guardvibe 3.0.15 → 3.0.16

@@ -66,7 +66,7 @@ export const nextjsRules = [
66
66
  severity: "medium",
67
67
  owasp: "A05:2025 Security Misconfiguration",
68
68
  description: "next.config is missing important security headers (Content-Security-Policy, Strict-Transport-Security, X-Frame-Options).",
69
- pattern: /(?:async\s+)?headers\s*\(\s*\)(?![\s\S]*(?:X-Frame-Options|Strict-Transport-Security|Content-Security-Policy))/g,
69
+ pattern: /(?:async\s+)?headers\s*\(\s*\)\s*\{[\s\S]{0,20}return\s+\[(?![\s\S]*(?:X-Frame-Options|Strict-Transport-Security|Content-Security-Policy))/g,
70
70
  languages: ["javascript", "typescript"],
71
71
  fix: "Add security headers in next.config.ts headers() function.",
72
72
  fixCode: '// next.config.ts\nasync headers() {\n return [{\n source: "/(.*)",\n headers: [\n { key: "X-Frame-Options", value: "DENY" },\n { key: "X-Content-Type-Options", value: "nosniff" },\n { key: "Strict-Transport-Security", value: "max-age=63072000; includeSubDomains" },\n ]\n }];\n}',
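Review bot: The negative lookahead in the new pattern still scans `[\s\S]*` to the end of the input, so a `headers()` that returns no security headers is silently passed whenever one of the three header names appears anywhere later in the file — in a comment, a different route entry, or an unrelated string — and because the alternation needs only one of them, a config that sets just X-Frame-Options also satisfies a rule whose description lists all three. The new `\{[\s\S]{0,20}return\s+\[` anchor presumably exists to stop matching unrelated `headers()` calls, but it also means a body that declares a variable before `return`, or returns a named array instead of a literal, is no longer checked at all. Those false-negative paths in a misconfiguration rule deserve a comment above `pattern`, e.g. `// Heuristic: matches only headers() bodies that return an array literal within 20 chars; the lookahead is file-wide, so any later mention of a header name suppresses the finding.` Bounding the lookahead to the returned array, or checking each header separately, would make the rule match its description and fix text. The enclosing rule object and the `nextjsRules` array start outside the hunk.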
@@ -232,18 +232,21 @@ export async function runFullAudit(path, options) {
232
232
  const parsed = safeJsonParse(configJson);
233
233
  if (parsed) {
234
234
  const counts = parseSectionCounts(parsed);
235
- const configFindings = (parsed.findings ?? []).map((f) => ({
235
+ // auditConfig uses "issues" key, not "findings"
236
+ const rawIssues = parsed.issues ?? parsed.findings ?? [];
237
+ const configFindings = rawIssues.map((f) => ({
236
238
  ruleId: (f.id ?? f.ruleId ?? "CONFIG"),
237
239
  severity: (f.severity ?? "medium"),
238
- file: (f.file ?? ""),
240
+ file: (Array.isArray(f.files) && f.files.length > 0 ? f.files[0] : (f.file ?? "")),
239
241
  line: (f.line ?? 0),
240
- name: (f.name ?? f.description ?? ""),
241
- description: (f.description ?? f.details ?? ""),
242
- fix: (f.fix ?? f.remediation ?? ""),
242
+ name: (f.title ?? f.name ?? ""),
243
+ description: (f.description ?? ""),
244
+ fix: (f.fix ?? ""),
243
245
  }));
244
246
  sections.push({ name: "config", status: "ok", ...counts, details: counts.findings === 0 ? "Config secure" : `${counts.findings} config issue(s)`, sectionFindings: configFindings });
245
- for (const f of parsed.findings ?? []) {
246
- allFindings.push({ ruleId: f.id ?? f.ruleId ?? "CONFIG", severity: f.severity ?? "medium", file: f.file ?? "", line: f.line ?? 0 });
247
+ for (const f of rawIssues) {
248
+ const file = Array.isArray(f.files) && f.files.length > 0 ? f.files[0] : (f.file ?? "");
249
+ allFindings.push({ ruleId: f.id ?? f.ruleId ?? "CONFIG", severity: f.severity ?? "medium", file, line: f.line ?? 0 });
247
250
  }
248
251
  }
249
252
  }
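Review bot: The file-resolution expression `Array.isArray(f.files) && f.files.length > 0 ? f.files[0] : (f.file ?? "")` is now written twice, once in the `configFindings` mapper and again in the `allFindings` loop, and the loop re-derives ruleId/severity/file/line that `configFindings` already holds; `allFindings.push(...configFindings.map(({ ruleId, severity, file, line }) => ({ ruleId, severity, file, line })));` replaces the loop and keeps the two views from drifting. Separately, `counts` still comes from `parseSectionCounts(parsed)`, which is outside this hunk: if that helper reads `parsed.findings`, the `issues`/`findings` key mismatch addressed on the `rawIssues` line persists there and the section could report "Config secure" while `sectionFindings` is non-empty — worth confirming. `runFullAudit` starts and ends outside the hunk.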
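--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
   "name": "guardvibe",
-  "version": "3.0.15",
+  "version": "3.0.16",
   "mcpName": "io.github.goklab/guardvibe",
   "description": "Security MCP for vibe coding. 335 rules, 36 tools, CLI + doctor. Host security, auth coverage mapping, LLM-powered deep scan (IDOR/business logic), taint analysis. Plus Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
   "type": "module",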