coverme-security-scanner 3.7.1 → 3.7.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2) hide show
  1. package/commands/coverme.md +17 -29
  2. package/package.json +1 -1
package/commands/coverme.md CHANGED
@@ -1,48 +1,36 @@
1
- # Security Assessment - Automated Scan
1
+ # Security Assessment
2
2
 
3
- Run a comprehensive security assessment on this codebase. Execute ALL steps automatically without asking for confirmation.
3
+ You MUST follow these steps exactly. Do NOT deviate. Do NOT ask questions. Execute automatically.
4
4
 
5
- ## Step 1: Setup
6
- Run this command using Bash:
5
+ ## Step 1: Create directory
7
6
  ```bash
8
7
  mkdir -p .coverme
9
8
  ```
10
9
 
11
- ## Step 2: Launch 7 Security Agents in Parallel
12
- Launch ALL 7 agents simultaneously using the Task tool with subagent_type="general-purpose". Do NOT wait between launches - send all 7 in a single response.
10
+ ## Step 2: Launch 7 agents IN PARALLEL
13
11
 
14
- **Agent 1 - Executive Summary:**
15
- Analyze this codebase architecture and security posture. Identify tech stack, components, trust boundaries. Write findings to .coverme/partial-01-executive.json as valid JSON with fields: project (string), date (YYYY-MM-DD), executiveSummary (string), architecture (object with overview string, components array of {name, technology, description}, trustBoundaries array of {id, boundary, trustLevel, description}), topPriorities array of {finding, severity, action}.
12
+ You MUST use the Task tool 7 times in a SINGLE message. Each Task MUST have subagent_type="general-purpose" (NOT Explore).
16
13
 
17
- **Agent 2 - Attack Surface:**
18
- Map all API endpoints, entry points, unauthenticated routes, admin interfaces. Write to .coverme/partial-02-surface.json as valid JSON with: network (object with diagram string, ports array, externalDeps array of {service, endpoint, auth, risk}), findings array.
14
+ Task 1: description="Security Executive", subagent_type="general-purpose", prompt="Analyze codebase architecture and security posture. Then use the Write tool to create .coverme/partial-01-executive.json with this exact structure: {\"project\":\"<name>\",\"date\":\"2026-02-19\",\"executiveSummary\":\"<summary>\",\"architecture\":{\"overview\":\"<text>\",\"components\":[{\"name\":\"\",\"technology\":\"\",\"description\":\"\"}],\"trustBoundaries\":[{\"id\":\"\",\"boundary\":\"\",\"trustLevel\":\"\",\"description\":\"\"}]},\"topPriorities\":[{\"finding\":\"\",\"severity\":\"\",\"action\":\"\"}]}"
19
15
 
20
- **Agent 3 - Vulnerability Hunter:**
21
- Hunt for security vulnerabilities: hardcoded secrets, SQL injection, XSS, command injection, auth bypass. Include actual code snippets. Write to .coverme/partial-03-vulns.json as valid JSON with findings array containing: id, title, severity (critical/high/medium/low/info), file, line, issue, why, fix, cwe, codeEvidence array of {file, startLine, endLine, code, annotation}, proofOfConcept.
16
+ Task 2: description="Attack Surface", subagent_type="general-purpose", prompt="Map API endpoints and entry points. Then use the Write tool to create .coverme/partial-02-surface.json with: {\"network\":{\"diagram\":\"\",\"ports\":[],\"externalDeps\":[]},\"findings\":[]}"
22
17
 
23
- **Agent 4 - Attack Chains:**
24
- Identify how vulnerabilities combine for greater impact. Map attack scenarios. Write to .coverme/partial-04-chains.json as valid JSON with: attackChains array of {id, name, description, likelihood, impact, steps array of {order, findingId, action, outcome}, mitigationStrategy}, riskMatrix array of {category, currentRisk, residualRisk, trend}.
18
+ Task 3: description="Vulnerability Scan", subagent_type="general-purpose", prompt="Find security vulnerabilities with code evidence. Then use the Write tool to create .coverme/partial-03-vulns.json with: {\"findings\":[{\"id\":\"\",\"title\":\"\",\"severity\":\"\",\"file\":\"\",\"line\":0,\"issue\":\"\",\"why\":\"\",\"fix\":\"\",\"cwe\":\"\",\"codeEvidence\":[],\"proofOfConcept\":\"\"}]}"
25
19
 
26
- **Agent 5 - Business Logic:**
27
- Find business logic flaws: race conditions, workflow bypass, privilege escalation. Write to .coverme/partial-05-business.json as valid JSON with: findings array, threatModel array of {id, severity, dread, status, finding}.
20
+ Task 4: description="Attack Chains", subagent_type="general-purpose", prompt="Identify attack chains. Then use the Write tool to create .coverme/partial-04-chains.json with: {\"attackChains\":[{\"id\":\"\",\"name\":\"\",\"description\":\"\",\"likelihood\":\"\",\"impact\":\"\",\"steps\":[],\"mitigationStrategy\":\"\"}],\"riskMatrix\":[]}"
28
21
 
29
- **Agent 6 - Infrastructure:**
30
- Check Docker, K8s, CI/CD, secrets management, dependencies. Write to .coverme/partial-06-infra.json as valid JSON with: findings array, qualityReview object with deadCode/dryViolations/deprecated arrays.
22
+ Task 5: description="Business Logic", subagent_type="general-purpose", prompt="Find business logic flaws. Then use the Write tool to create .coverme/partial-05-business.json with: {\"findings\":[],\"threatModel\":[]}"
31
23
 
32
- **Agent 7 - Compliance:**
33
- Map findings to SOC2, PCI-DSS, GDPR. Identify positive practices. Write to .coverme/partial-07-compliance.json as valid JSON with: complianceMapping array of {framework, controls array}, remediation object with p0/p1/p2/p3 arrays of {action, finding, owner}, positiveObservations array of {title, description}, privacyAnalysis array.
24
+ Task 6: description="Infrastructure", subagent_type="general-purpose", prompt="Check Docker, CI/CD, dependencies. Then use the Write tool to create .coverme/partial-06-infra.json with: {\"findings\":[],\"qualityReview\":{}}"
34
25
 
35
- ## Step 3: Wait for All Agents
36
- After launching all 7 agents, wait for them to complete using AgentOutputTool.
26
+ Task 7: description="Compliance", subagent_type="general-purpose", prompt="Map to compliance frameworks. Then use the Write tool to create .coverme/partial-07-compliance.json with: {\"complianceMapping\":[],\"remediation\":{\"p0\":[],\"p1\":[],\"p2\":[],\"p3\":[]},\"positiveObservations\":[],\"privacyAnalysis\":[]}"
37
27
 
38
- ## Step 4: Generate Report
39
- After all agents complete, run this command using Bash:
28
+ ## Step 3: Wait for agents
29
+ Use AgentOutputTool to wait for all 7 agents to complete.
30
+
31
+ ## Step 4: Generate PDF
40
32
  ```bash
41
33
  coverme-merge .coverme && coverme .coverme/scan.json security-report.pdf && open security-report.pdf
42
34
  ```
43
35
 
44
- ## IMPORTANT INSTRUCTIONS
45
- - Execute ALL steps automatically - do not ask for confirmation
46
- - Launch all 7 agents in PARALLEL (single message with 7 Task tool calls)
47
- - Wait for ALL agents to complete before running the final command
48
- - The PDF will open automatically when done
36
+ CRITICAL: Use subagent_type="general-purpose" for ALL agents. They MUST write JSON files using the Write tool.
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "coverme-security-scanner",
3
- "version": "3.7.1",
3
+ "version": "3.7.2",
4
4
  "description": "AI-powered security assessment reports with beautiful PDF output",
5
5
  "type": "module",
6
6
  "bin": {