@mlawsonking/code-guard-mcp 1.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +22 -0
- package/index.mjs +42 -0
- package/package.json +20 -0
package/README.md
ADDED
|
@@ -0,0 +1,22 @@
|
|
|
1
|
+
# code-guard-mcp
|
|
2
|
+
|
|
3
|
+
Security scanner for **AI-generated code**, as an MCP server — the check a coding agent runs on its *own* code or
|
|
4
|
+
diff **before it commits**. Deterministic, free, **no LLM**.
|
|
5
|
+
|
|
6
|
+
**Why:** 53% of code is now AI-written and ~25% ships vulnerable, yet nothing scans it *in the agent's loop* for
|
|
7
|
+
free. Code Guard is that fast first-line scanner (not a full audit replacement).
|
|
8
|
+
|
|
9
|
+
## Tools
|
|
10
|
+
- **`scan_code`** — scan a snippet → findings `{rule, category, severity, line, message, remediation}` + verdict
|
|
11
|
+
`pass`/`review`/`block`. Detects command/code/SQL injection, SSRF, hardcoded secrets, weak crypto, unsafe
|
|
12
|
+
deserialization (pickle/yaml), disabled TLS verification, XSS / template injection.
|
|
13
|
+
- **`scan_diff`** — scan only the **added lines** of a unified diff (correct new-file line numbers).
|
|
14
|
+
- **`list_rules`** — the rule catalog (coverage transparency).
|
|
15
|
+
|
|
16
|
+
## Install
|
|
17
|
+
```json
|
|
18
|
+
{ "mcpServers": { "code-guard": { "command": "npx", "args": ["-y", "@mlawsonking/code-guard-mcp"] } } }
|
|
19
|
+
```
|
|
20
|
+
|
|
21
|
+
Deterministic (same input → same output). API: https://code-guard-api.vercel.app · part of the agent-guardrail
|
|
22
|
+
suite (Package Guard · Agent Firewall · Payment Guard · Email Guard · Code Guard).
|
package/index.mjs
ADDED
|
@@ -0,0 +1,42 @@
|
|
|
1
|
+
#!/usr/bin/env node
|
|
2
|
+
// code-guard-mcp — MCP server: security scan for AI-generated code. Deterministic, no LLM.
|
|
3
|
+
// scan_code -> scan a code snippet for vulns before committing/running it
|
|
4
|
+
// scan_diff -> scan only the added lines of a unified diff
|
|
5
|
+
// list_rules -> the rule catalog (coverage)
|
|
6
|
+
|
|
7
|
+
import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
|
|
8
|
+
import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js';
|
|
9
|
+
import { z } from 'zod';
|
|
10
|
+
|
|
11
|
+
const API = process.env.CODE_GUARD_API || 'https://code-guard-api.vercel.app';
|
|
12
|
+
const ok = (text) => ({ content: [{ type: 'text', text }] });
|
|
13
|
+
const err = (msg) => ({ content: [{ type: 'text', text: `Error: ${msg}` }], isError: true });
|
|
14
|
+
async function post(path, body) { const r = await fetch(`${API}${path}`, { method: 'POST', headers: { 'Content-Type': 'application/json', Accept: 'application/json' }, body: JSON.stringify(body) }); return r.json(); }
|
|
15
|
+
async function get(path) { const r = await fetch(`${API}${path}`, { headers: { Accept: 'application/json' } }); return r.json(); }
|
|
16
|
+
|
|
17
|
+
const server = new McpServer({ name: 'code-guard', version: '1.0.0' });
|
|
18
|
+
|
|
19
|
+
server.tool(
|
|
20
|
+
'scan_code',
|
|
21
|
+
'Security-scan a snippet of code you (the agent) just generated, BEFORE committing or running it. Deterministic rule engine (no LLM) for the high-frequency vulnerability classes in AI-written code: command/code/SQL injection, SSRF, hardcoded secrets & API keys, weak crypto, unsafe deserialization (pickle/yaml), disabled TLS verification, XSS / template injection. Returns findings (rule id, category, severity, line, message, remediation) and a verdict: pass / review / block. Fast first-line check, not a full audit.',
|
|
22
|
+
{ code: z.string().describe('The source code to scan.'), language: z.string().optional().describe('python | javascript | typescript | … (optional; auto-detected).') },
|
|
23
|
+
async ({ code, language }) => { try { const j = await post('/api/scan-code', { code, language }); return j.ok ? ok(JSON.stringify(j, null, 2)) : err(j.error || 'scan failed'); } catch (e) { return err(String((e && e.message) || e)); } }
|
|
24
|
+
);
|
|
25
|
+
|
|
26
|
+
server.tool(
|
|
27
|
+
'scan_diff',
|
|
28
|
+
'Scan only the ADDED lines of a unified diff (your just-written change), with correct new-file line numbers. Use in a commit loop to catch vulnerabilities you just introduced. Returns findings + a verdict: pass / review / block.',
|
|
29
|
+
{ diff: z.string().describe('A unified diff (git diff).'), language: z.string().optional() },
|
|
30
|
+
async ({ diff, language }) => { try { const j = await post('/api/scan-diff', { diff, language }); return j.ok ? ok(JSON.stringify(j, null, 2)) : err(j.error || 'scan failed'); } catch (e) { return err(String((e && e.message) || e)); } }
|
|
31
|
+
);
|
|
32
|
+
|
|
33
|
+
server.tool(
|
|
34
|
+
'list_rules',
|
|
35
|
+
'List the deterministic rule catalog Code Guard checks (rule id, category, severity, language), so you know its coverage.',
|
|
36
|
+
{},
|
|
37
|
+
async () => { try { const j = await get('/api/rules'); return j.ok ? ok(JSON.stringify(j, null, 2)) : err('failed'); } catch (e) { return err(String((e && e.message) || e)); } }
|
|
38
|
+
);
|
|
39
|
+
|
|
40
|
+
const transport = new StdioServerTransport();
|
|
41
|
+
await server.connect(transport);
|
|
42
|
+
console.error('code-guard-mcp running (3 tools).');
|
package/package.json
ADDED
|
@@ -0,0 +1,20 @@
|
|
|
1
|
+
{
|
|
2
|
+
"name": "@mlawsonking/code-guard-mcp",
|
|
3
|
+
"version": "1.0.0",
|
|
4
|
+
"mcpName": "io.github.mlawsonking/code-guard-mcp",
|
|
5
|
+
"publishConfig": { "access": "public" },
|
|
6
|
+
"description": "MCP server: security scanner for AI-generated code — the agent scans its own code/diff before committing. Detects injection, SSRF, hardcoded secrets, weak crypto, unsafe deserialization, TLS-off, XSS. Deterministic, free, no LLM.",
|
|
7
|
+
"type": "module",
|
|
8
|
+
"bin": { "code-guard-mcp": "index.mjs" },
|
|
9
|
+
"files": ["index.mjs", "README.md"],
|
|
10
|
+
"engines": { "node": ">=18" },
|
|
11
|
+
"keywords": ["mcp", "model-context-protocol", "ai", "agents", "security", "sast", "code-security", "ai-generated-code", "vulnerability", "injection", "secrets", "guardrails", "coding-agent"],
|
|
12
|
+
"repository": { "type": "git", "url": "git+https://github.com/mlawsonking/MCP.git", "directory": "code-guard-mcp" },
|
|
13
|
+
"homepage": "https://github.com/mlawsonking/MCP#readme",
|
|
14
|
+
"license": "MIT",
|
|
15
|
+
"author": "mlawsonking",
|
|
16
|
+
"dependencies": {
|
|
17
|
+
"@modelcontextprotocol/sdk": "^1.12.0",
|
|
18
|
+
"zod": "^3.23.8"
|
|
19
|
+
}
|
|
20
|
+
}
|