npm - guardvibe - Versions diffs - 0.4.0 → 0.5.0 - Mend

guardvibe 0.4.0 → 0.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (54) hide show

package/README.md +35 -14
package/build/cli.js +1 -1
package/build/data/framework-guides.d.ts.map +1 -1
package/build/data/framework-guides.js +289 -0
package/build/data/framework-guides.js.map +1 -1
package/build/data/rules/cicd.d.ts +3 -0
package/build/data/rules/cicd.d.ts.map +1 -0
package/build/data/rules/cicd.js +47 -0
package/build/data/rules/cicd.js.map +1 -0
package/build/data/rules/core.d.ts.map +1 -1
package/build/data/rules/core.js +26 -1
package/build/data/rules/core.js.map +1 -1
package/build/data/rules/dockerfile.d.ts +3 -0
package/build/data/rules/dockerfile.d.ts.map +1 -0
package/build/data/rules/dockerfile.js +58 -0
package/build/data/rules/dockerfile.js.map +1 -0
package/build/data/rules/go.d.ts.map +1 -1
package/build/data/rules/go.js +6 -0
package/build/data/rules/go.js.map +1 -1
package/build/data/rules/index.d.ts.map +1 -1
package/build/data/rules/index.js +4 -0
package/build/data/rules/index.js.map +1 -1
package/build/data/rules/java.d.ts.map +1 -1
package/build/data/rules/java.js +6 -0
package/build/data/rules/java.js.map +1 -1
package/build/data/rules/php.d.ts.map +1 -1
package/build/data/rules/php.js +5 -0
package/build/data/rules/php.js.map +1 -1
package/build/data/rules/ruby.d.ts.map +1 -1
package/build/data/rules/ruby.js +5 -0
package/build/data/rules/ruby.js.map +1 -1
package/build/data/rules/types.d.ts +1 -0
package/build/data/rules/types.d.ts.map +1 -1
package/build/index.js +8 -2
package/build/index.js.map +1 -1
package/build/tools/check-code.d.ts +2 -2
package/build/tools/check-code.d.ts.map +1 -1
package/build/tools/check-code.js +10 -5
package/build/tools/check-code.js.map +1 -1
package/build/tools/check-project.d.ts.map +1 -1
package/build/tools/check-project.js +10 -3
package/build/tools/check-project.js.map +1 -1
package/build/tools/scan-directory.d.ts.map +1 -1
package/build/tools/scan-directory.js +13 -4
package/build/tools/scan-directory.js.map +1 -1
package/build/tools/scan-staged.d.ts +2 -0
package/build/tools/scan-staged.d.ts.map +1 -0
package/build/tools/scan-staged.js +119 -0
package/build/tools/scan-staged.js.map +1 -0
package/package.json +1 -1
package/build/data/owasp-rules.d.ts +0 -12
package/build/data/owasp-rules.d.ts.map +0 -1
package/build/data/owasp-rules.js +0 -469
package/build/data/owasp-rules.js.map +0 -1

package/README.md CHANGED Viewed

@@ -6,15 +6,19 @@ Stop shipping vulnerable code. GuardVibe checks your code against OWASP Top 10,
 ## Features
-- **Code Security Analysis** — Scans code for 45+ vulnerability patterns (SQL injection, XSS, hardcoded secrets, cloud API keys, CORS misconfig, and more)
-- **Directory Scanning** — Scan your entire project directory directly from the filesystem with security scoring (A-F grade)
-- **Secret Detection** — Pattern + entropy-based detection of leaked API keys, tokens, and credentials in code and config files
-- **Dependency CVE Check** — Parse lockfiles (package.json, requirements.txt, go.mod, Gemfile.lock, Cargo.lock) and batch-query Google's OSV database
-- **False Positive Suppression** — `// guardvibe-ignore VG001` comments to suppress known false positives
-- **Security Documentation** — Instant best-practice guides for Express, Next.js, FastAPI, React, and more
-- **8 Languages** — JavaScript, TypeScript, Python, Go, Java, PHP, Ruby, and more
-- **OWASP Top 10:2025** — All rules mapped to the latest OWASP standards
-- **Zero-Config Setup** — `npx guardvibe init claude` sets up everything automatically
+- **Code Security Analysis** — 55+ vulnerability patterns with auto-fix code snippets
+- **Directory Scanning** — Scan your entire project directly from the filesystem (A-F security score)
+- **Pre-Commit Scanning** — Scan only git-staged files before committing
+- **Secret Detection** — Pattern + entropy-based detection of leaked API keys, tokens, and credentials
+- **Dockerfile Scanning** — Detect root containers, exposed secrets, unpinned images, COPY ordering
+- **CI/CD Scanning** — GitHub Actions security: secrets in run steps, unpinned actions, permissions
+- **Dependency CVE Check** — Parse lockfiles and batch-query Google's OSV database
+- **Auto-Fix Code** — Every finding includes copy-paste-ready secure code
+- **False Positive Suppression** — `// guardvibe-ignore VG001` comments
+- **14 Security Guides** — Express, Next.js, FastAPI, Django, NestJS, Hono, Supabase, tRPC, React, and more
+- **8 Languages + Dockerfile + YAML** — JS, TS, Python, Go, Java, PHP, Ruby, Dockerfile, GitHub Actions
+- **OWASP Top 10:2025** — All rules mapped to latest standards
+- **Zero-Config Setup** — `npx guardvibe init claude`
 ## Quick Start
@@ -85,6 +89,14 @@ Input: { topic: "express authentication" | "sql injection" | "nextjs csrf" | ...
 Output: Markdown guide with code examples
 ```
+### `scan_staged`
+Scan git-staged files before committing. No input needed.
+```
+Input: {} (automatic — reads git staged files)
+Output: Pre-commit security report with A-F score
+```
 ### `scan_directory`
 Scan an entire project directory directly from the filesystem. No need to pass file contents.
@@ -131,8 +143,13 @@ Output: Vulnerability report with CVE IDs, severity, and fix versions
 | XSS | DOM sanitization, CSP, React escaping |
 | Authentication | bcrypt, JWT, OAuth, session security |
 | Environment Variables | .env management, Vercel, secret rotation |
+| Django | CSRF, ORM, settings, ALLOWED_HOSTS, password hashing |
+| NestJS | Guards, Helmet, ValidationPipe, rate limiting |
+| Hono | Middleware auth, CORS, zod validation, secure headers |
+| Supabase | Row Level Security, anon vs service key, auth |
+| tRPC | Input validation, auth middleware, rate limiting |
-## Security Rules (45+ patterns)
+## Security Rules (55+ patterns)
 ### Core Rules (All supported languages)
@@ -157,6 +174,8 @@ Output: Vulnerability report with CVE IDs, severity, and fix versions
 | VG120-VG125 | Java | SQL concat, Runtime.exec, JSP XSS, Spring auth, MessageDigest, @CrossOrigin |
 | VG130-VG134 | PHP | $_GET/$_POST SQL injection, shell_exec, echo XSS, md5/sha1, eval |
 | VG140-VG144 | Ruby | String interpolation SQL, backtick injection, html_safe XSS, route auth, Digest |
+| VG200-VG204 | Dockerfile | Root container, COPY ordering, latest tag, secrets in ENV, ADD vs COPY |
+| VG210-VG213 | GitHub Actions | Secrets in run steps, pull_request_target, unpinned actions, permissions |
 ## Suppressing False Positives
@@ -180,11 +199,13 @@ Supports `//`, `#`, and `<!-- -->` comment styles.
 GuardVibe runs as a local MCP server (stdio transport). When your AI assistant needs security guidance, it calls GuardVibe's tools:
-1. **Writing code?** → `check_code` scans for vulnerability patterns
+1. **Writing code?** → `check_code` scans for vulnerability patterns with auto-fix
 2. **Reviewing a project?** → `scan_directory` scans your entire codebase
-3. **Adding a package?** → `scan_dependencies` checks your lockfile for CVEs
-4. **Worried about leaks?** → `scan_secrets` detects API keys and tokens
-5. **Need guidance?** → `get_security_docs` returns best practices
+3. **About to commit?** → `scan_staged` checks only staged files
+4. **Adding a package?** → `scan_dependencies` checks your lockfile for CVEs
+5. **Worried about leaks?** → `scan_secrets` detects API keys and tokens
+6. **Building Docker?** → `check_code` with language `dockerfile` scans your Dockerfile
+7. **Need guidance?** → `get_security_docs` for 14 framework guides
 No API keys needed. No cloud dependency. Runs entirely on your machine.

package/build/cli.js CHANGED Viewed

@@ -57,7 +57,7 @@ function setupPlatform(name) {
         // Create new config
         writeJsonFile(platform.path, {
             mcpServers: {
-                vibeguard: GUARDVIBE_MCP_CONFIG,
+                guardvibe: GUARDVIBE_MCP_CONFIG,
             },
         });
     }

package/build/data/framework-guides.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"framework-guides.d.ts","sourceRoot":"","sources":["../../src/data/framework-guides.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,aAAa;IAC5B,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;CACjB;AAKD,eAAO,MAAM,eAAe,EAAE,aAAa,~~EAwf1C~~,CAAC"}
1	+ {"version":3,"file":"framework-guides.d.ts","sourceRoot":"","sources":["../../src/data/framework-guides.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,aAAa;IAC5B,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;CACjB;AAKD,eAAO,MAAM,eAAe,EAAE,aAAa,EA8xB1C,CAAC"}

package/build/data/framework-guides.js CHANGED Viewed

@@ -496,5 +496,294 @@ When your AI generates code with hardcoded secrets:
 3. Add .env to .gitignore
 4. Tell your AI: "Use environment variables for secrets"`,
     },
+    {
+        topic: "django",
+        title: "Django Security Best Practices",
+        keywords: ["django", "python", "csrf", "orm", "settings", "allowed_hosts"],
+        content: `# Django Security Best Practices
+## Critical Settings
+\`\`\`python
+# settings.py
+DEBUG = False  # NEVER True in production
+SECRET_KEY = os.environ['DJANGO_SECRET_KEY']  # Never hardcode
+ALLOWED_HOSTS = ['myapp.com']  # Never use ['*']
+SECURE_SSL_REDIRECT = True
+SESSION_COOKIE_SECURE = True
+CSRF_COOKIE_SECURE = True
+SECURE_HSTS_SECONDS = 31536000
+\`\`\`
+## CSRF Protection
+Django includes CSRF middleware by default. Never disable it.
+\`\`\`python
+# Views that modify data need @csrf_protect or use CsrfViewMiddleware
+from django.views.decorators.csrf import csrf_protect
+@csrf_protect
+def update_profile(request):
+    pass
+\`\`\`
+## ORM Injection Prevention
+Always use Django ORM — avoid raw SQL:
+\`\`\`python
+# Safe - ORM parameterizes automatically
+User.objects.filter(name=user_input)
+# Dangerous - raw SQL with interpolation
+User.objects.raw(f"SELECT * FROM users WHERE name = '{user_input}'")
+# If raw SQL needed, use params:
+User.objects.raw("SELECT * FROM users WHERE name = %s", [user_input])
+\`\`\`
+## Authentication
+\`\`\`python
+from django.contrib.auth.decorators import login_required
+@login_required
+def dashboard(request):
+    pass
+\`\`\`
+## Password Hashing
+Django uses PBKDF2 by default. Upgrade to Argon2:
+\`\`\`python
+# settings.py
+PASSWORD_HASHERS = [
+    'django.contrib.auth.hashers.Argon2PasswordHasher',
+    'django.contrib.auth.hashers.PBKDF2PasswordHasher',
+]
+\`\`\`
+`,
+    },
+    {
+        topic: "nestjs",
+        title: "NestJS Security Best Practices",
+        keywords: ["nestjs", "nest", "guard", "pipe", "helmet", "validation"],
+        content: `# NestJS Security Best Practices
+## Helmet
+\`\`\`typescript
+import helmet from 'helmet';
+app.use(helmet());
+\`\`\`
+## CORS
+\`\`\`typescript
+app.enableCors({
+  origin: ['https://myapp.com'],
+  credentials: true,
+});
+\`\`\`
+## Validation Pipe (Global)
+\`\`\`typescript
+app.useGlobalPipes(new ValidationPipe({
+  whitelist: true,       // Strip unknown properties
+  forbidNonWhitelisted: true,
+  transform: true,
+}));
+\`\`\`
+## Auth Guard
+\`\`\`typescript
+@Injectable()
+export class AuthGuard implements CanActivate {
+  canActivate(context: ExecutionContext): boolean {
+    const request = context.switchToHttp().getRequest();
+    return validateToken(request.headers.authorization);
+  }
+}
+// Apply globally or per-route
+@UseGuards(AuthGuard)
+@Controller('api')
+export class ApiController {}
+\`\`\`
+## Rate Limiting
+\`\`\`typescript
+import { ThrottlerModule } from '@nestjs/throttler';
+@Module({
+  imports: [ThrottlerModule.forRoot({ ttl: 60, limit: 10 })],
+})
+\`\`\`
+## Environment Variables
+\`\`\`typescript
+import { ConfigModule } from '@nestjs/config';
+@Module({
+  imports: [ConfigModule.forRoot({ isGlobal: true })],
+})
+// Use: configService.get('DATABASE_URL')
+\`\`\`
+`,
+    },
+    {
+        topic: "hono",
+        title: "Hono Security Best Practices",
+        keywords: ["hono", "edge", "middleware", "cloudflare", "bun"],
+        content: `# Hono Security Best Practices
+## CORS
+\`\`\`typescript
+import { cors } from 'hono/cors';
+app.use('*', cors({
+  origin: ['https://myapp.com'],
+  credentials: true,
+}));
+\`\`\`
+## Auth Middleware
+\`\`\`typescript
+import { bearerAuth } from 'hono/bearer-auth';
+app.use('/api/*', bearerAuth({ token: process.env.API_TOKEN! }));
+// Or custom JWT auth:
+app.use('/api/*', async (c, next) => {
+  const token = c.req.header('Authorization')?.replace('Bearer ', '');
+  if (!token || !verifyJwt(token)) return c.json({ error: 'Unauthorized' }, 401);
+  await next();
+});
+\`\`\`
+## Input Validation
+\`\`\`typescript
+import { zValidator } from '@hono/zod-validator';
+import { z } from 'zod';
+app.post('/api/users', zValidator('json', z.object({
+  email: z.string().email(),
+  name: z.string().min(1).max(100),
+})), async (c) => {
+  const data = c.req.valid('json');
+});
+\`\`\`
+## Rate Limiting
+\`\`\`typescript
+import { rateLimiter } from 'hono-rate-limiter';
+app.use(rateLimiter({ windowMs: 15 * 60 * 1000, limit: 100 }));
+\`\`\`
+## Secure Headers
+\`\`\`typescript
+import { secureHeaders } from 'hono/secure-headers';
+app.use('*', secureHeaders());
+\`\`\`
+`,
+    },
+    {
+        topic: "supabase",
+        title: "Supabase Security Best Practices",
+        keywords: ["supabase", "rls", "row level security", "postgres", "auth"],
+        content: `# Supabase Security Best Practices
+## Row Level Security (RLS) — CRITICAL
+Always enable RLS on every table:
+\`\`\`sql
+ALTER TABLE profiles ENABLE ROW LEVEL SECURITY;
+-- Users can only read their own profile
+CREATE POLICY "Users read own profile"
+  ON profiles FOR SELECT
+  USING (auth.uid() = user_id);
+-- Users can only update their own profile
+CREATE POLICY "Users update own profile"
+  ON profiles FOR UPDATE
+  USING (auth.uid() = user_id);
+\`\`\`
+## Anon Key vs Service Key
+\`\`\`typescript
+// Client-side: use anon key (safe to expose, RLS enforced)
+const supabase = createClient(url, process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!);
+// Server-side only: service key (bypasses RLS!)
+const admin = createClient(url, process.env.SUPABASE_SERVICE_KEY!);
+// NEVER expose service key to the client
+\`\`\`
+## Auth
+\`\`\`typescript
+// Always check auth on server
+const { data: { user } } = await supabase.auth.getUser();
+if (!user) throw new Error('Unauthorized');
+\`\`\`
+## API Security
+\`\`\`typescript
+// Validate input before database operations
+const schema = z.object({ title: z.string().max(200) });
+const input = schema.parse(body);
+await supabase.from('posts').insert(input);
+\`\`\`
+`,
+    },
+    {
+        topic: "trpc",
+        title: "tRPC Security Best Practices",
+        keywords: ["trpc", "procedure", "middleware", "zod", "typesafe"],
+        content: `# tRPC Security Best Practices
+## Input Validation
+Always validate with zod:
+\`\`\`typescript
+export const appRouter = router({
+  createUser: publicProcedure
+    .input(z.object({
+      email: z.string().email(),
+      name: z.string().min(1).max(100),
+    }))
+    .mutation(async ({ input }) => {
+      // input is validated and typed
+    }),
+});
+\`\`\`
+## Auth Middleware
+\`\`\`typescript
+const isAuthed = t.middleware(({ ctx, next }) => {
+  if (!ctx.session?.user) {
+    throw new TRPCError({ code: 'UNAUTHORIZED' });
+  }
+  return next({ ctx: { user: ctx.session.user } });
+});
+const protectedProcedure = t.procedure.use(isAuthed);
+// Use for protected routes
+export const appRouter = router({
+  getProfile: protectedProcedure.query(({ ctx }) => {
+    return db.user.findUnique({ where: { id: ctx.user.id } });
+  }),
+});
+\`\`\`
+## Rate Limiting
+\`\`\`typescript
+const rateLimiter = t.middleware(async ({ ctx, next }) => {
+  const ip = ctx.req.headers['x-forwarded-for'] || 'unknown';
+  const { success } = await ratelimit.limit(ip);
+  if (!success) throw new TRPCError({ code: 'TOO_MANY_REQUESTS' });
+  return next();
+});
+\`\`\`
+## Error Handling
+Never expose internal errors:
+\`\`\`typescript
+// tRPC automatically masks internal errors in production
+// Only TRPCError messages are sent to client
+throw new TRPCError({
+  code: 'BAD_REQUEST',
+  message: 'Invalid input', // Safe user-facing message
+});
+\`\`\`
+`,
+    },
 ];
 //# sourceMappingURL=framework-guides.js.map

package/build/data/framework-guides.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"framework-guides.js","sourceRoot":"","sources":["../../src/data/framework-guides.ts"],"names":[],"mappings":"AAOA,iFAAiF;AACjF,kFAAkF;AAElF,MAAM,CAAC,MAAM,eAAe,GAAoB;IAC9C;QACE,KAAK,EAAE,OAAO;QACd,QAAQ,EAAE,CAAC,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,cAAc,EAAE,wBAAwB,CAAC;QAChF,KAAK,EAAE,qCAAqC;QAC5C,OAAO,EAAE;;;;;;;;;;;;;;;;;;;;;;;;wDAwB2C;KACrD;IAED;QACE,KAAK,EAAE,SAAS;QAChB,QAAQ,EAAE,CAAC,SAAS,EAAE,WAAW,EAAE,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,EAAE,SAAS,CAAC;QAC9E,KAAK,EAAE,oCAAoC;QAC3C,OAAO,EAAE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OA6EN;KACJ;IAED;QACE,KAAK,EAAE,QAAQ;QACf,QAAQ,EAAE,CAAC,MAAM,EAAE,QAAQ,EAAE,SAAS,EAAE,OAAO,EAAE,KAAK,EAAE,mBAAmB,EAAE,YAAY,CAAC;QAC1F,KAAK,EAAE,iCAAiC;QACxC,OAAO,EAAE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;2DAwE8C;KACxD;IAED;QACE,KAAK,EAAE,eAAe;QACtB,QAAQ,EAAE,CAAC,KAAK,EAAE,WAAW,EAAE,UAAU,EAAE,OAAO,EAAE,UAAU,EAAE,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,SAAS,CAAC;QACvG,KAAK,EAAE,gCAAgC;QACvC,OAAO,EAAE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;oEAsCuD;KACjE;IAED;QACE,KAAK,EAAE,KAAK;QACZ,QAAQ,EAAE,CAAC,KAAK,EAAE,sBAAsB,EAAE,kBAAkB,EAAE,UAAU,EAAE,MAAM,CAAC;QACjF,KAAK,EAAE,uCAAuC;QAC9C,OAAO,EAAE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;2DAsC8C;KACxD;IAED;QACE,KAAK,EAAE,gBAAgB;QACvB,QAAQ,EAAE,CAAC,MAAM,EAAE,gBAAgB,EAAE,OAAO,EAAE,UAAU,EAAE,KAAK,EAAE,SAAS,EAAE,QAAQ,EAAE,OAAO,EAAE,OAAO,CAAC;QACvG,KAAK,EAAE,+BAA+B;QACtC,OAAO,EAAE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OAoDN;KACJ;IAED;QACE,KAAK,EAAE,SAAS;QAChB,QAAQ,EAAE,CAAC,SAAS,EAAE,QAAQ,EAAE,KAAK,EAAE,UAAU,EAAE,WAAW,CAAC;QAC/D,KAAK,EAAE,iCAAiC;QACxC,OAAO,EAAE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OA6DN;KACJ;IAED;QACE,KAAK,EAAE,OAAO;QACd,QAAQ,EAAE,CAAC,OAAO,EAAE,SAAS,EAAE,WAAW,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,UAAU,EAAE,QAAQ,CAAC;QACvF,KAAK,EAAE,+BAA+B;QACtC,OAAO,EAAE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OA4CN;KACJ;IAED;QACE,KAAK,EAAE,KAAK;QACZ,QAAQ,EAAE,CAAC,KAAK,EAAE,aAAa,EAAE,WAAW,EAAE,SAAS,EAAE,QAAQ,EAAE,MAAM,EAAE,SAAS,EAAE,aAAa,CAAC;QACpG,KAAK,EAAE,4CAA4C;QACnD,OAAO,EAAE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;yDAmC4C;KACtD;CACF,CAAC"}
1	+ {"version":3,"file":"framework-guides.js","sourceRoot":"","sources":["../../src/data/framework-guides.ts"],"names":[],"mappings":"AAOA,iFAAiF;AACjF,kFAAkF;AAElF,MAAM,CAAC,MAAM,eAAe,GAAoB;IAC9C;QACE,KAAK,EAAE,OAAO;QACd,QAAQ,EAAE,CAAC,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,cAAc,EAAE,wBAAwB,CAAC;QAChF,KAAK,EAAE,qCAAqC;QAC5C,OAAO,EAAE;;;;;;;;;;;;;;;;;;;;;;;;wDAwB2C;KACrD;IAED;QACE,KAAK,EAAE,SAAS;QAChB,QAAQ,EAAE,CAAC,SAAS,EAAE,WAAW,EAAE,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,EAAE,SAAS,CAAC;QAC9E,KAAK,EAAE,oCAAoC;QAC3C,OAAO,EAAE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OA6EN;KACJ;IAED;QACE,KAAK,EAAE,QAAQ;QACf,QAAQ,EAAE,CAAC,MAAM,EAAE,QAAQ,EAAE,SAAS,EAAE,OAAO,EAAE,KAAK,EAAE,mBAAmB,EAAE,YAAY,CAAC;QAC1F,KAAK,EAAE,iCAAiC;QACxC,OAAO,EAAE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;2DAwE8C;KACxD;IAED;QACE,KAAK,EAAE,eAAe;QACtB,QAAQ,EAAE,CAAC,KAAK,EAAE,WAAW,EAAE,UAAU,EAAE,OAAO,EAAE,UAAU,EAAE,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,SAAS,CAAC;QACvG,KAAK,EAAE,gCAAgC;QACvC,OAAO,EAAE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;oEAsCuD;KACjE;IAED;QACE,KAAK,EAAE,KAAK;QACZ,QAAQ,EAAE,CAAC,KAAK,EAAE,sBAAsB,EAAE,kBAAkB,EAAE,UAAU,EAAE,MAAM,CAAC;QACjF,KAAK,EAAE,uCAAuC;QAC9C,OAAO,EAAE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;2DAsC8C;KACxD;IAED;QACE,KAAK,EAAE,gBAAgB;QACvB,QAAQ,EAAE,CAAC,MAAM,EAAE,gBAAgB,EAAE,OAAO,EAAE,UAAU,EAAE,KAAK,EAAE,SAAS,EAAE,QAAQ,EAAE,OAAO,EAAE,OAAO,CAAC;QACvG,KAAK,EAAE,+BAA+B;QACtC,OAAO,EAAE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OAoDN;KACJ;IAED;QACE,KAAK,EAAE,SAAS;QAChB,QAAQ,EAAE,CAAC,SAAS,EAAE,QAAQ,EAAE,KAAK,EAAE,UAAU,EAAE,WAAW,CAAC;QAC/D,KAAK,EAAE,iCAAiC;QACxC,OAAO,EAAE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OA6DN;KACJ;IAED;QACE,KAAK,EAAE,OAAO;QACd,QAAQ,EAAE,CAAC,OAAO,EAAE,SAAS,EAAE,WAAW,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,UAAU,EAAE,QAAQ,CAAC;QACvF,KAAK,EAAE,+BAA+B;QACtC,OAAO,EAAE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OA4CN;KACJ;IAED;QACE,KAAK,EAAE,KAAK;QACZ,QAAQ,EAAE,CAAC,KAAK,EAAE,aAAa,EAAE,WAAW,EAAE,SAAS,EAAE,QAAQ,EAAE,MAAM,EAAE,SAAS,EAAE,aAAa,CAAC;QACpG,KAAK,EAAE,4CAA4C;QACnD,OAAO,EAAE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;yDAmC4C;KACtD;IAED;QACE,KAAK,EAAE,QAAQ;QACf,KAAK,EAAE,gCAAgC;QACvC,QAAQ,EAAE,CAAC,QAAQ,EAAE,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,UAAU,EAAE,eAAe,CAAC;QAC1E,OAAO,EAAE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAwDZ;KACE;IAED;QACE,KAAK,EAAE,QAAQ;QACf,KAAK,EAAE,gCAAgC;QACvC,QAAQ,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,YAAY,CAAC;QACrE,OAAO,EAAE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAyDZ;KACE;IAED;QACE,KAAK,EAAE,MAAM;QACb,KAAK,EAAE,8BAA8B;QACrC,QAAQ,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,YAAY,EAAE,YAAY,EAAE,KAAK,CAAC;QAC7D,OAAO,EAAE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAgDZ;KACE;IAED;QACE,KAAK,EAAE,UAAU;QACjB,KAAK,EAAE,kCAAkC;QACzC,QAAQ,EAAE,CAAC,UAAU,EAAE,KAAK,EAAE,oBAAoB,EAAE,UAAU,EAAE,MAAM,CAAC;QACvE,OAAO,EAAE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA0CZ;KACE;IAED;QACE,KAAK,EAAE,MAAM;QACb,KAAK,EAAE,8BAA8B;QACrC,QAAQ,EAAE,CAAC,MAAM,EAAE,WAAW,EAAE,YAAY,EAAE,KAAK,EAAE,UAAU,CAAC;QAChE,OAAO,EAAE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAwDZ;KACE;CACF,CAAC"}

package/build/data/rules/cicd.d.ts ADDED Viewed

@@ -0,0 +1,3 @@
+import type { SecurityRule } from "./types.js";
+export declare const cicdRules: SecurityRule[];
+//# sourceMappingURL=cicd.d.ts.map

package/build/data/rules/cicd.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"cicd.d.ts","sourceRoot":"","sources":["../../../src/data/rules/cicd.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAE/C,eAAO,MAAM,SAAS,EAAE,YAAY,EA6CnC,CAAC"}

package/build/data/rules/cicd.js ADDED Viewed

@@ -0,0 +1,47 @@
+export const cicdRules = [
+    {
+        id: "VG210",
+        name: "Secrets interpolated in run step",
+        severity: "critical",
+        owasp: "A01:2025 Broken Access Control",
+        description: "GitHub Actions secrets interpolated directly in run steps can leak via process logs or error messages.",
+        pattern: /run:\s*.*\$\{\{\s*secrets\./gi,
+        languages: ["yaml"],
+        fix: "Pass secrets as environment variables instead of interpolating in run steps.",
+        fixCode: "# Pass secrets via env, not interpolation\nsteps:\n  - run: echo \"deploying\"\n    env:\n      MY_SECRET: ${{ secrets.MY_SECRET }}",
+    },
+    {
+        id: "VG211",
+        name: "pull_request_target with checkout",
+        severity: "critical",
+        owasp: "A01:2025 Broken Access Control",
+        description: "Using pull_request_target with actions/checkout allows untrusted PR code to access secrets.",
+        pattern: /pull_request_target[\s\S]*?actions\/checkout/gi,
+        languages: ["yaml"],
+        fix: "Use pull_request trigger instead, or avoid checking out PR code with pull_request_target.",
+        fixCode: "# Use pull_request instead of pull_request_target\non:\n  pull_request:\n    branches: [main]",
+    },
+    {
+        id: "VG212",
+        name: "Unpinned action version",
+        severity: "medium",
+        owasp: "A03:2025 Software Supply Chain Failures",
+        description: "Using @main or @master for GitHub Actions allows untested code changes to affect your pipeline.",
+        pattern: /uses:\s*\S+@(?:main|master)\s/gi,
+        languages: ["yaml"],
+        fix: "Pin actions to a specific commit SHA or version tag.",
+        fixCode: "# Pin to specific version or SHA\nuses: actions/checkout@v4\n# Or pin to commit SHA:\n# uses: actions/checkout@abc123def456",
+    },
+    {
+        id: "VG213",
+        name: "Overly permissive permissions",
+        severity: "high",
+        owasp: "A01:2025 Broken Access Control",
+        description: "write-all permissions give the workflow full access to the repository. Use least-privilege permissions.",
+        pattern: /permissions:\s*write-all/gi,
+        languages: ["yaml"],
+        fix: "Specify minimum required permissions for each job.",
+        fixCode: "# Use least-privilege permissions\npermissions:\n  contents: read\n  pull-requests: write",
+    },
+];
+//# sourceMappingURL=cicd.js.map

package/build/data/rules/cicd.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"cicd.js","sourceRoot":"","sources":["../../../src/data/rules/cicd.ts"],"names":[],"mappings":"AAEA,MAAM,CAAC,MAAM,SAAS,GAAmB;IACvC;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,kCAAkC;QACxC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EAAE,wGAAwG;QACrH,OAAO,EAAE,+BAA+B;QACxC,SAAS,EAAE,CAAC,MAAM,CAAC;QACnB,GAAG,EAAE,8EAA8E;QACnF,OAAO,EAAE,qIAAqI;KAC/I;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,mCAAmC;QACzC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EAAE,6FAA6F;QAC1G,OAAO,EAAE,gDAAgD;QACzD,SAAS,EAAE,CAAC,MAAM,CAAC;QACnB,GAAG,EAAE,2FAA2F;QAChG,OAAO,EAAE,+FAA+F;KACzG;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,yBAAyB;QAC/B,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,yCAAyC;QAChD,WAAW,EAAE,iGAAiG;QAC9G,OAAO,EAAE,iCAAiC;QAC1C,SAAS,EAAE,CAAC,MAAM,CAAC;QACnB,GAAG,EAAE,sDAAsD;QAC3D,OAAO,EAAE,6HAA6H;KACvI;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,+BAA+B;QACrC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EAAE,yGAAyG;QACtH,OAAO,EAAE,4BAA4B;QACrC,SAAS,EAAE,CAAC,MAAM,CAAC;QACnB,GAAG,EAAE,oDAAoD;QACzD,OAAO,EAAE,2FAA2F;KACrG;CACF,CAAC"}

package/build/data/rules/core.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"core.d.ts","sourceRoot":"","sources":["../../../src/data/rules/core.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAI/C,eAAO,MAAM,SAAS,EAAE,YAAY,~~EAmRnC~~,CAAC"}
1	+ {"version":3,"file":"core.d.ts","sourceRoot":"","sources":["../../../src/data/rules/core.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAI/C,eAAO,MAAM,SAAS,EAAE,YAAY,EA4SnC,CAAC"}