@raghulm/aegis-mcp 1.0.2 → 1.0.4

package/tools/git/repo.py

@@ -0,0 +1,22 @@
+from __future__ import annotations
+
+import subprocess
+
+
+def get_recent_commits(limit: int = 10) -> list[dict[str, str]]:
+    try:
+        raw = subprocess.check_output(
+            ["git", "log", f"-{limit}", "--pretty=format:%H|%an|%s"],
+            text=True,
+        )
+    except FileNotFoundError as exc:
+        raise RuntimeError("git is not installed or not on PATH") from exc
+    except subprocess.CalledProcessError as exc:
+        raise RuntimeError(f"git log failed: {exc.output}") from exc
+
+    commits = []
+    for line in raw.splitlines():
+        parts = line.split("|", maxsplit=2)
+        if len(parts) == 3:
+            commits.append({"hash": parts[0], "author": parts[1], "subject": parts[2]})
+    return commits

package/tools/kubernetes/audit.py

@@ -0,0 +1,108 @@
+from __future__ import annotations
+
+import json
+import subprocess
+from typing import Any
+
+
+def k8s_security_audit(namespace: str = "") -> list[dict[str, Any]]:
+    findings = []
+
+    cmd_base = ["kubectl", "get"]
+    if namespace:
+        ns_args = ["-n", namespace]
+    else:
+        ns_args = ["-A"]
+
+    try:
+        pods_result = subprocess.check_output(
+            cmd_base + ["pods"] + ns_args + ["-o", "json"],
+            stderr=subprocess.STDOUT,
+            text=True,
+        )
+        pods_payload = json.loads(pods_result)
+    except Exception as exc:
+        print(f"Warning: Failed to get pods: {exc}")
+        pods_payload = {"items": []}
+
+    try:
+        services_result = subprocess.check_output(
+            cmd_base + ["svc"] + ns_args + ["-o", "json"],
+            stderr=subprocess.STDOUT,
+            text=True,
+        )
+        svcs_payload = json.loads(services_result)
+    except Exception as exc:
+        print(f"Warning: Failed to get services: {exc}")
+        svcs_payload = {"items": []}
+
+    try:
+        roles_result = subprocess.check_output(
+            cmd_base + ["clusterrolebindings", "-o", "json"],
+            stderr=subprocess.STDOUT,
+            text=True,
+        )
+        crb_payload = json.loads(roles_result)
+    except Exception as exc:
+        print(f"Warning: Failed to get clusterrolebindings: {exc}")
+        crb_payload = {"items": []}
+
+    # Parse pods
+    for pod in pods_payload.get("items", []):
+        metadata = pod.get("metadata", {})
+        pod_name = metadata.get("name", "unknown")
+        pod_ns = metadata.get("namespace", "unknown")
+        spec = pod.get("spec", {})
+
+        # Check hostNetwork
+        if spec.get("hostNetwork") is True:
+            findings.append({
+                "type": "hostNetwork",
+                "severity": "HIGH",
+                "resource": f"Pod/{pod_ns}/{pod_name}",
+                "message": "Pod is using host network."
+            })
+
+        # Check privileged containers
+        for container in spec.get("containers", []):
+            sec_ctx = container.get("securityContext", {})
+            if sec_ctx.get("privileged") is True:
+                findings.append({
+                    "type": "privileged_container",
+                    "severity": "CRITICAL",
+                    "resource": f"Pod/{pod_ns}/{pod_name}",
+                    "message": f"Container '{container.get('name')}' is running as privileged.",
+                })
+
+    # Parse services
+    for svc in svcs_payload.get("items", []):
+        metadata = svc.get("metadata", {})
+        svc_name = metadata.get("name", "unknown")
+        svc_ns = metadata.get("namespace", "unknown")
+        spec = svc.get("spec", {})
+
+        if spec.get("type") == "NodePort":
+            findings.append({
+                "type": "exposed_nodeport",
+                "severity": "MEDIUM",
+                "resource": f"Service/{svc_ns}/{svc_name}",
+                "message": "Service is exposed via NodePort."
+            })
+
+    # Parse cluster role bindings
+    for crb in crb_payload.get("items", []):
+        metadata = crb.get("metadata", {})
+        crb_name = metadata.get("name", "unknown")
+        role_ref = crb.get("roleRef", {})
+
+        if role_ref.get("name") == "cluster-admin":
+            for subj in crb.get("subjects", []):
+                if subj.get("kind") == "ServiceAccount":
+                    findings.append({
+                        "type": "cluster_admin_sa",
+                        "severity": "CRITICAL",
+                        "resource": f"ClusterRoleBinding/{crb_name}",
+                        "message": f"ServiceAccount '{subj.get('namespace')}/{subj.get('name')}' is bound to cluster-admin."
+                    })
+
+    return findings

package/tools/kubernetes/pods.py

@@ -0,0 +1,27 @@
+from __future__ import annotations
+
+import json
+import subprocess
+from typing import Any
+
+
+def list_pods(namespace: str = "default") -> list[dict[str, Any]]:
+    try:
+        result = subprocess.check_output(
+            ["kubectl", "get", "pods", "-n", namespace, "-o", "json"],
+            stderr=subprocess.STDOUT,
+            text=True,
+        )
+    except FileNotFoundError as exc:
+        raise RuntimeError("kubectl is not installed or not on PATH") from exc
+    except subprocess.CalledProcessError as exc:
+        raise RuntimeError(f"kubectl error (namespace '{namespace}'): {exc.output}") from exc
+
+    payload = json.loads(result)
+    return [
+        {
+            "name": item["metadata"]["name"],
+            "phase": item["status"].get("phase"),
+        }
+        for item in payload.get("items", [])
+    ]

package/tools/network/headers.py

@@ -0,0 +1,99 @@
+from __future__ import annotations
+
+from typing import Any
+
+import requests
+
+_SECURITY_HEADERS = {
+    "Strict-Transport-Security": {
+        "description": "Enforces HTTPS connections",
+        "recommended": True,
+    },
+    "Content-Security-Policy": {
+        "description": "Controls resources the browser is allowed to load",
+        "recommended": True,
+    },
+    "X-Content-Type-Options": {
+        "description": "Prevents MIME-type sniffing",
+        "recommended": True,
+        "expected_value": "nosniff",
+    },
+    "X-Frame-Options": {
+        "description": "Controls whether the page can be embedded in iframes",
+        "recommended": True,
+    },
+    "Referrer-Policy": {
+        "description": "Controls how much referrer information is sent",
+        "recommended": True,
+    },
+    "Permissions-Policy": {
+        "description": "Controls browser features available to the page",
+        "recommended": True,
+    },
+    "X-XSS-Protection": {
+        "description": "Legacy XSS filter (mostly deprecated but still checked)",
+        "recommended": False,
+    },
+    "Cache-Control": {
+        "description": "Controls caching behavior for sensitive data",
+        "recommended": True,
+    },
+}
+
+
+def check_http_headers(url: str) -> dict[str, Any]:
+    """Audit HTTP security headers for a given URL.
+
+    Args:
+        url: The target URL to check (must include scheme, e.g. https://example.com).
+
+    Returns:
+        Dict with header analysis, score, and recommendations.
+    """
+    if not url.startswith(("http://", "https://")):
+        url = "https://" + url
+
+    try:
+        resp = requests.head(url, timeout=10, allow_redirects=True)
+    except requests.ConnectionError as exc:
+        raise RuntimeError(f"Cannot connect to '{url}': {exc}") from exc
+    except requests.Timeout as exc:
+        raise RuntimeError(f"Request to '{url}' timed out") from exc
+
+    headers_lower = {k.lower(): v for k, v in resp.headers.items()}
+    total_recommended = sum(1 for h in _SECURITY_HEADERS.values() if h["recommended"])
+    present_recommended = 0
+
+    results: list[dict[str, Any]] = []
+    for header_name, info in _SECURITY_HEADERS.items():
+        value = headers_lower.get(header_name.lower())
+        is_present = value is not None
+        if is_present and info["recommended"]:
+            present_recommended += 1
+
+        entry: dict[str, Any] = {
+            "header": header_name,
+            "present": is_present,
+            "value": value or "",
+            "description": info["description"],
+        }
+
+        expected = info.get("expected_value")
+        if expected and is_present and value != expected:
+            entry["warning"] = f"Expected '{expected}', got '{value}'"
+
+        results.append(entry)
+
+    score = round((present_recommended / total_recommended) * 100) if total_recommended else 0
+    grade = "A" if score >= 85 else "B" if score >= 70 else "C" if score >= 50 else "D" if score >= 30 else "F"
+
+    missing = [r["header"] for r in results if not r["present"] and _SECURITY_HEADERS[r["header"]]["recommended"]]
+
+    return {
+        "url": url,
+        "status_code": resp.status_code,
+        "score": score,
+        "grade": grade,
+        "headers": results,
+        "missing_recommended": missing,
+    }

package/tools/network/port_scanner.py

@@ -0,0 +1,66 @@
+from __future__ import annotations
+
+import socket
+from typing import Any
+
+_COMMON_PORTS: dict[int, str] = {
+    21: "FTP",
+    22: "SSH",
+    23: "Telnet",
+    25: "SMTP",
+    53: "DNS",
+    80: "HTTP",
+    110: "POP3",
+    143: "IMAP",
+    443: "HTTPS",
+    445: "SMB",
+    993: "IMAPS",
+    995: "POP3S",
+    3306: "MySQL",
+    3389: "RDP",
+    5432: "PostgreSQL",
+    6379: "Redis",
+    8080: "HTTP-Alt",
+    8443: "HTTPS-Alt",
+    27017: "MongoDB",
+}
+
+
+def port_scan(host: str, ports: str = "") -> list[dict[str, Any]]:
+    """Perform a basic TCP connect scan on a host.
+
+    Args:
+        host: Target hostname or IP address.
+        ports: Comma-separated port numbers. If empty, scans common service ports.
+
+    Returns:
+        List of port results with port number, status, and service name.
+    """
+    try:
+        resolved_ip = socket.gethostbyname(host)
+    except socket.gaierror as exc:
+        raise RuntimeError(f"Cannot resolve hostname '{host}': {exc}") from exc
+
+    if ports:
+        try:
+            port_list = [int(p.strip()) for p in ports.split(",") if p.strip()]
+        except ValueError as exc:
+            raise RuntimeError(f"Invalid port specification: {exc}") from exc
+    else:
+        port_list = list(_COMMON_PORTS.keys())
+
+    results: list[dict[str, Any]] = []
+    for port in sorted(port_list):
+        try:
+            with socket.create_connection((host, port), timeout=2):
+                status = "open"
+        except (socket.timeout, ConnectionRefusedError, OSError):
+            status = "closed"
+
+        results.append({
+            "port": port,
+            "status": status,
+            "service": _COMMON_PORTS.get(port, "unknown"),
+        })
+
+    return results

package/tools/network/ssl_checker.py

@@ -0,0 +1,65 @@
+from __future__ import annotations
+
+import socket
+import ssl
+from datetime import datetime, timezone
+from typing import Any
+
+
+def check_ssl_certificate(hostname: str, port: int = 443) -> dict[str, Any]:
+    """Check the SSL/TLS certificate for a given hostname.
+
+    Args:
+        hostname: Domain name to check.
+        port: TCP port (default 443).
+
+    Returns:
+        Certificate details including subject, issuer, validity, and expiry info.
+    """
+    context = ssl.create_default_context()
+    try:
+        with socket.create_connection((hostname, port), timeout=10) as sock:
+            with context.wrap_socket(sock, server_hostname=hostname) as ssock:
+                cert = ssock.getpeercert()
+    except socket.gaierror as exc:
+        raise RuntimeError(f"DNS resolution failed for '{hostname}': {exc}") from exc
+    except socket.timeout as exc:
+        raise RuntimeError(f"Connection to '{hostname}:{port}' timed out") from exc
+    except ssl.SSLError as exc:
+        raise RuntimeError(f"SSL error for '{hostname}:{port}': {exc}") from exc
+    except OSError as exc:
+        raise RuntimeError(f"Connection failed to '{hostname}:{port}': {exc}") from exc
+
+    if not cert:
+        raise RuntimeError(f"No certificate returned by '{hostname}:{port}'")
+
+    def _format_name(name_tuples: tuple) -> str:
+        parts = []
+        for attr_group in name_tuples:
+            for key, value in attr_group:
+                parts.append(f"{key}={value}")
+        return ", ".join(parts)
+
+    not_before = datetime.strptime(cert["notBefore"], "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)
+    not_after = datetime.strptime(cert["notAfter"], "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)
+    now = datetime.now(tz=timezone.utc)
+    days_until_expiry = (not_after - now).days
+
+    san_entries = []
+    for san_type, san_value in cert.get("subjectAltName", ()):
+        san_entries.append(f"{san_type}:{san_value}")
+
+    return {
+        "hostname": hostname,
+        "port": port,
+        "subject": _format_name(cert.get("subject", ())),
+        "issuer": _format_name(cert.get("issuer", ())),
+        "serial_number": cert.get("serialNumber", ""),
+        "version": cert.get("version", ""),
+        "not_before": not_before.isoformat(),
+        "not_after": not_after.isoformat(),
+        "days_until_expiry": days_until_expiry,
+        "expired": days_until_expiry < 0,
+        "subject_alt_names": san_entries,
+        "protocol": "TLSv1.2+",
+    }

package/tools/security/deps.py

@@ -0,0 +1,103 @@
+from __future__ import annotations
+
+import json
+import os
+import re
+from typing import Any
+
+import requests
+
+
+def _parse_requirements_txt(file_path: str) -> list[dict[str, str]]:
+    packages: list[dict[str, str]] = []
+    with open(file_path, "r", encoding="utf-8") as fh:
+        for line in fh:
+            line = line.strip()
+            if not line or line.startswith("#") or line.startswith("-"):
+                continue
+            match = re.match(r"^([A-Za-z0-9_\-\.]+)\s*(?:[=<>!~]+\s*(.+))?", line)
+            if match:
+                name = match.group(1)
+                version = match.group(2).strip() if match.group(2) else ""
+                packages.append({"name": name, "version": version})
+    return packages
+
+
+def _parse_package_json(file_path: str) -> list[dict[str, str]]:
+    with open(file_path, "r", encoding="utf-8") as fh:
+        data = json.load(fh)
+    packages: list[dict[str, str]] = []
+    for dep_key in ("dependencies", "devDependencies"):
+        for name, version in data.get(dep_key, {}).items():
+            clean_version = re.sub(r"^[\^~>=<]", "", version)
+            packages.append({"name": name, "version": clean_version})
+    return packages
+
+
+def _query_osv(ecosystem: str, package_name: str, version: str) -> list[dict[str, Any]]:
+    """Query the OSV.dev API for known vulnerabilities."""
+    payload: dict[str, Any] = {
+        "package": {"name": package_name, "ecosystem": ecosystem},
+    }
+    if version:
+        payload["version"] = version
+
+    try:
+        resp = requests.post(
+            "https://api.osv.dev/v1/query",
+            json=payload,
+            timeout=10,
+        )
+        resp.raise_for_status()
+    except requests.RequestException:
+        return []
+
+    vulns = resp.json().get("vulns", [])
+    results: list[dict[str, Any]] = []
+    for vuln in vulns:
+        aliases = vuln.get("aliases", [])
+        cve = next((a for a in aliases if a.startswith("CVE-")), aliases[0] if aliases else vuln.get("id", ""))
+        severity_list = vuln.get("severity", [])
+        severity = severity_list[0].get("score", "unknown") if severity_list else "unknown"
+        results.append({
+            "id": vuln.get("id", ""),
+            "cve": cve,
+            "summary": vuln.get("summary", "No summary available"),
+            "severity": severity,
+        })
+    return results
+
+
+def check_dependencies(file_path: str) -> list[dict[str, Any]]:
+    """Scan a dependency file for known vulnerabilities via OSV.dev.
+
+    Args:
+        file_path: Path to requirements.txt or package.json.
+
+    Returns:
+        List of packages with their vulnerability status.
+    """
+    if not os.path.exists(file_path):
+        raise RuntimeError(f"File does not exist: {file_path}")
+
+    basename = os.path.basename(file_path).lower()
+    if basename == "requirements.txt":
+        packages = _parse_requirements_txt(file_path)
+        ecosystem = "PyPI"
+    elif basename == "package.json":
+        packages = _parse_package_json(file_path)
+        ecosystem = "npm"
+    else:
+        raise RuntimeError(f"Unsupported dependency file: {basename}. Use requirements.txt or package.json.")
+
+    results: list[dict[str, Any]] = []
+    for pkg in packages:
+        vulns = _query_osv(ecosystem, pkg["name"], pkg["version"])
+        results.append({
+            "package": pkg["name"],
+            "version": pkg["version"] or "unspecified",
+            "vulnerabilities_found": len(vulns),
+            "vulnerabilities": vulns,
+        })
+
+    return results

package/tools/security/secrets.py

@@ -0,0 +1,91 @@
+from __future__ import annotations
+
+import os
+import re
+from typing import Any
+
+# Common secret patterns with descriptive names
+_PATTERNS: list[tuple[str, re.Pattern[str]]] = [
+    ("AWS Access Key", re.compile(r"(?:^|[^A-Z0-9])(?:AKIA[0-9A-Z]{16})(?:[^A-Z0-9]|$)")),
+    ("AWS Secret Key", re.compile(
+        r"""(?:aws_secret_access_key|secret_access_key|aws_secret)\s*[=:]\s*['"]?([A-Za-z0-9/+=]{40})['"]?""",
+        re.IGNORECASE,
+    )),
+    ("Generic API Key", re.compile(
+        r"""(?:api[_-]?key|apikey|api[_-]?secret)\s*[=:]\s*['"]?([A-Za-z0-9_\-]{20,60})['"]?""",
+        re.IGNORECASE,
+    )),
+    ("Generic Token", re.compile(
+        r"""(?:token|auth[_-]?token|access[_-]?token|bearer)\s*[=:]\s*['"]?([A-Za-z0-9_\-\.]{20,200})['"]?""",
+        re.IGNORECASE,
+    )),
+    ("Generic Password", re.compile(
+        r"""(?:password|passwd|pwd|secret)\s*[=:]\s*['"]?([^\s'"]{8,})['"]?""",
+        re.IGNORECASE,
+    )),
+    ("Private Key", re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")),
+    ("GitHub Token", re.compile(r"(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9_]{36,}")),
+    ("Slack Token", re.compile(r"xox[bporas]-[A-Za-z0-9\-]{10,}")),
+    ("Stripe Key", re.compile(r"(?:sk|pk)_(?:test|live)_[A-Za-z0-9]{20,}")),
+    ("SendGrid Key", re.compile(r"SG\.[A-Za-z0-9_\-]{22,}\.[A-Za-z0-9_\-]{43,}")),
+]
+
+_SKIP_DIRS = {".git", "__pycache__", "node_modules", ".venv", "venv", ".env", ".tox", "dist", "build"}
+_SKIP_EXTENSIONS = {".pyc", ".pyo", ".so", ".dll", ".exe", ".bin", ".jpg", ".png", ".gif", ".ico", ".woff", ".ttf"}
+_MAX_FILE_SIZE = 1_048_576  # 1 MB
+
+
+def _redact(match_text: str, keep: int = 6) -> str:
+    if len(match_text) <= keep:
+        return "***REDACTED***"
+    return match_text[:keep] + "***REDACTED***"
+
+
+def _scan_file(file_path: str) -> list[dict[str, Any]]:
+    findings: list[dict[str, Any]] = []
+    try:
+        if os.path.getsize(file_path) > _MAX_FILE_SIZE:
+            return findings
+        with open(file_path, "r", encoding="utf-8", errors="ignore") as fh:
+            for line_no, line in enumerate(fh, start=1):
+                for pattern_name, pattern in _PATTERNS:
+                    match = pattern.search(line)
+                    if match:
+                        matched_text = match.group(0).strip()
+                        findings.append({
+                            "file": file_path,
+                            "line": line_no,
+                            "pattern": pattern_name,
+                            "match": _redact(matched_text),
+                        })
+    except (OSError, UnicodeDecodeError):
+        pass
+    return findings
+
+
+def scan_secrets(path: str) -> list[dict[str, Any]]:
+    """Scan a file or directory for exposed secrets using regex patterns.
+
+    Args:
+        path: Path to a file or directory to scan.
+
+    Returns:
+        List of findings, each with file, line, pattern name, and redacted match.
+    """
+    if not os.path.exists(path):
+        raise RuntimeError(f"Path does not exist: {path}")
+
+    findings: list[dict[str, Any]] = []
+    if os.path.isfile(path):
+        return _scan_file(path)
+
+    for root, dirs, files in os.walk(path):
+        dirs[:] = [d for d in dirs if d not in _SKIP_DIRS]
+        for fname in files:
+            ext = os.path.splitext(fname)[1].lower()
+            if ext in _SKIP_EXTENSIONS:
+                continue
+            full_path = os.path.join(root, fname)
+            findings.extend(_scan_file(full_path))
+
+    return findings