guardvibe 0.8.2 → 0.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (17) hide show
  1. package/build/data/rules/index.d.ts.map +1 -1
  2. package/build/data/rules/index.js +6 -0
  3. package/build/data/rules/index.js.map +1 -1
  4. package/build/data/rules/payments.d.ts +3 -0
  5. package/build/data/rules/payments.d.ts.map +1 -0
  6. package/build/data/rules/payments.js +111 -0
  7. package/build/data/rules/payments.js.map +1 -0
  8. package/build/data/rules/services.d.ts +3 -0
  9. package/build/data/rules/services.d.ts.map +1 -0
  10. package/build/data/rules/services.js +135 -0
  11. package/build/data/rules/services.js.map +1 -0
  12. package/build/data/rules/web-security.d.ts +3 -0
  13. package/build/data/rules/web-security.d.ts.map +1 -0
  14. package/build/data/rules/web-security.js +169 -0
  15. package/build/data/rules/web-security.js.map +1 -0
  16. package/build/index.js +1 -1
  17. package/package.json +1 -1
package/build/data/rules/index.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/data/rules/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAW/C,eAAO,MAAM,UAAU,qCAUtB,CAAC;AAGF,eAAO,MAAM,YAAY,qCAAa,CAAC"}
1
+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/data/rules/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAc/C,eAAO,MAAM,UAAU,qCAatB,CAAC;AAGF,eAAO,MAAM,YAAY,qCAAa,CAAC"}
package/build/data/rules/index.js CHANGED
@@ -7,6 +7,9 @@ import { nextjsRules } from "./nextjs.js";
7
7
  import { authRules } from "./auth.js";
8
8
  import { databaseRules } from "./database.js";
9
9
  import { deploymentRules } from "./deployment.js";
10
+ import { paymentRules } from "./payments.js";
11
+ import { serviceRules } from "./services.js";
12
+ import { webSecurityRules } from "./web-security.js";
10
13
  export const owaspRules = [
11
14
  ...coreRules,
12
15
  ...goRules,
@@ -17,6 +20,9 @@ export const owaspRules = [
17
20
  ...authRules,
18
21
  ...databaseRules,
19
22
  ...deploymentRules,
23
+ ...paymentRules,
24
+ ...serviceRules,
25
+ ...webSecurityRules,
20
26
  ];
21
27
  // Alias for clarity — these are the built-in rules without plugins
22
28
  export const builtinRules = owaspRules;
package/build/data/rules/index.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/data/rules/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAClD,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAChD,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AAC9C,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAElD,MAAM,CAAC,MAAM,UAAU,GAAG;IACxB,GAAG,SAAS;IACZ,GAAG,OAAO;IACV,GAAG,eAAe;IAClB,GAAG,SAAS;IACZ,GAAG,cAAc;IACjB,GAAG,WAAW;IACd,GAAG,SAAS;IACZ,GAAG,aAAa;IAChB,GAAG,eAAe;CACnB,CAAC;AAEF,mEAAmE;AACnE,MAAM,CAAC,MAAM,YAAY,GAAG,UAAU,CAAC"}
1
+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/data/rules/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAClD,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAChD,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AAC9C,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAClD,OAAO,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAC7C,OAAO,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAC7C,OAAO,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;AAErD,MAAM,CAAC,MAAM,UAAU,GAAG;IACxB,GAAG,SAAS;IACZ,GAAG,OAAO;IACV,GAAG,eAAe;IAClB,GAAG,SAAS;IACZ,GAAG,cAAc;IACjB,GAAG,WAAW;IACd,GAAG,SAAS;IACZ,GAAG,aAAa;IAChB,GAAG,eAAe;IAClB,GAAG,YAAY;IACf,GAAG,YAAY;IACf,GAAG,gBAAgB;CACpB,CAAC;AAEF,mEAAmE;AACnE,MAAM,CAAC,MAAM,YAAY,GAAG,UAAU,CAAC"}
package/build/data/rules/payments.d.ts ADDED
@@ -0,0 +1,3 @@
1
+ import type { SecurityRule } from "./types.js";
2
+ export declare const paymentRules: SecurityRule[];
3
+ //# sourceMappingURL=payments.d.ts.map
package/build/data/rules/payments.d.ts.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"payments.d.ts","sourceRoot":"","sources":["../../../src/data/rules/payments.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAE/C,eAAO,MAAM,YAAY,EAAE,YAAY,EAiItC,CAAC"}
package/build/data/rules/payments.js ADDED
@@ -0,0 +1,111 @@
1
+ export const paymentRules = [
2
+ // Stripe
3
+ {
4
+ id: "VG600",
5
+ name: "Stripe Secret Key Client Exposure",
6
+ severity: "critical",
7
+ owasp: "A07:2025 Sensitive Data Exposure",
8
+ description: "Stripe secret key (sk_live_ or sk_test_) exposed in client-side code. This key can charge any amount to any card.",
9
+ pattern: /["']use client["'][\s\S]{0,500}?sk_(?:live|test)_/g,
10
+ languages: ["javascript", "typescript"],
11
+ fix: "Never use Stripe secret keys in client code. Use them only in server-side API routes.",
12
+ fixCode: "// Server-side only (API route or Server Action)\nimport Stripe from 'stripe';\nconst stripe = new Stripe(process.env.STRIPE_SECRET_KEY!);",
13
+ compliance: ["SOC2:CC6.1", "PCI-DSS:Req2.3"],
14
+ },
15
+ {
16
+ id: "VG601",
17
+ name: "Stripe Webhook Missing Signature Verification",
18
+ severity: "critical",
19
+ owasp: "A01:2025 Broken Access Control",
20
+ description: "Stripe webhook endpoint processes events without verifying the webhook signature. Anyone can send fake payment events.",
21
+ pattern: /(?:\/api\/webhook|\/api\/stripe|webhook.*stripe)[\s\S]*?(?:req\.body|request\.json|JSON\.parse)[\s\S]{0,300}?(?![\s\S]{0,300}?(?:constructEvent|verifyHeader|stripe\.webhooks))/g,
22
+ languages: ["javascript", "typescript"],
23
+ fix: "Always verify Stripe webhook signatures using stripe.webhooks.constructEvent().",
24
+ fixCode: "// Verify webhook signature\nconst sig = request.headers.get('stripe-signature')!;\nconst event = stripe.webhooks.constructEvent(\n body, sig, process.env.STRIPE_WEBHOOK_SECRET!\n);",
25
+ compliance: ["SOC2:CC6.6", "PCI-DSS:Req6.5.10"],
26
+ },
27
+ {
28
+ id: "VG602",
29
+ name: "Stripe Price Amount Client-Side",
30
+ severity: "high",
31
+ owasp: "A04:2025 Insecure Design",
32
+ description: "Price amount sent from client to server for payment. Users can modify the amount in browser DevTools.",
33
+ pattern: /(?:amount|price|total)\s*[:=]\s*(?:req\.body|request\.body|body\.)[\s\S]{0,100}?(?:stripe|payment|checkout|charge)/gi,
34
+ languages: ["javascript", "typescript"],
35
+ fix: "Always calculate prices server-side. Use Stripe Price IDs or calculate from your database, never trust client-sent amounts.",
36
+ fixCode: "// Use Stripe Price IDs, not client amounts\nconst session = await stripe.checkout.sessions.create({\n line_items: [{ price: 'price_xxx', quantity: 1 }], // Price ID from Stripe dashboard\n});",
37
+ compliance: ["PCI-DSS:Req6.5.1"],
38
+ },
39
+ {
40
+ id: "VG603",
41
+ name: "Hardcoded Stripe Key",
42
+ severity: "critical",
43
+ owasp: "A07:2025 Sensitive Data Exposure",
44
+ description: "Stripe API key hardcoded in source code instead of environment variable.",
45
+ pattern: /(?:stripe|Stripe)\s*\(\s*["']sk_(?:live|test)_[A-Za-z0-9]{10,}["']/g,
46
+ languages: ["javascript", "typescript"],
47
+ fix: "Use environment variables for Stripe keys.",
48
+ fixCode: "const stripe = new Stripe(process.env.STRIPE_SECRET_KEY!);",
49
+ compliance: ["SOC2:CC6.1", "PCI-DSS:Req2.3"],
50
+ },
51
+ {
52
+ id: "VG604",
53
+ name: "NEXT_PUBLIC Stripe Secret Key",
54
+ severity: "critical",
55
+ owasp: "A07:2025 Sensitive Data Exposure",
56
+ description: "Stripe secret key exposed via NEXT_PUBLIC_ prefix. Only the publishable key (pk_) should be public.",
57
+ pattern: /NEXT_PUBLIC_\w*STRIPE\w*SECRET/gi,
58
+ languages: ["javascript", "typescript", "shell"],
59
+ fix: "Remove NEXT_PUBLIC_ prefix from Stripe secret key. Only NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY should be public.",
60
+ fixCode: "# .env.local\nSTRIPE_SECRET_KEY=sk_live_xxx # server only\nNEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY=pk_live_xxx # safe to expose",
61
+ compliance: ["SOC2:CC6.1", "PCI-DSS:Req2.3"],
62
+ },
63
+ // LemonSqueezy
64
+ {
65
+ id: "VG605",
66
+ name: "LemonSqueezy API Key Exposure",
67
+ severity: "critical",
68
+ owasp: "A07:2025 Sensitive Data Exposure",
69
+ description: "LemonSqueezy API key exposed in client-side code.",
70
+ pattern: /["']use client["'][\s\S]{0,500}?(?:LEMONSQUEEZY_API_KEY|LEMON_SQUEEZY_API_KEY)/g,
71
+ languages: ["javascript", "typescript"],
72
+ fix: "Use LemonSqueezy API key only in server-side code.",
73
+ compliance: ["SOC2:CC6.1"],
74
+ },
75
+ {
76
+ id: "VG606",
77
+ name: "LemonSqueezy Webhook Missing Signature",
78
+ severity: "high",
79
+ owasp: "A01:2025 Broken Access Control",
80
+ description: "LemonSqueezy webhook processes events without verifying the X-Signature header.",
81
+ pattern: /(?:lemonsqueezy|lemon.?squeezy)[\s\S]{0,500}?(?:req\.body|request\.json)[\s\S]{0,300}?(?![\s\S]{0,300}?(?:verify|signature|x-signature|hmac|crypto))/gi,
82
+ languages: ["javascript", "typescript"],
83
+ fix: "Verify the X-Signature header using HMAC-SHA256 with your webhook secret.",
84
+ fixCode: "// Verify LemonSqueezy webhook\nimport crypto from 'crypto';\nconst sig = request.headers.get('x-signature');\nconst hash = crypto.createHmac('sha256', process.env.LEMON_SQUEEZY_WEBHOOK_SECRET!)\n .update(body).digest('hex');\nif (sig !== hash) return new Response('Invalid', { status: 401 });",
85
+ compliance: ["SOC2:CC6.6"],
86
+ },
87
+ // Polar.sh
88
+ {
89
+ id: "VG607",
90
+ name: "Polar API Key Exposure",
91
+ severity: "critical",
92
+ owasp: "A07:2025 Sensitive Data Exposure",
93
+ description: "Polar.sh API key or access token exposed in client-side code.",
94
+ pattern: /["']use client["'][\s\S]{0,500}?(?:POLAR_ACCESS_TOKEN|POLAR_API_KEY|polar.*(?:access_token|api_key))/gi,
95
+ languages: ["javascript", "typescript"],
96
+ fix: "Use Polar API keys only in server-side code.",
97
+ compliance: ["SOC2:CC6.1"],
98
+ },
99
+ {
100
+ id: "VG608",
101
+ name: "Payment Webhook Missing Auth",
102
+ severity: "high",
103
+ owasp: "A01:2025 Broken Access Control",
104
+ description: "Payment webhook endpoint has no signature verification or authentication. Attackers can fake payment confirmations.",
105
+ pattern: /(?:\/api\/webhook|\/api\/payment|\/api\/checkout)[\s\S]*?export\s+(?:async\s+)?function\s+POST\s*\([^)]*\)\s*\{(?:(?!verify|signature|constructEvent|hmac|crypto\.createHmac|webhookSecret)[\s\S])*?\}/g,
106
+ languages: ["javascript", "typescript"],
107
+ fix: "Always verify webhook signatures before processing payment events.",
108
+ compliance: ["SOC2:CC6.6", "PCI-DSS:Req6.5.10"],
109
+ },
110
+ ];
111
+ //# sourceMappingURL=payments.js.map
package/build/data/rules/payments.js.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"payments.js","sourceRoot":"","sources":["../../../src/data/rules/payments.ts"],"names":[],"mappings":"AAEA,MAAM,CAAC,MAAM,YAAY,GAAmB;IAC1C,SAAS;IACT;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,mCAAmC;QACzC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,mHAAmH;QACrH,OAAO,EAAE,oDAAoD;QAC7D,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,uFAAuF;QAC5F,OAAO,EACL,4IAA4I;QAC9I,UAAU,EAAE,CAAC,YAAY,EAAE,gBAAgB,CAAC;KAC7C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,+CAA+C;QACrD,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,wHAAwH;QAC1H,OAAO,EACL,kLAAkL;QACpL,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,iFAAiF;QACtF,OAAO,EACL,wLAAwL;QAC1L,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,iCAAiC;QACvC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,0BAA0B;QACjC,WAAW,EACT,uGAAuG;QACzG,OAAO,EACL,sHAAsH;QACxH,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,6HAA6H;QAClI,OAAO,EACL,mMAAmM;QACrM,UAAU,EAAE,CAAC,kBAAkB,CAAC;KACjC;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,sBAAsB;QAC5B,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,0EAA0E;QAC5E,OAAO,EAAE,qEAAqE;QAC9E,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,4CAA4C;QACjD,OAAO,EAAE,4DAA4D;QACrE,UAAU,EAAE,CAAC,YAAY,EAAE,gBAAgB,CAAC;KAC7C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,+BAA+B;QACrC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,qGAAqG;QACvG,OAAO,EAAE,kCAAkC;QAC3C,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,OAAO,CAAC;QAChD,GAAG,EAAE,8GAA8G;QACnH,OAAO,EACL,sIAAsI;QACxI,UAAU,EAAE,CAAC,YAAY,EAAE,gBAAgB,CAAC;KAC7C;IAED,eAAe;IACf;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,+BAA+B;QACrC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,mDAAmD;QAChE,OAAO,EACL,iFAAiF;QACnF,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,oDAAoD;QACzD,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,wCAAwC;QAC9C,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,iFAAiF;QACnF,OAAO,EACL,wJAAwJ;QAC1J,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,2EAA2E;QAChF,OAAO,EACL,wSAAwS;QAC1S,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IAED,WAAW;IACX;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,wBAAwB;QAC9B,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,+DAA+D;QAC5E,OAAO,EACL,wGAAwG;QAC1G,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,8CAA8C;QACnD,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,8BAA8B;QACpC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,qHAAqH;QACvH,OAAO,EACL,yMAAyM;QAC3M,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,oEAAoE;QACzE,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;CACF,CAAC"}
package/build/data/rules/services.d.ts ADDED
@@ -0,0 +1,3 @@
1
+ import type { SecurityRule } from "./types.js";
2
+ export declare const serviceRules: SecurityRule[];
3
+ //# sourceMappingURL=services.d.ts.map
package/build/data/rules/services.d.ts.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"services.d.ts","sourceRoot":"","sources":["../../../src/data/rules/services.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAE/C,eAAO,MAAM,YAAY,EAAE,YAAY,EAyItC,CAAC"}
package/build/data/rules/services.js ADDED
@@ -0,0 +1,135 @@
1
+ export const serviceRules = [
2
+ // Resend Email
3
+ {
4
+ id: "VG620",
5
+ name: "Resend API Key Client Exposure",
6
+ severity: "critical",
7
+ owasp: "A07:2025 Sensitive Data Exposure",
8
+ description: "Resend API key exposed in client-side code. This allows anyone to send emails from your account.",
9
+ pattern: /["']use client["'][\s\S]{0,500}?(?:RESEND_API_KEY|re_[A-Za-z0-9]{20,})/g,
10
+ languages: ["javascript", "typescript"],
11
+ fix: "Use Resend API key only in server-side code (API routes or Server Actions).",
12
+ fixCode: '"use server";\nimport { Resend } from "resend";\nconst resend = new Resend(process.env.RESEND_API_KEY);',
13
+ compliance: ["SOC2:CC6.1"],
14
+ },
15
+ {
16
+ id: "VG621",
17
+ name: "Hardcoded Resend API Key",
18
+ severity: "critical",
19
+ owasp: "A07:2025 Sensitive Data Exposure",
20
+ description: "Resend API key hardcoded in source code.",
21
+ pattern: /(?:Resend|resend)\s*\(\s*["']re_[A-Za-z0-9]{10,}["']/g,
22
+ languages: ["javascript", "typescript"],
23
+ fix: "Use environment variable for Resend API key.",
24
+ fixCode: 'const resend = new Resend(process.env.RESEND_API_KEY);',
25
+ compliance: ["SOC2:CC6.1"],
26
+ },
27
+ {
28
+ id: "VG622",
29
+ name: "Email Content Injection",
30
+ severity: "high",
31
+ owasp: "A03:2025 Injection",
32
+ description: "User input directly used in email headers (to, from, subject, cc, bcc) without validation. Can be used for email injection/spam.",
33
+ pattern: /(?:resend|sendgrid|nodemailer)[\s\S]{0,300}?(?:to|from|cc|bcc|subject)\s*:\s*(?:req\.body|request\.body|body\.|formData\.get|params\.)/gi,
34
+ languages: ["javascript", "typescript"],
35
+ fix: "Validate and sanitize all email fields. Use allowlists for recipient addresses when possible.",
36
+ fixCode: '// Validate email before sending\nimport { z } from "zod";\nconst schema = z.object({ to: z.string().email(), subject: z.string().max(200) });\nconst data = schema.parse(input);',
37
+ compliance: ["SOC2:CC7.1"],
38
+ },
39
+ // Upstash Redis
40
+ {
41
+ id: "VG625",
42
+ name: "Upstash Redis URL Client Exposure",
43
+ severity: "critical",
44
+ owasp: "A07:2025 Sensitive Data Exposure",
45
+ description: "Upstash Redis REST URL or token exposed in client-side code. This gives full access to your Redis database.",
46
+ pattern: /["']use client["'][\s\S]{0,500}?(?:UPSTASH_REDIS_REST_URL|UPSTASH_REDIS_REST_TOKEN|KV_REST_API_URL|KV_REST_API_TOKEN)/g,
47
+ languages: ["javascript", "typescript"],
48
+ fix: "Use Upstash Redis only in server-side code.",
49
+ fixCode: '// Server-side only\nimport { Redis } from "@upstash/redis";\nconst redis = Redis.fromEnv(); // reads from env automatically',
50
+ compliance: ["SOC2:CC6.1"],
51
+ },
52
+ {
53
+ id: "VG626",
54
+ name: "Hardcoded Redis Connection String",
55
+ severity: "critical",
56
+ owasp: "A07:2025 Sensitive Data Exposure",
57
+ description: "Redis connection URL or token hardcoded in source code.",
58
+ pattern: /(?:redis|Redis|upstash)[\s\S]{0,100}?(?:url|token)\s*[:=]\s*["'](?:https?:\/\/|redis:\/\/|rediss:\/\/)[^"']{10,}["']/gi,
59
+ languages: ["javascript", "typescript"],
60
+ fix: "Use environment variables for Redis connection details.",
61
+ compliance: ["SOC2:CC6.1"],
62
+ },
63
+ {
64
+ id: "VG627",
65
+ name: "NEXT_PUBLIC Redis Credentials",
66
+ severity: "critical",
67
+ owasp: "A07:2025 Sensitive Data Exposure",
68
+ description: "Redis credentials exposed via NEXT_PUBLIC_ prefix.",
69
+ pattern: /NEXT_PUBLIC_\w*(?:REDIS|UPSTASH|KV)\w*(?:URL|TOKEN|SECRET)\s*=/gi,
70
+ languages: ["javascript", "typescript", "shell"],
71
+ fix: "Remove NEXT_PUBLIC_ prefix from Redis credentials. Access them only server-side.",
72
+ compliance: ["SOC2:CC6.1"],
73
+ },
74
+ // Pinecone
75
+ {
76
+ id: "VG630",
77
+ name: "Pinecone API Key Client Exposure",
78
+ severity: "critical",
79
+ owasp: "A07:2025 Sensitive Data Exposure",
80
+ description: "Pinecone API key exposed in client-side code. This gives full access to your vector database.",
81
+ pattern: /["']use client["'][\s\S]{0,500}?PINECONE_API_KEY/g,
82
+ languages: ["javascript", "typescript"],
83
+ fix: "Use Pinecone API key only in server-side code.",
84
+ compliance: ["SOC2:CC6.1"],
85
+ },
86
+ {
87
+ id: "VG631",
88
+ name: "NEXT_PUBLIC Pinecone Key",
89
+ severity: "critical",
90
+ owasp: "A07:2025 Sensitive Data Exposure",
91
+ description: "Pinecone API key exposed via NEXT_PUBLIC_ prefix.",
92
+ pattern: /NEXT_PUBLIC_\w*PINECONE\w*(?:KEY|SECRET|TOKEN)\s*=/gi,
93
+ languages: ["javascript", "typescript", "shell"],
94
+ fix: "Remove NEXT_PUBLIC_ prefix. Pinecone keys must be server-side only.",
95
+ compliance: ["SOC2:CC6.1"],
96
+ },
97
+ // PostHog
98
+ {
99
+ id: "VG635",
100
+ name: "PostHog Secret API Key Exposure",
101
+ severity: "critical",
102
+ owasp: "A07:2025 Sensitive Data Exposure",
103
+ description: "PostHog personal/secret API key exposed in client-side code. The project API key is safe to expose, but personal API keys grant full access.",
104
+ pattern: /["']use client["'][\s\S]{0,500}?(?:POSTHOG_PERSONAL_API_KEY|phx_[A-Za-z0-9]{20,})/g,
105
+ languages: ["javascript", "typescript"],
106
+ fix: "Only the PostHog project API key (phc_) should be in client code. Personal API keys (phx_) must be server-side only.",
107
+ fixCode: "# Safe to expose (project key)\nNEXT_PUBLIC_POSTHOG_KEY=phc_xxx\n\n# Server-side only (personal key)\nPOSTHOG_PERSONAL_API_KEY=phx_xxx",
108
+ compliance: ["SOC2:CC6.1"],
109
+ },
110
+ {
111
+ id: "VG636",
112
+ name: "Analytics PII Data Exposure",
113
+ severity: "high",
114
+ owasp: "A07:2025 Sensitive Data Exposure",
115
+ description: "Personally identifiable information (email, phone, SSN, credit card) sent to analytics. This violates GDPR/CCPA and platform terms.",
116
+ pattern: /(?:posthog|analytics|gtag|ga)\s*[\.\(][\s\S]{0,200}?(?:capture|track|identify|event|send)\s*\([\s\S]{0,300}?(?:email|phone|ssn|creditCard|password|socialSecurity)/gi,
117
+ languages: ["javascript", "typescript"],
118
+ fix: "Never send PII to analytics. Hash or anonymize user identifiers.",
119
+ fixCode: "// Anonymize before tracking\nposthog.identify(hashedUserId); // not email\nposthog.capture('purchase', { plan: 'pro', amount: 29 }); // no PII",
120
+ compliance: ["SOC2:CC6.1", "HIPAA:§164.312(a)"],
121
+ },
122
+ // Google Analytics
123
+ {
124
+ id: "VG637",
125
+ name: "Google Analytics PII Tracking",
126
+ severity: "high",
127
+ owasp: "A07:2025 Sensitive Data Exposure",
128
+ description: "PII data sent to Google Analytics. This violates Google's ToS and privacy regulations.",
129
+ pattern: /(?:gtag|ga|dataLayer\.push)\s*\([\s\S]{0,300}?(?:email|user_email|phone|ssn|password)/gi,
130
+ languages: ["javascript", "typescript"],
131
+ fix: "Never send PII to Google Analytics. Use anonymous IDs.",
132
+ compliance: ["SOC2:CC6.1"],
133
+ },
134
+ ];
135
+ //# sourceMappingURL=services.js.map
package/build/data/rules/services.js.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"services.js","sourceRoot":"","sources":["../../../src/data/rules/services.ts"],"names":[],"mappings":"AAEA,MAAM,CAAC,MAAM,YAAY,GAAmB;IAC1C,eAAe;IACf;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,gCAAgC;QACtC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,kGAAkG;QAC/G,OAAO,EAAE,yEAAyE;QAClF,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,6EAA6E;QAClF,OAAO,EAAE,yGAAyG;QAClH,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,0BAA0B;QAChC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,0CAA0C;QACvD,OAAO,EAAE,uDAAuD;QAChE,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,8CAA8C;QACnD,OAAO,EAAE,wDAAwD;QACjE,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,yBAAyB;QAC/B,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EAAE,kIAAkI;QAC/I,OAAO,EAAE,0IAA0I;QACnJ,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,+FAA+F;QACpG,OAAO,EAAE,mLAAmL;QAC5L,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IAED,gBAAgB;IAChB;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,mCAAmC;QACzC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,6GAA6G;QAC1H,OAAO,EAAE,wHAAwH;QACjI,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,6CAA6C;QAClD,OAAO,EAAE,8HAA8H;QACvI,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,mCAAmC;QACzC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,yDAAyD;QACtE,OAAO,EAAE,wHAAwH;QACjI,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,yDAAyD;QAC9D,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,+BAA+B;QACrC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,oDAAoD;QACjE,OAAO,EAAE,kEAAkE;QAC3E,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,OAAO,CAAC;QAChD,GAAG,EAAE,kFAAkF;QACvF,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IAED,WAAW;IACX;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,kCAAkC;QACxC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,+FAA+F;QAC5G,OAAO,EAAE,mDAAmD;QAC5D,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,gDAAgD;QACrD,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,0BAA0B;QAChC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,mDAAmD;QAChE,OAAO,EAAE,sDAAsD;QAC/D,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,OAAO,CAAC;QAChD,GAAG,EAAE,qEAAqE;QAC1E,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IAED,UAAU;IACV;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,iCAAiC;QACvC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,8IAA8I;QAC3J,OAAO,EAAE,oFAAoF;QAC7F,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,sHAAsH;QAC3H,OAAO,EAAE,wIAAwI;QACjJ,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,6BAA6B;QACnC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,qIAAqI;QAClJ,OAAO,EAAE,sKAAsK;QAC/K,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,kEAAkE;QACvE,OAAO,EAAE,iJAAiJ;QAC1J,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;IAED,mBAAmB;IACnB;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,+BAA+B;QACrC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,wFAAwF;QACrG,OAAO,EAAE,yFAAyF;QAClG,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,wDAAwD;QAC7D,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;CACF,CAAC"}
package/build/data/rules/web-security.d.ts ADDED
@@ -0,0 +1,3 @@
1
+ import type { SecurityRule } from "./types.js";
2
+ export declare const webSecurityRules: SecurityRule[];
3
+ //# sourceMappingURL=web-security.d.ts.map
package/build/data/rules/web-security.d.ts.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"web-security.d.ts","sourceRoot":"","sources":["../../../src/data/rules/web-security.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAE/C,eAAO,MAAM,gBAAgB,EAAE,YAAY,EA4K1C,CAAC"}
package/build/data/rules/web-security.js ADDED
@@ -0,0 +1,169 @@
1
+ export const webSecurityRules = [
2
+ // Webhook Security
3
+ {
4
+ id: "VG650",
5
+ name: "Webhook Missing Signature Verification",
6
+ severity: "high",
7
+ owasp: "A01:2025 Broken Access Control",
8
+ description: "Webhook endpoint processes incoming events without verifying the request signature. Attackers can send forged events.",
9
+ pattern: /(?:\/api\/webhook|\/webhook)[\s\S]*?export\s+(?:async\s+)?function\s+POST\s*\([^)]*\)\s*\{(?:(?!verify|signature|hmac|crypto|constructEvent|svix|webhookSecret)[\s\S])*?\}/g,
10
+ languages: ["javascript", "typescript"],
11
+ fix: "Always verify webhook signatures before processing events.",
12
+ fixCode: "// Verify webhook signature\nimport crypto from 'crypto';\nconst sig = request.headers.get('x-webhook-signature');\nconst expected = crypto.createHmac('sha256', process.env.WEBHOOK_SECRET!)\n .update(body).digest('hex');\nif (sig !== expected) return new Response('Unauthorized', { status: 401 });",
13
+ compliance: ["SOC2:CC6.6"],
14
+ },
15
+ {
16
+ id: "VG651",
17
+ name: "Webhook Secret Hardcoded",
18
+ severity: "critical",
19
+ owasp: "A07:2025 Sensitive Data Exposure",
20
+ description: "Webhook signing secret hardcoded in source code.",
21
+ pattern: /(?:webhook_?secret|signing_?secret|whsec_)\s*[:=]\s*["'][A-Za-z0-9_\-]{12,}["']/gi,
22
+ languages: ["javascript", "typescript"],
23
+ fix: "Use environment variables for webhook secrets.",
24
+ compliance: ["SOC2:CC6.1"],
25
+ },
26
+ // .env Security
27
+ {
28
+ id: "VG655",
29
+ name: "Sensitive Env Var in NEXT_PUBLIC",
30
+ severity: "critical",
31
+ owasp: "A07:2025 Sensitive Data Exposure",
32
+ description: "A sensitive service credential is exposed via NEXT_PUBLIC_ prefix. NEXT_PUBLIC_ variables are embedded in the client JavaScript bundle.",
33
+ pattern: /NEXT_PUBLIC_\w*(?:SECRET|PRIVATE|SERVICE_ROLE|API_KEY|ACCESS_TOKEN|AUTH_TOKEN|SIGNING|WEBHOOK)\w*\s*=/gi,
34
+ languages: ["shell", "javascript", "typescript"],
35
+ fix: "Remove NEXT_PUBLIC_ prefix from sensitive credentials. Access them only in server-side code.",
36
+ compliance: ["SOC2:CC6.1", "PCI-DSS:Req2.3"],
37
+ },
38
+ {
39
+ id: "VG656",
40
+ name: ".env File Committed to Git",
41
+ severity: "critical",
42
+ owasp: "A07:2025 Sensitive Data Exposure",
43
+ description: ".env file with secrets appears to be tracked by git. Secrets will be visible in repository history.",
44
+ pattern: /^(?:SUPABASE_SERVICE_ROLE_KEY|STRIPE_SECRET_KEY|DATABASE_URL|RESEND_API_KEY|OPENAI_API_KEY|ANTHROPIC_API_KEY|CLERK_SECRET_KEY|AUTH_SECRET|NEXTAUTH_SECRET)\s*=\s*\S{10,}/gm,
45
+ languages: ["shell"],
46
+ fix: "Add .env* to .gitignore immediately. Rotate any exposed secrets.",
47
+ fixCode: "# .gitignore\n.env\n.env.*\n.env.local\n!.env.example",
48
+ compliance: ["SOC2:CC6.1", "PCI-DSS:Req2.3", "HIPAA:§164.312(a)"],
49
+ },
50
+ {
51
+ id: "VG657",
52
+ name: ".env.example Contains Real Secrets",
53
+ severity: "high",
54
+ owasp: "A07:2025 Sensitive Data Exposure",
55
+ description: ".env.example file contains what appears to be real secret values instead of placeholders.",
56
+ pattern: /(?:SECRET|KEY|TOKEN|PASSWORD)\w*\s*=\s*(?:sk_live_|sk_test_|re_|whsec_|phx_|AKIA|ghp_|gho_)[A-Za-z0-9]{10,}/g,
57
+ languages: ["shell"],
58
+ fix: "Replace real values in .env.example with placeholders.",
59
+ fixCode: "# .env.example — use placeholders\nSTRIPE_SECRET_KEY=sk_test_your_key_here\nRESEND_API_KEY=re_your_key_here",
60
+ compliance: ["SOC2:CC6.1"],
61
+ },
62
+ // SEO / Meta Security
63
+ {
64
+ id: "VG660",
65
+ name: "Open Redirect in Meta Tags",
66
+ severity: "medium",
67
+ owasp: "A01:2025 Broken Access Control",
68
+ description: "Dynamic user input used in meta refresh or og:url tags. Can be used for phishing via open redirect.",
69
+ pattern: /(?:meta.*?(?:refresh|og:url)|(?:openGraph|twitter)[\s\S]{0,200}?url)\s*[:=]\s*(?:params|searchParams|query|req\.|request\.)/gi,
70
+ languages: ["javascript", "typescript"],
71
+ fix: "Validate and sanitize URLs used in meta tags. Use allowlists for domains.",
72
+ compliance: ["SOC2:CC6.6"],
73
+ },
74
+ {
75
+ id: "VG661",
76
+ name: "Sensitive Path in robots.txt",
77
+ severity: "medium",
78
+ owasp: "A05:2025 Security Misconfiguration",
79
+ description: "robots.txt disallows sensitive paths, revealing their existence to attackers. Disallow does not prevent access.",
80
+ pattern: /Disallow:\s*\/(?:admin|dashboard|internal|staging|debug|phpMyAdmin|\.env|backup|api\/internal)/gi,
81
+ languages: ["shell"],
82
+ fix: "Don't rely on robots.txt for security. Use authentication to protect sensitive paths. robots.txt is publicly readable.",
83
+ compliance: ["SOC2:CC6.6"],
84
+ },
85
+ {
86
+ id: "VG662",
87
+ name: "Source Map Publicly Accessible",
88
+ severity: "medium",
89
+ owasp: "A05:2025 Security Misconfiguration",
90
+ description: "Source maps are generated for production builds, exposing original source code.",
91
+ pattern: /productionBrowserSourceMaps\s*:\s*true/g,
92
+ languages: ["javascript", "typescript"],
93
+ fix: "Set productionBrowserSourceMaps to false in next.config.",
94
+ fixCode: "// next.config.ts\nmodule.exports = {\n productionBrowserSourceMaps: false,\n};",
95
+ compliance: ["SOC2:CC6.1"],
96
+ },
97
+ // GitHub / Git Security
98
+ {
99
+ id: "VG665",
100
+ name: "GitHub Token Hardcoded",
101
+ severity: "critical",
102
+ owasp: "A07:2025 Sensitive Data Exposure",
103
+ description: "GitHub personal access token or app token hardcoded in source code.",
104
+ pattern: /(?:github_?token|gh_?token|GITHUB_TOKEN)\s*[:=]\s*["'](?:ghp_|gho_|ghu_|ghs_|ghr_|github_pat_)[A-Za-z0-9_]{10,}["']/gi,
105
+ languages: ["javascript", "typescript", "python", "shell"],
106
+ fix: "Use environment variables for GitHub tokens.",
107
+ compliance: ["SOC2:CC6.1"],
108
+ },
109
+ // Cloudflare
110
+ {
111
+ id: "VG670",
112
+ name: "Cloudflare API Token Client Exposure",
113
+ severity: "critical",
114
+ owasp: "A07:2025 Sensitive Data Exposure",
115
+ description: "Cloudflare API token or key exposed in client-side code.",
116
+ pattern: /["']use client["'][\s\S]{0,500}?(?:CLOUDFLARE_API_TOKEN|CF_API_TOKEN|CLOUDFLARE_API_KEY)/g,
117
+ languages: ["javascript", "typescript"],
118
+ fix: "Use Cloudflare API tokens only in server-side code.",
119
+ compliance: ["SOC2:CC6.1"],
120
+ },
121
+ {
122
+ id: "VG671",
123
+ name: "NEXT_PUBLIC Cloudflare Credentials",
124
+ severity: "critical",
125
+ owasp: "A07:2025 Sensitive Data Exposure",
126
+ description: "Cloudflare API credentials exposed via NEXT_PUBLIC_ prefix.",
127
+ pattern: /NEXT_PUBLIC_\w*(?:CLOUDFLARE|CF)\w*(?:API|TOKEN|KEY|SECRET)\s*=/gi,
128
+ languages: ["javascript", "typescript", "shell"],
129
+ fix: "Remove NEXT_PUBLIC_ prefix from Cloudflare credentials.",
130
+ compliance: ["SOC2:CC6.1"],
131
+ },
132
+ // OpenAI / AI Keys
133
+ {
134
+ id: "VG675",
135
+ name: "AI API Key Client Exposure",
136
+ severity: "critical",
137
+ owasp: "A07:2025 Sensitive Data Exposure",
138
+ description: "AI provider API key (OpenAI, Anthropic, Google AI) exposed in client-side code. These keys have direct cost implications.",
139
+ pattern: /["']use client["'][\s\S]{0,500}?(?:OPENAI_API_KEY|ANTHROPIC_API_KEY|GOOGLE_AI_API_KEY|GOOGLE_GENERATIVE_AI_API_KEY)/g,
140
+ languages: ["javascript", "typescript"],
141
+ fix: "Use AI API keys only in server-side code. Use API routes to proxy AI requests.",
142
+ fixCode: "// Server-side only (API route)\nimport OpenAI from 'openai';\nconst openai = new OpenAI(); // reads OPENAI_API_KEY from env",
143
+ compliance: ["SOC2:CC6.1"],
144
+ },
145
+ {
146
+ id: "VG676",
147
+ name: "NEXT_PUBLIC AI API Key",
148
+ severity: "critical",
149
+ owasp: "A07:2025 Sensitive Data Exposure",
150
+ description: "AI provider API key exposed via NEXT_PUBLIC_ prefix. Anyone can use your AI credits.",
151
+ pattern: /NEXT_PUBLIC_\w*(?:OPENAI|ANTHROPIC|GOOGLE_AI|GEMINI|COHERE|REPLICATE)\w*(?:KEY|TOKEN|SECRET)\s*=/gi,
152
+ languages: ["javascript", "typescript", "shell"],
153
+ fix: "Remove NEXT_PUBLIC_ prefix from AI API keys. Route AI requests through server-side API routes.",
154
+ compliance: ["SOC2:CC6.1"],
155
+ },
156
+ {
157
+ id: "VG677",
158
+ name: "Hardcoded AI API Key",
159
+ severity: "critical",
160
+ owasp: "A07:2025 Sensitive Data Exposure",
161
+ description: "AI provider API key hardcoded in source code.",
162
+ pattern: /(?:openai|OpenAI|anthropic|Anthropic)\s*\(\s*\{\s*apiKey\s*:\s*["'](?:sk-|sk-ant-)[A-Za-z0-9\-]{10,}["']/g,
163
+ languages: ["javascript", "typescript"],
164
+ fix: "Use environment variables for AI API keys.",
165
+ fixCode: "// Reads from OPENAI_API_KEY env automatically\nconst openai = new OpenAI();",
166
+ compliance: ["SOC2:CC6.1"],
167
+ },
168
+ ];
169
+ //# sourceMappingURL=web-security.js.map
package/build/data/rules/web-security.js.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"web-security.js","sourceRoot":"","sources":["../../../src/data/rules/web-security.ts"],"names":[],"mappings":"AAEA,MAAM,CAAC,MAAM,gBAAgB,GAAmB;IAC9C,mBAAmB;IACnB;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,wCAAwC;QAC9C,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EAAE,uHAAuH;QACpI,OAAO,EAAE,6KAA6K;QACtL,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,4DAA4D;QACjE,OAAO,EAAE,4SAA4S;QACrT,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,0BAA0B;QAChC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,kDAAkD;QAC/D,OAAO,EAAE,mFAAmF;QAC5F,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,gDAAgD;QACrD,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IAED,gBAAgB;IAChB;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,kCAAkC;QACxC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,yIAAyI;QACtJ,OAAO,EAAE,yGAAyG;QAClH,SAAS,EAAE,CAAC,OAAO,EAAE,YAAY,EAAE,YAAY,CAAC;QAChD,GAAG,EAAE,8FAA8F;QACnG,UAAU,EAAE,CAAC,YAAY,EAAE,gBAAgB,CAAC;KAC7C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,4BAA4B;QAClC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,qGAAqG;QAClH,OAAO,EAAE,4KAA4K;QACrL,SAAS,EAAE,CAAC,OAAO,CAAC;QACpB,GAAG,EAAE,kEAAkE;QACvE,OAAO,EAAE,uDAAuD;QAChE,UAAU,EAAE,CAAC,YAAY,EAAE,gBAAgB,EAAE,mBAAmB,CAAC;KAClE;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,oCAAoC;QAC1C,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,2FAA2F;QACxG,OAAO,EAAE,8GAA8G;QACvH,SAAS,EAAE,CAAC,OAAO,CAAC;QACpB,GAAG,EAAE,wDAAwD;QAC7D,OAAO,EAAE,6GAA6G;QACtH,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IAED,sBAAsB;IACtB;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,4BAA4B;QAClC,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EAAE,qGAAqG;QAClH,OAAO,EAAE,+HAA+H;QACxI,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,2EAA2E;QAChF,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,8BAA8B;QACpC,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EAAE,iHAAiH;QAC9H,OAAO,EAAE,kGAAkG;QAC3G,SAAS,EAAE,CAAC,OAAO,CAAC;QACpB,GAAG,EAAE,wHAAwH;QAC7H,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,gCAAgC;QACtC,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EAAE,iFAAiF;QAC9F,OAAO,EAAE,yCAAyC;QAClD,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,0DAA0D;QAC/D,OAAO,EAAE,kFAAkF;QAC3F,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IAED,wBAAwB;IACxB;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,wBAAwB;QAC9B,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,qEAAqE;QAClF,OAAO,EAAE,uHAAuH;QAChI,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,EAAE,OAAO,CAAC;QAC1D,GAAG,EAAE,8CAA8C;QACnD,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IAED,aAAa;IACb;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,sCAAsC;QAC5C,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,0DAA0D;QACvE,OAAO,EAAE,2FAA2F;QACpG,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,qDAAqD;QAC1D,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,oCAAoC;QAC1C,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,6DAA6D;QAC1E,OAAO,EAAE,mEAAmE;QAC5E,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,OAAO,CAAC;QAChD,GAAG,EAAE,yDAAyD;QAC9D,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IAED,mBAAmB;IACnB;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,4BAA4B;QAClC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,2HAA2H;QACxI,OAAO,EAAE,sHAAsH;QAC/H,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,gFAAgF;QACrF,OAAO,EAAE,8HAA8H;QACvI,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,wBAAwB;QAC9B,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,sFAAsF;QACnG,OAAO,EAAE,oGAAoG;QAC7G,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,OAAO,CAAC;QAChD,GAAG,EAAE,gGAAgG;QACrG,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,sBAAsB;QAC5B,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,+CAA+C;QAC5D,OAAO,EAAE,2GAA2G;QACpH,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,4CAA4C;QACjD,OAAO,EAAE,8EAA8E;QACvF,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;CACF,CAAC"}
package/build/index.js CHANGED
@@ -18,7 +18,7 @@ import { builtinRules } from "./data/rules/index.js";
18
18
  import { loadConfig } from "./utils/config.js";
19
19
  const server = new McpServer({
20
20
  name: "guardvibe",
21
- version: "0.8.2",
21
+ version: "0.9.0",
22
22
  });
23
23
  // Tool 1: Analyze code for security vulnerabilities
24
24
  server.tool("check_code", "Analyze code for security vulnerabilities (OWASP Top 10, XSS, SQL injection, insecure patterns). Use this when reviewing or writing code to catch security issues early.", {
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "guardvibe",
3
- "version": "0.8.2",
3
+ "version": "0.9.0",
4
4
  "description": "Local-first security MCP for vibe coding. Focused on TypeScript, JavaScript, Python, Go, Dockerfile, YAML, and Terraform.",
5
5
  "type": "module",
6
6
  "bin": {