npm - coverme-scanner - Versions diffs - 1.5.1 → 1.5.2 - Mend

coverme-scanner 1.5.1 → 1.5.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/dist/prompts/coverme-command.md +31 -18
package/package.json +1 -1

package/dist/prompts/coverme-command.md CHANGED Viewed

@@ -60,6 +60,18 @@ cat .coverme/runtime.json 2>/dev/null || echo "NO_RUNTIME_CONFIG"
 Launch ALL agents IN PARALLEL using the Task tool with `run_in_background: true`.
+**CRITICAL FOR CONTEXT MANAGEMENT**: Each agent MUST return ONLY a compact JSON array of findings.
+- NO explanatory text before or after the JSON
+- NO tool output summaries
+- ONLY the final JSON array
+- Keep descriptions short (max 100 chars)
+- If no findings, return: `[]`
+Example agent output format:
+```json
+[{"id":"SEC-001","title":"SQL Injection","severity":"critical","file":"src/db.ts","line":45,"description":"User input concatenated into query","recommendation":"Use parameterized queries"}]
+```
 ### Agent 1: Security Core Scanner (SEC)
 ```
 Scan for OWASP Top 10 and common vulnerabilities:
@@ -109,7 +121,8 @@ DATABASE-SPECIFIC DANGEROUS FUNCTIONS:
 - MongoDB: $where with user input, mapReduce with user functions
 - Redis: EVAL/EVALSHA with user input, CONFIG, DEBUG commands
-Output JSON: [{id: "SEC-XXX", title, severity, category, file, line, code, description, impact, recommendation, cwe, confidence, fixOwner, fixType, dread: {damage, reproducibility, exploitability, affectedUsers, discoverability, score}}]
+RETURN ONLY THIS JSON (no other text):
+[{"id":"SEC-001","title":"...","severity":"critical|high|medium|low","file":"path","line":N,"description":"max 100 chars","recommendation":"max 100 chars"}]
 ```
 ### Agent 2: Auth & Session Scanner (AUTH)
@@ -154,7 +167,7 @@ TIMING ATTACKS:
 - Non-constant-time string comparison for tokens/secrets
 - Early return on auth failure leaking valid usernames
-Output JSON: [{id: "AUTH-XXX", ...full format with DREAD}]
+RETURN ONLY JSON: [{"id":"AUTH-001","title":"...","severity":"...","file":"...","line":N,"description":"...","recommendation":"..."}]
 ```
 ### Agent 3: API Security Scanner (API)
@@ -191,7 +204,7 @@ WEBHOOKS:
 - SSRF via webhook URLs
 - No webhook replay protection
-Output JSON: [{id: "API-XXX", ...full format with DREAD}]
+RETURN ONLY JSON: [{"id":"API-001","title":"...","severity":"...","file":"...","line":N,"description":"...","recommendation":"..."}]
 ```
 ### Agent 4: Infrastructure Scanner (INFRA)
@@ -230,7 +243,7 @@ DEPENDENCY SECURITY (HIGH if missing):
 - Dependabot/Renovate configuration
 - SBOM generation
-Output JSON: [{id: "INFRA-XXX", ...full format with DREAD}]
+RETURN ONLY JSON: [{"id":"INFRA-001","title":"...","severity":"...","file":"...","line":N,"description":"...","recommendation":"..."}]
 ```
 ### Agent 5: Data & Privacy Scanner (DATA)
@@ -261,7 +274,7 @@ SECRETS:
 - Secrets in environment files committed
 - .env files not in .gitignore
-Output JSON: [{id: "DATA-XXX", ...full format with DREAD}]
+RETURN ONLY JSON: [{"id":"DATA-001","title":"...","severity":"...","file":"...","line":N,"description":"...","recommendation":"..."}]
 ```
 ### Agent 6: AI/LLM Security Scanner (AI)
@@ -289,7 +302,7 @@ SUPPLY CHAIN:
 - CDN imports without Subresource Integrity (SRI)
 - Unpinned AI model versions
-Output JSON: [{id: "AI-XXX", ...full format with DREAD}]
+RETURN ONLY JSON (no other text): []
 ```
 ### Agent 7: Performance & DoS Scanner (PERF)
@@ -319,7 +332,7 @@ DANGEROUS DATABASE OPERATIONS IN HOT PATHS:
 - MongoDB find() without limit
 - SQL SELECT without LIMIT
-Output JSON: [{id: "PERF-XXX", ...full format with DREAD}]
+RETURN ONLY JSON (no other text): []
 ```
 ### Agent 8: Business Logic Scanner (BIZ)
@@ -343,7 +356,7 @@ FINANCIAL:
 - Negative amount bypass
 - Discount stacking exploits
-Output JSON: [{id: "BIZ-XXX", ...full format with DREAD}]
+RETURN ONLY JSON (no other text): []
 ```
 ### Agent 9: Code Quality Scanner (QUAL)
@@ -374,7 +387,7 @@ DEAD CODE WITH SECURITY IMPLICATIONS:
 - Old/commented code that has BETTER security than current code
 - Deprecated functions with security controls not ported
-Output JSON: [{id: "QUAL-XXX", ...full format with DREAD}]
+RETURN ONLY JSON (no other text): []
 ```
 ### Agent 10: Testing & Reliability Scanner (TEST)
@@ -399,7 +412,7 @@ RELIABILITY:
 - No circuit breakers for external calls
 - Missing retry logic with backoff
-Output JSON: [{id: "TEST-XXX", ...full format with DREAD}]
+RETURN ONLY JSON (no other text): []
 ```
 ### Agent 11: Redis & Cache Security Scanner (REDIS)
@@ -433,7 +446,7 @@ RACE CONDITIONS:
 - Missing WATCH/MULTI/EXEC for transactions
 - INCR + EXPIRE not atomic
-Output JSON: [{id: "REDIS-XXX", ...full format with DREAD}]
+RETURN ONLY JSON (no other text): []
 ```
 ### Agent 12: Resilience & Fallback Scanner (RESIL)
@@ -465,7 +478,7 @@ HEALTH CHECKS:
 - Health check that calls external dependencies
 - No distinction between liveness and readiness
-Output JSON: [{id: "RESIL-XXX", ...full format with DREAD}]
+RETURN ONLY JSON (no other text): []
 ```
 ### Agent 13: PII & Sensitive Data Scanner (PII)
@@ -501,7 +514,7 @@ SENSITIVE DATA TYPES TO FIND:
 - Health/medical information
 - Authentication credentials
-Output JSON: [{id: "PII-XXX", ...full format with DREAD}]
+RETURN ONLY JSON (no other text): []
 ```
 ### Agent 14: Dead Code & Unused Scanner (DEAD)
@@ -529,7 +542,7 @@ SECURITY IMPLICATIONS:
 - Unused auth middleware (was security removed?)
 - Dead validation code (security regression?)
-Output JSON: [{id: "DEAD-XXX", ...full format with DREAD}]
+RETURN ONLY JSON (no other text): []
 ```
 ### Agent 15: Database Security Scanner (DB)
@@ -572,7 +585,7 @@ ORM SPECIFIC:
 - TypeORM repository.query() with string concat - VULNERABLE
 - Mongoose User.find({ username: req.body.username }) - operator injection
-Output JSON: [{id: "DB-XXX", ...full format with DREAD}]
+RETURN ONLY JSON (no other text): []
 ```
 ### Agent 16: Network & Architecture Scanner (ARCH)
@@ -596,7 +609,7 @@ KUBERNETES/INFRASTRUCTURE:
 - LoadBalancer exposing internal services
 - Pod-to-pod communication without restrictions
-Output JSON: [{id: "ARCH-XXX", ...full format with notCodeFix: true if devops/architect}]
+RETURN ONLY JSON (no other text): []
 ```
 ### Agent 17: Design Decision Detector (DESIGN)
@@ -676,7 +689,7 @@ ENCLAVE REGISTRATION:
 - IP-based trust without cryptographic verification
 - Enclave secrets transmitted without encryption
-Output JSON: [{id: "ENC-XXX", ...full format with DREAD}]
+RETURN ONLY JSON (no other text): []
 ```
 ### Agent 20: Executive Summary Generator (EXEC)
@@ -770,7 +783,7 @@ STEP 3: Compare and Generate Findings
 | ReadOnlyRootFilesystem not enforced | HIGH |
 | Unexpected ports exposed | MEDIUM |
-Output JSON: [{id: "RUNTIME-XXX", expected: {...}, actual: {...}, ...full format}]
+RETURN ONLY JSON (no other text): []
 ```
 ---

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "coverme-scanner",
-  "version": "1.5.1",
+  "version": "1.5.2",
   "description": "AI-powered code scanner with multi-agent verification for Claude Code. One command scans everything.",
   "main": "dist/index.js",
   "files": [