npm - coverme-security-scanner - Versions diffs - 3.7.0 → 3.7.1 - Mend

coverme-security-scanner 3.7.0 → 3.7.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/bin/merge-reports.js CHANGED Viewed

@@ -226,6 +226,6 @@ if (args.length < 1) {
 }
 const inputDir = args[0];
-const outputFile = args[1] || 'scan.json';
+const outputFile = args[1] || join(inputDir, 'scan.json');
 mergeReports(inputDir, outputFile);

package/commands/coverme.md CHANGED Viewed

@@ -1,223 +1,48 @@
-# Security Assessment Generator v3
+# Security Assessment - Automated Scan
-Run a comprehensive security assessment on this codebase and generate a professional PDF report with deep analysis.
-## Instructions
-You are a senior security architect and penetration tester performing a pre-production security audit. Run 7 parallel security agents to analyze this codebase comprehensively.
-### Step 0: Setup (Run First!)
-Before starting the scan, create the output directory:
+Run a comprehensive security assessment on this codebase. Execute ALL steps automatically without asking for confirmation.
+## Step 1: Setup
+Run this command using Bash:
 ```bash
 mkdir -p .coverme
 ```
-### Step 1: Launch Parallel Agents
-Launch these 7 agents simultaneously using the Task tool. **IMPORTANT: Each agent must write its own partial JSON file immediately when done.**
-1. **Executive Summary Agent** (subagent_type: Explore)
-   - Understand what the system does
-   - Identify the tech stack and architecture
-   - Map trust boundaries and critical assets
-   - Determine overall risk level
-   - **When done: Write findings to `.coverme/partial-01-executive.json`**
-2. **Attack Surface Agent** (subagent_type: Explore)
-   - Map all entry points (APIs, webhooks, file uploads, CLI args)
-   - Identify unauthenticated endpoints
-   - Find admin/debug interfaces
-   - Document external dependencies and their trust level
-   - **When done: Write findings to `.coverme/partial-02-attack-surface.json`**
-3. **Vulnerability Hunter Agent** (subagent_type: Explore)
-   - OWASP Top 10 deep dive with CODE EVIDENCE
-   - For each finding: extract the EXACT vulnerable code snippet
-   - Authentication/authorization bypass paths
-   - Injection vulnerabilities (SQL, command, XSS, SSTI)
-   - Secrets in code, hardcoded credentials (show exact lines)
-   - **When done: Write findings to `.coverme/partial-03-vulnerabilities.json`**
-4. **Attack Chain Analyst Agent** (subagent_type: Explore)
-   - Identify how vulnerabilities COMBINE for greater impact
-   - Map realistic attack scenarios (entry -> pivot -> objective)
-   - Calculate blast radius for each chain
-   - **When done: Write findings to `.coverme/partial-04-attack-chains.json`**
-5. **Business Logic Agent** (subagent_type: Explore)
-   - Race conditions in critical flows (payments, credits, locks)
-   - Workflow bypass opportunities (skip steps, replay)
-   - Credit/billing manipulation vectors
-   - Privilege escalation paths
-   - **When done: Write findings to `.coverme/partial-05-business-logic.json`**
-6. **Infrastructure Agent** (subagent_type: Explore)
-   - Docker/Kubernetes security (securityContext, network policies)
-   - CI/CD pipeline security gates (or lack thereof)
-   - Secrets management (env vars, mounted secrets, hardcoded)
-   - Dependency vulnerabilities (npm audit, CVEs)
-   - **When done: Write findings to `.coverme/partial-06-infrastructure.json`**
-7. **Compliance & Impact Agent** (subagent_type: Explore)
-   - Map findings to compliance frameworks (SOC2, PCI-DSS, GDPR)
-   - Calculate business impact for each critical finding
-   - Estimate financial exposure ranges
-   - **When done: Write findings to `.coverme/partial-07-compliance.json`**
-### Agent Output Format
-Each agent should write a partial JSON with this structure (include only relevant fields):
-```json
-{
-  "project": "Project Name",
-  "date": "YYYY-MM-DD",
-  "branch": "branch-name",
-  "scope": "X files, ~Y lines",
-  "executiveSummary": "Summary paragraph...",
-  "topPriorities": [
-    { "finding": "Description", "severity": "critical", "action": "Action needed" }
-  ],
-  "architecture": {
-    "overview": "System description...",
-    "components": [
-      { "name": "Component", "technology": "Tech", "description": "Purpose" }
-    ],
-    "trustBoundaries": [
-      { "id": "TB-01", "boundary": "Name", "trustLevel": "untrusted", "description": "..." }
-    ]
-  },
-  "network": {
-    "diagram": "ASCII diagram...",
-    "ports": [
-      { "port": 443, "protocol": "HTTPS", "component": "API", "binding": "0.0.0.0", "purpose": "Public API" }
-    ]
-  },
+## Step 2: Launch 7 Security Agents in Parallel
+Launch ALL 7 agents simultaneously using the Task tool with subagent_type="general-purpose". Do NOT wait between launches - send all 7 in a single response.
-  "findings": [
-    {
-      "id": "CRIT-01",
-      "title": "Finding title",
-      "severity": "critical",
-      "file": "path/to/file.js",
-      "line": 123,
-      "issue": "What we found...",
-      "why": "Why it matters...",
-      "fix": "How to fix...",
-      "status": "open",
-      "dreadScore": 8.5,
-      "cwe": "CWE-89",
-      "codeEvidence": [{
-        "file": "src/file.js",
-        "startLine": 45,
-        "endLine": 50,
-        "code": "vulnerable code here",
-        "annotation": "Explanation"
-      }],
-      "proofOfConcept": "curl command or steps",
-      "relatedFindings": ["HIGH-02"]
-    }
-  ],
+**Agent 1 - Executive Summary:**
+Analyze this codebase architecture and security posture. Identify tech stack, components, trust boundaries. Write findings to .coverme/partial-01-executive.json as valid JSON with fields: project (string), date (YYYY-MM-DD), executiveSummary (string), architecture (object with overview string, components array of {name, technology, description}, trustBoundaries array of {id, boundary, trustLevel, description}), topPriorities array of {finding, severity, action}.
-  "attackChains": [
-    {
-      "id": "AC-01",
-      "name": "Chain name",
-      "description": "How vulnerabilities combine",
-      "likelihood": "high",
-      "impact": "critical",
-      "steps": [
-        { "order": 1, "findingId": "CRIT-01", "action": "What attacker does", "outcome": "Result" }
-      ],
-      "mitigationStrategy": "How to break the chain"
-    }
-  ],
+**Agent 2 - Attack Surface:**
+Map all API endpoints, entry points, unauthenticated routes, admin interfaces. Write to .coverme/partial-02-surface.json as valid JSON with: network (object with diagram string, ports array, externalDeps array of {service, endpoint, auth, risk}), findings array.
-  "riskMatrix": [
-    { "category": "Authentication", "currentRisk": "high", "residualRisk": "low", "trend": "stable" }
-  ],
+**Agent 3 - Vulnerability Hunter:**
+Hunt for security vulnerabilities: hardcoded secrets, SQL injection, XSS, command injection, auth bypass. Include actual code snippets. Write to .coverme/partial-03-vulns.json as valid JSON with findings array containing: id, title, severity (critical/high/medium/low/info), file, line, issue, why, fix, cwe, codeEvidence array of {file, startLine, endLine, code, annotation}, proofOfConcept.
-  "threatModel": [
-    { "id": "T-01", "severity": "high", "dread": 6.5, "status": "open", "finding": "Description" }
-  ],
+**Agent 4 - Attack Chains:**
+Identify how vulnerabilities combine for greater impact. Map attack scenarios. Write to .coverme/partial-04-chains.json as valid JSON with: attackChains array of {id, name, description, likelihood, impact, steps array of {order, findingId, action, outcome}, mitigationStrategy}, riskMatrix array of {category, currentRisk, residualRisk, trend}.
-  "positiveObservations": [
-    { "title": "Good Practice", "description": "What they did right..." }
-  ],
+**Agent 5 - Business Logic:**
+Find business logic flaws: race conditions, workflow bypass, privilege escalation. Write to .coverme/partial-05-business.json as valid JSON with: findings array, threatModel array of {id, severity, dread, status, finding}.
-  "complianceMapping": [
-    {
-      "framework": "SOC2",
-      "controls": [
-        { "controlId": "CC6.1", "name": "Logical Access", "status": "partial", "relatedFindings": ["HIGH-02"] }
-      ]
-    }
-  ],
+**Agent 6 - Infrastructure:**
+Check Docker, K8s, CI/CD, secrets management, dependencies. Write to .coverme/partial-06-infra.json as valid JSON with: findings array, qualityReview object with deadCode/dryViolations/deprecated arrays.
-  "remediation": {
-    "p0": [{ "action": "Do this NOW", "finding": "CRIT-01", "owner": "Security" }],
-    "p1": [{ "action": "Do this week", "finding": "HIGH-01", "owner": "Backend" }]
-  },
+**Agent 7 - Compliance:**
+Map findings to SOC2, PCI-DSS, GDPR. Identify positive practices. Write to .coverme/partial-07-compliance.json as valid JSON with: complianceMapping array of {framework, controls array}, remediation object with p0/p1/p2/p3 arrays of {action, finding, owner}, positiveObservations array of {title, description}, privacyAnalysis array.
-  "qualityReview": {
-    "deadCode": [{ "type": "dead-code", "action": "DELETE", "file": "path", "description": "..." }],
-    "dryViolations": [{ "type": "dry-violation", "action": "MERGE", "file": "path", "description": "..." }]
-  },
-  "privacyAnalysis": [
-    { "category": "Linkability", "risk": "medium", "description": "...", "mitigation": "..." }
-  ]
-}
-```
-### Step 2: Wait for All Agents and Verify
-After launching all agents, wait for them to complete. Then verify all partial files exist:
+## Step 3: Wait for All Agents
+After launching all 7 agents, wait for them to complete using AgentOutputTool.
+## Step 4: Generate Report
+After all agents complete, run this command using Bash:
 ```bash
-ls -la .coverme/partial-*.json
+coverme-merge .coverme && coverme .coverme/scan.json security-report.pdf && open security-report.pdf
 ```
-You should see 7 files (partial-01 through partial-07).
-### Step 3: Merge and Generate PDF
-Once all 7 partial files are written, merge them and generate the PDF:
-```bash
-coverme-merge .coverme && coverme .coverme/scan.json security-assessment-$(date +%Y-%m-%d).pdf && open security-assessment-$(date +%Y-%m-%d).pdf
-```
-This command:
-1. Merges all partial-*.json files into scan.json
-2. Generates the PDF report
-3. Opens it automatically
-### Quality Checklist
-Before generating the PDF, verify:
-- [ ] All 7 partial JSON files exist in .coverme/
-- [ ] Every CRITICAL/HIGH finding has codeEvidence with actual code
-- [ ] At least 2 attack chains are documented
-- [ ] CWE IDs are accurate for vulnerability types
-### Output
-The final deliverables are:
-1. `.coverme/partial-*.json` - Individual agent reports
-2. `.coverme/scan.json` - Merged comprehensive report
-3. `security-assessment-YYYY-MM-DD.pdf` - Professional PDF report
----
-Now begin the security assessment:
-1. Run `mkdir -p .coverme`
-2. Launch all 7 agents in parallel
-3. Each agent writes its own partial JSON when done
-4. After all complete, run the merge and PDF generation command
+## IMPORTANT INSTRUCTIONS
+- Execute ALL steps automatically - do not ask for confirmation
+- Launch all 7 agents in PARALLEL (single message with 7 Task tool calls)
+- Wait for ALL agents to complete before running the final command
+- The PDF will open automatically when done

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "coverme-security-scanner",
-  "version": "3.7.0",
+  "version": "3.7.1",
   "description": "AI-powered security assessment reports with beautiful PDF output",
   "type": "module",
   "bin": {