npm - coverme-security-scanner - Versions diffs - 3.7.1 → 3.7.3 - Mend

coverme-security-scanner 3.7.1 → 3.7.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/commands/coverme.md +9 -36
package/package.json +1 -1

package/commands/coverme.md CHANGED Viewed

@@ -1,48 +1,21 @@
-# Security Assessment - Automated Scan
+# Security Assessment
-Run a comprehensive security assessment on this codebase. Execute ALL steps automatically without asking for confirmation.
+Run a security scan and generate a PDF report. Execute automatically without asking questions.
 ## Step 1: Setup
-Run this command using Bash:
 ```bash
 mkdir -p .coverme
 ```
-## Step 2: Launch 7 Security Agents in Parallel
-Launch ALL 7 agents simultaneously using the Task tool with subagent_type="general-purpose". Do NOT wait between launches - send all 7 in a single response.
+## Step 2: Run Security Scan
+Use ONE Task agent with subagent_type="general-purpose" to perform the full security assessment:
-**Agent 1 - Executive Summary:**
-Analyze this codebase architecture and security posture. Identify tech stack, components, trust boundaries. Write findings to .coverme/partial-01-executive.json as valid JSON with fields: project (string), date (YYYY-MM-DD), executiveSummary (string), architecture (object with overview string, components array of {name, technology, description}, trustBoundaries array of {id, boundary, trustLevel, description}), topPriorities array of {finding, severity, action}.
+prompt: "Perform a comprehensive security assessment of this codebase. Analyze: 1) Architecture and tech stack 2) API endpoints and attack surface 3) Security vulnerabilities (secrets, injection, XSS, auth issues) 4) Infrastructure (Docker, CI/CD, dependencies). When done, use the Write tool to create .coverme/scan.json with this structure: {\"project\":\"<name>\",\"date\":\"2026-02-19\",\"executiveSummary\":\"<summary>\",\"summary\":{\"critical\":0,\"high\":0,\"medium\":0,\"low\":0,\"total\":0},\"overallRiskLevel\":\"low|medium|high|critical\",\"findings\":[{\"id\":\"VULN-01\",\"title\":\"\",\"severity\":\"critical|high|medium|low\",\"file\":\"\",\"line\":0,\"issue\":\"\",\"why\":\"\",\"fix\":\"\",\"cwe\":\"\"}],\"architecture\":{\"overview\":\"\",\"components\":[]},\"positiveObservations\":[{\"title\":\"\",\"description\":\"\"}]}"
-**Agent 2 - Attack Surface:**
-Map all API endpoints, entry points, unauthenticated routes, admin interfaces. Write to .coverme/partial-02-surface.json as valid JSON with: network (object with diagram string, ports array, externalDeps array of {service, endpoint, auth, risk}), findings array.
+## Step 3: Wait for agent to complete
+Use AgentOutputTool to wait for the agent.
-**Agent 3 - Vulnerability Hunter:**
-Hunt for security vulnerabilities: hardcoded secrets, SQL injection, XSS, command injection, auth bypass. Include actual code snippets. Write to .coverme/partial-03-vulns.json as valid JSON with findings array containing: id, title, severity (critical/high/medium/low/info), file, line, issue, why, fix, cwe, codeEvidence array of {file, startLine, endLine, code, annotation}, proofOfConcept.
-**Agent 4 - Attack Chains:**
-Identify how vulnerabilities combine for greater impact. Map attack scenarios. Write to .coverme/partial-04-chains.json as valid JSON with: attackChains array of {id, name, description, likelihood, impact, steps array of {order, findingId, action, outcome}, mitigationStrategy}, riskMatrix array of {category, currentRisk, residualRisk, trend}.
-**Agent 5 - Business Logic:**
-Find business logic flaws: race conditions, workflow bypass, privilege escalation. Write to .coverme/partial-05-business.json as valid JSON with: findings array, threatModel array of {id, severity, dread, status, finding}.
-**Agent 6 - Infrastructure:**
-Check Docker, K8s, CI/CD, secrets management, dependencies. Write to .coverme/partial-06-infra.json as valid JSON with: findings array, qualityReview object with deadCode/dryViolations/deprecated arrays.
-**Agent 7 - Compliance:**
-Map findings to SOC2, PCI-DSS, GDPR. Identify positive practices. Write to .coverme/partial-07-compliance.json as valid JSON with: complianceMapping array of {framework, controls array}, remediation object with p0/p1/p2/p3 arrays of {action, finding, owner}, positiveObservations array of {title, description}, privacyAnalysis array.
-## Step 3: Wait for All Agents
-After launching all 7 agents, wait for them to complete using AgentOutputTool.
-## Step 4: Generate Report
-After all agents complete, run this command using Bash:
+## Step 4: Generate PDF
 ```bash
-coverme-merge .coverme && coverme .coverme/scan.json security-report.pdf && open security-report.pdf
+coverme .coverme/scan.json security-report.pdf && open security-report.pdf
 ```
-## IMPORTANT INSTRUCTIONS
-- Execute ALL steps automatically - do not ask for confirmation
-- Launch all 7 agents in PARALLEL (single message with 7 Task tool calls)
-- Wait for ALL agents to complete before running the final command
-- The PDF will open automatically when done

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "coverme-security-scanner",
-  "version": "3.7.1",
+  "version": "3.7.3",
   "description": "AI-powered security assessment reports with beautiful PDF output",
   "type": "module",
   "bin": {