guardvibe 3.0.34 → 3.0.35

package/build/tools/check-code.js

@@ -314,9 +314,15 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
             continue;
         if (rule.id.startsWith("VG21") && !filePath && language !== "yaml")
             continue;
-        // Skip credential rules in test files — fixtures and assertions intentionally use fake values.
+        // Skip noisy rules in test files — fixtures, payload strings, and HTTP test helpers
+        // generate FPs for credential, injection, and HTTP-header rules without representing
+        // real exploitable code.
+        // - VG001/VG062: hardcoded credentials (test fixtures use fake values intentionally)
+        // - VG010/VG011/VG013/VG014: injection rules trigger on payload strings like
+        //   agent.get('/?q=' + sqlPayload) which match the regex but aren't database calls
+        // - VG042/VG678: HTTP-response/security-header rules (tests don't serve to real users)
         const isTestFile = filePath && /(?:\.(?:spec|test|e2e|stories)\.(?:ts|tsx|js|jsx|mjs|cjs)$|\/__tests__\/|\/tests?\/|\/cypress\/|\/playwright\/)/i.test(filePath);
-        if (isTestFile && (rule.id === "VG001" || rule.id === "VG062"))
+        if (isTestFile && ["VG001", "VG062", "VG010", "VG011", "VG013", "VG014", "VG042", "VG678"].includes(rule.id))
             continue;
         // Skip Expo-specific rule (VG708) when project is not an Expo app.
         // The rule's regex incorrectly matches the literal strings "app.json"/"app.config.ts"

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "guardvibe",
-  "version": "3.0.34",
+  "version": "3.0.35",
   "mcpName": "io.github.goklab/guardvibe",
   "description": "Security MCP for vibe coding. 365 rules, 38 tools, CLI + doctor. Host security, auth coverage mapping, LLM-powered deep scan (IDOR/business logic), taint analysis. Plus Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
   "type": "module",