npm - guardvibe - Versions diffs - 3.1.3 → 3.1.4 - Mend

guardvibe 3.1.3 → 3.1.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/build/data/rules/dockerfile.js +4 -1
package/build/data/rules/nextjs.js +4 -1
package/build/tools/check-code.js +39 -0
package/package.json +1 -1

package/build/data/rules/dockerfile.js CHANGED Viewed

@@ -53,7 +53,10 @@ export const dockerfileRules = [
         severity: "medium",
         owasp: "A05:2025 Security Misconfiguration",
         description: "ADD has extra features (URL fetch, tar extraction) that can introduce unexpected behavior. Use COPY for local files.",
-        pattern: /ADD\s+(?!https?:\/\/)\S+\s+\S+/gi,
+        // Anchor to start of line + case-sensitive: Docker `ADD` instruction is uppercase and
+        // begins a line. Matching `add` case-insensitive caught `RUN pnpm add`, `apk add`,
+        // `yarn add`, etc. — package-manager subcommands inside RUN, not Docker instructions.
+        pattern: /^ADD\s+(?!https?:\/\/)\S+\s+\S+/gm,
         languages: ["dockerfile"],
         fix: "Use COPY instead of ADD for local files. Only use ADD for URLs or tar extraction.",
         fixCode: "# Use COPY for local files\nCOPY ./src /app/src\n# Only use ADD for remote files or tar extraction\n# ADD https://example.com/file.tar.gz /app/",

package/build/data/rules/nextjs.js CHANGED Viewed

@@ -90,7 +90,10 @@ export const nextjsRules = [
         severity: "high",
         owasp: "A01:2025 Broken Access Control",
         description: "Sensitive data (tokens, secrets, internal IDs) appears to be passed from server to client component as props.",
-        pattern: /(?:(?:^|[^a-zA-Z])(?:secret|token|password|apiKey|api_key|privateKey|private_key|internalId|ssn|creditCard|credit_card))\s*=\s*\{[\s\S]*?\}/g,
+        // Require no-space `=` to match JSX prop syntax (`token={value}`) and exclude JS object
+        // literal assignments (`apiKey = { ... }`, `token = { ... }`) common in test helpers,
+        // default-param destructuring, and config objects.
+        pattern: /(?:(?:^|[^a-zA-Z])(?:secret|token|password|apiKey|api_key|privateKey|private_key|internalId|ssn|creditCard|credit_card))=\{[\s\S]*?\}/g,
         languages: ["javascript", "typescript"],
         fix: "Never pass sensitive data as props to client components. Keep secrets server-side.",
         fixCode: "// Keep sensitive data server-side\nexport default async function Page() {\n  const secret = process.env.API_SECRET;\n  const publicData = await fetchData(secret);\n  return <ClientComponent data={publicData} />;\n}",

package/build/tools/check-code.js CHANGED Viewed

@@ -471,6 +471,33 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
         // Skip destructive DDL rules (VG540-VG542) and view rules (VG439) in migration directories
         if ((rule.id.startsWith("VG54") || rule.id === "VG439") && isMigrationFile)
             continue;
+        // VG146 (Unquoted .env Value): only fire on `.env` / `.env.local` / `.env.production` etc.
+        // Bash scripts use `${VAR:-default}` and similar expansions that legitimately contain
+        // `{`, `}`, `:` characters; matching them as "unquoted env values" is a FP class.
+        if (rule.id === "VG146" && filePath && !/(?:^|\/)\.env(?:\.[\w.-]+)?$/.test(filePath))
+            continue;
+        // VG200 (Container running as root): skip when a USER directive exists anywhere in the file.
+        // The rule's regex with `(?:(?!^USER)[\s\S])*` is unreliable across multi-stage builds; a
+        // file-level check is more robust.
+        if (rule.id === "VG200" && /^USER\s+\S+/m.test(code))
+            continue;
+        // VG206 (Missing HEALTHCHECK): skip when a HEALTHCHECK directive exists anywhere. The
+        // rule's regex requires HEALTHCHECK *after* CMD/ENTRYPOINT, but Dockerfiles commonly place
+        // HEALTHCHECK before CMD (nginx production stage), producing FPs.
+        if (rule.id === "VG206" && /^HEALTHCHECK\s+/m.test(code))
+            continue;
+        // VG407 (Server Data Leaked to Client Component): skip files that ARE client components.
+        // Signals: the `"use client"` directive (Next.js App Router) OR usage of React state/effect
+        // hooks (universal client-render signal — Remix, Vite-React, Pages Router, etc.). The rule
+        // targets server→client prop-boundary leaks; intra-client passing of local form state to
+        // a child component (e.g. PasswordStrengthIndicator) is not the same boundary.
+        if (rule.id === "VG407") {
+            const head = code.slice(0, 1000);
+            const hasUseClient = /^\s*['"]use client['"];?\s*$/m.test(head);
+            const hasReactStateHooks = /\b(?:useState|useReducer|useEffect|useLayoutEffect|useRef|useMemo|useCallback|useContext|useTransition|useSyncExternalStore)\s*\(/.test(code);
+            if (hasUseClient || hasReactStateHooks)
+                continue;
+        }
         // Skip SQL injection rules in schema/migration .sql files (DDL, not user input)
         if (rule.id === "VG543" && (isMigrationFile || isSqlSchemaFile))
             continue;
@@ -651,12 +678,24 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
                 effectiveRule = { ...effectiveRule, severity: "low" };
             }
         }
+        // VG202 (latest/untagged image): pre-compute `AS <alias>` names from the file so
+        // matches against intermediate-stage references (`FROM base AS builder`) can be
+        // filtered out at match time. The set is null for other rules to avoid wasted work.
+        const dockerStageAliases = rule.id === "VG202"
+            ? new Set(Array.from(code.matchAll(/^FROM\s+\S+\s+AS\s+(\w[\w.-]*)/gim)).map(m => m[1].toLowerCase()))
+            : null;
         let match;
         while ((match = rule.pattern.exec(code)) !== null) {
             const beforeMatch = code.substring(0, match.index);
             const lineNumber = beforeMatch.split("\n").length;
             if (isLineSuppressed(suppressions, lineNumber, rule.id))
                 continue;
+            // VG202: skip when the FROM target matches a previous AS-alias in the same file.
+            if (dockerStageAliases) {
+                const target = match[0].replace(/^FROM\s+/i, "").split(/[:@\s]/)[0].toLowerCase();
+                if (dockerStageAliases.has(target))
+                    continue;
+            }
             // Skip matches on comment lines and inside string literals.
             // CVE version-pin rules (VG900-VG931) are exempt — they scan package.json
             // dependency declarations where these contexts don't apply.

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "guardvibe",
-  "version": "3.1.3",
+  "version": "3.1.4",
   "mcpName": "io.github.goklab/guardvibe",
   "description": "Security MCP for vibe coding. 390 rules, 36 tools, CLI + doctor. Host security, auth coverage mapping, LLM-powered deep scan (IDOR/business logic), taint analysis, +25 AI-native rules (MCP supply-chain, RAG/vector poisoning, agent loop DoS, public-prefix LLM keys, sandbox bypass). Plus Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
   "type": "module",