guardvibe 0.9.4 → 0.10.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +4 -4
- package/build/data/rules/auth.d.ts.map +1 -1
- package/build/data/rules/auth.js +84 -0
- package/build/data/rules/auth.js.map +1 -1
- package/build/data/rules/firebase.d.ts +3 -0
- package/build/data/rules/firebase.d.ts.map +1 -0
- package/build/data/rules/firebase.js +86 -0
- package/build/data/rules/firebase.js.map +1 -0
- package/build/data/rules/index.d.ts.map +1 -1
- package/build/data/rules/index.js +6 -0
- package/build/data/rules/index.js.map +1 -1
- package/build/data/rules/nextjs.js +3 -3
- package/build/data/rules/nextjs.js.map +1 -1
- package/build/data/rules/other-services.d.ts +3 -0
- package/build/data/rules/other-services.d.ts.map +1 -0
- package/build/data/rules/other-services.js +63 -0
- package/build/data/rules/other-services.js.map +1 -0
- package/build/data/rules/react-native.d.ts +3 -0
- package/build/data/rules/react-native.d.ts.map +1 -0
- package/build/data/rules/react-native.js +120 -0
- package/build/data/rules/react-native.js.map +1 -0
- package/build/index.js +1 -1
- package/build/index.js.map +1 -1
- package/package.json +2 -2
package/README.md
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
# GuardVibe
|
|
2
2
|
|
|
3
|
-
**The security MCP built for vibe coding.**
|
|
3
|
+
**The security MCP built for vibe coding.** 127 security rules covering the entire vibe coder journey — from first line of code to production deployment.
|
|
4
4
|
|
|
5
5
|
Works with **Claude Code, Cursor, Gemini CLI, Codex, Windsurf**, and any MCP-compatible coding agent.
|
|
6
6
|
|
|
@@ -8,7 +8,7 @@ Works with **Claude Code, Cursor, Gemini CLI, Codex, Windsurf**, and any MCP-com
|
|
|
8
8
|
|
|
9
9
|
Most security tools are built for enterprise security teams. GuardVibe is built for **you** — the developer using AI to build and ship web apps fast.
|
|
10
10
|
|
|
11
|
-
- **
|
|
11
|
+
- **127 security rules** purpose-built for the stacks AI agents generate
|
|
12
12
|
- **Zero setup friction** — `npx guardvibe` and you're scanning
|
|
13
13
|
- **No account required** — runs 100% locally, no API keys, no cloud
|
|
14
14
|
- **Understands your stack** — not generic SAST, but rules that know Next.js, Supabase, Stripe, Clerk, and the tools you actually use
|
|
@@ -21,7 +21,7 @@ Most security tools are built for enterprise security teams. GuardVibe is built
|
|
|
21
21
|
Next.js App Router, Server Actions, Server Components, React, Express, FastAPI, Go
|
|
22
22
|
|
|
23
23
|
### Authentication
|
|
24
|
-
Clerk, Auth.js (NextAuth), Supabase Auth — middleware checks, secret exposure, session handling
|
|
24
|
+
Clerk, Auth.js (NextAuth), Supabase Auth — middleware checks, secret exposure, session handling, SSR cookie auth, admin method protection, email confirmation, callback code exchange
|
|
25
25
|
|
|
26
26
|
### Database
|
|
27
27
|
Supabase (RLS, anon vs service role), Prisma (raw query injection), Drizzle (SQL injection)
|
|
@@ -108,7 +108,7 @@ All scanning tools support `format: "json"` for machine-readable output.
|
|
|
108
108
|
|----------|-------|----------|
|
|
109
109
|
| Core OWASP | 20 | SQL injection, XSS, CSRF, command injection, eval, CORS, SSRF |
|
|
110
110
|
| Next.js App Router | 12 | Server Actions, secret exposure, auth bypass, redirects |
|
|
111
|
-
| Auth (Clerk / Auth.js) |
|
|
111
|
+
| Auth (Clerk / Auth.js / Supabase Auth) | 14 | Middleware, secret keys, session storage, role checks, SSR cookies, admin protection, email confirmation |
|
|
112
112
|
| Database (Supabase / Prisma / Drizzle) | 7 | Raw queries, client exposure, service role leaks |
|
|
113
113
|
| Deployment Config | 16 | Vercel, Next.js config, Docker Compose, Fly, Render, Netlify |
|
|
114
114
|
| Payments (Stripe / Polar / Lemon) | 9 | Webhook signatures, key exposure, price manipulation |
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../../src/data/rules/auth.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAG/C,eAAO,MAAM,SAAS,EAAE,YAAY,
|
|
1
|
+
{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../../src/data/rules/auth.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAG/C,eAAO,MAAM,SAAS,EAAE,YAAY,EA4MnC,CAAC"}
|
package/build/data/rules/auth.js
CHANGED
|
@@ -87,5 +87,89 @@ export const authRules = [
|
|
|
87
87
|
fixCode: '// CORRECT: validates with Auth server\nconst { data: { user }, error } = await supabase.auth.getUser();\nif (error || !user) throw new Error("Unauthorized");',
|
|
88
88
|
compliance: ["SOC2:CC6.6"],
|
|
89
89
|
},
|
|
90
|
+
// Supabase Auth specific rules
|
|
91
|
+
{
|
|
92
|
+
id: "VG440",
|
|
93
|
+
name: "Supabase Auth Signup Without Email Confirmation",
|
|
94
|
+
severity: "high",
|
|
95
|
+
owasp: "A01:2025 Broken Access Control",
|
|
96
|
+
description: "Supabase signUp is called but the app may not enforce email confirmation. Without it, anyone can sign up with a fake email and access the app.",
|
|
97
|
+
pattern: /supabase\.auth\.signUp\s*\(\s*\{[\s\S]{0,300}?(?![\s\S]{0,300}?(?:emailConfirm|email_confirm|confirmEmail|emailRedirectTo))/g,
|
|
98
|
+
languages: ["javascript", "typescript"],
|
|
99
|
+
fix: "Enable email confirmation in Supabase dashboard (Authentication > Settings > Enable email confirmations) and handle the confirmation flow.",
|
|
100
|
+
fixCode: '// Sign up with email redirect for confirmation\nconst { data, error } = await supabase.auth.signUp({\n email,\n password,\n options: {\n emailRedirectTo: `${origin}/auth/callback`,\n },\n});',
|
|
101
|
+
compliance: ["SOC2:CC6.6"],
|
|
102
|
+
},
|
|
103
|
+
{
|
|
104
|
+
id: "VG441",
|
|
105
|
+
name: "Supabase Auth Callback Missing Code Exchange",
|
|
106
|
+
severity: "high",
|
|
107
|
+
owasp: "A01:2025 Broken Access Control",
|
|
108
|
+
description: "Supabase Auth callback route does not exchange the auth code for a session. Without this, OAuth and magic link logins will not work correctly.",
|
|
109
|
+
pattern: /\/auth\/callback[\s\S]*?export\s+(?:async\s+)?function\s+GET\s*\([^)]*\)\s*\{(?:(?!exchangeCodeForSession|code)[\s\S])*?\}/g,
|
|
110
|
+
languages: ["javascript", "typescript"],
|
|
111
|
+
fix: "Exchange the auth code for a session in your callback route.",
|
|
112
|
+
fixCode: '// app/auth/callback/route.ts\nimport { createClient } from "@/utils/supabase/server";\nimport { NextResponse } from "next/server";\n\nexport async function GET(request: Request) {\n const { searchParams, origin } = new URL(request.url);\n const code = searchParams.get("code");\n if (code) {\n const supabase = await createClient();\n await supabase.auth.exchangeCodeForSession(code);\n }\n return NextResponse.redirect(`${origin}/dashboard`);\n}',
|
|
113
|
+
compliance: ["SOC2:CC6.6"],
|
|
114
|
+
},
|
|
115
|
+
{
|
|
116
|
+
id: "VG442",
|
|
117
|
+
name: "Supabase createClient Without SSR Cookie Handling",
|
|
118
|
+
severity: "high",
|
|
119
|
+
owasp: "A01:2025 Broken Access Control",
|
|
120
|
+
description: "Using @supabase/supabase-js createClient directly in Next.js server code instead of @supabase/ssr. Without cookie-based auth, the server has no access to the user session.",
|
|
121
|
+
pattern: /import\s*\{[^}]*createClient[^}]*\}\s*from\s*["']@supabase\/supabase-js["'][\s\S]{0,300}?(?:cookies|headers|NextRequest|NextResponse|getServerSession)/g,
|
|
122
|
+
languages: ["javascript", "typescript"],
|
|
123
|
+
fix: "Use @supabase/ssr for server-side Supabase client in Next.js. It handles cookie-based auth automatically.",
|
|
124
|
+
fixCode: '// utils/supabase/server.ts\nimport { createServerClient } from "@supabase/ssr";\nimport { cookies } from "next/headers";\n\nexport async function createClient() {\n const cookieStore = await cookies();\n return createServerClient(\n process.env.NEXT_PUBLIC_SUPABASE_URL!,\n process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!,\n { cookies: { getAll: () => cookieStore.getAll(), setAll: (c) => c.forEach(({ name, value, options }) => cookieStore.set(name, value, options)) } }\n );\n}',
|
|
125
|
+
compliance: ["SOC2:CC6.6"],
|
|
126
|
+
},
|
|
127
|
+
{
|
|
128
|
+
id: "VG443",
|
|
129
|
+
name: "Supabase Auth Admin Methods in Client Code",
|
|
130
|
+
severity: "critical",
|
|
131
|
+
owasp: "A01:2025 Broken Access Control",
|
|
132
|
+
description: "Supabase admin auth methods (admin.deleteUser, admin.listUsers, admin.createUser) are used in client-side code. These require the service role key and should never run in the browser.",
|
|
133
|
+
pattern: /["']use client["'][\s\S]{0,500}?supabase\.auth\.admin\.\w+\s*\(/g,
|
|
134
|
+
languages: ["javascript", "typescript"],
|
|
135
|
+
fix: "Use Supabase admin auth methods only in server-side code with the service role key.",
|
|
136
|
+
fixCode: '// Server-side only (API route or Server Action)\nconst supabaseAdmin = createClient(url, process.env.SUPABASE_SERVICE_ROLE_KEY!);\nawait supabaseAdmin.auth.admin.deleteUser(userId);',
|
|
137
|
+
compliance: ["SOC2:CC6.6", "HIPAA:§164.312(d)"],
|
|
138
|
+
},
|
|
139
|
+
{
|
|
140
|
+
id: "VG444",
|
|
141
|
+
name: "Supabase Auth Password in URL",
|
|
142
|
+
severity: "high",
|
|
143
|
+
owasp: "A07:2025 Sensitive Data Exposure",
|
|
144
|
+
description: "Password sent via URL query parameter to Supabase auth. Passwords in URLs are logged by browsers, proxies, and servers.",
|
|
145
|
+
pattern: /(?:signInWithPassword|signUp)[\s\S]{0,200}?(?:searchParams|query|req\.query|params)[\s\S]{0,100}?password/gi,
|
|
146
|
+
languages: ["javascript", "typescript"],
|
|
147
|
+
fix: "Always send passwords via POST request body, never in URL parameters.",
|
|
148
|
+
compliance: ["SOC2:CC6.1", "PCI-DSS:Req8"],
|
|
149
|
+
},
|
|
150
|
+
{
|
|
151
|
+
id: "VG445",
|
|
152
|
+
name: "Supabase Auth Token Stored in localStorage",
|
|
153
|
+
severity: "high",
|
|
154
|
+
owasp: "A07:2025 Sensitive Data Exposure",
|
|
155
|
+
description: "Manually storing Supabase auth tokens in localStorage instead of letting the Supabase client handle storage. This is vulnerable to XSS attacks.",
|
|
156
|
+
pattern: /localStorage\.setItem\s*\([\s\S]{0,100}?(?:supabase|sb_|access_token|refresh_token)[\s\S]{0,100}?(?:session|token|access|refresh)/gi,
|
|
157
|
+
languages: ["javascript", "typescript"],
|
|
158
|
+
fix: "Let the Supabase client handle token storage automatically. For SSR, use @supabase/ssr with cookie-based auth.",
|
|
159
|
+
fixCode: "// Don't manually store tokens\n// The Supabase client handles this automatically\nconst supabase = createBrowserClient(\n process.env.NEXT_PUBLIC_SUPABASE_URL!,\n process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY!\n);",
|
|
160
|
+
compliance: ["SOC2:CC6.1"],
|
|
161
|
+
},
|
|
162
|
+
{
|
|
163
|
+
id: "VG446",
|
|
164
|
+
name: "Supabase Auth Missing Middleware",
|
|
165
|
+
severity: "high",
|
|
166
|
+
owasp: "A01:2025 Broken Access Control",
|
|
167
|
+
description: "Next.js project uses Supabase Auth but middleware.ts/proxy.ts does not refresh the Supabase session. Without this, sessions expire and users get unexpectedly logged out.",
|
|
168
|
+
pattern: /(?:middleware|proxy)\.(?:ts|js)[\s\S]*?export\s+(?:async\s+)?function\s+middleware[\s\S]*?(?![\s\S]*?(?:supabase|createServerClient|updateSession))/g,
|
|
169
|
+
languages: ["javascript", "typescript"],
|
|
170
|
+
fix: "Add Supabase session refresh to your middleware.",
|
|
171
|
+
fixCode: '// middleware.ts\nimport { createServerClient } from "@supabase/ssr";\nimport { NextResponse, type NextRequest } from "next/server";\n\nexport async function middleware(request: NextRequest) {\n const response = NextResponse.next();\n const supabase = createServerClient(url, anonKey, {\n cookies: { /* cookie handlers */ }\n });\n await supabase.auth.getUser(); // refreshes session\n return response;\n}',
|
|
172
|
+
compliance: ["SOC2:CC6.6"],
|
|
173
|
+
},
|
|
90
174
|
];
|
|
91
175
|
//# sourceMappingURL=auth.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"auth.js","sourceRoot":"","sources":["../../../src/data/rules/auth.ts"],"names":[],"mappings":"AAEA,+DAA+D;AAC/D,MAAM,CAAC,MAAM,SAAS,GAAmB;IACvC;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,2BAA2B;QACjC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,8FAA8F;QAChG,OAAO,EACL,kPAAkP;QACpP,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,kFAAkF;QACvF,OAAO,EACL,iOAAiO;QACnO,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,EAAE,mBAAmB,CAAC;KACrE;IACD,8EAA8E;IAC9E,mFAAmF;IACnF,uEAAuE;IACvE;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,kCAAkC;QACxC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,0GAA0G;QAC5G,OAAO,EAAE,mDAAmD;QAC5D,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,sFAAsF;QAC3F,OAAO,EACL,gIAAgI;QAClI,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,0BAA0B;QAChC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,2GAA2G;QAC7G,OAAO,EAAE,6DAA6D;QACtE,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,4EAA4E;QACjF,OAAO,EACL,yHAAyH;QAC3H,UAAU,EAAE,CAAC,YAAY,EAAE,gBAAgB,CAAC;KAC7C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,+BAA+B;QACrC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,8IAA8I;QAChJ,OAAO,EACL,4FAA4F;QAC9F,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,iFAAiF;QACtF,OAAO,EACL,iKAAiK;QACnK,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,6BAA6B;QACnC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,gIAAgI;QAClI,OAAO,EACL,6GAA6G;QAC/G,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,iEAAiE;QACtE,OAAO,EACL,+MAA+M;QACjN,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,mCAAmC;QACzC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,4EAA4E;QAC9E,OAAO,EACL,uNAAuN;QACzN,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,2DAA2D;QAChE,OAAO,EACL,8NAA8N;QAChO,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,wCAAwC;QAC9C,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,6JAA6J;QAC/J,OAAO,EAAE,kCAAkC;QAC3C,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,iDAAiD;QACtD,OAAO,EACL,gKAAgK;QAClK,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;CACF,CAAC"}
|
|
1
|
+
{"version":3,"file":"auth.js","sourceRoot":"","sources":["../../../src/data/rules/auth.ts"],"names":[],"mappings":"AAEA,+DAA+D;AAC/D,MAAM,CAAC,MAAM,SAAS,GAAmB;IACvC;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,2BAA2B;QACjC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,8FAA8F;QAChG,OAAO,EACL,kPAAkP;QACpP,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,kFAAkF;QACvF,OAAO,EACL,iOAAiO;QACnO,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,EAAE,mBAAmB,CAAC;KACrE;IACD,8EAA8E;IAC9E,mFAAmF;IACnF,uEAAuE;IACvE;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,kCAAkC;QACxC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,0GAA0G;QAC5G,OAAO,EAAE,mDAAmD;QAC5D,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,sFAAsF;QAC3F,OAAO,EACL,gIAAgI;QAClI,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,0BAA0B;QAChC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,2GAA2G;QAC7G,OAAO,EAAE,6DAA6D;QACtE,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,4EAA4E;QACjF,OAAO,EACL,yHAAyH;QAC3H,UAAU,EAAE,CAAC,YAAY,EAAE,gBAAgB,CAAC;KAC7C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,+BAA+B;QACrC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,8IAA8I;QAChJ,OAAO,EACL,4FAA4F;QAC9F,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,iFAAiF;QACtF,OAAO,EACL,iKAAiK;QACnK,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,6BAA6B;QACnC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,gIAAgI;QAClI,OAAO,EACL,6GAA6G;QAC/G,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,iEAAiE;QACtE,OAAO,EACL,+MAA+M;QACjN,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,mCAAmC;QACzC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,4EAA4E;QAC9E,OAAO,EACL,uNAAuN;QACzN,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,2DAA2D;QAChE,OAAO,EACL,8NAA8N;QAChO,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,wCAAwC;QAC9C,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,6JAA6J;QAC/J,OAAO,EAAE,kCAAkC;QAC3C,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,iDAAiD;QACtD,OAAO,EACL,gKAAgK;QAClK,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IAED,+BAA+B;IAC/B;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,iDAAiD;QACvD,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,gJAAgJ;QAClJ,OAAO,EAAE,8HAA8H;QACvI,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,4IAA4I;QACjJ,OAAO,EACL,wMAAwM;QAC1M,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,8CAA8C;QACpD,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,gJAAgJ;QAClJ,OAAO,EAAE,6HAA6H;QACtI,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,8DAA8D;QACnE,OAAO,EACL,4cAA4c;QAC9c,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,mDAAmD;QACzD,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,6KAA6K;QAC/K,OAAO,EAAE,yJAAyJ;QAClK,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,2GAA2G;QAChH,OAAO,EACL,yeAAye;QAC3e,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,4CAA4C;QAClD,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,yLAAyL;QAC3L,OAAO,EAAE,kEAAkE;QAC3E,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,qFAAqF;QAC1F,OAAO,EACL,wLAAwL;QAC1L,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,+BAA+B;QACrC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,yHAAyH;QAC3H,OAAO,EAAE,6GAA6G;QACtH,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,uEAAuE;QAC5E,UAAU,EAAE,CAAC,YAAY,EAAE,cAAc,CAAC;KAC3C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,4CAA4C;QAClD,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,iJAAiJ;QACnJ,OAAO,EAAE,qIAAqI;QAC9I,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,gHAAgH;QACrH,OAAO,EACL,sNAAsN;QACxN,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,kCAAkC;QACxC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,2KAA2K;QAC7K,OAAO,EAAE,sJAAsJ;QAC/J,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,kDAAkD;QACvD,OAAO,EACL,+ZAA+Z;QACja,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;CACF,CAAC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"firebase.d.ts","sourceRoot":"","sources":["../../../src/data/rules/firebase.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAE/C,eAAO,MAAM,aAAa,EAAE,YAAY,EAoFvC,CAAC"}
|
|
@@ -0,0 +1,86 @@
|
|
|
1
|
+
export const firebaseRules = [
|
|
2
|
+
{
|
|
3
|
+
id: "VG750",
|
|
4
|
+
name: "Insecure Firestore Rules",
|
|
5
|
+
severity: "critical",
|
|
6
|
+
owasp: "A01:2025 Broken Access Control",
|
|
7
|
+
description: "Firestore security rules allow unrestricted read/write. Anyone can read or modify your entire database.",
|
|
8
|
+
pattern: /(?:allow\s+(?:read|write|get|list|create|update|delete)\s*:\s*if\s+true|match\s+\/\{document=\*\*\}\s*\{[\s\S]{0,100}?allow\s+read\s*,\s*write)/g,
|
|
9
|
+
languages: ["firestore"],
|
|
10
|
+
fix: "Always restrict Firestore rules. Require authentication and validate data.",
|
|
11
|
+
fixCode: 'rules_version = \'2\';\nservice cloud.firestore {\n match /databases/{database}/documents {\n match /users/{userId} {\n allow read, write: if request.auth != null && request.auth.uid == userId;\n }\n }\n}',
|
|
12
|
+
compliance: ["SOC2:CC6.1"],
|
|
13
|
+
},
|
|
14
|
+
{
|
|
15
|
+
id: "VG751",
|
|
16
|
+
name: "Firebase Admin SDK Client Exposure",
|
|
17
|
+
severity: "critical",
|
|
18
|
+
owasp: "A07:2025 Sensitive Data Exposure",
|
|
19
|
+
description: "Firebase Admin SDK or service account credentials exposed in client-side code. Admin SDK has full unrestricted access to all Firebase services.",
|
|
20
|
+
pattern: /["']use client["'][\s\S]{0,500}?(?:firebase-admin|@google-cloud\/firestore|serviceAccountKey|FIREBASE_SERVICE_ACCOUNT|FIREBASE_ADMIN)/g,
|
|
21
|
+
languages: ["javascript", "typescript"],
|
|
22
|
+
fix: "Firebase Admin SDK must only be used server-side. Never import it in client components.",
|
|
23
|
+
fixCode: '// Server-side only (API route or Server Action)\nimport { initializeApp, cert } from "firebase-admin/app";\ninitializeApp({ credential: cert(JSON.parse(process.env.FIREBASE_SERVICE_ACCOUNT_KEY!)) });',
|
|
24
|
+
compliance: ["SOC2:CC6.1"],
|
|
25
|
+
},
|
|
26
|
+
{
|
|
27
|
+
id: "VG752",
|
|
28
|
+
name: "Firebase Service Account Key Hardcoded",
|
|
29
|
+
severity: "critical",
|
|
30
|
+
owasp: "A07:2025 Sensitive Data Exposure",
|
|
31
|
+
description: "Firebase service account key or credentials JSON hardcoded in source code.",
|
|
32
|
+
pattern: /(?:service_account|serviceAccount|credential|cert)\s*[\(=:]\s*\{[\s\S]{0,500}?(?:"type"\s*:\s*"service_account"|"private_key"\s*:\s*"-----BEGIN)/g,
|
|
33
|
+
languages: ["javascript", "typescript", "json"],
|
|
34
|
+
fix: "Store service account JSON in environment variable and parse at runtime.",
|
|
35
|
+
fixCode: '// Store as env var (base64 or JSON string)\nconst serviceAccount = JSON.parse(process.env.FIREBASE_SERVICE_ACCOUNT_KEY!);\ninitializeApp({ credential: cert(serviceAccount) });',
|
|
36
|
+
compliance: ["SOC2:CC6.1"],
|
|
37
|
+
},
|
|
38
|
+
{
|
|
39
|
+
id: "VG753",
|
|
40
|
+
name: "Insecure Firebase Storage Rules",
|
|
41
|
+
severity: "critical",
|
|
42
|
+
owasp: "A01:2025 Broken Access Control",
|
|
43
|
+
description: "Firebase Storage rules allow unrestricted public access. Anyone can read/write/delete files.",
|
|
44
|
+
pattern: /(?:allow\s+read\s*,\s*write\s*:\s*if\s+true|match\s+\/\{allPaths=\*\*\}\s*\{[\s\S]{0,100}?allow\s+read\s*,\s*write)/g,
|
|
45
|
+
languages: ["firestore"],
|
|
46
|
+
fix: "Restrict Firebase Storage rules. Require authentication and limit file types/sizes.",
|
|
47
|
+
fixCode: 'service firebase.storage {\n match /b/{bucket}/o {\n match /users/{userId}/{allPaths=**} {\n allow read: if request.auth != null;\n allow write: if request.auth != null \n && request.auth.uid == userId\n && request.resource.size < 5 * 1024 * 1024;\n }\n }\n}',
|
|
48
|
+
compliance: ["SOC2:CC6.1"],
|
|
49
|
+
},
|
|
50
|
+
{
|
|
51
|
+
id: "VG754",
|
|
52
|
+
name: "Firebase Config Hardcoded",
|
|
53
|
+
severity: "medium",
|
|
54
|
+
owasp: "A05:2025 Security Misconfiguration",
|
|
55
|
+
description: "Firebase config object hardcoded with all values inline. While Firebase API keys are designed to be public, hardcoding makes it hard to manage across environments.",
|
|
56
|
+
pattern: /(?:firebaseConfig|firebase\.initializeApp)\s*[\(=]\s*\{[\s\S]{0,500}?apiKey\s*:\s*["']AIza[A-Za-z0-9_-]{30,}["']/g,
|
|
57
|
+
languages: ["javascript", "typescript"],
|
|
58
|
+
fix: "Use environment variables for Firebase config to manage different environments.",
|
|
59
|
+
fixCode: 'const firebaseConfig = {\n apiKey: process.env.NEXT_PUBLIC_FIREBASE_API_KEY,\n authDomain: process.env.NEXT_PUBLIC_FIREBASE_AUTH_DOMAIN,\n projectId: process.env.NEXT_PUBLIC_FIREBASE_PROJECT_ID,\n};',
|
|
60
|
+
compliance: ["SOC2:CC6.1"],
|
|
61
|
+
},
|
|
62
|
+
{
|
|
63
|
+
id: "VG755",
|
|
64
|
+
name: "NEXT_PUBLIC Firebase Service Account",
|
|
65
|
+
severity: "critical",
|
|
66
|
+
owasp: "A07:2025 Sensitive Data Exposure",
|
|
67
|
+
description: "Firebase service account key or admin credentials exposed via NEXT_PUBLIC_ prefix.",
|
|
68
|
+
pattern: /NEXT_PUBLIC_\w*(?:FIREBASE_SERVICE_ACCOUNT|FIREBASE_ADMIN|FIREBASE_PRIVATE|FIREBASE_SECRET)\w*\s*=/gi,
|
|
69
|
+
languages: ["javascript", "typescript", "shell"],
|
|
70
|
+
fix: "Remove NEXT_PUBLIC_ prefix from Firebase admin/service account credentials. These must be server-side only.",
|
|
71
|
+
compliance: ["SOC2:CC6.1"],
|
|
72
|
+
},
|
|
73
|
+
{
|
|
74
|
+
id: "VG756",
|
|
75
|
+
name: "signInWithCustomToken Without Validation",
|
|
76
|
+
severity: "high",
|
|
77
|
+
owasp: "A07:2025 Identification and Authentication Failures",
|
|
78
|
+
description: "signInWithCustomToken used with unvalidated token source. Custom tokens must be generated and verified server-side.",
|
|
79
|
+
pattern: /signInWithCustomToken\s*\(\s*\w*\s*,\s*(?:req\.body|request\.body|params\.|searchParams|query\.|formData|url\.)/gi,
|
|
80
|
+
languages: ["javascript", "typescript"],
|
|
81
|
+
fix: "Generate custom tokens server-side with Firebase Admin SDK. Never accept custom tokens from client input.",
|
|
82
|
+
fixCode: '// Server-side: generate custom token\nimport { getAuth } from "firebase-admin/auth";\nconst customToken = await getAuth().createCustomToken(uid);\n\n// Client-side: only use tokens from your own server\nconst res = await fetch("/api/auth/custom-token");\nconst { token } = await res.json();\nawait signInWithCustomToken(auth, token);',
|
|
83
|
+
compliance: ["SOC2:CC6.1"],
|
|
84
|
+
},
|
|
85
|
+
];
|
|
86
|
+
//# sourceMappingURL=firebase.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"firebase.js","sourceRoot":"","sources":["../../../src/data/rules/firebase.ts"],"names":[],"mappings":"AAEA,MAAM,CAAC,MAAM,aAAa,GAAmB;IAC3C;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,0BAA0B;QAChC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EAAE,yGAAyG;QACtH,OAAO,EAAE,kJAAkJ;QAC3J,SAAS,EAAE,CAAC,WAAW,CAAC;QACxB,GAAG,EAAE,4EAA4E;QACjF,OAAO,EAAE,2NAA2N;QACpO,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,oCAAoC;QAC1C,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,iJAAiJ;QAC9J,OAAO,EAAE,wIAAwI;QACjJ,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,yFAAyF;QAC9F,OAAO,EAAE,0MAA0M;QACnN,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,wCAAwC;QAC9C,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,4EAA4E;QACzF,OAAO,EAAE,mJAAmJ;QAC5J,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,MAAM,CAAC;QAC/C,GAAG,EAAE,0EAA0E;QAC/E,OAAO,EAAE,kLAAkL;QAC3L,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,iCAAiC;QACvC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EAAE,8FAA8F;QAC3G,OAAO,EAAE,sHAAsH;QAC/H,SAAS,EAAE,CAAC,WAAW,CAAC;QACxB,GAAG,EAAE,qFAAqF;QAC1F,OAAO,EAAE,oSAAoS;QAC7S,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,2BAA2B;QACjC,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EAAE,qKAAqK;QAClL,OAAO,EAAE,mHAAmH;QAC5H,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,iFAAiF;QACtF,OAAO,EAAE,2MAA2M;QACpN,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,sCAAsC;QAC5C,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,oFAAoF;QACjG,OAAO,EAAE,sGAAsG;QAC/G,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,OAAO,CAAC;QAChD,GAAG,EAAE,6GAA6G;QAClH,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,0CAA0C;QAChD,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,qDAAqD;QAC5D,WAAW,EAAE,qHAAqH;QAClI,OAAO,EAAE,mHAAmH;QAC5H,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,2GAA2G;QAChH,OAAO,EAAE,gVAAgV;QACzV,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;CACF,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/data/rules/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/data/rules/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAiB/C,eAAO,MAAM,UAAU,qCAgBtB,CAAC;AAGF,eAAO,MAAM,YAAY,qCAAa,CAAC"}
|
|
@@ -10,6 +10,9 @@ import { deploymentRules } from "./deployment.js";
|
|
|
10
10
|
import { paymentRules } from "./payments.js";
|
|
11
11
|
import { serviceRules } from "./services.js";
|
|
12
12
|
import { webSecurityRules } from "./web-security.js";
|
|
13
|
+
import { reactNativeRules } from "./react-native.js";
|
|
14
|
+
import { firebaseRules } from "./firebase.js";
|
|
15
|
+
import { otherServiceRules } from "./other-services.js";
|
|
13
16
|
export const owaspRules = [
|
|
14
17
|
...coreRules,
|
|
15
18
|
...goRules,
|
|
@@ -23,6 +26,9 @@ export const owaspRules = [
|
|
|
23
26
|
...paymentRules,
|
|
24
27
|
...serviceRules,
|
|
25
28
|
...webSecurityRules,
|
|
29
|
+
...reactNativeRules,
|
|
30
|
+
...firebaseRules,
|
|
31
|
+
...otherServiceRules,
|
|
26
32
|
];
|
|
27
33
|
// Alias for clarity — these are the built-in rules without plugins
|
|
28
34
|
export const builtinRules = owaspRules;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/data/rules/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAClD,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAChD,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AAC9C,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAClD,OAAO,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAC7C,OAAO,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAC7C,OAAO,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/data/rules/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAClD,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAChD,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AAC9C,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAClD,OAAO,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAC7C,OAAO,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAC7C,OAAO,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;AACrD,OAAO,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;AACrD,OAAO,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AAC9C,OAAO,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAC;AAExD,MAAM,CAAC,MAAM,UAAU,GAAG;IACxB,GAAG,SAAS;IACZ,GAAG,OAAO;IACV,GAAG,eAAe;IAClB,GAAG,SAAS;IACZ,GAAG,cAAc;IACjB,GAAG,WAAW;IACd,GAAG,SAAS;IACZ,GAAG,aAAa;IAChB,GAAG,eAAe;IAClB,GAAG,YAAY;IACf,GAAG,YAAY;IACf,GAAG,gBAAgB;IACnB,GAAG,gBAAgB;IACnB,GAAG,aAAa;IAChB,GAAG,iBAAiB;CACrB,CAAC;AAEF,mEAAmE;AACnE,MAAM,CAAC,MAAM,YAAY,GAAG,UAAU,CAAC"}
|
|
@@ -18,7 +18,7 @@ export const nextjsRules = [
|
|
|
18
18
|
severity: "high",
|
|
19
19
|
owasp: "A03:2025 Injection",
|
|
20
20
|
description: "Server Action processes form data without schema validation. Unvalidated input can lead to injection attacks.",
|
|
21
|
-
pattern: /["']use server["'][\s\S]{0,500}?formData\.get\s*\(/g,
|
|
21
|
+
pattern: /["']use server["'](?![\s\S]{0,500}?(?:z\.object|schema\.parse|\.safeParse|yup\.object|valibot\.|\.validate\s*\())[\s\S]{0,500}?formData\.get\s*\(/g,
|
|
22
22
|
languages: ["javascript", "typescript"],
|
|
23
23
|
fix: "Validate all inputs with a schema library (zod, yup, valibot) before processing.",
|
|
24
24
|
fixCode: '"use server";\nimport { z } from "zod";\n\nconst schema = z.object({ name: z.string().min(1), email: z.string().email() });\n\nexport async function createUser(formData: FormData) {\n const data = schema.parse(Object.fromEntries(formData));\n}',
|
|
@@ -30,7 +30,7 @@ export const nextjsRules = [
|
|
|
30
30
|
severity: "critical",
|
|
31
31
|
owasp: "A01:2025 Broken Access Control",
|
|
32
32
|
description: "Server Action performs data mutations without verifying user authentication. Anyone can invoke Server Actions directly via POST request.",
|
|
33
|
-
pattern: /["']use server["'][\s\S]{0,
|
|
33
|
+
pattern: /["']use server["'][\s\S]{0,500}?export\s+async\s+function\s+\w+\s*\([^)]*\)\s*\{(?![\s\S]{0,800}?(?:auth\s*\(|getServerSession|currentUser|getUser|requireAuth|clerkClient))/g,
|
|
34
34
|
languages: ["javascript", "typescript"],
|
|
35
35
|
fix: "Always verify authentication at the start of every Server Action.",
|
|
36
36
|
fixCode: '"use server";\nimport { auth } from "@clerk/nextjs/server";\n\nexport async function deleteItem(id: string) {\n const { userId } = await auth();\n if (!userId) throw new Error("Unauthorized");\n}',
|
|
@@ -138,7 +138,7 @@ export const nextjsRules = [
|
|
|
138
138
|
severity: "critical",
|
|
139
139
|
owasp: "A07:2025 Sensitive Data Exposure",
|
|
140
140
|
description: "Environment variable prefixed with NEXT_PUBLIC_ contains a secret keyword (SECRET, KEY, PASSWORD, TOKEN). NEXT_PUBLIC_ variables are embedded in the client bundle and visible to anyone.",
|
|
141
|
-
pattern: /NEXT_PUBLIC_\w*(?:SECRET|_KEY|PASSWORD|TOKEN|PRIVATE|CREDENTIAL)\w*\s*=/gi,
|
|
141
|
+
pattern: /NEXT_PUBLIC_(?!\w*PUBLISHABLE)\w*(?:SECRET|_KEY|PASSWORD|TOKEN|PRIVATE|CREDENTIAL)\w*\s*=/gi,
|
|
142
142
|
languages: ["javascript", "typescript", "shell"],
|
|
143
143
|
fix: "Remove NEXT_PUBLIC_ prefix from secret variables. Access them only server-side.",
|
|
144
144
|
fixCode: "# .env.local — WRONG\n# NEXT_PUBLIC_SECRET_KEY=sk_live_xxx\n\n# .env.local — CORRECT\nSECRET_KEY=sk_live_xxx\n# Access server-side only: process.env.SECRET_KEY",
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"nextjs.js","sourceRoot":"","sources":["../../../src/data/rules/nextjs.ts"],"names":[],"mappings":"AAEA,iDAAiD;AACjD,MAAM,CAAC,MAAM,WAAW,GAAmB;IACzC;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,kCAAkC;QACxC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,4KAA4K;QAC9K,OAAO,EAAE,oEAAoE;QAC7E,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,sIAAsI;QAC3I,OAAO,EACL,uLAAuL;QACzL,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,wCAAwC;QAC9C,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EACT,+GAA+G;QACjH,OAAO,EACL,
|
|
1
|
+
{"version":3,"file":"nextjs.js","sourceRoot":"","sources":["../../../src/data/rules/nextjs.ts"],"names":[],"mappings":"AAEA,iDAAiD;AACjD,MAAM,CAAC,MAAM,WAAW,GAAmB;IACzC;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,kCAAkC;QACxC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,4KAA4K;QAC9K,OAAO,EAAE,oEAAoE;QAC7E,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,sIAAsI;QAC3I,OAAO,EACL,uLAAuL;QACzL,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,wCAAwC;QAC9C,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EACT,+GAA+G;QACjH,OAAO,EACL,oJAAoJ;QACtJ,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,kFAAkF;QACvF,OAAO,EACL,sPAAsP;QACxP,UAAU,EAAE,CAAC,YAAY,EAAE,kBAAkB,CAAC;KAC/C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,kCAAkC;QACxC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,0IAA0I;QAC5I,OAAO,EACL,+KAA+K;QACjL,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,mEAAmE;QACxE,OAAO,EACL,uMAAuM;QACzM,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,EAAE,mBAAmB,CAAC;KACrE;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,6BAA6B;QACnC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,uHAAuH;QACzH,OAAO,EACL,4GAA4G;QAC9G,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,gEAAgE;QACrE,OAAO,EACL,kLAAkL;QACpL,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,6BAA6B;QACnC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,yGAAyG;QAC3G,OAAO,EAAE,yDAAyD;QAClE,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,2DAA2D;QAChE,OAAO,EACL,4GAA4G;QAC9G,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,yCAAyC;QAC/C,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EACT,0HAA0H;QAC5H,OAAO,EACL,6EAA6E;QAC/E,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,4DAA4D;QACjE,OAAO,EACL,mTAAmT;QACrT,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,kCAAkC;QACxC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EACT,yHAAyH;QAC3H,OAAO,EACL,4JAA4J;QAC9J,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,qFAAqF;QAC1F,OAAO,EACL,+RAA+R;QACjS,UAAU,EAAE,CAAC,YAAY,EAAE,kBAAkB,CAAC;KAC/C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,wCAAwC;QAC9C,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,+GAA+G;QACjH,OAAO,EACL,2FAA2F;QAC7F,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,oFAAoF;QACzF,OAAO,EACL,yNAAyN;QAC3N,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,wBAAwB;QAC9B,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EACT,uLAAuL;QACzL,OAAO,EAAE,qDAAqD;QAC9D,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,oFAAoF;QACzF,OAAO,EACL,oOAAoO;QACtO,UAAU,EAAE,CAAC,YAAY,EAAE,kBAAkB,CAAC;KAC/C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,8BAA8B;QACpC,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,qIAAqI;QACvI,OAAO,EACL,qFAAqF;QACvF,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,iEAAiE;QACtE,OAAO,EACL,+RAA+R;QACjS,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,iCAAiC;QACvC,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,yIAAyI;QAC3I,OAAO,EACL,0IAA0I;QAC5I,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,uEAAuE;QAC5E,OAAO,EACL,oRAAoR;QACtR,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,0BAA0B;QAChC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,2LAA2L;QAC7L,OAAO,EACL,6FAA6F;QAC/F,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,OAAO,CAAC;QAChD,GAAG,EAAE,iFAAiF;QACtF,OAAO,EACL,iKAAiK;QACnK,UAAU,EAAE,CAAC,YAAY,EAAE,gBAAgB,EAAE,mBAAmB,CAAC;KAClE;CACF,CAAC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"other-services.d.ts","sourceRoot":"","sources":["../../../src/data/rules/other-services.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAE/C,eAAO,MAAM,iBAAiB,EAAE,YAAY,EA6D3C,CAAC"}
|
|
@@ -0,0 +1,63 @@
|
|
|
1
|
+
export const otherServiceRules = [
|
|
2
|
+
{
|
|
3
|
+
id: "VG800",
|
|
4
|
+
name: "Sentry Auth Token Exposure",
|
|
5
|
+
severity: "critical",
|
|
6
|
+
owasp: "A07:2025 Sensitive Data Exposure",
|
|
7
|
+
description: "Sentry auth token exposed in client-side code or committed to source. Auth tokens grant full org access. Note: Sentry DSN is safe to expose publicly.",
|
|
8
|
+
pattern: /(?:SENTRY_AUTH_TOKEN\s*[:=]\s*["']?\w{10,}|["']sntrys_[A-Za-z0-9]{20,}["'])/g,
|
|
9
|
+
languages: ["javascript", "typescript", "shell"],
|
|
10
|
+
fix: "Use SENTRY_AUTH_TOKEN only in CI/CD environment. DSN is safe to be public.",
|
|
11
|
+
fixCode: '# .env.local (server only, for source maps upload)\nSENTRY_AUTH_TOKEN=sntrys_xxx\n\n# Safe to expose (DSN)\nNEXT_PUBLIC_SENTRY_DSN=https://abc@sentry.io/123',
|
|
12
|
+
compliance: ["SOC2:CC6.1"],
|
|
13
|
+
},
|
|
14
|
+
{
|
|
15
|
+
id: "VG801",
|
|
16
|
+
name: "Twilio Auth Token Exposure",
|
|
17
|
+
severity: "critical",
|
|
18
|
+
owasp: "A07:2025 Sensitive Data Exposure",
|
|
19
|
+
description: "Twilio auth token or API key hardcoded or exposed in client-side code. This allows sending SMS/calls from your account.",
|
|
20
|
+
pattern: /(?:["']use client["'][\s\S]{0,500}?(?:TWILIO_AUTH_TOKEN|TWILIO_API_SECRET)|(?:authToken|apiSecret)\s*[:=]\s*["'][a-f0-9]{32}["'])/g,
|
|
21
|
+
languages: ["javascript", "typescript"],
|
|
22
|
+
fix: "Use Twilio credentials server-side only. Validate phone numbers to prevent SMS injection.",
|
|
23
|
+
fixCode: '// Server-side only\nimport twilio from "twilio";\nconst client = twilio(process.env.TWILIO_ACCOUNT_SID, process.env.TWILIO_AUTH_TOKEN);\n\n// Validate phone number before sending\nconst phoneRegex = /^\\+[1-9]\\d{1,14}$/;\nif (!phoneRegex.test(to)) throw new Error("Invalid phone");',
|
|
24
|
+
compliance: ["SOC2:CC6.1"],
|
|
25
|
+
},
|
|
26
|
+
{
|
|
27
|
+
id: "VG802",
|
|
28
|
+
name: "Neon/Postgres Connection String Exposure",
|
|
29
|
+
severity: "critical",
|
|
30
|
+
owasp: "A07:2025 Sensitive Data Exposure",
|
|
31
|
+
description: "Neon or PostgreSQL connection string hardcoded in source code. Contains hostname, credentials, and database name.",
|
|
32
|
+
pattern: /(?:DATABASE_URL|connectionString|connection_string|pgConnectionString)\s*[:=]\s*["']postgres(?:ql)?:\/\/[^"'\s]{10,}["']/gi,
|
|
33
|
+
languages: ["javascript", "typescript"],
|
|
34
|
+
fix: "Use DATABASE_URL environment variable. Never hardcode connection strings.",
|
|
35
|
+
fixCode: 'import { neon } from "@neondatabase/serverless";\nconst sql = neon(process.env.DATABASE_URL!);',
|
|
36
|
+
compliance: ["SOC2:CC6.1"],
|
|
37
|
+
},
|
|
38
|
+
{
|
|
39
|
+
id: "VG803",
|
|
40
|
+
name: "Convex Deploy Key Exposure",
|
|
41
|
+
severity: "critical",
|
|
42
|
+
owasp: "A07:2025 Sensitive Data Exposure",
|
|
43
|
+
description: "Convex deploy key or admin key hardcoded or exposed in client-side code. Deploy keys grant write access to your Convex backend.",
|
|
44
|
+
pattern: /(?:CONVEX_DEPLOY_KEY|["']use client["'][\s\S]{0,500}?CONVEX_ADMIN_KEY|(?:deployKey|adminKey)\s*[:=]\s*["'](?:prod|dev):[\w]+:[\w]+["'])/g,
|
|
45
|
+
languages: ["javascript", "typescript", "shell"],
|
|
46
|
+
fix: "Use CONVEX_DEPLOY_KEY only in CI/CD. Client-side should only use the public CONVEX_URL.",
|
|
47
|
+
fixCode: '# Client-safe\nNEXT_PUBLIC_CONVEX_URL=https://xxx.convex.cloud\n\n# Server/CI only\nCONVEX_DEPLOY_KEY=prod:xxx:yyy',
|
|
48
|
+
compliance: ["SOC2:CC6.1"],
|
|
49
|
+
},
|
|
50
|
+
{
|
|
51
|
+
id: "VG804",
|
|
52
|
+
name: "MongoDB Connection String Exposure",
|
|
53
|
+
severity: "critical",
|
|
54
|
+
owasp: "A07:2025 Sensitive Data Exposure",
|
|
55
|
+
description: "MongoDB connection string hardcoded in source code. Contains credentials and cluster information.",
|
|
56
|
+
pattern: /(?:MONGODB_URI|MONGO_URL|mongoUri|mongoUrl|connectionString)\s*[:=]\s*["']mongodb(?:\+srv)?:\/\/[^"'\s]{10,}["']/gi,
|
|
57
|
+
languages: ["javascript", "typescript"],
|
|
58
|
+
fix: "Use MONGODB_URI environment variable. Never hardcode connection strings.",
|
|
59
|
+
fixCode: 'import { MongoClient } from "mongodb";\nconst client = new MongoClient(process.env.MONGODB_URI!);',
|
|
60
|
+
compliance: ["SOC2:CC6.1"],
|
|
61
|
+
},
|
|
62
|
+
];
|
|
63
|
+
//# sourceMappingURL=other-services.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"other-services.js","sourceRoot":"","sources":["../../../src/data/rules/other-services.ts"],"names":[],"mappings":"AAEA,MAAM,CAAC,MAAM,iBAAiB,GAAmB;IAC/C;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,4BAA4B;QAClC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,uJAAuJ;QACpK,OAAO,EAAE,8EAA8E;QACvF,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,OAAO,CAAC;QAChD,GAAG,EAAE,4EAA4E;QACjF,OAAO,EAAE,8JAA8J;QACvK,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,4BAA4B;QAClC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,yHAAyH;QACtI,OAAO,EAAE,oIAAoI;QAC7I,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,2FAA2F;QAChG,OAAO,EAAE,6RAA6R;QACtS,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,0CAA0C;QAChD,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,mHAAmH;QAChI,OAAO,EAAE,4HAA4H;QACrI,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,2EAA2E;QAChF,OAAO,EAAE,gGAAgG;QACzG,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,4BAA4B;QAClC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,iIAAiI;QAC9I,OAAO,EAAE,0IAA0I;QACnJ,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,OAAO,CAAC;QAChD,GAAG,EAAE,yFAAyF;QAC9F,OAAO,EAAE,oHAAoH;QAC7H,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,oCAAoC;QAC1C,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,mGAAmG;QAChH,OAAO,EAAE,oHAAoH;QAC7H,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,0EAA0E;QAC/E,OAAO,EAAE,mGAAmG;QAC5G,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;CACF,CAAC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"react-native.d.ts","sourceRoot":"","sources":["../../../src/data/rules/react-native.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAE/C,eAAO,MAAM,gBAAgB,EAAE,YAAY,EAsH1C,CAAC"}
|
|
@@ -0,0 +1,120 @@
|
|
|
1
|
+
export const reactNativeRules = [
|
|
2
|
+
{
|
|
3
|
+
id: "VG700",
|
|
4
|
+
name: "AsyncStorage Sensitive Data",
|
|
5
|
+
severity: "critical",
|
|
6
|
+
owasp: "A07:2025 Sensitive Data Exposure",
|
|
7
|
+
description: "Storing secrets, tokens, or passwords in AsyncStorage. AsyncStorage is unencrypted plain text on device. Use expo-secure-store or react-native-keychain instead.",
|
|
8
|
+
pattern: /AsyncStorage\s*\.\s*(?:setItem|multiSet)\s*\(\s*["'][^"']*(?:token|secret|password|jwt|session|auth|apiKey|api_key|credential|refresh)["']/gi,
|
|
9
|
+
languages: ["javascript", "typescript"],
|
|
10
|
+
fix: "Use expo-secure-store (Expo) or react-native-keychain (bare RN) for sensitive data.",
|
|
11
|
+
fixCode: 'import * as SecureStore from "expo-secure-store";\nawait SecureStore.setItemAsync("authToken", token);',
|
|
12
|
+
compliance: ["SOC2:CC6.1", "HIPAA:§164.312(a)"],
|
|
13
|
+
},
|
|
14
|
+
{
|
|
15
|
+
id: "VG701",
|
|
16
|
+
name: "Deep Link Auth Bypass",
|
|
17
|
+
severity: "high",
|
|
18
|
+
owasp: "A07:2025 Identification and Authentication Failures",
|
|
19
|
+
description: "Deep link handler processes authentication parameters (token, code, session) without validation. Attackers can craft malicious deep links to bypass auth.",
|
|
20
|
+
pattern: /(?:Linking\.addEventListener|useURL|createURL|expo-linking)[\s\S]{0,500}?(?:url|event)[\s\S]{0,300}?(?:token|code|session|auth)/gi,
|
|
21
|
+
languages: ["javascript", "typescript"],
|
|
22
|
+
fix: "Validate deep link origin, verify tokens server-side, and never trust URL parameters for auth state.",
|
|
23
|
+
fixCode: '// Validate token from deep link server-side\nconst { token } = parseURL(url);\nconst res = await fetch("/api/verify-token", { method: "POST", body: JSON.stringify({ token }) });\nif (!res.ok) throw new Error("Invalid deep link token");',
|
|
24
|
+
compliance: ["SOC2:CC6.1"],
|
|
25
|
+
},
|
|
26
|
+
{
|
|
27
|
+
id: "VG702",
|
|
28
|
+
name: "Expo Push Token Exposure",
|
|
29
|
+
severity: "high",
|
|
30
|
+
owasp: "A07:2025 Sensitive Data Exposure",
|
|
31
|
+
description: "Expo push token logged or sent to client-side analytics. Push tokens can be abused to send spam notifications.",
|
|
32
|
+
pattern: /(?:console\.\w+|analytics|posthog|capture|track)\s*[\.\(][\s\S]{0,200}?(?:ExpoPushToken|expoPushToken|pushToken)/gi,
|
|
33
|
+
languages: ["javascript", "typescript"],
|
|
34
|
+
fix: "Never log push tokens. Send them only to your own server over HTTPS.",
|
|
35
|
+
fixCode: '// Send push token securely to your server\nawait fetch("/api/register-push", {\n method: "POST",\n headers: { Authorization: `Bearer ${authToken}` },\n body: JSON.stringify({ pushToken }),\n});',
|
|
36
|
+
compliance: ["SOC2:CC6.1"],
|
|
37
|
+
},
|
|
38
|
+
{
|
|
39
|
+
id: "VG703",
|
|
40
|
+
name: "Hardcoded Secrets in EAS Config",
|
|
41
|
+
severity: "critical",
|
|
42
|
+
owasp: "A07:2025 Sensitive Data Exposure",
|
|
43
|
+
description: "Hardcoded secrets, API keys, or tokens in eas.json or eas.config. These end up in version control.",
|
|
44
|
+
pattern: /(?:"env"|env\s*:\s*\{)[\s\S]{0,300}?(?:SECRET|TOKEN|API_KEY|PASSWORD|PRIVATE)\s*["']?\s*[:=]\s*["'][^"']{8,}["']/gi,
|
|
45
|
+
languages: ["json", "javascript", "typescript"],
|
|
46
|
+
fix: "Use EAS Secrets (eas secret:create) instead of hardcoding in eas.json.",
|
|
47
|
+
fixCode: '# Set secrets via EAS CLI\neas secret:create --name API_KEY --value "your-key" --scope project\n\n# Reference in eas.json\n{ "build": { "production": { "env": { "API_KEY": "eas-secret" } } } }',
|
|
48
|
+
compliance: ["SOC2:CC6.1"],
|
|
49
|
+
},
|
|
50
|
+
{
|
|
51
|
+
id: "VG704",
|
|
52
|
+
name: "WebView JavaScript Injection",
|
|
53
|
+
severity: "critical",
|
|
54
|
+
owasp: "A03:2025 Injection",
|
|
55
|
+
description: "WebView loading untrusted URLs or injecting unvalidated JavaScript. This allows XSS and data theft from the app context.",
|
|
56
|
+
pattern: /(?:WebView|webview)\s*[\s\S]{0,300}?(?:injectedJavaScript|source\s*=\s*\{\s*\{\s*uri\s*:\s*(?:user|params|route|input|req|data|body)[\s\S]{0,100}?\}|javaScriptEnabled\s*=\s*\{?\s*true)/gi,
|
|
57
|
+
languages: ["javascript", "typescript"],
|
|
58
|
+
fix: "Validate WebView URLs against an allowlist. Avoid injecting dynamic JavaScript. Disable JavaScript if not needed.",
|
|
59
|
+
fixCode: 'const ALLOWED_HOSTS = ["example.com", "docs.example.com"];\nconst url = new URL(inputUrl);\nif (!ALLOWED_HOSTS.includes(url.hostname)) throw new Error("Blocked URL");\n\n<WebView source={{ uri: url.toString() }} javaScriptEnabled={false} />',
|
|
60
|
+
compliance: ["SOC2:CC7.1"],
|
|
61
|
+
},
|
|
62
|
+
{
|
|
63
|
+
id: "VG705",
|
|
64
|
+
name: "Missing Certificate Pinning",
|
|
65
|
+
severity: "medium",
|
|
66
|
+
owasp: "A07:2025 Sensitive Data Exposure",
|
|
67
|
+
description: "Network requests to API without certificate pinning. On mobile, this allows man-in-the-middle attacks on compromised networks.",
|
|
68
|
+
pattern: /(?:fetch|axios|http)\s*[\.\(][\s\S]{0,200}?(?:api\.|\/api\/)[\s\S]{0,300}?(?:Authorization|Bearer|token)/gi,
|
|
69
|
+
languages: ["javascript", "typescript"],
|
|
70
|
+
fix: "Implement certificate pinning using react-native-ssl-pinning or expo-certificate-transparency.",
|
|
71
|
+
compliance: ["SOC2:CC6.1", "PCI-DSS:Req4"],
|
|
72
|
+
},
|
|
73
|
+
{
|
|
74
|
+
id: "VG706",
|
|
75
|
+
name: "Hardcoded API URL",
|
|
76
|
+
severity: "medium",
|
|
77
|
+
owasp: "A05:2025 Security Misconfiguration",
|
|
78
|
+
description: "API base URL hardcoded directly in source. This makes it hard to switch environments and may expose staging/internal endpoints.",
|
|
79
|
+
pattern: /(?:baseURL|apiUrl|API_URL|apiBase|BASE_URL)\s*[:=]\s*["']https?:\/\/(?!localhost)[^"']{5,}["']/gi,
|
|
80
|
+
languages: ["javascript", "typescript"],
|
|
81
|
+
fix: "Use environment variables or app config for API URLs.",
|
|
82
|
+
fixCode: 'import Constants from "expo-constants";\nconst API_URL = Constants.expoConfig?.extra?.apiUrl ?? process.env.EXPO_PUBLIC_API_URL;',
|
|
83
|
+
compliance: ["SOC2:CC6.1"],
|
|
84
|
+
},
|
|
85
|
+
{
|
|
86
|
+
id: "VG707",
|
|
87
|
+
name: "Disabled App Transport Security",
|
|
88
|
+
severity: "high",
|
|
89
|
+
owasp: "A05:2025 Security Misconfiguration",
|
|
90
|
+
description: "App Transport Security (ATS) disabled in iOS config, allowing insecure HTTP connections.",
|
|
91
|
+
pattern: /NSAppTransportSecurity[\s\S]{0,200}?NSAllowsArbitraryLoads[\s\S]{0,50}?(?:true|YES|<true\s*\/>)/gi,
|
|
92
|
+
languages: ["xml", "json", "javascript", "typescript"],
|
|
93
|
+
fix: "Do not disable ATS. If specific domains need HTTP, use NSExceptionDomains instead of blanket allow.",
|
|
94
|
+
compliance: ["SOC2:CC6.1", "PCI-DSS:Req4"],
|
|
95
|
+
},
|
|
96
|
+
{
|
|
97
|
+
id: "VG708",
|
|
98
|
+
name: "Sensitive Data in Expo Config",
|
|
99
|
+
severity: "critical",
|
|
100
|
+
owasp: "A07:2025 Sensitive Data Exposure",
|
|
101
|
+
description: "Secrets or API keys hardcoded in app.json, app.config.js, or app.config.ts. These are embedded in the app bundle and visible to anyone who decompiles the app.",
|
|
102
|
+
pattern: /(?:app\.json|app\.config\.[jt]s)[\s\S]{0,50}|(?:"extra"|extra\s*:\s*\{)[\s\S]{0,500}?(?:SECRET|PRIVATE_KEY|API_SECRET|DATABASE_URL|SERVICE_ACCOUNT)\s*[:=]\s*["'][^"']{8,}["']/gi,
|
|
103
|
+
languages: ["json", "javascript", "typescript"],
|
|
104
|
+
fix: "Use EXPO_PUBLIC_ prefix only for truly public values. Keep secrets server-side or in EAS Secrets.",
|
|
105
|
+
fixCode: '// app.config.ts — only public values in extra\nexport default {\n extra: {\n apiUrl: process.env.EXPO_PUBLIC_API_URL, // OK: public\n // NEVER: apiSecret: process.env.API_SECRET\n },\n};',
|
|
106
|
+
compliance: ["SOC2:CC6.1"],
|
|
107
|
+
},
|
|
108
|
+
{
|
|
109
|
+
id: "VG709",
|
|
110
|
+
name: "React Native Bridge Sensitive Data",
|
|
111
|
+
severity: "high",
|
|
112
|
+
owasp: "A07:2025 Sensitive Data Exposure",
|
|
113
|
+
description: "Sensitive data (tokens, keys, passwords) passed through React Native bridge/NativeModules without encryption. Bridge data can be intercepted on rooted/jailbroken devices.",
|
|
114
|
+
pattern: /NativeModules\.\w+\.\w+\s*\([\s\S]{0,200}?(?:token|secret|password|key|credential|jwt|session)/gi,
|
|
115
|
+
languages: ["javascript", "typescript"],
|
|
116
|
+
fix: "Encrypt sensitive data before passing through the bridge. Use native secure storage instead.",
|
|
117
|
+
compliance: ["SOC2:CC6.1"],
|
|
118
|
+
},
|
|
119
|
+
];
|
|
120
|
+
//# sourceMappingURL=react-native.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"react-native.js","sourceRoot":"","sources":["../../../src/data/rules/react-native.ts"],"names":[],"mappings":"AAEA,MAAM,CAAC,MAAM,gBAAgB,GAAmB;IAC9C;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,6BAA6B;QACnC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,kKAAkK;QAC/K,OAAO,EAAE,8IAA8I;QACvJ,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,qFAAqF;QAC1F,OAAO,EAAE,wGAAwG;QACjH,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,uBAAuB;QAC7B,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,qDAAqD;QAC5D,WAAW,EAAE,2JAA2J;QACxK,OAAO,EAAE,mIAAmI;QAC5I,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,sGAAsG;QAC3G,OAAO,EAAE,8OAA8O;QACvP,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,0BAA0B;QAChC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,gHAAgH;QAC7H,OAAO,EAAE,oHAAoH;QAC7H,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,sEAAsE;QAC3E,OAAO,EAAE,uMAAuM;QAChN,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,iCAAiC;QACvC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,oGAAoG;QACjH,OAAO,EAAE,oHAAoH;QAC7H,SAAS,EAAE,CAAC,MAAM,EAAE,YAAY,EAAE,YAAY,CAAC;QAC/C,GAAG,EAAE,wEAAwE;QAC7E,OAAO,EAAE,kMAAkM;QAC3M,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,8BAA8B;QACpC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EAAE,0HAA0H;QACvI,OAAO,EAAE,4LAA4L;QACrM,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,mHAAmH;QACxH,OAAO,EAAE,kPAAkP;QAC3P,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,6BAA6B;QACnC,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,gIAAgI;QAC7I,OAAO,EAAE,4GAA4G;QACrH,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,gGAAgG;QACrG,UAAU,EAAE,CAAC,YAAY,EAAE,cAAc,CAAC;KAC3C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,mBAAmB;QACzB,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EAAE,iIAAiI;QAC9I,OAAO,EAAE,kGAAkG;QAC3G,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,uDAAuD;QAC5D,OAAO,EAAE,kIAAkI;QAC3I,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,iCAAiC;QACvC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EAAE,0FAA0F;QACvG,OAAO,EAAE,mGAAmG;QAC5G,SAAS,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,YAAY,EAAE,YAAY,CAAC;QACtD,GAAG,EAAE,qGAAqG;QAC1G,UAAU,EAAE,CAAC,YAAY,EAAE,cAAc,CAAC;KAC3C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,+BAA+B;QACrC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,gKAAgK;QAC7K,OAAO,EAAE,kLAAkL;QAC3L,SAAS,EAAE,CAAC,MAAM,EAAE,YAAY,EAAE,YAAY,CAAC;QAC/C,GAAG,EAAE,mGAAmG;QACxG,OAAO,EAAE,qMAAqM;QAC9M,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,oCAAoC;QAC1C,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,4KAA4K;QACzL,OAAO,EAAE,kGAAkG;QAC3G,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,8FAA8F;QACnG,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;CACF,CAAC"}
|
package/build/index.js
CHANGED
|
@@ -18,7 +18,7 @@ import { builtinRules } from "./data/rules/index.js";
|
|
|
18
18
|
import { loadConfig } from "./utils/config.js";
|
|
19
19
|
const server = new McpServer({
|
|
20
20
|
name: "guardvibe",
|
|
21
|
-
version: "0.
|
|
21
|
+
version: "0.10.0",
|
|
22
22
|
});
|
|
23
23
|
// Tool 1: Analyze code for security vulnerabilities
|
|
24
24
|
server.tool("check_code", "Analyze code for security vulnerabilities (OWASP Top 10, XSS, SQL injection, insecure patterns). Use this when reviewing or writing code to catch security issues early.", {
|
package/build/index.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAEA,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AACpE,OAAO,EAAE,oBAAoB,EAAE,MAAM,2CAA2C,CAAC;AACjF,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,SAAS,EAAE,MAAM,uBAAuB,CAAC;AAClD,OAAO,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAC;AACxD,OAAO,EAAE,eAAe,EAAE,MAAM,8BAA8B,CAAC;AAC/D,OAAO,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAC1D,OAAO,EAAE,aAAa,EAAE,MAAM,2BAA2B,CAAC;AAC1D,OAAO,EAAE,gBAAgB,EAAE,MAAM,8BAA8B,CAAC;AAChE,OAAO,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAC;AACtD,OAAO,EAAE,UAAU,EAAE,MAAM,wBAAwB,CAAC;AACpD,OAAO,EAAE,gBAAgB,EAAE,MAAM,8BAA8B,CAAC;AAChE,OAAO,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAC;AACtD,OAAO,EAAE,kBAAkB,EAAE,MAAM,iCAAiC,CAAC;AACrE,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AACtD,OAAO,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AAErD,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAE/C,MAAM,MAAM,GAAG,IAAI,SAAS,CAAC;IAC3B,IAAI,EAAE,WAAW;IACjB,OAAO,EAAE,
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAEA,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AACpE,OAAO,EAAE,oBAAoB,EAAE,MAAM,2CAA2C,CAAC;AACjF,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,SAAS,EAAE,MAAM,uBAAuB,CAAC;AAClD,OAAO,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAC;AACxD,OAAO,EAAE,eAAe,EAAE,MAAM,8BAA8B,CAAC;AAC/D,OAAO,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAC1D,OAAO,EAAE,aAAa,EAAE,MAAM,2BAA2B,CAAC;AAC1D,OAAO,EAAE,gBAAgB,EAAE,MAAM,8BAA8B,CAAC;AAChE,OAAO,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAC;AACtD,OAAO,EAAE,UAAU,EAAE,MAAM,wBAAwB,CAAC;AACpD,OAAO,EAAE,gBAAgB,EAAE,MAAM,8BAA8B,CAAC;AAChE,OAAO,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAC;AACtD,OAAO,EAAE,kBAAkB,EAAE,MAAM,iCAAiC,CAAC;AACrE,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AACtD,OAAO,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AAErD,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAE/C,MAAM,MAAM,GAAG,IAAI,SAAS,CAAC;IAC3B,IAAI,EAAE,WAAW;IACjB,OAAO,EAAE,QAAQ;CAClB,CAAC,CAAC;AAEH,oDAAoD;AACpD,MAAM,CAAC,IAAI,CACT,YAAY,EACZ,0KAA0K,EAC1K;IACE,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,6BAA6B,CAAC;IACxD,QAAQ,EAAE,CAAC;SACR,IAAI,CAAC,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,EAAE,IAAI,EAAE,YAAY,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,MAAM,EAAE,WAAW,CAAC,CAAC;SAC7G,QAAQ,CAAC,kCAAkC,CAAC;IAC/C,SAAS,EAAE,CAAC;SACT,MAAM,EAAE;SACR,QAAQ,EAAE;SACV,QAAQ,CAAC,kEAAkE,CAAC;IAC/E,MAAM,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,QAAQ,CAAC,uEAAuE,CAAC;CAC3I,EACD,KAAK,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,EAAE,EAAE,EAAE;IAC9C,MAAM,KAAK,GAAI,UAAkB,CAAC,iBAA+C,CAAC;IAClF,MAAM,OAAO,GAAG,SAAS,CAAC,IAAI,EAAE,QAAQ,EAAE,SAAS,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,EAAE,KAAK,CAAC,CAAC;IAC1F,OAAO;QACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;KAC3C,CAAC;AACJ,CAAC,CACF,CAAC;AAEF,2DAA2D;AAC3D,MAAM,CAAC,IAAI,CACT,eAAe,EACf,iKAAiK,EACjK;IACE,KAAK,EAAE,CAAC;SACL,KAAK,CACJ,CAAC,CAAC,MAAM,CAAC;QACP,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,sCAAsC,CAAC;QACjE,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,kBAAkB,CAAC;KACjD,CAAC,CACH;SACA,QAAQ,CAAC,0CAA0C,CAAC;IACvD,MAAM,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,QAAQ,CAAC,uEAAuE,CAAC;CAC3I,EACD,KAAK,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,EAAE,EAAE;IAC1B,MAAM,KAAK,GAAI,UAAkB,CAAC,iBAA+C,CAAC;IAClF,MAAM,OAAO,GAAG,YAAY,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,CAAC,CAAC;IACnD,OAAO;QACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;KAC3C,CAAC;AACJ,CAAC,CACF,CAAC;AAEF,iFAAiF;AACjF,MAAM,CAAC,IAAI,CACT,mBAAmB,EACnB,8IAA8I,EAC9I;IACE,KAAK,EAAE,CAAC;SACL,MAAM,EAAE;SACR,QAAQ,CACP,mIAAmI,CACpI;CACJ,EACD,KAAK,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE;IAClB,MAAM,IAAI,GAAG,eAAe,CAAC,KAAK,CAAC,CAAC;IACpC,OAAO;QACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;KACxC,CAAC;AACJ,CAAC,CACF,CAAC;AAEF,uDAAuD;AACvD,MAAM,aAAa,GAAG,CAAC,CAAC,MAAM,CAAC;IAC7B,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,6CAA6C,CAAC;IACxE,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,gCAAgC,CAAC;IAC9D,SAAS,EAAE,CAAC;SACT,IAAI,CAAC,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,CAAC,CAAC;SAC3B,OAAO,CAAC,KAAK,CAAC;SACd,QAAQ,CAAC,mBAAmB,CAAC;CACjC,CAAC,CAAC;AAEH,MAAM,CAAC,IAAI,CACT,oBAAoB,EACpB,sKAAsK,EACtK;IACE,QAAQ,EAAE,CAAC,CAAC,UAAU,CACpB,CAAC,GAAG,EAAE,EAAE;QACN,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;YAC5B,IAAI,CAAC;gBACH,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YACzB,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,GAAG,CAAC;YACb,CAAC;QACH,CAAC;QACD,OAAO,GAAG,CAAC;IACb,CAAC,EACD,CAAC,CAAC,KAAK,CAAC,aAAa,CAAC,CACvB,CAAC,QAAQ,CAAC,yDAAyD,CAAC;CACtE,EACD,KAAK,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE;IACrB,MAAM,OAAO,GAAG,MAAM,iBAAiB,CAAC,QAAQ,CAAC,CAAC;IAClD,OAAO;QACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;KAC3C,CAAC;AACJ,CAAC,CACF,CAAC;AAEF,0EAA0E;AAC1E,MAAM,CAAC,IAAI,CACT,gBAAgB,EAChB,gMAAgM,EAChM;IACE,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,4CAA4C,CAAC;IACvE,SAAS,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,qBAAqB,CAAC;IAC/E,OAAO,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,mCAAmC,CAAC;IACjG,MAAM,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,QAAQ,CAAC,uEAAuE,CAAC;CAC3I,EACD,KAAK,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,EAAE,EAAE,EAAE;IAC7C,MAAM,KAAK,GAAI,UAAkB,CAAC,iBAA+C,CAAC;IAClF,MAAM,OAAO,GAAG,aAAa,CAAC,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,CAAC,CAAC;IACvE,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,EAAE,CAAC;AACxD,CAAC,CACF,CAAC;AAEF,gEAAgE;AAChE,MAAM,CAAC,IAAI,CACT,mBAAmB,EACnB,mLAAmL,EACnL;IACE,aAAa,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,2EAA2E,CAAC;IAC/G,MAAM,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,QAAQ,CAAC,uEAAuE,CAAC;CAC3I,EACD,KAAK,EAAE,EAAE,aAAa,EAAE,MAAM,EAAE,EAAE,EAAE;IAClC,MAAM,OAAO,GAAG,MAAM,gBAAgB,CAAC,aAAa,EAAE,MAAM,CAAC,CAAC;IAC9D,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,EAAE,CAAC;AACxD,CAAC,CACF,CAAC;AAEF,6DAA6D;AAC7D,MAAM,CAAC,IAAI,CACT,cAAc,EACd,mKAAmK,EACnK;IACE,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,gCAAgC,CAAC;IAC3D,SAAS,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,qBAAqB,CAAC;IAC/E,MAAM,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,QAAQ,CAAC,uEAAuE,CAAC;CAC3I,EACD,KAAK,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,EAAE,EAAE,EAAE;IACpC,MAAM,OAAO,GAAG,WAAW,CAAC,IAAI,EAAE,SAAS,EAAE,MAAM,CAAC,CAAC;IACrD,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,EAAE,CAAC;AACxD,CAAC,CACF,CAAC;AAEF,kDAAkD;AAClD,MAAM,CAAC,IAAI,CACT,aAAa,EACb,+KAA+K,EAC/K;IACE,MAAM,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,QAAQ,CAAC,uEAAuE,CAAC;CAC3I,EACD,KAAK,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE;IACnB,MAAM,KAAK,GAAI,UAAkB,CAAC,iBAA+C,CAAC;IAClF,MAAM,OAAO,GAAG,UAAU,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,MAAM,EAAE,KAAK,CAAC,CAAC;IACzD,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,EAAE,CAAC;AACxD,CAAC,CACF,CAAC;AAEF,sDAAsD;AACtD,MAAM,CAAC,IAAI,CACT,mBAAmB,EACnB,wJAAwJ,EACxJ;IACE,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,mBAAmB,CAAC;IAC9C,SAAS,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,SAAS,EAAE,OAAO,EAAE,KAAK,CAAC,CAAC,CAAC,QAAQ,CAAC,sBAAsB,CAAC;IACvF,MAAM,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,QAAQ,CAAC,uEAAuE,CAAC;CAC3I,EACD,KAAK,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,EAAE,EAAE,EAAE;IACpC,MAAM,KAAK,GAAI,UAAkB,CAAC,iBAA+C,CAAC;IAClF,MAAM,OAAO,GAAG,gBAAgB,CAAC,IAAI,EAAE,SAAS,EAAE,MAAM,EAAE,KAAK,CAAC,CAAC;IACjE,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,EAAE,CAAC;AACxD,CAAC,CACF,CAAC;AAEF,sDAAsD;AACtD,MAAM,CAAC,IAAI,CACT,cAAc,EACd,uIAAuI,EACvI;IACE,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,mBAAmB,CAAC;CAC/C,EACD,KAAK,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE;IACjB,MAAM,KAAK,GAAI,UAAkB,CAAC,iBAA+C,CAAC;IAClF,MAAM,OAAO,GAAG,WAAW,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;IACzC,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,EAAE,CAAC;AACxD,CAAC,CACF,CAAC;AAEF,mDAAmD;AACnD,MAAM,CAAC,IAAI,CACT,sBAAsB,EACtB,8KAA8K,EAC9K;IACE,QAAQ,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,CAAC,2EAA2E,CAAC;IACnH,MAAM,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,QAAQ,CAAC,uEAAuE,CAAC;CAC3I,EACD,KAAK,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE;IAC7B,MAAM,OAAO,GAAG,MAAM,kBAAkB,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;IAC3D,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,EAAE,CAAC;AACxD,CAAC,CACF,CAAC;AAEF,KAAK,UAAU,IAAI;IACjB,eAAe;IACf,MAAM,MAAM,GAAG,UAAU,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC;IACzC,MAAM,OAAO,GAAG,MAAM,eAAe,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,MAAM,CAAC,OAAO,CAAC,CAAC;IAErE,IAAI,OAAO,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC9B,OAAO,CAAC,KAAK,CAAC,sBAAsB,OAAO,CAAC,MAAM,CAAC,MAAM,eAAe,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACvG,CAAC;IACD,KAAK,MAAM,GAAG,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;QACjC,OAAO,CAAC,KAAK,CAAC,+BAA+B,GAAG,EAAE,CAAC,CAAC;IACtD,CAAC;IAED,gCAAgC;IAChC,MAAM,QAAQ,GAAmB,CAAC,GAAG,YAAY,EAAE,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC;IAErE,wBAAwB;IACxB,KAAK,MAAM,IAAI,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;QACjC,MAAM,CAAC,IAAI,CACT,IAAI,CAAC,IAAI,EACT,IAAI,CAAC,WAAW,EAChB,IAAI,CAAC,MAAa,EAClB,KAAK,EAAE,KAAU,EAAE,EAAE;YACnB,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;YACzC,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,EAAE,CAAC;QAChE,CAAC,CACF,CAAC;IACJ,CAAC;IAED,uCAAuC;IACtC,UAAkB,CAAC,iBAAiB,GAAG,QAAQ,CAAC;IAEjD,MAAM,SAAS,GAAG,IAAI,oBAAoB,EAAE,CAAC;IAC7C,MAAM,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IAChC,OAAO,CAAC,KAAK,CAAC,gDAAgD,CAAC,CAAC;AAClE,CAAC;AAED,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE;IACrB,OAAO,CAAC,KAAK,CAAC,cAAc,EAAE,KAAK,CAAC,CAAC;IACrC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC,CAAC,CAAC"}
|
package/package.json
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "guardvibe",
|
|
3
|
-
"version": "0.
|
|
4
|
-
"description": "Security MCP for vibe coding.
|
|
3
|
+
"version": "0.10.0",
|
|
4
|
+
"description": "Security MCP for vibe coding. 149 rules for Next.js, React Native, Expo, Firebase, Supabase, Stripe, Clerk, Prisma, Vercel, and the full AI-generated web + mobile stack.",
|
|
5
5
|
"type": "module",
|
|
6
6
|
"bin": {
|
|
7
7
|
"guardvibe": "build/index.js",
|