guardvibe 1.9.2 → 1.9.4

package/build/cli.js

@@ -110,6 +110,22 @@ function setupClaudeHooksAndGuide() {
         writeFileSync(claudeMdPath, `# Project Guidelines\n${guardvibeBlock}`, "utf-8");
         console.log(`  [OK] Created CLAUDE.md with GuardVibe guidance`);
     }
+    // Add generated files to .gitignore so they don't get committed
+    addToGitignore([".claude.json", ".claude/", "CLAUDE.md"]);
+}
+function addToGitignore(entries) {
+    const gitignorePath = join(process.cwd(), ".gitignore");
+    let content = "";
+    try {
+        content = readFileSync(gitignorePath, "utf-8");
+    }
+    catch { /* no .gitignore yet */ }
+    const missing = entries.filter(e => !content.split("\n").some(line => line.trim() === e));
+    if (missing.length === 0)
+        return;
+    const block = `\n# GuardVibe / Claude Code (auto-added by guardvibe init)\n${missing.join("\n")}\n`;
+    writeFileSync(gitignorePath, content.trimEnd() + block, "utf-8");
+    console.log(`  [OK] Added ${missing.join(", ")} to .gitignore`);
 }
 // ── Pre-commit hook ──────────────────────────────────────────────────
 const HOOK_SCRIPT = `#!/bin/sh
@@ -245,6 +261,36 @@ if (SCAN_SCRIPT_DETECTED) {
 else {
     main();
 }
+/**
+ * Check if scan results should cause a non-zero exit based on --fail-on flag.
+ * Default: "critical" — only exit 1 on critical findings.
+ * Options: "critical", "high", "medium", "low", "none"
+ */
+function shouldFail(result, failOn) {
+    if (failOn === "none")
+        return false;
+    const levels = {
+        low: ["critical", "high", "medium", "low"],
+        medium: ["critical", "high", "medium"],
+        high: ["critical", "high"],
+        critical: ["critical"],
+    };
+    const failLevels = levels[failOn] || levels.critical;
+    // Try JSON format first
+    try {
+        const parsed = JSON.parse(result);
+        if (parsed.summary) {
+            return failLevels.some(level => (parsed.summary[level] ?? 0) > 0);
+        }
+        if (parsed.findings) {
+            return parsed.findings.some((f) => failLevels.includes(f.severity));
+        }
+    }
+    catch { /* not JSON, try markdown tags */ }
+    // Markdown format: check for [SEVERITY] tags
+    const tags = failLevels.map(l => `[${l.toUpperCase()}]`);
+    return tags.some(tag => result.includes(tag));
+}
 function parseArgs(args) {
     const flags = {};
     const positional = [];
@@ -288,8 +334,8 @@ async function runScan() {
         console.log(result);
     }
     if (format !== "sarif") {
-        const hasBlocking = result.includes("[CRITICAL]") || result.includes("[HIGH]");
-        if (hasBlocking)
+        const failOn = flags["fail-on"] ?? "high";
+        if (shouldFail(result, failOn))
             process.exit(1);
     }
 }
@@ -325,8 +371,8 @@ async function runDirectoryScan(targetPath, flags) {
         console.log(`  [OK] Baseline saved to ${baselineFile}`);
     }
     if (format !== "sarif") {
-        const hasBlocking = result.includes("[CRITICAL]") || result.includes("[HIGH]");
-        if (hasBlocking)
+        const failOn = flags["fail-on"] ?? "critical";
+        if (shouldFail(result, failOn))
             process.exit(1);
     }
 }
@@ -405,9 +451,18 @@ async function runDiffScan(base, flags) {
     else {
         console.log(result);
     }
-    const hasBlocking = allFindings.some(f => f.severity === "critical" || f.severity === "high");
-    if (hasBlocking)
-        process.exit(1);
+    const failOn = flags["fail-on"] ?? "critical";
+    if (failOn !== "none") {
+        const failLevels = {
+            low: ["critical", "high", "medium", "low"],
+            medium: ["critical", "high", "medium"],
+            high: ["critical", "high"],
+            critical: ["critical"],
+        };
+        const levels = failLevels[failOn] || failLevels.critical;
+        if (allFindings.some(f => levels.includes(f.severity)))
+            process.exit(1);
+    }
 }
 async function runFileCheck(filePath, flags) {
     const { checkCode } = await import("./tools/check-code.js");
@@ -443,8 +498,8 @@ async function runFileCheck(filePath, flags) {
     else {
         console.log(result);
     }
-    const hasBlocking = result.includes("[CRITICAL]") || result.includes("[HIGH]");
-    if (hasBlocking)
+    const failOn = flags["fail-on"] ?? "critical";
+    if (shouldFail(result, failOn))
         process.exit(1);
 }
 // ── Main CLI ─────────────────────────────────────────────────────────
@@ -468,6 +523,8 @@ function printUsage() {
   Options:
     --format <type>       Output format: markdown (default), json, sarif
     --output <file>       Write results to file instead of stdout
+    --fail-on <level>     Exit 1 when findings at this level exist
+                          Options: critical (default), high, medium, low, none
     --baseline <file>     Compare against a previous scan JSON for fix tracking
     --save-baseline       Save current scan as baseline (.guardvibe-baseline.json)
     --version, -V         Print version and exit

package/build/data/rules/nextjs.js

@@ -180,4 +180,28 @@ export const nextjsRules = [
         fixCode: '<!-- EJS: use escaped output -->\n<p><%= userInput %></p>   <!-- SAFE: HTML-escaped -->\n<!-- NOT: <%- userInput %>  DANGEROUS: raw HTML -->\n\n<!-- Handlebars: use double braces -->\n<p>{{userInput}}</p>      <!-- SAFE: escaped -->\n<!-- NOT: {{{userInput}}}   DANGEROUS: raw HTML -->\n\n<!-- Pug: use = not != -->\np= userInput              //- SAFE: escaped\n//- NOT: p!= userInput    DANGEROUS: raw HTML',
         compliance: ["SOC2:CC7.1", "PCI-DSS:Req6.5.1"],
     },
+    {
+        id: "VG415",
+        name: "Cached Function Exposes User-Specific Data",
+        severity: "high",
+        owasp: "A01:2025 Broken Access Control",
+        description: "A function marked with 'use cache' accesses user-specific data (auth, session, cookies, headers) but caches the result. Cached data is shared across all users, leaking one user's data to others.",
+        pattern: /["']use cache["'][\s\S]{0,800}?(?:auth\s*\(|getServerSession|currentUser|getUser|cookies\s*\(|headers\s*\()/g,
+        languages: ["javascript", "typescript"],
+        fix: "Do not access user-specific data inside cached functions. Pass user-independent parameters only, or use cacheTag with user-specific tags.",
+        fixCode: '// BAD: caches user-specific data\n"use cache";\nasync function getData() {\n  const { userId } = await auth(); // WRONG in cached fn!\n  return db.items.findMany({ where: { userId } });\n}\n\n// GOOD: cache only shared data\n"use cache";\nasync function getPublicPosts() {\n  return db.posts.findMany({ where: { published: true } });\n}',
+        compliance: ["SOC2:CC6.1"],
+    },
+    {
+        id: "VG416",
+        name: "Cached Function Without Revalidation Strategy",
+        severity: "medium",
+        owasp: "A05:2025 Security Misconfiguration",
+        description: "A function marked with 'use cache' does not specify a cacheLife or cacheTag for revalidation. Without explicit revalidation, stale data may be served indefinitely, including outdated security-sensitive information.",
+        pattern: /["']use cache["'](?:(?!cacheLife|cacheTag|unstable_cache)[\s\S]){10,}?(?:return|export)/g,
+        languages: ["javascript", "typescript"],
+        fix: "Add cacheLife() or cacheTag() inside cached functions to control revalidation.",
+        fixCode: '"use cache";\nimport { cacheLife, cacheTag } from "next/cache";\n\nasync function getCachedData() {\n  cacheLife("hours");\n  cacheTag("data-feed");\n  return db.posts.findMany();\n}\n\n// Revalidate when data changes:\nimport { revalidateTag } from "next/cache";\nrevalidateTag("data-feed");',
+        compliance: ["SOC2:CC7.1"],
+    },
 ];

package/build/tools/check-code.js

@@ -47,23 +47,38 @@ function isInsideStringLiteral(lines, lineNumber, code, matchIndex) {
     const line = lines[lineNumber - 1];
     if (!line)
         return false;
-    const trimmed = line.trimStart();
-    // Line is part of a template literal or multi-line string
-    // Check if we're between backticks by counting unescaped backticks before this point
+    // 1. Template literal: count unescaped backticks before this point
     const before = code.substring(0, matchIndex);
     const backtickCount = (before.match(/(?<!\\)`/g) || []).length;
     if (backtickCount % 2 === 1)
-        return true; // inside template literal
-    // Line is a string property value (fixCode, description, fix, exploit, audit, fixCode)
-    // Look backwards to find if this line is inside a property assignment string
+        return true;
+    // 2. The match line itself is a string continuation (starts with quote + or ends with +quote)
+    const trimmed = line.trimStart();
+    if (/^["']/.test(trimmed) && /\+\s*$/.test(line))
+        return true; // "string" +
+    if (/^\s*\+\s*["']/.test(line))
+        return true; // + "string continuation"
+    // 3. Line contains escaped newlines (\n) suggesting it's inside a string value
+    const quotesBefore = line.substring(0, line.indexOf(trimmed.charAt(0)));
+    if (/\\n/.test(line) && /["'`].*\\n/.test(line)) {
+        // Extra check: is the match portion inside quotes on this line?
+        const matchEnd = matchIndex + 20; // approximate
+        const lineStart = code.lastIndexOf("\n", matchIndex) + 1;
+        const col = matchIndex - lineStart;
+        const beforeCol = line.substring(0, col);
+        const singleQuotes = (beforeCol.match(/(?<!\\)'/g) || []).length;
+        const doubleQuotes = (beforeCol.match(/(?<!\\)"/g) || []).length;
+        if (singleQuotes % 2 === 1 || doubleQuotes % 2 === 1)
+            return true;
+    }
+    // 4. Look backwards for property assignment context (fixCode, description, etc.)
     for (let i = lineNumber - 1; i >= Math.max(0, lineNumber - 20); i--) {
         const prev = lines[i]?.trimStart() || "";
-        // Property assignment with string value that likely spans lines
-        if (/^(?:fixCode|fix|description|exploit|audit|fixCode)\s*[:=]/.test(prev))
+        if (/^(?:fixCode|fix|description|exploit|audit)\s*[:=]/.test(prev))
             return true;
         if (/^(?:fixCode|fix|description|exploit|audit)\s*:\s*$/.test(prev))
             return true;
-        // Hit a rule boundary (id: "VG...) — stop looking
+        // Hit a rule boundary — stop looking
         if (/^\s*id\s*:\s*["']VG/.test(prev))
             break;
         if (/^\s*\{/.test(prev) && i < lineNumber - 2)
@@ -90,7 +105,32 @@ function isHumanReadableString(lines, lineNumber) {
         return true;
     return false;
 }
+/**
+ * Detect if a file is a security rule definition file.
+ * These files intentionally contain vulnerable code patterns
+ * as regex matchers and fixCode examples — scanning them is meaningless.
+ */
+function isRuleDefinitionFile(code, filePath) {
+    // Path-based: known rule definition directories
+    if (filePath && /(?:\/rules\/|\/data\/rules\/)/.test(filePath)) {
+        // Confirm it actually exports SecurityRule objects
+        if (/SecurityRule\s*\[\]/.test(code) && /id:\s*["']VG\d+["']/.test(code)) {
+            return true;
+        }
+    }
+    // Content-based: file defines multiple VG rules with pattern: regex
+    if (/id:\s*["']VG\d+["']/g.test(code) && /pattern:\s*\//.test(code)) {
+        const ruleCount = (code.match(/id:\s*["']VG\d+["']/g) || []).length;
+        if (ruleCount >= 3)
+            return true; // 3+ rule definitions = rule file
+    }
+    return false;
+}
 export function analyzeCode(code, language, framework, filePath, configDir, rules) {
+    // Skip files that are security rule definitions (they intentionally contain
+    // vulnerable code patterns as regex matchers and fixCode examples)
+    if (isRuleDefinitionFile(code, filePath))
+        return [];
     const config = loadConfig(configDir);
     const ignoreEntries = loadIgnoreFile(configDir || process.cwd());
     const findings = [];

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "guardvibe",
-  "version": "1.9.2",
+  "version": "1.9.4",
   "description": "Security MCP for vibe coding. 277 rules, 24 tools for Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
   "type": "module",
   "bin": {