guardvibe 2.9.9 → 3.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
|
@@ -1,10 +1,11 @@
|
|
|
1
1
|
export interface SecretFinding {
|
|
2
2
|
provider: string;
|
|
3
|
-
severity: "critical" | "high" | "medium";
|
|
3
|
+
severity: "critical" | "high" | "medium" | "low";
|
|
4
4
|
file: string;
|
|
5
5
|
line: number;
|
|
6
6
|
match: string;
|
|
7
7
|
fix: string;
|
|
8
|
+
gitStatus?: "ignored" | "tracked" | "unknown";
|
|
8
9
|
}
|
|
9
10
|
export declare function scanContent(content: string, filename: string): SecretFinding[];
|
|
10
11
|
export declare function scanSecrets(path: string, recursive?: boolean, format?: "markdown" | "json"): string;
|
|
@@ -1,5 +1,6 @@
|
|
|
1
1
|
import { existsSync, readdirSync, readFileSync, statSync } from "fs";
|
|
2
2
|
import { basename, dirname, extname, join, relative, resolve } from "path";
|
|
3
|
+
import { execFileSync } from "child_process";
|
|
3
4
|
import { secretPatterns, calculateEntropy } from "../data/secret-patterns.js";
|
|
4
5
|
import { loadConfig } from "../utils/config.js";
|
|
5
6
|
const DEFAULT_SECRET_EXCLUDES = new Set(["node_modules", ".git", "build", "dist"]);
|
|
@@ -125,6 +126,29 @@ function isEnvCoveredByGitignore(envFile, gitignoreEntries) {
|
|
|
125
126
|
content.includes(".env"));
|
|
126
127
|
});
|
|
127
128
|
}
|
|
129
|
+
/**
|
|
130
|
+
* Check if a file is ignored by git (in .gitignore) and not tracked.
|
|
131
|
+
* Returns: "ignored" (safe), "tracked" (dangerous - committed secret), "unknown" (no git)
|
|
132
|
+
*/
|
|
133
|
+
function getGitProtectionStatus(filePath, gitRoot) {
|
|
134
|
+
if (!gitRoot)
|
|
135
|
+
return "unknown";
|
|
136
|
+
try {
|
|
137
|
+
// git check-ignore returns 0 if ignored, 1 if not ignored
|
|
138
|
+
execFileSync("git", ["check-ignore", "-q", filePath], { cwd: gitRoot, stdio: "pipe" });
|
|
139
|
+
return "ignored";
|
|
140
|
+
}
|
|
141
|
+
catch {
|
|
142
|
+
// Not ignored — check if it's actually tracked (committed)
|
|
143
|
+
try {
|
|
144
|
+
const result = execFileSync("git", ["ls-files", filePath], { cwd: gitRoot, encoding: "utf-8" });
|
|
145
|
+
return result.trim().length > 0 ? "tracked" : "ignored"; // untracked + not ignored = safe-ish
|
|
146
|
+
}
|
|
147
|
+
catch {
|
|
148
|
+
return "unknown";
|
|
149
|
+
}
|
|
150
|
+
}
|
|
151
|
+
}
|
|
128
152
|
export function scanSecrets(path, recursive = true, format = "markdown") {
|
|
129
153
|
const targetPath = resolve(path);
|
|
130
154
|
const filePaths = [];
|
|
@@ -158,6 +182,25 @@ export function scanSecrets(path, recursive = true, format = "markdown") {
|
|
|
158
182
|
// Skip unreadable files.
|
|
159
183
|
}
|
|
160
184
|
}
|
|
185
|
+
// Enrich findings with git protection status
|
|
186
|
+
const gitRoot = findGitRoot(scanRoot);
|
|
187
|
+
const gitStatusCache = new Map();
|
|
188
|
+
for (const finding of allFindings) {
|
|
189
|
+
let status = gitStatusCache.get(finding.file);
|
|
190
|
+
if (status === undefined) {
|
|
191
|
+
status = getGitProtectionStatus(finding.file, gitRoot);
|
|
192
|
+
gitStatusCache.set(finding.file, status);
|
|
193
|
+
}
|
|
194
|
+
finding.gitStatus = status;
|
|
195
|
+
if (status === "ignored") {
|
|
196
|
+
// File is in .gitignore — secrets are local-only, not exposed
|
|
197
|
+
if (finding.severity === "critical")
|
|
198
|
+
finding.severity = "low";
|
|
199
|
+
else if (finding.severity === "high")
|
|
200
|
+
finding.severity = "low";
|
|
201
|
+
finding.fix = `✅ Protected: this file is in .gitignore and not committed to git. ${finding.fix.replace(/Rotate.*?\.|acilen.*?\./i, "").trim()}`;
|
|
202
|
+
}
|
|
203
|
+
}
|
|
161
204
|
const envFiles = uniquePaths.filter((filePath) => basename(filePath).startsWith(".env"));
|
|
162
205
|
for (const envFile of envFiles) {
|
|
163
206
|
const gitignoreEntries = collectGitignoreEntries(dirname(envFile));
|
|
@@ -171,6 +214,7 @@ export function scanSecrets(path, recursive = true, format = "markdown") {
|
|
|
171
214
|
line: 0,
|
|
172
215
|
match: `${envName} is not listed in .gitignore`,
|
|
173
216
|
fix: `Add '${envName}' or '.env*' to .gitignore immediately.`,
|
|
217
|
+
gitStatus: "tracked",
|
|
174
218
|
});
|
|
175
219
|
}
|
|
176
220
|
if (format === "json") {
|
|
@@ -179,7 +223,7 @@ export function scanSecrets(path, recursive = true, format = "markdown") {
|
|
|
179
223
|
const medCount = allFindings.length - critCount - highCount;
|
|
180
224
|
return JSON.stringify({
|
|
181
225
|
summary: { total: allFindings.length, critical: critCount, high: highCount, medium: medCount, blocked: critCount > 0 || highCount > 0 },
|
|
182
|
-
findings: allFindings.map(f => ({ provider: f.provider, severity: f.severity, file: f.file, line: f.line, match: f.match, fix: f.fix })),
|
|
226
|
+
findings: allFindings.map(f => ({ provider: f.provider, severity: f.severity, file: f.file, line: f.line, match: f.match, fix: f.fix, gitStatus: f.gitStatus })),
|
|
183
227
|
});
|
|
184
228
|
}
|
|
185
229
|
const lines = [
|
|
@@ -195,7 +239,37 @@ export function scanSecrets(path, recursive = true, format = "markdown") {
|
|
|
195
239
|
lines.push("", "---", "", "## Findings", "");
|
|
196
240
|
const order = { critical: 0, high: 1, medium: 2 };
|
|
197
241
|
allFindings.sort((left, right) => order[left.severity] - order[right.severity]);
|
|
198
|
-
|
|
242
|
+
// Group findings by git status for clearer output
|
|
243
|
+
const tracked = allFindings.filter(f => f.gitStatus === "tracked");
|
|
244
|
+
const ignored = allFindings.filter(f => f.gitStatus === "ignored");
|
|
245
|
+
const unknown = allFindings.filter(f => f.gitStatus === "unknown");
|
|
246
|
+
if (tracked.length > 0) {
|
|
247
|
+
lines.push("## ⚠️ Exposed Secrets (committed to git)", "");
|
|
248
|
+
for (const finding of tracked) {
|
|
249
|
+
lines.push(`### [${finding.severity.toUpperCase()}] ${finding.provider}`, `**File:** ${finding.file}${finding.line > 0 ? `:${finding.line}` : ""}`, `**Match:** \`${finding.match}\``, `**Fix:** ${finding.fix}`, "");
|
|
250
|
+
}
|
|
251
|
+
}
|
|
252
|
+
if (ignored.length > 0) {
|
|
253
|
+
lines.push(`## ✅ Protected Secrets (${ignored.length} in .gitignore — local only)`, "");
|
|
254
|
+
lines.push("These files are in .gitignore and not committed. Secrets are safe.", "");
|
|
255
|
+
// Group by file for compact display
|
|
256
|
+
const byFile = new Map();
|
|
257
|
+
for (const f of ignored) {
|
|
258
|
+
const group = byFile.get(f.file) ?? [];
|
|
259
|
+
group.push(f);
|
|
260
|
+
byFile.set(f.file, group);
|
|
261
|
+
}
|
|
262
|
+
for (const [file, findings] of byFile) {
|
|
263
|
+
lines.push(`- **${basename(file)}**: ${findings.map(f => f.provider).join(", ")}`);
|
|
264
|
+
}
|
|
265
|
+
lines.push("");
|
|
266
|
+
}
|
|
267
|
+
// Show unknown-status findings same as exposed (no git protection confirmed)
|
|
268
|
+
const exposed = [...tracked, ...unknown];
|
|
269
|
+
if (exposed.length === 0 && tracked.length === 0) {
|
|
270
|
+
// Re-render exposed section header if only unknown findings
|
|
271
|
+
}
|
|
272
|
+
for (const finding of unknown) {
|
|
199
273
|
lines.push(`### [${finding.severity.toUpperCase()}] ${finding.provider}`, `**File:** ${finding.file}${finding.line > 0 ? `:${finding.line}` : ""}`, `**Match:** \`${finding.match}\``, `**Fix:** ${finding.fix}`, "");
|
|
200
274
|
}
|
|
201
275
|
}
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "guardvibe",
|
|
3
|
-
"version": "
|
|
3
|
+
"version": "3.0.0",
|
|
4
4
|
"mcpName": "io.github.goklab/guardvibe",
|
|
5
5
|
"description": "Security MCP for vibe coding. 334 rules, 31 tools, CLI + doctor. Host security: CVE-2025-59536 hook injection, CVE-2026-21852 base URL hijack, MCP config audit, AI host hardening. Plus Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
|
|
6
6
|
"type": "module",
|