guardvibe 3.0.34 → 3.0.36
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
|
@@ -314,9 +314,15 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
|
|
|
314
314
|
continue;
|
|
315
315
|
if (rule.id.startsWith("VG21") && !filePath && language !== "yaml")
|
|
316
316
|
continue;
|
|
317
|
-
// Skip
|
|
317
|
+
// Skip noisy rules in test files — fixtures, payload strings, and HTTP test helpers
|
|
318
|
+
// generate FPs for credential, injection, and HTTP-header rules without representing
|
|
319
|
+
// real exploitable code.
|
|
320
|
+
// - VG001/VG062: hardcoded credentials (test fixtures use fake values intentionally)
|
|
321
|
+
// - VG010/VG011/VG013/VG014: injection rules trigger on payload strings like
|
|
322
|
+
// agent.get('/?q=' + sqlPayload) which match the regex but aren't database calls
|
|
323
|
+
// - VG042/VG678: HTTP-response/security-header rules (tests don't serve to real users)
|
|
318
324
|
const isTestFile = filePath && /(?:\.(?:spec|test|e2e|stories)\.(?:ts|tsx|js|jsx|mjs|cjs)$|\/__tests__\/|\/tests?\/|\/cypress\/|\/playwright\/)/i.test(filePath);
|
|
319
|
-
if (isTestFile &&
|
|
325
|
+
if (isTestFile && ["VG001", "VG062", "VG010", "VG011", "VG013", "VG014", "VG042", "VG678"].includes(rule.id))
|
|
320
326
|
continue;
|
|
321
327
|
// Skip Expo-specific rule (VG708) when project is not an Expo app.
|
|
322
328
|
// The rule's regex incorrectly matches the literal strings "app.json"/"app.config.ts"
|
|
@@ -40,6 +40,10 @@ export interface AuditSection {
|
|
|
40
40
|
details: string;
|
|
41
41
|
/** Individual findings for this section — enables AI to see exactly what to fix */
|
|
42
42
|
sectionFindings?: SectionFinding[];
|
|
43
|
+
/** True when sectionFindings array is shorter than findings (response-size cap). Read findings for the real count. */
|
|
44
|
+
truncated?: boolean;
|
|
45
|
+
/** Hint message when truncated — tells the agent how to retrieve the rest */
|
|
46
|
+
truncationHint?: string;
|
|
43
47
|
}
|
|
44
48
|
export interface AuditResult {
|
|
45
49
|
verdict: AuditVerdict;
|
|
@@ -149,7 +149,20 @@ export async function runFullAudit(path, options) {
|
|
|
149
149
|
name: f.name,
|
|
150
150
|
fix: f.fix,
|
|
151
151
|
}));
|
|
152
|
-
|
|
152
|
+
const codeTruncated = (counts.findings ?? 0) > codeSectionFindings.length;
|
|
153
|
+
sections.push({
|
|
154
|
+
name: "code",
|
|
155
|
+
status: "ok",
|
|
156
|
+
...counts,
|
|
157
|
+
details: `Code ${codeGrade} (${codeScore}/100)`,
|
|
158
|
+
sectionFindings: codeSectionFindings,
|
|
159
|
+
...(codeTruncated
|
|
160
|
+
? {
|
|
161
|
+
truncated: true,
|
|
162
|
+
truncationHint: `Showing top ${codeSectionFindings.length} of ${counts.findings} findings (sorted by severity). Call check_code on individual files for the rest, or use the CLI: npx guardvibe scan --format json.`,
|
|
163
|
+
}
|
|
164
|
+
: {}),
|
|
165
|
+
});
|
|
153
166
|
for (const f of parsed.findings ?? []) {
|
|
154
167
|
allFindings.push({ ruleId: f.id ?? "unknown", severity: f.severity, file: f.file ?? "", line: f.line ?? 0 });
|
|
155
168
|
}
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "guardvibe",
|
|
3
|
-
"version": "3.0.
|
|
3
|
+
"version": "3.0.36",
|
|
4
4
|
"mcpName": "io.github.goklab/guardvibe",
|
|
5
5
|
"description": "Security MCP for vibe coding. 365 rules, 38 tools, CLI + doctor. Host security, auth coverage mapping, LLM-powered deep scan (IDOR/business logic), taint analysis. Plus Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
|
|
6
6
|
"type": "module",
|