npm - coverme-scanner - Versions diffs - 2.0.0 → 2.0.1 - Mend

coverme-scanner 2.0.0 → 2.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/dist/prompts/coverme-command.md +37 -10
package/package.json +1 -1

package/dist/prompts/coverme-command.md CHANGED Viewed

@@ -336,6 +336,22 @@ grep -r "import.*database\|import.*db" src/controllers/ src/routes/
 Create `.coverme/scan.json` with this structure:
+### CRITICAL REQUIREMENT
+**YOU MUST CREATE DETAILED FINDINGS!**
+The `findings` array is **MANDATORY** and must contain:
+- Full finding objects with ALL fields (not just executiveSummary.topRisks)
+- businessImpact with financial/reputation/legal/operational breakdown
+- proofOfConcept with actual exploit code
+- attackChain with step-by-step exploitation
+- quickFix vs properFix with code examples
+- testing instructions (manual + automated)
+- detection methods (commands + indicators)
+- estimatedEffort (human vs claudeCode with ROI)
+**DO NOT** create only `executiveSummary.topRisks` - you **MUST** also create full finding objects in the `findings` array!
 ### Required Fields
 - `agentCount`: Always `1` (unified agent)
 - `scanDuration`: e.g., "8m 30s" or "512s"
@@ -1258,16 +1274,27 @@ Before finishing:
 ## REMEMBER
-1. **Silent failures are CRITICAL** - They hide production bugs in payments, auth, data
-2. **Read actual code** - Don't guess, read the files
-3. **Check git history** - Secrets may have been removed but still exposed
-4. **Think like an attacker** - How would you exploit this?
-5. **Be specific** - File:line, code snippets, attack chains
-6. **DREAD + Attack Chain** - Required for critical/high
-7. **Quality over quantity** - 10 solid findings > 50 vague ones
-8. **Architecture matters** - Trust boundaries, data flow, scalability
-9. **Performance impacts security** - N+1 queries → DoS, memory leaks → crashes
-10. **Run `coverme report`** - Not done until HTML opens!
+1. **CREATE DETAILED FINDINGS** - DO NOT just write executiveSummary! You MUST populate the `findings` array with full finding objects!
+2. **Silent failures are CRITICAL** - They hide production bugs in payments, auth, data
+3. **Read actual code** - Don't guess, read the files
+4. **Check git history** - Secrets may have been removed but still exposed
+5. **Think like an attacker** - How would you exploit this?
+6. **Be specific** - File:line, code snippets, attack chains
+7. **DREAD + Attack Chain** - Required for critical/high
+8. **Quality over quantity** - 10 solid findings > 50 vague ones
+9. **Architecture matters** - Trust boundaries, data flow, scalability
+10. **Performance impacts security** - N+1 queries → DoS, memory leaks → crashes
+11. **Include ROI estimates** - human vs claudeCode time for every finding
+12. **Run `coverme report`** - Not done until HTML opens!
+---
+⚠️ **FINAL CHECK BEFORE SUBMITTING scan.json:**
+- [ ] `findings` array contains at least 3-10 detailed finding objects (NOT empty!)
+- [ ] Each finding has businessImpact, proofOfConcept, attackChain, quickFix, properFix, testing, detection, estimatedEffort
+- [ ] executiveSummary.topRisks matches the findings in the findings array
+- [ ] summary counts (critical/high/medium/low) match the findings array length
 ---

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "coverme-scanner",
-  "version": "2.0.0",
+  "version": "2.0.1",
   "description": "AI-powered code scanner with multi-agent verification for Claude Code. One command scans everything.",
   "main": "dist/index.js",
   "files": [