GuardDiff is intended to be a community-maintained OSS safety layer for AI-assisted coding.
- Install dependencies with `npm install`
- Build the workspace with `npm run build`
- Run tests with `npm test`
- Run the false-positive benchmark with `npm run benchmark:fp`
- Run `npm run typecheck` when touching TypeScript APIs, reporters, CLI commands, or integrations

- Every rule should ship with true-positive and false-positive tests
- Rule output must mask secrets by default
- Avoid cloud-dependent behavior in the core scanner
- Keep `ruleVersion` semantic and update `CHANGELOG.md` for behavior changes
- Run `npm run benchmark:fp` before changing detector patterns

- Export a plain `rules: Rule[]` array from the package entrypoint
- Use stable IDs such as `terraform/public-s3-bucket`
- Do not duplicate built-in rule IDs
- Mark experimental rules with `experimental: true` and keep their default impact low
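The rule-pack and rule-output conventions above, as an added illustration that is not GuardDiff's own code: the `Rule` and `Finding` shapes, the `check` signature, and the `validatePack` helper are assumptions about the contract, not the project's real types.

```typescript
// Assumed shapes (hypothetical; GuardDiff's real Rule/Finding types may differ).
interface Finding { ruleId: string; line: number; message: string; }
interface Rule {
  id: string;                  // stable, namespaced, e.g. "terraform/public-s3-bucket"
  ruleVersion: string;         // semantic version; bump when behaviour changes
  severity: "low" | "medium" | "high";
  experimental?: boolean;      // experimental rules keep their default impact low
  check(filePath: string, content: string): Finding[];
}

// Keep a 4-character prefix for triage; the rest never leaves the scanner.
export function maskSecret(value: string): string {
  return value.slice(0, 4) + "*".repeat(Math.max(0, value.length - 4));
}

// Line-oriented matcher shared by the rules below (assumed helper, not project code).
function scanLines(content: string, re: RegExp, id: string,
                   msg: (m: RegExpMatchArray, text: string) => string): Finding[] {
  const out: Finding[] = [];
  content.split("\n").forEach((text, i) => {
    const m = text.match(re);
    if (m) out.push({ ruleId: id, line: i + 1, message: msg(m, text) });
  });
  return out;
}

// The plain array a pack entrypoint exports.
export const rules: Rule[] = [
  { id: "terraform/public-s3-bucket", ruleVersion: "1.0.0", severity: "high",
    check: (p, c) => p.endsWith(".tf")
      ? scanLines(c, /\bacl\s*=\s*"public-read(?:-write)?"/, "terraform/public-s3-bucket",
                  (_m, t) => `public S3 bucket ACL: ${t.trim()}`)
      : [] },
  { id: "generic/hardcoded-credential", ruleVersion: "0.1.0", severity: "low", experimental: true,
    check: (_p, c) => scanLines(c, /\b(?:password|secret|token)\s*[:=]\s*["']([^"']{8,})["']/i,
                                "generic/hardcoded-credential",
                                (m) => `hardcoded credential ${maskSecret(m[1] ?? "")}`) },
];

// Pre-publish check a pack's own tests can run: stable IDs, no clash with built-in IDs,
// semantic ruleVersion, and low impact for experimental rules.
export function validatePack(pack: Rule[], builtinIds: Set<string>): string[] {
  const errors: string[] = [];
  const seen = new Set<string>();
  for (const r of pack) {
    if (!/^[a-z0-9-]+\/[a-z0-9-]+$/.test(r.id)) errors.push(`unstable id: ${r.id}`);
    if (seen.has(r.id) || builtinIds.has(r.id)) errors.push(`duplicate id: ${r.id}`);
    seen.add(r.id);
    if (!/^\d+\.\d+\.\d+$/.test(r.ruleVersion)) errors.push(`non-semantic ruleVersion: ${r.id}`);
    if (r.experimental && r.severity !== "low") errors.push(`experimental rule not low severity: ${r.id}`);
  }
  return errors;
}
```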
- GitHub Action changes should preserve SARIF, PR comments, workflow annotations, and output variables
- GitHub Action outputs must not emit raw secret material in comments, annotations, logs, or SARIF
- Keep external rule-pack execution opt-in for trusted branches only
- VS Code beta changes should keep the extension CLI-backed and avoid cloud calls
- Add user-facing changes under `## Unreleased`
- Group larger releases with `Added`, `Changed`, `Fixed`, `Security`, and `Breaking` headings when useful
- Call out new rules, `ruleVersion` changes, severity changes, false-positive behavior changes, and migration notes
- Mention benchmark or fixture updates when they change detector coverage

- Keep changes scoped
- Update `CHANGELOG.md` when rule behavior changes
- Add or update examples when you introduce a new detection pattern