guardvibe 1.9.5 → 2.0.0

package/build/cli.js

@@ -50,6 +50,9 @@ function setupPlatform(name) {
         }
         if (existing.mcpServers["guardvibe"]) {
             console.log(`  [OK] GuardVibe already configured in ${platform.description}`);
+            // Still ensure CLAUDE.md and .gitignore are set up
+            if (name === "claude")
+                setupClaudeHooksAndGuide();
             return true;
         }
         existing.mcpServers["guardvibe"] = GUARDVIBE_MCP_CONFIG;
@@ -225,9 +228,6 @@ jobs:
         with:
           node-version: "22"
 
-      - name: Install dependencies
-        run: npm ci
-
       - name: Run GuardVibe security scan
         run: npx -y guardvibe-scan --format sarif --output guardvibe-results.sarif
 

package/build/data/rules/api-security.js

@@ -33,7 +33,7 @@ export const apiSecurityRules = [
         severity: "high",
         owasp: "API2:2023 Broken Authentication",
         description: "Next.js Route Handler that performs data operations without any authentication check. API routes are publicly accessible by default.",
-        pattern: /export\s+(?:async\s+)?function\s+(?:GET|POST|PUT|DELETE|PATCH)\s*\([^)]*\)\s*\{(?:(?!auth\s*\(|getServerSession|currentUser|getUser|requireAuth|requireAdmin|requireRole|isAuthenticated|verifyToken|checkAuth|clerkClient|getToken|session|protect|withAuth)[\s\S]){10,}?(?:prisma|db|supabase|query|fetch|sql)\.\w+/g,
+        pattern: /export\s+(?:async\s+)?function\s+(?:GET|POST|PUT|DELETE|PATCH)\s*\([^)]*\)\s*\{(?:(?!auth\s*\(|getServerSession|currentUser|getUser|requireAuth|requireAdmin|requireRole|isAuthenticated|verifyToken|checkAuth|clerkClient|getToken|session|protect|withAuth|verifyAuth|checkPermission|assertAuth|ensureAuth|guardAuth|validateAuth|authorize|checkSession|verifySession|validateSession|ensureAuthenticated)[\s\S]){10,}?(?:prisma|db|supabase|query|fetch|sql)\.\w+/g,
         languages: ["javascript", "typescript"],
         fix: "Add authentication at the start of every Route Handler that reads or writes data.",
         fixCode: 'import { auth } from "@clerk/nextjs/server";\n\nexport async function GET() {\n  const { userId } = await auth();\n  if (!userId) return new Response("Unauthorized", { status: 401 });\n  // ... data access\n}',
@@ -96,7 +96,7 @@ export const apiSecurityRules = [
         severity: "high",
         owasp: "API5:2023 Broken Function Level Authorization",
         description: "Endpoint in /admin or /api/admin path performs operations without verifying admin role or permissions. Any authenticated user could access admin functionality.",
-        pattern: /(?:\/api\/admin|\/admin)[\s\S]*?export\s+(?:async\s+)?function\s+(?:GET|POST|PUT|DELETE|PATCH)\s*\([^)]*\)\s*\{(?:(?!role|isAdmin|orgRole|permission|requireAdmin|checkRole|adminOnly|org:admin)[\s\S]){10,}?(?:prisma|db|supabase|sql)\.\w+/g,
+        pattern: /(?:\/api\/admin|\/admin)[\s\S]*?export\s+(?:async\s+)?function\s+(?:GET|POST|PUT|DELETE|PATCH)\s*\([^)]*\)\s*\{(?:(?!role|isAdmin|orgRole|permission|requireAdmin|checkRole|adminOnly|org:admin|verifyAuth|checkPermission|assertAuth|ensureAuth|authorize)[\s\S]){10,}?(?:prisma|db|supabase|sql)\.\w+/g,
         languages: ["javascript", "typescript"],
         fix: "Always verify admin role/permissions in admin endpoints.",
         fixCode: 'const { userId, orgRole } = await auth();\nif (orgRole !== "org:admin") {\n  return new Response("Forbidden", { status: 403 });\n}',

package/build/data/rules/auth.js

@@ -6,7 +6,7 @@ export const authRules = [
         severity: "high",
         owasp: "A01:2025 Broken Access Control",
         description: "Route handler accesses database without authentication check. Anyone can call this endpoint.",
-        pattern: /export\s+(?:async\s+)?function\s+(?:GET|POST|PUT|DELETE|PATCH)\s*\([^)]*\)\s*\{(?:(?!auth\s*\(|getServerSession|currentUser|getUser|requireAuth|requireAdmin|isAuthenticated|verifyToken|checkAuth|protect)[\s\S])*?(?:prisma|db|supabase)\.\w+/g,
+        pattern: /export\s+(?:async\s+)?function\s+(?:GET|POST|PUT|DELETE|PATCH)\s*\([^)]*\)\s*\{(?:(?!auth\s*\(|getServerSession|currentUser|getUser|requireAuth|requireAdmin|isAuthenticated|verifyToken|checkAuth|protect|verifyAuth|checkPermission|assertAuth|ensureAuth|guardAuth|validateAuth|authorize|checkSession|verifySession|validateSession|ensureAuthenticated|withAuth)[\s\S])*?(?:prisma|db|supabase)\.\w+/g,
         languages: ["javascript", "typescript"],
         fix: "Add authentication check at the start of every route handler that accesses data.",
         fixCode: 'import { auth } from "@clerk/nextjs/server";\n\nexport async function GET() {\n  const { userId } = await auth();\n  if (!userId) return new Response("Unauthorized", { status: 401 });\n  const data = await db.query(...);\n}',
@@ -69,7 +69,7 @@ export const authRules = [
         severity: "high",
         owasp: "A01:2025 Broken Access Control",
         description: "Admin or dashboard route handler does not verify user role or permissions.",
-        pattern: /(?:\/admin|\/dashboard)[\s\S]*?export\s+(?:async\s+)?function\s+(?:GET|POST|PUT|DELETE|PATCH|default)\s*\([^)]*\)\s*\{(?:(?!role|permission|isAdmin|orgRole|checkRole|requireAdmin|requireRole|adminOnly)[\s\S])*?\}/g,
+        pattern: /(?:\/admin|\/dashboard)[\s\S]*?export\s+(?:async\s+)?function\s+(?:GET|POST|PUT|DELETE|PATCH|default)\s*\([^)]*\)\s*\{(?:(?!role|permission|isAdmin|orgRole|checkRole|requireAdmin|requireRole|adminOnly|verifyAuth|checkPermission|assertAuth|ensureAuth|authorize)[\s\S])*?\}/g,
         languages: ["javascript", "typescript"],
         fix: "Always verify user roles and permissions in admin routes.",
         fixCode: 'import { auth } from "@clerk/nextjs/server";\n\nexport async function GET() {\n  const { userId, orgRole } = await auth();\n  if (orgRole !== "org:admin") {\n    return new Response("Forbidden", { status: 403 });\n  }\n}',

package/build/data/rules/core.js

@@ -19,7 +19,7 @@ export const coreRules = [
         severity: "critical",
         owasp: "A01:2025 Broken Access Control",
         description: "Cloud provider API key or token pattern detected in source code (AWS, GitHub, OpenAI, Stripe).",
-        pattern: /(?:AKIA[0-9A-Z]{16}|(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9_]{36,}|sk-[A-Za-z0-9]{20,}|sk_live_[A-Za-z0-9]{5,}|rk_live_[A-Za-z0-9]{5,})/g,
+        pattern: /(?:AKIA[0-9A-Z]{16}|(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9_]{36,}|sk-(?:proj-)?[A-Za-z0-9\-_]{20,}|sk_live_[A-Za-z0-9]{5,}|rk_live_[A-Za-z0-9]{5,})/g,
         languages: ["javascript", "typescript", "python", "go", "html", "shell"],
         fix: "Remove hardcoded keys immediately. Use environment variables or a secrets manager (AWS Secrets Manager, Vault). Rotate any compromised keys.",
         fixCode: "// Store keys in environment variables\nconst awsKey = process.env.AWS_ACCESS_KEY_ID;\nconst githubToken = process.env.GITHUB_TOKEN;",
@@ -386,4 +386,52 @@ export const coreRules = [
         fixCode: '// BAD: user input in event handler\n// `<img onerror="${userInput}">`\n\n// GOOD: use addEventListener\nconst img = document.createElement("img");\nimg.addEventListener("error", () => handleError(sanitizedInput));',
         compliance: ["SOC2:CC7.1"],
     },
+    {
+        id: "VG111",
+        name: "SSRF via User-Controlled URL",
+        severity: "high",
+        owasp: "A10:2025 Server-Side Request Forgery",
+        description: "User-controlled input is passed directly to fetch(), axios, or http.request() as the URL. Attackers can make the server request internal services (169.254.169.254 for cloud metadata, localhost admin panels, internal APIs) leading to data exfiltration or remote code execution.",
+        pattern: /(?:fetch|axios\.(?:get|post|put|delete|patch|request)|got(?:\.(?:get|post|put|delete|patch))?|request|http\.(?:get|request)|https\.(?:get|request)|urllib\.request\.urlopen)\s*\(\s*(?:url|uri|href|endpoint|target|destination|webhook[Uu]rl|callback[Uu]rl|redirect[Uu]rl|image[Uu]rl|proxy[Uu]rl|api[Uu]rl|base[Uu]rl|link|src|source|remoteUrl|externalUrl|userUrl|inputUrl|requestUrl)\b/gi,
+        languages: ["javascript", "typescript", "python"],
+        fix: "Validate URLs against an allowlist of trusted domains. Block private/internal IP ranges (10.x, 172.16-31.x, 192.168.x, 127.x, 169.254.x, ::1). Use a URL parser to check the hostname before making the request.",
+        fixCode: '// Validate URL before fetching\nconst ALLOWED_HOSTS = ["api.example.com", "cdn.example.com"];\nconst parsed = new URL(userUrl);\nif (!ALLOWED_HOSTS.includes(parsed.hostname)) {\n  throw new Error("Blocked: untrusted host");\n}\n// Also block private IPs\nconst ip = await dns.resolve(parsed.hostname);\nif (isPrivateIP(ip)) throw new Error("Blocked: internal host");\nawait fetch(parsed.href);',
+        compliance: ["SOC2:CC7.1", "PCI-DSS:Req6.5.1"],
+    },
+    {
+        id: "VG112",
+        name: "XSS via insertAdjacentHTML",
+        severity: "high",
+        owasp: "A02:2025 Injection",
+        description: "insertAdjacentHTML() renders raw HTML strings into the DOM without sanitization, enabling Cross-Site Scripting (XSS). Unlike textContent, this method parses and executes HTML including script tags and event handlers.",
+        pattern: /\.insertAdjacentHTML\s*\(\s*["'](?:beforebegin|afterbegin|beforeend|afterend)["']\s*,/gi,
+        languages: ["javascript", "typescript"],
+        fix: "Use textContent or innerText for plain text. If HTML is needed, sanitize with DOMPurify first.",
+        fixCode: '// BAD: XSS risk\nel.insertAdjacentHTML("beforeend", userInput);\n\n// GOOD: plain text\nel.insertAdjacentText("beforeend", userInput);\n\n// GOOD: sanitized HTML\nimport DOMPurify from "dompurify";\nel.insertAdjacentHTML("beforeend", DOMPurify.sanitize(userInput));',
+        compliance: ["SOC2:CC7.1", "PCI-DSS:Req6.5.7"],
+    },
+    {
+        id: "VG113",
+        name: "XSS/SSRF via XMLHttpRequest",
+        severity: "high",
+        owasp: "A02:2025 Injection",
+        description: "XMLHttpRequest.open() is called with a user-controlled URL. This can lead to SSRF (server-side) or data exfiltration (client-side) if the URL is not validated.",
+        pattern: /\.open\s*\(\s*["'](?:GET|POST|PUT|DELETE|PATCH)["']\s*,\s*(?:url|uri|href|endpoint|target|userUrl|inputUrl|src)\b/gi,
+        languages: ["javascript", "typescript"],
+        fix: "Validate the URL against an allowlist before passing to XMLHttpRequest.open(). Prefer fetch() with URL validation over raw XHR.",
+        fixCode: '// Validate URL before XHR\nconst allowed = ["https://api.example.com"];\nconst parsed = new URL(userUrl);\nif (!allowed.some(a => userUrl.startsWith(a))) throw new Error("Blocked");\nxhr.open("GET", parsed.href);',
+        compliance: ["SOC2:CC7.1"],
+    },
+    {
+        id: "VG114",
+        name: "SQL Injection via Template Literal",
+        severity: "critical",
+        owasp: "A02:2025 Injection",
+        description: "SQL query constructed using JavaScript template literals with interpolated variables. Template literal SQL is just as dangerous as string concatenation — any user-controlled value can break out of the SQL context and inject arbitrary queries.",
+        pattern: /(?:query|execute|raw|sql|prepare|QueryRow|QueryContext|db\.run|db\.all|db\.get|connection\.query)\s*\(\s*`[^`]*\$\{/gi,
+        languages: ["javascript", "typescript"],
+        fix: "Use parameterized queries. For tagged template literals (e.g. Prisma sql``, Drizzle sql``), the tagged version IS safe — only raw template literals passed to query() are dangerous.",
+        fixCode: '// BAD: template literal SQL\ndb.query(`SELECT * FROM users WHERE id = \'${userId}\'`);\n\n// GOOD: parameterized query\ndb.query("SELECT * FROM users WHERE id = $1", [userId]);\n\n// ALSO SAFE: tagged template literal (Prisma/Drizzle)\nimport { sql } from "drizzle-orm";\ndb.execute(sql`SELECT * FROM users WHERE id = ${userId}`);',
+        compliance: ["SOC2:CC7.1", "PCI-DSS:Req6.5.1"],
+    },
 ];

package/build/data/rules/nextjs.js

@@ -30,7 +30,7 @@ export const nextjsRules = [
         severity: "critical",
         owasp: "A01:2025 Broken Access Control",
         description: "Server Action performs data mutations without verifying user authentication. Anyone can invoke Server Actions directly via POST request.",
-        pattern: /["']use server["'][\s\S]{0,500}?export\s+async\s+function\s+\w+\s*\([^)]*\)\s*\{(?![\s\S]{0,800}?(?:auth\s*\(|getServerSession|currentUser|getUser|requireAuth|clerkClient))/g,
+        pattern: /["']use server["'][\s\S]{0,500}?export\s+async\s+function\s+\w+\s*\([^)]*\)\s*\{(?![\s\S]{0,800}?(?:auth\s*\(|getServerSession|currentUser|getUser|requireAuth|requireAdmin|clerkClient|verifyAuth|checkPermission|assertAuth|ensureAuth|authorize|withAuth))/g,
         languages: ["javascript", "typescript"],
         fix: "Always verify authentication at the start of every Server Action.",
         fixCode: '"use server";\nimport { auth } from "@clerk/nextjs/server";\n\nexport async function deleteItem(id: string) {\n  const { userId } = await auth();\n  if (!userId) throw new Error("Unauthorized");\n}',
@@ -114,7 +114,7 @@ export const nextjsRules = [
         severity: "medium",
         owasp: "A01:2025 Broken Access Control",
         description: "redirect() or NextResponse.redirect() uses user-controlled input (searchParams, query) which can redirect users to malicious sites.",
-        pattern: /redirect\s*\(\s*(?:searchParams|params|req\.query|request\.url|url|query)\s*[\.\[]/g,
+        pattern: /(?:redirect|NextResponse\.redirect|res\.redirect|Response\.redirect)\s*\(\s*(?:searchParams|params|req\.query|request\.url|url|query|returnTo|callbackUrl|next|goto|returnUrl|redirectUrl|destination)\b/gi,
         languages: ["javascript", "typescript"],
         fix: "Validate redirect URLs against an allowlist of trusted domains.",
         fixCode: '// Validate redirect URL\nconst ALLOWED_HOSTS = ["example.com"];\nconst target = searchParams.get("next") ?? "/";\ntry {\n  const url = new URL(target, request.url);\n  if (!ALLOWED_HOSTS.includes(url.hostname)) redirect("/");\n  redirect(url.pathname);\n} catch {\n  redirect("/");\n}',

package/build/tools/check-code.js

@@ -169,7 +169,7 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
             continue;
         // Context-aware: skip rate limiting rules for admin routes that have admin auth
         const isAdminRoute = filePath && /\/admin\//i.test(filePath);
-        const hasAdminAuth = isAdminRoute && /(?:requireAdmin|adminOnly|orgRole|org:admin|isAdmin|checkRole|requireRole)/i.test(code);
+        const hasAdminAuth = isAdminRoute && /(?:requireAdmin|adminOnly|orgRole|org:admin|isAdmin|checkRole|requireRole|verifyAuth|checkPermission|assertAuth|ensureAuth|authorize)/i.test(code);
         if (hasAdminAuth && rateLimitRuleIds.has(rule.id))
             continue;
         // Skip npm package rules (VG863/VG864/VG865): only apply to package.json files
@@ -344,6 +344,7 @@ export function formatFindingsJson(findings, extra) {
     return JSON.stringify({
         summary: {
             total: findings.length, critical, high, medium, low,
+            // blocked: true when critical or high findings exist (would fail --fail-on high)
             blocked: critical > 0 || high > 0,
             ...extra,
         },
@@ -366,19 +367,68 @@ export function checkCode(code, language, framework, filePath, configDir, format
 }
 function formatCleanReport(language, framework) {
     const ctx = framework ? ` (${framework})` : "";
+    const tips = getLanguageTips(language, framework);
     return [
         `# GuardVibe Security Report`,
         ``,
         `**Language:** ${language}${ctx}`,
         `**Status:** No security issues detected`,
         ``,
-        `The code looks clean! Here are some general tips:`,
-        `- Keep dependencies updated (\`npm audit\`)`,
-        `- Validate all user input with schemas (zod, joi)`,
-        `- Use environment variables for secrets`,
-        `- Add rate limiting to API endpoints`,
+        `Tips for ${language}${ctx}:`,
+        ...tips.map(t => `- ${t}`),
     ].join("\n");
 }
+function getLanguageTips(language, framework) {
+    if (framework === "nextjs" || framework === "next")
+        return [
+            "Use `server-only` imports in files with secrets or DB access",
+            "Validate Server Action inputs with zod schemas",
+            "Set `serverActions.allowedOrigins` in next.config",
+            "Add security headers via `headers()` in next.config",
+        ];
+    if (framework === "express" || framework === "fastify" || framework === "hono")
+        return [
+            "Add rate limiting middleware to auth and write endpoints",
+            "Use helmet() for security headers",
+            "Validate request body with zod or joi before processing",
+            "Never reflect user input in error responses",
+        ];
+    if (language === "python")
+        return [
+            "Use parameterized queries — never f-strings in SQL",
+            "Add `Depends(get_current_user)` to protected routes",
+            "Pin dependency versions in requirements.txt",
+            "Use `secrets.compare_digest()` for token comparison",
+        ];
+    if (language === "sql")
+        return [
+            "Use `SECURITY INVOKER` on views to respect RLS",
+            "Avoid `GRANT ALL` — use least-privilege permissions",
+            "Add `IF EXISTS` to destructive DDL for safety",
+            "Use parameterized queries in application code",
+        ];
+    if (language === "dockerfile")
+        return [
+            "Use specific image tags, never `latest`",
+            "Run as non-root user with `USER` directive",
+            "Use multi-stage builds to minimize attack surface",
+            "Don't copy `.env` or secrets into the image",
+        ];
+    if (language === "yaml" || language === "terraform")
+        return [
+            "Never hardcode secrets in config — use env vars or secrets manager",
+            "Pin action/provider versions to specific SHA or tag",
+            "Use least-privilege IAM policies",
+            "Enable audit logging for infrastructure changes",
+        ];
+    // Default for JS/TS
+    return [
+        "Keep dependencies updated (`npm audit`)",
+        "Validate all user input with schemas (zod, joi)",
+        "Use environment variables for secrets",
+        "Use `textContent` instead of `innerHTML` for user data",
+    ];
+}
 function formatReport(findings, language, framework) {
     const ctx = framework ? ` (${framework})` : "";
     // Severity ordering

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "guardvibe",
-  "version": "1.9.5",
+  "version": "2.0.0",
   "description": "Security MCP for vibe coding. 277 rules, 24 tools for Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
   "type": "module",
   "bin": {