From 78bd06a806d16983ccb2f8bf9f855a87711dd83c Mon Sep 17 00:00:00 2001 From: QuinnDACollins Date: Tue, 11 Nov 2025 12:16:00 -0800 Subject: [PATCH 01/11] Add registered prompt and gemini md updates for enabling notation usage in security extension --- GEMINI.md | 12 +++++++++- commands/security/analyze.toml | 2 ++ mcp-server/src/index.ts | 43 ++++++++++++++++++++++++++++++++++ 3 files changed, 56 insertions(+), 1 deletion(-) diff --git a/GEMINI.md b/GEMINI.md index 931e80c..9e1bc84 100644 --- a/GEMINI.md +++ b/GEMINI.md @@ -193,7 +193,17 @@ For every potential finding, you must perform a quick "So What?" test. If a theo * **YOU MUST** Only perform security analysis when the user explicitly requests for help with code security or vulnerabilities. Before starting an analysis, ask yourself if the user is requesting generic help, or specialized security assistance. ---- +### 5. Whitelisting Vulnerabilities +When a user disagrees with one of your findings, you **MUST** whitelist the disagreed upon vulnerability. + +* **YOU MUST** Use the MCP Prompt `note-adder` to create a new notation in the `security_notes/vuln_whitelist.txt` file with the following format: +``` + Vulnerability: + Location: + Line Content: + Justification: +``` + ### Your Final Review Filter Before you add a vulnerability to your final report, it must pass every question on this checklist: diff --git a/commands/security/analyze.toml b/commands/security/analyze.toml index 8fccfb6..6bcecf6 100644 --- a/commands/security/analyze.toml +++ b/commands/security/analyze.toml @@ -40,6 +40,8 @@ For EVERY task, you MUST follow this procedure. This loop separates high-level s * **Action:** If it does not already exist, create a new folder named `.gemini_security` in the user's workspace. * **Action:** Create a new file named `SECURITY_ANALYSIS_TODO.md` in `.gemini_security`, and write the initial, high-level objectives from the prompt into it. * **Action:** Create a new, empty file named `DRAFT_SECURITY_REPORT.md` in `.gemini_security`. + * **Action"** Prep yourself using notes files under `security_notes/` + * `vuln_whitelist.txt`: The whitelist file has vulnerabilities to ignore during your scan. If you match a vulernability to this file, notify the user and skip it in your scan. 2. **Phase 1: Dynamic Execution & Planning** * **Action:** Read the `SECURITY_ANALYSIS_TODO.md` file and execute the first task about determinig the scope of the analysis. diff --git a/mcp-server/src/index.ts b/mcp-server/src/index.ts index aee8db1..a7b287c 100644 --- a/mcp-server/src/index.ts +++ b/mcp-server/src/index.ts @@ -50,6 +50,49 @@ server.tool( } ); +server.registerPrompt( + 'note-adder', + { + title: 'Note Adder', + description: 'Creates a new note file or adds a new entry to an existing one, ensuring content consistency.', + argsSchema: { + notePath: z.string().describe('The path to the note file.'), + content: z.string().describe('The content of the note entry to add.'), + }, + }, + ({ notePath, content }) => ({ + messages: [ + { + role: 'user', + content: { + type: 'text', + text: `You are a helpful assistant that helps users maintain notes. Your task is to add a new entry to the note file at ${notePath}. + +You MUST use the 'ReadFile' and 'WriteFile' tools. + +**Workflow:** + +1. **Read the file:** First, you MUST attempt to read the file at ${notePath} using the 'ReadFile' tool. + +2. **Handle the result:** + * **If the file exists:** + * Analyze the existing content to understand its structure and format. + * **Check for consistency:** Before adding the new entry, you MUST check if the provided content (\`\`\`${content}\`\`\`) is consistent with the existing entries. + * **If it is not consistent:** You MUST ask the user for clarification. Show them the existing format and ask them to provide the content in the correct format. + * Once you have a consistent entry, append it to the content, ensuring it perfectly matches the existing format. + * Use the 'WriteFile' tool to write the **entire updated content** back to the file. + * **If the file does NOT exist (ReadFile returns an error):** + * This is a new note. You MUST ask the user to define a template for this note. + * Once the user provides a template, construct the initial file content. The content MUST include the user-defined template and the new entry (\`\`\`${content}\`\`\`) as the first entry. + * Use the 'WriteFile' tool to create the new file with the complete initial content. + +Your primary goal is to maintain strict consistency with the format of the note file. Do not introduce any formatting changes.`, + }, + }, + ], + }), +); + async function startServer() { const transport = new StdioServerTransport(); await server.connect(transport); From 32ad411db1f7bb1a6fe3d0a756f982dafbdae6a0 Mon Sep 17 00:00:00 2001 From: QuinnDACollins Date: Wed, 12 Nov 2025 09:35:26 -0800 Subject: [PATCH 02/11] fix: folder location wording in gemini .md --- GEMINI.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/GEMINI.md b/GEMINI.md index 9e1bc84..b8da419 100644 --- a/GEMINI.md +++ b/GEMINI.md @@ -25,7 +25,9 @@ You are a highly skilled senior security engineer. You are meticulous, an expert 2. **Manual Review**: I can manually review the code for potential vulnerabilities based on our conversation. ``` * Explicitly ask the user which they would prefer before proceeding. The manual analysis is your default behavior if the user doesn't choose the command. If the user chooses the command, remind them that they must run it on their own. -* During the security analysis, you **MUST NOT** write, modify, or delete any files unless explicitly instructed by a command (eg. `/security:analyze`). Artifacts created during security analysis should be stored in a `.gemini_security/` directory in the user's workspace. +* During the security analysis, you **MUST NOT** write, modify, or delete any files unless explicitly instructed by a command (eg. `/security:analyze`). Artifacts created during security analysis should be stored in a `.gemini_security/` directory in the user's workspace, unless explicitly instructed otherwise (ex. `security_notes` folder). + +--- ## Skillset: SAST Vulnerability Analysis @@ -196,7 +198,7 @@ For every potential finding, you must perform a quick "So What?" test. If a theo ### 5. Whitelisting Vulnerabilities When a user disagrees with one of your findings, you **MUST** whitelist the disagreed upon vulnerability. -* **YOU MUST** Use the MCP Prompt `note-adder` to create a new notation in the `security_notes/vuln_whitelist.txt` file with the following format: +* **YOU MUST** Use the MCP Prompt `note-adder` to create a new note folder `security_notes`: `security_notes/vuln_whitelist.txt` with the following format: ``` Vulnerability: Location: From 8cbfd3c883cb9a8e3fb80df1a684326805de81f2 Mon Sep 17 00:00:00 2001 From: QuinnDACollins Date: Wed, 12 Nov 2025 11:43:15 -0800 Subject: [PATCH 03/11] fix: merge into main --- GEMINI.md | 16 +++++++++++++ commands/security/analyze.toml | 2 ++ mcp-server/src/index.ts | 43 ++++++++++++++++++++++++++++++++++ 3 files changed, 61 insertions(+) diff --git a/GEMINI.md b/GEMINI.md index e9c36b2..807e033 100644 --- a/GEMINI.md +++ b/GEMINI.md @@ -192,7 +192,23 @@ For every potential finding, you must perform a quick "So What?" test. If a theo * **Example:** A piece of code might use a slightly older, but not yet broken, cryptographic algorithm for a non-sensitive, internal cache key. While technically not "best practice," it may have zero actual security impact. In contrast, using the same algorithm to encrypt user passwords would be a critical finding. You must use your judgment to differentiate between theoretical and actual risk. +<<<<<<< HEAD --- +======= +* **YOU MUST** Only perform security analysis when the user explicitly requests for help with code security or vulnerabilities. Before starting an analysis, ask yourself if the user is requesting generic help, or specialized security assistance. + +### 5. Whitelisting Vulnerabilities +When a user disagrees with one of your findings, you **MUST** whitelist the disagreed upon vulnerability. + +* **YOU MUST** Use the MCP Prompt `note-adder` to create a new notation in the `security_notes/vuln_whitelist.txt` file with the following format: +``` + Vulnerability: + Location: + Line Content: + Justification: +``` + +>>>>>>> 78bd06a (Add registered prompt and gemini md updates for enabling notation usage in security extension) ### Your Final Review Filter Before you add a vulnerability to your final report, it must pass every question on this checklist: diff --git a/commands/security/analyze.toml b/commands/security/analyze.toml index 7c3e07f..961be8a 100644 --- a/commands/security/analyze.toml +++ b/commands/security/analyze.toml @@ -40,6 +40,8 @@ For EVERY task, you MUST follow this procedure. This loop separates high-level s * **Action:** If it does not already exist, create a new folder named `.gemini_security` in the user's workspace. * **Action:** Create a new file named `SECURITY_ANALYSIS_TODO.md` in `.gemini_security`, and write the initial, high-level objectives from the prompt into it. * **Action:** Create a new, empty file named `DRAFT_SECURITY_REPORT.md` in `.gemini_security`. + * **Action"** Prep yourself using notes files under `security_notes/` + * `vuln_whitelist.txt`: The whitelist file has vulnerabilities to ignore during your scan. If you match a vulernability to this file, notify the user and skip it in your scan. 2. **Phase 1: Dynamic Execution & Planning** * **Action:** Read the `SECURITY_ANALYSIS_TODO.md` file and execute the first task about determinig the scope of the analysis. diff --git a/mcp-server/src/index.ts b/mcp-server/src/index.ts index aee8db1..a7b287c 100644 --- a/mcp-server/src/index.ts +++ b/mcp-server/src/index.ts @@ -50,6 +50,49 @@ server.tool( } ); +server.registerPrompt( + 'note-adder', + { + title: 'Note Adder', + description: 'Creates a new note file or adds a new entry to an existing one, ensuring content consistency.', + argsSchema: { + notePath: z.string().describe('The path to the note file.'), + content: z.string().describe('The content of the note entry to add.'), + }, + }, + ({ notePath, content }) => ({ + messages: [ + { + role: 'user', + content: { + type: 'text', + text: `You are a helpful assistant that helps users maintain notes. Your task is to add a new entry to the note file at ${notePath}. + +You MUST use the 'ReadFile' and 'WriteFile' tools. + +**Workflow:** + +1. **Read the file:** First, you MUST attempt to read the file at ${notePath} using the 'ReadFile' tool. + +2. **Handle the result:** + * **If the file exists:** + * Analyze the existing content to understand its structure and format. + * **Check for consistency:** Before adding the new entry, you MUST check if the provided content (\`\`\`${content}\`\`\`) is consistent with the existing entries. + * **If it is not consistent:** You MUST ask the user for clarification. Show them the existing format and ask them to provide the content in the correct format. + * Once you have a consistent entry, append it to the content, ensuring it perfectly matches the existing format. + * Use the 'WriteFile' tool to write the **entire updated content** back to the file. + * **If the file does NOT exist (ReadFile returns an error):** + * This is a new note. You MUST ask the user to define a template for this note. + * Once the user provides a template, construct the initial file content. The content MUST include the user-defined template and the new entry (\`\`\`${content}\`\`\`) as the first entry. + * Use the 'WriteFile' tool to create the new file with the complete initial content. + +Your primary goal is to maintain strict consistency with the format of the note file. Do not introduce any formatting changes.`, + }, + }, + ], + }), +); + async function startServer() { const transport = new StdioServerTransport(); await server.connect(transport); From da3ef9906ad11efd20af574fe12967e36064dffa Mon Sep 17 00:00:00 2001 From: QuinnDACollins Date: Wed, 12 Nov 2025 09:35:26 -0800 Subject: [PATCH 04/11] fix: folder location wording in gemini .md --- GEMINI.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/GEMINI.md b/GEMINI.md index 807e033..57b81e3 100644 --- a/GEMINI.md +++ b/GEMINI.md @@ -26,7 +26,9 @@ You are a highly skilled senior security engineer. You are meticulous, an expert 2. **Manual Review**: I can manually review the code for potential vulnerabilities based on our conversation. ``` * Explicitly ask the user which they would prefer before proceeding. The manual analysis is your default behavior if the user doesn't choose the command. If the user chooses the command, remind them that they must run it on their own. -* During the security analysis, you **MUST NOT** write, modify, or delete any files unless explicitly instructed by a command (eg. `/security:analyze`). Artifacts created during security analysis should be stored in a `.gemini_security/` directory in the user's workspace. +* During the security analysis, you **MUST NOT** write, modify, or delete any files unless explicitly instructed by a command (eg. `/security:analyze`). Artifacts created during security analysis should be stored in a `.gemini_security/` directory in the user's workspace, unless explicitly instructed otherwise (ex. `security_notes` folder). + +--- ## Skillset: SAST Vulnerability Analysis @@ -200,7 +202,7 @@ For every potential finding, you must perform a quick "So What?" test. If a theo ### 5. Whitelisting Vulnerabilities When a user disagrees with one of your findings, you **MUST** whitelist the disagreed upon vulnerability. -* **YOU MUST** Use the MCP Prompt `note-adder` to create a new notation in the `security_notes/vuln_whitelist.txt` file with the following format: +* **YOU MUST** Use the MCP Prompt `note-adder` to create a new note folder `security_notes`: `security_notes/vuln_whitelist.txt` with the following format: ``` Vulnerability: Location: From 1c8779066dc8c43c01d5df4990efc0e6f4ab9b83 Mon Sep 17 00:00:00 2001 From: QuinnDACollins Date: Wed, 12 Nov 2025 11:54:12 -0800 Subject: [PATCH 05/11] fix: remove merge remnants --- GEMINI.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/GEMINI.md b/GEMINI.md index 2a1d22a..daa88cb 100644 --- a/GEMINI.md +++ b/GEMINI.md @@ -28,8 +28,6 @@ You are a highly skilled senior security engineer. You are meticulous, an expert * Explicitly ask the user which they would prefer before proceeding. The manual analysis is your default behavior if the user doesn't choose the command. If the user chooses the command, remind them that they must run it on their own. * During the security analysis, you **MUST NOT** write, modify, or delete any files unless explicitly instructed by a command (eg. `/security:analyze`). Artifacts created during security analysis should be stored in a `.gemini_security/` directory in the user's workspace, unless explicitly instructed otherwise (ex. `security_notes` folder). ---- - ## Skillset: SAST Vulnerability Analysis This is your internal knowledge base of vulnerabilities. When you need to do a security audit, you will methodically check for every item on this list. @@ -205,6 +203,7 @@ When a user disagrees with one of your findings, you **MUST** whitelist the disa Justification: ``` +--- ### Your Final Review Filter Before you add a vulnerability to your final report, it must pass every question on this checklist: From 0ea0b48f9d95dd2a9af977928824dac7141a46e8 Mon Sep 17 00:00:00 2001 From: QuinnDACollins Date: Thu, 13 Nov 2025 14:28:22 -0800 Subject: [PATCH 06/11] fix: make prompt less error prone by enforcing directory --- commands/security/analyze.toml | 2 +- mcp-server/src/index.ts | 7 ++++--- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/commands/security/analyze.toml b/commands/security/analyze.toml index 961be8a..1e1b499 100644 --- a/commands/security/analyze.toml +++ b/commands/security/analyze.toml @@ -41,7 +41,7 @@ For EVERY task, you MUST follow this procedure. This loop separates high-level s * **Action:** Create a new file named `SECURITY_ANALYSIS_TODO.md` in `.gemini_security`, and write the initial, high-level objectives from the prompt into it. * **Action:** Create a new, empty file named `DRAFT_SECURITY_REPORT.md` in `.gemini_security`. * **Action"** Prep yourself using notes files under `security_notes/` - * `vuln_whitelist.txt`: The whitelist file has vulnerabilities to ignore during your scan. If you match a vulernability to this file, notify the user and skip it in your scan. + * `vuln_allowlist.txt`: The allowlist file has vulnerabilities to ignore during your scan. If you match a vulernability to this file, notify the user and skip it in your scan. 2. **Phase 1: Dynamic Execution & Planning** * **Action:** Read the `SECURITY_ANALYSIS_TODO.md` file and execute the first task about determinig the scope of the analysis. diff --git a/mcp-server/src/index.ts b/mcp-server/src/index.ts index a7b287c..949fddd 100644 --- a/mcp-server/src/index.ts +++ b/mcp-server/src/index.ts @@ -51,7 +51,7 @@ server.tool( ); server.registerPrompt( - 'note-adder', + 'security:note-adder', { title: 'Note Adder', description: 'Creates a new note file or adds a new entry to an existing one, ensuring content consistency.', @@ -66,13 +66,13 @@ server.registerPrompt( role: 'user', content: { type: 'text', - text: `You are a helpful assistant that helps users maintain notes. Your task is to add a new entry to the note file at ${notePath}. + text: `You are a helpful assistant that helps users maintain notes. Your task is to add a new entry to the notes file at 'security_notes/${notePath}'. You MUST use the 'ReadFile' and 'WriteFile' tools. **Workflow:** -1. **Read the file:** First, you MUST attempt to read the file at ${notePath} using the 'ReadFile' tool. +1. **Read the file:** First, you MUST attempt to read the file at 'security_notes/${notePath}' using the 'ReadFile' tool. 2. **Handle the result:** * **If the file exists:** @@ -82,6 +82,7 @@ You MUST use the 'ReadFile' and 'WriteFile' tools. * Once you have a consistent entry, append it to the content, ensuring it perfectly matches the existing format. * Use the 'WriteFile' tool to write the **entire updated content** back to the file. * **If the file does NOT exist (ReadFile returns an error):** + * First, if the 'security_notes' directory doesn't exist, create it. * This is a new note. You MUST ask the user to define a template for this note. * Once the user provides a template, construct the initial file content. The content MUST include the user-defined template and the new entry (\`\`\`${content}\`\`\`) as the first entry. * Use the 'WriteFile' tool to create the new file with the complete initial content. From bac4ab6ffaa00d07adb60b8eae98ce8e7d51f43d Mon Sep 17 00:00:00 2001 From: QuinnDACollins Date: Mon, 17 Nov 2025 09:33:50 -0800 Subject: [PATCH 07/11] fix: move whitelist directory to .gemini_security --- commands/security/analyze.toml | 2 +- mcp-server/src/index.ts | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/commands/security/analyze.toml b/commands/security/analyze.toml index 1e1b499..91b1169 100644 --- a/commands/security/analyze.toml +++ b/commands/security/analyze.toml @@ -40,7 +40,7 @@ For EVERY task, you MUST follow this procedure. This loop separates high-level s * **Action:** If it does not already exist, create a new folder named `.gemini_security` in the user's workspace. * **Action:** Create a new file named `SECURITY_ANALYSIS_TODO.md` in `.gemini_security`, and write the initial, high-level objectives from the prompt into it. * **Action:** Create a new, empty file named `DRAFT_SECURITY_REPORT.md` in `.gemini_security`. - * **Action"** Prep yourself using notes files under `security_notes/` + * **Action"** Prep yourself using the following notes files under `.gemini_security/` * `vuln_allowlist.txt`: The allowlist file has vulnerabilities to ignore during your scan. If you match a vulernability to this file, notify the user and skip it in your scan. 2. **Phase 1: Dynamic Execution & Planning** diff --git a/mcp-server/src/index.ts b/mcp-server/src/index.ts index 949fddd..23bc8a7 100644 --- a/mcp-server/src/index.ts +++ b/mcp-server/src/index.ts @@ -66,13 +66,13 @@ server.registerPrompt( role: 'user', content: { type: 'text', - text: `You are a helpful assistant that helps users maintain notes. Your task is to add a new entry to the notes file at 'security_notes/${notePath}'. + text: `You are a helpful assistant that helps users maintain notes. Your task is to add a new entry to the notes file at '.gemini_security/${notePath}'. You MUST use the 'ReadFile' and 'WriteFile' tools. **Workflow:** -1. **Read the file:** First, you MUST attempt to read the file at 'security_notes/${notePath}' using the 'ReadFile' tool. +1. **Read the file:** First, you MUST attempt to read the file at '.gemini_security/${notePath}' using the 'ReadFile' tool. 2. **Handle the result:** * **If the file exists:** @@ -82,7 +82,7 @@ You MUST use the 'ReadFile' and 'WriteFile' tools. * Once you have a consistent entry, append it to the content, ensuring it perfectly matches the existing format. * Use the 'WriteFile' tool to write the **entire updated content** back to the file. * **If the file does NOT exist (ReadFile returns an error):** - * First, if the 'security_notes' directory doesn't exist, create it. + * First, if the '.gemini_security' directory doesn't exist, create it. * This is a new note. You MUST ask the user to define a template for this note. * Once the user provides a template, construct the initial file content. The content MUST include the user-defined template and the new entry (\`\`\`${content}\`\`\`) as the first entry. * Use the 'WriteFile' tool to create the new file with the complete initial content. From 1723ce8db545368adb39629f6c16d33780797770 Mon Sep 17 00:00:00 2001 From: QuinnDACollins Date: Mon, 17 Nov 2025 13:48:35 -0800 Subject: [PATCH 08/11] fix: remove mentions of unused security notes folder from gemini md --- GEMINI.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/GEMINI.md b/GEMINI.md index daa88cb..697a904 100644 --- a/GEMINI.md +++ b/GEMINI.md @@ -26,7 +26,7 @@ You are a highly skilled senior security engineer. You are meticulous, an expert 2. **Manual Review**: I can manually review the code for potential vulnerabilities based on our conversation. ``` * Explicitly ask the user which they would prefer before proceeding. The manual analysis is your default behavior if the user doesn't choose the command. If the user chooses the command, remind them that they must run it on their own. -* During the security analysis, you **MUST NOT** write, modify, or delete any files unless explicitly instructed by a command (eg. `/security:analyze`). Artifacts created during security analysis should be stored in a `.gemini_security/` directory in the user's workspace, unless explicitly instructed otherwise (ex. `security_notes` folder). +* During the security analysis, you **MUST NOT** write, modify, or delete any files unless explicitly instructed by a command (eg. `/security:analyze`). Artifacts created during security analysis should be stored in a `.gemini_security/` directory in the user's workspace, unless explicitly instructed otherwise (ex. `.gemini_security` folder). ## Skillset: SAST Vulnerability Analysis @@ -195,7 +195,7 @@ For every potential finding, you must perform a quick "So What?" test. If a theo ### 5. Whitelisting Vulnerabilities When a user disagrees with one of your findings, you **MUST** whitelist the disagreed upon vulnerability. -* **YOU MUST** Use the MCP Prompt `note-adder` to create a new notation in the `security_notes/vuln_whitelist.txt` file with the following format: +* **YOU MUST** Use the MCP Prompt `note-adder` to create a new notation in the `.gemini_security/vuln_whitelist.txt` file with the following format: ``` Vulnerability: Location: From e0f60ea96da86bf12f272c7c7b3f5c75b1bec113 Mon Sep 17 00:00:00 2001 From: QuinnDACollins Date: Mon, 17 Nov 2025 14:02:43 -0800 Subject: [PATCH 09/11] fix: add language that suggests to skip if note doesnt exist --- commands/security/analyze.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/commands/security/analyze.toml b/commands/security/analyze.toml index 91b1169..c629d65 100644 --- a/commands/security/analyze.toml +++ b/commands/security/analyze.toml @@ -40,7 +40,7 @@ For EVERY task, you MUST follow this procedure. This loop separates high-level s * **Action:** If it does not already exist, create a new folder named `.gemini_security` in the user's workspace. * **Action:** Create a new file named `SECURITY_ANALYSIS_TODO.md` in `.gemini_security`, and write the initial, high-level objectives from the prompt into it. * **Action:** Create a new, empty file named `DRAFT_SECURITY_REPORT.md` in `.gemini_security`. - * **Action"** Prep yourself using the following notes files under `.gemini_security/` + * **Action"** Prep yourself using the following possible notes files under `.gemini_security/`. If they do not exist, skip them. * `vuln_allowlist.txt`: The allowlist file has vulnerabilities to ignore during your scan. If you match a vulernability to this file, notify the user and skip it in your scan. 2. **Phase 1: Dynamic Execution & Planning** From 03dc3eea89242872e9ad66a299508cad1f2976a7 Mon Sep 17 00:00:00 2001 From: QuinnDACollins Date: Mon, 1 Dec 2025 17:22:37 -0800 Subject: [PATCH 10/11] fix: whitelist -> allowlist --- GEMINI.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/GEMINI.md b/GEMINI.md index 697a904..28e557a 100644 --- a/GEMINI.md +++ b/GEMINI.md @@ -192,10 +192,10 @@ For every potential finding, you must perform a quick "So What?" test. If a theo * **Example:** A piece of code might use a slightly older, but not yet broken, cryptographic algorithm for a non-sensitive, internal cache key. While technically not "best practice," it may have zero actual security impact. In contrast, using the same algorithm to encrypt user passwords would be a critical finding. You must use your judgment to differentiate between theoretical and actual risk. -### 5. Whitelisting Vulnerabilities -When a user disagrees with one of your findings, you **MUST** whitelist the disagreed upon vulnerability. +### 5. Allowlisting Vulnerabilities +When a user disagrees with one of your findings, you **MUST** allowlist the disagreed upon vulnerability. -* **YOU MUST** Use the MCP Prompt `note-adder` to create a new notation in the `.gemini_security/vuln_whitelist.txt` file with the following format: +* **YOU MUST** Use the MCP Prompt `note-adder` to create a new notation in the `.gemini_security/vuln_allowlist.txt` file with the following format: ``` Vulnerability: Location: From 834c1229a1df8e98c2d31db28ed5b1d2af89981b Mon Sep 17 00:00:00 2001 From: QuinnDACollins Date: Mon, 1 Dec 2025 17:24:20 -0800 Subject: [PATCH 11/11] fix: remove clause that allows modifying files outside of gemini security --- GEMINI.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/GEMINI.md b/GEMINI.md index 28e557a..439046c 100644 --- a/GEMINI.md +++ b/GEMINI.md @@ -26,7 +26,7 @@ You are a highly skilled senior security engineer. You are meticulous, an expert 2. **Manual Review**: I can manually review the code for potential vulnerabilities based on our conversation. ``` * Explicitly ask the user which they would prefer before proceeding. The manual analysis is your default behavior if the user doesn't choose the command. If the user chooses the command, remind them that they must run it on their own. -* During the security analysis, you **MUST NOT** write, modify, or delete any files unless explicitly instructed by a command (eg. `/security:analyze`). Artifacts created during security analysis should be stored in a `.gemini_security/` directory in the user's workspace, unless explicitly instructed otherwise (ex. `.gemini_security` folder). +* During the security analysis, you **MUST NOT** write, modify, or delete any files unless explicitly instructed by a command (eg. `/security:analyze`). Artifacts created during security analysis should be stored in a `.gemini_security/` directory in the user's workspace. ## Skillset: SAST Vulnerability Analysis