guardvibe 3.0.18 → 3.0.20

package/README.md

@@ -6,7 +6,7 @@
 [![npm provenance](https://img.shields.io/badge/provenance-verified-brightgreen)](https://www.npmjs.com/package/guardvibe)
 [![codecov](https://codecov.io/gh/goklab/guardvibe/graph/badge.svg)](https://codecov.io/gh/goklab/guardvibe)
 
-**The security MCP built for vibe coding.** 335 security rules, 34 tools covering the entire AI-generated code journey — from first line to production deployment.
+**The security MCP built for vibe coding.** 335 security rules, 36 tools covering the entire AI-generated code journey — from first line to production deployment.
 
 Works with **Claude Code, Cursor, Gemini CLI, Codex, VS Code (Copilot), Windsurf**, and any MCP-compatible coding agent.
 
@@ -14,7 +14,7 @@ Works with **Claude Code, Cursor, Gemini CLI, Codex, VS Code (Copilot), Windsurf
 
 Most security tools are built for enterprise security teams. GuardVibe is built for **you** — the developer using AI to build and ship web apps fast.
 
-- **335 security rules, 34 tools** purpose-built for the stacks AI agents generate
+- **335 security rules, 36 tools** purpose-built for the stacks AI agents generate
 - **Zero setup friction** — `npx guardvibe` and you're scanning
 - **No account required** — runs 100% locally, no API keys, no cloud
 - **Understands your stack** — not generic SAST, but rules that know Next.js, Supabase, Stripe, Clerk, and the tools you actually use
@@ -26,6 +26,15 @@ Most security tools are built for enterprise security teams. GuardVibe is built
 - **Agent-friendly output** — JSON format for AI agents, Markdown for humans, SARIF for CI/CD
 - **Plugin system** — extend with community or premium rule packs
 
+## New in v3
+
+- **Inline suppress** — `// guardvibe-ignore VG001` silences individual findings per-line
+- **CLI-first approach** — `npx guardvibe audit`, `npx guardvibe scan`, `npx guardvibe doctor` all work standalone without MCP
+- **Embedded remediation plan** — `remediation_plan` generates a section-by-section fix checklist after every audit
+- **Score reflects all sections** — security score now factors code, dependencies, config, secrets, auth coverage, and taint analysis
+- **Gitignored secrets excluded** — files matched by `.gitignore` are automatically skipped during secret scanning
+- **Taint sanitizer recognition** — dataflow analysis recognizes common sanitizers (DOMPurify, escape functions, parameterized queries) and stops propagation
+
 ## How GuardVibe Compares
 
 GuardVibe is purpose-built for the AI coding workflow. Traditional tools are excellent for enterprise CI/CD pipelines — GuardVibe fills a different gap.
@@ -183,7 +192,7 @@ Maps security findings to SOC2, PCI-DSS, HIPAA, GDPR, ISO27001, and EU AI Act (E
 ### Supply Chain
 Malicious postinstall scripts, unpinned GitHub Actions, typosquat detection
 
-## Tools (33 MCP tools)
+## Tools (36 MCP tools)
 
 | Tool | What it does |
 |------|-------------|
@@ -221,6 +230,8 @@ Malicious postinstall scripts, unpinned GitHub Actions, typosquat detection
 | `auth_coverage` | **Auth coverage map** — enumerate routes, parse middleware matchers, detect auth guards, report coverage % |
 | `deep_scan` | **LLM-powered deep analysis** — IDOR, business logic, race conditions, privilege escalation (requires API key) |
 | `full_audit` | **Single source of truth** — runs ALL checks in one call, returns PASS/FAIL/WARN verdict + score + coverage % + deterministic result hash |
+| `remediation_plan` | **Remediation plan** — generates section-by-section fix checklist after audit |
+| `verify_remediation` | **Remediation verification** — compares before/after audit, flags skipped sections |
 
 All scanning tools support `format: "json"` for machine-readable output.
 

package/build/cli/hook.js

@@ -11,7 +11,7 @@ const HOOK_SCRIPT = `#!/bin/sh
 echo "🔒 GuardVibe: scanning staged files..."
 
 # Run guardvibe scan on staged files
-RESULT=$(npx -y guardvibe-scan 2>&1)
+RESULT=$(npx -y guardvibe scan --staged 2>&1)
 EXIT_CODE=$?
 
 if [ $EXIT_CODE -ne 0 ]; then

package/build/data/rules/advanced-security.js

@@ -304,7 +304,7 @@ export const advancedSecurityRules = [
         severity: "medium",
         owasp: "A04:2025 Insecure Design",
         description: "Regular expression contains nested quantifiers ((a+)+), overlapping alternation with quantifiers (([a-z]+)*), or other patterns that cause catastrophic backtracking. Attackers can send crafted input to freeze the event loop.",
-        pattern: /\/(?:[^/\\]|\\.)*(?:\([^)]*[+*][^)]*\)[+*]|\(\?:[^)]*[+*][^)]*\)[+*]|\[[^\]]*\][+*][^/]*[+*])(?:[^/\\]|\\.)*\//g,
+        pattern: /\/(?:[^/\\]|\\.)*(?:\([^)]*[+*][^)]*\)\s*[+*]|\(\?:[^)]*[+*][^)]*\)\s*[+*])(?:[^/\\]|\\.)*\//g,
         languages: ["javascript", "typescript"],
         fix: "Rewrite the regex to avoid nested quantifiers. Use atomic groups or possessive quantifiers if available, or use the 'safe-regex' library to validate patterns.",
         fixCode: '// BAD: catastrophic backtracking\nconst re = /(a+)+$/;\n\n// GOOD: no nested quantifiers\nconst re = /a+$/;\n\n// GOOD: validate with safe-regex\nimport safe from "safe-regex";\nif (!safe(pattern)) throw new Error("Unsafe regex");',
@@ -330,7 +330,7 @@ export const advancedSecurityRules = [
         severity: "medium",
         owasp: "A01:2025 Broken Access Control",
         description: "POST/PUT/PATCH/DELETE route handler performs database mutations without CSRF token verification. Cross-site requests from malicious pages can trick authenticated users into performing unwanted actions.",
-        pattern: /export\s+(?:async\s+)?function\s+(?:POST|PUT|PATCH|DELETE)\s*\([^)]*\)\s*\{(?:(?!csrf|csrfToken|CSRF|x-csrf|verifyCsrf|validateCsrf|anti.?forgery|requireAdmin|requireAuth|checkAuth|withAuth|protectRoute|authenticate|x-csrf-protection)[\s\S]){10,}?(?:\.create\s*\(|\.update\s*\(|\.delete\s*\(|\.insert\s*\(|\.upsert\s*\()/g,
+        pattern: /export\s+(?:async\s+)?function\s+(?:POST|PUT|PATCH|DELETE)\s*\([^)]*\)\s*\{(?:(?!csrf|csrfToken|CSRF|x-csrf|verifyCsrf|validateCsrf|anti.?forgery|requireAdmin|requireAuth|checkAuth|withAuth|protectRoute|authenticate|x-csrf-protection|getAuth|currentUser|clerkClient|createServerClient|createServerSupabaseClient|getServerSession|getSession|auth\(\)|getToken|verifyToken|clerkMiddleware)[\s\S]){10,}?(?:\.create\s*\(|\.update\s*\(|\.delete\s*\(|\.insert\s*\(|\.upsert\s*\()/g,
         languages: ["javascript", "typescript"],
         fix: "Add CSRF token verification to state-changing endpoints.",
         fixCode: '// Verify CSRF token from header\nexport async function POST(req: Request) {\n  const csrfToken = req.headers.get("x-csrf-token");\n  if (!verifyCsrfToken(csrfToken)) {\n    return new Response("CSRF validation failed", { status: 403 });\n  }\n}',
@@ -356,7 +356,7 @@ export const advancedSecurityRules = [
         severity: "high",
         owasp: "A04:2025 Insecure Design",
         description: "Rate limiting catch block returns a permissive result (limited: false, success: true) when the rate limit backend (Redis) fails. If Redis goes down, all rate limits are disabled.",
-        pattern: /catch\s*\([^)]*\)\s*\{[\s\S]{0,200}?(?:limited\s*:\s*false|success\s*:\s*true|allowed\s*:\s*true|return\s+(?:false|null|undefined)\s*;?\s*\})/g,
+        pattern: /(?:rateLimit|rateLimiter|limiter|Ratelimit)[\s\S]{0,500}?catch\s*\([^)]*\)\s*\{[\s\S]{0,200}?(?:limited\s*:\s*false|success\s*:\s*true|allowed\s*:\s*true)/g,
         languages: ["javascript", "typescript"],
         fix: "Fail closed: when the rate limiter backend is unavailable, deny the request.",
         fixCode: '// BAD: fail-open\ncatch (error) { return { limited: false }; }\n\n// GOOD: fail-closed\ncatch (error) {\n  console.error("Rate limiter unavailable:", error);\n  return { limited: true };\n}',

package/build/data/rules/modern-stack.js

@@ -527,7 +527,7 @@ export const modernStackRules = [
         severity: "critical",
         owasp: "A03:2025 Injection",
         description: "User input is interpolated into a Supabase .or() filter string via template literal or concatenation. This is equivalent to SQL injection for PostgREST — attackers can modify filter logic to access unauthorized data.",
-        pattern: /\.or\s*\(\s*(?:`[^`]*\$\{)|\.or\s*\(\s*\w+\s*\)|["'][^"']*["']\s*\+\s*\w+(?:Id|Name|Term|Input)\b[\s\S]{0,100}?\.or\s*\(/gi,
+        pattern: /\.or\s*\(\s*(?:`[^`]*\$\{(?!(?:sfv|sanitize|escape|validate|encodeURIComponent)\s*\())|\.or\s*\(\s*\w+\s*\)|["'][^"']*["']\s*\+\s*\w+(?:Id|Name|Term|Input)\b[\s\S]{0,100}?\.or\s*\(/gi,
         languages: ["javascript", "typescript"],
         fix: "Never interpolate user input into .or() strings. Use separate .eq() filters or build the filter from validated enum values.",
         fixCode: '// BAD: filter injection\n.or(`sender_id.eq.${userId},receiver_id.eq.${userId}`)\n\n// GOOD: use server-verified auth ID\nconst { data: { user } } = await supabase.auth.getUser();\n.or(`sender_id.eq.${user.id},receiver_id.eq.${user.id}`)\n\n// BEST: use RLS policies instead of client-side filtering',

package/build/tools/check-code.js

@@ -5,18 +5,23 @@ import { loadIgnoreFile, isIgnored } from "../utils/ignore.js";
 import { securityBanner } from "../utils/banner.js";
 function parseSuppressionsFromCode(lines) {
     const suppressions = [];
-    const pattern = /(?:\/\/|#|<!--)\s*guardvibe-ignore(?:-next-line)?\s*(VG\d+)?\s*(?:-->)?/i;
+    const pattern = /(?:\/\/|#|<!--)\s*guardvibe-ignore(?:-next-line)?\s*(VG\d+)?(?:\s.*)?(?:-->)?/i;
     for (let i = 0; i < lines.length; i++) {
         const match = pattern.exec(lines[i]);
         if (!match)
             continue;
         const ruleId = match[1] || null;
         const isNextLine = lines[i].includes("guardvibe-ignore-next-line");
+        const isCommentOnlyLine = /^\s*(?:\/\/|#|<!--)/.test(lines[i]);
         if (isNextLine) {
-            suppressions.push({ line: i + 2, ruleId }); // next line (1-indexed)
+            suppressions.push({ line: i + 2, ruleId });
+        }
+        else if (isCommentOnlyLine) {
+            suppressions.push({ line: i + 1, ruleId });
+            suppressions.push({ line: i + 2, ruleId });
         }
         else {
-            suppressions.push({ line: i + 1, ruleId }); // same line (1-indexed)
+            suppressions.push({ line: i + 1, ruleId });
         }
     }
     return suppressions;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "guardvibe",
-  "version": "3.0.18",
+  "version": "3.0.20",
   "mcpName": "io.github.goklab/guardvibe",
   "description": "Security MCP for vibe coding. 335 rules, 36 tools, CLI + doctor. Host security, auth coverage mapping, LLM-powered deep scan (IDOR/business logic), taint analysis. Plus Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
   "type": "module",