vibe-shield 1.0.0 → 1.1.0

package/dist/cli.js

@@ -1,130 +1,227 @@
 #!/usr/bin/env node
 
 // src/scanner.ts
-import { readFileSync, readdirSync, statSync } from "fs";
+import { readFileSync, readdirSync, statSync, existsSync } from "fs";
 import { join, extname } from "path";
 
 // src/patterns.ts
 var securityPatterns = [
+  {
+    id: "aws-access-key",
+    name: "AWS Access Key",
+    regex: /['"`](AKIA[0-9A-Z]{16})['"`]/g,
+    fixPrompt: "AWS access key detected. Remove immediately and rotate in AWS console. Use environment variables or IAM roles.",
+    severity: "critical"
+  },
+  {
+    id: "aws-secret-key",
+    name: "AWS Secret Key",
+    regex: /aws_?secret_?access_?key\s*[:=]\s*['"`][A-Za-z0-9\/+=]{40}['"`]/gi,
+    fixPrompt: "AWS secret key detected. Remove immediately and rotate in AWS console. Use environment variables.",
+    severity: "critical"
+  },
+  {
+    id: "openai-key",
+    name: "OpenAI API Key",
+    regex: /['"`](sk-[A-Za-z0-9]{48,})['"`]/g,
+    fixPrompt: "OpenAI API key detected. Remove and rotate at platform.openai.com. Use process.env.OPENAI_API_KEY.",
+    severity: "critical"
+  },
+  {
+    id: "anthropic-key",
+    name: "Anthropic API Key",
+    regex: /['"`](sk-ant-[A-Za-z0-9\-]{80,})['"`]/g,
+    fixPrompt: "Anthropic API key detected. Remove and rotate at console.anthropic.com. Use process.env.ANTHROPIC_API_KEY.",
+    severity: "critical"
+  },
+  {
+    id: "stripe-secret",
+    name: "Stripe Secret Key",
+    regex: /['"`](sk_live_[A-Za-z0-9]{24,})['"`]/g,
+    fixPrompt: "Stripe live secret key detected. Remove and rotate in Stripe dashboard. Use process.env.STRIPE_SECRET_KEY.",
+    severity: "critical"
+  },
+  {
+    id: "stripe-restricted",
+    name: "Stripe Restricted Key",
+    regex: /['"`](rk_live_[A-Za-z0-9]{24,})['"`]/g,
+    fixPrompt: "Stripe restricted key detected. Remove and rotate in Stripe dashboard. Use environment variables.",
+    severity: "critical"
+  },
+  {
+    id: "github-token",
+    name: "GitHub Token",
+    regex: /['"`](ghp_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{22,})['"`]/g,
+    fixPrompt: "GitHub token detected. Remove and rotate at github.com/settings/tokens. Use process.env.GITHUB_TOKEN.",
+    severity: "critical"
+  },
+  {
+    id: "slack-token",
+    name: "Slack Token",
+    regex: /['"`](xox[baprs]-[A-Za-z0-9\-]{10,})['"`]/g,
+    fixPrompt: "Slack token detected. Remove and rotate in Slack app settings. Use environment variables.",
+    severity: "critical"
+  },
+  {
+    id: "twilio-key",
+    name: "Twilio API Key",
+    regex: /['"`](SK[A-Za-z0-9]{32})['"`]/g,
+    fixPrompt: "Twilio API key detected. Remove and rotate in Twilio console. Use environment variables.",
+    severity: "critical"
+  },
+  {
+    id: "sendgrid-key",
+    name: "SendGrid API Key",
+    regex: /['"`](SG\.[A-Za-z0-9\-_]{22}\.[A-Za-z0-9\-_]{43})['"`]/g,
+    fixPrompt: "SendGrid API key detected. Remove and rotate in SendGrid dashboard. Use environment variables.",
+    severity: "critical"
+  },
+  {
+    id: "private-key",
+    name: "Private Key",
+    regex: /-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----/g,
+    fixPrompt: "Private key detected in code. Move to a secure file outside repo or use a secrets manager.",
+    severity: "critical"
+  },
   {
     id: "hardcoded-secret",
     name: "Hardcoded Secret",
     regex: /(?:api_?key|api_?secret|secret_?key|auth_?token|access_?token|private_?key|client_?secret)\s*[:=]\s*['"`][A-Za-z0-9_\-\.\/\+]{8,}['"`]/gi,
-    fixPrompt: "Move this secret to an environment variable. Add it to .env and use process.env.YOUR_SECRET. Add .env to .gitignore."
+    fixPrompt: "Move this secret to an environment variable. Add to .env and use process.env.YOUR_SECRET. Add .env to .gitignore.",
+    severity: "high"
   },
   {
     id: "hardcoded-password",
     name: "Hardcoded Password",
     regex: /(?:password|passwd|pwd)\s*[:=]\s*['"`][^'"`\s]{4,}['"`]/gi,
-    fixPrompt: "Move this password to an environment variable. Never commit passwords to version control."
-  },
-  {
-    id: "aws-key",
-    name: "AWS Access Key",
-    regex: /['"`](AKIA[0-9A-Z]{16})['"`]/g,
-    fixPrompt: "AWS access key detected. Remove it immediately and rotate the key in AWS console. Use environment variables or AWS IAM roles."
+    fixPrompt: "Move this password to an environment variable. Never commit passwords to version control.",
+    severity: "high"
   },
   {
     id: "jwt-secret-inline",
     name: "Hardcoded JWT Secret",
     regex: /jwt\.sign\s*\([^)]+,\s*['"`][^'"`]{8,}['"`]/gi,
-    fixPrompt: "Move JWT secret to an environment variable. Hardcoded secrets get committed to version control."
+    fixPrompt: "Move JWT secret to an environment variable. Hardcoded secrets get committed to version control.",
+    severity: "high"
+  },
+  {
+    id: "database-url",
+    name: "Database Connection String",
+    regex: /['"`](mongodb(\+srv)?|postgres(ql)?|mysql|redis):\/\/[^'"`\s]{10,}['"`]/gi,
+    fixPrompt: "Database connection string with credentials detected. Use process.env.DATABASE_URL.",
+    severity: "high"
   },
   {
     id: "sql-injection-template",
     name: "SQL Injection",
     regex: /(?:query|execute)\s*\(\s*`(?:SELECT|INSERT|UPDATE|DELETE|DROP)[^`]*\$\{/gi,
-    fixPrompt: "Use parameterized queries instead of template literals. Example: query('SELECT * FROM users WHERE id = ?', [userId])"
+    fixPrompt: "Use parameterized queries instead of template literals. Example: query('SELECT * FROM users WHERE id = ?', [userId])",
+    severity: "high"
   },
   {
     id: "sql-injection-concat",
     name: "SQL Injection",
     regex: /(?:query|execute)\s*\(\s*['"](?:SELECT|INSERT|UPDATE|DELETE)[^'"]*['"]\s*\+/gi,
-    fixPrompt: "Never concatenate variables into SQL strings. Use parameterized queries with placeholders."
+    fixPrompt: "Never concatenate variables into SQL strings. Use parameterized queries with placeholders.",
+    severity: "high"
   },
   {
     id: "command-injection",
     name: "Command Injection",
     regex: /(?:exec|execSync)\s*\(\s*`[^`]*\$\{/g,
-    fixPrompt: "Avoid template literals in shell commands. Use spawn() with an array of arguments, or use a library like shell-escape."
+    fixPrompt: "Avoid template literals in shell commands. Use spawn() with an array of arguments.",
+    severity: "critical"
   },
   {
     id: "command-injection-concat",
     name: "Command Injection",
     regex: /(?:exec|execSync)\s*\([^)]*\+\s*(?:req\.|user|input|param|query|body)/gi,
-    fixPrompt: "User input in shell commands allows arbitrary command execution. Use spawn() with argument arrays."
+    fixPrompt: "User input in shell commands allows arbitrary command execution. Use spawn() with argument arrays.",
+    severity: "critical"
   },
   {
     id: "eval-usage",
     name: "Dangerous eval()",
     regex: /[=:]\s*eval\s*\(\s*(?:req\.|user|input|param|query|body|data)/gi,
-    fixPrompt: "eval() with user input allows arbitrary code execution. Use JSON.parse() for JSON, or refactor to avoid eval entirely."
+    fixPrompt: "eval() with user input allows arbitrary code execution. Use JSON.parse() for JSON, or refactor to avoid eval.",
+    severity: "high"
   },
   {
     id: "new-function",
     name: "Dangerous Function Constructor",
     regex: /new\s+Function\s*\([^)]*(?:req\.|user|input|param|query|body)/gi,
-    fixPrompt: "new Function() with user input is as dangerous as eval(). Refactor to avoid dynamic code generation."
+    fixPrompt: "new Function() with user input is as dangerous as eval(). Refactor to avoid dynamic code generation.",
+    severity: "high"
   },
   {
     id: "innerhtml-variable",
     name: "XSS via innerHTML",
     regex: /\.innerHTML\s*=\s*(?:req\.|user|input|param|query|body|data|props\.|this\.)/gi,
-    fixPrompt: "Setting innerHTML with user data enables XSS attacks. Use textContent or sanitize with DOMPurify."
+    fixPrompt: "Setting innerHTML with user data enables XSS attacks. Use textContent or sanitize with DOMPurify.",
+    severity: "high"
   },
   {
     id: "react-dangerous-html",
     name: "React XSS Risk",
     regex: /dangerouslySetInnerHTML\s*=\s*\{\s*\{\s*__html\s*:\s*(?:props\.|this\.|data|user|input)/gi,
-    fixPrompt: "dangerouslySetInnerHTML with user data enables XSS. Sanitize HTML with DOMPurify first."
+    fixPrompt: "dangerouslySetInnerHTML with user data enables XSS. Sanitize HTML with DOMPurify first.",
+    severity: "high"
   },
   {
     id: "weak-hash-md5",
     name: "Weak Hash (MD5)",
     regex: /createHash\s*\(\s*['"`]md5['"`]\s*\)/g,
-    fixPrompt: "MD5 is broken. Use crypto.createHash('sha256'). For passwords, use bcrypt or argon2."
+    fixPrompt: "MD5 is broken. Use crypto.createHash('sha256'). For passwords, use bcrypt or argon2.",
+    severity: "medium"
   },
   {
     id: "weak-hash-sha1",
     name: "Weak Hash (SHA1)",
     regex: /createHash\s*\(\s*['"`]sha1['"`]\s*\)/g,
-    fixPrompt: "SHA1 is deprecated for security. Use crypto.createHash('sha256'). For passwords, use bcrypt or argon2."
+    fixPrompt: "SHA1 is deprecated for security. Use crypto.createHash('sha256'). For passwords, use bcrypt or argon2.",
+    severity: "medium"
   },
   {
     id: "ssl-disabled",
     name: "SSL Verification Disabled",
     regex: /rejectUnauthorized\s*:\s*false/g,
-    fixPrompt: "Disabling SSL verification allows man-in-the-middle attacks. Remove this or set to true."
+    fixPrompt: "Disabling SSL verification allows man-in-the-middle attacks. Remove this or set to true.",
+    severity: "medium"
   },
   {
     id: "cors-wildcard",
     name: "CORS Allows All Origins",
     regex: /['"`]Access-Control-Allow-Origin['"`]\s*[,:]\s*['"`]\*['"`]/g,
-    fixPrompt: "CORS wildcard (*) allows any website to make requests. Specify allowed origins explicitly."
+    fixPrompt: "CORS wildcard (*) allows any website to make requests. Specify allowed origins explicitly.",
+    severity: "medium"
   },
   {
     id: "path-traversal",
     name: "Path Traversal Risk",
     regex: /(?:readFile|writeFile|readFileSync|writeFileSync)\s*\(\s*(?:req\.|user|input|param|query|body)/gi,
-    fixPrompt: "User input in file paths allows reading/writing arbitrary files. Validate paths with path.resolve() and check they're within allowed directories."
+    fixPrompt: "User input in file paths allows reading/writing arbitrary files. Validate paths with path.resolve() and check they're within allowed directories.",
+    severity: "high"
   },
   {
     id: "nosql-where",
     name: "NoSQL Injection ($where)",
     regex: /\.(find|findOne)\s*\(\s*\{[^}]*\$where\s*:/g,
-    fixPrompt: "$where executes JavaScript and enables NoSQL injection. Use standard MongoDB query operators."
+    fixPrompt: "$where executes JavaScript and enables NoSQL injection. Use standard MongoDB query operators.",
+    severity: "high"
   },
   {
     id: "pickle-load",
     name: "Insecure Pickle (Python)",
     regex: /pickle\.loads?\s*\(\s*(?:request|user|input|data|file)/gi,
-    fixPrompt: "pickle.load with untrusted data allows arbitrary code execution. Use JSON for untrusted data."
+    fixPrompt: "pickle.load with untrusted data allows arbitrary code execution. Use JSON for untrusted data.",
+    severity: "critical"
   },
   {
     id: "python-shell",
     name: "Shell Injection (Python)",
     regex: /subprocess\.\w+\s*\([^)]*shell\s*=\s*True[^)]*(?:request|user|input|param)/gi,
-    fixPrompt: "shell=True with user input enables command injection. Pass command as a list without shell=True."
+    fixPrompt: "shell=True with user input enables command injection. Pass command as a list without shell=True.",
+    severity: "critical"
   }
 ];
 
@@ -186,6 +283,29 @@ function getLineNumber(content, matchIndex) {
 `);
   return lines.length;
 }
+function checkGitignore(dir) {
+  const warnings = [];
+  const gitignorePath = join(dir, ".gitignore");
+  const envPath = join(dir, ".env");
+  if (!existsSync(envPath)) {
+    return warnings;
+  }
+  if (!existsSync(gitignorePath)) {
+    warnings.push(".env file exists but no .gitignore found. Create a .gitignore and add .env to prevent committing secrets.");
+    return warnings;
+  }
+  try {
+    const gitignoreContent = readFileSync(gitignorePath, "utf-8");
+    const lines = gitignoreContent.split(`
+`).map((l) => l.trim());
+    const envIgnored = lines.some((line) => line === ".env" || line === ".env*" || line === "*.env" || line === ".env.local" || line.startsWith(".env"));
+    if (!envIgnored) {
+      warnings.push(".env file exists but is not in .gitignore. Add .env to .gitignore to prevent committing secrets.");
+    }
+  } catch {
+  }
+  return warnings;
+}
 function scanFile(filePath) {
   const issues = [];
   let content;
@@ -206,7 +326,8 @@ function scanFile(filePath) {
         patternId: pattern.id,
         patternName: pattern.name,
         fixPrompt: pattern.fixPrompt,
-        match: matchText.length > 60 ? matchText.substring(0, 60) + "..." : matchText
+        match: matchText.length > 60 ? matchText.substring(0, 60) + "..." : matchText,
+        severity: pattern.severity
       });
     }
   }
@@ -215,15 +336,25 @@ function scanFile(filePath) {
 function scanFiles(dir) {
   const files = collectFiles(dir);
   const allIssues = [];
+  const warnings = checkGitignore(dir);
   for (const file of files) {
     const issues = scanFile(file);
     allIssues.push(...issues);
   }
-  return allIssues;
+  const severityOrder = { critical: 0, high: 1, medium: 2, low: 3 };
+  allIssues.sort((a, b) => severityOrder[a.severity] - severityOrder[b.severity]);
+  return { issues: allIssues, warnings };
 }
 
 // src/prompter.ts
-function formatAgentPrompt(issues) {
+var severityColors = {
+  critical: "\x1B[31m",
+  high: "\x1B[33m",
+  medium: "\x1B[36m",
+  low: "\x1B[37m"
+};
+var reset = "\x1B[0m";
+function formatAgentPrompt(issues, useColors = true) {
   if (!issues || issues.length === 0) {
     return "";
   }
@@ -234,7 +365,10 @@ function formatAgentPrompt(issues) {
     ""
   ];
   issues.forEach((issue, index) => {
-    lines.push(`[TASK ${index + 1}] Fix ${issue.patternName} in ${issue.file} at line ${issue.line}`);
+    const severityLabel = issue.severity.toUpperCase();
+    const color = useColors ? severityColors[issue.severity] : "";
+    const colorReset = useColors ? reset : "";
+    lines.push(`${color}[${severityLabel}]${colorReset} [TASK ${index + 1}] Fix ${issue.patternName} in ${issue.file} at line ${issue.line}`);
     lines.push(`[FOUND]: ${issue.match}`);
     lines.push(`[INSTRUCTION]: ${issue.fixPrompt}`);
     lines.push("");
@@ -255,9 +389,39 @@ function generateSummary(issues) {
   }
   return summary;
 }
+function generateSeveritySummary(issues) {
+  const summary = {
+    critical: 0,
+    high: 0,
+    medium: 0,
+    low: 0
+  };
+  for (const issue of issues) {
+    summary[issue.severity]++;
+  }
+  return summary;
+}
+function formatJson(issues, warnings) {
+  return JSON.stringify({
+    summary: {
+      total: issues.length,
+      bySeverity: generateSeveritySummary(issues),
+      byType: generateSummary(issues)
+    },
+    issues: issues.map((issue) => ({
+      severity: issue.severity,
+      type: issue.patternName,
+      file: issue.file,
+      line: issue.line,
+      match: issue.match,
+      fix: issue.fixPrompt
+    })),
+    warnings
+  }, null, 2);
+}
 
 // src/init.ts
-import { writeFileSync, existsSync, readFileSync as readFileSync2 } from "fs";
+import { writeFileSync, existsSync as existsSync2, readFileSync as readFileSync2 } from "fs";
 import { join as join2 } from "path";
 var CURSORRULES_CONTENT = `# Vibe Shield Security Rules
 
@@ -272,7 +436,7 @@ Before marking a task as done, run \`npx vibe-shield\`. If issues are found, fol
 `;
 function initVibeShield(dir) {
   const cursorrulesPath = join2(dir, ".cursorrules");
-  if (existsSync(cursorrulesPath)) {
+  if (existsSync2(cursorrulesPath)) {
     try {
       const existingContent = readFileSync2(cursorrulesPath, "utf-8");
       if (existingContent.includes("vibe-shield") || existingContent.includes("Vibe Shield")) {
@@ -316,7 +480,7 @@ function initVibeShield(dir) {
 }
 
 // src/cli.ts
-var VERSION = "1.0.0";
+var VERSION = "1.1.0";
 var colors = {
   reset: "\x1B[0m",
   cyan: "\x1B[36m",
@@ -324,7 +488,8 @@ var colors = {
   red: "\x1B[31m",
   yellow: "\x1B[33m",
   dim: "\x1B[2m",
-  bold: "\x1B[1m"
+  bold: "\x1B[1m",
+  magenta: "\x1B[35m"
 };
 function printBanner() {
   console.log(colors.cyan + `
@@ -345,10 +510,14 @@ function printHelp() {
   console.log(colors.green + "  init" + colors.reset + colors.dim + "          Create .cursorrules for AI agent integration" + colors.reset);
   console.log(colors.green + "  help" + colors.reset + colors.dim + "          Show this help message" + colors.reset);
   console.log(colors.green + "  version" + colors.reset + colors.dim + `       Show version number
+` + colors.reset);
+  console.log("Options:");
+  console.log(colors.green + "  --json" + colors.reset + colors.dim + `        Output results as JSON
 ` + colors.reset);
   console.log("Examples:");
   console.log(colors.dim + "  npx vibe-shield" + colors.reset);
   console.log(colors.dim + "  npx vibe-shield scan ./src" + colors.reset);
+  console.log(colors.dim + "  npx vibe-shield scan . --json" + colors.reset);
   console.log(colors.dim + `  npx vibe-shield init
 ` + colors.reset);
 }
@@ -362,32 +531,60 @@ function runInit(dir) {
   const result = initVibeShield(dir);
   if (result.success) {
     console.log(colors.green + "✓ " + colors.reset + result.message);
-    console.log(colors.dim + `  Created: ${result.path}
+    console.log(colors.dim + `  Path: ${result.path}
 ` + colors.reset);
     console.log("Your AI agent will now run vibe-shield before completing tasks.");
     console.log(colors.dim + `Happy vibe coding!
 ` + colors.reset);
     process.exit(0);
   } else {
-    console.log(colors.red + "✗ " + colors.reset + result.message);
-    process.exit(1);
+    console.log(colors.yellow + "! " + colors.reset + result.message);
+    process.exit(0);
   }
 }
-function runScan(dir) {
-  printBanner();
-  console.log(colors.yellow + `Scanning ${dir}...
+function runScan(dir, jsonOutput) {
+  if (!jsonOutput) {
+    printBanner();
+    console.log(colors.yellow + `Scanning ${dir}...
 ` + colors.reset);
-  const issues = scanFiles(dir);
+  }
+  const { issues, warnings } = scanFiles(dir);
+  if (jsonOutput) {
+    console.log(formatJson(issues, warnings));
+    process.exit(issues.length > 0 ? 1 : 0);
+  }
+  if (warnings.length > 0) {
+    console.log(colors.yellow + "Warnings:" + colors.reset);
+    for (const warning of warnings) {
+      console.log(colors.yellow + "  ⚠ " + colors.reset + warning);
+    }
+    console.log("");
+  }
   if (issues.length === 0) {
     console.log(colors.green + colors.bold + "✓ SAFE" + colors.reset);
     console.log(colors.dim + `No security issues detected. Ship it!
 ` + colors.reset);
     process.exit(0);
   }
-  const summary = generateSummary(issues);
+  const severitySummary = generateSeveritySummary(issues);
   console.log(colors.red + colors.bold + `✗ Found ${issues.length} security issue${issues.length > 1 ? "s" : ""}
 ` + colors.reset);
-  console.log("Summary:");
+  console.log("By severity:");
+  if (severitySummary.critical > 0) {
+    console.log(colors.red + `  • Critical: ${severitySummary.critical}` + colors.reset);
+  }
+  if (severitySummary.high > 0) {
+    console.log(colors.yellow + `  • High: ${severitySummary.high}` + colors.reset);
+  }
+  if (severitySummary.medium > 0) {
+    console.log(colors.cyan + `  • Medium: ${severitySummary.medium}` + colors.reset);
+  }
+  if (severitySummary.low > 0) {
+    console.log(colors.dim + `  • Low: ${severitySummary.low}` + colors.reset);
+  }
+  console.log("");
+  const summary = generateSummary(issues);
+  console.log("By type:");
   for (const [pattern, count] of Object.entries(summary)) {
     console.log(colors.dim + `  • ${pattern}: ${count}` + colors.reset);
   }
@@ -398,14 +595,16 @@ function runScan(dir) {
   process.exit(1);
 }
 var args = process.argv.slice(2);
-var command = args[0] || "scan";
-var targetDir = args[1] || process.cwd();
+var jsonFlag = args.includes("--json");
+var filteredArgs = args.filter((arg) => !arg.startsWith("--"));
+var command = filteredArgs[0] || "scan";
+var targetDir = filteredArgs[1] || process.cwd();
 switch (command) {
   case "init":
     runInit(targetDir === process.cwd() ? process.cwd() : targetDir);
     break;
   case "scan":
-    runScan(targetDir);
+    runScan(targetDir, jsonFlag);
     break;
   case "help":
   case "--help":
@@ -421,7 +620,7 @@ switch (command) {
     break;
   default:
     if (command.startsWith(".") || command.startsWith("/")) {
-      runScan(command);
+      runScan(command, jsonFlag);
     } else {
       console.log(colors.red + `Unknown command: ${command}` + colors.reset);
       console.log(colors.dim + `Run "vibe-shield help" for usage.

package/dist/index.d.ts

@@ -1,5 +1,5 @@
 export { scanFiles } from "./scanner";
-export { formatAgentPrompt, generateSummary } from "./prompter";
+export { formatAgentPrompt, generateSummary, generateSeveritySummary, formatJson, } from "./prompter";
 export { initVibeShield } from "./init";
 export { securityPatterns } from "./patterns";
-export type { SecurityPattern, SecurityIssue, InitResult, IssueSummary } from "./types";
+export type { SecurityPattern, SecurityIssue, InitResult, IssueSummary, ScanResult, Severity, } from "./types";

package/dist/index.js

@@ -1,128 +1,225 @@
 // src/scanner.ts
-import { readFileSync, readdirSync, statSync } from "fs";
+import { readFileSync, readdirSync, statSync, existsSync } from "fs";
 import { join, extname } from "path";
 
 // src/patterns.ts
 var securityPatterns = [
+  {
+    id: "aws-access-key",
+    name: "AWS Access Key",
+    regex: /['"`](AKIA[0-9A-Z]{16})['"`]/g,
+    fixPrompt: "AWS access key detected. Remove immediately and rotate in AWS console. Use environment variables or IAM roles.",
+    severity: "critical"
+  },
+  {
+    id: "aws-secret-key",
+    name: "AWS Secret Key",
+    regex: /aws_?secret_?access_?key\s*[:=]\s*['"`][A-Za-z0-9\/+=]{40}['"`]/gi,
+    fixPrompt: "AWS secret key detected. Remove immediately and rotate in AWS console. Use environment variables.",
+    severity: "critical"
+  },
+  {
+    id: "openai-key",
+    name: "OpenAI API Key",
+    regex: /['"`](sk-[A-Za-z0-9]{48,})['"`]/g,
+    fixPrompt: "OpenAI API key detected. Remove and rotate at platform.openai.com. Use process.env.OPENAI_API_KEY.",
+    severity: "critical"
+  },
+  {
+    id: "anthropic-key",
+    name: "Anthropic API Key",
+    regex: /['"`](sk-ant-[A-Za-z0-9\-]{80,})['"`]/g,
+    fixPrompt: "Anthropic API key detected. Remove and rotate at console.anthropic.com. Use process.env.ANTHROPIC_API_KEY.",
+    severity: "critical"
+  },
+  {
+    id: "stripe-secret",
+    name: "Stripe Secret Key",
+    regex: /['"`](sk_live_[A-Za-z0-9]{24,})['"`]/g,
+    fixPrompt: "Stripe live secret key detected. Remove and rotate in Stripe dashboard. Use process.env.STRIPE_SECRET_KEY.",
+    severity: "critical"
+  },
+  {
+    id: "stripe-restricted",
+    name: "Stripe Restricted Key",
+    regex: /['"`](rk_live_[A-Za-z0-9]{24,})['"`]/g,
+    fixPrompt: "Stripe restricted key detected. Remove and rotate in Stripe dashboard. Use environment variables.",
+    severity: "critical"
+  },
+  {
+    id: "github-token",
+    name: "GitHub Token",
+    regex: /['"`](ghp_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{22,})['"`]/g,
+    fixPrompt: "GitHub token detected. Remove and rotate at github.com/settings/tokens. Use process.env.GITHUB_TOKEN.",
+    severity: "critical"
+  },
+  {
+    id: "slack-token",
+    name: "Slack Token",
+    regex: /['"`](xox[baprs]-[A-Za-z0-9\-]{10,})['"`]/g,
+    fixPrompt: "Slack token detected. Remove and rotate in Slack app settings. Use environment variables.",
+    severity: "critical"
+  },
+  {
+    id: "twilio-key",
+    name: "Twilio API Key",
+    regex: /['"`](SK[A-Za-z0-9]{32})['"`]/g,
+    fixPrompt: "Twilio API key detected. Remove and rotate in Twilio console. Use environment variables.",
+    severity: "critical"
+  },
+  {
+    id: "sendgrid-key",
+    name: "SendGrid API Key",
+    regex: /['"`](SG\.[A-Za-z0-9\-_]{22}\.[A-Za-z0-9\-_]{43})['"`]/g,
+    fixPrompt: "SendGrid API key detected. Remove and rotate in SendGrid dashboard. Use environment variables.",
+    severity: "critical"
+  },
+  {
+    id: "private-key",
+    name: "Private Key",
+    regex: /-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----/g,
+    fixPrompt: "Private key detected in code. Move to a secure file outside repo or use a secrets manager.",
+    severity: "critical"
+  },
   {
     id: "hardcoded-secret",
     name: "Hardcoded Secret",
     regex: /(?:api_?key|api_?secret|secret_?key|auth_?token|access_?token|private_?key|client_?secret)\s*[:=]\s*['"`][A-Za-z0-9_\-\.\/\+]{8,}['"`]/gi,
-    fixPrompt: "Move this secret to an environment variable. Add it to .env and use process.env.YOUR_SECRET. Add .env to .gitignore."
+    fixPrompt: "Move this secret to an environment variable. Add to .env and use process.env.YOUR_SECRET. Add .env to .gitignore.",
+    severity: "high"
   },
   {
     id: "hardcoded-password",
     name: "Hardcoded Password",
     regex: /(?:password|passwd|pwd)\s*[:=]\s*['"`][^'"`\s]{4,}['"`]/gi,
-    fixPrompt: "Move this password to an environment variable. Never commit passwords to version control."
-  },
-  {
-    id: "aws-key",
-    name: "AWS Access Key",
-    regex: /['"`](AKIA[0-9A-Z]{16})['"`]/g,
-    fixPrompt: "AWS access key detected. Remove it immediately and rotate the key in AWS console. Use environment variables or AWS IAM roles."
+    fixPrompt: "Move this password to an environment variable. Never commit passwords to version control.",
+    severity: "high"
   },
   {
     id: "jwt-secret-inline",
     name: "Hardcoded JWT Secret",
     regex: /jwt\.sign\s*\([^)]+,\s*['"`][^'"`]{8,}['"`]/gi,
-    fixPrompt: "Move JWT secret to an environment variable. Hardcoded secrets get committed to version control."
+    fixPrompt: "Move JWT secret to an environment variable. Hardcoded secrets get committed to version control.",
+    severity: "high"
+  },
+  {
+    id: "database-url",
+    name: "Database Connection String",
+    regex: /['"`](mongodb(\+srv)?|postgres(ql)?|mysql|redis):\/\/[^'"`\s]{10,}['"`]/gi,
+    fixPrompt: "Database connection string with credentials detected. Use process.env.DATABASE_URL.",
+    severity: "high"
   },
   {
     id: "sql-injection-template",
     name: "SQL Injection",
     regex: /(?:query|execute)\s*\(\s*`(?:SELECT|INSERT|UPDATE|DELETE|DROP)[^`]*\$\{/gi,
-    fixPrompt: "Use parameterized queries instead of template literals. Example: query('SELECT * FROM users WHERE id = ?', [userId])"
+    fixPrompt: "Use parameterized queries instead of template literals. Example: query('SELECT * FROM users WHERE id = ?', [userId])",
+    severity: "high"
   },
   {
     id: "sql-injection-concat",
     name: "SQL Injection",
     regex: /(?:query|execute)\s*\(\s*['"](?:SELECT|INSERT|UPDATE|DELETE)[^'"]*['"]\s*\+/gi,
-    fixPrompt: "Never concatenate variables into SQL strings. Use parameterized queries with placeholders."
+    fixPrompt: "Never concatenate variables into SQL strings. Use parameterized queries with placeholders.",
+    severity: "high"
   },
   {
     id: "command-injection",
     name: "Command Injection",
     regex: /(?:exec|execSync)\s*\(\s*`[^`]*\$\{/g,
-    fixPrompt: "Avoid template literals in shell commands. Use spawn() with an array of arguments, or use a library like shell-escape."
+    fixPrompt: "Avoid template literals in shell commands. Use spawn() with an array of arguments.",
+    severity: "critical"
   },
   {
     id: "command-injection-concat",
     name: "Command Injection",
     regex: /(?:exec|execSync)\s*\([^)]*\+\s*(?:req\.|user|input|param|query|body)/gi,
-    fixPrompt: "User input in shell commands allows arbitrary command execution. Use spawn() with argument arrays."
+    fixPrompt: "User input in shell commands allows arbitrary command execution. Use spawn() with argument arrays.",
+    severity: "critical"
   },
   {
     id: "eval-usage",
     name: "Dangerous eval()",
     regex: /[=:]\s*eval\s*\(\s*(?:req\.|user|input|param|query|body|data)/gi,
-    fixPrompt: "eval() with user input allows arbitrary code execution. Use JSON.parse() for JSON, or refactor to avoid eval entirely."
+    fixPrompt: "eval() with user input allows arbitrary code execution. Use JSON.parse() for JSON, or refactor to avoid eval.",
+    severity: "high"
   },
   {
     id: "new-function",
     name: "Dangerous Function Constructor",
     regex: /new\s+Function\s*\([^)]*(?:req\.|user|input|param|query|body)/gi,
-    fixPrompt: "new Function() with user input is as dangerous as eval(). Refactor to avoid dynamic code generation."
+    fixPrompt: "new Function() with user input is as dangerous as eval(). Refactor to avoid dynamic code generation.",
+    severity: "high"
   },
   {
     id: "innerhtml-variable",
     name: "XSS via innerHTML",
     regex: /\.innerHTML\s*=\s*(?:req\.|user|input|param|query|body|data|props\.|this\.)/gi,
-    fixPrompt: "Setting innerHTML with user data enables XSS attacks. Use textContent or sanitize with DOMPurify."
+    fixPrompt: "Setting innerHTML with user data enables XSS attacks. Use textContent or sanitize with DOMPurify.",
+    severity: "high"
   },
   {
     id: "react-dangerous-html",
     name: "React XSS Risk",
     regex: /dangerouslySetInnerHTML\s*=\s*\{\s*\{\s*__html\s*:\s*(?:props\.|this\.|data|user|input)/gi,
-    fixPrompt: "dangerouslySetInnerHTML with user data enables XSS. Sanitize HTML with DOMPurify first."
+    fixPrompt: "dangerouslySetInnerHTML with user data enables XSS. Sanitize HTML with DOMPurify first.",
+    severity: "high"
   },
   {
     id: "weak-hash-md5",
     name: "Weak Hash (MD5)",
     regex: /createHash\s*\(\s*['"`]md5['"`]\s*\)/g,
-    fixPrompt: "MD5 is broken. Use crypto.createHash('sha256'). For passwords, use bcrypt or argon2."
+    fixPrompt: "MD5 is broken. Use crypto.createHash('sha256'). For passwords, use bcrypt or argon2.",
+    severity: "medium"
   },
   {
     id: "weak-hash-sha1",
     name: "Weak Hash (SHA1)",
     regex: /createHash\s*\(\s*['"`]sha1['"`]\s*\)/g,
-    fixPrompt: "SHA1 is deprecated for security. Use crypto.createHash('sha256'). For passwords, use bcrypt or argon2."
+    fixPrompt: "SHA1 is deprecated for security. Use crypto.createHash('sha256'). For passwords, use bcrypt or argon2.",
+    severity: "medium"
   },
   {
     id: "ssl-disabled",
     name: "SSL Verification Disabled",
     regex: /rejectUnauthorized\s*:\s*false/g,
-    fixPrompt: "Disabling SSL verification allows man-in-the-middle attacks. Remove this or set to true."
+    fixPrompt: "Disabling SSL verification allows man-in-the-middle attacks. Remove this or set to true.",
+    severity: "medium"
   },
   {
     id: "cors-wildcard",
     name: "CORS Allows All Origins",
     regex: /['"`]Access-Control-Allow-Origin['"`]\s*[,:]\s*['"`]\*['"`]/g,
-    fixPrompt: "CORS wildcard (*) allows any website to make requests. Specify allowed origins explicitly."
+    fixPrompt: "CORS wildcard (*) allows any website to make requests. Specify allowed origins explicitly.",
+    severity: "medium"
   },
   {
     id: "path-traversal",
     name: "Path Traversal Risk",
     regex: /(?:readFile|writeFile|readFileSync|writeFileSync)\s*\(\s*(?:req\.|user|input|param|query|body)/gi,
-    fixPrompt: "User input in file paths allows reading/writing arbitrary files. Validate paths with path.resolve() and check they're within allowed directories."
+    fixPrompt: "User input in file paths allows reading/writing arbitrary files. Validate paths with path.resolve() and check they're within allowed directories.",
+    severity: "high"
   },
   {
     id: "nosql-where",
     name: "NoSQL Injection ($where)",
     regex: /\.(find|findOne)\s*\(\s*\{[^}]*\$where\s*:/g,
-    fixPrompt: "$where executes JavaScript and enables NoSQL injection. Use standard MongoDB query operators."
+    fixPrompt: "$where executes JavaScript and enables NoSQL injection. Use standard MongoDB query operators.",
+    severity: "high"
   },
   {
     id: "pickle-load",
     name: "Insecure Pickle (Python)",
     regex: /pickle\.loads?\s*\(\s*(?:request|user|input|data|file)/gi,
-    fixPrompt: "pickle.load with untrusted data allows arbitrary code execution. Use JSON for untrusted data."
+    fixPrompt: "pickle.load with untrusted data allows arbitrary code execution. Use JSON for untrusted data.",
+    severity: "critical"
   },
   {
     id: "python-shell",
     name: "Shell Injection (Python)",
     regex: /subprocess\.\w+\s*\([^)]*shell\s*=\s*True[^)]*(?:request|user|input|param)/gi,
-    fixPrompt: "shell=True with user input enables command injection. Pass command as a list without shell=True."
+    fixPrompt: "shell=True with user input enables command injection. Pass command as a list without shell=True.",
+    severity: "critical"
   }
 ];
 
@@ -184,6 +281,29 @@ function getLineNumber(content, matchIndex) {
 `);
   return lines.length;
 }
+function checkGitignore(dir) {
+  const warnings = [];
+  const gitignorePath = join(dir, ".gitignore");
+  const envPath = join(dir, ".env");
+  if (!existsSync(envPath)) {
+    return warnings;
+  }
+  if (!existsSync(gitignorePath)) {
+    warnings.push(".env file exists but no .gitignore found. Create a .gitignore and add .env to prevent committing secrets.");
+    return warnings;
+  }
+  try {
+    const gitignoreContent = readFileSync(gitignorePath, "utf-8");
+    const lines = gitignoreContent.split(`
+`).map((l) => l.trim());
+    const envIgnored = lines.some((line) => line === ".env" || line === ".env*" || line === "*.env" || line === ".env.local" || line.startsWith(".env"));
+    if (!envIgnored) {
+      warnings.push(".env file exists but is not in .gitignore. Add .env to .gitignore to prevent committing secrets.");
+    }
+  } catch {
+  }
+  return warnings;
+}
 function scanFile(filePath) {
   const issues = [];
   let content;
@@ -204,7 +324,8 @@ function scanFile(filePath) {
         patternId: pattern.id,
         patternName: pattern.name,
         fixPrompt: pattern.fixPrompt,
-        match: matchText.length > 60 ? matchText.substring(0, 60) + "..." : matchText
+        match: matchText.length > 60 ? matchText.substring(0, 60) + "..." : matchText,
+        severity: pattern.severity
       });
     }
   }
@@ -213,14 +334,24 @@ function scanFile(filePath) {
 function scanFiles(dir) {
   const files = collectFiles(dir);
   const allIssues = [];
+  const warnings = checkGitignore(dir);
   for (const file of files) {
     const issues = scanFile(file);
     allIssues.push(...issues);
   }
-  return allIssues;
+  const severityOrder = { critical: 0, high: 1, medium: 2, low: 3 };
+  allIssues.sort((a, b) => severityOrder[a.severity] - severityOrder[b.severity]);
+  return { issues: allIssues, warnings };
 }
 // src/prompter.ts
-function formatAgentPrompt(issues) {
+var severityColors = {
+  critical: "\x1B[31m",
+  high: "\x1B[33m",
+  medium: "\x1B[36m",
+  low: "\x1B[37m"
+};
+var reset = "\x1B[0m";
+function formatAgentPrompt(issues, useColors = true) {
   if (!issues || issues.length === 0) {
     return "";
   }
@@ -231,7 +362,10 @@ function formatAgentPrompt(issues) {
     ""
   ];
   issues.forEach((issue, index) => {
-    lines.push(`[TASK ${index + 1}] Fix ${issue.patternName} in ${issue.file} at line ${issue.line}`);
+    const severityLabel = issue.severity.toUpperCase();
+    const color = useColors ? severityColors[issue.severity] : "";
+    const colorReset = useColors ? reset : "";
+    lines.push(`${color}[${severityLabel}]${colorReset} [TASK ${index + 1}] Fix ${issue.patternName} in ${issue.file} at line ${issue.line}`);
     lines.push(`[FOUND]: ${issue.match}`);
     lines.push(`[INSTRUCTION]: ${issue.fixPrompt}`);
     lines.push("");
@@ -252,8 +386,38 @@ function generateSummary(issues) {
   }
   return summary;
 }
+function generateSeveritySummary(issues) {
+  const summary = {
+    critical: 0,
+    high: 0,
+    medium: 0,
+    low: 0
+  };
+  for (const issue of issues) {
+    summary[issue.severity]++;
+  }
+  return summary;
+}
+function formatJson(issues, warnings) {
+  return JSON.stringify({
+    summary: {
+      total: issues.length,
+      bySeverity: generateSeveritySummary(issues),
+      byType: generateSummary(issues)
+    },
+    issues: issues.map((issue) => ({
+      severity: issue.severity,
+      type: issue.patternName,
+      file: issue.file,
+      line: issue.line,
+      match: issue.match,
+      fix: issue.fixPrompt
+    })),
+    warnings
+  }, null, 2);
+}
 // src/init.ts
-import { writeFileSync, existsSync, readFileSync as readFileSync2 } from "fs";
+import { writeFileSync, existsSync as existsSync2, readFileSync as readFileSync2 } from "fs";
 import { join as join2 } from "path";
 var CURSORRULES_CONTENT = `# Vibe Shield Security Rules
 
@@ -268,7 +432,7 @@ Before marking a task as done, run \`npx vibe-shield\`. If issues are found, fol
 `;
 function initVibeShield(dir) {
   const cursorrulesPath = join2(dir, ".cursorrules");
-  if (existsSync(cursorrulesPath)) {
+  if (existsSync2(cursorrulesPath)) {
     try {
       const existingContent = readFileSync2(cursorrulesPath, "utf-8");
       if (existingContent.includes("vibe-shield") || existingContent.includes("Vibe Shield")) {
@@ -315,5 +479,7 @@ export {
   scanFiles,
   initVibeShield,
   generateSummary,
+  generateSeveritySummary,
+  formatJson,
   formatAgentPrompt
 };

package/dist/prompter.d.ts

@@ -1,9 +1,17 @@
-import type { SecurityIssue, IssueSummary } from "./types";
+import type { SecurityIssue, IssueSummary, Severity } from "./types";
 /**
  * Format issues into an "Agent Protocol" string that AI agents can read and act on.
  */
-export declare function formatAgentPrompt(issues: SecurityIssue[]): string;
+export declare function formatAgentPrompt(issues: SecurityIssue[], useColors?: boolean): string;
 /**
  * Generate a summary of issues by type.
  */
 export declare function generateSummary(issues: SecurityIssue[]): IssueSummary;
+/**
+ * Generate severity summary
+ */
+export declare function generateSeveritySummary(issues: SecurityIssue[]): Record<Severity, number>;
+/**
+ * Format issues as JSON for CI/CD pipelines
+ */
+export declare function formatJson(issues: SecurityIssue[], warnings: string[]): string;

package/dist/scanner.d.ts

@@ -1,5 +1,5 @@
-import type { SecurityIssue } from "./types";
+import type { ScanResult } from "./types";
 /**
  * Scan all files in a directory for security issues.
  */
-export declare function scanFiles(dir: string): SecurityIssue[];
+export declare function scanFiles(dir: string): ScanResult;

package/dist/types.d.ts

@@ -1,8 +1,10 @@
+export type Severity = "critical" | "high" | "medium" | "low";
 export interface SecurityPattern {
     id: string;
     name: string;
     regex: RegExp;
     fixPrompt: string;
+    severity: Severity;
 }
 export interface SecurityIssue {
     file: string;
@@ -11,6 +13,7 @@ export interface SecurityIssue {
     patternName: string;
     fixPrompt: string;
     match: string;
+    severity: Severity;
 }
 export interface InitResult {
     success: boolean;
@@ -20,3 +23,7 @@ export interface InitResult {
 export interface IssueSummary {
     [patternName: string]: number;
 }
+export interface ScanResult {
+    issues: SecurityIssue[];
+    warnings: string[];
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "vibe-shield",
-  "version": "1.0.0",
+  "version": "1.1.0",
   "description": "Security scanner for vibe coders - find and fix AI-generated security issues",
   "type": "module",
   "main": "dist/index.js",