guardvibe 3.1.35 → 3.1.37

package/CHANGELOG.md

@@ -5,6 +5,28 @@ All notable changes to GuardVibe are documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [3.1.37] - 2026-06-07
+
+### Added — taint + secret scanning on the `check` path (no rule-count change, 438 / 36)
+Until now only `audit` ran taint analysis and secret-pattern scanning; the everyday `check` / `scan <file>` commands, the MCP `check_code` / `scan_file` / `scan_changed_files` tools, the `diff` path and the pre-commit hook ran regex rules only. They now share one combined analyzer, so two-step variable-indirection flows and hardcoded secrets are caught before code is committed:
+- **Two-step taint** — a query, file path or shell command assembled into a variable before reaching the sink (path traversal, SQL/code injection, XSS) is now reported on the check path, not just inline patterns.
+- **Command-injection taint sink** — `exec()` / `execSync()` fed tainted input is now a sink (the lookbehind excludes method calls like `regex.exec()` / `db.execSync()`). Validated against the corpus: 2 hits, both real RCE, zero hits on 9 production repos.
+- **Hardcoded secrets** — PEM private keys, cloud keys and tokens are flagged on the check path even when the variable name is innocuous.
+
+### Fixed — taint precision (improves both `check` and `audit`)
+- **Open redirect** no longer fires on same-origin root-relative targets (`redirect("/path")`, `` redirect(`/${slug}/settings`) ``); external (`https://…`) and protocol-relative (`//host`) targets are still flagged.
+- Taint and secrets are skipped on minified/vendor bundles (`.min.js` and long-line content), matching the audit, and secret patterns are skipped in test fixtures that carry fake keys by design.
+
+Gate green (build / lint / test / self-audit PASS / A / 0).
+
+## [3.1.36] - 2026-06-07
+
+### Added — high-value recall rules (436 → 438, 36 tools)
+- **VG1083** JWT verification bypass — flags `jwt.decode()` of a request-supplied token used without a real signature check, and `jwt.verify(..., { algorithms: ['none'] })` (algorithm-confusion / signature stripping). The decode branch is suppressed when the same file also verifies the token (decode-then-verify is legitimate).
+- **VG1084** DOM XSS via jQuery HTML insertion — `.html()/.append()/.prepend()/.after()/.before()/.replaceWith()` with user-controlled or concatenated/interpolated content (skips `.text()` and static literals).
+
+Both validated against the real-world corpus: zero false positives (the one borderline juice-shop `jwt.decode`-then-`verify` hit is correctly suppressed). The ReDoS guard now re-measures any over-budget pattern and uses the minimum across runs, so CPU/GC load spikes can no longer cause a flaky failure while genuine backtracking (consistently slow) is still caught.
+
 ## [3.1.35] - 2026-06-07
 
 ### Fixed — false-positive precision on real production apps (no rule-count change, 436 / 36)

package/README.md

@@ -6,7 +6,7 @@
 [![npm provenance](https://img.shields.io/badge/provenance-verified-brightgreen)](https://www.npmjs.com/package/guardvibe)
 [![codecov](https://codecov.io/gh/goklab/guardvibe/graph/badge.svg)](https://codecov.io/gh/goklab/guardvibe)
 
-**The security MCP built for vibe coding.** 436 security rules, 36 tools covering the entire AI-generated code journey — from first line to production deployment.
+**The security MCP built for vibe coding.** 438 security rules, 36 tools covering the entire AI-generated code journey — from first line to production deployment.
 
 Works with **Claude Code, Cursor, Gemini CLI, Codex, VS Code (Copilot), Windsurf**, and any MCP-compatible coding agent.
 
@@ -14,7 +14,7 @@ Works with **Claude Code, Cursor, Gemini CLI, Codex, VS Code (Copilot), Windsurf
 
 Most security tools are built for enterprise security teams. GuardVibe is built for **you** — the developer using AI to build and ship web apps fast.
 
-- **436 security rules, 36 tools** purpose-built for the stacks AI agents generate
+- **438 security rules, 36 tools** purpose-built for the stacks AI agents generate
 - **Zero setup friction** — `npx guardvibe` and you're scanning
 - **No account required** — runs 100% locally, no API keys, no cloud
 - **Understands your stack** — not generic SAST, but rules that know Next.js, Supabase, Stripe, Clerk, and the tools you actually use
@@ -52,7 +52,7 @@ GuardVibe is purpose-built for the AI coding workflow. Traditional tools are exc
 | CVE version detection | 67 packages, refreshed daily | Extensive | Extensive |
 | Compliance mapping (SOC2, PCI-DSS, HIPAA) | Built-in | Paid tier | None |
 | SARIF CI/CD export | Yes | Yes | Limited |
-| Rule count | 436 (focused, 68 AI-native) | 5000+ (broad) | N/A |
+| Rule count | 438 (focused, 68 AI-native) | 5000+ (broad) | N/A |
 
 **When to use GuardVibe:** You're building with AI agents and want security scanning integrated into your coding workflow — no dashboard, no account, no CI setup.
 
@@ -242,7 +242,7 @@ Malicious postinstall scripts, unpinned GitHub Actions, CI `npm` provenance / `-
 
 All scanning tools support `format: "json"` for machine-readable output.
 
-## Security Rules (436 rules across 25 modules)
+## Security Rules (438 rules across 25 modules)
 
 | Category | Rules | Coverage |
 |----------|-------|----------|
@@ -457,7 +457,7 @@ If your AI agent cannot connect to GuardVibe:
 
 1. **Restart your IDE/agent.** MCP servers are started by the host application. After running `npx guardvibe init`, restart Claude Code, Cursor, or Gemini CLI for the config to take effect.
 2. **Check the config path.** Run `npx guardvibe init claude` again and verify the output shows the correct config file location (`.mcp.json` in your project root for Claude Code, `.cursor/mcp.json` for Cursor).
-3. **Re-run `init` to upgrade.** When upgrading GuardVibe, re-run `npx guardvibe init claude` — `.mcp.json` is pinned to a specific version (e.g. `guardvibe@3.1.35`) at init time for fast deterministic startup. As of v3.1.2 the re-run also rewrites stale pins automatically (`Upgraded GuardVibe pin (3.1.27 → 3.1.28)`); since v3.1.27 the PostToolUse hook command is pinned to the same version (was `@latest`) and re-run upgrades a stale hook too. The same applies to `npx guardvibe hook install` and `npx guardvibe ci github` (since v3.1.3) — both are version-pinned at install/generate time and re-run to upgrade.
+3. **Re-run `init` to upgrade.** When upgrading GuardVibe, re-run `npx guardvibe init claude` — `.mcp.json` is pinned to a specific version (e.g. `guardvibe@3.1.36`) at init time for fast deterministic startup. As of v3.1.2 the re-run also rewrites stale pins automatically (`Upgraded GuardVibe pin (3.1.27 → 3.1.28)`); since v3.1.27 the PostToolUse hook command is pinned to the same version (was `@latest`) and re-run upgrades a stale hook too. The same applies to `npx guardvibe hook install` and `npx guardvibe ci github` (since v3.1.3) — both are version-pinned at install/generate time and re-run to upgrade.
 4. **Pre-3.1.1 users won't see the auto-update banner.** GuardVibe started writing a once-per-day "newer version available" notice to stderr in v3.1.1. If your install predates that, you'll never see it — run `npx -y guardvibe@latest init <host>` once to bake in the latest pin and start receiving banners on subsequent sessions.
 5. **Verify Node.js version.** GuardVibe requires Node.js >= 18.0.0. Check with `node --version`.
 6. **Check npx cache.** If you upgraded GuardVibe and the old version is cached, run `npx -y guardvibe@latest` to force the latest version.

package/build/cli/scan.js

@@ -76,7 +76,7 @@ export async function runDirectoryScan(targetPath, flags) {
 }
 export async function runDiffScan(base, flags) {
     const { execFileSync } = await import("child_process");
-    const { analyzeCode } = await import("../tools/check-code.js");
+    const { analyzeFileSecurity } = await import("../tools/file-security.js");
     const { EXTENSION_MAP, CONFIG_FILE_MAP } = await import("../utils/constants.js");
     const format = validateFormat(flags);
     const outputFile = getOutputPath(flags);
@@ -109,7 +109,7 @@ export async function runDiffScan(base, flags) {
             continue;
         try {
             const content = readFileSync(fullPath, "utf-8");
-            const findings = analyzeCode(content, language, undefined, fullPath, root);
+            const findings = analyzeFileSecurity(content, language, undefined, fullPath, root);
             for (const f of findings) {
                 allFindings.push({ file: relPath, severity: f.rule.severity, name: f.rule.name, id: f.rule.id, line: f.line, fix: f.rule.fix });
             }
@@ -167,7 +167,8 @@ export async function runDiffScan(base, flags) {
     }
 }
 export async function runFileCheck(filePath, flags) {
-    const { checkCode } = await import("../tools/check-code.js");
+    const { renderFindings } = await import("../tools/check-code.js");
+    const { analyzeFileSecurity } = await import("../tools/file-security.js");
     const resolved = resolve(filePath);
     if (!existsSync(resolved)) {
         console.error(`  [ERR] File not found: ${resolved}`);
@@ -191,7 +192,8 @@ export async function runFileCheck(filePath, flags) {
     }
     const format = validateFormat(flags);
     const formatArg = format === "json" ? "json" : format === "buddy" ? "buddy" : "markdown";
-    const result = checkCode(content, language, undefined, resolved, undefined, formatArg);
+    const findings = analyzeFileSecurity(content, language, undefined, resolved, undefined);
+    const result = renderFindings(findings, language, undefined, formatArg, resolved);
     const outputFile = getOutputPath(flags);
     if (outputFile) {
         safeWriteOutput(outputFile, result);

package/build/data/rules/web-security.js

@@ -221,4 +221,28 @@ export const webSecurityRules = [
         fixCode: "// BAD: ejs.render(req.body.template, data)\n// GOOD: fixed template, user value as data only\nconst tpl = ejs.compile(STATIC_TEMPLATE);\nres.send(tpl({ name: req.body.name }));",
         compliance: ["SOC2:CC7.1", "PCI-DSS:Req6.5.1"],
     },
+    {
+        id: "VG1083",
+        name: "JWT Verification Bypass (decode/none-algorithm)",
+        severity: "critical",
+        owasp: "A07:2025 Auth Failures",
+        description: "A JWT is trusted without a real signature check: jwt.decode() of a request-supplied token returns the payload WITHOUT verifying the signature (any forged token is accepted), or jwt.verify() is called with algorithms including 'none' (algorithm-confusion / signature-stripping). Either lets an attacker mint arbitrary identities/claims.",
+        pattern: /(?:jwt\.verify\s*\([^;]{0,200}?algorithms\s*:\s*\[[^\]]*["']none["']|(?:jwt|jsonwebtoken|jose)\s*\.\s*decode\s*\(\s*(?:req\.|request\.|token\b|authToken|bearerToken|accessToken|authorization\b|headers\b))/gi,
+        languages: ["javascript", "typescript"],
+        fix: "Always verify the signature with an explicit algorithm allowlist: jwt.verify(token, secret, { algorithms: ['HS256'] }). Never use jwt.decode() for authentication/authorization, and never include 'none' in the algorithms list.",
+        fixCode: "// BAD: const user = jwt.decode(req.headers.authorization);\n// GOOD:\nconst user = jwt.verify(token, process.env.JWT_SECRET, { algorithms: ['HS256'] });",
+        compliance: ["SOC2:CC6.6", "PCI-DSS:Req6.5.10", "HIPAA:§164.312(d)"],
+    },
+    {
+        id: "VG1084",
+        name: "DOM XSS via jQuery HTML insertion",
+        severity: "high",
+        owasp: "A03:2025 Injection",
+        description: "jQuery DOM-insertion methods (.html(), .append(), .prepend(), .after(), .before(), .replaceWith(), .wrap*) parse their argument as HTML. Passing user-controlled or concatenated/interpolated content (location, query params, .val(), .data()) into them causes DOM-based cross-site scripting.",
+        pattern: /\$\([^)]*\)(?:\.\w+\([^)]*\))*?\.(?:html|append|prepend|after|before|replaceWith|wrap|wrapAll|wrapInner)\s*\(\s*(?:[^)]*?(?:location|document\.(?:URL|cookie|referrer)|searchParams|req\.|request\.|params\.|query\.|window\.name|\.val\s*\(\s*\)|\.data\s*\()|`[^`]*\$\{|["'][^"']*["']\s*\+)/gi,
+        languages: ["javascript", "typescript"],
+        fix: "Use .text() instead of .html() for untrusted content, or sanitize with DOMPurify before insertion. Build elements with $('<div>').text(value) rather than concatenating HTML strings.",
+        fixCode: "// BAD: $('#out').html(location.hash)\n// GOOD:\n$('#out').text(userValue); // auto-escaped\n// or: $('#out').html(DOMPurify.sanitize(html));",
+        compliance: ["SOC2:CC7.1", "PCI-DSS:Req6.5.7"],
+    },
 ];

package/build/index.js

@@ -3,7 +3,8 @@ import { createRequire } from "module";
 import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
 import { z } from "zod";
-import { checkCode, analyzeCode } from "./tools/check-code.js";
+import { renderFindings } from "./tools/check-code.js";
+import { analyzeFileSecurity } from "./tools/file-security.js";
 const require = createRequire(import.meta.url);
 const pkg = require("../package.json");
 import { checkProject } from "./tools/check-project.js";
@@ -75,8 +76,8 @@ server.tool("check_code", "Analyze inline code for security vulnerabilities (OWA
     format: z.enum(["markdown", "json"]).default("markdown").describe("Output format: markdown (human) or json (machine-readable for agents)"),
 }, async ({ code, language, framework, format }) => {
     const rules = getRules();
-    const results = checkCode(code, language, framework, undefined, undefined, format, rules);
-    const findings = analyzeCode(code, language, framework, undefined, undefined, rules);
+    const findings = analyzeFileSecurity(code, language, framework, undefined, undefined, rules);
+    const results = renderFindings(findings, language, framework, format, undefined);
     const cwd = process.cwd();
     recordScan(cwd, { toolName: "check_code", filesScanned: 1, findings: findings.map(f => ({ severity: f.rule.severity, ruleId: f.rule.id })) });
     const summary = getSummaryLine(cwd, findings.length, format);
@@ -507,8 +508,8 @@ server.tool("scan_file", "Scan a single file on disk by path for security vulner
         return { content: [{ type: "text", text: format === "json" ? JSON.stringify({ summary: { total: 0 }, findings: [] }) : "Unsupported file type." }] };
     }
     const rules = getRules();
-    const result = checkCode(content, language, undefined, resolved, dirname(resolved), format, rules);
-    const findings = analyzeCode(content, language, undefined, resolved, dirname(resolved), rules);
+    const findings = analyzeFileSecurity(content, language, undefined, resolved, dirname(resolved), rules);
+    const result = renderFindings(findings, language, undefined, format, resolved);
     const cwd = dirname(resolved);
     recordScan(cwd, { toolName: "scan_file", filesScanned: 1, findings: findings.map(f => ({ severity: f.rule.severity, ruleId: f.rule.id })) });
     const summary = getSummaryLine(cwd, findings.length, format);
@@ -569,7 +570,7 @@ server.tool("scan_changed_files", "Scan only files that have changed since a giv
             continue;
         try {
             const content = readFileSync(fullPath, "utf-8");
-            const findings = analyzeCode(content, language, undefined, fullPath, root, rules);
+            const findings = analyzeFileSecurity(content, language, undefined, fullPath, root, rules);
             for (const f of findings) {
                 allFindings.push({
                     file: relPath, id: f.rule.id, name: f.rule.name,

package/build/tools/check-code.d.ts

@@ -14,3 +14,9 @@ export declare function isRuleDefinitionFile(code: string, filePath?: string): b
 export declare function analyzeCode(code: string, language: string, framework?: string, filePath?: string, configDir?: string, rules?: SecurityRule[]): Finding[];
 export declare function formatFindingsJson(findings: Finding[], extra?: Record<string, unknown>): string;
 export declare function checkCode(code: string, language: string, framework?: string, filePath?: string, configDir?: string, format?: "markdown" | "json" | "buddy", rules?: SecurityRule[]): string;
+/**
+ * Render a pre-computed Finding[] into the requested output format. Split out of
+ * `checkCode` so the `check` path can run the combined analyzer (`analyzeFileSecurity`
+ * = regex + taint + secrets) and still reuse the exact same rendering.
+ */
+export declare function renderFindings(findings: Finding[], language: string, framework?: string, format?: "markdown" | "json" | "buddy", filePath?: string): string;

package/build/tools/check-code.js

@@ -958,6 +958,11 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
                     && /^[A-Za-z][A-Za-z .,!?'’()-]*\s[A-Za-z .,!?'’()-]+$/.test(msgPair[2]))
                     continue;
             }
+            // VG1083 (JWT verification bypass): jwt.decode() is fine when used only to peek at a
+            // token that is ALSO verified (decode-then-verify). Skip the decode branch when a real
+            // signature verification exists in the file. (The none-algorithm branch always fires.)
+            if (rule.id === "VG1083" && /\.decode\s*\(/.test(match[0]) && /jwt\.verify\s*\(|jwtVerify\s*\(|jose[\s\S]{0,60}?(?:jwtVerify|verify)/i.test(code))
+                continue;
             // VG138 (Plaintext Password Comparison): skip benign non-credential comparisons.
             // (1) Confirm-password match: `req.body.password == req.body.cpassword` compares two
             //     user inputs from the same form, not a submission against a stored secret.
@@ -1492,6 +1497,14 @@ export function formatFindingsJson(findings, extra) {
 }
 export function checkCode(code, language, framework, filePath, configDir, format = "markdown", rules) {
     const findings = analyzeCode(code, language, framework, filePath, configDir, rules);
+    return renderFindings(findings, language, framework, format, filePath);
+}
+/**
+ * Render a pre-computed Finding[] into the requested output format. Split out of
+ * `checkCode` so the `check` path can run the combined analyzer (`analyzeFileSecurity`
+ * = regex + taint + secrets) and still reuse the exact same rendering.
+ */
+export function renderFindings(findings, language, framework, format = "markdown", filePath) {
     if (format === "json") {
         return formatFindingsJson(findings);
     }

package/build/tools/file-security.d.ts

@@ -0,0 +1,7 @@
+import { type Finding } from "./check-code.js";
+import type { SecurityRule } from "../data/rules/types.js";
+/**
+ * Run regex rules + per-file taint analysis + secret patterns on a single file's
+ * content and return a merged, de-duplicated `Finding[]`.
+ */
+export declare function analyzeFileSecurity(code: string, language: string, framework?: string, filePath?: string, configDir?: string, rules?: SecurityRule[]): Finding[];

package/build/tools/file-security.js

@@ -0,0 +1,144 @@
+// guardvibe-ignore — defines the combined per-file analyzer; references vulnerability
+// category names (sql-injection, command-injection, etc.) as plain strings, not vulnerable code.
+/**
+ * Combined per-file security analysis for the `check` path.
+ *
+ * `analyzeCode` (regex rules) alone runs on the `check`/`scan <file>`/`check_code`/
+ * `scan_file` and pre-commit paths, while taint analysis and secret-pattern scanning
+ * historically only ran inside `audit`. That left two-step variable-indirection flows
+ * (a query/path/command assembled into a variable before reaching the sink) and
+ * hardcoded secrets (e.g. PEM private keys in innocuously-named variables) invisible to
+ * the most-used commands and to the pre-commit hook.
+ *
+ * `analyzeFileSecurity` merges all three — regex + per-file taint + secret patterns —
+ * into one `Finding[]`, converting taint/secret hits into synthetic-rule findings so the
+ * existing rendering, scoring and JSON pipeline consumes them unchanged. Taint/secret
+ * findings that land on a line a regex rule already covers are dropped to avoid
+ * double-reporting.
+ *
+ * NOTE: this is intentionally NOT wired into the directory `scanDirectory` path, because
+ * `full-audit` already runs the code, secrets and taint sections separately — adding them
+ * to `scanDirectory` would double-count inside `audit`.
+ */
+import { basename } from "path";
+import { analyzeCode } from "./check-code.js";
+import { analyzeTaint } from "./taint-analysis.js";
+import { scanContent } from "./scan-secrets.js";
+import { isExcludedFilename } from "../utils/constants.js";
+const TAINT_OWASP = {
+    "sql-injection": "A03:2021 Injection",
+    "command-injection": "A03:2021 Injection",
+    "code-injection": "A03:2021 Injection",
+    "xss": "A03:2021 Injection",
+    "open-redirect": "A01:2021 Broken Access Control",
+    "path-traversal": "A01:2021 Broken Access Control",
+};
+// Regex VG rules that already represent the same vuln class as a taint sink type.
+// When one fires on the exact sink line, the taint finding is redundant — drop it.
+const TAINT_REGEX_OVERLAP = {
+    "sql-injection": new Set(["VG010", "VG013", "VG123", "VG543", "VG1002"]),
+    "command-injection": new Set(["VG011"]),
+    "code-injection": new Set(["VG014", "VG070"]),
+    "xss": new Set(["VG012", "VG408", "VG852", "VG1080", "VG1084"]),
+    "open-redirect": new Set(["VG101", "VG409", "VG425", "VG660"]),
+    "path-traversal": new Set(["VG102"]),
+};
+// Regex rules that already report a hardcoded secret; drop a secret-pattern hit on the
+// same line as one of these to avoid double-reporting.
+const SECRET_REGEX_OVERLAP = new Set(["VG001", "VG062", "VG003", "VG506"]);
+// Mirrors analyzeCode's test-file skip for credential rules — fixtures legitimately
+// embed fake keys (e.g. a test PEM for a crypto unit test). Real keys in production
+// files (e.g. a hardcoded private key in lib/insecurity.ts) are still flagged.
+const TEST_FILE_RE = /(?:\.(?:[\w-]+-)?(?:spec|test|e2e|stories|cy)\.(?:ts|tsx|js|jsx|mjs|cjs)$|_test\.go$|\/__tests__\/|\/__mocks__\/|\/tests?\/|\/cypress\/|\/playwright\/|\/dockertest\/|\/testutil\/|\/testhelpers?\/|\/testfixtures?\/)/i;
+// Synthetic regex that never matches — synthetic rules are only ever attached to
+// pre-computed findings, never run against source.
+const NEVER_MATCH = /(?!)/;
+// Minified bundles pack everything onto a few enormous lines; mangled `e`/`t` params
+// then masquerade as taint sources (`e.target.value`) feeding innerHTML sinks — a pure
+// FP class. The audit excludes these from taint via collectJsFiles+isExcludedFilename;
+// the check path mirrors that with a name pattern plus a content fallback for bundles
+// that aren't named `.min.js`.
+function looksMinified(code) {
+    if (code.length < 5000)
+        return false;
+    let lineLen = 0;
+    for (let i = 0; i < code.length; i++) {
+        if (code[i] === "\n") {
+            if (lineLen > 1000)
+                return true;
+            lineLen = 0;
+        }
+        else
+            lineLen++;
+    }
+    return lineLen > 1000;
+}
+function taintToFinding(t) {
+    const rule = {
+        id: `TAINT:${t.sink.type}`,
+        name: `Tainted flow: ${t.source.type} → ${t.sink.type}`,
+        severity: t.severity,
+        owasp: TAINT_OWASP[t.sink.type] ?? "A03:2021 Injection",
+        description: t.description,
+        pattern: NEVER_MATCH,
+        languages: ["javascript", "typescript"],
+        fix: t.fix,
+    };
+    return { rule, match: t.sink.code, line: t.sink.line, confidence: "medium" };
+}
+function secretToFinding(s) {
+    const rule = {
+        id: `SECRET:${s.provider}`,
+        name: `Hardcoded secret: ${s.provider}`,
+        severity: s.severity,
+        owasp: "A07:2021 Identification and Authentication Failures",
+        description: `Possible ${s.provider} found in source — move it to an environment variable.`,
+        pattern: NEVER_MATCH,
+        languages: [],
+        fix: s.fix,
+    };
+    return { rule, match: s.match, line: s.line, confidence: "high" };
+}
+/**
+ * Run regex rules + per-file taint analysis + secret patterns on a single file's
+ * content and return a merged, de-duplicated `Finding[]`.
+ */
+export function analyzeFileSecurity(code, language, framework, filePath, configDir, rules) {
+    const regexFindings = analyzeCode(code, language, framework, filePath, configDir, rules);
+    const regexIdsByLine = new Map();
+    for (const f of regexFindings) {
+        const set = regexIdsByLine.get(f.line) ?? new Set();
+        set.add(f.rule.id);
+        regexIdsByLine.set(f.line, set);
+    }
+    // --- Per-file taint (JS/TS only; analyzeTaint no-ops for other languages) ---
+    const taintFindings = [];
+    const seenTaint = new Set();
+    const isVendorBundle = (filePath && isExcludedFilename(basename(filePath))) || looksMinified(code);
+    for (const t of (isVendorBundle ? [] : analyzeTaint(code, language, filePath))) {
+        const overlap = TAINT_REGEX_OVERLAP[t.sink.type];
+        const onLine = regexIdsByLine.get(t.sink.line);
+        if (overlap && onLine && [...onLine].some(id => overlap.has(id)))
+            continue;
+        const key = `${t.sink.type}:${t.sink.line}`;
+        if (seenTaint.has(key))
+            continue;
+        seenTaint.add(key);
+        taintFindings.push(taintToFinding(t));
+    }
+    // --- Secret patterns (skipped in test fixtures, which carry fake keys by design) ---
+    const secretFindings = [];
+    const isTestFile = filePath ? TEST_FILE_RE.test(filePath) : false;
+    const seenSecret = new Set();
+    for (const s of (isTestFile ? [] : scanContent(code, filePath ?? "inline"))) {
+        const onLine = regexIdsByLine.get(s.line);
+        if (onLine && [...onLine].some(id => SECRET_REGEX_OVERLAP.has(id)))
+            continue;
+        const key = `${s.provider}:${s.line}`;
+        if (seenSecret.has(key))
+            continue;
+        seenSecret.add(key);
+        secretFindings.push(secretToFinding(s));
+    }
+    return [...regexFindings, ...taintFindings, ...secretFindings];
+}

package/build/tools/scan-staged.js

@@ -1,6 +1,7 @@
 import { execFileSync } from "child_process";
 import { extname, basename } from "path";
-import { analyzeCode, formatFindingsJson } from "./check-code.js";
+import { formatFindingsJson } from "./check-code.js";
+import { analyzeFileSecurity } from "./file-security.js";
 import { securityBanner } from "../utils/banner.js";
 const EXTENSION_MAP = {
     ".js": "javascript", ".jsx": "javascript", ".mjs": "javascript", ".cjs": "javascript",
@@ -79,7 +80,7 @@ export function scanStaged(cwd = process.cwd(), format = "markdown", rules) {
             skippedFiles.push(filePath);
             continue;
         }
-        const findings = analyzeCode(content, language, undefined, filePath, cwd, rules);
+        const findings = analyzeFileSecurity(content, language, undefined, filePath, cwd, rules);
         if (findings.length > 0) {
             results.push({ path: filePath, findings });
         }

package/build/tools/taint-analysis.js

@@ -39,6 +39,12 @@ const TAINT_SINKS = [
     { pattern: /new\s+Function\s*\(/g, type: "code-injection", severity: "critical",
         description: "User input flows into Function constructor, enabling arbitrary code execution.",
         fix: "Never construct functions from user input. Use a safe evaluator or predefined functions." },
+    // Command injection: bare child_process exec()/execSync() (the shell-invoking forms).
+    // The negative lookbehind excludes method calls like `regex.exec(...)`, `query.exec()`,
+    // and `db.execSync(...)` — only the imported, shell-spawning function is a sink.
+    { pattern: /(?<!\.)\bexec(?:Sync)?\s*\(/g, type: "command-injection", severity: "critical",
+        description: "User input flows into a shell command (exec/execSync), enabling OS command injection.",
+        fix: "Use execFile()/spawn() with an argument array (no shell) and validate input against an allowlist." },
     { pattern: /writeFileSync?\s*\(/g, type: "path-traversal", severity: "high",
         description: "User input flows into file write path, enabling arbitrary file overwrite.",
         fix: "Validate and sanitize file paths. Use path.resolve() and verify the result is within allowed directories." },
@@ -78,6 +84,17 @@ function isSafeParameterizedSqlSink(lines, sinkIdx) {
     const interps = tpl.match(/\$\{[^}]*\}/g) || [];
     return interps.every(s => /\$\{\s*[\w$.]*(?:hash|sha\d*|md5|bcrypt|argon2?|hmac|digest|encode|escape|encodeURIComponent|toString|String|Number|parseInt|parseFloat)\b/i.test(s));
 }
+/**
+ * A `redirect(...)` whose target is a root-relative, same-origin path
+ * (e.g. redirect("/login") or redirect(`/${slug}/settings`)) cannot be an open
+ * redirect — the browser stays on the current origin. Only external URLs
+ * (`https://…`), protocol-relative URLs (`//host`), or non-literal targets are
+ * candidates. This kills the dominant open-redirect FP class on Next.js pages,
+ * which routinely build internal navigation paths from route params/searchParams.
+ */
+function isSameOriginRedirect(line) {
+    return /\bredirect\s*\(\s*["'`]\/(?!\/)/.test(line);
+}
 function extractAssignments(lines) {
     const assignments = [];
     const assignPattern = /(?:const|let|var)\s+([\w]+)\s*=\s*(.*)/;
@@ -152,6 +169,8 @@ export function analyzeTaint(code, language, filePath) {
                 continue;
             if (sink.type === "sql-injection" && isSafeParameterizedSqlSink(lines, i))
                 continue;
+            if (sink.type === "open-redirect" && isSameOriginRedirect(line))
+                continue;
             for (const tVar of taintedVars) {
                 if (line.includes(tVar.name)) {
                     const chain = [];
@@ -183,6 +202,8 @@ export function analyzeTaint(code, language, filePath) {
                 continue;
             if (sink.type === "sql-injection" && isSafeParameterizedSqlSink(lines, i))
                 continue;
+            if (sink.type === "open-redirect" && isSameOriginRedirect(line))
+                continue;
             for (const source of TAINT_SOURCES) {
                 source.pattern.lastIndex = 0;
                 if (source.pattern.test(line)) {

package/package.json

@@ -1,8 +1,8 @@
 {
   "name": "guardvibe",
-  "version": "3.1.35",
+  "version": "3.1.37",
   "mcpName": "io.github.goklab/guardvibe",
-  "description": "Security MCP for vibe coding. 436 rules, 36 tools, CLI + doctor. Host security, auth coverage mapping, LLM-powered deep scan (IDOR/business logic), taint analysis. 67 CVE rules refreshed daily from GHSA/OSV/CISA KEV — Miasma @redhat-cloud-services compromise, Next.js May 2026 13-advisory cluster, Drizzle/MikroORM/Kysely SQL injection, Axios proxy-auth redirect leak, Hono setCookie attribute injection, Clerk SSRF, tRPC prototype pollution, @tanstack supply-chain, node-ipc protestware, OpenClaude sandbox bypass, plus the full AI-generated stack (Supabase, Stripe, Prisma, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK). 68 AI-native rules including OWASP MCP Top 10 tool-description prompt injection (VG1068), model-controlled sandbox-disable flag detection (VG1063), Session messenger exfil endpoint IOC (VG1075), and CI/CD supply-chain hardening (VG1070 npm --expect-provenance / --ignore-scripts enforcement).",
+  "description": "Security MCP for vibe coding. 438 rules, 36 tools, CLI + doctor. Host security, auth coverage mapping, LLM-powered deep scan (IDOR/business logic), taint analysis. 67 CVE rules refreshed daily from GHSA/OSV/CISA KEV — Miasma @redhat-cloud-services compromise, Next.js May 2026 13-advisory cluster, Drizzle/MikroORM/Kysely SQL injection, Axios proxy-auth redirect leak, Hono setCookie attribute injection, Clerk SSRF, tRPC prototype pollution, @tanstack supply-chain, node-ipc protestware, OpenClaude sandbox bypass, plus the full AI-generated stack (Supabase, Stripe, Prisma, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK). 68 AI-native rules including OWASP MCP Top 10 tool-description prompt injection (VG1068), model-controlled sandbox-disable flag detection (VG1063), Session messenger exfil endpoint IOC (VG1075), and CI/CD supply-chain hardening (VG1070 npm --expect-provenance / --ignore-scripts enforcement).",
   "type": "module",
   "bin": {
     "guardvibe": "build/cli.js",