guardvibe 3.1.26 → 3.1.27

package/CHANGELOG.md

@@ -5,6 +5,34 @@ All notable changes to GuardVibe are documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [3.1.27] - 2026-06-06
+
+### Fixed
+- **`audit --format sarif` now emits real SARIF v2.1.0** (was silently falling back to a markdown report). The audit SARIF covers all six sections — code, secrets, dependencies, config, taint, auth-coverage — so it is strictly richer than `scan --format sarif` (code-only). `audit --format sarif` now implies `--full` so CI gets every finding with no silent truncation; each result carries its originating section + severity in `properties`, and run-level `properties` carry verdict / score / grade / resultHash
+- **`init claude` hook is now version-pinned** (was `guardvibe@latest`). The PostToolUse hook command now pins to the same version as the MCP server, restoring the determinism guarantee; re-running `init` also rewrites a stale `@latest` (or older-pinned) hook to the current version
+- **Malformed `.guardviberc` no longer fails silently.** A `.guardviberc` that is not valid JSON now prints a warning to **stderr** (stdout stays clean for MCP JSON-RPC and machine formats) telling the user their `rules.disable` / `authExceptions` / `scan.exclude` are NOT being applied — previously the parse error was swallowed and defaults were used with no signal
+
+### Notes
+- Surfaced by a fresh-user end-to-end simulation (CLI commands, MCP tools, host inits, output formats, edge cases, real-world dogfood). Self-audit PASS A 100; dogfood result hashes unchanged (dvna 58, juice-shop 199, nodejs-goof 295)
+
+## [3.1.26] - 2026-06-06
+
+### Added — 5 new rules (424 → 429)
+- **VG1071** axios proxy-auth credential leak on cross-origin redirect. Flags axios client pins on vulnerable ranges where `proxy.auth` Basic credentials are forwarded to the redirect target host; fix advises pinning via `overrides`/`resolutions` to the patched line and stripping `Proxy-Authorization` on host change via a request interceptor
+- **VG1072** hono `setCookie` attribute injection / cookie smuggling. Detects untrusted input flowing into `setCookie(c, name, value, …)` without sanitization of CR / LF / `;` bytes — enables Set-Cookie header injection and downstream cookie smuggling on the same response
+- **VG1073** drizzle `sql.raw()` user-input interpolation. Flags `sql.raw(\`…${userInput}…\`)` and `db.execute(sql.raw(…))` patterns that splice request data into raw SQL — bypasses drizzle's parameterized-query safety net. Fix advises switching to the `sql\`…${userInput}\`` tagged-template form which parameterizes the binding
+- **VG1074** Miasma supply-chain IOC — `@redhat-cloud-services/*` namespace compromise (RHSB-2026-006). Pins the maintainer-account-takeover wave that shipped credential-exfil postinstall scripts under the Red Hat scope; fix advises pinning to pre-compromise versions via `overrides` and rotating any npm/CI tokens reachable from `npm install`
+- **VG1075** Session messenger exfil endpoint IOC (`filev2.getsession.org`). Detects callsites and stringified URLs that point at the Session-relay endpoint used by the Miasma wave (and other recent supply-chain payloads) to POST exfiltrated `process.env` + `~/.npmrc` content to attacker infrastructure
+
+### Changed
+- `overrides` bumped: `hono` → `^4.12.21` (covers VG1042 + VG1072 patched line)
+- CLI `rulesApplied` default 424 → 429 (src/index.ts + src/tools/full-audit.ts)
+- `server.json` (MCP registry metadata) refreshed: 390 → 429 rules, version 3.1.22 → 3.1.26
+- README updated end-to-end: hero count 422 → 429, CVE-version intelligence 60 → 63, new threat-intel bullet for VG1069 → VG1075, supply-chain section calls out VG1069 / VG1070 / VG1074 / VG1075
+
+### Self-audit
+- `npx guardvibe audit` after `npm audit fix` → PASS A 100 (0 findings, 0 advisories)
+
 ## [3.1.25] - 2026-05-16
 
 ### Added — 2 new rules (422 → 424)

package/README.md

@@ -6,7 +6,7 @@
 [![npm provenance](https://img.shields.io/badge/provenance-verified-brightgreen)](https://www.npmjs.com/package/guardvibe)
 [![codecov](https://codecov.io/gh/goklab/guardvibe/graph/badge.svg)](https://codecov.io/gh/goklab/guardvibe)
 
-**The security MCP built for vibe coding.** 422 security rules, 36 tools covering the entire AI-generated code journey — from first line to production deployment.
+**The security MCP built for vibe coding.** 429 security rules, 36 tools covering the entire AI-generated code journey — from first line to production deployment.
 
 Works with **Claude Code, Cursor, Gemini CLI, Codex, VS Code (Copilot), Windsurf**, and any MCP-compatible coding agent.
 
@@ -14,11 +14,11 @@ Works with **Claude Code, Cursor, Gemini CLI, Codex, VS Code (Copilot), Windsurf
 
 Most security tools are built for enterprise security teams. GuardVibe is built for **you** — the developer using AI to build and ship web apps fast.
 
-- **422 security rules, 36 tools** purpose-built for the stacks AI agents generate
+- **429 security rules, 36 tools** purpose-built for the stacks AI agents generate
 - **Zero setup friction** — `npx guardvibe` and you're scanning
 - **No account required** — runs 100% locally, no API keys, no cloud
 - **Understands your stack** — not generic SAST, but rules that know Next.js, Supabase, Stripe, Clerk, and the tools you actually use
-- **CVE version intelligence** — detects 60 known vulnerable package versions in package.json, refreshed every day from GHSA / OSV.dev / CISA KEV
+- **CVE version intelligence** — detects 63 known vulnerable package versions in package.json, refreshed every day from GHSA / OSV.dev / CISA KEV
 - **AI agent & MCP security** — detects MCP server vulnerabilities, tool-description prompt injection (OWASP MCP Top 10), model-controlled sandbox-disable flags, excessive AI permissions, indirect prompt injection
 - **Auto-fix suggestions** — `fix_code` tool returns concrete patches and structured edits the AI agent can apply mechanically. Coverage: hardcoded credentials → env-var migration; public-prefix LLM keys (`NEXT_PUBLIC_/VITE_/EXPO_PUBLIC_/REACT_APP_`) → prefix removal; CORS wildcards → env allowlist; `dangerouslyAllowBrowser` flags → drop; sandbox bypass flags (`unsafe`/`noSandbox`/`allowEval`) → drop; agent loops → add `maxSteps`; raw-HTML React props → `<ReactMarkdown>`; missing auth checks → insert auth guard; SQL injection → parameterized queries; missing rate limiters / CSRF / security headers → snippet templates.
 - **Pre-commit hook** — block insecure code before it reaches your repo
@@ -28,7 +28,7 @@ Most security tools are built for enterprise security teams. GuardVibe is built
 
 ## New in v3.1.x
 
-- **Daily threat-intel pipeline** — rule set tracks GHSA / OSV.dev / CISA KEV every day. v3.1.23 alone added 22 new CVE / supply-chain / AI-runtime rules covering the Next.js May 2026 13-advisory cluster, Drizzle ORM SQL identifier injection (CVE-2026-39356), Clerk `clerkFrontendApiProxy` SSRF (CVE-2026-34076), tRPC `experimental_nextAppDirCaller` prototype pollution (CVE-2025-68130), MikroORM SQL injection, angular-expressions filter RCE, `@tanstack/*` Mini Shai-Hulud supply-chain attack, Kysely JSON-path traversal, `@nyariv/sandboxjs` sandbox escape, OpenClaude `dangerouslyDisableSandbox` model-controlled flag, Strapi content-type builder SQL injection, LangSmith untrusted prompt-manifest deserialization, and more
+- **Daily threat-intel pipeline** — rule set tracks GHSA / OSV.dev / CISA KEV every day. Latest shipments (v3.1.24 → v3.1.26) added `VG1069` node-ipc protestware detection, `VG1070` CI `npm` provenance / `--ignore-scripts` hardening, `VG1071` axios proxy-auth redirect credential leak, `VG1072` hono `setCookie` attribute injection, `VG1073` drizzle `sql.raw` interpolation, `VG1074` Miasma `@redhat-cloud-services` namespace compromise IOC (RHSB-2026-006), and `VG1075` Session messenger exfil endpoint IOC (`filev2.getsession.org`). The hono override floor is pinned to `^4.12.21`. Earlier in the v3.1.2x line: Next.js May 2026 13-advisory cluster, Drizzle ORM SQL identifier injection (CVE-2026-39356), Clerk `clerkFrontendApiProxy` SSRF (CVE-2026-34076), tRPC `experimental_nextAppDirCaller` prototype pollution (CVE-2025-68130), MikroORM SQL injection, angular-expressions filter RCE, `@tanstack/*` Mini Shai-Hulud supply-chain attack, Kysely JSON-path traversal, `@nyariv/sandboxjs` sandbox escape, OpenClaude `dangerouslyDisableSandbox` model-controlled flag, Strapi content-type builder SQL injection, LangSmith untrusted prompt-manifest deserialization, and more
 - **OWASP MCP Top 10 alignment** — `VG1068` flags MCP / AI tool definitions whose `description`, `instructions`, or `systemPrompt` fields carry prompt-injection markers (`ignore previous instructions`, `you are now`, `jailbreak mode`, `system prompt:`, `override safety`, …); pair with `VG1063` which catches `dangerouslyDisableSandbox: true` in agent runtimes
 - **Inline suppress** — `// guardvibe-ignore VG001` silences individual findings per-line
 - **CLI-first approach** — `npx guardvibe audit`, `npx guardvibe scan`, `npx guardvibe doctor` all work standalone without MCP
@@ -49,10 +49,10 @@ GuardVibe is purpose-built for the AI coding workflow. Traditional tools are exc
 | AI/LLM security (prompt injection, MCP, tool abuse) | 68 rules | Experimental/None | None |
 | AI host security (CVE-2025-59536, CVE-2026-21852) | `guardvibe doctor` | Not supported | Not supported |
 | Auto-fix suggestions for AI agents | `fix_code` tool | CLI autofix | Not supported |
-| CVE version detection | 60 packages, refreshed daily | Extensive | Extensive |
+| CVE version detection | 63 packages, refreshed daily | Extensive | Extensive |
 | Compliance mapping (SOC2, PCI-DSS, HIPAA) | Built-in | Paid tier | None |
 | SARIF CI/CD export | Yes | Yes | Limited |
-| Rule count | 422 (focused, 68 AI-native) | 5000+ (broad) | N/A |
+| Rule count | 429 (focused, 68 AI-native) | 5000+ (broad) | N/A |
 
 **When to use GuardVibe:** You're building with AI agents and want security scanning integrated into your coding workflow — no dashboard, no account, no CI setup.
 
@@ -176,13 +176,13 @@ React Native, Expo — AsyncStorage secrets, deep link token exposure, hardcoded
 ### Firebase
 Firestore security rules, Firebase Admin SDK exposure, storage rules, custom token validation
 
-### CVE Version Intelligence (60 CVEs, refreshed daily)
+### CVE Version Intelligence (63 CVEs, refreshed daily)
 **Frameworks:** Next.js (CVE-2024-34351, CVE-2024-46982, CVE-2025-29927, CVE-2026-23869, CVE-2026-44573 / 44574 / 44575 / 44578 / 44579 / 45109 May 2026 cluster), React + react-server-dom-* (CVE-2025-55182, CVE-2026-23870), Express, Hono pre-4.12.18 cluster, @vitejs/plugin-rsc, Strapi content-type-builder (CVE-2026-22599)
 **Auth:** Clerk middleware bypass (GHSA-vqx2), Clerk `has()` org/billing/reverification bypass (GHSA-w24r), Clerk `clerkFrontendApiProxy` SSRF (CVE-2026-34076), NextAuth.js (2 CVEs), jsonwebtoken
-**ORMs / SQL:** Drizzle SQL identifier injection (CVE-2026-39356), MikroORM SQL injection (CVE-2026-44680), Prisma raw-query call-form, Kysely JSON-path traversal (CVE-2026-44635)
+**ORMs / SQL:** Drizzle SQL identifier injection (CVE-2026-39356) + Drizzle `sql.raw` interpolation (VG1073), MikroORM SQL injection (CVE-2026-44680), Prisma raw-query call-form, Kysely JSON-path traversal (CVE-2026-44635)
 **AI ecosystem:** @anthropic-ai/sdk (CVE-2026-34451 + memory tool path escape), Vercel AI SDK file-type bypass (CVE-2025-48985), LangSmith untrusted prompt manifest (CVE-2026-45134), OpenClaude sandbox bypass (CVE-2026-42074), @nyariv/sandboxjs Function.caller escape (CVE-2026-43898)
-**HTTP / parsing:** Axios pre-1.15.2 cluster (SSRF + prototype-pollution + DoS + CRLF), fast-uri path traversal + host confusion (CVE-2026-6321 / 6322), fast-xml-parser CDATA injection, xmldom CDATA, protobuf.js multi-CVE cluster, undici (2 CVEs), ws
-**Tools / supply chain:** @tanstack/* Mini Shai-Hulud (84 malicious versions, May 2026), @wdio/browserstack-service command injection (CVE-2026-25244), @babel/plugin-transform-modules-systemjs arbitrary code (CVE-2026-44728), @opentelemetry exporter-prometheus DoS (CVE-2026-44902), systeminformation Linux cmd injection (CVE-2026-44724), velocityjs prototype pollution, defu, sharp, lodash, node-fetch, tar, xml2js, crypto-js, angular-expressions RCE, i18next-http-backend, vm2 sandbox breakouts
+**HTTP / parsing:** Axios pre-1.15.2 cluster (SSRF + prototype-pollution + DoS + CRLF) + axios proxy-auth redirect leak (VG1071), Hono `setCookie` attribute injection (VG1072, override pinned `^4.12.21`), fast-uri path traversal + host confusion (CVE-2026-6321 / 6322), fast-xml-parser CDATA injection, xmldom CDATA, protobuf.js multi-CVE cluster, undici (2 CVEs), ws
+**Tools / supply chain:** node-ipc protestware (VG1069), Miasma `@redhat-cloud-services` namespace compromise IOC (VG1074), Session messenger exfil endpoint IOC (VG1075), @tanstack/* Mini Shai-Hulud (84 malicious versions, May 2026), @wdio/browserstack-service command injection (CVE-2026-25244), @babel/plugin-transform-modules-systemjs arbitrary code (CVE-2026-44728), @opentelemetry exporter-prometheus DoS (CVE-2026-44902), systeminformation Linux cmd injection (CVE-2026-44724), velocityjs prototype pollution, defu, sharp, lodash, node-fetch, tar, xml2js, crypto-js, angular-expressions RCE, i18next-http-backend, vm2 sandbox breakouts
 
 ### Deployment & Config
 Vercel (vercel.json, cron secrets, headers), Next.js config, Docker, Docker Compose, Fly.io, Render, Netlify, Cloudflare
@@ -197,7 +197,7 @@ API keys (AWS, GitHub, Stripe, OpenAI, Resend, Turso), .env management, .gitigno
 Maps security findings to SOC2, PCI-DSS, HIPAA, GDPR, ISO27001, and EU AI Act (EUAIACT) controls. Identifies which code-level vulnerabilities are relevant to specific compliance requirements. **Not a substitute for professional compliance audits.**
 
 ### Supply Chain
-Malicious postinstall scripts, unpinned GitHub Actions, typosquat detection, `@tanstack/*` Mini Shai-Hulud mass-malware versions (May 2026), `@wdio/browserstack-service` command injection via git branch names (CVE-2026-25244), lockfile poisoning patterns
+Malicious postinstall scripts, unpinned GitHub Actions, CI `npm` provenance / `--ignore-scripts` hardening (VG1070), typosquat detection, `node-ipc` protestware versions (VG1069), Miasma `@redhat-cloud-services` namespace compromise IOC (VG1074, RHSB-2026-006), Session messenger exfil endpoint IOC (VG1075, `filev2.getsession.org`), `@tanstack/*` Mini Shai-Hulud mass-malware versions (May 2026), `@wdio/browserstack-service` command injection via git branch names (CVE-2026-25244), lockfile poisoning patterns
 
 ## Tools (36 MCP tools)
 
@@ -242,7 +242,7 @@ Malicious postinstall scripts, unpinned GitHub Actions, typosquat detection, `@t
 
 All scanning tools support `format: "json"` for machine-readable output.
 
-## Security Rules (390 rules across 25 modules)
+## Security Rules (429 rules across 25 modules)
 
 | Category | Rules | Coverage |
 |----------|-------|----------|
@@ -457,7 +457,7 @@ If your AI agent cannot connect to GuardVibe:
 
 1. **Restart your IDE/agent.** MCP servers are started by the host application. After running `npx guardvibe init`, restart Claude Code, Cursor, or Gemini CLI for the config to take effect.
 2. **Check the config path.** Run `npx guardvibe init claude` again and verify the output shows the correct config file location (`.mcp.json` in your project root for Claude Code, `.cursor/mcp.json` for Cursor).
-3. **Re-run `init` to upgrade.** When upgrading GuardVibe, re-run `npx guardvibe init claude` — `.mcp.json` is pinned to a specific version (e.g. `guardvibe@3.1.3`) at init time for fast deterministic startup. As of v3.1.2 the re-run also rewrites stale pins automatically (`Upgraded GuardVibe pin (3.0.55 → 3.1.3)`). The same applies to `npx guardvibe hook install` and `npx guardvibe ci github` (since v3.1.3) — both are version-pinned at install/generate time and re-run to upgrade.
+3. **Re-run `init` to upgrade.** When upgrading GuardVibe, re-run `npx guardvibe init claude` — `.mcp.json` is pinned to a specific version (e.g. `guardvibe@3.1.27`) at init time for fast deterministic startup. As of v3.1.2 the re-run also rewrites stale pins automatically (`Upgraded GuardVibe pin (3.1.26 → 3.1.27)`); since v3.1.27 the PostToolUse hook command is pinned to the same version (was `@latest`) and re-run upgrades a stale hook too. The same applies to `npx guardvibe hook install` and `npx guardvibe ci github` (since v3.1.3) — both are version-pinned at install/generate time and re-run to upgrade.
 4. **Pre-3.1.1 users won't see the auto-update banner.** GuardVibe started writing a once-per-day "newer version available" notice to stderr in v3.1.1. If your install predates that, you'll never see it — run `npx -y guardvibe@latest init <host>` once to bake in the latest pin and start receiving banners on subsequent sessions.
 5. **Verify Node.js version.** GuardVibe requires Node.js >= 18.0.0. Check with `node --version`.
 6. **Check npx cache.** If you upgraded GuardVibe and the old version is cached, run `npx -y guardvibe@latest` to force the latest version.

package/build/cli/audit.js

@@ -16,7 +16,8 @@ export async function runAudit(args) {
     const failOn = getStringFlag(flags, "fail-on") ?? "critical";
     const skipDeps = flags["skip-deps"] === true;
     const skipSecrets = flags["skip-secrets"] === true;
-    const full = flags["full"] === true;
+    // SARIF is consumed by CI / code-scanning — never silently truncate findings.
+    const full = flags["full"] === true || rawFormat === "sarif";
     setRules(builtinRules);
     // Terminal format by default when outputting to TTY, unless --format is specified
     const isTerminal = !outputFile && process.stdout.isTTY && !flags["format"];

package/build/cli/init.js

@@ -109,17 +109,27 @@ function setupClaudeGuide() {
     const existingSettings = readJsonFile(claudeSettingsPath) || {};
     if (!existingSettings.hooks)
         existingSettings.hooks = {};
+    const hookCommand = `jq -r '.tool_input.file_path' | xargs npx -y guardvibe@${pkg.version} check --format buddy 2>/dev/null || true`;
     if (!existingSettings.hooks.PostToolUse) {
         existingSettings.hooks.PostToolUse = [
             {
                 matcher: "Edit|Write",
-                hooks: [{
-                        type: "command",
-                        command: "jq -r '.tool_input.file_path' | xargs npx -y guardvibe@latest check --format buddy 2>/dev/null || true"
-                    }]
+                hooks: [{ type: "command", command: hookCommand }]
             }
         ];
     }
+    else {
+        // Re-run upgrade: rewrite any stale GuardVibe hook command (e.g. @latest or an
+        // older pin) to the current pinned version — keeps the hook scanner deterministic
+        // and in lock-step with the pinned MCP server.
+        for (const entry of existingSettings.hooks.PostToolUse) {
+            for (const h of entry?.hooks ?? []) {
+                if (typeof h.command === "string" && /npx\s+-y\s+guardvibe@[^\s]+\s+check/.test(h.command)) {
+                    h.command = hookCommand;
+                }
+            }
+        }
+    }
     writeJsonFile(claudeSettingsPath, existingSettings);
     console.log(`  [OK] Claude Code hooks configured (.claude/settings.json)`);
     const claudeMdPath = join(process.cwd(), "CLAUDE.md");

package/build/tools/full-audit.d.ts

@@ -92,6 +92,11 @@ export declare function runFullAudit(path: string, options?: {
     full?: boolean;
 }): Promise<AuditResult>;
 /**
- * Format audit result as markdown, JSON, or terminal-friendly output.
+ * Build a SARIF v2.1.0 document from a full audit result.
+ * Covers every section (code, secrets, dependencies, config, taint, auth-coverage)
+ * — richer than `scan --format sarif`, which is code-only.
+ * Note: for complete CI coverage, run the audit with `full: true` so sectionFindings
+ * are not capped before they reach this formatter.
  */
-export declare function formatAuditResult(result: AuditResult, format: "markdown" | "json" | "terminal"): string;
+export declare function formatAuditSarif(result: AuditResult): string;
+export declare function formatAuditResult(result: AuditResult, format: "markdown" | "json" | "terminal" | "sarif"): string;

package/build/tools/full-audit.js

@@ -7,6 +7,7 @@
  * - Coverage metrics (files scanned, rules applied, %)
  */
 import { createHash } from "node:crypto";
+import { createRequire } from "node:module";
 import { resolve } from "node:path";
 import { readdirSync, readFileSync, statSync, existsSync } from "node:fs";
 import { scanDirectory } from "./scan-directory.js";
@@ -18,6 +19,8 @@ import { analyzeAuthCoverage } from "./auth-coverage.js";
 import { getRules } from "../utils/rule-registry.js";
 import { loadConfig } from "../utils/config.js";
 import { isExcludedFilename } from "../utils/constants.js";
+const _require = createRequire(import.meta.url);
+const _pkg = _require("../../package.json");
 // --- Core Logic ---
 /**
  * Compute verdict: PASS (0 critical + 0 high), WARN (high > 0), FAIL (critical > 0)
@@ -522,7 +525,84 @@ function buildInlineRemediationPlan(result) {
 /**
  * Format audit result as markdown, JSON, or terminal-friendly output.
  */
+/**
+ * Map an audit severity string to a SARIF level.
+ */
+function auditSeverityToLevel(severity) {
+    if (severity === "critical" || severity === "high")
+        return "error";
+    if (severity === "medium")
+        return "warning";
+    return "note";
+}
+/**
+ * Build a SARIF v2.1.0 document from a full audit result.
+ * Covers every section (code, secrets, dependencies, config, taint, auth-coverage)
+ * — richer than `scan --format sarif`, which is code-only.
+ * Note: for complete CI coverage, run the audit with `full: true` so sectionFindings
+ * are not capped before they reach this formatter.
+ */
+export function formatAuditSarif(result) {
+    const sarifResults = [];
+    const ruleMap = new Map();
+    for (const section of result.sections) {
+        for (const f of section.sectionFindings ?? []) {
+            const ruleName = f.name ?? f.ruleId;
+            const description = f.description ?? f.name ?? f.ruleId;
+            if (!ruleMap.has(f.ruleId)) {
+                ruleMap.set(f.ruleId, { id: f.ruleId, name: ruleName, description });
+            }
+            const messageText = f.fix
+                ? `${ruleName}: ${description} Fix: ${f.fix}`
+                : `${ruleName}: ${description}`;
+            sarifResults.push({
+                ruleId: f.ruleId,
+                level: auditSeverityToLevel(f.severity),
+                message: { text: messageText },
+                locations: [{
+                        physicalLocation: {
+                            artifactLocation: { uri: f.file || "unknown" },
+                            region: { startLine: f.line > 0 ? f.line : 1 },
+                        },
+                    }],
+                properties: { section: section.name, severity: f.severity },
+            });
+        }
+    }
+    const sarifRules = [...ruleMap.values()].map(r => ({
+        id: r.id,
+        name: r.name,
+        shortDescription: { text: r.name },
+        fullDescription: { text: r.description },
+        helpUri: "https://guardvibe.dev",
+    }));
+    const sarif = {
+        $schema: "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json",
+        version: "2.1.0",
+        runs: [{
+                tool: {
+                    driver: {
+                        name: "GuardVibe",
+                        version: _pkg.version,
+                        informationUri: "https://guardvibe.dev",
+                        rules: sarifRules,
+                    },
+                },
+                results: sarifResults,
+                properties: {
+                    verdict: result.verdict,
+                    score: result.score,
+                    grade: result.grade,
+                    resultHash: result.resultHash,
+                },
+            }],
+    };
+    return JSON.stringify(sarif, null, 2);
+}
 export function formatAuditResult(result, format) {
+    if (format === "sarif") {
+        return formatAuditSarif(result);
+    }
     if (format === "json") {
         // Embed remediation plan directly in JSON when verdict is not PASS
         if (result.verdict !== "PASS") {

package/build/utils/config.js

@@ -74,7 +74,13 @@ export function loadConfig(dir) {
             } : undefined,
         };
     }
-    catch { }
+    catch (err) {
+        // A .guardviberc exists but could not be parsed. Warn on stderr (never stdout —
+        // stdout must stay clean for MCP JSON-RPC and CLI machine formats) so the user
+        // knows their rule disables / authExceptions / scan.exclude are NOT being applied.
+        const reason = err instanceof Error ? err.message : String(err);
+        console.error(`[guardvibe] Warning: failed to parse ${configPath} — ${reason}. Using default config; your .guardviberc settings are NOT applied.`);
+    }
     configCache.set(configDir, resolvedConfig);
     return resolvedConfig;
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "guardvibe",
-  "version": "3.1.26",
+  "version": "3.1.27",
   "mcpName": "io.github.goklab/guardvibe",
   "description": "Security MCP for vibe coding. 429 rules, 36 tools, CLI + doctor. Host security, auth coverage mapping, LLM-powered deep scan (IDOR/business logic), taint analysis. 63 CVE rules refreshed daily from GHSA/OSV/CISA KEV — Miasma @redhat-cloud-services compromise, Next.js May 2026 13-advisory cluster, Drizzle/MikroORM/Kysely SQL injection, Axios proxy-auth redirect leak, Hono setCookie attribute injection, Clerk SSRF, tRPC prototype pollution, @tanstack supply-chain, node-ipc protestware, OpenClaude sandbox bypass, plus the full AI-generated stack (Supabase, Stripe, Prisma, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK). 68 AI-native rules including OWASP MCP Top 10 tool-description prompt injection (VG1068), model-controlled sandbox-disable flag detection (VG1063), Session messenger exfil endpoint IOC (VG1075), and CI/CD supply-chain hardening (VG1070 npm --expect-provenance / --ignore-scripts enforcement).",
   "type": "module",