guardvibe 3.0.32 → 3.0.33

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (4) hide show
  1. package/build/data/rules/dockerfile.js +1 -1
  2. package/build/data/rules/web-security.js +1 -1
  3. package/build/tools/check-code.js +2 -1
  4. package/package.json +1 -1
package/build/data/rules/dockerfile.js CHANGED
@@ -29,7 +29,7 @@ export const dockerfileRules = [
29
29
  severity: "medium",
30
30
  owasp: "A03:2025 Software Supply Chain Failures",
31
31
  description: "Using :latest tag or no tag makes builds non-reproducible and vulnerable to supply chain attacks.",
32
- pattern: /FROM\s+\S+(?::latest\s|(?!:)\s)/gi,
32
+ pattern: /^FROM\s+[^\s:@]+(?::latest)?(?=\s)/gim,
33
33
  languages: ["dockerfile"],
34
34
  fix: "Pin to a specific version tag: FROM node:20-alpine instead of FROM node:latest.",
35
35
  fixCode: "# Pin to specific version\nFROM node:20-alpine\n# Not: FROM node:latest\n# Not: FROM node",
package/build/data/rules/web-security.js CHANGED
@@ -179,7 +179,7 @@ export const webSecurityRules = [
179
179
  severity: "high",
180
180
  owasp: "A05:2021 Security Misconfiguration",
181
181
  description: "Response serving user-uploaded files does not set X-Content-Type-Options: nosniff. Browsers may MIME-sniff the content and execute uploaded files as HTML/JavaScript, enabling stored XSS via file uploads.",
182
- pattern: /(?:createReadStream|sendFile|send\s*\(|pipe\s*\(|res\.download|res\.sendFile|getSignedUrl|getPublicUrl)[\s\S]{0,500}?(?:(?!X-Content-Type-Options|nosniff)[\s\S]){10,}?(?:res\.end|\.pipe|return|response)/gi,
182
+ pattern: /(?:res\.sendFile|res\.download|createReadStream|getSignedUrl|getPublicUrl|\.pipe\s*\(\s*res)[\s\S]{0,500}?(?:(?!X-Content-Type-Options|nosniff)[\s\S]){10,}?(?:res\.end|\.pipe|return|response)/gi,
183
183
  languages: ["javascript", "typescript"],
184
184
  fix: "Set X-Content-Type-Options: nosniff on all responses serving user-uploaded content.",
185
185
  fixCode: '// Set nosniff header for uploaded file responses\nres.setHeader("X-Content-Type-Options", "nosniff");\nres.setHeader("Content-Disposition", "attachment"); // force download for unknown types\nres.sendFile(filePath);',
package/build/tools/check-code.js CHANGED
@@ -606,7 +606,8 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
606
606
  const hasPublishingFields = /"(?:bin|exports|module|types|typings)"\s*:/i.test(code);
607
607
  const mainPointsToBuild = /"main"\s*:\s*"(?:dist|build|lib|out)\//i.test(code);
608
608
  const runtimeNames = "node|nodemon|tsx|ts-node|next|nest|vite|remix|astro";
609
- const startsAsApp = new RegExp('"start"\\s*:\\s*"(?:' + runtimeNames + ')\\b', "i").test(code);
609
+ // Allow leading env-var assignments: NODE_OPTIONS=..., NODE_ENV=production, PORT=3000, etc.
610
+ const startsAsApp = new RegExp('"start"\\s*:\\s*"(?:[A-Z_][A-Z0-9_]*=\\S+\\s+)*(?:' + runtimeNames + ')\\b', "i").test(code);
610
611
  if (!hasPublishingFields && !mainPointsToBuild && startsAsApp)
611
612
  continue;
612
613
  }
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "guardvibe",
3
- "version": "3.0.32",
3
+ "version": "3.0.33",
4
4
  "mcpName": "io.github.goklab/guardvibe",
5
5
  "description": "Security MCP for vibe coding. 365 rules, 36 tools, CLI + doctor. Host security, auth coverage mapping, LLM-powered deep scan (IDOR/business logic), taint analysis. Plus Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
6
6
  "type": "module",