This release adds 1 notable feature for engineering teams evaluating rollout.
✓ No known CVEs patched in this version
Topics
+14 more
Summary
AI summaryCross-file taint analysis added via analyze_cross_file_dataflow MCP tool.
Full changelog
What's New
Cross-file taint analysis — new analyze_cross_file_dataflow MCP tool that tracks tainted data flowing across module boundaries.
How it works
- Resolves imports/exports between files
- Builds a module graph
- Identifies exported functions whose parameters flow to dangerous sinks
- Finds call sites that pass tainted user input to those functions
- Reports the full cross-file flow chain: source → call → sink
Detects across files
- SQL injection (req.body → helper → db.query)
- XSS (user input → renderer → innerHTML)
- Open redirect (searchParams → nav helper → redirect)
- Code injection (input → processor → eval)
- Path traversal (user path → file util → readFileSync)
Example
[SOURCE] http-input -> userId in src/routes/users.ts:3
[CALL] runQuery(userId) in src/routes/users.ts:4
[SINK] sql-injection in src/lib/db.ts:4
26 tools, 313 rules.
Weekly OSS security release digest.
The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.
No spam, unsubscribe anytime.
Share this release
About goklab/guardvibe
Security MCP for vibe coding with 330 rules and 29 tools. Purpose-built for AI-generated code — scans Next.js, Supabase, Clerk, Stripe, Prisma, Hono, GraphQL, and 25+ modules. Cross-file taint analysis, host security audit, auto-fix, SARIF export, pre-commit hook, and CVE version detection. Zero config, runs locally.
Related context
Beta — feedback welcome: [email protected]