vibe-shield 1.0.0 → 1.2.0

package/dist/hook.d.ts

@@ -0,0 +1,7 @@
+export interface HookResult {
+    success: boolean;
+    message: string;
+    path?: string;
+}
+export declare function installHook(dir: string): HookResult;
+export declare function uninstallHook(dir: string): HookResult;

package/dist/index.d.ts

@@ -1,5 +1,5 @@
 export { scanFiles } from "./scanner";
-export { formatAgentPrompt, generateSummary } from "./prompter";
+export { formatAgentPrompt, generateSummary, generateSeveritySummary, formatJson, } from "./prompter";
 export { initVibeShield } from "./init";
 export { securityPatterns } from "./patterns";
-export type { SecurityPattern, SecurityIssue, InitResult, IssueSummary } from "./types";
+export type { SecurityPattern, SecurityIssue, InitResult, IssueSummary, ScanResult, Severity, } from "./types";

package/dist/index.js

@@ -1,128 +1,225 @@
 // src/scanner.ts
-import { readFileSync, readdirSync, statSync } from "fs";
+import { readFileSync, readdirSync, statSync, existsSync } from "fs";
 import { join, extname } from "path";
 
 // src/patterns.ts
 var securityPatterns = [
+  {
+    id: "aws-access-key",
+    name: "AWS Access Key",
+    regex: /['"`](AKIA[0-9A-Z]{16})['"`]/g,
+    fixPrompt: "AWS access key detected. Remove immediately and rotate in AWS console. Use environment variables or IAM roles.",
+    severity: "critical"
+  },
+  {
+    id: "aws-secret-key",
+    name: "AWS Secret Key",
+    regex: /aws_?secret_?access_?key\s*[:=]\s*['"`][A-Za-z0-9\/+=]{40}['"`]/gi,
+    fixPrompt: "AWS secret key detected. Remove immediately and rotate in AWS console. Use environment variables.",
+    severity: "critical"
+  },
+  {
+    id: "openai-key",
+    name: "OpenAI API Key",
+    regex: /['"`](sk-[A-Za-z0-9]{48,})['"`]/g,
+    fixPrompt: "OpenAI API key detected. Remove and rotate at platform.openai.com. Use process.env.OPENAI_API_KEY.",
+    severity: "critical"
+  },
+  {
+    id: "anthropic-key",
+    name: "Anthropic API Key",
+    regex: /['"`](sk-ant-[A-Za-z0-9\-]{80,})['"`]/g,
+    fixPrompt: "Anthropic API key detected. Remove and rotate at console.anthropic.com. Use process.env.ANTHROPIC_API_KEY.",
+    severity: "critical"
+  },
+  {
+    id: "stripe-secret",
+    name: "Stripe Secret Key",
+    regex: /['"`](sk_live_[A-Za-z0-9]{24,})['"`]/g,
+    fixPrompt: "Stripe live secret key detected. Remove and rotate in Stripe dashboard. Use process.env.STRIPE_SECRET_KEY.",
+    severity: "critical"
+  },
+  {
+    id: "stripe-restricted",
+    name: "Stripe Restricted Key",
+    regex: /['"`](rk_live_[A-Za-z0-9]{24,})['"`]/g,
+    fixPrompt: "Stripe restricted key detected. Remove and rotate in Stripe dashboard. Use environment variables.",
+    severity: "critical"
+  },
+  {
+    id: "github-token",
+    name: "GitHub Token",
+    regex: /['"`](ghp_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{22,})['"`]/g,
+    fixPrompt: "GitHub token detected. Remove and rotate at github.com/settings/tokens. Use process.env.GITHUB_TOKEN.",
+    severity: "critical"
+  },
+  {
+    id: "slack-token",
+    name: "Slack Token",
+    regex: /['"`](xox[baprs]-[A-Za-z0-9\-]{10,})['"`]/g,
+    fixPrompt: "Slack token detected. Remove and rotate in Slack app settings. Use environment variables.",
+    severity: "critical"
+  },
+  {
+    id: "twilio-key",
+    name: "Twilio API Key",
+    regex: /['"`](SK[A-Za-z0-9]{32})['"`]/g,
+    fixPrompt: "Twilio API key detected. Remove and rotate in Twilio console. Use environment variables.",
+    severity: "critical"
+  },
+  {
+    id: "sendgrid-key",
+    name: "SendGrid API Key",
+    regex: /['"`](SG\.[A-Za-z0-9\-_]{22}\.[A-Za-z0-9\-_]{43})['"`]/g,
+    fixPrompt: "SendGrid API key detected. Remove and rotate in SendGrid dashboard. Use environment variables.",
+    severity: "critical"
+  },
+  {
+    id: "private-key",
+    name: "Private Key",
+    regex: /-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----/g,
+    fixPrompt: "Private key detected in code. Move to a secure file outside repo or use a secrets manager.",
+    severity: "critical"
+  },
   {
     id: "hardcoded-secret",
     name: "Hardcoded Secret",
     regex: /(?:api_?key|api_?secret|secret_?key|auth_?token|access_?token|private_?key|client_?secret)\s*[:=]\s*['"`][A-Za-z0-9_\-\.\/\+]{8,}['"`]/gi,
-    fixPrompt: "Move this secret to an environment variable. Add it to .env and use process.env.YOUR_SECRET. Add .env to .gitignore."
+    fixPrompt: "Move this secret to an environment variable. Add to .env and use process.env.YOUR_SECRET. Add .env to .gitignore.",
+    severity: "high"
   },
   {
     id: "hardcoded-password",
     name: "Hardcoded Password",
     regex: /(?:password|passwd|pwd)\s*[:=]\s*['"`][^'"`\s]{4,}['"`]/gi,
-    fixPrompt: "Move this password to an environment variable. Never commit passwords to version control."
-  },
-  {
-    id: "aws-key",
-    name: "AWS Access Key",
-    regex: /['"`](AKIA[0-9A-Z]{16})['"`]/g,
-    fixPrompt: "AWS access key detected. Remove it immediately and rotate the key in AWS console. Use environment variables or AWS IAM roles."
+    fixPrompt: "Move this password to an environment variable. Never commit passwords to version control.",
+    severity: "high"
   },
   {
     id: "jwt-secret-inline",
     name: "Hardcoded JWT Secret",
     regex: /jwt\.sign\s*\([^)]+,\s*['"`][^'"`]{8,}['"`]/gi,
-    fixPrompt: "Move JWT secret to an environment variable. Hardcoded secrets get committed to version control."
+    fixPrompt: "Move JWT secret to an environment variable. Hardcoded secrets get committed to version control.",
+    severity: "high"
+  },
+  {
+    id: "database-url",
+    name: "Database Connection String",
+    regex: /['"`](mongodb(\+srv)?|postgres(ql)?|mysql|redis):\/\/[^'"`\s]{10,}['"`]/gi,
+    fixPrompt: "Database connection string with credentials detected. Use process.env.DATABASE_URL.",
+    severity: "high"
   },
   {
     id: "sql-injection-template",
     name: "SQL Injection",
     regex: /(?:query|execute)\s*\(\s*`(?:SELECT|INSERT|UPDATE|DELETE|DROP)[^`]*\$\{/gi,
-    fixPrompt: "Use parameterized queries instead of template literals. Example: query('SELECT * FROM users WHERE id = ?', [userId])"
+    fixPrompt: "Use parameterized queries instead of template literals. Example: query('SELECT * FROM users WHERE id = ?', [userId])",
+    severity: "high"
   },
   {
     id: "sql-injection-concat",
     name: "SQL Injection",
     regex: /(?:query|execute)\s*\(\s*['"](?:SELECT|INSERT|UPDATE|DELETE)[^'"]*['"]\s*\+/gi,
-    fixPrompt: "Never concatenate variables into SQL strings. Use parameterized queries with placeholders."
+    fixPrompt: "Never concatenate variables into SQL strings. Use parameterized queries with placeholders.",
+    severity: "high"
   },
   {
     id: "command-injection",
     name: "Command Injection",
     regex: /(?:exec|execSync)\s*\(\s*`[^`]*\$\{/g,
-    fixPrompt: "Avoid template literals in shell commands. Use spawn() with an array of arguments, or use a library like shell-escape."
+    fixPrompt: "Avoid template literals in shell commands. Use spawn() with an array of arguments.",
+    severity: "critical"
   },
   {
     id: "command-injection-concat",
     name: "Command Injection",
     regex: /(?:exec|execSync)\s*\([^)]*\+\s*(?:req\.|user|input|param|query|body)/gi,
-    fixPrompt: "User input in shell commands allows arbitrary command execution. Use spawn() with argument arrays."
+    fixPrompt: "User input in shell commands allows arbitrary command execution. Use spawn() with argument arrays.",
+    severity: "critical"
   },
   {
     id: "eval-usage",
     name: "Dangerous eval()",
     regex: /[=:]\s*eval\s*\(\s*(?:req\.|user|input|param|query|body|data)/gi,
-    fixPrompt: "eval() with user input allows arbitrary code execution. Use JSON.parse() for JSON, or refactor to avoid eval entirely."
+    fixPrompt: "eval() with user input allows arbitrary code execution. Use JSON.parse() for JSON, or refactor to avoid eval.",
+    severity: "high"
   },
   {
     id: "new-function",
     name: "Dangerous Function Constructor",
     regex: /new\s+Function\s*\([^)]*(?:req\.|user|input|param|query|body)/gi,
-    fixPrompt: "new Function() with user input is as dangerous as eval(). Refactor to avoid dynamic code generation."
+    fixPrompt: "new Function() with user input is as dangerous as eval(). Refactor to avoid dynamic code generation.",
+    severity: "high"
   },
   {
     id: "innerhtml-variable",
     name: "XSS via innerHTML",
     regex: /\.innerHTML\s*=\s*(?:req\.|user|input|param|query|body|data|props\.|this\.)/gi,
-    fixPrompt: "Setting innerHTML with user data enables XSS attacks. Use textContent or sanitize with DOMPurify."
+    fixPrompt: "Setting innerHTML with user data enables XSS attacks. Use textContent or sanitize with DOMPurify.",
+    severity: "high"
   },
   {
     id: "react-dangerous-html",
     name: "React XSS Risk",
     regex: /dangerouslySetInnerHTML\s*=\s*\{\s*\{\s*__html\s*:\s*(?:props\.|this\.|data|user|input)/gi,
-    fixPrompt: "dangerouslySetInnerHTML with user data enables XSS. Sanitize HTML with DOMPurify first."
+    fixPrompt: "dangerouslySetInnerHTML with user data enables XSS. Sanitize HTML with DOMPurify first.",
+    severity: "high"
   },
   {
     id: "weak-hash-md5",
     name: "Weak Hash (MD5)",
     regex: /createHash\s*\(\s*['"`]md5['"`]\s*\)/g,
-    fixPrompt: "MD5 is broken. Use crypto.createHash('sha256'). For passwords, use bcrypt or argon2."
+    fixPrompt: "MD5 is broken. Use crypto.createHash('sha256'). For passwords, use bcrypt or argon2.",
+    severity: "medium"
   },
   {
     id: "weak-hash-sha1",
     name: "Weak Hash (SHA1)",
     regex: /createHash\s*\(\s*['"`]sha1['"`]\s*\)/g,
-    fixPrompt: "SHA1 is deprecated for security. Use crypto.createHash('sha256'). For passwords, use bcrypt or argon2."
+    fixPrompt: "SHA1 is deprecated for security. Use crypto.createHash('sha256'). For passwords, use bcrypt or argon2.",
+    severity: "medium"
   },
   {
     id: "ssl-disabled",
     name: "SSL Verification Disabled",
     regex: /rejectUnauthorized\s*:\s*false/g,
-    fixPrompt: "Disabling SSL verification allows man-in-the-middle attacks. Remove this or set to true."
+    fixPrompt: "Disabling SSL verification allows man-in-the-middle attacks. Remove this or set to true.",
+    severity: "medium"
   },
   {
     id: "cors-wildcard",
     name: "CORS Allows All Origins",
     regex: /['"`]Access-Control-Allow-Origin['"`]\s*[,:]\s*['"`]\*['"`]/g,
-    fixPrompt: "CORS wildcard (*) allows any website to make requests. Specify allowed origins explicitly."
+    fixPrompt: "CORS wildcard (*) allows any website to make requests. Specify allowed origins explicitly.",
+    severity: "medium"
   },
   {
     id: "path-traversal",
     name: "Path Traversal Risk",
     regex: /(?:readFile|writeFile|readFileSync|writeFileSync)\s*\(\s*(?:req\.|user|input|param|query|body)/gi,
-    fixPrompt: "User input in file paths allows reading/writing arbitrary files. Validate paths with path.resolve() and check they're within allowed directories."
+    fixPrompt: "User input in file paths allows reading/writing arbitrary files. Validate paths with path.resolve() and check they're within allowed directories.",
+    severity: "high"
   },
   {
     id: "nosql-where",
     name: "NoSQL Injection ($where)",
     regex: /\.(find|findOne)\s*\(\s*\{[^}]*\$where\s*:/g,
-    fixPrompt: "$where executes JavaScript and enables NoSQL injection. Use standard MongoDB query operators."
+    fixPrompt: "$where executes JavaScript and enables NoSQL injection. Use standard MongoDB query operators.",
+    severity: "high"
   },
   {
     id: "pickle-load",
     name: "Insecure Pickle (Python)",
     regex: /pickle\.loads?\s*\(\s*(?:request|user|input|data|file)/gi,
-    fixPrompt: "pickle.load with untrusted data allows arbitrary code execution. Use JSON for untrusted data."
+    fixPrompt: "pickle.load with untrusted data allows arbitrary code execution. Use JSON for untrusted data.",
+    severity: "critical"
   },
   {
     id: "python-shell",
     name: "Shell Injection (Python)",
     regex: /subprocess\.\w+\s*\([^)]*shell\s*=\s*True[^)]*(?:request|user|input|param)/gi,
-    fixPrompt: "shell=True with user input enables command injection. Pass command as a list without shell=True."
+    fixPrompt: "shell=True with user input enables command injection. Pass command as a list without shell=True.",
+    severity: "critical"
   }
 ];
 
@@ -184,6 +281,29 @@ function getLineNumber(content, matchIndex) {
 `);
   return lines.length;
 }
+function checkGitignore(dir) {
+  const warnings = [];
+  const gitignorePath = join(dir, ".gitignore");
+  const envPath = join(dir, ".env");
+  if (!existsSync(envPath)) {
+    return warnings;
+  }
+  if (!existsSync(gitignorePath)) {
+    warnings.push(".env file exists but no .gitignore found. Create a .gitignore and add .env to prevent committing secrets.");
+    return warnings;
+  }
+  try {
+    const gitignoreContent = readFileSync(gitignorePath, "utf-8");
+    const lines = gitignoreContent.split(`
+`).map((l) => l.trim());
+    const envIgnored = lines.some((line) => line === ".env" || line === ".env*" || line === "*.env" || line === ".env.local" || line.startsWith(".env"));
+    if (!envIgnored) {
+      warnings.push(".env file exists but is not in .gitignore. Add .env to .gitignore to prevent committing secrets.");
+    }
+  } catch {
+  }
+  return warnings;
+}
 function scanFile(filePath) {
   const issues = [];
   let content;
@@ -204,7 +324,8 @@ function scanFile(filePath) {
         patternId: pattern.id,
         patternName: pattern.name,
         fixPrompt: pattern.fixPrompt,
-        match: matchText.length > 60 ? matchText.substring(0, 60) + "..." : matchText
+        match: matchText.length > 60 ? matchText.substring(0, 60) + "..." : matchText,
+        severity: pattern.severity
       });
     }
   }
@@ -213,14 +334,24 @@ function scanFile(filePath) {
 function scanFiles(dir) {
   const files = collectFiles(dir);
   const allIssues = [];
+  const warnings = checkGitignore(dir);
   for (const file of files) {
     const issues = scanFile(file);
     allIssues.push(...issues);
   }
-  return allIssues;
+  const severityOrder = { critical: 0, high: 1, medium: 2, low: 3 };
+  allIssues.sort((a, b) => severityOrder[a.severity] - severityOrder[b.severity]);
+  return { issues: allIssues, warnings };
 }
 // src/prompter.ts
-function formatAgentPrompt(issues) {
+var severityColors = {
+  critical: "\x1B[31m",
+  high: "\x1B[33m",
+  medium: "\x1B[36m",
+  low: "\x1B[37m"
+};
+var reset = "\x1B[0m";
+function formatAgentPrompt(issues, useColors = true) {
   if (!issues || issues.length === 0) {
     return "";
   }
@@ -231,7 +362,10 @@ function formatAgentPrompt(issues) {
     ""
   ];
   issues.forEach((issue, index) => {
-    lines.push(`[TASK ${index + 1}] Fix ${issue.patternName} in ${issue.file} at line ${issue.line}`);
+    const severityLabel = issue.severity.toUpperCase();
+    const color = useColors ? severityColors[issue.severity] : "";
+    const colorReset = useColors ? reset : "";
+    lines.push(`${color}[${severityLabel}]${colorReset} [TASK ${index + 1}] Fix ${issue.patternName} in ${issue.file} at line ${issue.line}`);
     lines.push(`[FOUND]: ${issue.match}`);
     lines.push(`[INSTRUCTION]: ${issue.fixPrompt}`);
     lines.push("");
@@ -252,8 +386,38 @@ function generateSummary(issues) {
   }
   return summary;
 }
+function generateSeveritySummary(issues) {
+  const summary = {
+    critical: 0,
+    high: 0,
+    medium: 0,
+    low: 0
+  };
+  for (const issue of issues) {
+    summary[issue.severity]++;
+  }
+  return summary;
+}
+function formatJson(issues, warnings) {
+  return JSON.stringify({
+    summary: {
+      total: issues.length,
+      bySeverity: generateSeveritySummary(issues),
+      byType: generateSummary(issues)
+    },
+    issues: issues.map((issue) => ({
+      severity: issue.severity,
+      type: issue.patternName,
+      file: issue.file,
+      line: issue.line,
+      match: issue.match,
+      fix: issue.fixPrompt
+    })),
+    warnings
+  }, null, 2);
+}
 // src/init.ts
-import { writeFileSync, existsSync, readFileSync as readFileSync2 } from "fs";
+import { writeFileSync, existsSync as existsSync2, readFileSync as readFileSync2 } from "fs";
 import { join as join2 } from "path";
 var CURSORRULES_CONTENT = `# Vibe Shield Security Rules
 
@@ -268,7 +432,7 @@ Before marking a task as done, run \`npx vibe-shield\`. If issues are found, fol
 `;
 function initVibeShield(dir) {
   const cursorrulesPath = join2(dir, ".cursorrules");
-  if (existsSync(cursorrulesPath)) {
+  if (existsSync2(cursorrulesPath)) {
     try {
       const existingContent = readFileSync2(cursorrulesPath, "utf-8");
       if (existingContent.includes("vibe-shield") || existingContent.includes("Vibe Shield")) {
@@ -315,5 +479,7 @@ export {
   scanFiles,
   initVibeShield,
   generateSummary,
+  generateSeveritySummary,
+  formatJson,
   formatAgentPrompt
 };

package/dist/mcp-server.d.ts

@@ -0,0 +1,2 @@
+#!/usr/bin/env node
+export {};