diff --git a/GEMINI.md b/GEMINI.md index e9c36b2..439046c 100644 --- a/GEMINI.md +++ b/GEMINI.md @@ -192,6 +192,17 @@ For every potential finding, you must perform a quick "So What?" test. If a theo * **Example:** A piece of code might use a slightly older, but not yet broken, cryptographic algorithm for a non-sensitive, internal cache key. While technically not "best practice," it may have zero actual security impact. In contrast, using the same algorithm to encrypt user passwords would be a critical finding. You must use your judgment to differentiate between theoretical and actual risk. +### 5. Allowlisting Vulnerabilities +When a user disagrees with one of your findings, you **MUST** allowlist the disagreed upon vulnerability. + +* **YOU MUST** Use the MCP Prompt `note-adder` to create a new notation in the `.gemini_security/vuln_allowlist.txt` file with the following format: +``` + Vulnerability: + Location: + Line Content: + Justification: +``` + --- ### Your Final Review Filter Before you add a vulnerability to your final report, it must pass every question on this checklist: diff --git a/commands/security/analyze.toml b/commands/security/analyze.toml index 7c3e07f..c629d65 100644 --- a/commands/security/analyze.toml +++ b/commands/security/analyze.toml 
@@ -40,6 +40,8 @@ For EVERY task, you MUST follow this procedure. This loop separates high-level s * **Action:** If it does not already exist, create a new folder named `.gemini_security` in the user's workspace. * **Action:** Create a new file named `SECURITY_ANALYSIS_TODO.md` in `.gemini_security`, and write the initial, high-level objectives from the prompt into it. * **Action:** Create a new, empty file named `DRAFT_SECURITY_REPORT.md` in `.gemini_security`. + * **Action"** Prep yourself using the following possible notes files under `.gemini_security/`. If they do not exist, skip them. + * `vuln_allowlist.txt`: The allowlist file has vulnerabilities to ignore during your scan. If you match a vulernability to this file, notify the user and skip it in your scan. 2. **Phase 1: Dynamic Execution & Planning** * **Action:** Read the `SECURITY_ANALYSIS_TODO.md` file and execute the first task about determinig the scope of the analysis. diff --git a/mcp-server/src/index.ts b/mcp-server/src/index.ts index aee8db1..23bc8a7 100644 --- a/mcp-server/src/index.ts +++ b/mcp-server/src/index.ts 
@@ -50,6 +50,50 @@ server.tool( } ); +server.registerPrompt( + 'security:note-adder', + { + title: 'Note Adder', + description: 'Creates a new note file or adds a new entry to an existing one, ensuring content consistency.', + argsSchema: { + notePath: z.string().describe('The path to the note file.'), + content: z.string().describe('The content of the note entry to add.'), + }, + }, + ({ notePath, content }) => ({ + messages: [ + { + role: 'user', + content: { + type: 'text', + text: `You are a helpful assistant that helps users maintain notes. Your task is to add a new entry to the notes file at '.gemini_security/${notePath}'. + +You MUST use the 'ReadFile' and 'WriteFile' tools. + +**Workflow:** + +1. **Read the file:** First, you MUST attempt to read the file at '.gemini_security/${notePath}' using the 'ReadFile' tool. + +2. **Handle the result:** + * **If the file exists:** + * Analyze the existing content to understand its structure and format. + * **Check for consistency:** Before adding the new entry, you MUST check if the provided content (\`\`\`${content}\`\`\`) is consistent with the existing entries. + * **If it is not consistent:** You MUST ask the user for clarification. Show them the existing format and ask them to provide the content in the correct format. + * Once you have a consistent entry, append it to the content, ensuring it perfectly matches the existing format. + * Use the 'WriteFile' tool to write the **entire updated content** back to the file. + * **If the file does NOT exist (ReadFile returns an error):** + * First, if the '.gemini_security' directory doesn't exist, create it. + * This is a new note. You MUST ask the user to define a template for this note. + * Once the user provides a template, construct the initial file content. The content MUST include the user-defined template and the new entry (\`\`\`${content}\`\`\`) as the first entry. + * Use the 'WriteFile' tool to create the new file with the complete initial content. 
+ +Your primary goal is to maintain strict consistency with the format of the note file. Do not introduce any formatting changes.`, + }, + }, + ], + }), +); + async function startServer() { const transport = new StdioServerTransport(); await server.connect(transport);
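Review bot: In the GEMINI.md hunk, the new section 5 makes allowlisting mandatory on any disagreement ("When a user disagrees with one of your findings, you **MUST** allowlist"), with no confirmation step and no requirement that `Justification:` be filled in. For a security scanner this turns a passing objection into a permanent suppression. Suggest requiring an explicit user confirmation and a non-empty justification before writing the entry. The section also names the prompt `note-adder`, while the index.ts hunk registers it as `'security:note-adder'`; use one name in both places. The fixed four-field format given here also conflicts with the new-file branch of the prompt, which tells the model to ask the user to define a template.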
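Review bot: In the commands/security/analyze.toml hunk, the added step does not say what counts as a match ("If you match a vulernability to this file"), so an entry could end up suppressing every finding of the same type rather than one occurrence. Suggest stating that a finding is skipped only when `Location` and `Line Content` both match, and that each skipped finding is listed in the final report as well as mentioned to the user. Because `vuln_allowlist.txt` is read from `.gemini_security/` in the workspace being scanned, the file's content comes from whoever supplied the repository; treating it as data to match against, and surfacing every entry that was applied, keeps suppressions visible. Two typos in the added lines: `**Action"**` should be `**Action:**`, and "vulernability" should be "vulnerability".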
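Review bot: In the mcp-server/src/index.ts hunk, `notePath` is declared as a bare `z.string()` and interpolated straight into `'.gemini_security/${notePath}'`, so a value containing `../` or an absolute path would point the ReadFile and WriteFile instructions outside the notes directory. Suggest constraining it in `argsSchema`, for example with a `z.enum` of known note files or a `.regex()` that permits only a plain file name. `content` is likewise interpolated inside a triple-backtick span in the prompt text; content that itself contains backticks closes that span early and the remainder reads as instructions, so delimit it in a way the content cannot terminate, or reject content containing the delimiter. The workflow also writes the "entire updated content" back on every append, which means one bad read or rewrite can drop earlier allowlist entries; an instruction to verify that existing entries are preserved unchanged before writing would help.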