Metadata-Version: 2.4
Name: cve-guard
Version: 1.0.1
Summary: Scan projects for CVEs in AI-generated dependencies. Zero API calls. Works offline.
Author-email: NOUMENON <hello@noumenon.ai>
License: MIT
Project-URL: Homepage, https://github.com/noumenon-ai/cve-guard
Project-URL: Repository, https://github.com/noumenon-ai/cve-guard
Project-URL: Issues, https://github.com/noumenon-ai/cve-guard/issues
Keywords: cve,security,vulnerability,scanner,cli
Classifier: Development Status :: 4 - Beta
Classifier: Intended Audience :: Developers
Classifier: License :: OSI Approved :: MIT License
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Topic :: Security
Classifier: Topic :: Software Development :: Quality Assurance
Requires-Python: >=3.10
Description-Content-Type: text/markdown
License-File: LICENSE
Requires-Dist: typer>=0.9.0
Requires-Dist: rich>=13.0.0
Dynamic: license-file
Dynamic: requires-python

# CVE-Guard

**Stop AI from writing vulnerable code.**

One command. Zero API calls. Works offline.

```
$ cve-guard scan ./my-project
```

> Built by NOUMENON — AI agents that debate, evolve, and build.
> Want AI that thinks before it codes? noumenon.ai

![PyPI](https://img.shields.io/pypi/v/cve-guard)
![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)
![Python 3.10+](https://img.shields.io/badge/python-3.10+-blue.svg)

## Why This Exists

AI-generated code has 1.7x more vulnerabilities than human code.
Copilot, Cursor, and Claude don't check if the packages they suggest
have known CVEs. cve-guard does.

Run it before you commit. Run it in CI. Sleep better.

## Install

```bash
pip install cve-guard
```

## Usage

```bash
# Scan a project directory
cve-guard scan ./my-project

# Only show critical and high severity
cve-guard scan --severity critical

# Check a single package
cve-guard check react 18.2.0

# JSON output for CI/CD
cve-guard scan --format json

# Show fix commands
cve-guard scan --fix

# View the full CVE database
cve-guard db
```

## Output

```
  CVE-GUARD — Vulnerability Scanner v1.0.1

  Scanning: ./my-nextjs-app/package.json
  Found: 24 dependencies

  CRITICAL VULNERABILITIES
  Package                   CVE              CVSS  Installed  Fix
  next                      CVE-2025-29927    9.1  15.1.4     >= 15.2.3
  react-server-dom-webpack  CVE-2025-55182   10.0  19.2.0     >= 19.2.1

  MEDIUM VULNERABILITIES
  Package  CVE              CVSS  Installed  Fix
  axios    CVE-2023-45857    6.5  1.4.0      >= 1.6.0

  Summary: 2 critical | 1 medium

  Fix commands:
    npm install next@15.2.3 react-server-dom-webpack@19.2.1 axios@1.6.0
```

## CVEs Currently Detected

Every entry is verified against MITRE and/or the GitHub Advisory Database. Two things to keep in mind when reading the table: the Severity column does not track the CVSS numeric bands exactly (pillow is listed HIGH at 6.7, django MEDIUM at 3.7), so when filtering with `--severity`, pick the label you want rather than reasoning from a score cutoff; and where several versions appear under "Fixed in", each is the first patched release of a separate release branch, so a version below the newest fix is not necessarily affected if its own branch has already been patched (next 14.2.25 is fixed even though it is below 15.2.3).

| Package | CVE / Advisory | CVSS | Severity | Fixed in |
|---------|----------------|------|----------|----------|
| react-server-dom-webpack / -turbopack / -parcel | CVE-2025-55182 | 10.0 | CRITICAL | 19.0.1 / 19.1.2 / 19.2.1 |
| next | CVE-2025-29927 | 9.1 | CRITICAL | 15.2.3 / 14.2.25 / 13.5.9 / 12.3.5 |
| golang.org/x/crypto | CVE-2024-45337 | 9.1 | CRITICAL | 0.31.0 |
| react-router | CVE-2025-59057 | 7.6 | HIGH | 7.9.0 |
| flask | CVE-2023-30861 | 7.5 | HIGH | 2.3.2 / 2.2.5 |
| cryptography | CVE-2024-26130 | 7.5 | HIGH | 42.0.4 |
| rack | CVE-2026-34829 | 7.5 | HIGH | 3.2.6 / 3.1.21 / 2.2.23 |
| nokogiri | GHSA-c4rq-3m3g-8wgx | 7.5 | HIGH | 1.19.3 |
| rustls | CVE-2024-32650 | 7.5 | HIGH | 0.23.5 / 0.22.4 / 0.21.11 |
| lodash | CVE-2021-23337 | 7.2 | HIGH | 4.17.21 |
| pillow | CVE-2024-28219 | 6.7 | HIGH | 10.3.0 |
| axios | CVE-2023-45857 | 6.5 | MEDIUM | 1.6.0 / 0.28.0 |
| jsonwebtoken | CVE-2022-23540 | 6.4 | MEDIUM | 9.0.0 |
| express | CVE-2024-29041 | 6.1 | MEDIUM | 4.19.2 |
| requests | CVE-2024-35195 | 5.6 | MEDIUM | 2.32.0 |
| django | CVE-2024-45231 | 3.7 | MEDIUM | 5.1.1 / 5.0.9 / 4.2.16 |

## Supported Languages

- **JavaScript/Node.js** — package.json
- **Python** — requirements.txt, pyproject.toml
- **Ruby** — Gemfile
- **Go** — go.mod
- **Rust** — Cargo.toml

All five manifest formats are parsed. The bundled database currently has
the deepest coverage for JavaScript and Python, plus verified entries for
Ruby (rack, nokogiri), Go (golang.org/x/crypto) and Rust (rustls).

The list above contains manifests, not lockfiles. A range such as `^14.2.20`
in package.json only bounds what may be installed, while package-lock.json,
poetry.lock, Gemfile.lock, go.sum and Cargo.lock record what actually was,
and transitive dependencies appear only there. Pin direct dependencies
exactly if you want a manifest scan to reflect what really runs.
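The per-branch fix versions in the table above (next is patched in 15.2.3, 14.2.25, 13.5.9 and 12.3.5; rustls in 0.23.5, 0.22.4 and 0.21.11) and the manifest-only parsing described here are the two details that matter most when a declared version is matched against an advisory. The following is an added example of how that matching can be done; it is not cve-guard's own `database.py`, matcher or parser. The `ENTRIES` layout, the function names (`parse_version`, `lower_bound`, `branch_width`, `check`, `scan_package_json`) and the sample package.json are assumptions made for illustration; the CVE identifiers and fix versions are copied from the table.

```python
"""Match declared dependency versions against per-branch fix versions.

Added example, not cve-guard's own database.py, matcher or manifest parser.
The entry layout (one fix per release branch under "fixed_in"), the function
names and the sample manifest are assumptions made for illustration.
"""
import json
import re

# Hypothetical database shape. Fix versions are those listed in the README
# table; each is the first patched release of one release branch.
ENTRIES = {
    "next": {"id": "CVE-2025-29927", "fixed_in": ["15.2.3", "14.2.25", "13.5.9", "12.3.5"]},
    "rustls": {"id": "CVE-2024-32650", "fixed_in": ["0.23.5", "0.22.4", "0.21.11"]},
    "axios": {"id": "CVE-2023-45857", "fixed_in": ["1.6.0", "0.28.0"]},
    "lodash": {"id": "CVE-2021-23337", "fixed_in": ["4.17.21"]},
}
_VERSION_RE = re.compile(r"v?(\d+(?:\.\d+)*)")
_TOKEN_RE = re.compile(r"(<=|>=|==|~=|\^|~|>|<|=)?\s*v?(\d+(?:\.\d+)*)")


def parse_version(text):
    """'15.1.4' -> (15, 1, 4); pre-release and build suffixes are ignored."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def lower_bound(spec):
    """Lowest version a manifest range admits, or None if it has no floor.
    Handles npm ('^14.2.20', '~1.4.0', '>=1.5.0 <2', '18.2.0') and pip
    ('==2.2.3', '>=2.31,<3') specifiers; '*', 'latest' and git/file/workspace
    references give None. Only the lockfile knows the resolved version.
    """
    if "://" in spec or spec.strip().startswith(("workspace:", "file:", "git")):
        return None
    floors = [ver for op, ver in _TOKEN_RE.findall(spec) if op not in ("<", "<=")]
    return parse_version(floors[0]) if floors else None


def branch_width(fixes):
    """Leading components needed to tell the fix releases apart: next's
    15.2.3 / 14.2.25 / 13.5.9 / 12.3.5 -> 1, rustls' 0.23.5 / 0.22.4 / 0.21.11
    -> 2, a single fix -> 0 (one branch covers every version)."""
    if len(fixes) < 2:
        return 0
    longest = max(len(f) for f in fixes)
    for width in range(1, longest + 1):
        if len({f[:width] for f in fixes}) == len(fixes):
            return width
    return longest


def check(package, installed, entries=ENTRIES):
    """Return (advisory_id, fix_version) if `installed` is affected, else None.
    The fix on the installed branch wins: next 14.2.20 gets fix 14.2.25, not
    15.2.3, and 14.2.26 is not flagged although it is below 15.2.3. With no
    matching branch, a version below every fix is an unpatched older line
    (affected); one at or above the newest fix is treated as patched.
    """
    entry = entries.get(package)
    if entry is None:
        return None
    fixes = sorted(parse_version(f) for f in entry["fixed_in"])
    width = branch_width(fixes)
    same_branch = [f for f in fixes if f[:width] == installed[:width]]
    if same_branch:
        target = same_branch[0]
    elif installed < fixes[-1]:
        target = fixes[-1]
    else:
        return None
    if installed >= target:
        return None
    return entry["id"], ".".join(map(str, target))


def scan_package_json(text, entries=ENTRIES):
    """Findings for a package.json as (name, declared floor, advisory, fix)."""
    findings = []
    manifest = json.loads(text)
    for section in ("dependencies", "devDependencies"):
        for name, spec in manifest.get(section, {}).items():
            floor = lower_bound(spec)
            if floor is None:
                continue  # no floor to compare; only the lockfile can answer
            hit = check(name, floor, entries)
            if hit:
                findings.append((name, ".".join(map(str, floor)), *hit))
    return findings


# Constructed sample manifest, not taken from any real project.
SAMPLE_PACKAGE_JSON = json.dumps({
    "dependencies": {"next": "^14.2.20", "axios": "~1.4.0", "react": "^18.2.0"},
    "devDependencies": {"lodash": "4.17.21", "eslint": "*"},
})
```

Calling `scan_package_json(SAMPLE_PACKAGE_JSON)` flags `next` (floor 14.2.20, fix 14.2.25 rather than 15.2.3) and `axios` (floor 1.4.0, fix 1.6.0), leaves `react` alone because it has no entry, passes `lodash` at exactly 4.17.21, and skips the `*` range because a manifest gives it no floor to compare. The `^14.2.20` hit is the conservative reading of a range; if the lockfile already records 14.2.25 or later, the project is not affected, which is why resolved versions beat declared ones when both are available.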

## CI/CD Integration

### GitHub Action

```yaml
name: CVE Guard
on: [push, pull_request]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: pip install cve-guard
      - run: cve-guard scan . --format json --severity high
```

### Pre-commit Hook

```yaml
repos:
  - repo: https://github.com/noumenon-ai/cve-guard
    rev: v1.0.0
    hooks:
      - id: cve-guard
        name: CVE Guard
        entry: cve-guard scan
        language: python
        pass_filenames: false
```

## Contributing

Found a new CVE? Open a PR to add it to `database.py`.

## License

MIT

---

Part of the NOUMENON ecosystem.
NOUMENON is a multi-agent AI build system where agents debate
the best approach before writing a single line of code.

Built by [Noumenon](https://github.com/Noumenon-ai)
