@sigildev/sigil 0.1.0

package/dist/scanner.js

@@ -0,0 +1,149 @@
+import { resolve } from "node:path";
+import { readFile, stat } from "node:fs/promises";
+import { computeScore } from "./scoring.js";
+import { discoverFiles } from "./discovery/files.js";
+import { parseManifest } from "./discovery/manifest.js";
+import { parseConfig } from "./discovery/config-parser.js";
+import { rules } from "./rules/index.js";
+import { detectVulnerableDeps } from "./rules/deps.js";
+const PKG_VERSION = "0.1.0";
+const SEVERITY_ORDER = {
+    critical: 0,
+    high: 1,
+    medium: 2,
+    low: 3,
+};
+export async function scan(target, options = {}) {
+    const start = Date.now();
+    const rootDir = resolve(target);
+    // ─── Layer 1: Discovery ───
+    const targetStat = await stat(rootDir);
+    const isConfigFile = !targetStat.isDirectory() &&
+        (target.endsWith(".json") || target.endsWith(".mcp.json"));
+    const configEntries = isConfigFile ? await parseConfig(rootDir) : undefined;
+    const manifest = await parseManifest(rootDir);
+    const language = await detectLanguage(rootDir);
+    const sourceFiles = await discoverFiles(rootDir, language);
+    // Read all source files into memory
+    const sources = new Map();
+    for (const file of sourceFiles) {
+        const fullPath = resolve(rootDir, file);
+        try {
+            const content = await readFile(fullPath, "utf-8");
+            sources.set(file, content);
+        }
+        catch {
+            // Skip unreadable files
+        }
+    }
+    // Discover MCP server primitives from source
+    const server = await discoverServer(sources);
+    const context = {
+        rootDir,
+        language,
+        sourceFiles,
+        sources,
+        server,
+        manifest,
+        configEntries,
+    };
+    // ─── Layer 2: Analysis ───
+    const ignoreSet = new Set(options.ignoreRules ?? []);
+    const minSev = options.minSeverity ?? "low";
+    const minSevOrder = SEVERITY_ORDER[minSev];
+    let findings = [];
+    for (const rule of rules) {
+        if (ignoreSet.has(rule.id))
+            continue;
+        if (SEVERITY_ORDER[rule.severity] > minSevOrder)
+            continue;
+        try {
+            const ruleFindings = rule.detect(context);
+            findings.push(...ruleFindings);
+        }
+        catch {
+            // Rule failed — skip silently (don't crash the scan)
+        }
+    }
+    // Run async dependency checker separately
+    try {
+        if (!ignoreSet.has("MCS-DEP-001")) {
+            const depFindings = await detectVulnerableDeps(context);
+            for (const f of depFindings) {
+                if (SEVERITY_ORDER[f.severity] > minSevOrder)
+                    continue;
+                findings.push(f);
+            }
+        }
+    }
+    catch {
+        // Network errors shouldn't crash the scan
+    }
+    // Sort: critical first, then by file/line
+    findings.sort((a, b) => {
+        const sevDiff = SEVERITY_ORDER[a.severity] - SEVERITY_ORDER[b.severity];
+        if (sevDiff !== 0)
+            return sevDiff;
+        const fileDiff = a.location.file.localeCompare(b.location.file);
+        if (fileDiff !== 0)
+            return fileDiff;
+        return a.location.startLine - b.location.startLine;
+    });
+    // ─── Layer 3: Reporting ───
+    const score = computeScore(findings);
+    const duration = Date.now() - start;
+    return {
+        scanner: { name: "sigil", version: PKG_VERSION },
+        target: {
+            path: target,
+            name: manifest?.name,
+            version: manifest?.version,
+            language,
+        },
+        server,
+        findings,
+        score,
+        timestamp: new Date().toISOString(),
+        duration,
+    };
+}
+async function detectLanguage(rootDir) {
+    try {
+        await stat(resolve(rootDir, "package.json"));
+        return "typescript";
+    }
+    catch {
+        // not TS
+    }
+    try {
+        await stat(resolve(rootDir, "pyproject.toml"));
+        return "python";
+    }
+    catch {
+        // not Python
+    }
+    try {
+        await stat(resolve(rootDir, "requirements.txt"));
+        return "python";
+    }
+    catch {
+        // not Python
+    }
+    try {
+        await stat(resolve(rootDir, "setup.py"));
+        return "python";
+    }
+    catch {
+        // not Python
+    }
+    return "unknown";
+}
+async function discoverServer(_sources) {
+    // TODO: Parse AST to extract tool/resource/prompt registrations
+    return {
+        tools: [],
+        resources: [],
+        prompts: [],
+    };
+}
+//# sourceMappingURL=scanner.js.map

package/dist/scanner.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"scanner.js","sourceRoot":"","sources":["../src/scanner.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,kBAAkB,CAAC;AAQlD,OAAO,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAC5C,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AACrD,OAAO,EAAE,aAAa,EAAE,MAAM,yBAAyB,CAAC;AACxD,OAAO,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAC3D,OAAO,EAAE,KAAK,EAAE,MAAM,kBAAkB,CAAC;AACzC,OAAO,EAAE,oBAAoB,EAAE,MAAM,iBAAiB,CAAC;AAEvD,MAAM,WAAW,GAAG,OAAO,CAAC;AAS5B,MAAM,cAAc,GAA6B;IAC/C,QAAQ,EAAE,CAAC;IACX,IAAI,EAAE,CAAC;IACP,MAAM,EAAE,CAAC;IACT,GAAG,EAAE,CAAC;CACP,CAAC;AAEF,MAAM,CAAC,KAAK,UAAU,IAAI,CACxB,MAAc,EACd,UAAuB,EAAE;IAEzB,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACzB,MAAM,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAEhC,6BAA6B;IAE7B,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,CAAC;IACvC,MAAM,YAAY,GAChB,CAAC,UAAU,CAAC,WAAW,EAAE;QACzB,CAAC,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC,CAAC;IAE7D,MAAM,aAAa,GAAG,YAAY,CAAC,CAAC,CAAC,MAAM,WAAW,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;IAE5E,MAAM,QAAQ,GAAG,MAAM,aAAa,CAAC,OAAO,CAAC,CAAC;IAC9C,MAAM,QAAQ,GAAG,MAAM,cAAc,CAAC,OAAO,CAAC,CAAC;IAC/C,MAAM,WAAW,GAAG,MAAM,aAAa,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;IAE3D,oCAAoC;IACpC,MAAM,OAAO,GAAG,IAAI,GAAG,EAAkB,CAAC;IAC1C,KAAK,MAAM,IAAI,IAAI,WAAW,EAAE,CAAC;QAC/B,MAAM,QAAQ,GAAG,OAAO,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;QACxC,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;YAClD,OAAO,CAAC,GAAG,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;QAC7B,CAAC;QAAC,MAAM,CAAC;YACP,wBAAwB;QAC1B,CAAC;IACH,CAAC;IAED,6CAA6C;IAC7C,MAAM,MAAM,GAAG,MAAM,cAAc,CAAC,OAAO,CAAC,CAAC;IAE7C,MAAM,OAAO,GAAoB;QAC/B,OAAO;QACP,QAAQ;QACR,WAAW;QACX,OAAO;QACP,MAAM;QACN,QAAQ;QACR,aAAa;KACd,CAAC;IAEF,4BAA4B;IAE5B,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,WAAW,IAAI,EAAE,CAAC,CAAC;IACrD,MAAM,MAAM,GAAG,OAAO,CAAC,WAAW,IAAI,KAAK,CAAC;IAC5C,MAAM,WAAW,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC;IAE3C,IAAI,QAAQ,GAAc,EAAE,CAAC;IAE7B,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,IAAI,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;YAAE,SAAS;QACrC,IAAI,cAAc,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,WAAW;YAAE,SAAS;QAE1D,IAAI,CAAC;YACH,MAAM,YAAY,GAAG,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;YAC1C,QAAQ,CAAC,IAAI,CAAC,GAAG,YAAY,CAAC,CAAC;QACjC,CAAC;QAAC,MAAM,CAAC;YACP,qDAAqD;QACvD,CAAC;IACH,CAAC;IAED,0CAA0C;IAC1C,IAAI,CAAC;QACH,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,aAAa,CAAC,EAAE,CAAC;YAClC,MAAM,WAAW,GAAG,MAAM,oBAAoB,CAAC,OAAO,CAAC,CAAC;YACxD,KAAK,MAAM,CAAC,IAAI,WAAW,EAAE,CAAC;gBAC5B,IAAI,cAAc,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,WAAW;oBAAE,SAAS;gBACvD,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YACnB,CAAC;QACH,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,0CAA0C;IAC5C,CAAC;IAED,0CAA0C;IAC1C,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE;QACrB,MAAM,OAAO,GAAG,cAAc,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,cAAc,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;QACxE,IAAI,OAAO,KAAK,CAAC;YAAE,OAAO,OAAO,CAAC;QAClC,MAAM,QAAQ,GAAG,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;QAChE,IAAI,QAAQ,KAAK,CAAC;YAAE,OAAO,QAAQ,CAAC;QACpC,OAAO,CAAC,CAAC,QAAQ,CAAC,SAAS,GAAG,CAAC,CAAC,QAAQ,CAAC,SAAS,CAAC;IACrD,CAAC,CAAC,CAAC;IAEH,6BAA6B;IAE7B,MAAM,KAAK,GAAG,YAAY,CAAC,QAAQ,CAAC,CAAC;IACrC,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC;IAEpC,OAAO;QACL,OAAO,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE,WAAW,EAAE;QAChD,MAAM,EAAE;YACN,IAAI,EAAE,MAAM;YACZ,IAAI,EAAE,QAAQ,EAAE,IAAI;YACpB,OAAO,EAAE,QAAQ,EAAE,OAAO;YAC1B,QAAQ;SACT;QACD,MAAM;QACN,QAAQ;QACR,KAAK;QACL,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACnC,QAAQ;KACT,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,cAAc,CAC3B,OAAe;IAEf,IAAI,CAAC;QACH,MAAM,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,cAAc,CAAC,CAAC,CAAC;QAC7C,OAAO,YAAY,CAAC;IACtB,CAAC;IAAC,MAAM,CAAC;QACP,SAAS;IACX,CAAC;IACD,IAAI,CAAC;QACH,MAAM,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,gBAAgB,CAAC,CAAC,CAAC;QAC/C,OAAO,QAAQ,CAAC;IAClB,CAAC;IAAC,MAAM,CAAC;QACP,aAAa;IACf,CAAC;IACD,IAAI,CAAC;QACH,MAAM,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,kBAAkB,CAAC,CAAC,CAAC;QACjD,OAAO,QAAQ,CAAC;IAClB,CAAC;IAAC,MAAM,CAAC;QACP,aAAa;IACf,CAAC;IACD,IAAI,CAAC;QACH,MAAM,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,UAAU,CAAC,CAAC,CAAC;QACzC,OAAO,QAAQ,CAAC;IAClB,CAAC;IAAC,MAAM,CAAC;QACP,aAAa;IACf,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,KAAK,UAAU,cAAc,CAC3B,QAA6B;IAE7B,gEAAgE;IAChE,OAAO;QACL,KAAK,EAAE,EAAE;QACT,SAAS,EAAE,EAAE;QACb,OAAO,EAAE,EAAE;KACZ,CAAC;AACJ,CAAC"}

package/dist/scoring.d.ts

@@ -0,0 +1,3 @@
+import type { Finding, Score } from "./analyzers/types.js";
+export declare function computeScore(findings: Finding[]): Score;
+//# sourceMappingURL=scoring.d.ts.map

package/dist/scoring.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"scoring.d.ts","sourceRoot":"","sources":["../src/scoring.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,KAAK,EAA+B,MAAM,sBAAsB,CAAC;AASxF,wBAAgB,YAAY,CAAC,QAAQ,EAAE,OAAO,EAAE,GAAG,KAAK,CAWvD"}

package/dist/scoring.js

@@ -0,0 +1,35 @@
+const PENALTIES = {
+    critical: 25,
+    high: 15,
+    medium: 5,
+    low: 2,
+};
+export function computeScore(findings) {
+    let totalPenalty = 0;
+    for (const finding of findings) {
+        totalPenalty += PENALTIES[finding.severity];
+    }
+    const value = Math.max(0, 100 - totalPenalty);
+    const grade = computeGrade(value);
+    const label = computeLabel(value);
+    return { value, grade, label };
+}
+function computeGrade(score) {
+    if (score >= 90)
+        return "A";
+    if (score >= 70)
+        return "B";
+    if (score >= 50)
+        return "C";
+    if (score >= 30)
+        return "D";
+    return "F";
+}
+function computeLabel(score) {
+    if (score >= 70)
+        return "PASS";
+    if (score >= 50)
+        return "WARN";
+    return "FAIL";
+}
+//# sourceMappingURL=scoring.js.map

package/dist/scoring.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"scoring.js","sourceRoot":"","sources":["../src/scoring.ts"],"names":[],"mappings":"AAEA,MAAM,SAAS,GAA6B;IAC1C,QAAQ,EAAE,EAAE;IACZ,IAAI,EAAE,EAAE;IACR,MAAM,EAAE,CAAC;IACT,GAAG,EAAE,CAAC;CACP,CAAC;AAEF,MAAM,UAAU,YAAY,CAAC,QAAmB;IAC9C,IAAI,YAAY,GAAG,CAAC,CAAC;IACrB,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,YAAY,IAAI,SAAS,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IAC9C,CAAC;IAED,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,GAAG,GAAG,YAAY,CAAC,CAAC;IAC9C,MAAM,KAAK,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC;IAClC,MAAM,KAAK,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC;IAElC,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC;AACjC,CAAC;AAED,SAAS,YAAY,CAAC,KAAa;IACjC,IAAI,KAAK,IAAI,EAAE;QAAE,OAAO,GAAG,CAAC;IAC5B,IAAI,KAAK,IAAI,EAAE;QAAE,OAAO,GAAG,CAAC;IAC5B,IAAI,KAAK,IAAI,EAAE;QAAE,OAAO,GAAG,CAAC;IAC5B,IAAI,KAAK,IAAI,EAAE;QAAE,OAAO,GAAG,CAAC;IAC5B,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,YAAY,CAAC,KAAa;IACjC,IAAI,KAAK,IAAI,EAAE;QAAE,OAAO,MAAM,CAAC;IAC/B,IAAI,KAAK,IAAI,EAAE;QAAE,OAAO,MAAM,CAAC;IAC/B,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/package.json

@@ -0,0 +1,57 @@
+{
+  "name": "@sigildev/sigil",
+  "version": "0.1.0",
+  "description": "Security scanner for MCP (Model Context Protocol) servers — static analysis, trust scoring, and vulnerability detection",
+  "type": "module",
+  "bin": {
+    "sigil": "dist/index.js"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/sigil-security/sigil.git"
+  },
+  "main": "./dist/scanner.js",
+  "types": "./dist/scanner.d.ts",
+  "files": [
+    "dist"
+  ],
+  "scripts": {
+    "build": "tsc",
+    "dev": "tsx src/index.ts",
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "lint": "tsc --noEmit",
+    "prepublishOnly": "npm run build"
+  },
+  "keywords": [
+    "mcp",
+    "security",
+    "scanner",
+    "model-context-protocol",
+    "static-analysis",
+    "sigil",
+    "trust-score",
+    "vulnerability",
+    "ai-safety"
+  ],
+  "license": "MIT",
+  "dependencies": {
+    "chalk": "^5.4.1",
+    "commander": "^13.1.0",
+    "fast-glob": "^3.3.3",
+    "semver": "^7.7.1",
+    "tree-sitter": "^0.22.4",
+    "tree-sitter-python": "^0.23.6",
+    "typescript": "^5.7.3",
+    "yaml": "^2.7.0"
+  },
+  "devDependencies": {
+    "@types/node": "^22.12.0",
+    "@types/semver": "^7.5.8",
+    "tsx": "^4.19.0",
+    "vitest": "^3.0.0"
+  },
+  "engines": {
+    "node": ">=20"
+  }
+}