npm - coverme-security-scanner - Versions diffs - 3.7.0 → 3.7.2 - Mend

coverme-security-scanner 3.7.0 → 3.7.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/bin/merge-reports.js CHANGED Viewed

@@ -226,6 +226,6 @@ if (args.length < 1) {
 }
 const inputDir = args[0];
-const outputFile = args[1] || 'scan.json';
+const outputFile = args[1] || join(inputDir, 'scan.json');
 mergeReports(inputDir, outputFile);

package/commands/coverme.md CHANGED Viewed

@@ -1,223 +1,36 @@
-# Security Assessment Generator v3
+# Security Assessment
-Run a comprehensive security assessment on this codebase and generate a professional PDF report with deep analysis.
-## Instructions
-You are a senior security architect and penetration tester performing a pre-production security audit. Run 7 parallel security agents to analyze this codebase comprehensively.
-### Step 0: Setup (Run First!)
-Before starting the scan, create the output directory:
+You MUST follow these steps exactly. Do NOT deviate. Do NOT ask questions. Execute automatically.
+## Step 1: Create directory
 ```bash
 mkdir -p .coverme
 ```
-### Step 1: Launch Parallel Agents
-Launch these 7 agents simultaneously using the Task tool. **IMPORTANT: Each agent must write its own partial JSON file immediately when done.**
-1. **Executive Summary Agent** (subagent_type: Explore)
-   - Understand what the system does
-   - Identify the tech stack and architecture
-   - Map trust boundaries and critical assets
-   - Determine overall risk level
-   - **When done: Write findings to `.coverme/partial-01-executive.json`**
-2. **Attack Surface Agent** (subagent_type: Explore)
-   - Map all entry points (APIs, webhooks, file uploads, CLI args)
-   - Identify unauthenticated endpoints
-   - Find admin/debug interfaces
-   - Document external dependencies and their trust level
-   - **When done: Write findings to `.coverme/partial-02-attack-surface.json`**
-3. **Vulnerability Hunter Agent** (subagent_type: Explore)
-   - OWASP Top 10 deep dive with CODE EVIDENCE
-   - For each finding: extract the EXACT vulnerable code snippet
-   - Authentication/authorization bypass paths
-   - Injection vulnerabilities (SQL, command, XSS, SSTI)
-   - Secrets in code, hardcoded credentials (show exact lines)
-   - **When done: Write findings to `.coverme/partial-03-vulnerabilities.json`**
-4. **Attack Chain Analyst Agent** (subagent_type: Explore)
-   - Identify how vulnerabilities COMBINE for greater impact
-   - Map realistic attack scenarios (entry -> pivot -> objective)
-   - Calculate blast radius for each chain
-   - **When done: Write findings to `.coverme/partial-04-attack-chains.json`**
-5. **Business Logic Agent** (subagent_type: Explore)
-   - Race conditions in critical flows (payments, credits, locks)
-   - Workflow bypass opportunities (skip steps, replay)
-   - Credit/billing manipulation vectors
-   - Privilege escalation paths
-   - **When done: Write findings to `.coverme/partial-05-business-logic.json`**
-6. **Infrastructure Agent** (subagent_type: Explore)
-   - Docker/Kubernetes security (securityContext, network policies)
-   - CI/CD pipeline security gates (or lack thereof)
-   - Secrets management (env vars, mounted secrets, hardcoded)
-   - Dependency vulnerabilities (npm audit, CVEs)
-   - **When done: Write findings to `.coverme/partial-06-infrastructure.json`**
-7. **Compliance & Impact Agent** (subagent_type: Explore)
-   - Map findings to compliance frameworks (SOC2, PCI-DSS, GDPR)
-   - Calculate business impact for each critical finding
-   - Estimate financial exposure ranges
-   - **When done: Write findings to `.coverme/partial-07-compliance.json`**
-### Agent Output Format
-Each agent should write a partial JSON with this structure (include only relevant fields):
-```json
-{
-  "project": "Project Name",
-  "date": "YYYY-MM-DD",
-  "branch": "branch-name",
-  "scope": "X files, ~Y lines",
-  "executiveSummary": "Summary paragraph...",
-  "topPriorities": [
-    { "finding": "Description", "severity": "critical", "action": "Action needed" }
-  ],
-  "architecture": {
-    "overview": "System description...",
-    "components": [
-      { "name": "Component", "technology": "Tech", "description": "Purpose" }
-    ],
-    "trustBoundaries": [
-      { "id": "TB-01", "boundary": "Name", "trustLevel": "untrusted", "description": "..." }
-    ]
-  },
+## Step 2: Launch 7 agents IN PARALLEL
-  "network": {
-    "diagram": "ASCII diagram...",
-    "ports": [
-      { "port": 443, "protocol": "HTTPS", "component": "API", "binding": "0.0.0.0", "purpose": "Public API" }
-    ]
-  },
+You MUST use the Task tool 7 times in a SINGLE message. Each Task MUST have subagent_type="general-purpose" (NOT Explore).
-  "findings": [
-    {
-      "id": "CRIT-01",
-      "title": "Finding title",
-      "severity": "critical",
-      "file": "path/to/file.js",
-      "line": 123,
-      "issue": "What we found...",
-      "why": "Why it matters...",
-      "fix": "How to fix...",
-      "status": "open",
-      "dreadScore": 8.5,
-      "cwe": "CWE-89",
-      "codeEvidence": [{
-        "file": "src/file.js",
-        "startLine": 45,
-        "endLine": 50,
-        "code": "vulnerable code here",
-        "annotation": "Explanation"
-      }],
-      "proofOfConcept": "curl command or steps",
-      "relatedFindings": ["HIGH-02"]
-    }
-  ],
+Task 1: description="Security Executive", subagent_type="general-purpose", prompt="Analyze codebase architecture and security posture. Then use the Write tool to create .coverme/partial-01-executive.json with this exact structure: {\"project\":\"<name>\",\"date\":\"2026-02-19\",\"executiveSummary\":\"<summary>\",\"architecture\":{\"overview\":\"<text>\",\"components\":[{\"name\":\"\",\"technology\":\"\",\"description\":\"\"}],\"trustBoundaries\":[{\"id\":\"\",\"boundary\":\"\",\"trustLevel\":\"\",\"description\":\"\"}]},\"topPriorities\":[{\"finding\":\"\",\"severity\":\"\",\"action\":\"\"}]}"
-  "attackChains": [
-    {
-      "id": "AC-01",
-      "name": "Chain name",
-      "description": "How vulnerabilities combine",
-      "likelihood": "high",
-      "impact": "critical",
-      "steps": [
-        { "order": 1, "findingId": "CRIT-01", "action": "What attacker does", "outcome": "Result" }
-      ],
-      "mitigationStrategy": "How to break the chain"
-    }
-  ],
+Task 2: description="Attack Surface", subagent_type="general-purpose", prompt="Map API endpoints and entry points. Then use the Write tool to create .coverme/partial-02-surface.json with: {\"network\":{\"diagram\":\"\",\"ports\":[],\"externalDeps\":[]},\"findings\":[]}"
-  "riskMatrix": [
-    { "category": "Authentication", "currentRisk": "high", "residualRisk": "low", "trend": "stable" }
-  ],
+Task 3: description="Vulnerability Scan", subagent_type="general-purpose", prompt="Find security vulnerabilities with code evidence. Then use the Write tool to create .coverme/partial-03-vulns.json with: {\"findings\":[{\"id\":\"\",\"title\":\"\",\"severity\":\"\",\"file\":\"\",\"line\":0,\"issue\":\"\",\"why\":\"\",\"fix\":\"\",\"cwe\":\"\",\"codeEvidence\":[],\"proofOfConcept\":\"\"}]}"
-  "threatModel": [
-    { "id": "T-01", "severity": "high", "dread": 6.5, "status": "open", "finding": "Description" }
-  ],
+Task 4: description="Attack Chains", subagent_type="general-purpose", prompt="Identify attack chains. Then use the Write tool to create .coverme/partial-04-chains.json with: {\"attackChains\":[{\"id\":\"\",\"name\":\"\",\"description\":\"\",\"likelihood\":\"\",\"impact\":\"\",\"steps\":[],\"mitigationStrategy\":\"\"}],\"riskMatrix\":[]}"
-  "positiveObservations": [
-    { "title": "Good Practice", "description": "What they did right..." }
-  ],
+Task 5: description="Business Logic", subagent_type="general-purpose", prompt="Find business logic flaws. Then use the Write tool to create .coverme/partial-05-business.json with: {\"findings\":[],\"threatModel\":[]}"
-  "complianceMapping": [
-    {
-      "framework": "SOC2",
-      "controls": [
-        { "controlId": "CC6.1", "name": "Logical Access", "status": "partial", "relatedFindings": ["HIGH-02"] }
-      ]
-    }
-  ],
+Task 6: description="Infrastructure", subagent_type="general-purpose", prompt="Check Docker, CI/CD, dependencies. Then use the Write tool to create .coverme/partial-06-infra.json with: {\"findings\":[],\"qualityReview\":{}}"
-  "remediation": {
-    "p0": [{ "action": "Do this NOW", "finding": "CRIT-01", "owner": "Security" }],
-    "p1": [{ "action": "Do this week", "finding": "HIGH-01", "owner": "Backend" }]
-  },
+Task 7: description="Compliance", subagent_type="general-purpose", prompt="Map to compliance frameworks. Then use the Write tool to create .coverme/partial-07-compliance.json with: {\"complianceMapping\":[],\"remediation\":{\"p0\":[],\"p1\":[],\"p2\":[],\"p3\":[]},\"positiveObservations\":[],\"privacyAnalysis\":[]}"
-  "qualityReview": {
-    "deadCode": [{ "type": "dead-code", "action": "DELETE", "file": "path", "description": "..." }],
-    "dryViolations": [{ "type": "dry-violation", "action": "MERGE", "file": "path", "description": "..." }]
-  },
-  "privacyAnalysis": [
-    { "category": "Linkability", "risk": "medium", "description": "...", "mitigation": "..." }
-  ]
-}
-```
-### Step 2: Wait for All Agents and Verify
-After launching all agents, wait for them to complete. Then verify all partial files exist:
+## Step 3: Wait for agents
+Use AgentOutputTool to wait for all 7 agents to complete.
+## Step 4: Generate PDF
 ```bash
-ls -la .coverme/partial-*.json
+coverme-merge .coverme && coverme .coverme/scan.json security-report.pdf && open security-report.pdf
 ```
-You should see 7 files (partial-01 through partial-07).
-### Step 3: Merge and Generate PDF
-Once all 7 partial files are written, merge them and generate the PDF:
-```bash
-coverme-merge .coverme && coverme .coverme/scan.json security-assessment-$(date +%Y-%m-%d).pdf && open security-assessment-$(date +%Y-%m-%d).pdf
-```
-This command:
-1. Merges all partial-*.json files into scan.json
-2. Generates the PDF report
-3. Opens it automatically
-### Quality Checklist
-Before generating the PDF, verify:
-- [ ] All 7 partial JSON files exist in .coverme/
-- [ ] Every CRITICAL/HIGH finding has codeEvidence with actual code
-- [ ] At least 2 attack chains are documented
-- [ ] CWE IDs are accurate for vulnerability types
-### Output
-The final deliverables are:
-1. `.coverme/partial-*.json` - Individual agent reports
-2. `.coverme/scan.json` - Merged comprehensive report
-3. `security-assessment-YYYY-MM-DD.pdf` - Professional PDF report
----
-Now begin the security assessment:
-1. Run `mkdir -p .coverme`
-2. Launch all 7 agents in parallel
-3. Each agent writes its own partial JSON when done
-4. After all complete, run the merge and PDF generation command
+CRITICAL: Use subagent_type="general-purpose" for ALL agents. They MUST write JSON files using the Write tool.

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "coverme-security-scanner",
-  "version": "3.7.0",
+  "version": "3.7.2",
   "description": "AI-powered security assessment reports with beautiful PDF output",
   "type": "module",
   "bin": {