guardvibe 2.9.0 → 2.9.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (4) hide show
  1. package/README.md +3 -3
  2. package/build/index.js +7 -7
  3. package/build/tools/compliance-report.js +9 -5
  4. package/package.json +1 -1
package/README.md CHANGED
@@ -177,8 +177,8 @@ Dockerfile security, GitHub Actions CI/CD, Terraform (S3, IAM, RDS, security gro
177
177
  ### Secrets & Environment
178
178
  API keys (AWS, GitHub, Stripe, OpenAI, Resend, Turso), .env management, .gitignore coverage, high-entropy detection, NEXT_PUBLIC exposure
179
179
 
180
- ### Compliance
181
- SOC2, PCI-DSS, HIPAA, GDPR, ISO27001, EU AI Act (EUAIACT) control mapping with compliance reports
180
+ ### Compliance Control Mapping
181
+ Maps security findings to SOC2, PCI-DSS, HIPAA, GDPR, ISO27001, and EU AI Act (EUAIACT) controls. Identifies which code-level vulnerabilities are relevant to specific compliance requirements. **Not a substitute for professional compliance audits.**
182
182
 
183
183
  ### Supply Chain
184
184
  Malicious postinstall scripts, unpinned GitHub Actions, typosquat detection
@@ -195,7 +195,7 @@ Malicious postinstall scripts, unpinned GitHub Actions, typosquat detection
195
195
  | `scan_secrets` | Detect leaked secrets, API keys, tokens |
196
196
  | `check_dependencies` | Check individual packages against OSV |
197
197
  | `check_package_health` | Typosquat detection, maintenance status, adoption metrics |
198
- | `compliance_report` | SOC2 / PCI-DSS / HIPAA / GDPR / ISO27001 / EU AI Act compliance mapping |
198
+ | `compliance_report` | Map security findings to compliance controls (SOC2, PCI-DSS, HIPAA, GDPR, ISO27001, EU AI Act) |
199
199
  | `export_sarif` | SARIF v2.1.0 export for CI/CD integration |
200
200
  | `get_security_docs` | Security best practices and guides |
201
201
  | `fix_code` | **Auto-fix suggestions** with concrete patches for AI agents |
package/build/index.js CHANGED
@@ -43,7 +43,7 @@ import { fixCode as fixCodeTool } from "./tools/fix-code.js";
43
43
  const server = new McpServer({
44
44
  name: "guardvibe",
45
45
  version: pkg.version,
46
- description: "Security MCP for vibe coding. 334 security rules and 31 tools covering OWASP, Next.js, Supabase, Stripe, Clerk, Prisma, Hono, AI SDK, MCP server security, and host environment hardening. Scans code, dependencies, secrets, configs, and git history. Generates compliance reports (SOC2, PCI-DSS, HIPAA, GDPR, ISO27001, EU AI Act). Runs 100% locally with zero configuration.",
46
+ description: "Security MCP for vibe coding. 334 security rules and 31 tools covering OWASP, Next.js, Supabase, Stripe, Clerk, Prisma, Hono, AI SDK, MCP server security, and host environment hardening. Scans code, dependencies, secrets, configs, and git history. Maps security findings to compliance controls (SOC2, PCI-DSS, HIPAA, GDPR, ISO27001, EU AI Act). Runs 100% locally with zero configuration. Note: GuardVibe is a security scanner, not a compliance auditor — it helps identify code-level issues relevant to compliance frameworks but does not replace professional compliance audits.",
47
47
  });
48
48
  // Tool 1: Analyze code for security vulnerabilities
49
49
  server.tool("check_code", "Analyze code for security vulnerabilities (OWASP Top 10, XSS, SQL injection, insecure patterns). Use this when reviewing or writing code to catch security issues early.", {
@@ -235,7 +235,7 @@ server.tool("scan_staged", "Scan git-staged files for security vulnerabilities b
235
235
  return { content: [{ type: "text", text: results + summary }] };
236
236
  });
237
237
  // Tool 9: Generate compliance-focused security report
238
- server.tool("compliance_report", "Generate a compliance-focused security report mapped to SOC2, PCI-DSS, HIPAA, GDPR, ISO27001, or EUAIACT (EU AI Act) controls. Scans a directory and groups findings by compliance control. Includes exploit scenarios and audit evidence for each finding. Use mode=executive for a C-level summary.", {
238
+ server.tool("compliance_report", "Map security scan findings to compliance framework controls (SOC2, PCI-DSS, HIPAA, GDPR, ISO27001, EUAIACT). Scans a directory and groups code-level security issues by the compliance control they relate to. Includes exploit scenarios and remediation evidence for each finding. Use mode=executive for a risk summary. Note: this maps code vulnerabilities to controls — it does not perform a compliance audit or replace professional assessment.", {
239
239
  path: z.string().describe("Directory to scan"),
240
240
  framework: z.enum(["SOC2", "PCI-DSS", "HIPAA", "GDPR", "ISO27001", "EUAIACT", "all"]).describe("Compliance framework"),
241
241
  format: z.enum(["markdown", "json"]).default("markdown").describe("Output format: markdown (human) or json (machine-readable for agents)"),
@@ -590,7 +590,7 @@ server.tool("security_workflow", "Get the recommended GuardVibe security workflo
590
590
  "pr_review",
591
591
  "new_project",
592
592
  "fix_vulnerabilities",
593
- "compliance_audit",
593
+ "compliance_mapping",
594
594
  "dependency_check",
595
595
  ]).describe("What you are currently doing"),
596
596
  }, async ({ task }) => {
@@ -642,11 +642,11 @@ server.tool("security_workflow", "Get the recommended GuardVibe security workflo
642
642
  ],
643
643
  },
644
644
  compliance_audit: {
645
- task: "compliance_audit",
646
- description: "Generate compliance reports for regulatory frameworks.",
645
+ task: "compliance_mapping",
646
+ description: "Map security findings to compliance framework controls. This identifies code-level issues relevant to specific controls — it does not replace professional compliance audits.",
647
647
  steps: [
648
- { tool: "compliance_report", params: { path: ".", framework: "<SOC2|PCI-DSS|HIPAA|GDPR|ISO27001|EUAIACT>", format: "json" }, purpose: "Generate compliance-mapped findings report." },
649
- { tool: "explain_remediation", params: { ruleId: "<id>" }, purpose: "Get audit evidence and fix strategies for each finding.", condition: "for each finding" },
648
+ { tool: "compliance_report", params: { path: ".", framework: "<SOC2|PCI-DSS|HIPAA|GDPR|ISO27001|EUAIACT>", format: "json" }, purpose: "Scan code and map findings to compliance controls." },
649
+ { tool: "explain_remediation", params: { ruleId: "<id>" }, purpose: "Get remediation guidance and fix strategies for each finding.", condition: "for each finding" },
650
650
  ],
651
651
  },
652
652
  dependency_check: {
package/build/tools/compliance-report.js CHANGED
@@ -77,16 +77,18 @@ export function complianceReport(path, framework, format = "markdown", rules, mo
77
77
  }
78
78
  // --- FULL MODE ---
79
79
  const lines = [
80
- `# GuardVibe Compliance Report`,
80
+ `# GuardVibe Compliance Control Mapping`,
81
+ ``,
82
+ `> This report maps code-level security findings to ${framework} controls. It identifies vulnerabilities relevant to compliance requirements but is not a substitute for professional compliance audits.`,
81
83
  ``,
82
84
  `Framework: ${framework}`,
83
85
  `Directory: ${scanRoot}`,
84
86
  `Files scanned: ${filePaths.length}`,
85
- `Compliance issues: ${relevant.length}`,
87
+ `Security issues mapped to controls: ${relevant.length}`,
86
88
  ``,
87
89
  ];
88
90
  if (controlMap.size === 0) {
89
- lines.push(`## No Compliance Issues`, ``, `No issues mapped to ${framework} controls were found.`);
91
+ lines.push(`## No Issues Found`, ``, `No code-level security issues mapped to ${framework} controls were found. This does not constitute a compliance certification.`);
90
92
  return lines.join("\n");
91
93
  }
92
94
  // Sort controls
@@ -120,7 +122,9 @@ function formatExecutiveSummary(framework, scanRoot, filesScanned, relevant, con
120
122
  const total = critical + high + medium;
121
123
  const riskLevel = critical > 0 ? "HIGH" : high > 0 ? "MEDIUM" : total > 0 ? "LOW" : "MINIMAL";
122
124
  const lines = [
123
- `# Executive Security Summary`,
125
+ `# Security Findings — ${framework} Control Mapping`,
126
+ ``,
127
+ `> Maps code-level security findings to ${framework} controls. Not a compliance audit or certification.`,
124
128
  ``,
125
129
  `**Framework:** ${framework} | **Date:** ${new Date().toISOString().split("T")[0]}`,
126
130
  `**Directory:** ${scanRoot}`,
@@ -167,7 +171,7 @@ function formatExecutiveSummary(framework, scanRoot, filesScanned, relevant, con
167
171
  }
168
172
  }
169
173
  // Compliance coverage
170
- lines.push(`## Compliance Coverage`, ``, `| Control | Status | Issues |`, `|---------|--------|--------|`);
174
+ lines.push(`## Controls with Findings`, ``, `| Control | Status | Issues |`, `|---------|--------|--------|`);
171
175
  const sortedControls = [...controlMap.entries()].sort((a, b) => a[0].localeCompare(b[0]));
172
176
  for (const [control, items] of sortedControls) {
173
177
  const hasCritical = items.some(i => i.finding.rule.severity === "critical");
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "guardvibe",
3
- "version": "2.9.0",
3
+ "version": "2.9.1",
4
4
  "mcpName": "io.github.goklab/guardvibe",
5
5
  "description": "Security MCP for vibe coding. 334 rules, 31 tools, CLI + doctor. Host security: CVE-2025-59536 hook injection, CVE-2026-21852 base URL hijack, MCP config audit, AI host hardening. Plus Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
6
6
  "type": "module",