guardvibe 0.9.5 → 0.10.0
- package/build/data/rules/firebase.d.ts +3 -0
- package/build/data/rules/firebase.d.ts.map +1 -0
- package/build/data/rules/firebase.js +86 -0
- package/build/data/rules/firebase.js.map +1 -0
- package/build/data/rules/index.d.ts.map +1 -1
- package/build/data/rules/index.js +6 -0
- package/build/data/rules/index.js.map +1 -1
- package/build/data/rules/nextjs.js +3 -3
- package/build/data/rules/nextjs.js.map +1 -1
- package/build/data/rules/other-services.d.ts +3 -0
- package/build/data/rules/other-services.d.ts.map +1 -0
- package/build/data/rules/other-services.js +63 -0
- package/build/data/rules/other-services.js.map +1 -0
- package/build/data/rules/react-native.d.ts +3 -0
- package/build/data/rules/react-native.d.ts.map +1 -0
- package/build/data/rules/react-native.js +120 -0
- package/build/data/rules/react-native.js.map +1 -0
- package/build/index.js +1 -1
- package/build/index.js.map +1 -1
- package/package.json +2 -2
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"firebase.d.ts","sourceRoot":"","sources":["../../../src/data/rules/firebase.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAE/C,eAAO,MAAM,aAAa,EAAE,YAAY,EAoFvC,CAAC"}
|
|
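--- a/package/build/data/rules/firebase.js
+++ b/package/build/data/rules/firebase.js
@@ -0,0 +1,86 @@
+export const firebaseRules = [
+{
+id: "VG750",
+name: "Insecure Firestore Rules",
+severity: "critical",
+owasp: "A01:2025 Broken Access Control",
+description: "Firestore security rules allow unrestricted read/write. Anyone can read or modify your entire database.",
+pattern: /(?:allow\s+(?:read|write|get|list|create|update|delete)\s*:\s*if\s+true|match\s+\/\{document=\*\*\}\s*\{[\s\S]{0,100}?allow\s+read\s*,\s*write)/g,
+languages: ["firestore"],
+fix: "Always restrict Firestore rules. Require authentication and validate data.",
+fixCode: 'rules_version = \'2\';\nservice cloud.firestore {\n match /databases/{database}/documents {\n match /users/{userId} {\n allow read, write: if request.auth != null && request.auth.uid == userId;\n }\n }\n}',
+compliance: ["SOC2:CC6.1"],
+},
+{
+id: "VG751",
+name: "Firebase Admin SDK Client Exposure",
+severity: "critical",
+owasp: "A07:2025 Sensitive Data Exposure",
+description: "Firebase Admin SDK or service account credentials exposed in client-side code. Admin SDK has full unrestricted access to all Firebase services.",
+pattern: /["']use client["'][\s\S]{0,500}?(?:firebase-admin|@google-cloud\/firestore|serviceAccountKey|FIREBASE_SERVICE_ACCOUNT|FIREBASE_ADMIN)/g,
+languages: ["javascript", "typescript"],
+fix: "Firebase Admin SDK must only be used server-side. Never import it in client components.",
+fixCode: '// Server-side only (API route or Server Action)\nimport { initializeApp, cert } from "firebase-admin/app";\ninitializeApp({ credential: cert(JSON.parse(process.env.FIREBASE_SERVICE_ACCOUNT_KEY!)) });',
+compliance: ["SOC2:CC6.1"],
+},
+{
+id: "VG752",
+name: "Firebase Service Account Key Hardcoded",
+severity: "critical",
+owasp: "A07:2025 Sensitive Data Exposure",
+description: "Firebase service account key or credentials JSON hardcoded in source code.",
+pattern: /(?:service_account|serviceAccount|credential|cert)\s*[\(=:]\s*\{[\s\S]{0,500}?(?:"type"\s*:\s*"service_account"|"private_key"\s*:\s*"-----BEGIN)/g,
+languages: ["javascript", "typescript", "json"],
+fix: "Store service account JSON in environment variable and parse at runtime.",
+fixCode: '// Store as env var (base64 or JSON string)\nconst serviceAccount = JSON.parse(process.env.FIREBASE_SERVICE_ACCOUNT_KEY!);\ninitializeApp({ credential: cert(serviceAccount) });',
+compliance: ["SOC2:CC6.1"],
+},
+{
+id: "VG753",
+name: "Insecure Firebase Storage Rules",
+severity: "critical",
+owasp: "A01:2025 Broken Access Control",
+description: "Firebase Storage rules allow unrestricted public access. Anyone can read/write/delete files.",
+pattern: /(?:allow\s+read\s*,\s*write\s*:\s*if\s+true|match\s+\/\{allPaths=\*\*\}\s*\{[\s\S]{0,100}?allow\s+read\s*,\s*write)/g,
+languages: ["firestore"],
+fix: "Restrict Firebase Storage rules. Require authentication and limit file types/sizes.",
+fixCode: 'service firebase.storage {\n match /b/{bucket}/o {\n match /users/{userId}/{allPaths=**} {\n allow read: if request.auth != null;\n allow write: if request.auth != null \n && request.auth.uid == userId\n && request.resource.size < 5 * 1024 * 1024;\n }\n }\n}',
+compliance: ["SOC2:CC6.1"],
+},
+{
+id: "VG754",
+name: "Firebase Config Hardcoded",
+severity: "medium",
+owasp: "A05:2025 Security Misconfiguration",
+description: "Firebase config object hardcoded with all values inline. While Firebase API keys are designed to be public, hardcoding makes it hard to manage across environments.",
+pattern: /(?:firebaseConfig|firebase\.initializeApp)\s*[\(=]\s*\{[\s\S]{0,500}?apiKey\s*:\s*["']AIza[A-Za-z0-9_-]{30,}["']/g,
+languages: ["javascript", "typescript"],
+fix: "Use environment variables for Firebase config to manage different environments.",
+fixCode: 'const firebaseConfig = {\n apiKey: process.env.NEXT_PUBLIC_FIREBASE_API_KEY,\n authDomain: process.env.NEXT_PUBLIC_FIREBASE_AUTH_DOMAIN,\n projectId: process.env.NEXT_PUBLIC_FIREBASE_PROJECT_ID,\n};',
+compliance: ["SOC2:CC6.1"],
+},
+{
+id: "VG755",
+name: "NEXT_PUBLIC Firebase Service Account",
+severity: "critical",
+owasp: "A07:2025 Sensitive Data Exposure",
+description: "Firebase service account key or admin credentials exposed via NEXT_PUBLIC_ prefix.",
+pattern: /NEXT_PUBLIC_\w*(?:FIREBASE_SERVICE_ACCOUNT|FIREBASE_ADMIN|FIREBASE_PRIVATE|FIREBASE_SECRET)\w*\s*=/gi,
+languages: ["javascript", "typescript", "shell"],
+fix: "Remove NEXT_PUBLIC_ prefix from Firebase admin/service account credentials. These must be server-side only.",
+compliance: ["SOC2:CC6.1"],
+},
+{
+id: "VG756",
+name: "signInWithCustomToken Without Validation",
+severity: "high",
+owasp: "A07:2025 Identification and Authentication Failures",
+description: "signInWithCustomToken used with unvalidated token source. Custom tokens must be generated and verified server-side.",
+pattern: /signInWithCustomToken\s*\(\s*\w*\s*,\s*(?:req\.body|request\.body|params\.|searchParams|query\.|formData|url\.)/gi,
+languages: ["javascript", "typescript"],
+fix: "Generate custom tokens server-side with Firebase Admin SDK. Never accept custom tokens from client input.",
+fixCode: '// Server-side: generate custom token\nimport { getAuth } from "firebase-admin/auth";\nconst customToken = await getAuth().createCustomToken(uid);\n\n// Client-side: only use tokens from your own server\nconst res = await fetch("/api/auth/custom-token");\nconst { token } = await res.json();\nawait signInWithCustomToken(auth, token);',
+compliance: ["SOC2:CC6.1"],
+},
+];
+//# sourceMappingURL=firebase.js.map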
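Review bot: VG750's first alternative, `allow\s+(?:read|write|get|list|create|update|delete)\s*:\s*if\s+true`, cannot match a comma-separated operation list, so `allow read, write: if true;` is caught only when it sits inside a `match /{document=**}` block, and that second alternative fires on any `allow read, write` there, including one guarded by `if request.auth != null && …`. A repeated group, `allow\s+(?:read|write|get|list|create|update|delete)(?:\s*,\s*(?:read|write|get|list|create|update|delete))*\s*(?::\s*if\s+true\s*)?;`, covers the list form and the condition-less `allow read, write;` without depending on the wildcard match. VG753 has the mirror-image gap: its first alternative requires exactly `read\s*,\s*write`, so a Storage rule reading `allow read: if true;` is missed. VG752 lists `json` in `languages` but needs an identifier such as `serviceAccount` before the `{`, so a committed service-account JSON file that begins with `{"type": "service_account"` does not match; a second alternative anchored on `"type"\s*:\s*"service_account"` near the start of the object would cover it. The `owasp` field uses `A07:2025` for both "Sensitive Data Exposure" (VG751, VG752, VG755) and "Identification and Authentication Failures" (VG756); one code should carry one category name.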
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"firebase.js","sourceRoot":"","sources":["../../../src/data/rules/firebase.ts"],"names":[],"mappings":"AAEA,MAAM,CAAC,MAAM,aAAa,GAAmB;IAC3C;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,0BAA0B;QAChC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EAAE,yGAAyG;QACtH,OAAO,EAAE,kJAAkJ;QAC3J,SAAS,EAAE,CAAC,WAAW,CAAC;QACxB,GAAG,EAAE,4EAA4E;QACjF,OAAO,EAAE,2NAA2N;QACpO,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,oCAAoC;QAC1C,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,iJAAiJ;QAC9J,OAAO,EAAE,wIAAwI;QACjJ,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,yFAAyF;QAC9F,OAAO,EAAE,0MAA0M;QACnN,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,wCAAwC;QAC9C,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,4EAA4E;QACzF,OAAO,EAAE,mJAAmJ;QAC5J,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,MAAM,CAAC;QAC/C,GAAG,EAAE,0EAA0E;QAC/E,OAAO,EAAE,kLAAkL;QAC3L,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,iCAAiC;QACvC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EAAE,8FAA8F;QAC3G,OAAO,EAAE,sHAAsH;QAC/H,SAAS,EAAE,CAAC,WAAW,CAAC;QACxB,GAAG,EAAE,qFAAqF;QAC1F,OAAO,EAAE,oSAAoS;QAC7S,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,2BAA2B;QACjC,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EAAE,qKAAqK;QAClL,OAAO,EAAE,mHAAmH;QAC5H,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,iFAAiF;QACtF,OAAO,EAAE,2MAA2M;QACpN,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,sCAAsC;QAC5C,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,oFAAoF;QACjG,OAAO,EAAE,sGAAsG;QAC/G,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,OAAO,CAAC;QAChD,GAAG,EAAE,6GAA6G;QAClH,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,0CAA0C;QAChD,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,qDAAqD;QAC5D,WAAW,EAAE,qHAAqH;QAClI,OAAO,EAAE,mHAAmH;QAC5H,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,2GAA2G;QAChH,OAAO,EAAE,gVAAgV;QACzV,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;CACF,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/data/rules/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/data/rules/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAiB/C,eAAO,MAAM,UAAU,qCAgBtB,CAAC;AAGF,eAAO,MAAM,YAAY,qCAAa,CAAC"}
|
|
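--- a/package/build/data/rules/index.js
+++ b/package/build/data/rules/index.js
@@ -10,6 +10,9 @@ import { deploymentRules } from "./deployment.js";
 import { paymentRules } from "./payments.js";
 import { serviceRules } from "./services.js";
 import { webSecurityRules } from "./web-security.js";
+import { reactNativeRules } from "./react-native.js";
+import { firebaseRules } from "./firebase.js";
+import { otherServiceRules } from "./other-services.js";
 export const owaspRules = [
 ...coreRules,
 ...goRules,
@@ -23,6 +26,9 @@ export const owaspRules = [
 ...paymentRules,
 ...serviceRules,
 ...webSecurityRules,
+...reactNativeRules,
+...firebaseRules,
+...otherServiceRules,
 ];
 // Alias for clarity — these are the built-in rules without plugins
 export const builtinRules = owaspRules;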
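Review bot: Spreading `firebaseRules` into `owaspRules` next to the existing Next.js rules makes VG755 and the NEXT_PUBLIC_ secret rule changed in nextjs.js in this same release overlap: a line such as `NEXT_PUBLIC_FIREBASE_PRIVATE_KEY=` (constructed example) satisfies both `NEXT_PUBLIC_\w*(?:FIREBASE_SERVICE_ACCOUNT|FIREBASE_ADMIN|FIREBASE_PRIVATE|FIREBASE_SECRET)\w*\s*=` and `NEXT_PUBLIC_(?!\w*PUBLISHABLE)\w*(?:SECRET|_KEY|PASSWORD|TOKEN|PRIVATE|CREDENTIAL)\w*\s*=`, so one token is reported twice at critical. Either narrow VG755 to the Firebase-only names the generic rule does not cover (`FIREBASE_SERVICE_ACCOUNT`, `FIREBASE_ADMIN`) or have the scanner dedupe findings by file and offset. Nothing in this file checks that `id` values stay unique across the spread arrays; a one-line assertion in the test suite, `new Set(owaspRules.map((r) => r.id)).size === owaspRules.length`, would catch a collision when the next rule file is added.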
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/data/rules/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAClD,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAChD,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AAC9C,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAClD,OAAO,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAC7C,OAAO,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAC7C,OAAO,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/data/rules/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAClD,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAChD,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AAC9C,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAClD,OAAO,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAC7C,OAAO,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAC7C,OAAO,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;AACrD,OAAO,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;AACrD,OAAO,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AAC9C,OAAO,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAC;AAExD,MAAM,CAAC,MAAM,UAAU,GAAG;IACxB,GAAG,SAAS;IACZ,GAAG,OAAO;IACV,GAAG,eAAe;IAClB,GAAG,SAAS;IACZ,GAAG,cAAc;IACjB,GAAG,WAAW;IACd,GAAG,SAAS;IACZ,GAAG,aAAa;IAChB,GAAG,eAAe;IAClB,GAAG,YAAY;IACf,GAAG,YAAY;IACf,GAAG,gBAAgB;IACnB,GAAG,gBAAgB;IACnB,GAAG,aAAa;IAChB,GAAG,iBAAiB;CACrB,CAAC;AAEF,mEAAmE;AACnE,MAAM,CAAC,MAAM,YAAY,GAAG,UAAU,CAAC"}
|
|
@@ -18,7 +18,7 @@ export const nextjsRules = [
|
|
|
18
18
|
severity: "high",
|
|
19
19
|
owasp: "A03:2025 Injection",
|
|
20
20
|
description: "Server Action processes form data without schema validation. Unvalidated input can lead to injection attacks.",
|
|
21
|
-
pattern: /["']use server["'][\s\S]{0,500}?formData\.get\s*\(/g,
|
|
21
|
+
pattern: /["']use server["'](?![\s\S]{0,500}?(?:z\.object|schema\.parse|\.safeParse|yup\.object|valibot\.|\.validate\s*\())[\s\S]{0,500}?formData\.get\s*\(/g,
|
|
22
22
|
languages: ["javascript", "typescript"],
|
|
23
23
|
fix: "Validate all inputs with a schema library (zod, yup, valibot) before processing.",
|
|
24
24
|
fixCode: '"use server";\nimport { z } from "zod";\n\nconst schema = z.object({ name: z.string().min(1), email: z.string().email() });\n\nexport async function createUser(formData: FormData) {\n const data = schema.parse(Object.fromEntries(formData));\n}',
|
|
@@ -30,7 +30,7 @@ export const nextjsRules = [
|
|
|
30
30
|
severity: "critical",
|
|
31
31
|
owasp: "A01:2025 Broken Access Control",
|
|
32
32
|
description: "Server Action performs data mutations without verifying user authentication. Anyone can invoke Server Actions directly via POST request.",
|
|
33
|
-
pattern: /["']use server["'][\s\S]{0,
|
|
33
|
+
pattern: /["']use server["'][\s\S]{0,500}?export\s+async\s+function\s+\w+\s*\([^)]*\)\s*\{(?![\s\S]{0,800}?(?:auth\s*\(|getServerSession|currentUser|getUser|requireAuth|clerkClient))/g,
|
|
34
34
|
languages: ["javascript", "typescript"],
|
|
35
35
|
fix: "Always verify authentication at the start of every Server Action.",
|
|
36
36
|
fixCode: '"use server";\nimport { auth } from "@clerk/nextjs/server";\n\nexport async function deleteItem(id: string) {\n const { userId } = await auth();\n if (!userId) throw new Error("Unauthorized");\n}',
|
|
@@ -138,7 +138,7 @@ export const nextjsRules = [
|
|
|
138
138
|
severity: "critical",
|
|
139
139
|
owasp: "A07:2025 Sensitive Data Exposure",
|
|
140
140
|
description: "Environment variable prefixed with NEXT_PUBLIC_ contains a secret keyword (SECRET, KEY, PASSWORD, TOKEN). NEXT_PUBLIC_ variables are embedded in the client bundle and visible to anyone.",
|
|
141
|
-
pattern: /NEXT_PUBLIC_\w*(?:SECRET|_KEY|PASSWORD|TOKEN|PRIVATE|CREDENTIAL)\w*\s*=/gi,
|
|
141
|
+
pattern: /NEXT_PUBLIC_(?!\w*PUBLISHABLE)\w*(?:SECRET|_KEY|PASSWORD|TOKEN|PRIVATE|CREDENTIAL)\w*\s*=/gi,
|
|
142
142
|
languages: ["javascript", "typescript", "shell"],
|
|
143
143
|
fix: "Remove NEXT_PUBLIC_ prefix from secret variables. Access them only server-side.",
|
|
144
144
|
fixCode: "# .env.local — WRONG\n# NEXT_PUBLIC_SECRET_KEY=sk_live_xxx\n\n# .env.local — CORRECT\nSECRET_KEY=sk_live_xxx\n# Access server-side only: process.env.SECRET_KEY",
|
|
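Review bot: The negative lookahead added to the Server Action authentication pattern (new line 33) scans 800 characters forward from the action's opening `{` with no regard for where that function ends, so an `auth(` or `getServerSession` call in the following function clears an action that never checks authentication, and `getUser` and `auth\s*\(` are substring matches that `getUserProfile` or `getAuth(` also satisfy. Because the match starts at the `"use server"` directive and consumes it, the regex yields at most one finding per directive, and only for an action whose signature lies within 500 characters of it, so a file-level directive followed by several actions has all but one of them skipped (this assumes the scanner iterates `g`-flag matches, as the rule format suggests). Word boundaries, `\bauth\s*\(` and `\bgetUser\b`, tighten the lookahead within what one regex can do, and the one-action-per-directive limit belongs in `description` so a clean scan is not read as coverage. The schema-validation pattern on new line 21 has the same one-finding-per-directive property, and its 500-character lookahead is satisfied by a validation call that belongs to a neighbouring action. The enclosing `nextjsRules` array starts and ends outside these hunks.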
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"nextjs.js","sourceRoot":"","sources":["../../../src/data/rules/nextjs.ts"],"names":[],"mappings":"AAEA,iDAAiD;AACjD,MAAM,CAAC,MAAM,WAAW,GAAmB;IACzC;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,kCAAkC;QACxC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,4KAA4K;QAC9K,OAAO,EAAE,oEAAoE;QAC7E,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,sIAAsI;QAC3I,OAAO,EACL,uLAAuL;QACzL,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,wCAAwC;QAC9C,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EACT,+GAA+G;QACjH,OAAO,EACL,
|
|
1
|
+
{"version":3,"file":"nextjs.js","sourceRoot":"","sources":["../../../src/data/rules/nextjs.ts"],"names":[],"mappings":"AAEA,iDAAiD;AACjD,MAAM,CAAC,MAAM,WAAW,GAAmB;IACzC;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,kCAAkC;QACxC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,4KAA4K;QAC9K,OAAO,EAAE,oEAAoE;QAC7E,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,sIAAsI;QAC3I,OAAO,EACL,uLAAuL;QACzL,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,wCAAwC;QAC9C,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EACT,+GAA+G;QACjH,OAAO,EACL,oJAAoJ;QACtJ,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,kFAAkF;QACvF,OAAO,EACL,sPAAsP;QACxP,UAAU,EAAE,CAAC,YAAY,EAAE,kBAAkB,CAAC;KAC/C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,kCAAkC;QACxC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,0IAA0I;QAC5I,OAAO,EACL,+KAA+K;QACjL,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,mEAAmE;QACxE,OAAO,EACL,uMAAuM;QACzM,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,EAAE,mBAAmB,CAAC;KACrE;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,6BAA6B;QACnC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,uHAAuH;QACzH,OAAO,EACL,4GAA4G;QAC9G,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,gEAAgE;QACrE,OAAO,EACL,kLAAkL;QACpL,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,6BAA6B;QACnC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,yGAAyG;QAC3G,OAAO,EAAE,yDAAyD;QAClE,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,2DAA2D;QAChE,OAAO,EACL,4GAA4G;QAC9G,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,yCAAyC;QAC/C,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EACT,0HAA0H;QAC5H,OAAO,EACL,6EAA6E;QAC/E,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,4DAA4D;QACjE,OAAO,EACL,mTAAmT;QACrT,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,kCAAkC;QACxC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EACT,yHAAyH;QAC3H,OAAO,EACL,4JAA4J;QAC9J,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,qFAAqF;QAC1F,OAA
O,EACL,+RAA+R;QACjS,UAAU,EAAE,CAAC,YAAY,EAAE,kBAAkB,CAAC;KAC/C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,wCAAwC;QAC9C,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,+GAA+G;QACjH,OAAO,EACL,2FAA2F;QAC7F,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,oFAAoF;QACzF,OAAO,EACL,yNAAyN;QAC3N,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,wBAAwB;QAC9B,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EACT,uLAAuL;QACzL,OAAO,EAAE,qDAAqD;QAC9D,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,oFAAoF;QACzF,OAAO,EACL,oOAAoO;QACtO,UAAU,EAAE,CAAC,YAAY,EAAE,kBAAkB,CAAC;KAC/C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,8BAA8B;QACpC,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,qIAAqI;QACvI,OAAO,EACL,qFAAqF;QACvF,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,iEAAiE;QACtE,OAAO,EACL,+RAA+R;QACjS,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,iCAAiC;QACvC,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,yIAAyI;QAC3I,OAAO,EACL,0IAA0I;QAC5I,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,uEAAuE;QAC5E,OAAO,EACL,oRAAoR;QACtR,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,0BAA0B;QAChC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,2LAA2L;QAC7L,OAAO,EACL,6FAA6F;QAC/F,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,OAAO,CAAC;QAChD,GAAG,EAAE,iFAAiF;QACtF,OAAO,EACL,iKAAiK;QACnK,UAAU,EAAE,CAAC,YAAY,EAAE,gBAAgB,EAAE,mBAAmB,CAAC;KAClE;CACF,CAAC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"other-services.d.ts","sourceRoot":"","sources":["../../../src/data/rules/other-services.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAE/C,eAAO,MAAM,iBAAiB,EAAE,YAAY,EA6D3C,CAAC"}
|
|
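--- a/package/build/data/rules/other-services.js
+++ b/package/build/data/rules/other-services.js
@@ -0,0 +1,63 @@
+export const otherServiceRules = [
+{
+id: "VG800",
+name: "Sentry Auth Token Exposure",
+severity: "critical",
+owasp: "A07:2025 Sensitive Data Exposure",
+description: "Sentry auth token exposed in client-side code or committed to source. Auth tokens grant full org access. Note: Sentry DSN is safe to expose publicly.",
+pattern: /(?:SENTRY_AUTH_TOKEN\s*[:=]\s*["']?\w{10,}|["']sntrys_[A-Za-z0-9]{20,}["'])/g,
+languages: ["javascript", "typescript", "shell"],
+fix: "Use SENTRY_AUTH_TOKEN only in CI/CD environment. DSN is safe to be public.",
+fixCode: '# .env.local (server only, for source maps upload)\nSENTRY_AUTH_TOKEN=sntrys_xxx\n\n# Safe to expose (DSN)\nNEXT_PUBLIC_SENTRY_DSN=https://abc@sentry.io/123',
+compliance: ["SOC2:CC6.1"],
+},
+{
+id: "VG801",
+name: "Twilio Auth Token Exposure",
+severity: "critical",
+owasp: "A07:2025 Sensitive Data Exposure",
+description: "Twilio auth token or API key hardcoded or exposed in client-side code. This allows sending SMS/calls from your account.",
+pattern: /(?:["']use client["'][\s\S]{0,500}?(?:TWILIO_AUTH_TOKEN|TWILIO_API_SECRET)|(?:authToken|apiSecret)\s*[:=]\s*["'][a-f0-9]{32}["'])/g,
+languages: ["javascript", "typescript"],
+fix: "Use Twilio credentials server-side only. Validate phone numbers to prevent SMS injection.",
+fixCode: '// Server-side only\nimport twilio from "twilio";\nconst client = twilio(process.env.TWILIO_ACCOUNT_SID, process.env.TWILIO_AUTH_TOKEN);\n\n// Validate phone number before sending\nconst phoneRegex = /^\\+[1-9]\\d{1,14}$/;\nif (!phoneRegex.test(to)) throw new Error("Invalid phone");',
+compliance: ["SOC2:CC6.1"],
+},
+{
+id: "VG802",
+name: "Neon/Postgres Connection String Exposure",
+severity: "critical",
+owasp: "A07:2025 Sensitive Data Exposure",
+description: "Neon or PostgreSQL connection string hardcoded in source code. Contains hostname, credentials, and database name.",
+pattern: /(?:DATABASE_URL|connectionString|connection_string|pgConnectionString)\s*[:=]\s*["']postgres(?:ql)?:\/\/[^"'\s]{10,}["']/gi,
+languages: ["javascript", "typescript"],
+fix: "Use DATABASE_URL environment variable. Never hardcode connection strings.",
+fixCode: 'import { neon } from "@neondatabase/serverless";\nconst sql = neon(process.env.DATABASE_URL!);',
+compliance: ["SOC2:CC6.1"],
+},
+{
+id: "VG803",
+name: "Convex Deploy Key Exposure",
+severity: "critical",
+owasp: "A07:2025 Sensitive Data Exposure",
+description: "Convex deploy key or admin key hardcoded or exposed in client-side code. Deploy keys grant write access to your Convex backend.",
+pattern: /(?:CONVEX_DEPLOY_KEY|["']use client["'][\s\S]{0,500}?CONVEX_ADMIN_KEY|(?:deployKey|adminKey)\s*[:=]\s*["'](?:prod|dev):[\w]+:[\w]+["'])/g,
+languages: ["javascript", "typescript", "shell"],
+fix: "Use CONVEX_DEPLOY_KEY only in CI/CD. Client-side should only use the public CONVEX_URL.",
+fixCode: '# Client-safe\nNEXT_PUBLIC_CONVEX_URL=https://xxx.convex.cloud\n\n# Server/CI only\nCONVEX_DEPLOY_KEY=prod:xxx:yyy',
+compliance: ["SOC2:CC6.1"],
+},
+{
+id: "VG804",
+name: "MongoDB Connection String Exposure",
+severity: "critical",
+owasp: "A07:2025 Sensitive Data Exposure",
+description: "MongoDB connection string hardcoded in source code. Contains credentials and cluster information.",
+pattern: /(?:MONGODB_URI|MONGO_URL|mongoUri|mongoUrl|connectionString)\s*[:=]\s*["']mongodb(?:\+srv)?:\/\/[^"'\s]{10,}["']/gi,
+languages: ["javascript", "typescript"],
+fix: "Use MONGODB_URI environment variable. Never hardcode connection strings.",
+fixCode: 'import { MongoClient } from "mongodb";\nconst client = new MongoClient(process.env.MONGODB_URI!);',
+compliance: ["SOC2:CC6.1"],
+},
+];
+//# sourceMappingURL=other-services.js.map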
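Review bot: VG803's first alternative is the bare identifier `CONVEX_DEPLOY_KEY`, so the usage its own `fix` recommends — reading `process.env.CONVEX_DEPLOY_KEY` on a server or referencing it as a CI variable — is reported as a critical exposure wherever the name appears. Anchoring that branch on a literal value, `CONVEX_DEPLOY_KEY\s*[:=]\s*["']?(?:prod|dev):`, keeps the hardcoded-key case and drops the environment lookup. VG802 and VG804 are rated critical and described as containing credentials, yet `postgres(?:ql)?:\/\/[^"'\s]{10,}` and `mongodb(?:\+srv)?:\/\/[^"'\s]{10,}` also match credential-less local strings such as `postgresql://localhost:5432/app` (constructed example); requiring a userinfo part, `[^"'\s@]+:[^"'\s@]+@`, before the host makes the match agree with the description. Both also demand surrounding quotes and leave `shell` out of `languages`, unlike VG800 and VG803, so the unquoted `DATABASE_URL=postgres://…` form in a committed env file is not covered.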
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"other-services.js","sourceRoot":"","sources":["../../../src/data/rules/other-services.ts"],"names":[],"mappings":"AAEA,MAAM,CAAC,MAAM,iBAAiB,GAAmB;IAC/C;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,4BAA4B;QAClC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,uJAAuJ;QACpK,OAAO,EAAE,8EAA8E;QACvF,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,OAAO,CAAC;QAChD,GAAG,EAAE,4EAA4E;QACjF,OAAO,EAAE,8JAA8J;QACvK,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,4BAA4B;QAClC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,yHAAyH;QACtI,OAAO,EAAE,oIAAoI;QAC7I,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,2FAA2F;QAChG,OAAO,EAAE,6RAA6R;QACtS,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,0CAA0C;QAChD,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,mHAAmH;QAChI,OAAO,EAAE,4HAA4H;QACrI,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,2EAA2E;QAChF,OAAO,EAAE,gGAAgG;QACzG,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,4BAA4B;QAClC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,iIAAiI;QAC9I,OAAO,EAAE,0IAA0I;QACnJ,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,OAAO,CAAC;QAChD,GAAG,EAAE,yFAAyF;QAC9F,OAAO,EAAE,oHAAoH;QAC7H,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,oCAAoC;QAC1C,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,mGAAmG;QAChH,OAAO,EAAE,oHAAoH;QAC7H,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,0EAA0E;QAC/E,OAAO,EAAE,mGAAmG;QAC5G,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;CACF,CAAC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"react-native.d.ts","sourceRoot":"","sources":["../../../src/data/rules/react-native.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAE/C,eAAO,MAAM,gBAAgB,EAAE,YAAY,EAsH1C,CAAC"}
|
|
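--- a/package/build/data/rules/react-native.js
+++ b/package/build/data/rules/react-native.js
@@ -0,0 +1,120 @@
+export const reactNativeRules = [
+{
+id: "VG700",
+name: "AsyncStorage Sensitive Data",
+severity: "critical",
+owasp: "A07:2025 Sensitive Data Exposure",
+description: "Storing secrets, tokens, or passwords in AsyncStorage. AsyncStorage is unencrypted plain text on device. Use expo-secure-store or react-native-keychain instead.",
+pattern: /AsyncStorage\s*\.\s*(?:setItem|multiSet)\s*\(\s*["'][^"']*(?:token|secret|password|jwt|session|auth|apiKey|api_key|credential|refresh)["']/gi,
+languages: ["javascript", "typescript"],
+fix: "Use expo-secure-store (Expo) or react-native-keychain (bare RN) for sensitive data.",
+fixCode: 'import * as SecureStore from "expo-secure-store";\nawait SecureStore.setItemAsync("authToken", token);',
+compliance: ["SOC2:CC6.1", "HIPAA:§164.312(a)"],
+},
+{
+id: "VG701",
+name: "Deep Link Auth Bypass",
+severity: "high",
+owasp: "A07:2025 Identification and Authentication Failures",
+description: "Deep link handler processes authentication parameters (token, code, session) without validation. Attackers can craft malicious deep links to bypass auth.",
+pattern: /(?:Linking\.addEventListener|useURL|createURL|expo-linking)[\s\S]{0,500}?(?:url|event)[\s\S]{0,300}?(?:token|code|session|auth)/gi,
+languages: ["javascript", "typescript"],
+fix: "Validate deep link origin, verify tokens server-side, and never trust URL parameters for auth state.",
+fixCode: '// Validate token from deep link server-side\nconst { token } = parseURL(url);\nconst res = await fetch("/api/verify-token", { method: "POST", body: JSON.stringify({ token }) });\nif (!res.ok) throw new Error("Invalid deep link token");',
+compliance: ["SOC2:CC6.1"],
+},
+{
+id: "VG702",
+name: "Expo Push Token Exposure",
+severity: "high",
+owasp: "A07:2025 Sensitive Data Exposure",
+description: "Expo push token logged or sent to client-side analytics. Push tokens can be abused to send spam notifications.",
+pattern: /(?:console\.\w+|analytics|posthog|capture|track)\s*[\.\(][\s\S]{0,200}?(?:ExpoPushToken|expoPushToken|pushToken)/gi,
+languages: ["javascript", "typescript"],
+fix: "Never log push tokens. Send them only to your own server over HTTPS.",
+fixCode: '// Send push token securely to your server\nawait fetch("/api/register-push", {\n method: "POST",\n headers: { Authorization: `Bearer ${authToken}` },\n body: JSON.stringify({ pushToken }),\n});',
+compliance: ["SOC2:CC6.1"],
+},
+{
+id: "VG703",
+name: "Hardcoded Secrets in EAS Config",
+severity: "critical",
+owasp: "A07:2025 Sensitive Data Exposure",
+description: "Hardcoded secrets, API keys, or tokens in eas.json or eas.config. These end up in version control.",
+pattern: /(?:"env"|env\s*:\s*\{)[\s\S]{0,300}?(?:SECRET|TOKEN|API_KEY|PASSWORD|PRIVATE)\s*["']?\s*[:=]\s*["'][^"']{8,}["']/gi,
+languages: ["json", "javascript", "typescript"],
+fix: "Use EAS Secrets (eas secret:create) instead of hardcoding in eas.json.",
+fixCode: '# Set secrets via EAS CLI\neas secret:create --name API_KEY --value "your-key" --scope project\n\n# Reference in eas.json\n{ "build": { "production": { "env": { "API_KEY": "eas-secret" } } } }',
+compliance: ["SOC2:CC6.1"],
+},
+{
+id: "VG704",
+name: "WebView JavaScript Injection",
+severity: "critical",
+owasp: "A03:2025 Injection",
+description: "WebView loading untrusted URLs or injecting unvalidated JavaScript. This allows XSS and data theft from the app context.",
+pattern: /(?:WebView|webview)\s*[\s\S]{0,300}?(?:injectedJavaScript|source\s*=\s*\{\s*\{\s*uri\s*:\s*(?:user|params|route|input|req|data|body)[\s\S]{0,100}?\}|javaScriptEnabled\s*=\s*\{?\s*true)/gi,
+languages: ["javascript", "typescript"],
+fix: "Validate WebView URLs against an allowlist. Avoid injecting dynamic JavaScript. Disable JavaScript if not needed.",
+fixCode: 'const ALLOWED_HOSTS = ["example.com", "docs.example.com"];\nconst url = new URL(inputUrl);\nif (!ALLOWED_HOSTS.includes(url.hostname)) throw new Error("Blocked URL");\n\n<WebView source={{ uri: url.toString() }} javaScriptEnabled={false} />',
+compliance: ["SOC2:CC7.1"],
+},
+{
+id: "VG705",
+name: "Missing Certificate Pinning",
+severity: "medium",
+owasp: "A07:2025 Sensitive Data Exposure",
+description: "Network requests to API without certificate pinning. On mobile, this allows man-in-the-middle attacks on compromised networks.",
+pattern: /(?:fetch|axios|http)\s*[\.\(][\s\S]{0,200}?(?:api\.|\/api\/)[\s\S]{0,300}?(?:Authorization|Bearer|token)/gi,
+languages: ["javascript", "typescript"],
+fix: "Implement certificate pinning using react-native-ssl-pinning or expo-certificate-transparency.",
+compliance: ["SOC2:CC6.1", "PCI-DSS:Req4"],
+},
+{
+id: "VG706",
+name: "Hardcoded API URL",
+severity: "medium",
+owasp: "A05:2025 Security Misconfiguration",
+description: "API base URL hardcoded directly in source. This makes it hard to switch environments and may expose staging/internal endpoints.",
+pattern: /(?:baseURL|apiUrl|API_URL|apiBase|BASE_URL)\s*[:=]\s*["']https?:\/\/(?!localhost)[^"']{5,}["']/gi,
+languages: ["javascript", "typescript"],
+fix: "Use environment variables or app config for API URLs.",
+fixCode: 'import Constants from "expo-constants";\nconst API_URL = Constants.expoConfig?.extra?.apiUrl ?? process.env.EXPO_PUBLIC_API_URL;',
+compliance: ["SOC2:CC6.1"],
+},
+{
+id: "VG707",
+name: "Disabled App Transport Security",
+severity: "high",
+owasp: "A05:2025 Security Misconfiguration",
+description: "App Transport Security (ATS) disabled in iOS config, allowing insecure HTTP connections.",
+pattern: /NSAppTransportSecurity[\s\S]{0,200}?NSAllowsArbitraryLoads[\s\S]{0,50}?(?:true|YES|<true\s*\/>)/gi,
+languages: ["xml", "json", "javascript", "typescript"],
+fix: "Do not disable ATS. If specific domains need HTTP, use NSExceptionDomains instead of blanket allow.",
+compliance: ["SOC2:CC6.1", "PCI-DSS:Req4"],
+},
+{
+id: "VG708",
+name: "Sensitive Data in Expo Config",
+severity: "critical",
+owasp: "A07:2025 Sensitive Data Exposure",
+description: "Secrets or API keys hardcoded in app.json, app.config.js, or app.config.ts. These are embedded in the app bundle and visible to anyone who decompiles the app.",
+pattern: /(?:app\.json|app\.config\.[jt]s)[\s\S]{0,50}|(?:"extra"|extra\s*:\s*\{)[\s\S]{0,500}?(?:SECRET|PRIVATE_KEY|API_SECRET|DATABASE_URL|SERVICE_ACCOUNT)\s*[:=]\s*["'][^"']{8,}["']/gi,
+languages: ["json", "javascript", "typescript"],
+fix: "Use EXPO_PUBLIC_ prefix only for truly public values. Keep secrets server-side or in EAS Secrets.",
+fixCode: '// app.config.ts — only public values in extra\nexport default {\n extra: {\n apiUrl: process.env.EXPO_PUBLIC_API_URL, // OK: public\n // NEVER: apiSecret: process.env.API_SECRET\n },\n};',
+compliance: ["SOC2:CC6.1"],
+},
+{
+id: "VG709",
+name: "React Native Bridge Sensitive Data",
+severity: "high",
+owasp: "A07:2025 Sensitive Data Exposure",
+description: "Sensitive data (tokens, keys, passwords) passed through React Native bridge/NativeModules without encryption. Bridge data can be intercepted on rooted/jailbroken devices.",
+pattern: /NativeModules\.\w+\.\w+\s*\([\s\S]{0,200}?(?:token|secret|password|key|credential|jwt|session)/gi,
+languages: ["javascript", "typescript"],
+fix: "Encrypt sensitive data before passing through the bridge. Use native secure storage instead.",
+compliance: ["SOC2:CC6.1"],
+},
+];
+//# sourceMappingURL=react-native.js.map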
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"react-native.js","sourceRoot":"","sources":["../../../src/data/rules/react-native.ts"],"names":[],"mappings":"AAEA,MAAM,CAAC,MAAM,gBAAgB,GAAmB;IAC9C;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,6BAA6B;QACnC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,kKAAkK;QAC/K,OAAO,EAAE,8IAA8I;QACvJ,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,qFAAqF;QAC1F,OAAO,EAAE,wGAAwG;QACjH,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,uBAAuB;QAC7B,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,qDAAqD;QAC5D,WAAW,EAAE,2JAA2J;QACxK,OAAO,EAAE,mIAAmI;QAC5I,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,sGAAsG;QAC3G,OAAO,EAAE,8OAA8O;QACvP,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,0BAA0B;QAChC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,gHAAgH;QAC7H,OAAO,EAAE,oHAAoH;QAC7H,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,sEAAsE;QAC3E,OAAO,EAAE,uMAAuM;QAChN,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,iCAAiC;QACvC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,oGAAoG;QACjH,OAAO,EAAE,oHAAoH;QAC7H,SAAS,EAAE,CAAC,MAAM,EAAE,YAAY,EAAE,YAAY,CAAC;QAC/C,GAAG,EAAE,wEAAwE;QAC7E,OAAO,EAAE,kMAAkM;QAC3M,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,8BAA8B;QACpC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EAAE,0HAA0H;QACvI,OAAO,EAAE,4LAA4L;QACrM,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,mHAAmH;QACxH,OAAO,EAAE,kPAAkP;QAC3P,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,6BAA6B;QACnC,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,gIAAgI;QAC7I,OAAO,EAAE,4GAA4G;QACrH,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,gGAAgG;QACrG,UAAU,EAAE,CAAC,YAAY,EAAE,cAAc,CAAC;KAC3C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,mBAAmB;QACzB,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EAAE,iIAAiI;QAC9I,OAAO,EAAE,kGAAkG;QAC3G,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,uDAAuD;QAC5D,OAAO,EAAE,kIAAkI;QAC3I,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B
;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,iCAAiC;QACvC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EAAE,0FAA0F;QACvG,OAAO,EAAE,mGAAmG;QAC5G,SAAS,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,YAAY,EAAE,YAAY,CAAC;QACtD,GAAG,EAAE,qGAAqG;QAC1G,UAAU,EAAE,CAAC,YAAY,EAAE,cAAc,CAAC;KAC3C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,+BAA+B;QACrC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,gKAAgK;QAC7K,OAAO,EAAE,kLAAkL;QAC3L,SAAS,EAAE,CAAC,MAAM,EAAE,YAAY,EAAE,YAAY,CAAC;QAC/C,GAAG,EAAE,mGAAmG;QACxG,OAAO,EAAE,qMAAqM;QAC9M,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,oCAAoC;QAC1C,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,4KAA4K;QACzL,OAAO,EAAE,kGAAkG;QAC3G,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,8FAA8F;QACnG,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;CACF,CAAC"}
|
package/build/index.js
CHANGED
|
@@ -18,7 +18,7 @@ import { builtinRules } from "./data/rules/index.js";
|
|
|
18
18
|
import { loadConfig } from "./utils/config.js";
|
|
19
19
|
const server = new McpServer({
|
|
20
20
|
name: "guardvibe",
|
|
21
|
-
version: "0.
|
|
21
|
+
version: "0.10.0",
|
|
22
22
|
});
|
|
23
23
|
// Tool 1: Analyze code for security vulnerabilities
|
|
24
24
|
server.tool("check_code", "Analyze code for security vulnerabilities (OWASP Top 10, XSS, SQL injection, insecure patterns). Use this when reviewing or writing code to catch security issues early.", {
|
package/build/index.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAEA,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AACpE,OAAO,EAAE,oBAAoB,EAAE,MAAM,2CAA2C,CAAC;AACjF,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,SAAS,EAAE,MAAM,uBAAuB,CAAC;AAClD,OAAO,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAC;AACxD,OAAO,EAAE,eAAe,EAAE,MAAM,8BAA8B,CAAC;AAC/D,OAAO,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAC1D,OAAO,EAAE,aAAa,EAAE,MAAM,2BAA2B,CAAC;AAC1D,OAAO,EAAE,gBAAgB,EAAE,MAAM,8BAA8B,CAAC;AAChE,OAAO,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAC;AACtD,OAAO,EAAE,UAAU,EAAE,MAAM,wBAAwB,CAAC;AACpD,OAAO,EAAE,gBAAgB,EAAE,MAAM,8BAA8B,CAAC;AAChE,OAAO,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAC;AACtD,OAAO,EAAE,kBAAkB,EAAE,MAAM,iCAAiC,CAAC;AACrE,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AACtD,OAAO,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AAErD,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAE/C,MAAM,MAAM,GAAG,IAAI,SAAS,CAAC;IAC3B,IAAI,EAAE,WAAW;IACjB,OAAO,EAAE,
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAEA,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AACpE,OAAO,EAAE,oBAAoB,EAAE,MAAM,2CAA2C,CAAC;AACjF,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,SAAS,EAAE,MAAM,uBAAuB,CAAC;AAClD,OAAO,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAC;AACxD,OAAO,EAAE,eAAe,EAAE,MAAM,8BAA8B,CAAC;AAC/D,OAAO,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAC1D,OAAO,EAAE,aAAa,EAAE,MAAM,2BAA2B,CAAC;AAC1D,OAAO,EAAE,gBAAgB,EAAE,MAAM,8BAA8B,CAAC;AAChE,OAAO,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAC;AACtD,OAAO,EAAE,UAAU,EAAE,MAAM,wBAAwB,CAAC;AACpD,OAAO,EAAE,gBAAgB,EAAE,MAAM,8BAA8B,CAAC;AAChE,OAAO,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAC;AACtD,OAAO,EAAE,kBAAkB,EAAE,MAAM,iCAAiC,CAAC;AACrE,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AACtD,OAAO,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AAErD,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAE/C,MAAM,MAAM,GAAG,IAAI,SAAS,CAAC;IAC3B,IAAI,EAAE,WAAW;IACjB,OAAO,EAAE,QAAQ;CAClB,CAAC,CAAC;AAEH,oDAAoD;AACpD,MAAM,CAAC,IAAI,CACT,YAAY,EACZ,0KAA0K,EAC1K;IACE,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,6BAA6B,CAAC;IACxD,QAAQ,EAAE,CAAC;SACR,IAAI,CAAC,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,EAAE,IAAI,EAAE,YAAY,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,MAAM,EAAE,WAAW,CAAC,CAAC;SAC7G,QAAQ,CAAC,kCAAkC,CAAC;IAC/C,SAAS,EAAE,CAAC;SACT,MAAM,EAAE;SACR,QAAQ,EAAE;SACV,QAAQ,CAAC,kEAAkE,CAAC;IAC/E,MAAM,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,QAAQ,CAAC,uEAAuE,CAAC;CAC3I,EACD,KAAK,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,EAAE,EAAE,EAAE;IAC9C,MAAM,KAAK,GAAI,UAAkB,CAAC,iBAA+C,CAAC;IAClF,MAAM,OAAO,GAAG,SAAS,CAAC,IAAI,EAAE,QAAQ,EAAE,SAAS,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,EAAE,KAAK,CAAC,CAAC;IAC1F,OAAO;QACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;KAC3C,CAAC;AACJ,CAAC,CACF,CAAC;AAEF,2DAA2D;AAC3D,MAAM,CAAC,IAAI,CACT,eAAe,EACf,iKAAiK,EACjK;IACE,KAAK,EAAE,CAAC;SACL,KAAK,CACJ,CAAC,CAAC,MAAM,CAAC;QACP,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,sCAAsC,CAAC;QACjE,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,kBAAkB,
CAAC;KACjD,CAAC,CACH;SACA,QAAQ,CAAC,0CAA0C,CAAC;IACvD,MAAM,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,QAAQ,CAAC,uEAAuE,CAAC;CAC3I,EACD,KAAK,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,EAAE,EAAE;IAC1B,MAAM,KAAK,GAAI,UAAkB,CAAC,iBAA+C,CAAC;IAClF,MAAM,OAAO,GAAG,YAAY,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,CAAC,CAAC;IACnD,OAAO;QACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;KAC3C,CAAC;AACJ,CAAC,CACF,CAAC;AAEF,iFAAiF;AACjF,MAAM,CAAC,IAAI,CACT,mBAAmB,EACnB,8IAA8I,EAC9I;IACE,KAAK,EAAE,CAAC;SACL,MAAM,EAAE;SACR,QAAQ,CACP,mIAAmI,CACpI;CACJ,EACD,KAAK,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE;IAClB,MAAM,IAAI,GAAG,eAAe,CAAC,KAAK,CAAC,CAAC;IACpC,OAAO;QACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;KACxC,CAAC;AACJ,CAAC,CACF,CAAC;AAEF,uDAAuD;AACvD,MAAM,aAAa,GAAG,CAAC,CAAC,MAAM,CAAC;IAC7B,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,6CAA6C,CAAC;IACxE,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,gCAAgC,CAAC;IAC9D,SAAS,EAAE,CAAC;SACT,IAAI,CAAC,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,CAAC,CAAC;SAC3B,OAAO,CAAC,KAAK,CAAC;SACd,QAAQ,CAAC,mBAAmB,CAAC;CACjC,CAAC,CAAC;AAEH,MAAM,CAAC,IAAI,CACT,oBAAoB,EACpB,sKAAsK,EACtK;IACE,QAAQ,EAAE,CAAC,CAAC,UAAU,CACpB,CAAC,GAAG,EAAE,EAAE;QACN,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;YAC5B,IAAI,CAAC;gBACH,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YACzB,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,GAAG,CAAC;YACb,CAAC;QACH,CAAC;QACD,OAAO,GAAG,CAAC;IACb,CAAC,EACD,CAAC,CAAC,KAAK,CAAC,aAAa,CAAC,CACvB,CAAC,QAAQ,CAAC,yDAAyD,CAAC;CACtE,EACD,KAAK,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE;IACrB,MAAM,OAAO,GAAG,MAAM,iBAAiB,CAAC,QAAQ,CAAC,CAAC;IAClD,OAAO;QACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;KAC3C,CAAC;AACJ,CAAC,CACF,CAAC;AAEF,0EAA0E;AAC1E,MAAM,CAAC,IAAI,CACT,gBAAgB,EAChB,gMAAgM,EAChM;IACE,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,4CAA4C,CAAC;IACvE,SAAS,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,qBAAqB,CAAC;IAC/E,OAAO,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE,CAAC,OAAO,CA
AC,EAAE,CAAC,CAAC,QAAQ,CAAC,mCAAmC,CAAC;IACjG,MAAM,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,QAAQ,CAAC,uEAAuE,CAAC;CAC3I,EACD,KAAK,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,EAAE,EAAE,EAAE;IAC7C,MAAM,KAAK,GAAI,UAAkB,CAAC,iBAA+C,CAAC;IAClF,MAAM,OAAO,GAAG,aAAa,CAAC,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,CAAC,CAAC;IACvE,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,EAAE,CAAC;AACxD,CAAC,CACF,CAAC;AAEF,gEAAgE;AAChE,MAAM,CAAC,IAAI,CACT,mBAAmB,EACnB,mLAAmL,EACnL;IACE,aAAa,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,2EAA2E,CAAC;IAC/G,MAAM,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,QAAQ,CAAC,uEAAuE,CAAC;CAC3I,EACD,KAAK,EAAE,EAAE,aAAa,EAAE,MAAM,EAAE,EAAE,EAAE;IAClC,MAAM,OAAO,GAAG,MAAM,gBAAgB,CAAC,aAAa,EAAE,MAAM,CAAC,CAAC;IAC9D,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,EAAE,CAAC;AACxD,CAAC,CACF,CAAC;AAEF,6DAA6D;AAC7D,MAAM,CAAC,IAAI,CACT,cAAc,EACd,mKAAmK,EACnK;IACE,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,gCAAgC,CAAC;IAC3D,SAAS,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,qBAAqB,CAAC;IAC/E,MAAM,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,QAAQ,CAAC,uEAAuE,CAAC;CAC3I,EACD,KAAK,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,EAAE,EAAE,EAAE;IACpC,MAAM,OAAO,GAAG,WAAW,CAAC,IAAI,EAAE,SAAS,EAAE,MAAM,CAAC,CAAC;IACrD,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,EAAE,CAAC;AACxD,CAAC,CACF,CAAC;AAEF,kDAAkD;AAClD,MAAM,CAAC,IAAI,CACT,aAAa,EACb,+KAA+K,EAC/K;IACE,MAAM,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,QAAQ,CAAC,uEAAuE,CAAC;CAC3I,EACD,KAAK,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE;IACnB,MAAM,KAAK,GAAI,UAAkB,CAAC,iBAA+C,CAAC;IAClF,MAAM,OAAO,GAAG,UAAU,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,MAAM,EAAE,KAAK,CAAC,CAAC;IACzD,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,EAAE,CAAC;AACxD,CAAC,CACF,CAAC;
AAEF,sDAAsD;AACtD,MAAM,CAAC,IAAI,CACT,mBAAmB,EACnB,wJAAwJ,EACxJ;IACE,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,mBAAmB,CAAC;IAC9C,SAAS,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,SAAS,EAAE,OAAO,EAAE,KAAK,CAAC,CAAC,CAAC,QAAQ,CAAC,sBAAsB,CAAC;IACvF,MAAM,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,QAAQ,CAAC,uEAAuE,CAAC;CAC3I,EACD,KAAK,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,EAAE,EAAE,EAAE;IACpC,MAAM,KAAK,GAAI,UAAkB,CAAC,iBAA+C,CAAC;IAClF,MAAM,OAAO,GAAG,gBAAgB,CAAC,IAAI,EAAE,SAAS,EAAE,MAAM,EAAE,KAAK,CAAC,CAAC;IACjE,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,EAAE,CAAC;AACxD,CAAC,CACF,CAAC;AAEF,sDAAsD;AACtD,MAAM,CAAC,IAAI,CACT,cAAc,EACd,uIAAuI,EACvI;IACE,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,mBAAmB,CAAC;CAC/C,EACD,KAAK,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE;IACjB,MAAM,KAAK,GAAI,UAAkB,CAAC,iBAA+C,CAAC;IAClF,MAAM,OAAO,GAAG,WAAW,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;IACzC,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,EAAE,CAAC;AACxD,CAAC,CACF,CAAC;AAEF,mDAAmD;AACnD,MAAM,CAAC,IAAI,CACT,sBAAsB,EACtB,8KAA8K,EAC9K;IACE,QAAQ,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,CAAC,2EAA2E,CAAC;IACnH,MAAM,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,QAAQ,CAAC,uEAAuE,CAAC;CAC3I,EACD,KAAK,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE;IAC7B,MAAM,OAAO,GAAG,MAAM,kBAAkB,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;IAC3D,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,EAAE,CAAC;AACxD,CAAC,CACF,CAAC;AAEF,KAAK,UAAU,IAAI;IACjB,eAAe;IACf,MAAM,MAAM,GAAG,UAAU,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC;IACzC,MAAM,OAAO,GAAG,MAAM,eAAe,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,MAAM,CAAC,OAAO,CAAC,CAAC;IAErE,IAAI,OAAO,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC9B,OAAO,CAAC,KAAK,CAAC,sBAAsB,OAAO,CAAC,MAAM,CAAC,MAAM,eAAe,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACvG,CAAC;IACD,KAAK,MAAM,GAAG,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;QACjC,OAAO,CAAC,KAAK,CAAC,+BAA+B,GAAG,EAAE,CAAC,CA
AC;IACtD,CAAC;IAED,gCAAgC;IAChC,MAAM,QAAQ,GAAmB,CAAC,GAAG,YAAY,EAAE,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC;IAErE,wBAAwB;IACxB,KAAK,MAAM,IAAI,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;QACjC,MAAM,CAAC,IAAI,CACT,IAAI,CAAC,IAAI,EACT,IAAI,CAAC,WAAW,EAChB,IAAI,CAAC,MAAa,EAClB,KAAK,EAAE,KAAU,EAAE,EAAE;YACnB,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;YACzC,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,EAAE,CAAC;QAChE,CAAC,CACF,CAAC;IACJ,CAAC;IAED,uCAAuC;IACtC,UAAkB,CAAC,iBAAiB,GAAG,QAAQ,CAAC;IAEjD,MAAM,SAAS,GAAG,IAAI,oBAAoB,EAAE,CAAC;IAC7C,MAAM,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IAChC,OAAO,CAAC,KAAK,CAAC,gDAAgD,CAAC,CAAC;AAClE,CAAC;AAED,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE;IACrB,OAAO,CAAC,KAAK,CAAC,cAAc,EAAE,KAAK,CAAC,CAAC;IACrC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC,CAAC,CAAC"}
|
package/package.json
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "guardvibe",
|
|
3
|
-
"version": "0.
|
|
4
|
-
"description": "Security MCP for vibe coding.
|
|
3
|
+
"version": "0.10.0",
|
|
4
|
+
"description": "Security MCP for vibe coding. 149 rules for Next.js, React Native, Expo, Firebase, Supabase, Stripe, Clerk, Prisma, Vercel, and the full AI-generated web + mobile stack.",
|
|
5
5
|
"type": "module",
|
|
6
6
|
"bin": {
|
|
7
7
|
"guardvibe": "build/index.js",
|