# GoodVibesOnly - Security Scanner
Automatically scan for security vulnerabilities before code leaves the developer's machine.
## When to Auto-Invoke
Run this skill BEFORE executing any:
- `git commit`
- `git push`
- Deploy commands
Run this skill WHEN user says:
- "commit this"
- "push to main"
- "ship it"
- "is this safe?"
- "check security"
- "goodvibesonly"
- "ready to deploy"
## Quick Scan Checklist
Scan changed files for:
### 🔴 CRITICAL (Stop and fix)

#### Hardcoded secrets
```regex
sk-[a-zA-Z0-9]{20,}                 # OpenAI
sk-ant-[a-zA-Z0-9-]{20,}            # Anthropic
AKIA[0-9A-Z]{16}                    # AWS
ghp_[a-zA-Z0-9]{36}                 # GitHub
sk_(live|test)_[a-zA-Z0-9]{24,}     # Stripe
api_key\s*=\s*["'][^"']+["']        # Generic API key
password\s*=\s*["'][^"']+["']       # Hardcoded password
-----BEGIN.*PRIVATE KEY-----        # Private key
```
#### Injection
```regex
query.+.user                # SQL injection (concat)
execute.${                  # SQL injection (template)
exec(.+                     # Command injection
subprocess.shell=True       # Shell injection
eval(.[a-zA-Z_]             # Code injection
```
#### Dangerous config
```regex
origin.["']*["']            # CORS allow all
verify\s=\s*False           # SSL disabled
rejectUnauthorized.*false   # SSL disabled (Node)
```
### 🟡 HIGH (Warn)
```regex
innerHTML\s*=               # XSS
dangerouslySetInnerHTML     # XSS (React)
v-html=                     # XSS (Vue)
pickle\.loads               # Insecure deserialization
yaml\.load\(                # Unsafe YAML
md5\(.*password             # Weak crypto
sha1\(.*password            # Weak crypto
```
### 🟢 MEDIUM (Note)
```regex
debug.*=.*true              # Debug mode
console\.log.*password      # Logged secrets
TODO.*security              # Security TODOs
http://(?!localhost)        # Non-HTTPS
```
## Response Protocol
If CRITICAL issues found:
- List all issues with file:line
- Show the problematic code
- Explain the fix
- Ask: "Want me to fix these before committing?"
- Do NOT proceed with commit until fixed or user explicitly overrides
If HIGH issues found:
- List issues
- Ask: "These should be fixed. Continue anyway?"
If only MEDIUM or clean:
- Brief summary
- Proceed with the requested action
## Allowlist Flow
When a user wants to suppress a specific finding, follow this flow:
- User says something like "allow the dangerouslySetInnerHTML one" or "ignore the XSS finding"
- Ask: "One-time (this commit only) or permanent?"
- Ask for reason: "What's the reason for allowing this?" (e.g., "Sanitized with DOMPurify")
### One-Time Allow
- Read existing `.goodvibesonly.json` (or create `{ "allow": [] }` if missing)
- Add the temporary entry to the `allow` array
- Write the file (do not stage it with `git add`)
- Re-run the commit command
- After commit completes, remove the temporary entry from `.goodvibesonly.json`
- If the file is now empty (`{ "allow": [] }`), delete it
### Permanent Allow
- Read existing `.goodvibesonly.json` (or create `{ "allow": [] }` if missing)
- Add the entry to the `allow` array with the user's reason
- Write the file (leave it for the user to commit when ready)
- Re-run the commit command
- Tell the user: "Added permanent allowlist rule. You can commit `.goodvibesonly.json` when ready."
## Config Format: `.goodvibesonly.json`
```json
{
  "allow": [
    { "pattern": "XSS via dangerouslySetInnerHTML", "reason": "Sanitized with DOMPurify" },
    { "path": "test/**", "reason": "Test files contain intentional patterns" },
    { "pattern": "SQL Injection", "path": "src/db/raw.js", "reason": "Parameterized at call site" }
  ]
}
```

- `pattern` only: suppress that pattern in all files
- `path` only: suppress all patterns in matching files (supports `*` and `**` globs)
- `pattern` + `path`: suppress a specific pattern in specific files
- Pattern names must match exactly; run `node bin/scan.js --list-patterns` to see all names
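The allowlist semantics above (pattern-only, path-only, pattern + path with globs) together with the Response Protocol, shown as an added JavaScript example; this is not the project's `bin/scan.js`, it uses only four of the checklist patterns, and the pattern names and sample file contents are constructed for the example, not the scanner's real names.

```javascript
// Added example, not the project's own scanner. Pattern names are assumed.
const PATTERNS = [
  { name: "Hardcoded API Key", severity: "CRITICAL", re: /sk-[a-zA-Z0-9]{20,}/ },
  { name: "Hardcoded password", severity: "CRITICAL", re: /password\s*=\s*["'][^"']+["']/ },
  { name: "XSS via dangerouslySetInnerHTML", severity: "HIGH", re: /dangerouslySetInnerHTML/ },
  { name: "Logged secrets", severity: "MEDIUM", re: /console\.log.*password/ },
];

// Glob such as "test/**" or "src/*.js" -> RegExp: "**" spans directories, "*" one path segment.
function globToRegExp(glob) {
  const esc = glob.replace(/[.+?^${}()|[\]\\]/g, "\\$&")
    .replace(/\*\*/g, "\u0000").replace(/\*/g, "[^/]*").replace(/\u0000/g, ".*");
  return new RegExp(`^${esc}$`);
}

// An allow entry suppresses a finding when every field the entry specifies matches.
function isAllowed(finding, allow) {
  return allow.some((rule) =>
    (!rule.pattern || rule.pattern === finding.name) &&
    (!rule.path || globToRegExp(rule.path).test(finding.file)));
}

// files: { "path": "contents" } for the changed files; config: parsed .goodvibesonly.json
function scan(files, config = { allow: [] }) {
  const findings = [];
  for (const [file, text] of Object.entries(files)) {
    text.split("\n").forEach((line, i) => {
      for (const p of PATTERNS) {
        if (p.re.test(line)) findings.push({ name: p.name, severity: p.severity, file, line: i + 1 });
      }
    });
  }
  const kept = findings.filter((f) => !isAllowed(f, config.allow));
  const has = (s) => kept.some((f) => f.severity === s);
  // Response Protocol: CRITICAL blocks the commit, HIGH warns, MEDIUM-only or clean proceeds.
  const decision = has("CRITICAL") ? "block" : has("HIGH") ? "warn" : "proceed";
  return { findings: kept, decision };
}

// Constructed sample contents of three changed files (not real project code).
const SAMPLE_FILES = {
  "src/config.js": 'const API_KEY = "sk-abcdefghijklmnopqrstuvwxyz0123";',
  "src/components/Comment.jsx": "<div dangerouslySetInnerHTML={{__html: comment.body}} />",
  "test/fixtures.js": 'const password = "hunter2";',
};
// Constructed allowlist: path-only rule for tests, pattern + path rule for the sanitized component.
const SAMPLE_CONFIG = { allow: [
  { path: "test/**", reason: "Test files contain intentional patterns" },
  { pattern: "XSS via dangerouslySetInnerHTML", path: "src/components/*.jsx", reason: "Sanitized with DOMPurify" },
] };
console.log(JSON.stringify(scan(SAMPLE_FILES, SAMPLE_CONFIG), null, 2));
```

With the sample config only the hardcoded key in `src/config.js` survives, so the decision is `block`; without the config all three findings are reported.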
## Show the User What Changed
After adding an entry, show the user what was added:

```text
Added to .goodvibesonly.json:
{ "pattern": "XSS via dangerouslySetInnerHTML", "reason": "Sanitized with DOMPurify" }
```

## Example Output
```text
🛡️ GoodVibesOnly Security Scan

Scanned 8 files with changes.

🔴 CRITICAL - Must fix:

1. Hardcoded API Key
   src/config.js:15
   const API_KEY = "sk-abc123..."
   → Move to environment variable

2. SQL Injection
   src/db/users.js:42
   db.query("SELECT * FROM users WHERE id = " + id)
   → Use parameterized query: db.query("SELECT * FROM users WHERE id = ?", [id])

🟡 HIGH - Should fix:

3. XSS Risk
   src/components/Comment.jsx:28
   <div dangerouslySetInnerHTML={{__html: comment.body}} />
   → Sanitize with DOMPurify before rendering

Found 2 critical, 1 high, 0 medium issues.
Commit blocked. Want me to fix the critical issues?
```