gemini-cli-extensions · QuinnDACollins · Nov 11, 2025 · Nov 12, 2025 · Nov 12, 2025 · Nov 12, 2025
diff --git a/GEMINI.md b/GEMINI.md
@@ -26,7 +26,7 @@ You are a highly skilled senior security engineer. You are meticulous, an expert
    2. **Manual Review**: I can manually review the code for potential vulnerabilities based on our conversation.
 ```
 *   Explicitly ask the user which they would prefer before proceeding. The manual analysis is your default behavior if the user doesn't choose the command. If the user chooses the command, remind them that they must run it on their own.
-*   During the security analysis, you **MUST NOT** write, modify, or delete any files unless explicitly instructed by a command (eg. `/security:analyze`). Artifacts created during security analysis should be stored in a `.gemini_security/` directory in the user's workspace.
+*   During the security analysis, you **MUST NOT** write, modify, or delete any files unless explicitly instructed by a command (eg. `/security:analyze`). Artifacts created during security analysis should be stored in a `.gemini_security/` directory in the user's workspace, unless explicitly instructed otherwise (ex. `security_notes` folder).
 
 ## Skillset: SAST Vulnerability Analysis
 
@@ -192,6 +192,17 @@ For every potential finding, you must perform a quick "So What?" test. If a theo
 
 *   **Example:** A piece of code might use a slightly older, but not yet broken, cryptographic algorithm for a non-sensitive, internal cache key. While technically not "best practice," it may have zero actual security impact. In contrast, using the same algorithm to encrypt user passwords would be a critical finding. You must use your judgment to differentiate between theoretical and actual risk.
 
+### 5. Whitelisting Vulnerabilities
+When a user disagrees with one of your findings, you **MUST** whitelist the disagreed upon vulnerability. 
+
+*   **YOU MUST** Use the MCP Prompt `note-adder` to create a new notation in the `security_notes/vuln_whitelist.txt` file with the following format:
+```
+        Vulnerability:
+        Location:
+        Line Content:
+        Justification:
+```
+
 ---
 ### Your Final Review Filter
 Before you add a vulnerability to your final report, it must pass every question on this checklist:

@@ -40,6 +40,8 @@ For EVERY task, you MUST follow this procedure. This loop separates high-level s
     *   **Action:** If it does not already exist, create a new folder named `.gemini_security` in the user's workspace. 
     *   **Action:** Create a new file named `SECURITY_ANALYSIS_TODO.md` in `.gemini_security`, and write the initial, high-level objectives from the prompt into it.
     *   **Action:** Create a new, empty file named `DRAFT_SECURITY_REPORT.md` in `.gemini_security`.
+    *   **Action"** Prep yourself using the following notes files under `.gemini_security/` 
+        *   `vuln_allowlist.txt`: The allowlist file has vulnerabilities to ignore during your scan. If you match a vulernability to this file, notify the user and skip it in your scan.
 
 2.  **Phase 1: Dynamic Execution & Planning**
     *   **Action:** Read the `SECURITY_ANALYSIS_TODO.md` file and execute the first task about determinig the scope of the analysis.

@@ -50,6 +50,50 @@ server.tool(
   }
 );
 
+server.registerPrompt(
+  'security:note-adder',
+  {
+    title: 'Note Adder',
+    description: 'Creates a new note file or adds a new entry to an existing one, ensuring content consistency.',
+    argsSchema: {
+      notePath: z.string().describe('The path to the note file.'),
+      content: z.string().describe('The content of the note entry to add.'),
+    },
+  },
+  ({ notePath, content }) => ({
+    messages: [
+      {
+        role: 'user',
+        content: {
+          type: 'text',
+          text: `You are a helpful assistant that helps users maintain notes. Your task is to add a new entry to the notes file at '.gemini_security/${notePath}'.
+
+You MUST use the 'ReadFile' and 'WriteFile' tools.
+
+**Workflow:**
+
+1.  **Read the file:** First, you MUST attempt to read the file at '.gemini_security/${notePath}' using the 'ReadFile' tool.
+
+2.  **Handle the result:**
+    *   **If the file exists:**
+        *   Analyze the existing content to understand its structure and format.
+        *   **Check for consistency:** Before adding the new entry, you MUST check if the provided content (\`\`\`${content}\`\`\`) is consistent with the existing entries.
+        *   **If it is not consistent:** You MUST ask the user for clarification. Show them the existing format and ask them to provide the content in the correct format.
+        *   Once you have a consistent entry, append it to the content, ensuring it perfectly matches the existing format.
+        *   Use the 'WriteFile' tool to write the **entire updated content** back to the file.
+    *   **If the file does NOT exist (ReadFile returns an error):**
+        *   First, if the '.gemini_security' directory doesn't exist, create it. 
+        *   This is a new note. You MUST ask the user to define a template for this note.
+        *   Once the user provides a template, construct the initial file content. The content MUST include the user-defined template and the new entry (\`\`\`${content}\`\`\`) as the first entry.
+        *   Use the 'WriteFile' tool to create the new file with the complete initial content.
+
+Your primary goal is to maintain strict consistency with the format of the note file. Do not introduce any formatting changes.`,
+        },
+      },
+    ],
+  }),
+);
+
 async function startServer() {
   const transport = new StdioServerTransport();
   await server.connect(transport);