --key <path> Path to SSH private key\n');
|
|
144
|
+
if (config.environments.length > 0) {
|
|
145
|
+
console.log('Configured environments:');
|
|
146
|
+
config.environments.forEach((env, i) => {
|
|
147
|
+
console.log(` ${i + 1}. ${env.name}: ${env.host}:${env.port}`);
|
|
148
|
+
});
|
|
149
|
+
}
|
|
150
|
+
return;
|
|
151
|
+
}
|
|
152
|
+
const envName = options.name || options.host.split('@')[1]?.split('.')[0] || 'default';
|
|
153
|
+
// Remove existing with same name
|
|
154
|
+
config.environments = config.environments.filter((e) => e.name !== envName);
|
|
155
|
+
config.environments.push({
|
|
156
|
+
name: envName,
|
|
157
|
+
host: options.host,
|
|
158
|
+
port: parseInt(options.port || '22'),
|
|
159
|
+
keyPath: options.key || null,
|
|
160
|
+
addedAt: new Date().toISOString()
|
|
161
|
+
});
|
|
162
|
+
(0, fs_1.writeFileSync)(configPath, JSON.stringify(config, null, 2));
|
|
163
|
+
console.log(`\nAdded environment "${envName}"`);
|
|
164
|
+
console.log(` Host: ${options.host}`);
|
|
165
|
+
console.log(` Port: ${options.port || '22'}`);
|
|
166
|
+
if (options.key)
|
|
167
|
+
console.log(` Key: ${options.key}`);
|
|
168
|
+
console.log('\nRun verification with:');
|
|
169
|
+
console.log(` /coverme-verify ${envName}`);
|
|
170
|
+
console.log('\nOr in Claude Code:');
|
|
171
|
+
console.log(` /coverme --verify ${envName}`);
|
|
172
|
+
});
|
|
173
|
+
verifyCmd
|
|
174
|
+
.command('list')
|
|
175
|
+
.description('List configured environments')
|
|
176
|
+
.action(() => {
|
|
177
|
+
const configPath = (0, path_1.join)(process.cwd(), '.coverme', 'runtime.json');
|
|
178
|
+
if (!(0, fs_1.existsSync)(configPath)) {
|
|
179
|
+
console.log('No environments configured.');
|
|
180
|
+
console.log('Run: coverme verify setup --host user@server.com --name production');
|
|
181
|
+
return;
|
|
182
|
+
}
|
|
183
|
+
const config = JSON.parse((0, fs_1.readFileSync)(configPath, 'utf-8'));
|
|
184
|
+
if (!config.environments || config.environments.length === 0) {
|
|
185
|
+
console.log('No environments configured.');
|
|
186
|
+
return;
|
|
187
|
+
}
|
|
188
|
+
console.log('\nConfigured Environments:\n');
|
|
189
|
+
config.environments.forEach((env, i) => {
|
|
190
|
+
console.log(` ${i + 1}. ${env.name}`);
|
|
191
|
+
console.log(` Host: ${env.host}:${env.port}`);
|
|
192
|
+
if (env.keyPath)
|
|
193
|
+
console.log(` Key: ${env.keyPath}`);
|
|
194
|
+
console.log(` Added: ${new Date(env.addedAt).toLocaleDateString()}`);
|
|
195
|
+
console.log('');
|
|
196
|
+
});
|
|
197
|
+
});
|
|
198
|
+
verifyCmd
|
|
199
|
+
.command('remove')
|
|
200
|
+
.description('Remove an environment')
|
|
201
|
+
.argument('<name>', 'Environment name')
|
|
202
|
+
.action((name) => {
|
|
203
|
+
const configPath = (0, path_1.join)(process.cwd(), '.coverme', 'runtime.json');
|
|
204
|
+
if (!(0, fs_1.existsSync)(configPath)) {
|
|
205
|
+
console.error('No environments configured.');
|
|
206
|
+
return;
|
|
207
|
+
}
|
|
208
|
+
const config = JSON.parse((0, fs_1.readFileSync)(configPath, 'utf-8'));
|
|
209
|
+
const idx = config.environments.findIndex((e) => e.name.toLowerCase() === name.toLowerCase());
|
|
210
|
+
if (idx === -1) {
|
|
211
|
+
console.error(`Environment "${name}" not found`);
|
|
212
|
+
return;
|
|
213
|
+
}
|
|
214
|
+
const removed = config.environments.splice(idx, 1)[0];
|
|
215
|
+
(0, fs_1.writeFileSync)(configPath, JSON.stringify(config, null, 2));
|
|
216
|
+
console.log(`Removed environment "${removed.name}"`);
|
|
217
|
+
});
|
|
108
218
|
program.parse();
|
|
109
219
|
//# sourceMappingURL=index.js.map
|
package/dist/cli/index.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/cli/index.ts"],"names":[],"mappings":";;;AAEA,yCAAoC;AACpC,uCAAiC;AACjC,uCAAiC;AACjC,iDAAoD;AACpD,2BAAsF;AACtF,+BAA4B;AAE5B,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAA,iBAAY,EAAC,IAAA,WAAI,EAAC,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,cAAc,CAAC,EAAE,OAAO,CAAC,CAAC,CAAC;AAE3F,MAAM,OAAO,GAAG,IAAI,mBAAO,EAAE,CAAC;AAE9B,OAAO;KACJ,IAAI,CAAC,SAAS,CAAC;KACf,WAAW,CAAC,uEAAuE,CAAC;KACpF,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;AAExB,OAAO;KACJ,OAAO,CAAC,MAAM,CAAC;KACf,WAAW,CAAC,wDAAwD,CAAC;KACrE,MAAM,CAAC,cAAc,EAAE,yCAAyC,CAAC;KACjE,MAAM,CAAC,cAAI,CAAC,CAAC;AAEhB,OAAO;KACJ,OAAO,CAAC,MAAM,CAAC;KACf,WAAW,CAAC,gDAAgD,CAAC;KAC7D,QAAQ,CAAC,QAAQ,EAAE,cAAc,EAAE,GAAG,CAAC;KACvC,MAAM,CAAC,uBAAuB,EAAE,oCAAoC,EAAE,KAAK,CAAC;KAC5E,MAAM,CAAC,0BAA0B,EAAE,kBAAkB,CAAC;KACtD,MAAM,CAAC,yBAAyB,EAAE,qDAAqD,EAAE,KAAK,CAAC;KAC/F,MAAM,CAAC,wBAAwB,EAAE,iDAAiD,EAAE,KAAK,CAAC;KAC1F,MAAM,CAAC,eAAe,EAAE,gBAAgB,CAAC;KACzC,MAAM,CAAC,sBAAsB,EAAE,2BAA2B,EAAE,GAAG,CAAC;KAChE,MAAM,CAAC,cAAI,CAAC,CAAC;AAEhB,OAAO;KACJ,OAAO,CAAC,QAAQ,CAAC;KACjB,WAAW,CAAC,yCAAyC,CAAC;KACtD,QAAQ,CAAC,aAAa,EAAE,gCAAgC,CAAC;KACzD,MAAM,CAAC,qBAAqB,EAAE,kBAAkB,CAAC;KACjD,MAAM,CAAC,uBAAuB,EAAE,0BAA0B,EAAE,KAAK,CAAC;KAClE,MAAM,CAAC,KAAK,EAAE,QAAgB,EAAE,OAAqD,EAAE,EAAE;IACxF,MAAM,IAAA,yBAAc,EAAC,QAAQ,EAAE,OAAO,CAAC,MAAM,EAAE,OAAO,CAAC,MAAM,IAAI,KAAK,CAAC,CAAC;AAC1E,CAAC,CAAC,CAAC;AAEL,4BAA4B;AAC5B,MAAM,QAAQ,GAAG,OAAO;KACrB,OAAO,CAAC,OAAO,CAAC;KAChB,WAAW,CAAC,sBAAsB,CAAC,CAAC;AAEvC,QAAQ;KACL,OAAO,CAAC,KAAK,CAAC;KACd,WAAW,CAAC,wBAAwB,CAAC;KACrC,QAAQ,CAAC,QAAQ,EAAE,2BAA2B,CAAC;KAC/C,QAAQ,CAAC,QAAQ,EAAE,0BAA0B,CAAC;KAC9C,MAAM,CAAC,CAAC,IAAY,EAAE,IAAY,EAAE,EAAE;IACrC,MAAM,UAAU,GAAG,IAAA,WAAI,EAAC,OAAO,CAAC,GAAG,EAAE,EAAE,UAAU,CAAC,CAAC;IACnD,MAAM,UAAU,GAAG,IAAA,WAAI,EAAC,UAAU,EAAE,aAAa,CAAC,CAAC;IAEnD,IAAI,CAAC,IAAA,eAAU,EAAC,UAAU,CAAC,EAAE,CAAC;QAC5B,IAAA,cAAS,EAAC,UAAU,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAC7C,CAAC;IAED,IAAI,MAAM,GAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC;IACjC,IAAI,IAAA,eAAU,EAAC,UAAU,CAAC,EAAE,CAAC;QAC3B,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAA,iBAAY,EAAC,UAAU,EAAE,OAAO,CAAC,CAAC,CAAC;QACvD,IAAI,CAAC,MAAM,CAAC,MAAM;YAAE,MAAM,CAAC,MAAM,GAAG,EAAE,CAAC;IACzC,CAAC;IAED,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC;IACnC,IAAA,kBAAa,EAAC,UAAU,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;IAC3D,OAAO,CAAC,GAAG,CAAC,gBAAgB,IAAI,GAAG,CAAC,CAAC;IACrC,OAAO,CAAC,GAAG,CAAC,SAAS,IAAI,EAAE,CAAC,CAAC;AAC/B,CAAC,CAAC,CAAC;AAEL,QAAQ;KACL,OAAO,CAAC,MAAM,CAAC;KACf,WAAW,CAAC,wBAAwB,CAAC;KACrC,MAAM,CAAC,GAAG,EAAE;IACX,MAAM,UAAU,GAAG,IAAA,WAAI,EAAC,OAAO,CAAC,GAAG,EAAE,EAAE,UAAU,EAAE,aAAa,CAAC,CAAC;IAClE,IAAI,CAAC,IAAA,eAAU,EAAC,UAAU,CAAC,EAAE,CAAC;QAC5B,OAAO,CAAC,GAAG,CAAC,yFAAyF,CAAC,CAAC;QACvG,OAAO;IACT,CAAC;IAED,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAA,iBAAY,EAAC,UAAU,EAAE,OAAO,CAAC,CAAC,CAAC;IAC7D,IAAI,CAAC,MAAM,CAAC,MAAM,IAAI,MAAM,CAAC,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACjD,OAAO,CAAC,GAAG,CAAC,yFAAyF,CAAC,CAAC;QACvG,OAAO;IACT,CAAC;IAED,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAC;IAClC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,KAAU,EAAE,CAAS,EAAE,EAAE;QAC9C,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,KAAK,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC;QACzC,OAAO,CAAC,GAAG,CAAC,cAAc,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC;QACxC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAClB,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEL,QAAQ;KACL,OAAO,CAAC,QAAQ,CAAC;KACjB,WAAW,CAAC,uBAAuB,CAAC;KACpC,QAAQ,CAAC,QAAQ,EAAE,sBAAsB,CAAC;KAC1C,MAAM,CAAC,CAAC,IAAY,EAAE,EAAE;IACvB,MAAM,UAAU,GAAG,IAAA,WAAI,EAAC,OAAO,CAAC,GAAG,EAAE,EAAE,UAAU,EAAE,aAAa,CAAC,CAAC;IAClE,IAAI,CAAC,IAAA,eAAU,EAAC,UAAU,CAAC,EAAE,CAAC;QAC5B,OAAO,CAAC,KAAK,CAAC,sBAAsB,CAAC,CAAC;QACtC,OAAO;IACT,CAAC;IAED,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAA,iBAAY,EAAC,UAAU,EAAE,OAAO,CAAC,CAAC,CAAC;IAC7D,MAAM,GAAG,GAAG,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAM,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,EAAE,KAAK,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC;IAC7F,IAAI,GAAG,KAAK,CAAC,CAAC,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,UAAU,IAAI,aAAa,CAAC,CAAC;QAC3C,OAAO;IACT,CAAC;IAED,MAAM,OAAO,GAAG,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAChD,IAAA,kBAAa,EAAC,UAAU,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;IAC3D,OAAO,CAAC,GAAG,CAAC,kBAAkB,OAAO,CAAC,IAAI,GAAG,CAAC,CAAC;AACjD,CAAC,CAAC,CAAC;AAEL,OAAO,CAAC,KAAK,EAAE,CAAC"}
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/cli/index.ts"],"names":[],"mappings":";;;AAEA,yCAAoC;AACpC,uCAAiC;AACjC,uCAAiC;AACjC,iDAAoD;AACpD,2BAAsF;AACtF,+BAA4B;AAE5B,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAA,iBAAY,EAAC,IAAA,WAAI,EAAC,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,cAAc,CAAC,EAAE,OAAO,CAAC,CAAC,CAAC;AAE3F,MAAM,OAAO,GAAG,IAAI,mBAAO,EAAE,CAAC;AAE9B,OAAO;KACJ,IAAI,CAAC,SAAS,CAAC;KACf,WAAW,CAAC,uEAAuE,CAAC;KACpF,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;AAExB,OAAO;KACJ,OAAO,CAAC,MAAM,CAAC;KACf,WAAW,CAAC,wDAAwD,CAAC;KACrE,MAAM,CAAC,cAAc,EAAE,yCAAyC,CAAC;KACjE,MAAM,CAAC,cAAI,CAAC,CAAC;AAEhB,OAAO;KACJ,OAAO,CAAC,MAAM,CAAC;KACf,WAAW,CAAC,gDAAgD,CAAC;KAC7D,QAAQ,CAAC,QAAQ,EAAE,cAAc,EAAE,GAAG,CAAC;KACvC,MAAM,CAAC,uBAAuB,EAAE,oCAAoC,EAAE,KAAK,CAAC;KAC5E,MAAM,CAAC,0BAA0B,EAAE,kBAAkB,CAAC;KACtD,MAAM,CAAC,yBAAyB,EAAE,qDAAqD,EAAE,KAAK,CAAC;KAC/F,MAAM,CAAC,wBAAwB,EAAE,iDAAiD,EAAE,KAAK,CAAC;KAC1F,MAAM,CAAC,eAAe,EAAE,gBAAgB,CAAC;KACzC,MAAM,CAAC,sBAAsB,EAAE,2BAA2B,EAAE,GAAG,CAAC;KAChE,MAAM,CAAC,cAAI,CAAC,CAAC;AAEhB,OAAO;KACJ,OAAO,CAAC,QAAQ,CAAC;KACjB,WAAW,CAAC,yCAAyC,CAAC;KACtD,QAAQ,CAAC,aAAa,EAAE,gCAAgC,CAAC;KACzD,MAAM,CAAC,qBAAqB,EAAE,kBAAkB,CAAC;KACjD,MAAM,CAAC,uBAAuB,EAAE,0BAA0B,EAAE,KAAK,CAAC;KAClE,MAAM,CAAC,KAAK,EAAE,QAAgB,EAAE,OAAqD,EAAE,EAAE;IACxF,MAAM,IAAA,yBAAc,EAAC,QAAQ,EAAE,OAAO,CAAC,MAAM,EAAE,OAAO,CAAC,MAAM,IAAI,KAAK,CAAC,CAAC;AAC1E,CAAC,CAAC,CAAC;AAEL,4BAA4B;AAC5B,MAAM,QAAQ,GAAG,OAAO;KACrB,OAAO,CAAC,OAAO,CAAC;KAChB,WAAW,CAAC,sBAAsB,CAAC,CAAC;AAEvC,QAAQ;KACL,OAAO,CAAC,KAAK,CAAC;KACd,WAAW,CAAC,wBAAwB,CAAC;KACrC,QAAQ,CAAC,QAAQ,EAAE,2BAA2B,CAAC;KAC/C,QAAQ,CAAC,QAAQ,EAAE,0BAA0B,CAAC;KAC9C,MAAM,CAAC,CAAC,IAAY,EAAE,IAAY,EAAE,EAAE;IACrC,MAAM,UAAU,GAAG,IAAA,WAAI,EAAC,OAAO,CAAC,GAAG,EAAE,EAAE,UAAU,CAAC,CAAC;IACnD,MAAM,UAAU,GAAG,IAAA,WAAI,EAAC,UAAU,EAAE,aAAa,CAAC,CAAC;IAEnD,IAAI,CAAC,IAAA,eAAU,EAAC,UAAU,CAAC,EAAE,CAAC;QAC5B,IAAA,cAAS,EAAC,UAAU,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAC7C,CAAC;IAED,IAAI,MAAM,GAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC;IACjC,IAAI,IAAA,eAAU,EAAC,UAAU,CAAC,EAAE,CAAC;QAC3B,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAA,iBAAY,EAAC,UAAU,EAAE,OAAO,CAAC,CAAC,CAAC;QACvD,IAAI,CAAC,MAAM,CAAC,MAAM;YAAE,MAAM,CAAC,MAAM,GAAG,EAAE,CAAC;IACzC,CAAC;IAED,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC;IACnC,IAAA,kBAAa,EAAC,UAAU,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;IAC3D,OAAO,CAAC,GAAG,CAAC,gBAAgB,IAAI,GAAG,CAAC,CAAC;IACrC,OAAO,CAAC,GAAG,CAAC,SAAS,IAAI,EAAE,CAAC,CAAC;AAC/B,CAAC,CAAC,CAAC;AAEL,QAAQ;KACL,OAAO,CAAC,MAAM,CAAC;KACf,WAAW,CAAC,wBAAwB,CAAC;KACrC,MAAM,CAAC,GAAG,EAAE;IACX,MAAM,UAAU,GAAG,IAAA,WAAI,EAAC,OAAO,CAAC,GAAG,EAAE,EAAE,UAAU,EAAE,aAAa,CAAC,CAAC;IAClE,IAAI,CAAC,IAAA,eAAU,EAAC,UAAU,CAAC,EAAE,CAAC;QAC5B,OAAO,CAAC,GAAG,CAAC,yFAAyF,CAAC,CAAC;QACvG,OAAO;IACT,CAAC;IAED,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAA,iBAAY,EAAC,UAAU,EAAE,OAAO,CAAC,CAAC,CAAC;IAC7D,IAAI,CAAC,MAAM,CAAC,MAAM,IAAI,MAAM,CAAC,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACjD,OAAO,CAAC,GAAG,CAAC,yFAAyF,CAAC,CAAC;QACvG,OAAO;IACT,CAAC;IAED,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAC;IAClC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,KAAU,EAAE,CAAS,EAAE,EAAE;QAC9C,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,KAAK,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC;QACzC,OAAO,CAAC,GAAG,CAAC,cAAc,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC;QACxC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAClB,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEL,QAAQ;KACL,OAAO,CAAC,QAAQ,CAAC;KACjB,WAAW,CAAC,uBAAuB,CAAC;KACpC,QAAQ,CAAC,QAAQ,EAAE,sBAAsB,CAAC;KAC1C,MAAM,CAAC,CAAC,IAAY,EAAE,EAAE;IACvB,MAAM,UAAU,GAAG,IAAA,WAAI,EAAC,OAAO,CAAC,GAAG,EAAE,EAAE,UAAU,EAAE,aAAa,CAAC,CAAC;IAClE,IAAI,CAAC,IAAA,eAAU,EAAC,UAAU,CAAC,EAAE,CAAC;QAC5B,OAAO,CAAC,KAAK,CAAC,sBAAsB,CAAC,CAAC;QACtC,OAAO;IACT,CAAC;IAED,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAA,iBAAY,EAAC,UAAU,EAAE,OAAO,CAAC,CAAC,CAAC;IAC7D,MAAM,GAAG,GAAG,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAM,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,EAAE,KAAK,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC;IAC7F,IAAI,GAAG,KAAK,CAAC,CAAC,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,UAAU,IAAI,aAAa,CAAC,CAAC;QAC3C,OAAO;IACT,CAAC;IAED,MAAM,OAAO,GAAG,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAChD,IAAA,kBAAa,EAAC,UAAU,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;IAC3D,OAAO,CAAC,GAAG,CAAC,kBAAkB,OAAO,CAAC,IAAI,GAAG,CAAC,CAAC;AACjD,CAAC,CAAC,CAAC;AAEL,gCAAgC;AAChC,MAAM,SAAS,GAAG,OAAO;KACtB,OAAO,CAAC,QAAQ,CAAC;KACjB,WAAW,CAAC,sDAAsD,CAAC,CAAC;AAEvE,SAAS;KACN,OAAO,CAAC,OAAO,CAAC;KAChB,WAAW,CAAC,+CAA+C,CAAC;KAC5D,MAAM,CAAC,mBAAmB,EAAE,kCAAkC,CAAC;KAC/D,MAAM,CAAC,mBAAmB,EAAE,UAAU,EAAE,IAAI,CAAC;KAC7C,MAAM,CAAC,kBAAkB,EAAE,yBAAyB,CAAC;KACrD,MAAM,CAAC,mBAAmB,EAAE,8CAA8C,CAAC;KAC3E,MAAM,CAAC,CAAC,OAAsE,EAAE,EAAE;IACjF,MAAM,UAAU,GAAG,IAAA,WAAI,EAAC,OAAO,CAAC,GAAG,EAAE,EAAE,UAAU,CAAC,CAAC;IACnD,MAAM,UAAU,GAAG,IAAA,WAAI,EAAC,UAAU,EAAE,cAAc,CAAC,CAAC;IAEpD,IAAI,CAAC,IAAA,eAAU,EAAC,UAAU,CAAC,EAAE,CAAC;QAC5B,IAAA,cAAS,EAAC,UAAU,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAC7C,CAAC;IAED,IAAI,MAAM,GAAQ,EAAE,YAAY,EAAE,EAAE,EAAE,CAAC;IACvC,IAAI,IAAA,eAAU,EAAC,UAAU,CAAC,EAAE,CAAC;QAC3B,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAA,iBAAY,EAAC,UAAU,EAAE,OAAO,CAAC,CAAC,CAAC;QACvD,IAAI,CAAC,MAAM,CAAC,YAAY;YAAE,MAAM,CAAC,YAAY,GAAG,EAAE,CAAC;IACrD,CAAC;IAED,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;QAClB,OAAO,CAAC,GAAG,CAAC,8BAA8B,CAAC,CAAC;QAC5C,OAAO,CAAC,GAAG,CAAC,8BAA8B,CAAC,CAAC;QAC5C,OAAO,CAAC,GAAG,CAAC,kEAAkE,CAAC,CAAC;QAChF,OAAO,CAAC,GAAG,CAAC,mEAAmE,CAAC,CAAC;QACjF,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QACtB,OAAO,CAAC,GAAG,CAAC,iEAAiE,CAAC,CAAC;QAC/E,OAAO,CAAC,GAAG,CAAC,+FAA+F,CAAC,CAAC;QAC7G,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;QACxB,OAAO,CAAC,GAAG,CAAC,0CAA0C,CAAC,CAAC;QACxD,OAAO,CAAC,GAAG,CAAC,4DAA4D,CAAC,CAAC;QAC1E,OAAO,CAAC,GAAG,CAAC,6CAA6C,CAAC,CAAC;QAC3D,OAAO,CAAC,GAAG,CAAC,gDAAgD,CAAC,CAAC;QAE9D,IAAI,MAAM,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACnC,OAAO,CAAC,GAAG,CAAC,0BAA0B,CAAC,CAAC;YACxC,MAAM,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC,GAAQ,EAAE,CAAS,EAAE,EAAE;gBAClD,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,KAAK,GAAG,CAAC,IAAI,KAAK,GAAG,CAAC,IAAI,IAAI,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC;YAClE,CAAC,CAAC,CAAC;QACL,CAAC;QACD,OAAO;IACT,CAAC;IAED,MAAM,OAAO,GAAG,OAAO,CAAC,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,SAAS,CAAC;IAEvF,iCAAiC;IACjC,MAAM,CAAC,YAAY,GAAG,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,CAAM,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,OAAO,CAAC,CAAC;IAEjF,MAAM,CAAC,YAAY,CAAC,IAAI,CAAC;QACvB,IAAI,EAAE,OAAO;QACb,IAAI,EAAE,OAAO,CAAC,IAAI;QAClB,IAAI,EAAE,QAAQ,CAAC,OAAO,CAAC,IAAI,IAAI,IAAI,CAAC;QACpC,OAAO,EAAE,OAAO,CAAC,GAAG,IAAI,IAAI;QAC5B,OAAO,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;KAClC,CAAC,CAAC;IAEH,IAAA,kBAAa,EAAC,UAAU,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;IAC3D,OAAO,CAAC,GAAG,CAAC,wBAAwB,OAAO,GAAG,CAAC,CAAC;IAChD,OAAO,CAAC,GAAG,CAAC,WAAW,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC;IACvC,OAAO,CAAC,GAAG,CAAC,WAAW,OAAO,CAAC,IAAI,IAAI,IAAI,EAAE,CAAC,CAAC;IAC/C,IAAI,OAAO,CAAC,GAAG;QAAE,OAAO,CAAC,GAAG,CAAC,UAAU,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC;IACtD,OAAO,CAAC,GAAG,CAAC,0BAA0B,CAAC,CAAC;IACxC,OAAO,CAAC,GAAG,CAAC,qBAAqB,OAAO,EAAE,CAAC,CAAC;IAC5C,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAC,CAAC;IACpC,OAAO,CAAC,GAAG,CAAC,uBAAuB,OAAO,EAAE,CAAC,CAAC;AAChD,CAAC,CAAC,CAAC;AAEL,SAAS;KACN,OAAO,CAAC,MAAM,CAAC;KACf,WAAW,CAAC,8BAA8B,CAAC;KAC3C,MAAM,CAAC,GAAG,EAAE;IACX,MAAM,UAAU,GAAG,IAAA,WAAI,EAAC,OAAO,CAAC,GAAG,EAAE,EAAE,UAAU,EAAE,cAAc,CAAC,CAAC;IAEnE,IAAI,CAAC,IAAA,eAAU,EAAC,UAAU,CAAC,EAAE,CAAC;QAC5B,OAAO,CAAC,GAAG,CAAC,6BAA6B,CAAC,CAAC;QAC3C,OAAO,CAAC,GAAG,CAAC,oEAAoE,CAAC,CAAC;QAClF,OAAO;IACT,CAAC;IAED,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAA,iBAAY,EAAC,UAAU,EAAE,OAAO,CAAC,CAAC,CAAC;IAE7D,IAAI,CAAC,MAAM,CAAC,YAAY,IAAI,MAAM,CAAC,YAAY,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC7D,OAAO,CAAC,GAAG,CAAC,6BAA6B,CAAC,CAAC;QAC3C,OAAO;IACT,CAAC;IAED,OAAO,CAAC,GAAG,CAAC,8BAA8B,CAAC,CAAC;IAC5C,MAAM,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC,GAAQ,EAAE,CAAS,EAAE,EAAE;QAClD,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,KAAK,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC;QACvC,OAAO,CAAC,GAAG,CAAC,cAAc,GAAG,CAAC,IAAI,IAAI,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC;QAClD,IAAI,GAAG,CAAC,OAAO;YAAE,OAAO,CAAC,GAAG,CAAC,aAAa,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;QACzD,OAAO,CAAC,GAAG,CAAC,eAAe,IAAI,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,kBAAkB,EAAE,EAAE,CAAC,CAAC;QACzE,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAClB,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEL,SAAS;KACN,OAAO,CAAC,QAAQ,CAAC;KACjB,WAAW,CAAC,uBAAuB,CAAC;KACpC,QAAQ,CAAC,QAAQ,EAAE,kBAAkB,CAAC;KACtC,MAAM,CAAC,CAAC,IAAY,EAAE,EAAE;IACvB,MAAM,UAAU,GAAG,IAAA,WAAI,EAAC,OAAO,CAAC,GAAG,EAAE,EAAE,UAAU,EAAE,cAAc,CAAC,CAAC;IAEnE,IAAI,CAAC,IAAA,eAAU,EAAC,UAAU,CAAC,EAAE,CAAC;QAC5B,OAAO,CAAC,KAAK,CAAC,6BAA6B,CAAC,CAAC;QAC7C,OAAO;IACT,CAAC;IAED,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAA,iBAAY,EAAC,UAAU,EAAE,OAAO,CAAC,CAAC,CAAC;IAC7D,MAAM,GAAG,GAAG,MAAM,CAAC,YAAY,CAAC,SAAS,CAAC,CAAC,CAAM,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,EAAE,KAAK,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC;IAEnG,IAAI,GAAG,KAAK,CAAC,CAAC,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,gBAAgB,IAAI,aAAa,CAAC,CAAC;QACjD,OAAO;IACT,CAAC;IAED,MAAM,OAAO,GAAG,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACtD,IAAA,kBAAa,EAAC,UAAU,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;IAC3D,OAAO,CAAC,GAAG,CAAC,wBAAwB,OAAO,CAAC,IAAI,GAAG,CAAC,CAAC;AACvD,CAAC,CAAC,CAAC;AAEL,OAAO,CAAC,KAAK,EAAE,CAAC"}
|
package/dist/cli/init.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"init.d.ts","sourceRoot":"","sources":["../../src/cli/init.ts"],"names":[],"mappings":"AAIA,UAAU,WAAW;IACnB,MAAM,CAAC,EAAE,OAAO,CAAC;CAClB;AAihBD,wBAAsB,IAAI,CAAC,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC,
|
|
1
|
+
{"version":3,"file":"init.d.ts","sourceRoot":"","sources":["../../src/cli/init.ts"],"names":[],"mappings":"AAIA,UAAU,WAAW;IACnB,MAAM,CAAC,EAAE,OAAO,CAAC;CAClB;AAihBD,wBAAsB,IAAI,CAAC,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC,CA8I9D"}
|
package/dist/cli/init.js
CHANGED
|
@@ -631,6 +631,7 @@ async function init(options) {
|
|
|
631
631
|
"Bash(git ls-files:*)",
|
|
632
632
|
"Bash(git log:*)",
|
|
633
633
|
"Bash(grep:*)",
|
|
634
|
+
"Bash(ssh:*)",
|
|
634
635
|
"Read(.coverme/*)",
|
|
635
636
|
"Write(.coverme/*)",
|
|
636
637
|
"Edit(.coverme/*)"
|
|
@@ -668,7 +669,7 @@ async function init(options) {
|
|
|
668
669
|
Usage:
|
|
669
670
|
1. Open Claude Code in your project
|
|
670
671
|
2. Type /coverme and press Enter
|
|
671
|
-
3. Wait for the scan to complete
|
|
672
|
+
3. Wait for the scan to complete (22 AI agents!)
|
|
672
673
|
4. Report opens automatically in your browser
|
|
673
674
|
|
|
674
675
|
Reports saved to: .coverme/
|
|
@@ -676,13 +677,18 @@ Reports saved to: .coverme/
|
|
|
676
677
|
- scan_YYYY-MM-DD_HH-MM-SS.json
|
|
677
678
|
|
|
678
679
|
Custom Agents:
|
|
679
|
-
Add your own experts to the scan:
|
|
680
|
-
|
|
681
680
|
coverme agent add "John" "Check all .env files for exposed secrets"
|
|
682
|
-
coverme agent
|
|
681
|
+
coverme agent list
|
|
682
|
+
coverme agent remove "John"
|
|
683
|
+
|
|
684
|
+
Runtime Verification (Optional):
|
|
685
|
+
Compare your actual runtime environment against code configuration.
|
|
686
|
+
Catches issues like "Dockerfile says USER appuser but container runs as root"
|
|
687
|
+
|
|
688
|
+
coverme verify setup --host user@server.com --name production
|
|
689
|
+
coverme verify list
|
|
683
690
|
|
|
684
|
-
|
|
685
|
-
Remove agent: coverme agent remove "John"
|
|
691
|
+
Once configured, /coverme will automatically SSH and verify runtime.
|
|
686
692
|
|
|
687
693
|
The .coverme/ folder is automatically added to .gitignore
|
|
688
694
|
|
package/dist/cli/init.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"init.js","sourceRoot":"","sources":["../../src/cli/init.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAuhBA,
|
|
1
|
+
{"version":3,"file":"init.js","sourceRoot":"","sources":["../../src/cli/init.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAuhBA,oBA8IC;AArqBD,uCAAyB;AACzB,2CAA6B;AAC7B,uCAAyB;AAMzB,MAAM,aAAa,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA6gBrB,CAAC;AAEK,KAAK,UAAU,IAAI,CAAC,OAAoB;IAC7C,MAAM,SAAS,GAAG,OAAO,CAAC,MAAM;QAC9B,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,UAAU,CAAC;QAChD,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,UAAU,CAAC,CAAC;IAEpD,OAAO,CAAC,GAAG,CAAC,oCAAoC,SAAS,EAAE,CAAC,CAAC;IAE7D,6BAA6B;IAC7B,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QAC9B,EAAE,CAAC,SAAS,CAAC,SAAS,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAC7C,OAAO,CAAC,GAAG,CAAC,sBAAsB,SAAS,EAAE,CAAC,CAAC;IACjD,CAAC;IAED,0BAA0B;IAC1B,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,YAAY,CAAC,CAAC;IACvD,EAAE,CAAC,aAAa,CAAC,WAAW,EAAE,aAAa,CAAC,CAAC;IAC7C,OAAO,CAAC,GAAG,CAAC,YAAY,WAAW,EAAE,CAAC,CAAC;IAEvC,wCAAwC;IACxC,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,UAAU,CAAC,CAAC;IACxD,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QAC/B,EAAE,CAAC,SAAS,CAAC,UAAU,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAC9C,OAAO,CAAC,GAAG,CAAC,YAAY,UAAU,GAAG,CAAC,CAAC;IACzC,CAAC;IAED,4BAA4B;IAC5B,MAAM,YAAY,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC;IACxD,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;QACjC,MAAM,YAAY,GAAG;YACnB,WAAW,EAAE,EAAE;YACf,QAAQ,EAAE,EAAE;YACZ,QAAQ,EAAE,EAAE;YACZ,oBAAoB,EAAE,EAAE;YACxB,YAAY,EAAE,CAAC;YACf,UAAU,EAAE,CAAC;SACd,CAAC;QACF,EAAE,CAAC,aAAa,CAAC,YAAY,EAAE,IAAI,CAAC,SAAS,CAAC,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;QACtE,OAAO,CAAC,GAAG,CAAC,YAAY,YAAY,EAAE,CAAC,CAAC;IAC1C,CAAC;IAED,kDAAkD;IAClD,MAAM,aAAa,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,YAAY,CAAC,CAAC;IAC7D,MAAM,aAAa,GAAG,uCAAuC,CAAC;IAE9D,IAAI,EAAE,CAAC,UAAU,CAAC,aAAa,CAAC,EAAE,CAAC;QACjC,MAAM,gBAAgB,GAAG,EAAE,CAAC,YAAY,CAAC,aAAa,EAAE,OAAO,CAAC,CAAC;QACjE,IAAI,CAAC,gBAAgB,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;YAC3C,EAAE,CAAC,cAAc,CAAC,aAAa,EAAE,aAAa,CAAC,CAAC;YAChD,OAAO,CAAC,GAAG,CAAC,+BAA+B,CAAC,CAAC;QAC/C,CAAC;IACH,CAAC;SAAM,CAAC;QACN,EAAE,CAAC,aAAa,CAAC,aAAa,EAAE,aAAa,CAAC,IAAI,EAAE,GAAG,IAAI,CAAC,CAAC;QAC7D,OAAO,CAAC,GAAG,CAAC,mCAAmC,CAAC,CAAC;IACnD,CAAC;IAED,kEAAkE;IAClE,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,SAAS,CAAC,CAAC;IACxD,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC;QAChC,EAAE,CAAC,SAAS,CAAC,WAAW,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACjD,CAAC;IAED,MAAM,YAAY,GAAG,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,qBAAqB,CAAC,CAAC;IACnE,MAAM,kBAAkB,GAAG;QACzB,WAAW,EAAE;YACX,KAAK,EAAE;gBACL,eAAe;gBACf,YAAY;gBACZ,aAAa;gBACb,YAAY;gBACZ,cAAc;gBACd,sBAAsB;gBACtB,8BAA8B;gBAC9B,cAAc;gBACd,sBAAsB;gBACtB,iBAAiB;gBACjB,cAAc;gBACd,aAAa;gBACb,kBAAkB;gBAClB,mBAAmB;gBACnB,kBAAkB;aACnB;SACF;KACF,CAAC;IAEF,0CAA0C;IAC1C,IAAI,gBAAgB,GAAQ,EAAE,CAAC;IAC/B,IAAI,EAAE,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;QAChC,IAAI,CAAC;YACH,gBAAgB,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC,CAAC;QACxE,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,sCAAsC;QACxC,CAAC;IACH,CAAC;IAED,oBAAoB;IACpB,MAAM,cAAc,GAAG;QACrB,GAAG,gBAAgB;QACnB,WAAW,EAAE;YACX,GAAG,gBAAgB,CAAC,WAAW;YAC/B,KAAK,EAAE;gBACL,GAAG,CAAC,gBAAgB,CAAC,WAAW,EAAE,KAAK,IAAI,EAAE,CAAC;gBAC9C,GAAG,kBAAkB,CAAC,WAAW,CAAC,KAAK;aACxC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS;SACpD;KACF,CAAC;IAEF,EAAE,CAAC,aAAa,CAAC,YAAY,EAAE,IAAI,CAAC,SAAS,CAAC,cAAc,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;IACxE,OAAO,CAAC,GAAG,CAAC,oBAAoB,YAAY,2BAA2B,CAAC,CAAC;IAEzE,OAAO,CAAC,GAAG,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAgCb,CAAC,CAAC;AACH,CAAC"}
|
|
@@ -2,11 +2,11 @@
|
|
|
2
2
|
|
|
3
3
|
**Ultrathink** - Analyze deeply, consider edge cases, trace data flows completely.
|
|
4
4
|
|
|
5
|
-
Execute this
|
|
5
|
+
Execute this 22-agent security scan with cross-validation.
|
|
6
6
|
|
|
7
7
|
---
|
|
8
8
|
|
|
9
|
-
## PHASE 0: PROJECT DISCOVERY
|
|
9
|
+
## PHASE 0: PROJECT DISCOVERY & RUNTIME CHECK
|
|
10
10
|
|
|
11
11
|
Before scanning, understand what you're scanning:
|
|
12
12
|
|
|
@@ -34,6 +34,21 @@ Create a **Project Overview** to include in the report:
|
|
|
34
34
|
|
|
35
35
|
This context helps readers understand the security findings in context.
|
|
36
36
|
|
|
37
|
+
### Step 3: Check for Runtime Verification (SSH)
|
|
38
|
+
|
|
39
|
+
```bash
|
|
40
|
+
cat .coverme/runtime.json 2>/dev/null || echo "NO_RUNTIME_CONFIG"
|
|
41
|
+
```
|
|
42
|
+
|
|
43
|
+
**IF runtime.json exists with environments:**
|
|
44
|
+
- Runtime verification is ENABLED
|
|
45
|
+
- Store the SSH details for use in AGENT 22 (Runtime Verification)
|
|
46
|
+
- The agent will SSH to compare actual runtime vs code expectations
|
|
47
|
+
|
|
48
|
+
**IF NO runtime.json:**
|
|
49
|
+
- Runtime verification is DISABLED (skip AGENT 22)
|
|
50
|
+
- This is normal - many projects don't need runtime verification
|
|
51
|
+
|
|
37
52
|
---
|
|
38
53
|
|
|
39
54
|
## CRITICAL OUTPUT FORMAT
|
|
@@ -1215,6 +1230,149 @@ After all other agents complete, generate an executive summary.
|
|
|
1215
1230
|
|
|
1216
1231
|
---
|
|
1217
1232
|
|
|
1233
|
+
### AGENT 22: Runtime Verification Scanner (ID prefix: RUNTIME)
|
|
1234
|
+
|
|
1235
|
+
**CONDITIONAL AGENT** - Only runs if SSH is configured in Phase 0.
|
|
1236
|
+
|
|
1237
|
+
Check if runtime.json was found in Phase 0:
|
|
1238
|
+
- If NO runtime.json → Skip this agent entirely
|
|
1239
|
+
- If runtime.json exists → Proceed with runtime verification
|
|
1240
|
+
|
|
1241
|
+
**PURPOSE**: Find dangerous mismatches between code configuration and actual runtime environment.
|
|
1242
|
+
|
|
1243
|
+
**Example of what this catches:**
|
|
1244
|
+
> The code says `USER appuser` in Dockerfile, but the container actually runs as `root`.
|
|
1245
|
+
> This is why a DuckDB file read vulnerability could access /etc/passwd!
|
|
1246
|
+
|
|
1247
|
+
---
|
|
1248
|
+
|
|
1249
|
+
**STEP 1: Gather Code Expectations**
|
|
1250
|
+
|
|
1251
|
+
Analyze configuration files to understand EXPECTED runtime state:
|
|
1252
|
+
|
|
1253
|
+
```bash
|
|
1254
|
+
# Dockerfile
|
|
1255
|
+
grep -E "^USER|^EXPOSE|^ENV" Dockerfile 2>/dev/null
|
|
1256
|
+
|
|
1257
|
+
# Docker Compose
|
|
1258
|
+
grep -E "user:|ports:|environment:" docker-compose*.yml 2>/dev/null
|
|
1259
|
+
|
|
1260
|
+
# Kubernetes
|
|
1261
|
+
grep -E "runAsUser|runAsNonRoot|readOnlyRootFilesystem|securityContext" k8s/*.yaml helm/**/values.yaml 2>/dev/null
|
|
1262
|
+
|
|
1263
|
+
# PM2
|
|
1264
|
+
grep -E "user|uid|cwd" ecosystem.config.js pm2.config.js 2>/dev/null
|
|
1265
|
+
|
|
1266
|
+
# Systemd
|
|
1267
|
+
grep -E "^User=|^Group=" *.service 2>/dev/null
|
|
1268
|
+
```
|
|
1269
|
+
|
|
1270
|
+
Build expected state:
|
|
1271
|
+
```json
|
|
1272
|
+
{
|
|
1273
|
+
"expected": {
|
|
1274
|
+
"user": "appuser",
|
|
1275
|
+
"uid": 1000,
|
|
1276
|
+
"runAsRoot": false,
|
|
1277
|
+
"readOnlyFs": true,
|
|
1278
|
+
"ports": [3000],
|
|
1279
|
+
"source": "Dockerfile:15 - USER appuser"
|
|
1280
|
+
}
|
|
1281
|
+
}
|
|
1282
|
+
```
|
|
1283
|
+
|
|
1284
|
+
---
|
|
1285
|
+
|
|
1286
|
+
**STEP 2: SSH and Check Actual Runtime**
|
|
1287
|
+
|
|
1288
|
+
Use the SSH configuration from runtime.json:
|
|
1289
|
+
|
|
1290
|
+
```bash
|
|
1291
|
+
# Build SSH command (from runtime.json)
|
|
1292
|
+
# host: user@server.com, port: 22, keyPath: ~/.ssh/id_rsa
|
|
1293
|
+
|
|
1294
|
+
# Check who is running the process
|
|
1295
|
+
ssh user@server.com "ps -eo user,pid,cmd | grep -E 'node|python|java|pm2' | head -5"
|
|
1296
|
+
|
|
1297
|
+
# Check Docker container user
|
|
1298
|
+
ssh user@server.com "docker ps -q | head -1 | xargs -I {} docker exec {} id"
|
|
1299
|
+
|
|
1300
|
+
# Check Kubernetes pod user
|
|
1301
|
+
ssh user@server.com "kubectl get pods -o name | head -1 | xargs -I {} kubectl exec {} -- id"
|
|
1302
|
+
|
|
1303
|
+
# Check file permissions
|
|
1304
|
+
ssh user@server.com "ls -la /app/ 2>/dev/null | head -10"
|
|
1305
|
+
|
|
1306
|
+
# Check listening ports
|
|
1307
|
+
ssh user@server.com "ss -tlnp | grep -E ':3000|:8080|:6379'"
|
|
1308
|
+
```
|
|
1309
|
+
|
|
1310
|
+
Build actual state:
|
|
1311
|
+
```json
|
|
1312
|
+
{
|
|
1313
|
+
"actual": {
|
|
1314
|
+
"user": "root",
|
|
1315
|
+
"uid": 0,
|
|
1316
|
+
"runAsRoot": true,
|
|
1317
|
+
"readOnlyFs": false,
|
|
1318
|
+
"ports": [3000, 6379],
|
|
1319
|
+
"evidence": "uid=0(root) gid=0(root)"
|
|
1320
|
+
}
|
|
1321
|
+
}
|
|
1322
|
+
```
|
|
1323
|
+
|
|
1324
|
+
---
|
|
1325
|
+
|
|
1326
|
+
**STEP 3: Compare and Generate Findings**
|
|
1327
|
+
|
|
1328
|
+
| Mismatch | Severity | ID |
|
|
1329
|
+
|----------|----------|-----|
|
|
1330
|
+
| Code says non-root, runs as root | CRITICAL | RUNTIME-001 |
|
|
1331
|
+
| Dockerfile USER ignored | CRITICAL | RUNTIME-002 |
|
|
1332
|
+
| K8s runAsNonRoot:true but runs as root | HIGH | RUNTIME-003 |
|
|
1333
|
+
| ReadOnlyRootFilesystem not enforced | HIGH | RUNTIME-004 |
|
|
1334
|
+
| Unexpected ports exposed | MEDIUM | RUNTIME-005 |
|
|
1335
|
+
| File permissions too open (777) | MEDIUM | RUNTIME-006 |
|
|
1336
|
+
| Environment variables mismatch | LOW | RUNTIME-007 |
|
|
1337
|
+
|
|
1338
|
+
**Output Format:**
|
|
1339
|
+
```json
|
|
1340
|
+
{
|
|
1341
|
+
"id": "RUNTIME-001",
|
|
1342
|
+
"title": "Container running as root despite USER directive",
|
|
1343
|
+
"severity": "critical",
|
|
1344
|
+
"category": "runtime-mismatch",
|
|
1345
|
+
"fixOwner": "devops",
|
|
1346
|
+
"fixType": "infrastructure",
|
|
1347
|
+
|
|
1348
|
+
"expected": {
|
|
1349
|
+
"value": "appuser (uid 1000)",
|
|
1350
|
+
"source": "Dockerfile:15",
|
|
1351
|
+
"code": "USER appuser"
|
|
1352
|
+
},
|
|
1353
|
+
|
|
1354
|
+
"actual": {
|
|
1355
|
+
"value": "root (uid 0)",
|
|
1356
|
+
"command": "docker exec container id",
|
|
1357
|
+
"evidence": "uid=0(root) gid=0(root)"
|
|
1358
|
+
},
|
|
1359
|
+
|
|
1360
|
+
"description": "The Dockerfile specifies USER appuser, but the container runs as root. This likely means docker-compose or K8s overrides the user.",
|
|
1361
|
+
|
|
1362
|
+
"impact": "Running as root means any code vulnerability can access ALL system files. The DuckDB read_text() issue could read /etc/shadow, SSH keys, or any file on the system.",
|
|
1363
|
+
|
|
1364
|
+
"recommendation": "1. Remove user: root from docker-compose.yml\n2. Add securityContext.runAsNonRoot: true to K8s deployment\n3. Verify no --user root in docker run commands",
|
|
1365
|
+
|
|
1366
|
+
"verification": {
|
|
1367
|
+
"codeFile": "Dockerfile:15",
|
|
1368
|
+
"sshCommand": "docker exec container_name id",
|
|
1369
|
+
"sshOutput": "uid=0(root) gid=0(root)"
|
|
1370
|
+
}
|
|
1371
|
+
}
|
|
1372
|
+
```
|
|
1373
|
+
|
|
1374
|
+
---
|
|
1375
|
+
|
|
1218
1376
|
## PHASE 2: DUPLICATE & EXISTING SOLUTIONS CHECK
|
|
1219
1377
|
|
|
1220
1378
|
### AGENT 21: Duplicate & Existing Solutions Scanner (ID prefix: DUP)
|