{"id":51245287,"url":"https://github.com/shieldnet-360/securevibe","last_synced_at":"2026-06-29T04:00:28.233Z","repository":{"id":366494688,"uuid":"1276049109","full_name":"ShieldNet-360/securevibe","owner":"ShieldNet-360","description":"SecureVibe — prevention-first security for AI-written code. Signed SKILL.md knowledge that makes AI coding assistants write secure code at generation time, plus a deterministic CI gate. Offline · keyless · Ed25519-signed. By ShieldNet360.","archived":false,"fork":false,"pushed_at":"2026-06-22T04:09:12.000Z","size":4636,"stargazers_count":2,"open_issues_count":1,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-06-22T05:21:37.302Z","etag":null,"topics":["ai","claude-code","cursor","devsecops","llm","mcp","sast","secure-coding","security","supply-chain"],"latest_commit_sha":null,"homepage":"https://shieldnet-360.github.io/securevibe/","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ShieldNet-360.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":"AGENTS.md","dco":null,"cla":null}},"created_at":"2026-06-21T13:31:41.000Z","updated_at":"2026-06-22T04:06:52.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/ShieldNet-360/securevibe","commit_stats":null,"previous_names":["shieldnet-360/securevibe"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/ShieldNet-360/securevibe","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ShieldNet-360%2Fsecurevibe","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ShieldNet-360%2Fsecurevibe/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ShieldNet-360%2Fsecurevibe/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ShieldNet-360%2Fsecurevibe/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ShieldNet-360","download_url":"https://codeload.github.com/ShieldNet-360/securevibe/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ShieldNet-360%2Fsecurevibe/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34912252,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-29T02:00:05.398Z","response_time":58,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ai","claude-code","cursor","devsecops","llm","mcp","sast","secure-coding","security","supply-chain"],"created_at":"2026-06-29T04:00:20.431Z","updated_at":"2026-06-29T04:00:28.203Z","avatar_url":"https://github.com/ShieldNet-360.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# SecureVibe\n\n[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](./LICENSE)\n[![Skills](https://img.shields.io/badge/skills-29-blue)](#skill-catalogue)\n[![Vulnerabilities](https://img.shields.io/badge/CVE%20patterns-58-orange)](./vulnerabilities/cve/code-relevant/cve_patterns.json)\n[![Ecosystems](https://img.shields.io/badge/supply--chain%20ecosystems-9-purple)](./vulnerabilities/supply-chain/malicious-packages)\n[![secret-detection patterns](https://img.shields.io/badge/Secret%20patterns-74-red)](./skills/secret-detection/checklists/secret_detection.yaml)\n[![Platforms](https://img.shields.io/badge/platforms-win%20%7C%20mac%20%7C%20linux-green)](#platform-support)\n\n**SecureVibe** is a structured, machine-readable library of security skills and\nsupply-chain vulnerability intelligence designed to be embedded directly into AI\ncoding assistants — Claude Code, Cursor, GitHub Copilot, Codex, Windsurf,\nCline / OpenCode, Antigravity, and Devin. It ships bundled rules offline and\nsupports incremental, Ed25519-signed remote updates. See\n[SIGNING.md](./SIGNING.md) for the signing model.\n\nMaintained by **[ShieldNet360](https://www.shieldnet360.com)** and released under\nthe [MIT license](./LICENSE) — free to fork, embed, and ship in commercial products.\n\n---\n\n## Table of contents\n\n- [Why SecureVibe](#why-securevibe)\n- [What's inside](#whats-inside)\n- [Install \u0026 run](#install--run)\n- [Quick start — embed in your IDE](#quick-start--embed-in-your-ide)\n- [CLI install and routine updates](#cli-install-and-routine-updates)\n- [Vulnerability database — repo sample vs full upstream](#vulnerability-database--repo-sample-vs-full-upstream)\n- [Token efficiency](#token-efficiency)\n- [Project layout](#project-layout)\n- [Documentation](#documentation)\n- [CLI package layout](#cli-package-layout)\n- [MCP server](#mcp-server)\n- [Building and running tests](#building-and-running-tests)\n- [Signing model](#signing-model)\n- [Platform support](#platform-support)\n- [Skill catalogue](#skill-catalogue)\n- [Enterprise profiles](#enterprise-profiles)\n- [Compliance evidence](#compliance-evidence)\n- [Private repositories](#private-repositories)\n- [SDKs](#sdks)\n- [Localization](#localization)\n- [Contributing](#contributing)\n- [License and attribution](#license-and-attribution)\n\n---\n\n## Why SecureVibe\n\n- **AI coding assistants don't ship with current security knowledge.** Training\n  data is months or years stale: a package compromised yesterday is happily\n  imported by the model today.\n- **Security review is an afterthought** in the \"vibe coding\" workflow. Hardcoded\n  secrets, vulnerable dependencies, typosquat imports, and unsafe deserialization\n  all land in production routinely.\n- **No standardized way to inject security context** into AI tools today — every\n  team writes its own `CLAUDE.md`, `.cursorrules`, or `copilot-instructions.md`,\n  and most contain only style rules.\n- **Existing answers are proprietary, expensive, or infra-heavy.** SecureVibe is\n  MIT-licensed, runs entirely offline, and ships as plain files in a Git repo plus\n  a single static Go binary.\n\nSecureVibe closes the loop by shipping security knowledge *at the point of code\ngeneration*, before the diff ever touches your repo.\n\n## What's inside\n\n| Area | Path | Description |\n|------|------|-------------|\n| **Skills** | [`skills/`](./skills) | 28 self-contained `SKILL.md` manifests with rules, patterns, and checklists. Each skill is a security capability the AI tool consults at generation time. |\n| **Vulnerability database** | [`vulnerabilities/`](./vulnerabilities) | Curated supply-chain corpus (malicious packages, typosquats, CVE detection patterns, dependency-confusion rules) plus an offline OSV cache. Delta-updatable. See the [Vulnerability database](#vulnerability-database--repo-sample-vs-full-upstream) section below for ecosystem coverage and counts. |\n| **Detection rules** | [`rules/`](./rules) | Sigma-format detection rules for AWS, GCP, Azure, K8s, Linux, macOS, Windows, O365, Google Workspace, Salesforce, and Slack — designed to complement the prevention-time rules in `skills/`. |\n| **Compliance maps** | [`compliance/`](./compliance) | OWASP Top 10, CWE Top 25, SANS Top 25 framework mappings plus developer-facing compliance coverage maps (SOC 2, HIPAA, PCI-DSS, FedRAMP). |\n| **Dictionaries** | [`dictionaries/`](./dictionaries) | Security term definitions, CWE catalogue, MITRE ATT\u0026CK technique references — context the AI needs to reason about security. |\n| **Pre-compiled IDE files** | [`dist/`](./dist) | Ready-to-drop-in `CLAUDE.md`, `.cursorrules`, `copilot-instructions.md`, `AGENTS.md`, `.windsurfrules`, `devin.md`, `.clinerules`, and a universal `SECURITY-SKILLS.md`. |\n| **CLI + MCP binary** | [`cmd/securevibe/`](./cmd/securevibe) | Single static Go binary: scanners, CI gate, IDE config, maintainer (`dev`) commands, and the `securevibe mcp` server. |\n| **MCP server** | [`internal/mcp/`](./internal/mcp) | JSON-RPC 2.0 Model Context Protocol server for on-demand skill / vulnerability lookups, exposed via `securevibe mcp`. |\n\n## Install \u0026 run\n\nThere are three ways to use SecureVibe, depending on whether you want the\n**MCP server** (16 scanning tools, any agent), the **skills** (knowledge for\nClaude Code), or both. Pick one — they're independent.\n\n### A. npm / npx — no Go, no clone (easiest)\n\nTwo published packages:\n\n| Package | What it is |\n|---------|------------|\n| [`@shieldnet360/secure-code-mcp`](https://www.npmjs.com/package/@shieldnet360/secure-code-mcp) | the MCP server (Go binary + data), agent-agnostic |\n| [`@shieldnet360/secure-code-skill`](https://www.npmjs.com/package/@shieldnet360/secure-code-skill) | the 29 skills + a connector, for Claude Code |\n\n**MCP server** — add to any MCP client's config (no install; `npx` fetches and\nruns it on demand):\n\n```jsonc\n// Claude Code / Cursor / Windsurf / Cline … mcpServers block\n{\n  \"mcpServers\": {\n    \"SecureVibe\": { \"command\": \"npx\", \"args\": [\"-y\", \"@shieldnet360/secure-code-mcp\"] }\n  }\n}\n```\n\nOr, in Claude Code: `claude mcp add SecureVibe -- npx -y @shieldnet360/secure-code-mcp`\n\n**Skills** — install the native Claude Code skills into a project, then\noptionally wire up the MCP for active scanning:\n\n```bash\n# install the 29 skills into ./.claude/skills (self-contained; no MCP needed)\nnpx @shieldnet360/secure-code-skill init\n\n# (optional) connect the MCP engine for precise automated scanning\nnpx @shieldnet360/secure-code-skill connect-mcp\n#   connect-mcp is generic — it can register any MCP server:\n#   npx @shieldnet360/secure-code-skill connect-mcp \u003cname\u003e -- \u003ccmd\u003e ...\n```\n\n`npx` downloads + runs in one step (nothing is permanently installed — only the\nfiles `init` writes). Prefer a persistent command? `npm install -g\n@shieldnet360/secure-code-skill`, then `secure-code-skill init`.\n\n### B. curl \\| sh — prebuilt binary (no Go, no clone)\n\n```bash\ncurl -fsSL https://raw.githubusercontent.com/shieldnet-360/securevibe/main/install.sh | sh\n```\n\nDownloads the `securevibe` binary for your OS/arch from the latest GitHub\nrelease, **verifies its SHA-256** against the release `SHA256SUMS.txt`, and\ninstalls it to `~/.local/bin`. Override with `SECUREVIBE_BIN_DIR` (install\ndir) or `SECUREVIBE_VERSION` (pin a tag). macOS + Linux, amd64 + arm64.\n\n### C. Go — `go install`\n\n```bash\n# one binary: CLI + MCP server + maintainer (dev) commands\ngo install github.com/shieldnet-360/securevibe/cmd/securevibe@latest\n```\n\n`securevibe` reads its library data from disk (it does not embed it), so point\nit at a **library directory** via `--path` (or `$SKILLS_LIBRARY_PATH`). Get one\nby cloning (section D below); `securevibe update` keeps that directory's\nsigned skills + vulnerability data current:\n\n```bash\ngit clone https://github.com/shieldnet-360/securevibe.git lib\nsecurevibe mcp --path ./lib        # run the MCP server against ./lib\nsecurevibe update --path ./lib     # later: pull signed updates into ./lib\n```\n\n### D. From source (clone)\n\n```bash\ngit clone https://github.com/shieldnet-360/securevibe.git\ncd securevibe\n\n# build the single binary\ngo build -o securevibe ./cmd/securevibe\n\n# run the MCP server against this checkout\n./securevibe mcp --path .\n```\n\nWire the local binary into an agent by absolute path:\n\n```jsonc\n{\n  \"mcpServers\": {\n    \"SecureVibe\": {\n      \"command\": \"/abs/path/securevibe/securevibe\",\n      \"args\": [\"mcp\", \"--path\", \"/abs/path/securevibe\"]\n    }\n  }\n}\n```\n\nThe skills also live in the checkout — copy\n`dist/claude-skills/.claude/skills/` into your project's `.claude/skills/`, or\nuse the IDE-embed files in [`dist/`](./dist) (next section).\n\n## Quick start — embed in your IDE\n\nThe fastest path is to copy the pre-compiled file for your tool from\n[`dist/`](./dist) into your project root. Three patterns are available for every\ntool:\n\n1. **Copy once** — fastest, no live updates.\n2. **Symlink** — auto-updates whenever you run `skills-check update` or `git pull`.\n3. **CLI-generated** — `skills-check init` writes a project-specific file with only\n   the skills you care about, at the token budget you specify.\n\n### Claude Code (`CLAUDE.md`)\n\n```bash\n# Option 1: Copy the universal skill loader\ncp securevibe/dist/CLAUDE.md /your-project/CLAUDE.md\n\n# Option 2: Symlink for auto-updates\nln -s /path/to/securevibe/dist/CLAUDE.md /your-project/CLAUDE.md\n\n# Option 3: Generate a project-specific CLAUDE.md\nskills-check init --tool claude --skills secret-detection,dependency-audit,secure-code-review\n```\n\n### Cursor (`.cursorrules`)\n\n```bash\ncp securevibe/dist/.cursorrules /your-project/.cursorrules\n# or\nskills-check init --tool cursor --skills secret-detection,dependency-audit\n```\n\n### GitHub Copilot (`.github/copilot-instructions.md`)\n\n```bash\ncp securevibe/dist/copilot-instructions.md /your-project/.github/copilot-instructions.md\n```\n\n### Codex / OpenAI (`AGENTS.md`)\n\n```bash\ncp securevibe/dist/AGENTS.md /your-project/AGENTS.md\n```\n\n### Windsurf (`.windsurfrules`)\n\n```bash\ncp securevibe/dist/.windsurfrules /your-project/.windsurfrules\n```\n\n### Devin (`devin.md`)\n\n```bash\ncp securevibe/dist/devin.md /your-project/devin.md\n```\n\n### Cline / OpenCode (`.clinerules`)\n\n```bash\ncp securevibe/dist/.clinerules /your-project/.clinerules\n```\n\n### Universal (any tool that reads project-root markdown)\n\n```bash\ncp securevibe/dist/SECURITY-SKILLS.md /your-project/SECURITY-SKILLS.md\n```\n\n## CLI install and routine updates\n\nVulnerability data and detection patterns change weekly. The CLI keeps your\nlocal copy current with incremental, signature-verified remote updates.\n\n### Install (all platforms)\n\n```bash\n# From source (requires Go 1.22+)\ngo install github.com/shieldnet-360/securevibe/cmd/skills-check@latest\n\n# macOS via Homebrew\nbrew install shieldnet-360/tap/skills-check\n\n# Windows via winget\nwinget install shieldnet-360.skills-check\n\n# Linux via .deb / .rpm — see docs/install-linux.md\n```\n\n### Pull latest rules\n\n```bash\n# Pull latest rules, vulnerabilities, and skills\nskills-check update\n\n# Pull and regenerate IDE files in one step\nskills-check update --regenerate\n\n# Check for updates without applying\nskills-check update --check-only\n\n# Revert to the previous version\nskills-check update --rollback\n\n# How stale is my data? (your AI is only as current as what it's fed)\nskills-check status                      # version, advisory count, data age, verdict\nskills-check status --json               # machine-readable for CI\nskills-check status --fail-if-stale      # exit 1 when the data is \u003e30 days old (CI gate)\nskills-check status --max-age-days 14    # custom freshness budget\n\n# Use a custom source (HTTP URL, local directory, or tarball)\nskills-check update --source https://cdn.example.com/skills-library/\nskills-check update --source /mnt/airgap/skills-library-v2.tar.gz\n```\n\n### Scheduled updates\n\n| Platform | Mechanism | Example |\n|----------|-----------|---------|\n| macOS | `launchd` LaunchAgent | `skills-check scheduler install --interval 6h` |\n| Linux | `systemd` user timer | `skills-check scheduler install --interval 6h` |\n| Windows | Task Scheduler | `skills-check scheduler install --interval 6h` |\n\nThe scheduled task issues anonymous `GET` requests for public release artifacts and\nwrites them to disk. **No device identifier, hostname, IP, or user information is\ntransmitted.** The update server cannot distinguish a fresh install from its\nhundredth recurring check.\n\n### Manual / Git-based\n\n```bash\ncd /path/to/skills-library\ngit pull origin main\nskills-check regenerate    # rebuild dist/ files from the latest skills\n```\n\n### Vulnerability database — repo sample vs full upstream\n\nThe committed `vulnerabilities/osv/` directory is a **small latest-first\nsample** of the upstream OSV archives at\n`osv-vulnerabilities.storage.googleapis.com`, generated by\n`scripts/ingest-osv.py`. It exists as an offline fallback so a fresh\n`git clone` can scan without network access. Sample size is controlled\nby `--per-ecosystem` (default 100); per-ecosystem advisory counts are\npublished in [DATA_QUALITY.md](./DATA_QUALITY.md), regenerated on every\ningest.\n\nThe sample is **not a complete mirror**. Upstream npm alone has ~80,000\nadvisories. To get full coverage at scan time, populate the user-local cache.\nTwo sources are supported:\n\n```bash\n# Option 1: pull the full upstream catalogue from osv.dev directly.\n# ~250 MB, ~5–10 minutes on a typical connection.\nskills-check fetch-vulns\n\n# Option 2: pull the pre-built osv-cache.tar.gz from the latest GitHub\n# release. Single HTTPS download, no per-ecosystem fan-out; recommended\n# for production / air-gapped deployments and CI that cannot hit\n# osv.dev directly.\nskills-check fetch-vulns --from-release\n\n# Verify the cache is present and fresh (exit 1 if missing or \u003e7d old;\n# suitable for cron / CI)\nskills-check fetch-vulns --check\n\n# Pull only specific ecosystems (e.g. JS/Python only). Applies to\n# osv.dev mode; the release-asset tarball is a single bundle.\nskills-check fetch-vulns --only npm,pypi\n```\n\nThe cache lives at `$SKILLS_MCP_CACHE` (falling back to\n`$XDG_CACHE_HOME/skills-mcp/vulns` and then `~/.cache/skills-mcp/vulns`).\n`skills-mcp` and `skills-check validate` prefer the user cache and only\nfall back to the repo-bundled sample when the cache is missing or\nincomplete — so populating it is purely additive and does not require\nchanges to skill content. Re-run weekly (or wire up the\n`skills-check scheduler` to do it for you) to stay current with osv.dev.\n\n## Token efficiency\n\nAI coding tools have finite context windows, and every byte of instructions you\ninject costs either tokens (for API tools) or working memory (for IDE tools).\nSecureVibe is designed around three principles:\n\n- **Skills are loaded on demand, not all at once.** The CLI lets you pick exactly\n  which skills your project needs.\n- **Every `SKILL.md` declares a `token_budget` block** with three pre-counted\n  variants: `minimal`, `compact`, and `full`.\n- **The `dist/` files are pre-compiled to a budget tier.** Generated output is\n  checked at build time and the build fails if a variant exceeds its budget.\n\n| Tier | Approx. tokens | Contents | Recommended for |\n|------|----------------|----------|-----------------|\n| `minimal` | \u003c 500 | ALWAYS / NEVER bullet rules only | Expensive API-based tools, very small context budgets |\n| `compact` | \u003c 2000 | Full rules + known false positives + references; no examples or rationale | Default for most IDE integrations |\n| `full` | \u003c 5000 | Rules + examples + rationale + related CWEs | Local models with large context, Devin-style agents |\n\nSelect your tier with `skills-check init --budget compact`. Compact is the default.\n\n## Project layout\n\n```\nskills-library/\n├── README.md  PROPOSAL.md  ARCHITECTURE.md  SIGNING.md  LICENSE\n├── skills/                              # 29 skill definitions (the core product)\n│   ├── secret-detection/                #   74 secret-detection patterns + exclusions + test corpus\n│   ├── dependency-audit/                #   known-malicious package corpus\n│   ├── supply-chain-security/           #   typosquat + dependency-confusion rules\n│   ├── secure-code-review/              #   OWASP Top 10 checklists + injection patterns\n│   ├── api-security/                    #   auth + input validation patterns\n│   ├── compliance-awareness/            #   CWE + OWASP framework mappings\n│   ├── iac-security/                    #   Terraform / CloudFormation / Pulumi\n│   ├── container-security/              #   Dockerfile / K8s / Helm\n│   ├── frontend-security/               #   XSS, CSP, CORS, SRI, trusted types\n│   ├── database-security/               #   SQL injection, ORM safety, RLS\n│   ├── crypto-misuse/                   #   weak ciphers, bad RNG, KDF\n│   ├── auth-security/                   #   JWT, OAuth, sessions, MFA\n│   ├── iam-best-practices/              #   least-privilege roles + policies\n│   ├── serverless-security/             #   Lambda / Cloud Functions IAM\n│   ├── mobile-security/                 #   Android exported components, iOS ATS\n│   ├── ml-security/                     #   model artifacts, poisoning, training-data PII\n│   ├── llm-app-security/                #   prompt injection, output handling, RAG\n│   ├── protocol-security/               #   TLS 1.2+, mTLS, HSTS, gRPC\n│   ├── error-handling-security/         #   information disclosure\n│   ├── logging-security/                #   secrets / PII in logs, log injection\n│   ├── cors-security/                   #   origin allowlists, preflight\n│   ├── cicd-security/                   #   GitHub Actions / GitLab CI hardening\n│   ├── ssrf-prevention/                 #   cloud-metadata + DNS-rebinding sinks\n│   ├── deserialization-security/        #   unsafe deserializers + safe alternatives\n│   ├── graphql-security/                #   depth / cost limits, introspection\n│   ├── file-upload-security/            #   MIME + magic-byte validation\n│   ├── websocket-security/              #   origin check, auth, rate limits\n│   └── saas-security/                   #   GWS / Atlassian / Slack / Salesforce / 14 services\n├── vulnerabilities/                     # Supply-chain vulnerability database\n│   ├── manifest.json                    #   versioned, checksummed, delta-updatable\n│   ├── supply-chain/\n│   │   ├── malicious-packages/          #   ~1,900 entries across 9 ecosystems\n│   │   │                                #   (npm/pypi/crates/go/rubygems/maven/nuget/\n│   │   │                                #   github-actions/docker)\n│   │   ├── typosquat-db/                #   ~270 known typosquats (curated + derived)\n│   │   └── dependency-confusion/        #   internal-namespace patterns\n│   ├── osv/                             #   per-ecosystem OSV.dev cache —\n│   │                                    #   stride-sampled subset across 10\n│   │                                    #   ecosystems (composer, crates, go,\n│   │                                    #   maven, npm, nuget, pub, pypi,\n│   │                                    #   rubygems, swift) for offline\n│   │                                    #   lookups, not comprehensive\n│   │                                    #   vulnerability intelligence;\n│   │                                    #   refresh via scripts/ingest-osv.py\n│   │                                    #   (see DATA_QUALITY.md for counts)\n│   └── cve/\n│       └── code-relevant/               #   58 CVE → code-pattern mappings (2015-2025)\n├── rules/                               # Sigma detection rules\n│   ├── cloud/aws,gcp,azure/             #   CloudTrail / Cloud Audit Logs / Azure AD\n│   ├── endpoint/linux,macos,windows/    #   auditd / UnifiedLog / Sysmon\n│   ├── container/k8s/                   #   API audit / privileged pod / exec\n│   └── saas/o365,gws,salesforce,slack/  #   Mailbox forwarding / admin roles / GWS delegation / SF exports / Slack app scopes\n├── dictionaries/                        # Reference data for AI context\n│   ├── security_terms.yaml\n│   ├── cwe_top25.yaml\n│   ├── owasp_top10_2025.yaml\n│   └── attack_techniques.yaml           #   MITRE ATT\u0026CK subset\n├── dist/                                # Pre-compiled IDE-specific files\n│   ├── CLAUDE.md   .cursorrules   copilot-instructions.md   AGENTS.md\n│   ├── .windsurfrules   devin.md   .clinerules\n│   └── SECURITY-SKILLS.md               #   universal format\n├── cmd/\n│   ├── skills-check/                    # CLI (Go, single binary)\n│   └── skills-mcp/                      # MCP server over JSON-RPC stdio\n├── packaging/                           # OS installers / package manager manifests\n│   ├── macos/ windows/ linux/           #   pkgbuild + MSI + nfpm .deb/.rpm\n│   ├── homebrew/ winget/ scoop/         #   tap formula + winget + scoop\n│   ├── apt-yum/                         #   GitHub Pages-hosted APT / YUM repos\n│   └── codesign/                        #   notarization + Authenticode docs\n├── docs/                                # Install + admin docs\n│   ├── install-{macos,linux,windows}.md\n│   ├── admin-team-rollout.md\n│   └── air-gapped-install.md\n├── profiles/                            # Enterprise --profile mappings\n│   ├── financial-services.yaml\n│   ├── healthcare.yaml\n│   └── government.yaml\n├── compliance/                          # Framework control mappings\n│   ├── soc2_mapping.yaml\n│   ├── hipaa_mapping.yaml\n│   └── pci_dss_mapping.yaml\n├── sdk/                                 # Programmatic access\n│   ├── go/                              #   Re-exports of internal/skill\n│   ├── python/                          #   skillslib Python package\n│   └── typescript/                      #   skillslib npm package\n├── manifest.json                        # Root manifest for signed remote updates\n└── .github/workflows/\n    ├── validate.yml                     # CI: validate all skills, rules, manifests\n    └── release.yml                      # CI: build CLI, tag release, publish manifests\n```\n\n## Documentation\n\n- [PROPOSAL.md](./PROPOSAL.md) — problem statement, design principles, target\n  audience, scope boundaries, and the canonical `SKILL.md` format specification.\n- [ARCHITECTURE.md](./ARCHITECTURE.md) — system diagrams, compiler architecture,\n  update protocol, CLI layout, scheduler implementation, and signing model.\n- [SIGNING.md](./SIGNING.md) — Ed25519 release signing procedure and key\n  management policy.\n- [docs/](./docs/) — install guides (macOS / Linux / Windows / air-gapped) and\n  the team rollout admin guide.\n- [packaging/codesign/README.md](./packaging/codesign/README.md) — macOS\n  notarization and Windows Authenticode signing in the release workflow.\n\n## CLI package layout\n\n```\ncmd/skills-check/\n├── main.go                    # Cobra root command\n├── cmd/                       # init / update / validate / list / regenerate\n│                              # / version / manifest / scheduler / self-update\n│                              # / configure / evidence / new / test\n└── internal/\n    ├── token/                 # tiktoken-go counter + 1.3x Claude multiplier\n    ├── compiler/              # 8 IDE-specific formatters + core compile loop\n    ├── manifest/              # manifest.json: load, checksum, Ed25519 sign /\n    │                          # verify, delta, atomic write\n    ├── updater/               # Remote update: HTTP / dir / tarball sources,\n    │                          # verify-before-replace, rollback\n    └── scheduler/             # Cross-platform scheduled updates\n                               # (launchd / systemd / Task Scheduler)\n\ncmd/skills-mcp/                # Model Context Protocol server (JSON-RPC 2.0 over stdio)\n├── main.go\n└── internal/\n    ├── mcp/                   # JSON-RPC dispatch + tool definitions\n    └── tools/                 # lookup_vulnerability, check_secret_pattern,\n                               # get_skill, search_skills\n\ninternal/skill/                # SKILL.md parser (shared by skills-check and skills-mcp)\n```\n\n## MCP server\n\n`skills-mcp` exposes SecureVibe to AI tools that speak the\n[Model Context Protocol](https://modelcontextprotocol.io). It runs as a\nshort-lived child process spoken to over stdio:\n\n```bash\ngo build -o skills-mcp ./cmd/skills-mcp\nskills-mcp --path /path/to/skills-library\n```\n\nThe server registers fifteen tools on `tools/list`:\n\n- `lookup_vulnerability(package, ecosystem?, version?)` — search the supply-chain\n  malicious-packages database, the typosquat DB, AND the local OSV cache\n  (vulnerabilities/osv/) for known CVE / GHSA / OSV-ID advisories.\n- `check_secret_pattern(text)` — run the secret-detection regex rules against\n  `text`, returning matches with severity and whether they are known false\n  positives.\n- `get_skill(skill_id, budget?)` — return the requested skill at the requested\n  tier (`minimal` / `compact` / `full`).\n- `search_skills(query)` — substring match across skill metadata.\n- `scan_secrets(text | file_path, format?)` — secret scan of inline text or a path\n  under the configured allowed roots; supports the `sarif` output format.\n- `check_dependency(package, version?, ecosystem, format?)` — check a dependency\n  against the malicious-packages corpus, the typosquat DB, the CVE-pattern list,\n  and the local OSV cache; ecosystem-native semver matching (node-semver, PEP 440,\n  Go module pseudo-versions) is used when both sides parse. Optional SARIF output.\n- `check_typosquat(package, ecosystem?)` — flag candidate typosquats from the\n  curated typosquat database.\n- `map_compliance_control(skill_id | query, framework?)` — map an installed\n  skill (or free-text query) to controls in SOC 2, HIPAA, or PCI-DSS.\n- `get_sigma_rule(rule_id | query, category?)` — fetch a Sigma detection rule\n  from `rules/` by ID, free-text query, or category.\n- `version_status()` — report data version, manifest signature state, and\n  whether the loaded library is the canonical signed release.\n- `scan_dependencies(file_path, format?)` — parse a project lockfile or\n  manifest (`package-lock.json`, `package.json`, `yarn.lock`,\n  `pnpm-lock.yaml`, `requirements.txt`, `Pipfile.lock`, `poetry.lock`,\n  `go.sum`, `Cargo.lock`, `pom.xml`,\n  `gradle.lockfile` / `build.gradle.lockfile`, `packages.lock.json`,\n  `*.csproj` / `*.fsproj` / `*.vbproj`, `Gemfile.lock`, `composer.lock`,\n  `Package.resolved`, and `pubspec.lock`) and report every dependency\n  that matches the malicious-packages, typosquat, or CVE databases.\n  Parsers cover every vulnerability-database ecosystem (npm, PyPI,\n  crates, Go, RubyGems, Maven, NuGet, Composer, Swift, Dart/pub — plus\n  GitHub Actions and Docker, which are surfaced via\n  `scan_github_actions` and `scan_dockerfile` respectively). Supports\n  the `sarif` output format.\n- `scan_github_actions(file_path, format?)` — run the\n  `skills/cicd-security/SKILL.md` rules\n  against a workflow file: unpinned actions, missing `permissions:` defaults,\n  `pull_request_target` checkout, untrusted-input script injection,\n  `curl | sh`, and stored cloud credentials. Supports the `sarif` format.\n- `scan_dockerfile(file_path, format?)` — hardening pass over a\n  Dockerfile: untagged / `:latest` base images, `USER root`, secrets in\n  `ENV`/`ARG`, `ADD https://…`, `curl | sh`, and `apt-get install`\n  without version pins. Supports the `sarif` format.\n- `explain_finding(query)` — map a CWE / CVE ID or free-text finding\n  description to the relevant skills and CVE-pattern entries, so a SAST/SCA\n  finding from another scanner can be paired with remediation guidance.\n- `gate(file_path, severity_floor?)` — dispatch the appropriate\n  scanner for `file_path` (falling back to a secret scan for files no\n  specialised scanner claims) and return a CI-friendly `pass` flag plus\n  `exit_code` (0 on pass, 1 on fail). Findings at or above\n  `severity_floor` (default `high`) fail the check; counts are returned\n  per severity so a wrapper can produce a one-line summary.\n\nThe library root is resolved from `--path`, then `$SKILLS_LIBRARY_PATH`, then the\ndirectory containing the binary.\n\n### Same tools, from the terminal\n\nThe eight tools that operate on packages or files are also exposed as\ntop-level `skills-check` subcommands so they fit into shell scripts,\npre-commit hooks, and CI steps without anyone having to speak JSON-RPC.\nBoth surfaces share the same Go library, so a finding from\n`skills-check scan-dockerfile foo.Dockerfile` is bit-identical to the\ncorresponding `scan_dockerfile` MCP tool response.\n\n```bash\n# Package lookups\nskills-check check-dependency  --package axios   --version 0.21.1 --ecosystem npm --vuln-source hybrid\nskills-check check-typosquat   --package lodahs  --ecosystem npm\nskills-check lookup-vulnerability --package event-stream --ecosystem npm\n\n# File scanners (a file, or a directory to scan recursively)\nskills-check scan-secrets         src/server.js\nskills-check scan-secrets         ./src                 # walks the tree\nskills-check scan-dependencies    package-lock.json\nskills-check scan-dependencies    .                     # auto-discovers lockfiles\nskills-check scan-dockerfile      Dockerfile\nskills-check scan-github-actions  .github/workflows/ci.yml\n\n# Write an HTML + PDF report into a folder instead of the terminal\nskills-check scan-dependencies    . --report-dir ./reports\n\n# CI gate — non-zero exit when findings meet --severity-floor\nskills-check gate Dockerfile --severity-floor high\n```\n\nEvery scan-/check- subcommand accepts `--format text` (default,\nhuman-readable), `--format json` (matches the MCP server's response\nschema field-for-field), and where the underlying scanner supports it,\n`--format sarif` for CI ingestion. The `--vuln-source` flag is\nthreaded through to the same `local | external | hybrid` modes\ndocumented in [Live OSV.dev lookups](#live-osvdev-lookups-via---vuln-source-opt-in-enrichment).\n\nEvery `scan-*` subcommand also accepts `--report-dir \u003cdir\u003e`. When set,\nthe scanner writes a self-contained, styled **HTML report** and a\nmatching **PDF** (`\u003ccommand\u003e-report.html` and `\u003ccommand\u003e-report.pdf`)\ninto that directory instead of printing to the terminal; the directory\nis created if it does not exist. The HTML report has a clickable\nsummary bar — **file(s) scanned** shows every file (including clean\nones), **finding(s)** shows only files with findings, and each severity\nbadge filters to that severity — and you can Print → Save as PDF from a\nbrowser as well. On a directory scan the PDF and terminal output list\nonly files that actually have findings, while the summary still counts\nevery file scanned.\n\nThe file scanners read their rule data from a skills-library checkout.\nWhen you run them outside this repo — in a CI step, a pre-commit hook, or\nanother project — point them at the data tree once via the\n`SKILLS_LIBRARY_PATH` environment variable instead of passing `--path` on\nevery call (resolution order: explicit `--path` → `$SKILLS_LIBRARY_PATH` →\ncurrent directory). If no rule data is found the command exits non-zero\nwith an error, so a misconfigured gate fails loudly rather than silently\npassing:\n\n```bash\nexport SKILLS_LIBRARY_PATH=/opt/skills-library   # data tree, set once\nskills-check gate Dockerfile --severity-floor high\n```\n\nArguments can be files or directories. A directory is walked — skipping\n`.git`, `node_modules`, `vendor`, and build output — and gated in one call\nfor both specialised findings (every Dockerfile, lockfile, and\n`.github/workflows/*.yml`) and secrets in any other text file:\n\n```bash\nskills-check gate . --severity-floor high      # gate the whole repo\n```\n\nEmpty, oversized, and binary files are skipped during the walk so the scan\nstays fast and avoids entropy false positives on images and build artefacts.\n\n### Gate in pre-commit and CI\n\nThe `gate` command is also wired up as a [pre-commit](https://pre-commit.com)\nhook and a GitHub Action, both of which run the published\n`@shieldnet360/secure-code-mcp` package (binary + data bundled, no checkout\nneeded).\n\n**pre-commit** — add to `.pre-commit-config.yaml`:\n\n```yaml\nrepos:\n  - repo: https://github.com/shieldnet-360/securevibe\n    rev: v0.4.0            # a release tag that ships the CLI\n    hooks:\n      - id: secure-code-gate\n```\n\nIt runs `secure-code-check gate` over the staged files and blocks the commit\nwhen any finding meets the severity floor (default `high`; override with\n`args: [\"--severity-floor\", \"critical\"]`).\n\n**GitHub Actions** — gate specific files in a workflow:\n\n```yaml\n- uses: shieldnet-360/securevibe@v0.4.0\n  with:\n    files: Dockerfile package-lock.json .github/workflows/ci.yml\n    severity-floor: high\n```\n\nTo also surface the findings in GitHub Code Scanning (Security tab + PR\nannotations), set `sarif-file` and grant the workflow the upload permission —\nthe job still fails when any finding meets the severity floor:\n\n```yaml\npermissions:\n  contents: read\n  security-events: write\n\nsteps:\n  - uses: actions/checkout@v4\n  - uses: shieldnet-360/securevibe@vNEXT   # first tag with gate --format sarif\n    with:\n      files: Dockerfile package-lock.json .github/workflows/ci.yml\n      severity-floor: high\n      sarif-file: gate.sarif\n```\n\n### Extend the block list when you learn something (LEARN loop)\n\nFound a bad package the curated database doesn't know yet? Block it immediately\n— locally, with no round trip:\n\n```bash\nskills-check contribute add -p evil-pkg -e npm \\\n  --reason \"exfiltrates AWS creds in a postinstall script\"\n\nskills-check gate package.json --severity-floor high   # now fails on evil-pkg\n```\n\n`contribute add` writes only to `.skills-check/overlay.json` in your project;\nthe rule never leaves your machine. Sharing widens by blast radius:\n\n| Scope | How | Who enforces it |\n|-------|-----|-----------------|\n| **You** | `contribute add` writes `.skills-check/overlay.json` | every local `check`/`scan`/`gate` |\n| **Team** | commit `.skills-check/overlay.json` | every teammate's gate (git is the fan-out) + CI, on next pull |\n| **Org** | point `SKILLS_CHECK_OVERLAY` at a shared overlay file outside any repo (OS path-list separated for several) | every `skills-check` invocation, across all repos and CI jobs |\n\nWhen you want to share a finding upstream, `contribute keygen` +\n`contribute submit --key …` produces a **signed**, portable candidate that a\nreviewer can `contribute verify` before it is promoted into the central,\ncentrally-signed database. Crowdsource candidates, centralize trust — see\n**[Contribute a Finding](docs/contribute.md)**.\n\n## Building and running tests\n\n```bash\ngo build -trimpath -ldflags \"-s -w\" -o skills-check ./cmd/skills-check\ngo build -trimpath -ldflags \"-s -w\" -o skills-mcp   ./cmd/skills-mcp\ngo test ./...                                       # covers CLI + MCP server\n./skills-check validate                             # check SKILL.md frontmatter + budgets\n./skills-check list                                 # enumerate skills with token counts\n./skills-check regenerate                           # rebuild dist/ files\n./skills-check manifest compute --path . --write    # recompute SHA-256 checksums\n./skills-check manifest verify  --path . --checksums-only  # verify committed checksums\n```\n\nThe same commands run in CI on every PR. `skills-check validate` enforces the\nper-skill token budgets declared in each `SKILL.md` frontmatter; `skills-check\nregenerate` rebuilds every file in `dist/` and CI fails if the committed copy\ndiffers from the regenerated output.\n\n## Signing model\n\nRelease manifests are signed with **Ed25519**. The public key is embedded in the\nCLI binary at build time via `-ldflags -X`. See [SIGNING.md](./SIGNING.md) for the\nout-of-band YubiKey-backed signing procedure and key management policy.\n\n## Platform support\n\n| OS | Architectures | CLI install | Scheduled updates |\n|----|---------------|-------------|-------------------|\n| macOS | `amd64`, `arm64` | `brew install shieldnet-360/tap/skills-check`, `go install` | `launchd` |\n| Linux | `amd64`, `arm64` | `.deb`, `.rpm`, `go install`, `apt`, `yum` | `systemd` user timer |\n| Windows | `amd64` | MSI, `winget`, `scoop`, `go install` | Task Scheduler |\n\n## Skill catalogue\n\nAll 29 skills are language-agnostic unless otherwise noted.\n\n| Skill | Category | Severity | Languages |\n|-------|----------|----------|-----------|\n| `secret-detection` | prevention | critical | * |\n| `dependency-audit` | supply-chain | high | * |\n| `secure-code-review` | prevention | high | * |\n| `supply-chain-security` | supply-chain | critical | * |\n| `api-security` | prevention | high | * |\n| `compliance-awareness` | compliance | medium | * |\n| `iac-security` | hardening | high | hcl, yaml, json |\n| `container-security` | hardening | high | dockerfile, yaml |\n| `electron-security` | hardening | critical | javascript, typescript |\n| `frontend-security` | prevention | high | javascript, typescript, html |\n| `database-security` | prevention | high | sql, javascript, typescript, python, java, go |\n| `crypto-misuse` | prevention | high | * |\n| `auth-security` | prevention | critical | * |\n| `iam-best-practices` | hardening | high | * |\n| `serverless-security` | hardening | high | python, javascript, typescript, java, yaml |\n| `mobile-security` | hardening | high | java, kotlin, swift, objective-c |\n| `ml-security` | prevention | high | python, jupyter |\n| `llm-app-security` | prevention | critical | python, javascript, typescript, go, * |\n| `protocol-security` | hardening | high | * |\n| `error-handling-security` | prevention | medium | * |\n| `logging-security` | prevention | high | * |\n| `cors-security` | hardening | medium | javascript, typescript, python, go, java |\n| `cicd-security` | prevention | critical | yaml, shell, * |\n| `ssrf-prevention` | prevention | critical | * |\n| `deserialization-security` | prevention | critical | java, python, csharp, php, ruby, javascript, typescript |\n| `graphql-security` | prevention | high | javascript, typescript, python, go, java, kotlin, csharp, ruby |\n| `file-upload-security` | prevention | high | * |\n| `websocket-security` | prevention | high | javascript, typescript, python, go, java, csharp, ruby, elixir |\n| `saas-security` | prevention | critical | * |\n\n## Enterprise profiles\n\n`skills-check init` and `skills-check regenerate` accept `--profile \u003cname\u003e` to\nselect a curated, compliance-aligned subset of skills:\n\n| Profile | Frameworks | Use case |\n|---------|-----------|----------|\n| `financial-services` | PCI-DSS v4.0, SOC 2 | Banks, fintech, payment processors |\n| `healthcare` | HIPAA Security Rule | Hospitals, telehealth, claims processing |\n| `government` | FedRAMP, NIST SP 800-53 Rev. 5 | Public-sector workloads |\n\nProfile definitions live under [`profiles/`](./profiles).\n\n## Compliance evidence\n\n```bash\nskills-check evidence --framework SOC2    --format markdown --out evidence.md\nskills-check evidence --framework HIPAA   --format json\nskills-check evidence --framework PCI-DSS --format markdown\n```\n\nThe command maps controls to installed skills using YAML files in\n[`compliance/`](./compliance) and emits a timestamped compliance coverage report\nmapping installed skills to framework controls. The report is a developer-facing\ncoverage map, not a substitute for a real audit — which still requires runtime\nevidence, change-management records, access reviews, and so on.\n\n## Private repositories\n\nFor air-gapped or internal deployments, point the CLI at your own signed bundle:\n\n```bash\nskills-check configure \\\n  --source https://skills.internal.example.com \\\n  --bearer-token-env SKILLS_TOKEN \\\n  --trusted-key /etc/skills/orgkey.pem \\\n  --profile financial-services\n```\n\nThis writes `.skills-check.yaml` next to the repo. The updater accepts multiple\ntrusted Ed25519 keys (`VerifyAny`) and authenticated HTTPS pulls.\n\n## SDKs\n\nMinimal Go, Python, and TypeScript SDKs live under [`sdk/`](./sdk).\n\n```go\nimport skillslib \"github.com/shieldnet-360/securevibe/sdk/go\"\n\ns, _ := skillslib.LoadSkill(\"skills/secret-detection/SKILL.md\")\nfmt.Println(skillslib.Extract(s, skillslib.TierCompact))\n```\n\n```python\nimport skillslib\ns = skillslib.load_skill(\"skills/secret-detection/SKILL.md\")\nprint(skillslib.extract(s, \"compact\"))\n```\n\n```ts\nimport { loadSkill, extract } from \"@skills-library/skillslib\";\nconst s = loadSkill(\"skills/secret-detection/SKILL.md\");\nconsole.log(extract(s, \"compact\"));\n```\n\n## Contributing\n\nWe welcome contributions from the community. Please see\n[CONTRIBUTING.md](./CONTRIBUTING.md) for the full guide and\n[AGENTS.md](./AGENTS.md) for the project's AI-assisted-contribution\npolicy (TL;DR: AI tools may be used to assist, but fully or\npredominantly AI-generated pull requests are not accepted). In brief:\n\n- **Skill contributions** — add a new directory under `skills/` with a `SKILL.md`\n  and associated rules. Use [`skills/secret-detection/`](./skills/secret-detection)\n  as the reference implementation.\n- **Vulnerability data** — add entries to `vulnerabilities/supply-chain/` JSON\n  files via PR. Every entry must include at least one external reference (CVE\n  ID, advisory URL, or reputable disclosure write-up).\n- **Detection rules** — add Sigma YAML files to `rules/`. Follow the existing\n  taxonomy (`cloud/`, `endpoint/`, `container/`, `saas/`).\n- **False positive fixes** — update the `exclusions:` block of\n  `skills/secret-detection/checklists/secret_detection.yaml` (or the\n  equivalent exclusion file for another skill). False-positive PRs are\n  merged quickly.\n- **IDE integration** — improve the templates in the `dist/` compiler for\n  specific tools.\n- Run `skills-check validate` and `go test ./...` before submitting a PR. CI\n  runs the same checks and rejects PRs that fail.\n\nTo report a security issue privately, see [SECURITY.md](./SECURITY.md).\n\n## License and attribution\n\nSecureVibe is released under the [MIT License](./LICENSE).\n\n\u003e Copyright (c) 2024-2026 **ShieldNet360** — https://www.shieldnet360.com\n\nThe project is maintained by [ShieldNet360](https://www.shieldnet360.com) and is\nfree to fork, embed, and ship in commercial products. We ask only that the MIT\ncopyright notice and the attribution above are preserved in derivative works.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fshieldnet-360%2Fsecurevibe","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fshieldnet-360%2Fsecurevibe","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fshieldnet-360%2Fsecurevibe/lists"}