guardvibe 2.3.9 → 2.4.1

package/build/cli.js

@@ -136,7 +136,7 @@ function setupClaudeGuide() {
                 matcher: "Edit|Write",
                 hooks: [{
                         type: "command",
-                        command: "jq -r '.tool_input.file_path' | xargs npx -y guardvibe check --format markdown 2>/dev/null || true"
+                        command: "jq -r '.tool_input.file_path' | xargs npx -y guardvibe check --format buddy 2>/dev/null || true"
                     }]
             }
         ];
@@ -560,7 +560,8 @@ async function runFileCheck(filePath, flags) {
         process.exit(1);
     }
     const format = flags.format ?? "markdown";
-    const result = checkCode(content, language, undefined, resolved, undefined, format === "json" ? "json" : "markdown");
+    const formatArg = format === "json" ? "json" : format === "buddy" ? "buddy" : "markdown";
+    const result = checkCode(content, language, undefined, resolved, undefined, formatArg);
     const outputFile = flags.output ?? null;
     if (outputFile) {
         writeFileSync(outputFile, result, "utf-8");
@@ -592,7 +593,7 @@ function printUsage() {
     npx guardvibe-scan --format sarif --output results.sarif
 
   Options:
-    --format <type>       Output format: markdown (default), json, sarif
+    --format <type>       Output format: markdown (default), json, sarif, buddy
     --output <file>       Write results to file instead of stdout
     --fail-on <level>     Exit 1 when findings at this level or above exist
                           critical (default) | high | medium | low | none

package/build/data/rules/database.js

@@ -123,4 +123,16 @@ export const databaseRules = [
         fixCode: '-- PostgreSQL: use SECURITY INVOKER\nCREATE OR REPLACE FUNCTION get_user_data(user_id uuid)\nRETURNS TABLE (id uuid, name text)\nLANGUAGE sql\nSECURITY INVOKER  -- respects RLS!\nAS $$\n  SELECT id, name FROM users WHERE id = user_id;\n$$;\n\n// TypeScript: call with anon key (not service role)\nconst { data } = await supabase.rpc("get_user_data", { user_id: userId });',
         compliance: ["SOC2:CC6.1"],
     },
+    {
+        id: "VG912",
+        name: "MongoDB NoSQL Injection via Query Operators",
+        severity: "high",
+        owasp: "A02:2025 Injection",
+        description: "MongoDB query operators ($where, $regex, $gt, $ne, $nin) used in database queries may be vulnerable to NoSQL injection if user input is passed directly without validation. Attackers can manipulate query logic to bypass authentication or extract data.",
+        pattern: /\.(find|findOne|updateOne|deleteOne|aggregate)\(\s*\{[^}]*(\$where|\$regex|\$gt|\$ne|\$nin)/g,
+        languages: ["javascript", "typescript"],
+        fix: "Validate and sanitize all user input before using it in MongoDB queries. Use a schema validation library (zod, joi) to ensure query parameters match expected types. Never pass raw request body directly to MongoDB queries.",
+        fixCode: 'import { z } from "zod";\n\n// Validate input before query\nconst schema = z.object({ id: z.string().regex(/^[a-f0-9]{24}$/) });\nconst { id } = schema.parse(req.body);\n\n// Safe query — no raw operators from user input\nconst user = await db.collection("users").findOne({ _id: new ObjectId(id) });',
+        compliance: ["SOC2:CC7.1", "PCI-DSS:Req6.5.1"],
+    },
 ];

package/build/data/rules/deployment.js

@@ -244,4 +244,16 @@ export const deploymentRules = [
         fixCode: '// Validate URL scheme\nfunction isSafeUrl(url: string): boolean {\n  try {\n    const parsed = new URL(url);\n    return ["https:", "http:"].includes(parsed.protocol);\n  } catch {\n    return false;\n  }\n}\n\n// Usage\n<img src={isSafeUrl(userUrl) ? userUrl : "/placeholder.png"} />',
         compliance: ["SOC2:CC7.1"],
     },
+    {
+        id: "VG911",
+        name: "Kubernetes Secret Hardcoded Value",
+        severity: "critical",
+        owasp: "A07:2025 Identification and Authentication Failures",
+        description: "Kubernetes Secret manifest contains hardcoded base64-encoded values in the data field. These secrets are only base64-encoded (not encrypted) and will be exposed in version control. Use External Secrets, Sealed Secrets, or a secrets manager instead.",
+        pattern: /kind:\s*Secret[\s\S]*?data:[\s\S]*?(?!\s*\{\{)[\w+/=]{8,}/g,
+        languages: ["yaml"],
+        fix: "Never commit Secret manifests with hardcoded values. Use External Secrets Operator, Sealed Secrets, or inject secrets via CI/CD pipeline. Store sensitive values in a secrets manager (Vault, AWS Secrets Manager, etc.).",
+        fixCode: '# Use External Secrets Operator\napiVersion: external-secrets.io/v1beta1\nkind: ExternalSecret\nmetadata:\n  name: my-secret\nspec:\n  refreshInterval: 1h\n  secretStoreRef:\n    name: vault-backend\n    kind: SecretStore\n  target:\n    name: my-secret\n  data:\n    - secretKey: password\n      remoteRef:\n        key: secret/data/myapp\n        property: password',
+        compliance: ["SOC2:CC6.1", "PCI-DSS:Req6.5.3", "HIPAA:§164.312(a)"],
+    },
 ];

package/build/data/rules/modern-stack.js

@@ -482,4 +482,16 @@ export const modernStackRules = [
         fixCode: 'import { randomUUID } from "crypto";\nimport path from "path";\n\n// Generate safe filename\nconst ext = path.extname(file.name).toLowerCase();\nconst ALLOWED_EXT = [".jpg", ".jpeg", ".png", ".webp", ".pdf"];\nif (!ALLOWED_EXT.includes(ext)) throw new Error("Invalid file type");\nconst safeName = `${randomUUID()}${ext}`;\nawait fs.writeFile(`/uploads/${safeName}`, buffer);',
         compliance: ["SOC2:CC7.1"],
     },
+    {
+        id: "VG910",
+        name: "Hono SSE Injection via streamSSE",
+        severity: "medium",
+        owasp: "A02:2025 Injection",
+        description: "Hono's streamSSE() sends Server-Sent Events to clients. If event, id, or retry fields contain unsanitized user input, attackers can inject CR/LF characters to forge SSE messages, hijack event streams, or trigger client-side actions. Related to CVE-2026-29085.",
+        pattern: /streamSSE\s*\(/g,
+        languages: ["javascript", "typescript"],
+        fix: "Sanitize all SSE field values by stripping CR/LF characters (\\r, \\n) before passing them to streamSSE. Never use raw user input in event, id, or retry fields.",
+        fixCode: '// Sanitize SSE fields\nfunction sanitizeSSE(value: string): string {\n  return value.replace(/[\\r\\n]/g, "");\n}\n\n// Usage with Hono streamSSE\nreturn streamSSE(c, async (stream) => {\n  await stream.writeSSE({\n    event: sanitizeSSE(eventName),\n    data: sanitizeSSE(data),\n    id: sanitizeSSE(id),\n  });\n});',
+        compliance: ["SOC2:CC7.1"],
+    },
 ];

package/build/tools/check-code.d.ts

@@ -6,4 +6,4 @@ export interface Finding {
 }
 export declare function analyzeCode(code: string, language: string, framework?: string, filePath?: string, configDir?: string, rules?: SecurityRule[]): Finding[];
 export declare function formatFindingsJson(findings: Finding[], extra?: Record<string, unknown>): string;
-export declare function checkCode(code: string, language: string, framework?: string, filePath?: string, configDir?: string, format?: "markdown" | "json", rules?: SecurityRule[]): string;
+export declare function checkCode(code: string, language: string, framework?: string, filePath?: string, configDir?: string, format?: "markdown" | "json" | "buddy", rules?: SecurityRule[]): string;

package/build/tools/check-code.js

@@ -1,3 +1,4 @@
+import { basename } from "path";
 import { owaspRules } from "../data/rules/index.js";
 import { loadConfig } from "../utils/config.js";
 import { loadIgnoreFile, isIgnored } from "../utils/ignore.js";
@@ -421,6 +422,9 @@ export function checkCode(code, language, framework, filePath, configDir, format
     if (format === "json") {
         return formatFindingsJson(findings);
     }
+    if (format === "buddy") {
+        return formatBuddyOutput(findings, filePath);
+    }
     if (findings.length === 0) {
         return formatCleanReport(language, framework);
     }
@@ -547,3 +551,49 @@ function formatReport(findings, language, framework) {
     }
     return lines.join("\n");
 }
+// ─── Buddy Format ────────────────────────────────────────────────
+function severityWeight(s) {
+    return s === "critical" ? 4 : s === "high" ? 3 : s === "medium" ? 2 : 1;
+}
+function formatBuddyOutput(findings, filePath) {
+    const counts = { critical: 0, high: 0, medium: 0, low: 0 };
+    for (const f of findings) {
+        const sev = f.rule.severity;
+        if (sev in counts)
+            counts[sev]++;
+    }
+    let score = 100;
+    score -= counts.critical * 15;
+    score -= counts.high * 8;
+    score -= counts.medium * 3;
+    score -= counts.low * 1;
+    score = Math.max(0, Math.min(100, score));
+    const grade = score >= 90 ? "A" : score >= 75 ? "B" : score >= 60 ? "C" : score >= 40 ? "D" : "F";
+    const faces = {
+        A: "\\[^_^]/",
+        B: " [^_^]b",
+        C: " [o_o] ",
+        D: " [>_<] ",
+        F: " [X_X]!",
+    };
+    const face = faces[grade] || faces.C;
+    const messages = {
+        A: ["All clear, captain!", "Fort Knox level!", "Zero issues. Nice!", "Secure & clean!"],
+        B: ["Looking good!", "Almost perfect!", "Solid work!", "Just minor things."],
+        C: ["Some issues here...", "Needs attention.", "Review recommended."],
+        D: ["Multiple issues!", "Fix these ASAP.", "Getting risky..."],
+        F: ["Red alert!", "Critical issues!", "Stop and fix now!", "Danger zone!"],
+    };
+    const pool = messages[grade] || messages.C;
+    const msg = pool[Math.floor(Math.random() * pool.length)];
+    if (findings.length === 0) {
+        return `🛡️ ${face} GuardVibe: ${grade} [${score}] ✓ ${msg}`;
+    }
+    const sorted = [...findings].sort((a, b) => severityWeight(b.rule.severity) - severityWeight(a.rule.severity));
+    const top = sorted[0];
+    const fileName = filePath ? basename(filePath) : "unknown";
+    const severityIcon = counts.critical > 0 ? "🚨" : counts.high > 0 ? "⚠" : "⚡";
+    const total = counts.critical + counts.high + counts.medium + counts.low;
+    const detail = `${total} issue${total > 1 ? "s" : ""} — ${top.rule.name} (${fileName}:${top.line})`;
+    return `🛡️ ${face} GuardVibe: ${grade} [${score}] ${severityIcon} ${detail} — ${msg}`;
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "guardvibe",
-  "version": "2.3.9",
+  "version": "2.4.1",
   "description": "Security MCP for vibe coding. 313 rules, 25 tools for Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
   "type": "module",
   "bin": {