npm - @raghulm/aegis-mcp - Versions diffs - 1.0.4 → 1.0.7 - Mend

@raghulm/aegis-mcp 1.0.4 → 1.0.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (27) hide show

package/README.md +286 -290
package/audit/audit_logger.py +62 -62
package/package.json +5 -6
package/policies/roles.yaml +34 -34
package/policies/scope_rules.yaml +16 -16
package/requirements.txt +8 -7
package/run_stdio.py +22 -22
package/server/auth.py +69 -69
package/server/config.py +82 -82
package/server/health.py +19 -19
package/server/logging.py +33 -33
package/server/main.py +212 -144
package/server/stdio.py +7 -7
package/tools/aws/ec2.py +26 -26
package/tools/aws/s3.py +54 -54
package/tools/cicd/jenkins.py +256 -0
package/tools/cicd/pipeline.py +33 -33
package/tools/git/repo.py +22 -22
package/tools/kubernetes/audit.py +108 -108
package/tools/kubernetes/pods.py +27 -27
package/tools/network/headers.py +99 -99
package/tools/network/port_scanner.py +66 -66
package/tools/network/ssl_checker.py +65 -65
package/tools/security/deps.py +103 -103
package/tools/security/secrets.py +91 -91
package/tools/security/semgrep.py +261 -261
package/tools/security/trivy.py +19 -19

package/tools/security/deps.py CHANGED Viewed

@@ -1,103 +1,103 @@
-from __future__ import annotations
-import json
-import os
-import re
-from typing import Any
-import requests
-def _parse_requirements_txt(file_path: str) -> list[dict[str, str]]:
-    packages: list[dict[str, str]] = []
-    with open(file_path, "r", encoding="utf-8") as fh:
-        for line in fh:
-            line = line.strip()
-            if not line or line.startswith("#") or line.startswith("-"):
-                continue
-            match = re.match(r"^([A-Za-z0-9_\-\.]+)\s*(?:[=<>!~]+\s*(.+))?", line)
-            if match:
-                name = match.group(1)
-                version = match.group(2).strip() if match.group(2) else ""
-                packages.append({"name": name, "version": version})
-    return packages
-def _parse_package_json(file_path: str) -> list[dict[str, str]]:
-    with open(file_path, "r", encoding="utf-8") as fh:
-        data = json.load(fh)
-    packages: list[dict[str, str]] = []
-    for dep_key in ("dependencies", "devDependencies"):
-        for name, version in data.get(dep_key, {}).items():
-            clean_version = re.sub(r"^[\^~>=<]", "", version)
-            packages.append({"name": name, "version": clean_version})
-    return packages
-def _query_osv(ecosystem: str, package_name: str, version: str) -> list[dict[str, Any]]:
-    """Query the OSV.dev API for known vulnerabilities."""
-    payload: dict[str, Any] = {
-        "package": {"name": package_name, "ecosystem": ecosystem},
-    }
-    if version:
-        payload["version"] = version
-    try:
-        resp = requests.post(
-            "https://api.osv.dev/v1/query",
-            json=payload,
-            timeout=10,
-        )
-        resp.raise_for_status()
-    except requests.RequestException:
-        return []
-    vulns = resp.json().get("vulns", [])
-    results: list[dict[str, Any]] = []
-    for vuln in vulns:
-        aliases = vuln.get("aliases", [])
-        cve = next((a for a in aliases if a.startswith("CVE-")), aliases[0] if aliases else vuln.get("id", ""))
-        severity_list = vuln.get("severity", [])
-        severity = severity_list[0].get("score", "unknown") if severity_list else "unknown"
-        results.append({
-            "id": vuln.get("id", ""),
-            "cve": cve,
-            "summary": vuln.get("summary", "No summary available"),
-            "severity": severity,
-        })
-    return results
-def check_dependencies(file_path: str) -> list[dict[str, Any]]:
-    """Scan a dependency file for known vulnerabilities via OSV.dev.
-    Args:
-        file_path: Path to requirements.txt or package.json.
-    Returns:
-        List of packages with their vulnerability status.
-    """
-    if not os.path.exists(file_path):
-        raise RuntimeError(f"File does not exist: {file_path}")
-    basename = os.path.basename(file_path).lower()
-    if basename == "requirements.txt":
-        packages = _parse_requirements_txt(file_path)
-        ecosystem = "PyPI"
-    elif basename == "package.json":
-        packages = _parse_package_json(file_path)
-        ecosystem = "npm"
-    else:
-        raise RuntimeError(f"Unsupported dependency file: {basename}. Use requirements.txt or package.json.")
-    results: list[dict[str, Any]] = []
-    for pkg in packages:
-        vulns = _query_osv(ecosystem, pkg["name"], pkg["version"])
-        results.append({
-            "package": pkg["name"],
-            "version": pkg["version"] or "unspecified",
-            "vulnerabilities_found": len(vulns),
-            "vulnerabilities": vulns,
-        })
-    return results
+from __future__ import annotations
+import json
+import os
+import re
+from typing import Any
+import requests
+def _parse_requirements_txt(file_path: str) -> list[dict[str, str]]:
+    packages: list[dict[str, str]] = []
+    with open(file_path, "r", encoding="utf-8") as fh:
+        for line in fh:
+            line = line.strip()
+            if not line or line.startswith("#") or line.startswith("-"):
+                continue
+            match = re.match(r"^([A-Za-z0-9_\-\.]+)\s*(?:[=<>!~]+\s*(.+))?", line)
+            if match:
+                name = match.group(1)
+                version = match.group(2).strip() if match.group(2) else ""
+                packages.append({"name": name, "version": version})
+    return packages
+def _parse_package_json(file_path: str) -> list[dict[str, str]]:
+    with open(file_path, "r", encoding="utf-8") as fh:
+        data = json.load(fh)
+    packages: list[dict[str, str]] = []
+    for dep_key in ("dependencies", "devDependencies"):
+        for name, version in data.get(dep_key, {}).items():
+            clean_version = re.sub(r"^[\^~>=<]", "", version)
+            packages.append({"name": name, "version": clean_version})
+    return packages
+def _query_osv(ecosystem: str, package_name: str, version: str) -> list[dict[str, Any]]:
+    """Query the OSV.dev API for known vulnerabilities."""
+    payload: dict[str, Any] = {
+        "package": {"name": package_name, "ecosystem": ecosystem},
+    }
+    if version:
+        payload["version"] = version
+    try:
+        resp = requests.post(
+            "https://api.osv.dev/v1/query",
+            json=payload,
+            timeout=10,
+        )
+        resp.raise_for_status()
+    except requests.RequestException:
+        return []
+    vulns = resp.json().get("vulns", [])
+    results: list[dict[str, Any]] = []
+    for vuln in vulns:
+        aliases = vuln.get("aliases", [])
+        cve = next((a for a in aliases if a.startswith("CVE-")), aliases[0] if aliases else vuln.get("id", ""))
+        severity_list = vuln.get("severity", [])
+        severity = severity_list[0].get("score", "unknown") if severity_list else "unknown"
+        results.append({
+            "id": vuln.get("id", ""),
+            "cve": cve,
+            "summary": vuln.get("summary", "No summary available"),
+            "severity": severity,
+        })
+    return results
+def check_dependencies(file_path: str) -> list[dict[str, Any]]:
+    """Scan a dependency file for known vulnerabilities via OSV.dev.
+    Args:
+        file_path: Path to requirements.txt or package.json.
+    Returns:
+        List of packages with their vulnerability status.
+    """
+    if not os.path.exists(file_path):
+        raise RuntimeError(f"File does not exist: {file_path}")
+    basename = os.path.basename(file_path).lower()
+    if basename == "requirements.txt":
+        packages = _parse_requirements_txt(file_path)
+        ecosystem = "PyPI"
+    elif basename == "package.json":
+        packages = _parse_package_json(file_path)
+        ecosystem = "npm"
+    else:
+        raise RuntimeError(f"Unsupported dependency file: {basename}. Use requirements.txt or package.json.")
+    results: list[dict[str, Any]] = []
+    for pkg in packages:
+        vulns = _query_osv(ecosystem, pkg["name"], pkg["version"])
+        results.append({
+            "package": pkg["name"],
+            "version": pkg["version"] or "unspecified",
+            "vulnerabilities_found": len(vulns),
+            "vulnerabilities": vulns,
+        })
+    return results

package/tools/security/secrets.py CHANGED Viewed

@@ -1,91 +1,91 @@
-from __future__ import annotations
-import os
-import re
-from typing import Any
-# Common secret patterns with descriptive names
-_PATTERNS: list[tuple[str, re.Pattern[str]]] = [
-    ("AWS Access Key", re.compile(r"(?:^|[^A-Z0-9])(?:AKIA[0-9A-Z]{16})(?:[^A-Z0-9]|$)")),
-    ("AWS Secret Key", re.compile(
-        r"""(?:aws_secret_access_key|secret_access_key|aws_secret)\s*[=:]\s*['"]?([A-Za-z0-9/+=]{40})['"]?""",
-        re.IGNORECASE,
-    )),
-    ("Generic API Key", re.compile(
-        r"""(?:api[_-]?key|apikey|api[_-]?secret)\s*[=:]\s*['"]?([A-Za-z0-9_\-]{20,60})['"]?""",
-        re.IGNORECASE,
-    )),
-    ("Generic Token", re.compile(
-        r"""(?:token|auth[_-]?token|access[_-]?token|bearer)\s*[=:]\s*['"]?([A-Za-z0-9_\-\.]{20,200})['"]?""",
-        re.IGNORECASE,
-    )),
-    ("Generic Password", re.compile(
-        r"""(?:password|passwd|pwd|secret)\s*[=:]\s*['"]?([^\s'"]{8,})['"]?""",
-        re.IGNORECASE,
-    )),
-    ("Private Key", re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")),
-    ("GitHub Token", re.compile(r"(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9_]{36,}")),
-    ("Slack Token", re.compile(r"xox[bporas]-[A-Za-z0-9\-]{10,}")),
-    ("Stripe Key", re.compile(r"(?:sk|pk)_(?:test|live)_[A-Za-z0-9]{20,}")),
-    ("SendGrid Key", re.compile(r"SG\.[A-Za-z0-9_\-]{22,}\.[A-Za-z0-9_\-]{43,}")),
-]
-_SKIP_DIRS = {".git", "__pycache__", "node_modules", ".venv", "venv", ".env", ".tox", "dist", "build"}
-_SKIP_EXTENSIONS = {".pyc", ".pyo", ".so", ".dll", ".exe", ".bin", ".jpg", ".png", ".gif", ".ico", ".woff", ".ttf"}
-_MAX_FILE_SIZE = 1_048_576  # 1 MB
-def _redact(match_text: str, keep: int = 6) -> str:
-    if len(match_text) <= keep:
-        return "***REDACTED***"
-    return match_text[:keep] + "***REDACTED***"
-def _scan_file(file_path: str) -> list[dict[str, Any]]:
-    findings: list[dict[str, Any]] = []
-    try:
-        if os.path.getsize(file_path) > _MAX_FILE_SIZE:
-            return findings
-        with open(file_path, "r", encoding="utf-8", errors="ignore") as fh:
-            for line_no, line in enumerate(fh, start=1):
-                for pattern_name, pattern in _PATTERNS:
-                    match = pattern.search(line)
-                    if match:
-                        matched_text = match.group(0).strip()
-                        findings.append({
-                            "file": file_path,
-                            "line": line_no,
-                            "pattern": pattern_name,
-                            "match": _redact(matched_text),
-                        })
-    except (OSError, UnicodeDecodeError):
-        pass
-    return findings
-def scan_secrets(path: str) -> list[dict[str, Any]]:
-    """Scan a file or directory for exposed secrets using regex patterns.
-    Args:
-        path: Path to a file or directory to scan.
-    Returns:
-        List of findings, each with file, line, pattern name, and redacted match.
-    """
-    if not os.path.exists(path):
-        raise RuntimeError(f"Path does not exist: {path}")
-    findings: list[dict[str, Any]] = []
-    if os.path.isfile(path):
-        return _scan_file(path)
-    for root, dirs, files in os.walk(path):
-        dirs[:] = [d for d in dirs if d not in _SKIP_DIRS]
-        for fname in files:
-            ext = os.path.splitext(fname)[1].lower()
-            if ext in _SKIP_EXTENSIONS:
-                continue
-            full_path = os.path.join(root, fname)
-            findings.extend(_scan_file(full_path))
-    return findings
+from __future__ import annotations
+import os
+import re
+from typing import Any
+# Common secret patterns with descriptive names
+_PATTERNS: list[tuple[str, re.Pattern[str]]] = [
+    ("AWS Access Key", re.compile(r"(?:^|[^A-Z0-9])(?:AKIA[0-9A-Z]{16})(?:[^A-Z0-9]|$)")),
+    ("AWS Secret Key", re.compile(
+        r"""(?:aws_secret_access_key|secret_access_key|aws_secret)\s*[=:]\s*['"]?([A-Za-z0-9/+=]{40})['"]?""",
+        re.IGNORECASE,
+    )),
+    ("Generic API Key", re.compile(
+        r"""(?:api[_-]?key|apikey|api[_-]?secret)\s*[=:]\s*['"]?([A-Za-z0-9_\-]{20,60})['"]?""",
+        re.IGNORECASE,
+    )),
+    ("Generic Token", re.compile(
+        r"""(?:token|auth[_-]?token|access[_-]?token|bearer)\s*[=:]\s*['"]?([A-Za-z0-9_\-\.]{20,200})['"]?""",
+        re.IGNORECASE,
+    )),
+    ("Generic Password", re.compile(
+        r"""(?:password|passwd|pwd|secret)\s*[=:]\s*['"]?([^\s'"]{8,})['"]?""",
+        re.IGNORECASE,
+    )),
+    ("Private Key", re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")),
+    ("GitHub Token", re.compile(r"(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9_]{36,}")),
+    ("Slack Token", re.compile(r"xox[bporas]-[A-Za-z0-9\-]{10,}")),
+    ("Stripe Key", re.compile(r"(?:sk|pk)_(?:test|live)_[A-Za-z0-9]{20,}")),
+    ("SendGrid Key", re.compile(r"SG\.[A-Za-z0-9_\-]{22,}\.[A-Za-z0-9_\-]{43,}")),
+]
+_SKIP_DIRS = {".git", "__pycache__", "node_modules", ".venv", "venv", ".env", ".tox", "dist", "build"}
+_SKIP_EXTENSIONS = {".pyc", ".pyo", ".so", ".dll", ".exe", ".bin", ".jpg", ".png", ".gif", ".ico", ".woff", ".ttf"}
+_MAX_FILE_SIZE = 1_048_576  # 1 MB
+def _redact(match_text: str, keep: int = 6) -> str:
+    if len(match_text) <= keep:
+        return "***REDACTED***"
+    return match_text[:keep] + "***REDACTED***"
+def _scan_file(file_path: str) -> list[dict[str, Any]]:
+    findings: list[dict[str, Any]] = []
+    try:
+        if os.path.getsize(file_path) > _MAX_FILE_SIZE:
+            return findings
+        with open(file_path, "r", encoding="utf-8", errors="ignore") as fh:
+            for line_no, line in enumerate(fh, start=1):
+                for pattern_name, pattern in _PATTERNS:
+                    match = pattern.search(line)
+                    if match:
+                        matched_text = match.group(0).strip()
+                        findings.append({
+                            "file": file_path,
+                            "line": line_no,
+                            "pattern": pattern_name,
+                            "match": _redact(matched_text),
+                        })
+    except (OSError, UnicodeDecodeError):
+        pass
+    return findings
+def scan_secrets(path: str) -> list[dict[str, Any]]:
+    """Scan a file or directory for exposed secrets using regex patterns.
+    Args:
+        path: Path to a file or directory to scan.
+    Returns:
+        List of findings, each with file, line, pattern name, and redacted match.
+    """
+    if not os.path.exists(path):
+        raise RuntimeError(f"Path does not exist: {path}")
+    findings: list[dict[str, Any]] = []
+    if os.path.isfile(path):
+        return _scan_file(path)
+    for root, dirs, files in os.walk(path):
+        dirs[:] = [d for d in dirs if d not in _SKIP_DIRS]
+        for fname in files:
+            ext = os.path.splitext(fname)[1].lower()
+            if ext in _SKIP_EXTENSIONS:
+                continue
+            full_path = os.path.join(root, fname)
+            findings.extend(_scan_file(full_path))
+    return findings