guardvibe 1.8.2 → 1.8.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (4) hide show
  1. package/build/data/rules/deployment.js +1 -1
  2. package/build/tools/check-code.js +3 -0
  3. package/build/utils/constants.js +2 -0
  4. package/package.json +1 -1
package/build/data/rules/deployment.js CHANGED
@@ -55,7 +55,7 @@ export const deploymentRules = [
55
55
  severity: "critical",
56
56
  owasp: "A07:2025 Sensitive Data Exposure",
57
57
  description: "Secret or API key hardcoded in vercel.json. This file is committed to git.",
58
- pattern: /["'](?:SECRET|KEY|TOKEN|PASSWORD|CREDENTIAL)\w*["']\s*:\s*["'][A-Za-z0-9_\-]{12,}["']/gi,
58
+ pattern: /["'](?:\w+_(?:SECRET|KEY|TOKEN|PASSWORD|CREDENTIAL)|(?:SECRET|PASSWORD|CREDENTIAL)_?\w*)["']\s*:\s*["'][A-Za-z0-9_\-]{12,}["']/gi,
59
59
  languages: ["vercel-config", "json"],
60
60
  fix: "Use Vercel environment variables (vercel env add) instead of hardcoding in config files.",
61
61
  fixCode: '# Store secrets as Vercel env vars\nvercel env add SECRET_KEY production\n\n# Reference in code\nconst key = process.env.SECRET_KEY;',
package/build/tools/check-code.js CHANGED
@@ -73,6 +73,9 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
73
73
  continue;
74
74
  if (rule.id.startsWith("VG21") && !filePath && language !== "yaml")
75
75
  continue;
76
+ // Skip npm package rules (VG863/VG864/VG865): only apply to package.json files
77
+ if ((rule.id === "VG863" || rule.id === "VG864" || rule.id === "VG865") && filePath && !filePath.endsWith("package.json"))
78
+ continue;
76
79
  rule.pattern.lastIndex = 0;
77
80
  // Apply severity override from config
78
81
  const effectiveRule = config.rules.severity[rule.id]
package/build/utils/constants.js CHANGED
@@ -29,4 +29,6 @@ export const DEFAULT_EXCLUDES = new Set([
29
29
  "node_modules", ".git", "build", "dist", "vendor", "__pycache__",
30
30
  ".next", ".nuxt", ".svelte-kit", "target", "bin", "obj",
31
31
  "coverage", ".turbo", ".venv", "venv",
32
+ ".vercel", ".clerk", ".wrangler", ".netlify", ".amplify",
33
+ ".serverless", ".firebase", ".expo", ".output",
32
34
  ]);
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "guardvibe",
3
- "version": "1.8.2",
3
+ "version": "1.8.3",
4
4
  "description": "Security MCP for vibe coding. 277 rules, 22 tools for Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
5
5
  "type": "module",
6
6
  "bin": {