@securityreviewai/security-review-mcp 0.2.9

package/dist/prompts/analysisPrompts.js

@@ -0,0 +1,496 @@
+import * as z from "zod/v4";
+export function registerAnalysisPrompts(server) {
+    server.registerPrompt("full_security_analysis", {
+        description: "Comprehensive end-to-end security analysis of any content. Generates security objectives, components, data dictionary, threat scenarios (with CVSS 4.0 scoring), and countermeasures. Use this when the user asks for a complete security review of a document, architecture, or system description.",
+        argsSchema: {
+            content: z.string(),
+            content_type: z.string().default("document"),
+        },
+    }, async ({ content, content_type }) => promptText(`You are an expert security architect performing a comprehensive security threat model analysis.
+
+Analyze the following ${content_type} and produce a **complete security review** with all five sections below.
+
+## CONTENT TO ANALYZE
+---
+${content}
+---
+
+## INSTRUCTIONS
+
+Produce the analysis in the following order. Each section builds on the previous ones.
+
+---
+
+### SECTION 1: SECURITY OBJECTIVES
+
+Identify 8-15 security objectives organized into three categories:
+
+**Regulatory Requirements**: Objectives derived from applicable regulations (GDPR, HIPAA, PCI-DSS, SOC2, etc.). For each, cite the specific regulation and section.
+
+**Internal Security Requirements**: Objectives based on security best practices (authentication, authorization, encryption, input validation, logging, etc.).
+
+**Contractual Requirements**: Objectives arising from business agreements, SLAs, or third-party commitments.
+
+For each objective provide:
+- **Name**: Concise title
+- **Description**: 2-3 sentence explanation
+- **Type**: Regulatory / Internal / Contractual
+- **Reasoning**: Why this objective is relevant to this system
+- **Evidence**: What in the content led to this objective
+
+---
+
+### SECTION 2: SYSTEM COMPONENTS
+
+Identify all distinct system components/entities. For each provide:
+- **Name**: Component name
+- **Description**: What it does
+- **Purpose**: Its role in the overall architecture
+- **Connected To**: List of other components it interacts with
+- **Security Objective IDs**: Which objectives from Section 1 are relevant
+
+---
+
+### SECTION 3: DATA DICTIONARY
+
+Identify 8-15 sensitive data assets in two categories:
+
+**Direct Sensitive Data**: PII, financial data, health data, authentication credentials, etc.
+**Stepping Stones**: Data that isn't sensitive itself but could be used to access sensitive data (API keys, tokens, session IDs, internal URLs, config files, etc.)
+
+For each asset provide:
+- **Name**: Data asset name
+- **Description**: What it contains and where it resides
+- **Type**: Direct Sensitive Data / Stepping Stone
+- **Reasoning**: Why this is security-relevant
+
+---
+
+### SECTION 4: THREAT SCENARIOS
+
+Generate 15-40 threat scenarios across the PWN-ISMS categories:
+1. **Product Security** (application-level vulnerabilities, business logic flaws)
+2. **Workload Security** (container, runtime, compute vulnerabilities)
+3. **Network Security** (network-layer attacks, TLS, DNS, firewall issues)
+4. **Identity & Access Management** (authentication, authorization, privilege escalation)
+5. **Secrets Management** (credential exposure, key management, rotation)
+6. **Logging & Monitoring** (detection gaps, audit trail tampering, alert fatigue)
+7. **Supply Chain** (dependency vulnerabilities, CI/CD attacks, third-party risks)
+
+For each threat provide:
+- **Name**: Concise threat title
+- **Description**: Detailed description of the attack scenario (3-5 sentences)
+- **Category**: PWN-ISMS category from above
+- **STRIDE Classification**: Which STRIDE categories apply (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege)
+- **CWE ID**: The most relevant CWE identifier
+- **CVSS 4.0 Score**: Score from 0.0 to 10.0 using CVSS 4.0 methodology
+- **CVSS Vector**: The CVSS 4.0 vector string
+- **Severity**: Critical (9.0-10.0) / High (7.0-8.9) / Medium (4.0-6.9) / Low (0.1-3.9)
+- **Reasoning**: Why this threat is realistic for this system
+- **Affected Components**: Which components from Section 2 are affected
+- **Affected Data**: Which data assets from Section 3 are at risk
+
+---
+
+### SECTION 5: COUNTERMEASURES
+
+Generate countermeasures for every threat in Section 4. Each threat must have at least one countermeasure.
+
+For each countermeasure provide:
+- **Name**: Concise title
+- **Description**: What the countermeasure does
+- **Implementation Steps**: Numbered list of concrete steps to implement
+- **Threat IDs**: Which threats this mitigates
+- **Category**: The PWN-ISMS category
+- **Framework References**: Relevant compliance framework sections (e.g., "OWASP ASVS V2.1", "NIST SP 800-53 AC-2")
+- **Priority**: High / Medium / Low
+
+---
+
+## OUTPUT FORMAT
+
+Present each section with clear markdown headers. Use tables where appropriate.
+Ensure every threat has at least one countermeasure. Cross-reference IDs between sections.`));
+    server.registerPrompt("security_objectives_analysis", {
+        description: "Generate security objectives for content. Identifies regulatory, internal, and contractual security requirements. Use when the user asks specifically about security objectives or requirements.",
+        argsSchema: {
+            content: z.string(),
+            frameworks: z.string().optional(),
+        },
+    }, async ({ content, frameworks }) => promptText(`You are an expert security architect specializing in security requirements and compliance.
+
+Analyze the following content and identify comprehensive security objectives.${frameworks ? `\n\nPay special attention to these compliance frameworks: ${frameworks}` : ""}
+
+## CONTENT
+---
+${content}
+---
+
+## INSTRUCTIONS
+
+Generate 8-15 security objectives organized into three categories:
+
+### Regulatory Requirements
+Objectives derived from applicable regulations and standards (GDPR, HIPAA, PCI-DSS, SOC2, NIST, ISO 27001, DORA, etc.).
+For each, cite the specific regulation and relevant section/clause.
+
+### Internal Security Requirements
+Objectives based on security best practices and industry standards:
+- Authentication and credential management
+- Authorization and access control
+- Data encryption (at rest and in transit)
+- Input validation and output encoding
+- Session management
+- Error handling and logging
+- Secure communications
+- Security configuration
+
+### Contractual Requirements
+Objectives arising from business agreements, SLAs, data processing agreements, or third-party commitments.
+
+For **each objective** provide:
+| Field | Description |
+|-------|-------------|
+| Name | Concise, descriptive title |
+| Description | 2-3 sentence detailed explanation |
+| Type | Regulatory / Internal / Contractual |
+| Reasoning | Why this is relevant to the analyzed system |
+| Evidence | Specific text or patterns from the content that justify this |
+| Framework Reference | Applicable standard and section (e.g., "OWASP ASVS V2.1.1") |
+
+Present as a structured list with clear categorization.`));
+    server.registerPrompt("component_analysis", {
+        description: "Extract and analyze system components/entities from content. Identifies all distinct components, their purposes, connections, and security profiles. Use when the user asks about system architecture or component identification.",
+        argsSchema: {
+            content: z.string(),
+        },
+    }, async ({ content }) => promptText(`You are an expert software architect analyzing system architecture for security threat modeling.
+
+## CONTENT
+---
+${content}
+---
+
+## TASK
+
+Identify and describe ALL distinct system components/entities in the content above.
+
+For **each component** provide:
+
+1. **Name**: Exact name as described in the content
+2. **Description**: Brief functional description (1-2 sentences)
+3. **Purpose**: Its role within the overall system architecture
+4. **Technology**: Specific technologies, frameworks, or platforms used (if identifiable)
+5. **Connected To**: List of other component names it communicates with
+6. **Data Handled**: What data flows through or is stored by this component
+7. **Trust Level**: External (untrusted) / Internal (trusted) / Semi-trusted
+8. **Attack Surface**: What interfaces it exposes (APIs, UI, network ports, file access, etc.)
+9. **Security Profile**: Key security characteristics (authentication required, encryption used, etc.)
+
+## GUIDELINES
+- Include infrastructure components (databases, message queues, caches, load balancers)
+- Include external services and third-party integrations
+- Include client-side components (browsers, mobile apps, CLI tools)
+- Map the connections between components to identify trust boundaries
+- Identify any component that processes, stores, or transmits sensitive data
+
+Present the components in a structured format, followed by a connection/data flow summary.`));
+    server.registerPrompt("data_dictionary_analysis", {
+        description: "Build a security-focused data dictionary from content. Identifies sensitive data assets and stepping stones. Use when the user asks about data classification, sensitive data, or data security.",
+        argsSchema: {
+            content: z.string(),
+        },
+    }, async ({ content }) => promptText(`You are a security expert specializing in data classification and sensitive data identification.
+
+## CONTENT
+---
+${content}
+---
+
+## TASK
+
+Identify all sensitive data assets in the system described above. Categorize them into two types:
+
+### Type 1: Direct Sensitive Data
+Data that is inherently sensitive and requires protection:
+- **PII** (Personally Identifiable Information): names, emails, addresses, phone numbers, SSNs, etc.
+- **Financial Data**: credit card numbers, bank accounts, transaction records, billing info
+- **Health Data (PHI)**: medical records, prescriptions, diagnoses, insurance info
+- **Authentication Data**: passwords, password hashes, biometric data
+- **Business Sensitive**: trade secrets, proprietary algorithms, strategic plans, financial reports
+
+### Type 2: Stepping Stones
+Data that could be used as a pathway to access sensitive data:
+- API keys and tokens
+- Session identifiers
+- Internal URLs and endpoints
+- Database connection strings
+- Configuration files with security settings
+- Encryption keys and certificates
+- Service account credentials
+- JWT secrets
+- Webhook URLs
+- Internal IP addresses and network topology
+
+For **each data asset** provide:
+| Field | Description |
+|-------|-------------|
+| Name | Descriptive name for the data asset |
+| Type | Direct Sensitive Data / Stepping Stone |
+| Sub-type | PII, Financial, PHI, Auth, Business, API Key, Token, Config, etc. |
+| Description | What the data contains and its purpose |
+| Location | Where it is stored/transmitted (database, file, API, memory, etc.) |
+| Protection Required | Encryption, access control, masking, or other protections needed |
+| Reasoning | Why this data is security-relevant |
+
+Generate 8-15 data assets. Ensure both direct sensitive data and stepping stones are represented.`));
+    server.registerPrompt("threat_analysis", {
+        description: "Generate threat scenarios with CVSS 4.0 scoring. Analyzes content for threats across PWN-ISMS categories (Product, Workload, Network, IAM, Secrets, Logging, Supply Chain). Use when the user asks specifically about threats, vulnerabilities, or attack scenarios.",
+        argsSchema: {
+            content: z.string(),
+            categories: z.string().optional(),
+        },
+    }, async ({ content, categories }) => promptText(`You are a senior security threat analyst performing threat modeling using the PWN-ISMS methodology.
+
+## CONTENT
+---
+${content}
+---
+
+## TASK
+
+Generate detailed threat scenarios for the system described above.${categories ? `\n\nFocus specifically on these PWN-ISMS categories: ${categories}` : ""}
+
+### PWN-ISMS Categories
+
+Analyze threats across ALL of these categories (unless specific categories are requested):
+
+1. **Product Security (P)**: Application-level vulnerabilities
+   - Injection attacks (SQL, XSS, command, LDAP, template)
+   - Business logic flaws
+   - Authentication/session bypasses
+   - Insecure direct object references
+   - File upload vulnerabilities
+   - API abuse and rate limiting gaps
+
+2. **Workload Security (W)**: Runtime and compute vulnerabilities
+   - Container escape and image vulnerabilities
+   - Serverless function abuse
+   - Memory corruption and buffer overflows
+   - Insecure deserialization
+   - Resource exhaustion
+
+3. **Network Security (N)**: Network-layer attacks
+   - Man-in-the-middle attacks
+   - TLS/SSL misconfigurations
+   - DNS attacks
+   - Network segmentation failures
+   - DDoS vulnerabilities
+   - Exposed services and ports
+
+4. **Identity & Access Management (I)**: Auth and access threats
+   - Credential stuffing and brute force
+   - Privilege escalation
+   - Insecure session management
+   - OAuth/OIDC misconfigurations
+   - Broken access control (IDOR, BOLA)
+   - Insufficient MFA
+
+5. **Secrets Management (S)**: Credential and key threats
+   - Hardcoded credentials in source code
+   - Exposed API keys
+   - Insufficient key rotation
+   - Insecure credential storage
+   - Secrets in logs or error messages
+
+6. **Logging & Monitoring (M)**: Detection and audit threats
+   - Insufficient logging
+   - Log injection
+   - Alert fatigue and missed detections
+   - Audit trail tampering
+   - Monitoring blind spots
+
+7. **Supply Chain (S)**: Dependency and pipeline threats
+   - Vulnerable dependencies
+   - Dependency confusion attacks
+   - CI/CD pipeline compromises
+   - Malicious packages
+   - Third-party service compromises
+
+### Output Format
+
+For **each threat** provide:
+| Field | Description |
+|-------|-------------|
+| Name | Concise threat title |
+| Description | Detailed attack scenario (3-5 sentences describing the attack vector, preconditions, and impact) |
+| Category | PWN-ISMS category (Product/Workload/Network/IAM/Secrets/Logging/Supply Chain) |
+| STRIDE | Applicable STRIDE categories (Spoofing, Tampering, Repudiation, Information Disclosure, DoS, Elevation of Privilege) |
+| CWE ID | Most relevant CWE identifier (e.g., CWE-79) |
+| CVSS 4.0 Score | Numerical score 0.0-10.0 |
+| CVSS Vector | CVSS 4.0 vector string |
+| Severity | Critical (9.0-10.0) / High (7.0-8.9) / Medium (4.0-6.9) / Low (0.1-3.9) |
+| Reasoning | Why this threat is realistic and relevant |
+
+### CVSS 4.0 Scoring Guidance
+
+When scoring, consider these metrics:
+- **Attack Vector (AV)**: Network / Adjacent / Local / Physical
+- **Attack Complexity (AC)**: Low / High
+- **Attack Requirements (AT)**: None / Present
+- **Privileges Required (PR)**: None / Low / High
+- **User Interaction (UI)**: None / Passive / Active
+- **Vulnerable System Impact**: Confidentiality (VC), Integrity (VI), Availability (VA)
+- **Subsequent System Impact**: Confidentiality (SC), Integrity (SI), Availability (SA)
+
+Generate 15-40 threats total, aiming for at least 2-3 per category. Focus on realistic, actionable threats specific to the analyzed system -- avoid generic or theoretical scenarios.`));
+    server.registerPrompt("countermeasure_analysis", {
+        description: "Generate countermeasures/mitigations for identified threats. Maps each countermeasure to specific threats with implementation steps and framework references. Use when the user asks about mitigations, remediation, or security controls.",
+        argsSchema: {
+            content: z.string(),
+            threats_context: z.string().optional(),
+        },
+    }, async ({ content, threats_context }) => {
+        const threatsSection = threats_context
+            ? `\n\n## PREVIOUSLY IDENTIFIED THREATS\n---\n${threats_context}\n---\n`
+            : "";
+        const threatsInstruction = threats_context
+            ? "Map countermeasures directly to the threats provided above. Otherwise, first identify the key threats, then provide countermeasures."
+            : "First identify the key threats in the system, then provide countermeasures for each.";
+        return promptText(`You are a security engineering expert specializing in designing security controls and countermeasures.
+
+## CONTENT
+---
+${content}
+---
+${threatsSection}
+
+## TASK
+
+Generate actionable countermeasures for the security threats in the system described above.
+${threatsInstruction}
+
+### Requirements
+
+1. **Every identified threat must have at least one countermeasure**
+2. Countermeasures should be specific and implementable, not generic advice
+3. Include both preventive and detective controls
+4. Reference industry standards and frameworks where applicable
+
+### Output Format
+
+For **each countermeasure** provide:
+| Field | Description |
+|-------|-------------|
+| Name | Concise countermeasure title |
+| Description | What this countermeasure does and why it is effective (2-3 sentences) |
+| Implementation Steps | Numbered list of concrete steps to implement this control |
+| Threat(s) Mitigated | Which specific threats this addresses |
+| Category | PWN-ISMS category (Product/Workload/Network/IAM/Secrets/Logging/Supply Chain) |
+| Framework References | Relevant standards (e.g., "OWASP ASVS V2.1", "NIST SP 800-53 AC-2", "CIS Control 6.1") |
+| Priority | High (must implement) / Medium (should implement) / Low (nice to have) |
+| Effort | Low (hours-days) / Medium (days-weeks) / High (weeks-months) |
+
+### Countermeasure Categories to Cover
+
+Ensure coverage across these control types:
+- **Preventive**: Controls that prevent the threat from occurring
+- **Detective**: Controls that detect when a threat is being exploited
+- **Corrective**: Controls that limit damage after exploitation
+- **Compensating**: Alternative controls when primary controls are not feasible
+
+Generate 15-30 countermeasures ensuring complete threat coverage.`);
+    });
+    server.registerPrompt("code_security_review", {
+        description: "Perform a security-focused code review. Analyzes code for vulnerabilities, injection flaws, hardcoded secrets, insecure patterns, and OWASP Top 10 issues. Use when the user provides code or asks for a code security review.",
+        argsSchema: {
+            code_content: z.string(),
+            language: z.string().default("auto-detect"),
+        },
+    }, async ({ code_content, language }) => promptText(`You are a senior application security engineer performing a security-focused code review.
+
+## CODE (${language})
+\`\`\`
+${code_content}
+\`\`\`
+
+## TASK
+
+Perform a thorough security code review. Analyze for:
+
+### 1. Injection Vulnerabilities
+- SQL injection
+- Cross-site scripting (XSS)
+- Command injection
+- LDAP injection
+- Template injection
+- XML/XXE injection
+- Path traversal
+
+### 2. Authentication & Authorization
+- Hardcoded credentials
+- Weak password handling
+- Missing authentication checks
+- Broken access control
+- Insecure session management
+- Missing CSRF protection
+
+### 3. Data Exposure
+- Sensitive data in logs
+- Unencrypted sensitive data
+- Information disclosure in error messages
+- PII handling violations
+- Insecure data storage
+
+### 4. Cryptographic Issues
+- Weak algorithms (MD5, SHA1, DES)
+- Hardcoded keys/secrets
+- Insecure random number generation
+- Missing encryption
+
+### 5. Configuration & Dependencies
+- Debug mode in production
+- Insecure defaults
+- Missing security headers
+- Vulnerable dependencies
+- Exposed configuration
+
+### 6. Logic Flaws
+- Race conditions
+- Business logic bypasses
+- Integer overflows
+- Null pointer issues
+- Resource exhaustion
+
+## OUTPUT FORMAT
+
+For each finding provide:
+| Field | Description |
+|-------|-------------|
+| Finding | Concise title |
+| Severity | Critical / High / Medium / Low / Informational |
+| Location | File/function/line reference |
+| Description | What the vulnerability is and how it could be exploited |
+| CWE | Relevant CWE ID |
+| OWASP | Relevant OWASP Top 10 category |
+| Remediation | Specific code fix or approach to resolve |
+| Code Example | Show the vulnerable code and the fixed version |
+
+Also provide a summary with:
+- Total findings by severity
+- Overall risk assessment
+- Top 3 priority fixes`));
+}
+function promptText(text) {
+    return {
+        messages: [
+            {
+                role: "user",
+                content: {
+                    type: "text",
+                    text,
+                },
+            },
+        ],
+    };
+}