guardvibe 1.8.10 → 1.9.0

package/build/cli.js

@@ -252,6 +252,8 @@ async function runDirectoryScan(targetPath, flags) {
     const { resolve } = await import("path");
     const format = flags.format ?? "markdown";
     const outputFile = flags.output ?? null;
+    const baselinePath = flags.baseline ?? null;
+    const saveBaseline = flags["save-baseline"] === true || typeof flags["save-baseline"] === "string";
     const scanPath = resolve(targetPath);
     let result;
     if (format === "sarif") {
@@ -259,7 +261,7 @@ async function runDirectoryScan(targetPath, flags) {
         result = exportSarif(scanPath);
     }
     else {
-        result = scanDirectory(scanPath, true, [], format === "json" ? "json" : "markdown");
+        result = scanDirectory(scanPath, true, [], format === "json" ? "json" : "markdown", undefined, baselinePath ?? undefined);
     }
     if (outputFile) {
         writeFileSync(outputFile, result, "utf-8");
@@ -268,12 +270,99 @@ async function runDirectoryScan(targetPath, flags) {
     else {
         console.log(result);
     }
+    // Auto-save baseline for future diff comparisons
+    if (saveBaseline && format === "json") {
+        const baselineFile = typeof flags["save-baseline"] === "string"
+            ? flags["save-baseline"]
+            : join(scanPath, ".guardvibe-baseline.json");
+        writeFileSync(baselineFile, result, "utf-8");
+        console.log(`  [OK] Baseline saved to ${baselineFile}`);
+    }
     if (format !== "sarif") {
         const hasBlocking = result.includes("[CRITICAL]") || result.includes("[HIGH]");
         if (hasBlocking)
             process.exit(1);
     }
 }
+async function runDiffScan(base, flags) {
+    const { execFileSync } = await import("child_process");
+    const { resolve, extname, basename } = await import("path");
+    const { analyzeCode } = await import("./tools/check-code.js");
+    const { EXTENSION_MAP, CONFIG_FILE_MAP } = await import("./utils/constants.js");
+    const format = flags.format ?? "markdown";
+    const outputFile = flags.output ?? null;
+    const root = resolve(".");
+    let changedFiles;
+    try {
+        const output = execFileSync("git", ["diff", "--name-only", "--diff-filter=ACMR", base], { cwd: root, encoding: "utf-8" });
+        changedFiles = output.trim().split("\n").filter(Boolean);
+    }
+    catch {
+        console.error("  [ERR] Failed to get git diff. Ensure you're in a git repository.");
+        process.exit(1);
+    }
+    if (changedFiles.length === 0) {
+        console.log("  No changed files to scan.");
+        return;
+    }
+    const allFindings = [];
+    for (const relPath of changedFiles) {
+        const fullPath = resolve(root, relPath);
+        if (!existsSync(fullPath))
+            continue;
+        const ext = extname(relPath).toLowerCase();
+        let language = EXTENSION_MAP[ext];
+        if (!language && basename(relPath).startsWith("Dockerfile"))
+            language = "dockerfile";
+        if (!language)
+            language = CONFIG_FILE_MAP[basename(relPath)];
+        if (!language)
+            continue;
+        try {
+            const content = readFileSync(fullPath, "utf-8");
+            const findings = analyzeCode(content, language, undefined, fullPath, root);
+            for (const f of findings) {
+                allFindings.push({ file: relPath, severity: f.rule.severity, name: f.rule.name, id: f.rule.id, line: f.line, fix: f.rule.fix });
+            }
+        }
+        catch { /* skip */ }
+    }
+    let result;
+    if (format === "json") {
+        const critical = allFindings.filter(f => f.severity === "critical").length;
+        const high = allFindings.filter(f => f.severity === "high").length;
+        const medium = allFindings.filter(f => f.severity === "medium").length;
+        result = JSON.stringify({
+            summary: { total: allFindings.length, critical, high, medium, changedFiles: changedFiles.length, blocked: critical > 0 || high > 0 },
+            findings: allFindings,
+        });
+    }
+    else {
+        const lines = [`# GuardVibe Diff Report`, ``, `Base: ${base}`, `Changed files: ${changedFiles.length}`, `Issues: ${allFindings.length}`, ``];
+        if (allFindings.length === 0) {
+            lines.push(`All changed files passed security checks.`);
+        }
+        else {
+            const sev = { critical: 0, high: 1, medium: 2, low: 3, info: 4 };
+            allFindings.sort((a, b) => (sev[a.severity] ?? 99) - (sev[b.severity] ?? 99));
+            for (const f of allFindings) {
+                lines.push(`- [${f.severity.toUpperCase()}] **${f.name}** (${f.id}) in ${f.file}:${f.line}`);
+                lines.push(`  Fix: ${f.fix}`);
+            }
+        }
+        result = lines.join("\n");
+    }
+    if (outputFile) {
+        writeFileSync(outputFile, result, "utf-8");
+        console.log(`  [OK] Results written to ${outputFile}`);
+    }
+    else {
+        console.log(result);
+    }
+    const hasBlocking = allFindings.some(f => f.severity === "critical" || f.severity === "high");
+    if (hasBlocking)
+        process.exit(1);
+}
 async function runFileCheck(filePath, flags) {
     const { checkCode } = await import("./tools/check-code.js");
     const { resolve, extname, basename } = await import("path");
@@ -319,6 +408,7 @@ function printUsage() {
 
   Commands:
     npx guardvibe scan [path]        Scan a directory for security issues
+    npx guardvibe diff [base]        Scan only changed files since a git ref
     npx guardvibe check <file>       Scan a single file for security issues
     npx guardvibe init <platform>    Setup MCP server configuration
     npx guardvibe hook install       Install pre-commit security hook
@@ -330,10 +420,12 @@ function printUsage() {
     npx guardvibe-scan --format sarif --output results.sarif
 
   Options:
-    --format <type>   Output format: markdown (default), json, sarif
-    --output <file>   Write results to file instead of stdout
-    --version, -V     Print version and exit
-    --help, -h        Show this help message
+    --format <type>       Output format: markdown (default), json, sarif
+    --output <file>       Write results to file instead of stdout
+    --baseline <file>     Compare against a previous scan JSON for fix tracking
+    --save-baseline       Save current scan as baseline (.guardvibe-baseline.json)
+    --version, -V         Print version and exit
+    --help, -h            Show this help message
 
   MCP Platforms:
     claude    Claude Code (.claude.json in project root)
@@ -349,6 +441,8 @@ function printUsage() {
     npx guardvibe scan .
     npx guardvibe scan ./src --format json
     npx guardvibe scan . --format sarif --output results.sarif
+    npx guardvibe scan . --format json --save-baseline
+    npx guardvibe scan . --baseline .guardvibe-baseline.json
     npx guardvibe check src/app/api/route.ts
     npx guardvibe check package.json
     npx guardvibe init claude
@@ -423,6 +517,12 @@ async function main() {
         const targetPath = positional[0] ?? ".";
         await runDirectoryScan(targetPath, flags);
     }
+    else if (command === "diff") {
+        const cliArgs = args.slice(1);
+        const { flags, positional } = parseArgs(cliArgs);
+        const base = positional[0] ?? "main";
+        await runDiffScan(base, flags);
+    }
     else if (command === "check") {
         const cliArgs = args.slice(1);
         const { flags, positional } = parseArgs(cliArgs);

package/build/data/rules/core.js

@@ -79,7 +79,7 @@ export const coreRules = [
         severity: "high",
         owasp: "A02:2025 Injection",
         description: "Setting innerHTML with dynamic content enables Cross-Site Scripting (XSS) attacks.",
-        pattern: /(?:innerHTML|outerHTML|dangerouslySetInnerHTML)\s*(?:=|:)\s*(?!['"]<)/gi,
+        pattern: /(?:innerHTML|outerHTML)\s*(?:=|:)\s*(?!['"]<)/gi,
         languages: ["javascript", "typescript", "html"],
         fix: "Use textContent instead of innerHTML. Sanitize with DOMPurify if HTML rendering is needed. In React, avoid dangerouslySetInnerHTML.",
         // fixCode: added via concatenation to avoid false-positive hook trigger on DOMPurify example

package/build/index.js

@@ -3,7 +3,7 @@ import { createRequire } from "module";
 import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
 import { z } from "zod";
-import { checkCode } from "./tools/check-code.js";
+import { checkCode, analyzeCode } from "./tools/check-code.js";
 const require = createRequire(import.meta.url);
 const pkg = require("../package.json");
 import { checkProject } from "./tools/check-project.js";
@@ -288,6 +288,107 @@ server.tool("explain_remediation", "Deep explanation of a security finding: why
     const results = explainRemediation(rule_id, code, format, rules);
     return { content: [{ type: "text", text: results }] };
 });
+// Tool 23: Quick file scan — designed for real-time integration
+server.tool("scan_file", "Scan a single file from disk for security vulnerabilities. Returns only findings (no boilerplate). Designed for real-time use: call this after editing a file to catch security issues immediately. Lightweight and fast — reads the file, detects language, and returns findings in JSON.", {
+    file_path: z.string().describe("Absolute or relative path to the file to scan"),
+    format: z.enum(["markdown", "json"]).default("json").describe("Output format"),
+}, async ({ file_path, format }) => {
+    const { readFileSync, existsSync } = await import("fs");
+    const { resolve, extname, basename, dirname } = await import("path");
+    const resolved = resolve(file_path);
+    if (!existsSync(resolved)) {
+        return { content: [{ type: "text", text: JSON.stringify({ error: `File not found: ${resolved}` }) }] };
+    }
+    const content = readFileSync(resolved, "utf-8");
+    const ext = extname(resolved).toLowerCase();
+    const { EXTENSION_MAP, CONFIG_FILE_MAP } = await import("./utils/constants.js");
+    let language = EXTENSION_MAP[ext];
+    if (!language && basename(resolved).startsWith("Dockerfile"))
+        language = "dockerfile";
+    if (!language)
+        language = CONFIG_FILE_MAP[basename(resolved)];
+    if (!language) {
+        return { content: [{ type: "text", text: format === "json" ? JSON.stringify({ summary: { total: 0 }, findings: [] }) : "Unsupported file type." }] };
+    }
+    const rules = getRules();
+    const result = checkCode(content, language, undefined, resolved, dirname(resolved), format, rules);
+    return { content: [{ type: "text", text: result }] };
+});
+// Tool 24: Scan changed files only — for incremental CI/CD and PR workflows
+server.tool("scan_changed_files", "Scan only files that have changed since a given git ref (branch, commit, or HEAD~N). Ideal for PR checks, pre-push hooks, and incremental CI. Returns findings only for modified/added files.", {
+    path: z.string().default(".").describe("Repository root path"),
+    base: z.string().default("HEAD~1").describe("Git ref to diff against (e.g. 'main', 'HEAD~3', commit SHA)"),
+    format: z.enum(["markdown", "json"]).default("markdown").describe("Output format"),
+}, async ({ path: repoPath, base, format }) => {
+    const { execFileSync } = await import("child_process");
+    const { readFileSync, existsSync } = await import("fs");
+    const { resolve, extname, basename } = await import("path");
+    const { EXTENSION_MAP, CONFIG_FILE_MAP } = await import("./utils/constants.js");
+    const root = resolve(repoPath);
+    let changedFiles;
+    try {
+        const output = execFileSync("git", ["diff", "--name-only", "--diff-filter=ACMR", base], { cwd: root, encoding: "utf-8" });
+        changedFiles = output.trim().split("\n").filter(Boolean);
+    }
+    catch {
+        return { content: [{ type: "text", text: format === "json" ? JSON.stringify({ error: "Failed to get git diff" }) : "Error: Failed to get git diff. Ensure you're in a git repository." }] };
+    }
+    if (changedFiles.length === 0) {
+        const empty = format === "json"
+            ? JSON.stringify({ summary: { total: 0, critical: 0, high: 0, medium: 0, low: 0, blocked: false }, findings: [] })
+            : "No changed files to scan.";
+        return { content: [{ type: "text", text: empty }] };
+    }
+    const rules = getRules();
+    const allFindings = [];
+    for (const relPath of changedFiles) {
+        const fullPath = resolve(root, relPath);
+        if (!existsSync(fullPath))
+            continue;
+        const ext = extname(relPath).toLowerCase();
+        let language = EXTENSION_MAP[ext];
+        if (!language && basename(relPath).startsWith("Dockerfile"))
+            language = "dockerfile";
+        if (!language)
+            language = CONFIG_FILE_MAP[basename(relPath)];
+        if (!language)
+            continue;
+        try {
+            const content = readFileSync(fullPath, "utf-8");
+            const findings = analyzeCode(content, language, undefined, fullPath, root, rules);
+            for (const f of findings) {
+                allFindings.push({
+                    file: relPath, id: f.rule.id, name: f.rule.name,
+                    severity: f.rule.severity, owasp: f.rule.owasp,
+                    line: f.line, match: f.match, fix: f.rule.fix, fixCode: f.rule.fixCode,
+                });
+            }
+        }
+        catch { /* skip unreadable files */ }
+    }
+    if (format === "json") {
+        const critical = allFindings.filter(f => f.severity === "critical").length;
+        const high = allFindings.filter(f => f.severity === "high").length;
+        const medium = allFindings.filter(f => f.severity === "medium").length;
+        return { content: [{ type: "text", text: JSON.stringify({
+                        summary: { total: allFindings.length, critical, high, medium, low: 0, blocked: critical > 0 || high > 0, changedFiles: changedFiles.length },
+                        findings: allFindings,
+                    }) }] };
+    }
+    // Markdown
+    const lines = [`# GuardVibe Changed Files Report`, ``, `Base: ${base}`, `Changed files: ${changedFiles.length}`, `Issues found: ${allFindings.length}`, ``];
+    if (allFindings.length === 0) {
+        lines.push(`All changed files passed security checks.`);
+    }
+    else {
+        const severityOrder = { critical: 0, high: 1, medium: 2, low: 3, info: 4 };
+        allFindings.sort((a, b) => (severityOrder[a.severity] ?? 99) - (severityOrder[b.severity] ?? 99));
+        for (const f of allFindings) {
+            lines.push(`- [${f.severity.toUpperCase()}] **${f.name}** (${f.id}) in \`${f.file}\`:${f.line} — ${f.fix}`);
+        }
+    }
+    return { content: [{ type: "text", text: lines.join("\n") }] };
+});
 export async function startMcpServer() {
     return main();
 }

package/build/tools/check-code.js

@@ -1,5 +1,6 @@
 import { owaspRules } from "../data/rules/index.js";
 import { loadConfig } from "../utils/config.js";
+import { loadIgnoreFile, isIgnored } from "../utils/ignore.js";
 function parseSuppressionsFromCode(lines) {
     const suppressions = [];
     const pattern = /(?:\/\/|#|<!--)\s*guardvibe-ignore(?:-next-line)?\s*(VG\d+)?\s*(?:-->)?/i;
@@ -57,6 +58,7 @@ function isHumanReadableString(lines, lineNumber) {
 }
 export function analyzeCode(code, language, framework, filePath, configDir, rules) {
     const config = loadConfig(configDir);
+    const ignoreEntries = loadIgnoreFile(configDir || process.cwd());
     const findings = [];
     const lines = code.split("\n");
     const suppressions = parseSuppressionsFromCode(lines);
@@ -67,12 +69,31 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
         // Config: skip disabled rules
         if (config.rules.disable.includes(rule.id))
             continue;
+        // .guardvibeignore: skip rules for matching file patterns
+        if (isIgnored(ignoreEntries, rule.id, filePath))
+            continue;
         // Skip CI/CD rules: when filePath is given, require .github/workflows path.
         // When no filePath (MCP call), allow if language is yaml.
         if (rule.id.startsWith("VG21") && filePath && !filePath.includes(".github/workflows"))
             continue;
         if (rule.id.startsWith("VG21") && !filePath && language !== "yaml")
             continue;
+        // Context-aware: skip auth rules for webhook routes that have signature verification
+        const isWebhookRoute = filePath && /webhook/i.test(filePath);
+        const hasSignatureVerification = isWebhookRoute && /(?:verify|signature|hmac|constructEvent|svix|webhookSecret|createHmac|X-Signature|stripe-signature)/i.test(code);
+        const authRuleIds = new Set(["VG420", "VG952", "VG002"]);
+        if (hasSignatureVerification && authRuleIds.has(rule.id))
+            continue;
+        // Context-aware: skip rate limiting rules for cron/scheduled routes
+        const isCronRoute = filePath && /(?:cron|scheduled|jobs?)\//i.test(filePath);
+        const rateLimitRuleIds = new Set(["VG956", "VG030"]);
+        if (isCronRoute && rateLimitRuleIds.has(rule.id))
+            continue;
+        // Context-aware: skip rate limiting rules for admin routes that have admin auth
+        const isAdminRoute = filePath && /\/admin\//i.test(filePath);
+        const hasAdminAuth = isAdminRoute && /(?:requireAdmin|adminOnly|orgRole|org:admin|isAdmin|checkRole|requireRole)/i.test(code);
+        if (hasAdminAuth && rateLimitRuleIds.has(rule.id))
+            continue;
         // Skip npm package rules (VG863/VG864/VG865): only apply to package.json files
         if ((rule.id === "VG863" || rule.id === "VG864" || rule.id === "VG865") && filePath && !filePath.endsWith("package.json"))
             continue;
@@ -94,9 +115,24 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
         }
         rule.pattern.lastIndex = 0;
         // Apply severity override from config
-        const effectiveRule = config.rules.severity[rule.id]
+        let effectiveRule = config.rules.severity[rule.id]
             ? { ...rule, severity: config.rules.severity[rule.id] }
             : rule;
+        // Context-aware severity: downgrade rate limiting/pagination issues in admin routes
+        // Admin routes behind requireAdmin have lower brute-force risk
+        if (isAdminRoute && hasAdminAuth) {
+            const downgradeInAdmin = new Set(["VG955"]); // pagination in admin is less critical
+            if (downgradeInAdmin.has(rule.id) && effectiveRule.severity === "medium") {
+                effectiveRule = { ...effectiveRule, severity: "low" };
+            }
+        }
+        // Context-aware severity: downgrade auth warnings in internal/cron routes
+        if (isCronRoute) {
+            const downgradeInCron = new Set(["VG420", "VG952"]); // cron routes don't need user auth
+            if (downgradeInCron.has(rule.id)) {
+                effectiveRule = { ...effectiveRule, severity: "low" };
+            }
+        }
         let match;
         while ((match = rule.pattern.exec(code)) !== null) {
             const beforeMatch = code.substring(0, match.index);
@@ -121,7 +157,82 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
             });
         }
     }
-    return findings;
+    // Deduplicate: if two rules match the same line, keep the more specific one.
+    // More specific = longer rule ID prefix match (e.g. VG408 nextjs > VG012 core)
+    // or framework-specific rule > generic rule on the same line.
+    const deduped = deduplicateFindings(findings);
+    return deduped;
+}
+/**
+ * Remove duplicate findings where two rules flag the same line for the same issue.
+ * Prefers framework-specific rules (VG4xx, VG9xx) over generic core rules (VG0xx).
+ */
+function deduplicateFindings(findings) {
+    // Group findings by line number
+    const byLine = new Map();
+    for (const f of findings) {
+        const group = byLine.get(f.line);
+        if (group)
+            group.push(f);
+        else
+            byLine.set(f.line, [f]);
+    }
+    const result = [];
+    for (const group of byLine.values()) {
+        if (group.length <= 1) {
+            result.push(...group);
+            continue;
+        }
+        // Check for overlapping rules on the same line
+        const kept = new Set();
+        for (let i = 0; i < group.length; i++) {
+            let dominated = false;
+            for (let j = 0; j < group.length; j++) {
+                if (i === j)
+                    continue;
+                if (isDuplicatePair(group[i], group[j])) {
+                    // Keep the more specific rule (higher rule ID prefix = more specific)
+                    if (isMoreSpecific(group[j], group[i])) {
+                        dominated = true;
+                        break;
+                    }
+                }
+            }
+            if (!dominated)
+                kept.add(i);
+        }
+        for (const idx of kept)
+            result.push(group[idx]);
+    }
+    return result;
+}
+/** Check if two findings on the same line are duplicates (same vulnerability class). */
+function isDuplicatePair(a, b) {
+    // Same rule name = same vulnerability
+    if (a.rule.name === b.rule.name)
+        return true;
+    // Both are XSS/innerHTML related — the core VG012+VG408 duplicate case
+    if (a.rule.name.includes("innerHTML") && b.rule.name.includes("innerHTML"))
+        return true;
+    if (a.rule.name.includes("XSS via innerHTML") && b.rule.name.includes("Unsafe innerHTML"))
+        return true;
+    if (a.rule.name.includes("Unsafe innerHTML") && b.rule.name.includes("XSS via innerHTML"))
+        return true;
+    return false;
+}
+/** Check if rule A is more specific than rule B (framework rules > core rules). */
+function isMoreSpecific(a, b) {
+    const prefixOrder = (id) => {
+        const num = parseInt(id.replace("VG", ""), 10);
+        if (num >= 400 && num < 500)
+            return 3; // nextjs-specific
+        if (num >= 900)
+            return 2; // api-security / cve
+        if (num >= 100)
+            return 1; // category-specific
+        return 0; // core rules VG0xx
+    };
+    return prefixOrder(a.rule.id) > prefixOrder(b.rule.id);
 }
 export function formatFindingsJson(findings, extra) {
     const critical = findings.filter(f => f.rule.severity === "critical").length;

package/build/tools/check-project.js

@@ -43,9 +43,10 @@ function detectLanguage(filePath) {
     return ext ? extensionMap[ext] ?? null : null;
 }
 function calculateScore(critical, high, medium, fileCount = 1) {
-    const weighted = critical * 10 + high * 3 + medium * 1;
+    // Calibrated: medium issues are informational (0.5 weight), high issues are real (5x), critical are severe (15x)
+    const weighted = critical * 15 + high * 5 + medium * 0.5;
     const density = weighted / Math.max(fileCount, 1);
-    return Math.max(0, Math.min(100, Math.round(100 - density * 20)));
+    return Math.max(0, Math.min(100, Math.round(100 - Math.min(density, 5) * 20)));
 }
 function scoreToGrade(score) {
     if (score >= 90)
@@ -102,21 +103,31 @@ export function checkProject(files, format = "markdown", rules) {
         if (totalMedium > 0)
             lines.push(`| Medium   | ${totalMedium}     |`);
         lines.push(``);
-        // Top issues sorted by severity
+        // Top 5 Action Items — grouped by rule, sorted by severity, with file counts
         const severityOrder = { critical: 0, high: 1, medium: 2, low: 3, info: 4 };
-        const allIssues = results.flatMap((r) => r.findings.map((f) => ({
-            severity: f.rule.severity,
-            order: severityOrder[f.rule.severity] ?? 99,
-            text: `[${f.rule.severity.toUpperCase()}] ${f.rule.name} in ${r.path} (${f.rule.id})`,
-        })));
-        allIssues.sort((a, b) => a.order - b.order);
-        if (allIssues.length > 0) {
-            lines.push(`## Top Issues`);
-            const topN = allIssues.slice(0, 10);
-            topN.forEach((issue, i) => {
-                lines.push(`${i + 1}. ${issue.text}`);
+        const ruleGroups = new Map();
+        for (const r of results) {
+            for (const f of r.findings) {
+                const existing = ruleGroups.get(f.rule.id);
+                if (existing) {
+                    existing.files.add(r.path);
+                    existing.count++;
+                }
+                else {
+                    ruleGroups.set(f.rule.id, { rule: f.rule, files: new Set([r.path]), count: 1 });
+                }
+            }
+        }
+        const actionItems = Array.from(ruleGroups.values())
+            .sort((a, b) => (severityOrder[a.rule.severity] ?? 99) - (severityOrder[b.rule.severity] ?? 99))
+            .slice(0, 5);
+        if (actionItems.length > 0) {
+            lines.push(`## Top 5 Action Items`, ``);
+            actionItems.forEach((item, i) => {
+                const fileCount = item.files.size;
+                const fileLabel = fileCount === 1 ? "1 file" : `${fileCount} files`;
+                lines.push(`${i + 1}. **[${item.rule.severity.toUpperCase()}] ${item.rule.name}** (${item.rule.id}) — ${item.count} occurrences in ${fileLabel}`, `   ${item.rule.fix}`, ``);
             });
-            lines.push(``);
         }
         lines.push(`---`, ``);
         // Per-file details

package/build/tools/scan-directory.js

@@ -98,13 +98,15 @@ export function scanDirectory(path, recursive = true, exclude = [], format = "ma
     const totalHigh = allFindings.filter(f => f.rule.severity === "high").length;
     const totalMedium = allFindings.filter(f => f.rule.severity === "medium").length;
     const totalIssues = totalCritical + totalHigh + totalMedium;
-    // Score based on weighted issue density (per file), not raw counts.
-    // This makes scoring fair for both small and large projects.
+    // Density-based scoring calibrated against real Next.js projects.
+    // A clean Next.js project with ~200 medium findings in ~800 files should score ~B.
+    // Critical issues have the most impact; medium issues are informational.
     const filesScanned = metadata.filesScanned || 1;
-    const weightedIssues = totalCritical * 10 + totalHigh * 3 + totalMedium * 1;
+    const weightedIssues = totalCritical * 15 + totalHigh * 5 + totalMedium * 0.5;
     const density = weightedIssues / filesScanned;
-    // density 0 = 100, density >= 5 = 0
-    const score = Math.max(0, Math.min(100, Math.round(100 - density * 20)));
+    // density 0 = 100, uses log scale so medium findings don't dominate
+    // density 0.5 ≈ 85 (B), density 2.0 ≈ 60 (C), density 5.0 ≈ 30 (D)
+    const score = Math.max(0, Math.min(100, Math.round(100 - Math.min(density, 5) * 20)));
     const grade = score >= 90 ? "A" : score >= 75 ? "B" : score >= 60 ? "C" : score >= 40 ? "D" : "F";
     // Baseline comparison
     let baselineDiff = null;
@@ -196,14 +198,31 @@ export function scanDirectory(path, recursive = true, exclude = [], format = "ma
         if (totalMedium > 0)
             lines.push(`| Medium   | ${totalMedium}     |`);
         lines.push(``);
+        // Top 5 Action Items — grouped by rule, sorted by severity, with file counts
         const severityOrder = { critical: 0, high: 1, medium: 2, low: 3, info: 4 };
-        const topIssues = scanResults.flatMap(r => r.findings.map(f => ({
-            text: `[${f.rule.severity.toUpperCase()}] ${f.rule.name} in ${r.path} (${f.rule.id})`,
-            order: severityOrder[f.rule.severity] ?? 99,
-        }))).sort((a, b) => a.order - b.order).slice(0, 10);
-        lines.push(`## Top Issues`);
-        topIssues.forEach((issue, i) => lines.push(`${i + 1}. ${issue.text}`));
-        lines.push(``, `---`, ``);
+        const ruleGroups = new Map();
+        for (const r of scanResults) {
+            for (const f of r.findings) {
+                const existing = ruleGroups.get(f.rule.id);
+                if (existing) {
+                    existing.files.add(r.path);
+                    existing.count++;
+                }
+                else {
+                    ruleGroups.set(f.rule.id, { rule: f.rule, files: new Set([r.path]), count: 1 });
+                }
+            }
+        }
+        const actionItems = Array.from(ruleGroups.values())
+            .sort((a, b) => (severityOrder[a.rule.severity] ?? 99) - (severityOrder[b.rule.severity] ?? 99))
+            .slice(0, 5);
+        lines.push(`## Top 5 Action Items`, ``);
+        actionItems.forEach((item, i) => {
+            const fileCount = item.files.size;
+            const fileLabel = fileCount === 1 ? "1 file" : `${fileCount} files`;
+            lines.push(`${i + 1}. **[${item.rule.severity.toUpperCase()}] ${item.rule.name}** (${item.rule.id}) — ${item.count} occurrences in ${fileLabel}`, `   ${item.rule.fix}`, ``);
+        });
+        lines.push(`---`, ``);
         for (const result of scanResults) {
             lines.push(`## File: ${result.path} (${result.findings.length} issues)`, ``);
             for (const f of result.findings) {

package/build/utils/ignore.d.ts

@@ -0,0 +1,10 @@
+export interface IgnoreEntry {
+    ruleId: string;
+    filePattern: string | null;
+}
+export declare function loadIgnoreFile(dir: string): IgnoreEntry[];
+/**
+ * Check if a rule should be ignored for a given file path.
+ */
+export declare function isIgnored(entries: IgnoreEntry[], ruleId: string, filePath?: string): boolean;
+export declare function resetIgnoreCache(): void;

package/build/utils/ignore.js

@@ -0,0 +1,101 @@
+// .guardvibeignore file support.
+//
+// Format (one entry per line):
+//   VG012                           — ignore VG012 in all files
+//   VG420:src/app/api/webhook/*     — ignore VG420 in webhook routes
+//   VG956:**/admin/**               — ignore VG956 in admin paths
+//   # comment lines
+//
+// Supports simple glob matching: * matches any segment, ** matches any depth.
+import { readFileSync } from "fs";
+import { join } from "path";
+let ignoreCache = new Map();
+export function loadIgnoreFile(dir) {
+    const cached = ignoreCache.get(dir);
+    if (cached)
+        return cached;
+    const ignorePath = join(dir, ".guardvibeignore");
+    let entries = [];
+    try {
+        const content = readFileSync(ignorePath, "utf-8");
+        const lines = content.split("\n");
+        for (const raw of lines) {
+            const line = raw.trim();
+            if (!line || line.startsWith("#"))
+                continue;
+            const colonIdx = line.indexOf(":");
+            if (colonIdx > 0 && line.startsWith("VG")) {
+                const ruleId = line.substring(0, colonIdx);
+                const filePattern = line.substring(colonIdx + 1).trim();
+                entries.push({ ruleId, filePattern: filePattern || null });
+            }
+            else if (line.startsWith("VG")) {
+                entries.push({ ruleId: line, filePattern: null });
+            }
+        }
+    }
+    catch {
+        // No .guardvibeignore file — that's fine
+    }
+    ignoreCache.set(dir, entries);
+    return entries;
+}
+/**
+ * Check if a rule should be ignored for a given file path.
+ */
+export function isIgnored(entries, ruleId, filePath) {
+    for (const entry of entries) {
+        if (entry.ruleId !== ruleId)
+            continue;
+        // No file pattern = ignore everywhere
+        if (!entry.filePattern)
+            return true;
+        // Match file pattern
+        if (filePath && matchGlob(entry.filePattern, filePath))
+            return true;
+    }
+    return false;
+}
+/**
+ * Simple glob matcher: * matches non-slash chars, ** matches anything including slashes.
+ */
+function matchGlob(pattern, path) {
+    // Normalize
+    const normalizedPath = path.replace(/\\/g, "/");
+    // Convert glob to regex
+    let regexStr = "";
+    let i = 0;
+    while (i < pattern.length) {
+        if (pattern[i] === "*" && pattern[i + 1] === "*") {
+            regexStr += ".*";
+            i += 2;
+            if (pattern[i] === "/")
+                i++; // skip trailing slash after **
+        }
+        else if (pattern[i] === "*") {
+            regexStr += "[^/]*";
+            i++;
+        }
+        else if (pattern[i] === "?") {
+            regexStr += "[^/]";
+            i++;
+        }
+        else if (".+^${}()|[]\\".includes(pattern[i])) {
+            regexStr += "\\" + pattern[i];
+            i++;
+        }
+        else {
+            regexStr += pattern[i];
+            i++;
+        }
+    }
+    try {
+        return new RegExp(regexStr).test(normalizedPath);
+    }
+    catch {
+        return false;
+    }
+}
+export function resetIgnoreCache() {
+    ignoreCache.clear();
+}

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "guardvibe",
-  "version": "1.8.10",
-  "description": "Security MCP for vibe coding. 277 rules, 22 tools for Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
+  "version": "1.9.0",
+  "description": "Security MCP for vibe coding. 277 rules, 24 tools for Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
   "type": "module",
   "bin": {
     "guardvibe": "build/cli.js",