coverme-security-scanner 3.6.0 → 3.7.1

package/bin/merge-reports.js

@@ -0,0 +1,231 @@
+#!/usr/bin/env node
+
+/**
+ * Merge multiple partial security reports into a single comprehensive report
+ * Usage: coverme-merge .coverme/partial-*.json -o scan.json
+ */
+
+import { readFileSync, writeFileSync, readdirSync } from 'fs';
+import { join, dirname } from 'path';
+
+function mergeReports(inputDir, outputFile) {
+  const files = readdirSync(inputDir).filter(f => f.startsWith('partial-') && f.endsWith('.json'));
+
+  if (files.length === 0) {
+    console.error('No partial-*.json files found in', inputDir);
+    process.exit(1);
+  }
+
+  console.log(`Merging ${files.length} partial reports...`);
+
+  // Initialize merged report
+  const merged = {
+    project: '',
+    date: new Date().toISOString().split('T')[0],
+    branch: '',
+    scope: '',
+    methodology: '7 parallel security agents with attack chain analysis',
+    summary: { critical: 0, high: 0, medium: 0, low: 0, total: 0 },
+    overallRiskLevel: 'low',
+    executiveSummary: '',
+    topPriorities: [],
+    attackChains: [],
+    riskMatrix: [],
+    architecture: { overview: '', components: [], trustBoundaries: [] },
+    network: { diagram: '', ports: [], externalDeps: [] },
+    findings: [],
+    threatModel: [],
+    positiveObservations: [],
+    complianceMapping: [],
+    remediation: { p0: [], p1: [], p2: [], p3: [] },
+    qualityReview: { deadCode: [], dryViolations: [], deprecated: [] },
+    resolvedIssues: [],
+    privacyAnalysis: []
+  };
+
+  // Process each partial file
+  for (const file of files) {
+    const filePath = join(inputDir, file);
+    console.log(`  Processing: ${file}`);
+
+    try {
+      const partial = JSON.parse(readFileSync(filePath, 'utf-8'));
+
+      // Merge simple fields (take first non-empty value)
+      if (partial.project && !merged.project) merged.project = partial.project;
+      if (partial.date) merged.date = partial.date;
+      if (partial.branch && !merged.branch) merged.branch = partial.branch;
+      if (partial.scope && !merged.scope) merged.scope = partial.scope;
+      if (partial.executiveSummary && !merged.executiveSummary) {
+        merged.executiveSummary = partial.executiveSummary;
+      }
+
+      // Merge arrays (deduplicate by id where applicable)
+      if (partial.findings) {
+        for (const f of partial.findings) {
+          if (!merged.findings.find(x => x.id === f.id)) {
+            merged.findings.push(f);
+          }
+        }
+      }
+
+      if (partial.attackChains) {
+        for (const ac of partial.attackChains) {
+          if (!merged.attackChains.find(x => x.id === ac.id)) {
+            merged.attackChains.push(ac);
+          }
+        }
+      }
+
+      if (partial.topPriorities) {
+        merged.topPriorities.push(...partial.topPriorities);
+      }
+
+      if (partial.riskMatrix) {
+        for (const rm of partial.riskMatrix) {
+          if (!merged.riskMatrix.find(x => x.category === rm.category)) {
+            merged.riskMatrix.push(rm);
+          }
+        }
+      }
+
+      if (partial.architecture) {
+        if (partial.architecture.overview && !merged.architecture.overview) {
+          merged.architecture.overview = partial.architecture.overview;
+        }
+        if (partial.architecture.components) {
+          merged.architecture.components.push(...partial.architecture.components);
+        }
+        if (partial.architecture.trustBoundaries) {
+          merged.architecture.trustBoundaries.push(...partial.architecture.trustBoundaries);
+        }
+      }
+
+      if (partial.network) {
+        if (partial.network.diagram && !merged.network.diagram) {
+          merged.network.diagram = partial.network.diagram;
+        }
+        if (partial.network.ports) {
+          for (const p of partial.network.ports) {
+            if (!merged.network.ports.find(x => x.port === p.port)) {
+              merged.network.ports.push(p);
+            }
+          }
+        }
+        if (partial.network.externalDeps) {
+          merged.network.externalDeps.push(...partial.network.externalDeps);
+        }
+      }
+
+      if (partial.threatModel) {
+        for (const tm of partial.threatModel) {
+          if (!merged.threatModel.find(x => x.id === tm.id)) {
+            merged.threatModel.push(tm);
+          }
+        }
+      }
+
+      if (partial.positiveObservations) {
+        merged.positiveObservations.push(...partial.positiveObservations);
+      }
+
+      if (partial.complianceMapping) {
+        for (const cm of partial.complianceMapping) {
+          const existing = merged.complianceMapping.find(x => x.framework === cm.framework);
+          if (existing) {
+            existing.controls.push(...cm.controls);
+          } else {
+            merged.complianceMapping.push(cm);
+          }
+        }
+      }
+
+      if (partial.remediation) {
+        if (partial.remediation.p0) merged.remediation.p0.push(...partial.remediation.p0);
+        if (partial.remediation.p1) merged.remediation.p1.push(...partial.remediation.p1);
+        if (partial.remediation.p2) merged.remediation.p2.push(...partial.remediation.p2);
+        if (partial.remediation.p3) merged.remediation.p3.push(...partial.remediation.p3);
+      }
+
+      if (partial.qualityReview) {
+        if (partial.qualityReview.deadCode) {
+          merged.qualityReview.deadCode.push(...partial.qualityReview.deadCode);
+        }
+        if (partial.qualityReview.dryViolations) {
+          merged.qualityReview.dryViolations.push(...partial.qualityReview.dryViolations);
+        }
+        if (partial.qualityReview.deprecated) {
+          merged.qualityReview.deprecated.push(...partial.qualityReview.deprecated);
+        }
+      }
+
+      if (partial.resolvedIssues) {
+        merged.resolvedIssues.push(...partial.resolvedIssues);
+      }
+
+      if (partial.privacyAnalysis) {
+        merged.privacyAnalysis.push(...partial.privacyAnalysis);
+      }
+
+    } catch (e) {
+      console.error(`  Error parsing ${file}:`, e.message);
+    }
+  }
+
+  // Calculate summary counts
+  merged.summary.critical = merged.findings.filter(f => f.severity === 'critical').length;
+  merged.summary.high = merged.findings.filter(f => f.severity === 'high').length;
+  merged.summary.medium = merged.findings.filter(f => f.severity === 'medium').length;
+  merged.summary.low = merged.findings.filter(f => f.severity === 'low').length;
+  merged.summary.total = merged.findings.length;
+
+  // Determine overall risk level
+  if (merged.summary.critical > 0) {
+    merged.overallRiskLevel = 'critical';
+  } else if (merged.summary.high > 2) {
+    merged.overallRiskLevel = 'high';
+  } else if (merged.summary.high > 0 || merged.summary.medium > 3) {
+    merged.overallRiskLevel = 'medium';
+  } else {
+    merged.overallRiskLevel = 'low';
+  }
+
+  // Deduplicate top priorities (keep first 5)
+  const seenPriorities = new Set();
+  merged.topPriorities = merged.topPriorities.filter(p => {
+    if (seenPriorities.has(p.finding)) return false;
+    seenPriorities.add(p.finding);
+    return true;
+  }).slice(0, 5);
+
+  // Remove empty arrays
+  if (merged.qualityReview.deadCode.length === 0 &&
+      merged.qualityReview.dryViolations.length === 0 &&
+      merged.qualityReview.deprecated.length === 0) {
+    delete merged.qualityReview;
+  }
+  if (merged.resolvedIssues.length === 0) delete merged.resolvedIssues;
+  if (merged.privacyAnalysis.length === 0) delete merged.privacyAnalysis;
+
+  // Write merged report
+  writeFileSync(outputFile, JSON.stringify(merged, null, 2));
+  console.log(`\nMerged report written to: ${outputFile}`);
+  console.log(`  Total findings: ${merged.summary.total}`);
+  console.log(`  Critical: ${merged.summary.critical}, High: ${merged.summary.high}, Medium: ${merged.summary.medium}, Low: ${merged.summary.low}`);
+  console.log(`  Attack chains: ${merged.attackChains.length}`);
+  console.log(`  Overall risk: ${merged.overallRiskLevel.toUpperCase()}`);
+}
+
+// CLI
+const args = process.argv.slice(2);
+if (args.length < 1) {
+  console.log('Usage: coverme-merge <input-dir> [output-file]');
+  console.log('  input-dir: Directory containing partial-*.json files');
+  console.log('  output-file: Output file (default: scan.json)');
+  process.exit(1);
+}
+
+const inputDir = args[0];
+const outputFile = args[1] || join(inputDir, 'scan.json');
+
+mergeReports(inputDir, outputFile);

package/commands/coverme.md

@@ -1,350 +1,48 @@
-# Security Assessment Generator v2
+# Security Assessment - Automated Scan
 
-Run a comprehensive security assessment on this codebase and generate a professional PDF report with deep analysis.
-
-## Instructions
-
-You are a senior security architect and penetration tester performing a pre-production security audit. Run 7 parallel security agents to analyze this codebase comprehensively.
-
-### Step 0: Setup (Run First!)
-
-Before starting the scan, create the output directory:
+Run a comprehensive security assessment on this codebase. Execute ALL steps automatically without asking for confirmation.
 
+## Step 1: Setup
+Run this command using Bash:
 ```bash
 mkdir -p .coverme
 ```
 
-This prevents errors when saving the scan results.
-
-### Step 1: Launch Parallel Agents
-
-Launch these 7 agents simultaneously using the Task tool:
-
-1. **Executive Summary Agent** (subagent_type: Explore)
-   - Understand what the system does
-   - Identify the tech stack and architecture
-   - Map trust boundaries and critical assets
-   - Determine overall risk level
-   - Identify the crown jewels (most valuable assets)
-
-2. **Attack Surface Agent** (subagent_type: Explore)
-   - Map all entry points (APIs, webhooks, file uploads, CLI args)
-   - Identify unauthenticated endpoints
-   - Find admin/debug interfaces
-   - Check for exposed internal services
-   - Document external dependencies and their trust level
-
-3. **Vulnerability Hunter Agent** (subagent_type: Explore)
-   - OWASP Top 10 deep dive with CODE EVIDENCE
-   - For each finding: extract the EXACT vulnerable code snippet
-   - Authentication/authorization bypass paths
-   - Injection vulnerabilities (SQL, command, XSS, SSTI)
-   - Secrets in code, hardcoded credentials (show exact lines)
-   - Insecure deserialization, SSRF, XXE
-   - Rate limiting gaps, brute force opportunities
-
-4. **Attack Chain Analyst Agent** (subagent_type: Explore)
-   - Identify how vulnerabilities COMBINE for greater impact
-   - Map realistic attack scenarios (entry -> pivot -> objective)
-   - Calculate blast radius for each chain
-   - Example: "Unauthenticated API + hardcoded secret = full DB access"
-   - Prioritize chains by likelihood and impact
-
-5. **Business Logic Agent** (subagent_type: Explore)
-   - Race conditions in critical flows (payments, credits, locks)
-   - Workflow bypass opportunities (skip steps, replay)
-   - Credit/billing manipulation vectors
-   - Data validation gaps at business boundaries
-   - PII handling and data residency violations
-   - Privilege escalation paths
-
-6. **Infrastructure Agent** (subagent_type: Explore)
-   - Docker/Kubernetes security (securityContext, network policies)
-   - CI/CD pipeline security gates (or lack thereof)
-   - Secrets management (env vars, mounted secrets, hardcoded)
-   - Cloud configuration (IAM, S3 buckets, security groups)
-   - Database security (encryption, access controls)
-   - Dependency vulnerabilities (npm audit, CVEs)
-
-7. **Compliance & Impact Agent** (subagent_type: Explore)
-   - Map findings to compliance frameworks (SOC2, PCI-DSS, GDPR, HIPAA)
-   - Calculate business impact for each critical finding
-   - Estimate financial exposure ranges
-   - Identify SLA/availability risks
-   - Determine data breach notification requirements
-
-### Step 2: Deep Dive on Findings
-
-For EVERY critical and high finding, ensure you have:
-
-1. **Code Evidence** - The EXACT vulnerable code snippet:
-   ```
-   "codeEvidence": [{
-     "file": "src/auth/login.js",
-     "startLine": 45,
-     "endLine": 52,
-     "code": "const user = await db.query(`SELECT * FROM users WHERE id = ${req.params.id}`);",
-     "annotation": "User input directly interpolated into SQL query"
-   }]
-   ```
-
-2. **Exploitability Assessment**:
-   ```
-   "exploitability": {
-     "skillLevel": "novice",           // novice/intermediate/expert
-     "accessRequired": "network",       // network/adjacent/local/physical
-     "authRequired": "none",            // none/low/high
-     "userInteraction": "none",         // none/required
-     "hasPublicExploit": true,          // Known PoC exists?
-     "exploitMaturity": "weaponized",   // theoretical/poc/weaponized
-     "automatable": true                // Can be mass-exploited?
-   }
-   ```
-
-3. **Blast Radius**:
-   ```
-   "blastRadius": {
-     "affectedUsers": "all",            // none/single/subset/all
-     "affectedData": ["PII", "credentials", "financial"],
-     "affectedServices": ["auth", "payments"],
-     "cascadeRisk": true,               // Leads to further compromise?
-     "containment": "system"            // isolated/component/system/infrastructure
-   }
-   ```
-
-4. **Business Impact**:
-   ```
-   "businessImpact": {
-     "confidentiality": "high",
-     "integrity": "high",
-     "availability": "low",
-     "financialExposure": "$100k-$1M potential fraud",
-     "complianceViolations": ["PCI-DSS 6.5.1", "SOC2 CC6.1"],
-     "reputationalRisk": "high",
-     "slaImpact": "99.9% SLA at risk"
-   }
-   ```
-
-5. **Proof of Concept** (safe, non-destructive):
-   ```
-   "proofOfConcept": "curl -X POST /api/admin/users -H 'X-Admin: true' -d '{\"role\":\"admin\"}'"
-   ```
-
-### Step 3: Build Attack Chains
-
-Identify 2-5 realistic attack chains that combine multiple vulnerabilities:
-
-```json
-"attackChains": [
-  {
-    "id": "AC-01",
-    "name": "Credential Theft to Full Infrastructure Compromise",
-    "description": "Attacker chains unauthenticated endpoint access with hardcoded secrets to gain full system control",
-    "likelihood": "high",
-    "impact": "critical",
-    "steps": [
-      { "order": 1, "findingId": "HIGH-02", "action": "Access unauthenticated /enclave/register endpoint", "outcome": "Register malicious enclave with attacker-controlled keys" },
-      { "order": 2, "findingId": "HIGH-01", "action": "Use leaked tracker API key from Helm values", "outcome": "Gain access to usage analytics and user activity" },
-      { "order": 3, "findingId": "CRIT-01", "action": "Pivot using AWS credentials from .env", "outcome": "Full AWS account access, S3 data exfiltration" }
-    ],
-    "mitigationStrategy": "Breaking any link stops the chain. Priority: rotate AWS credentials immediately."
-  }
-]
-```
-
-### Step 4: Compile Results
-
-After all agents complete, compile their findings into a JSON file with this enhanced schema:
-
-```json
-{
-  "project": "Project Name",
-  "date": "YYYY-MM-DD",
-  "branch": "branch-name",
-  "scope": "X files, ~Y lines",
-  "methodology": "7 parallel security agents with attack chain analysis",
-
-  "summary": {
-    "critical": 0,
-    "high": 0,
-    "medium": 0,
-    "low": 0,
-    "total": 0
-  },
-
-  "overallRiskLevel": "critical|high|medium|low",
-  "executiveSummary": "2-3 paragraphs: what the system does, key findings, recommended actions...",
+## Step 2: Launch 7 Security Agents in Parallel
+Launch ALL 7 agents simultaneously using the Task tool with subagent_type="general-purpose". Do NOT wait between launches - send all 7 in a single response.
 
-  "topPriorities": [
-    { "finding": "Description", "severity": "critical", "action": "Immediate action required" }
-  ],
+**Agent 1 - Executive Summary:**
+Analyze this codebase architecture and security posture. Identify tech stack, components, trust boundaries. Write findings to .coverme/partial-01-executive.json as valid JSON with fields: project (string), date (YYYY-MM-DD), executiveSummary (string), architecture (object with overview string, components array of {name, technology, description}, trustBoundaries array of {id, boundary, trustLevel, description}), topPriorities array of {finding, severity, action}.
 
-  "attackChains": [
-    {
-      "id": "AC-01",
-      "name": "Chain name",
-      "description": "How vulnerabilities combine",
-      "likelihood": "high",
-      "impact": "critical",
-      "steps": [
-        { "order": 1, "findingId": "CRIT-01", "action": "What attacker does", "outcome": "What they achieve" }
-      ],
-      "mitigationStrategy": "How to break the chain"
-    }
-  ],
+**Agent 2 - Attack Surface:**
+Map all API endpoints, entry points, unauthenticated routes, admin interfaces. Write to .coverme/partial-02-surface.json as valid JSON with: network (object with diagram string, ports array, externalDeps array of {service, endpoint, auth, risk}), findings array.
 
-  "riskMatrix": [
-    { "category": "Authentication", "currentRisk": "high", "residualRisk": "low", "trend": "stable" },
-    { "category": "Data Protection", "currentRisk": "medium", "residualRisk": "low", "trend": "improving" }
-  ],
+**Agent 3 - Vulnerability Hunter:**
+Hunt for security vulnerabilities: hardcoded secrets, SQL injection, XSS, command injection, auth bypass. Include actual code snippets. Write to .coverme/partial-03-vulns.json as valid JSON with findings array containing: id, title, severity (critical/high/medium/low/info), file, line, issue, why, fix, cwe, codeEvidence array of {file, startLine, endLine, code, annotation}, proofOfConcept.
 
-  "architecture": {
-    "overview": "System description...",
-    "components": [
-      { "name": "Component", "technology": "Tech", "description": "Purpose" }
-    ],
-    "trustBoundaries": [
-      { "id": "TB-01", "boundary": "Internet/DMZ", "trustLevel": "untrusted", "description": "Public API surface" }
-    ]
-  },
+**Agent 4 - Attack Chains:**
+Identify how vulnerabilities combine for greater impact. Map attack scenarios. Write to .coverme/partial-04-chains.json as valid JSON with: attackChains array of {id, name, description, likelihood, impact, steps array of {order, findingId, action, outcome}, mitigationStrategy}, riskMatrix array of {category, currentRisk, residualRisk, trend}.
 
-  "network": {
-    "diagram": "ASCII diagram...",
-    "ports": [
-      { "port": 443, "protocol": "HTTPS", "component": "API", "binding": "0.0.0.0", "purpose": "Public API" }
-    ],
-    "externalDeps": [
-      { "service": "Stripe", "endpoint": "api.stripe.com", "auth": "API key", "risk": "PCI scope" }
-    ]
-  },
+**Agent 5 - Business Logic:**
+Find business logic flaws: race conditions, workflow bypass, privilege escalation. Write to .coverme/partial-05-business.json as valid JSON with: findings array, threatModel array of {id, severity, dread, status, finding}.
 
-  "findings": [
-    {
-      "id": "CRIT-01",
-      "title": "Finding title",
-      "severity": "critical",
-      "file": "path/to/file.js",
-      "line": 123,
-      "issue": "What we found...",
-      "why": "Why it matters...",
-      "fix": "How to fix...",
-      "status": "open",
-      "dreadScore": 8.5,
-      "cwe": "CWE-89",
-      "cvssScore": 9.1,
-      "cvssVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
-      "codeEvidence": [
-        {
-          "file": "src/db/query.js",
-          "startLine": 45,
-          "endLine": 48,
-          "code": "db.query(`SELECT * FROM users WHERE id = ${userId}`)",
-          "annotation": "Unsanitized user input in SQL query"
-        }
-      ],
-      "exploitability": {
-        "skillLevel": "novice",
-        "accessRequired": "network",
-        "authRequired": "none",
-        "userInteraction": "none",
-        "hasPublicExploit": true,
-        "exploitMaturity": "weaponized",
-        "automatable": true
-      },
-      "blastRadius": {
-        "affectedUsers": "all",
-        "affectedData": ["PII", "credentials"],
-        "affectedServices": ["database", "auth"],
-        "cascadeRisk": true,
-        "containment": "system"
-      },
-      "businessImpact": {
-        "confidentiality": "high",
-        "integrity": "high",
-        "availability": "none",
-        "financialExposure": "$500k-$5M breach costs",
-        "complianceViolations": ["GDPR Art 32", "SOC2 CC6.1"],
-        "reputationalRisk": "high"
-      },
-      "proofOfConcept": "curl '/api/users/1 OR 1=1--'",
-      "relatedFindings": ["HIGH-02", "HIGH-03"],
-      "attackChainPosition": "entry",
-      "references": ["https://owasp.org/Top10/A03_2021-Injection/"]
-    }
-  ],
+**Agent 6 - Infrastructure:**
+Check Docker, K8s, CI/CD, secrets management, dependencies. Write to .coverme/partial-06-infra.json as valid JSON with: findings array, qualityReview object with deadCode/dryViolations/deprecated arrays.
 
-  "threatModel": [
-    {
-      "id": "T-01",
-      "severity": "high",
-      "dread": 6.5,
-      "status": "open",
-      "finding": "STRIDE threat description"
-    }
-  ],
+**Agent 7 - Compliance:**
+Map findings to SOC2, PCI-DSS, GDPR. Identify positive practices. Write to .coverme/partial-07-compliance.json as valid JSON with: complianceMapping array of {framework, controls array}, remediation object with p0/p1/p2/p3 arrays of {action, finding, owner}, positiveObservations array of {title, description}, privacyAnalysis array.
 
-  "positiveObservations": [
-    { "title": "Good Practice", "description": "What they did right..." }
-  ],
+## Step 3: Wait for All Agents
+After launching all 7 agents, wait for them to complete using AgentOutputTool.
 
-  "complianceMapping": [
-    {
-      "framework": "SOC2",
-      "controls": [
-        { "controlId": "CC6.1", "name": "Logical Access", "status": "partial", "relatedFindings": ["HIGH-02"] }
-      ]
-    }
-  ],
-
-  "remediation": {
-    "p0": [{ "action": "Do this NOW", "finding": "CRIT-01", "owner": "Security" }],
-    "p1": [{ "action": "Do this week", "finding": "HIGH-01", "owner": "Backend" }],
-    "p2": [],
-    "p3": []
-  }
-}
-```
-
-### Step 5: Save and Generate PDF
-
-**IMPORTANT: Write the JSON using the Write tool, NOT bash heredoc.**
-
-1. **Create the output directory first:**
+## Step 4: Generate Report
+After all agents complete, run this command using Bash:
 ```bash
-mkdir -p .coverme
+coverme-merge .coverme && coverme .coverme/scan.json security-report.pdf && open security-report.pdf
 ```
 
-2. **Use the Write tool to save `.coverme/scan.json`** with ALL findings from the agents.
-   Include everything: all codeEvidence, exploitability, blastRadius, businessImpact.
-   The more detail, the better the report.
-
-3. **Generate the PDF:**
-```bash
-coverme .coverme/scan.json security-assessment-$(date +%Y-%m-%d).pdf && open security-assessment-$(date +%Y-%m-%d).pdf
-```
-
-**IMPORTANT:** You MUST run this command to generate and open the PDF. Do not skip this step.
-
-### Quality Checklist
-
-Before generating the PDF, verify:
-- [ ] Every CRITICAL/HIGH finding has codeEvidence with actual code
-- [ ] Every CRITICAL/HIGH finding has exploitability assessment
-- [ ] Every CRITICAL/HIGH finding has blastRadius defined
-- [ ] At least 2 attack chains are documented
-- [ ] Top priorities match the most impactful attack chains
-- [ ] Proof of concepts are safe and non-destructive
-- [ ] CWE IDs are accurate for vulnerability types
-- [ ] Compliance violations are specific (e.g., "PCI-DSS 6.5.1" not just "PCI-DSS")
-
-### Output
-
-The final deliverable is:
-1. `.coverme/scan.json` - Enhanced findings data with attack chains
-2. `security-assessment-YYYY-MM-DD.pdf` - Professional PDF report (auto-opened)
-
----
-
-Now begin the security assessment. Launch all 7 agents in parallel.
-
-**CRITICAL REMINDER:** After completing the scan and saving scan.json, you MUST run the PDF generation command in Step 5. The assessment is NOT complete until the PDF is generated and opened.
+## IMPORTANT INSTRUCTIONS
+- Execute ALL steps automatically - do not ask for confirmation
+- Launch all 7 agents in PARALLEL (single message with 7 Task tool calls)
+- Wait for ALL agents to complete before running the final command
+- The PDF will open automatically when done

package/package.json

@@ -1,10 +1,11 @@
 {
   "name": "coverme-security-scanner",
-  "version": "3.6.0",
+  "version": "3.7.1",
   "description": "AI-powered security assessment reports with beautiful PDF output",
   "type": "module",
   "bin": {
     "coverme": "./bin/coverme.js",
+    "coverme-merge": "./bin/merge-reports.js",
     "coverme-install": "./bin/install-command.js"
   },
   "main": "./dist/index.js",