@sulthonzh/mcp-audit 1.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +134 -0
- package/dist/cli.d.ts +3 -0
- package/dist/cli.d.ts.map +1 -0
- package/dist/cli.js +165 -0
- package/dist/cli.js.map +1 -0
- package/dist/config/config-loader.d.ts +17 -0
- package/dist/config/config-loader.d.ts.map +1 -0
- package/dist/config/config-loader.js +72 -0
- package/dist/config/config-loader.js.map +1 -0
- package/dist/index.d.ts +8 -0
- package/dist/index.d.ts.map +1 -0
- package/dist/index.js +22 -0
- package/dist/index.js.map +1 -0
- package/dist/reporter/report-generator.d.ts +7 -0
- package/dist/reporter/report-generator.d.ts.map +1 -0
- package/dist/reporter/report-generator.js +240 -0
- package/dist/reporter/report-generator.js.map +1 -0
- package/dist/reporters/sarif-reporter.d.ts +18 -0
- package/dist/reporters/sarif-reporter.d.ts.map +1 -0
- package/dist/reporters/sarif-reporter.js +148 -0
- package/dist/reporters/sarif-reporter.js.map +1 -0
- package/dist/scanners/config-scanner.d.ts +11 -0
- package/dist/scanners/config-scanner.d.ts.map +1 -0
- package/dist/scanners/config-scanner.js +399 -0
- package/dist/scanners/config-scanner.js.map +1 -0
- package/dist/scanners/docker-scanner.d.ts +13 -0
- package/dist/scanners/docker-scanner.d.ts.map +1 -0
- package/dist/scanners/docker-scanner.js +384 -0
- package/dist/scanners/docker-scanner.js.map +1 -0
- package/dist/scanners/helm-scanner.d.ts +16 -0
- package/dist/scanners/helm-scanner.d.ts.map +1 -0
- package/dist/scanners/helm-scanner.js +385 -0
- package/dist/scanners/helm-scanner.js.map +1 -0
- package/dist/scanners/k8s-scanner.d.ts +14 -0
- package/dist/scanners/k8s-scanner.d.ts.map +1 -0
- package/dist/scanners/k8s-scanner.js +315 -0
- package/dist/scanners/k8s-scanner.js.map +1 -0
- package/dist/scanners/server-scanner.d.ts +13 -0
- package/dist/scanners/server-scanner.d.ts.map +1 -0
- package/dist/scanners/server-scanner.js +346 -0
- package/dist/scanners/server-scanner.js.map +1 -0
- package/dist/types/security-result.d.ts +35 -0
- package/dist/types/security-result.d.ts.map +1 -0
- package/dist/types/security-result.js +3 -0
- package/dist/types/security-result.js.map +1 -0
- package/dist/utils/logger.d.ts +19 -0
- package/dist/utils/logger.d.ts.map +1 -0
- package/dist/utils/logger.js +71 -0
- package/dist/utils/logger.js.map +1 -0
- package/package.json +77 -0
|
@@ -0,0 +1,399 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
var __importDefault = (this && this.__importDefault) || function (mod) {
|
|
3
|
+
return (mod && mod.__esModule) ? mod : { "default": mod };
|
|
4
|
+
};
|
|
5
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
6
|
+
exports.scanConfig = scanConfig;
|
|
7
|
+
const fs_extra_1 = __importDefault(require("fs-extra"));
|
|
8
|
+
const path_1 = __importDefault(require("path"));
|
|
9
|
+
const js_yaml_1 = __importDefault(require("js-yaml"));
|
|
10
|
+
const logger_1 = require("../utils/logger");
|
|
11
|
+
const STANDARD_CONFIG_PATHS = [
|
|
12
|
+
'claude_desktop_config.json',
|
|
13
|
+
'.cursor/mcp.json',
|
|
14
|
+
'.vscode/mcp.json',
|
|
15
|
+
'mcp.json',
|
|
16
|
+
'~/.config/claude/claude_desktop_config.json',
|
|
17
|
+
'~/.cursor/mcp.json',
|
|
18
|
+
];
|
|
19
|
+
// Known dangerous argument patterns
|
|
20
|
+
const DANGEROUS_ARGS = [
|
|
21
|
+
{ pattern: /--allow-all/i, title: 'Allow-All Flag', severity: 'high' },
|
|
22
|
+
{ pattern: /--no-sandbox/i, title: 'Sandbox Disabled', severity: 'high' },
|
|
23
|
+
{ pattern: /--privileged/i, title: 'Privileged Mode', severity: 'high' },
|
|
24
|
+
{ pattern: /eval/i, title: 'Code Evaluation', severity: 'high' },
|
|
25
|
+
{ pattern: /exec/i, title: 'Code Execution', severity: 'medium' },
|
|
26
|
+
{ pattern: /\$\(/i, title: 'Command Substitution', severity: 'high' },
|
|
27
|
+
{ pattern: /\|\|/i, title: 'Shell Pipe Chain', severity: 'medium' },
|
|
28
|
+
{ pattern: /&&/i, title: 'Shell Command Chain', severity: 'medium' },
|
|
29
|
+
{ pattern: /\.\.\/\.\.\//i, title: 'Path Traversal', severity: 'high' },
|
|
30
|
+
];
|
|
31
|
+
// Known safe MCP server packages
|
|
32
|
+
const KNOWN_SAFE_PACKAGES = new Set([
|
|
33
|
+
'@modelcontextprotocol/server-filesystem',
|
|
34
|
+
'@modelcontextprotocol/server-github',
|
|
35
|
+
'@modelcontextprotocol/server-postgres',
|
|
36
|
+
'@modelcontextprotocol/server-brave-search',
|
|
37
|
+
'@modelcontextprotocol/server-puppeteer',
|
|
38
|
+
'@modelcontextprotocol/server-memory',
|
|
39
|
+
'@modelcontextprotocol/server-fetch',
|
|
40
|
+
]);
|
|
41
|
+
async function scanConfig(config, verbose = false) {
|
|
42
|
+
logger_1.logger.info('Starting MCP configuration scan...');
|
|
43
|
+
const result = {
|
|
44
|
+
configFiles: [],
|
|
45
|
+
issues: [],
|
|
46
|
+
permissions: {
|
|
47
|
+
fileAccess: [],
|
|
48
|
+
networkAccess: false,
|
|
49
|
+
environmentVariables: {},
|
|
50
|
+
},
|
|
51
|
+
score: 100,
|
|
52
|
+
};
|
|
53
|
+
// Find and analyze MCP config files
|
|
54
|
+
for (const configPath of STANDARD_CONFIG_PATHS) {
|
|
55
|
+
const fullPath = expandPath(configPath);
|
|
56
|
+
if (fs_extra_1.default.existsSync(fullPath)) {
|
|
57
|
+
result.configFiles.push(fullPath);
|
|
58
|
+
await analyzeConfigFile(fullPath, result);
|
|
59
|
+
}
|
|
60
|
+
}
|
|
61
|
+
// Calculate security score
|
|
62
|
+
calculateSecurityScore(result);
|
|
63
|
+
const securityResult = {
|
|
64
|
+
scanType: 'config',
|
|
65
|
+
timestamp: new Date().toISOString(),
|
|
66
|
+
target: 'local configuration',
|
|
67
|
+
issues: result.issues,
|
|
68
|
+
score: result.score,
|
|
69
|
+
summary: {
|
|
70
|
+
configFilesFound: result.configFiles.length,
|
|
71
|
+
highRiskIssues: result.issues.filter((i) => i.type === 'high').length,
|
|
72
|
+
mediumRiskIssues: result.issues.filter((i) => i.type === 'medium').length,
|
|
73
|
+
lowRiskIssues: result.issues.filter((i) => i.type === 'low').length,
|
|
74
|
+
},
|
|
75
|
+
};
|
|
76
|
+
if (verbose) {
|
|
77
|
+
logger_1.logger.debug('Detailed scan results:', result);
|
|
78
|
+
}
|
|
79
|
+
return securityResult;
|
|
80
|
+
}
|
|
81
|
+
async function analyzeConfigFile(configPath, result) {
|
|
82
|
+
try {
|
|
83
|
+
const content = await fs_extra_1.default.readFile(configPath, 'utf8');
|
|
84
|
+
let config;
|
|
85
|
+
if (configPath.endsWith('.json')) {
|
|
86
|
+
config = JSON.parse(content);
|
|
87
|
+
}
|
|
88
|
+
else if (configPath.endsWith('.yaml') || configPath.endsWith('.yml')) {
|
|
89
|
+
config = js_yaml_1.default.load(content);
|
|
90
|
+
}
|
|
91
|
+
else {
|
|
92
|
+
logger_1.logger.warn(`Unsupported config file format: ${configPath}`);
|
|
93
|
+
return;
|
|
94
|
+
}
|
|
95
|
+
analyzeServers(config, result, configPath);
|
|
96
|
+
// Check file permissions
|
|
97
|
+
checkFilePermissions(configPath, result);
|
|
98
|
+
}
|
|
99
|
+
catch (error) {
|
|
100
|
+
logger_1.logger.error(`Error analyzing config file ${configPath}:`, error);
|
|
101
|
+
result.issues.push({
|
|
102
|
+
type: 'high',
|
|
103
|
+
category: 'config',
|
|
104
|
+
title: 'Invalid Configuration',
|
|
105
|
+
description: `Could not parse MCP configuration file: ${configPath}`,
|
|
106
|
+
recommendation: 'Check file syntax and ensure it contains valid JSON/YAML',
|
|
107
|
+
evidence: error instanceof Error ? error.message : String(error),
|
|
108
|
+
});
|
|
109
|
+
}
|
|
110
|
+
}
|
|
111
|
+
function analyzeServers(config, result, configPath) {
|
|
112
|
+
const servers = config.servers || config.mcpServers || [];
|
|
113
|
+
if (!Array.isArray(servers) && typeof servers === 'object') {
|
|
114
|
+
Object.entries(servers).forEach(([name, server]) => {
|
|
115
|
+
analyzeServer(server, result, configPath, name);
|
|
116
|
+
});
|
|
117
|
+
}
|
|
118
|
+
else if (Array.isArray(servers)) {
|
|
119
|
+
servers.forEach((server, i) => {
|
|
120
|
+
analyzeServer(server, result, configPath, `server-${i}`);
|
|
121
|
+
});
|
|
122
|
+
}
|
|
123
|
+
}
|
|
124
|
+
function analyzeServer(server, result, configPath, name) {
|
|
125
|
+
const command = server.command || '';
|
|
126
|
+
const args = server.args || [];
|
|
127
|
+
const fullCommand = `${command} ${args.join(' ')}`;
|
|
128
|
+
// Check if this is a known safe package
|
|
129
|
+
const isKnownSafe = KNOWN_SAFE_PACKAGES.has(command) || args.some((a) => KNOWN_SAFE_PACKAGES.has(a));
|
|
130
|
+
// === Runtime Interpreter Detection ===
|
|
131
|
+
if (command.includes('npx') || command.includes('node')) {
|
|
132
|
+
result.issues.push({
|
|
133
|
+
type: isKnownSafe ? 'low' : 'high',
|
|
134
|
+
category: 'permissions',
|
|
135
|
+
title: isKnownSafe ? 'Standard Node.js MCP Server' : 'Unverified Node.js Server',
|
|
136
|
+
description: isKnownSafe
|
|
137
|
+
? `Server "${name}" uses a known official MCP package: ${command}`
|
|
138
|
+
: `Server "${name}" runs via ${command} — any npm package can execute arbitrary code`,
|
|
139
|
+
recommendation: isKnownSafe
|
|
140
|
+
? 'This is a known safe package, but still review the version'
|
|
141
|
+
: 'Verify the package source, check npm page, review recent versions for supply-chain attacks',
|
|
142
|
+
evidence: `Command: ${command}, Args: ${JSON.stringify(args)}`,
|
|
143
|
+
});
|
|
144
|
+
result.score -= isKnownSafe ? 2 : 20;
|
|
145
|
+
}
|
|
146
|
+
if (command.includes('python') || command.includes('uvx') || command.includes('pip')) {
|
|
147
|
+
result.issues.push({
|
|
148
|
+
type: isKnownSafe ? 'low' : 'high',
|
|
149
|
+
category: 'permissions',
|
|
150
|
+
title: isKnownSafe ? 'Standard Python MCP Server' : 'Unverified Python Server',
|
|
151
|
+
description: `Server "${name}" runs via ${command} — can execute arbitrary Python code`,
|
|
152
|
+
recommendation: 'Verify the package is from a trusted source and pin the version',
|
|
153
|
+
evidence: `Command: ${command}, Args: ${JSON.stringify(args)}`,
|
|
154
|
+
});
|
|
155
|
+
result.score -= isKnownSafe ? 2 : 20;
|
|
156
|
+
}
|
|
157
|
+
if (command.includes('bash') || command.includes('sh') || command.includes('zsh')) {
|
|
158
|
+
result.issues.push({
|
|
159
|
+
type: 'high',
|
|
160
|
+
category: 'injection',
|
|
161
|
+
title: 'Shell Command Execution',
|
|
162
|
+
description: `Server "${name}" directly executes shell commands — highest risk for command injection`,
|
|
163
|
+
recommendation: 'Avoid shell-based MCP servers. If needed, use with strict sandboxing',
|
|
164
|
+
evidence: `Command: ${command}, Args: ${JSON.stringify(args)}`,
|
|
165
|
+
});
|
|
166
|
+
result.score -= 30;
|
|
167
|
+
}
|
|
168
|
+
// === Dangerous Argument Patterns ===
|
|
169
|
+
for (const dangerous of DANGEROUS_ARGS) {
|
|
170
|
+
if (dangerous.pattern.test(fullCommand)) {
|
|
171
|
+
result.issues.push({
|
|
172
|
+
type: dangerous.severity,
|
|
173
|
+
category: 'injection',
|
|
174
|
+
title: dangerous.title,
|
|
175
|
+
description: `Server "${name}" has dangerous argument matching "${dangerous.pattern}"`,
|
|
176
|
+
recommendation: 'Review if this flag is necessary and what it exposes',
|
|
177
|
+
evidence: `Full command: ${fullCommand}`,
|
|
178
|
+
});
|
|
179
|
+
result.score -= dangerous.severity === 'high' ? 25 : 15;
|
|
180
|
+
}
|
|
181
|
+
}
|
|
182
|
+
// === Environment Variable Secrets ===
|
|
183
|
+
if (server.env && Object.keys(server.env).length > 0) {
|
|
184
|
+
for (const [key, value] of Object.entries(server.env)) {
|
|
185
|
+
result.permissions.environmentVariables[key] = value;
|
|
186
|
+
const sensitivePatterns = ['SECRET', 'KEY', 'PASSWORD', 'TOKEN', 'API_KEY', 'PRIVATE', 'CREDENTIAL'];
|
|
187
|
+
if (sensitivePatterns.some((p) => key.toUpperCase().includes(p))) {
|
|
188
|
+
const isPlaintext = typeof value === 'string' && value.length > 0 && !value.startsWith('$(');
|
|
189
|
+
result.issues.push({
|
|
190
|
+
type: isPlaintext ? 'high' : 'medium',
|
|
191
|
+
category: 'config',
|
|
192
|
+
title: isPlaintext ? 'Plaintext Secret in Config' : 'Secret Reference in Config',
|
|
193
|
+
description: isPlaintext
|
|
194
|
+
? `Server "${name}" has a plaintext secret in ${key} — this file may be readable by other processes`
|
|
195
|
+
: `Server "${name}" references a secret via ${key}`,
|
|
196
|
+
recommendation: isPlaintext
|
|
197
|
+
? 'Use system keychain, vault, or at minimum ensure config file has restricted permissions (chmod 600)'
|
|
198
|
+
: 'Good practice referencing secrets, ensure the resolver is secure',
|
|
199
|
+
evidence: `Variable: ${key}=${isPlaintext ? '[REDACTED]' : value}`,
|
|
200
|
+
});
|
|
201
|
+
result.score -= isPlaintext ? 25 : 5;
|
|
202
|
+
}
|
|
203
|
+
}
|
|
204
|
+
}
|
|
205
|
+
// === Filesystem Access Patterns ===
|
|
206
|
+
const fsPatterns = ['/home', '/etc', '/var', '/root', '/Users', '~/', '/tmp'];
|
|
207
|
+
const rootPatterns = ['/', '*', '.'];
|
|
208
|
+
const hasFsArgs = args.some((arg) => {
|
|
209
|
+
const argStr = String(arg);
|
|
210
|
+
if (fsPatterns.some((p) => argStr.includes(p)))
|
|
211
|
+
return true;
|
|
212
|
+
if (argStr === '/' || argStr === '*')
|
|
213
|
+
return true;
|
|
214
|
+
if (argStr.includes('/*'))
|
|
215
|
+
return true;
|
|
216
|
+
return false;
|
|
217
|
+
});
|
|
218
|
+
if (hasFsArgs) {
|
|
219
|
+
const isRoot = args.some((arg) => arg === '/' || arg === '*' || arg.includes('/*'));
|
|
220
|
+
result.issues.push({
|
|
221
|
+
type: isRoot ? 'high' : 'medium',
|
|
222
|
+
category: 'filesystem',
|
|
223
|
+
title: isRoot ? 'Root Filesystem Access' : 'Broad Filesystem Access',
|
|
224
|
+
description: isRoot
|
|
225
|
+
? `Server "${name}" has access to the entire filesystem — any file can be read/written`
|
|
226
|
+
: `Server "${name}" has filesystem access that may include sensitive directories`,
|
|
227
|
+
recommendation: isRoot
|
|
228
|
+
? 'Restrict to specific project directories only'
|
|
229
|
+
: 'Review if all directories are necessary',
|
|
230
|
+
evidence: `Args: ${args.join(', ')}`,
|
|
231
|
+
});
|
|
232
|
+
result.score -= isRoot ? 25 : 10;
|
|
233
|
+
}
|
|
234
|
+
// === Network/URL-based Servers ===
|
|
235
|
+
if (server.url) {
|
|
236
|
+
result.permissions.networkAccess = true;
|
|
237
|
+
const isLocalhost = server.url.includes('localhost') || server.url.includes('127.0.0.1');
|
|
238
|
+
const isHttps = server.url.startsWith('https://');
|
|
239
|
+
if (!isLocalhost && !isHttps) {
|
|
240
|
+
result.issues.push({
|
|
241
|
+
type: 'high',
|
|
242
|
+
category: 'network',
|
|
243
|
+
title: 'Insecure Remote Server',
|
|
244
|
+
description: `Server "${name}" connects to a remote server over plain HTTP`,
|
|
245
|
+
recommendation: 'Use HTTPS to prevent MITM attacks on MCP communication',
|
|
246
|
+
evidence: `URL: ${server.url}`,
|
|
247
|
+
});
|
|
248
|
+
result.score -= 20;
|
|
249
|
+
}
|
|
250
|
+
else if (!isLocalhost) {
|
|
251
|
+
result.issues.push({
|
|
252
|
+
type: 'low',
|
|
253
|
+
category: 'network',
|
|
254
|
+
title: 'Remote MCP Server',
|
|
255
|
+
description: `Server "${name}" connects to a remote server — your prompts and tool results travel over the network`,
|
|
256
|
+
recommendation: 'Ensure you trust the remote server operator',
|
|
257
|
+
evidence: `URL: ${server.url}`,
|
|
258
|
+
});
|
|
259
|
+
result.score -= 3;
|
|
260
|
+
}
|
|
261
|
+
}
|
|
262
|
+
// === Network Access via Command ===
|
|
263
|
+
if (command.includes('http') || command.includes('curl') || command.includes('wget') || command.includes('fetch')) {
|
|
264
|
+
result.permissions.networkAccess = true;
|
|
265
|
+
result.issues.push({
|
|
266
|
+
type: 'medium',
|
|
267
|
+
category: 'network',
|
|
268
|
+
title: 'Network Access',
|
|
269
|
+
description: `Server "${name}" has network capabilities via ${command}`,
|
|
270
|
+
recommendation: 'Ensure server origin is trusted and network usage is justified',
|
|
271
|
+
evidence: `Command: ${command}`,
|
|
272
|
+
});
|
|
273
|
+
result.score -= 10;
|
|
274
|
+
}
|
|
275
|
+
// === Transport Security ===
|
|
276
|
+
if (server.type === 'sse' || (server.url && !server.url.includes('localhost') && !server.url.includes('127.0.0.1'))) {
|
|
277
|
+
if (server.url && !server.url.startsWith('https://')) {
|
|
278
|
+
result.issues.push({
|
|
279
|
+
type: 'high',
|
|
280
|
+
category: 'transport',
|
|
281
|
+
title: 'Insecure SSE Transport',
|
|
282
|
+
description: `Server "${name}" uses SSE transport over unencrypted connection — prompts and tool results can be intercepted`,
|
|
283
|
+
recommendation: 'Use wss:// or https:// for SSE transport to protect MCP messages in transit',
|
|
284
|
+
evidence: `Transport: ${server.type || 'sse'}, URL: ${server.url}`,
|
|
285
|
+
});
|
|
286
|
+
result.score -= 20;
|
|
287
|
+
}
|
|
288
|
+
if (server.type === 'sse') {
|
|
289
|
+
result.issues.push({
|
|
290
|
+
type: 'medium',
|
|
291
|
+
category: 'transport',
|
|
292
|
+
title: 'SSE Transport Without Auth',
|
|
293
|
+
description: `Server "${name}" uses SSE transport — verify it requires authentication to prevent unauthorized tool invocation`,
|
|
294
|
+
recommendation: 'Add API key, Bearer token, or mTLS authentication to SSE endpoints',
|
|
295
|
+
evidence: `URL: ${server.url}`,
|
|
296
|
+
});
|
|
297
|
+
result.score -= 10;
|
|
298
|
+
}
|
|
299
|
+
}
|
|
300
|
+
// === Supply Chain: Version Pinning ===
|
|
301
|
+
if (command.includes('npx') || command.includes('uvx') || command.includes('pip')) {
|
|
302
|
+
const hasVersion = args.some((a) => /@\d|^\d|^v\d/.test(String(a)) || String(a).includes('==') || String(a).includes('>='));
|
|
303
|
+
if (!hasVersion) {
|
|
304
|
+
const pkgArg = args.find((a) => !a.startsWith('-'));
|
|
305
|
+
result.issues.push({
|
|
306
|
+
type: 'medium',
|
|
307
|
+
category: 'supply-chain',
|
|
308
|
+
title: 'Unpinned Package Version',
|
|
309
|
+
description: `Server "${name}" runs ${pkgArg || 'a package'} without a pinned version — a malicious update could compromise your system`,
|
|
310
|
+
recommendation: `Pin the version: npx ${pkgArg}@1.2.3 or uvx ${pkgArg}==1.2.3`,
|
|
311
|
+
evidence: `Command: ${command} ${args.join(' ')}`,
|
|
312
|
+
});
|
|
313
|
+
result.score -= 15;
|
|
314
|
+
}
|
|
315
|
+
}
|
|
316
|
+
// === Supply Chain: Local/Relative Path Execution ===
|
|
317
|
+
if (command.startsWith('.') || command.startsWith('/') || args.some((a) => String(a).startsWith('./') || String(a).startsWith('../'))) {
|
|
318
|
+
result.issues.push({
|
|
319
|
+
type: 'medium',
|
|
320
|
+
category: 'supply-chain',
|
|
321
|
+
title: 'Local Path Execution',
|
|
322
|
+
description: `Server "${name}" runs from a local path — ensure the code is from a trusted source and hasn't been tampered with`,
|
|
323
|
+
recommendation: 'Verify the source code integrity of local MCP servers',
|
|
324
|
+
evidence: `Command: ${command}, Args: ${args.join(' ')}`,
|
|
325
|
+
});
|
|
326
|
+
result.score -= 8;
|
|
327
|
+
}
|
|
328
|
+
// === Prompt Injection Risk: Auto-approve Patterns ===
|
|
329
|
+
if (args.some((a) => /--auto-?approve|--yes|-y|--no-?confirm/i.test(String(a)))) {
|
|
330
|
+
result.issues.push({
|
|
331
|
+
type: 'high',
|
|
332
|
+
category: 'permissions',
|
|
333
|
+
title: 'Auto-Approve Enabled',
|
|
334
|
+
description: `Server "${name}" has auto-approve flags — tool calls execute without user confirmation`,
|
|
335
|
+
recommendation: 'Remove auto-approve flags and review each tool call manually',
|
|
336
|
+
evidence: `Full command: ${fullCommand}`,
|
|
337
|
+
});
|
|
338
|
+
result.score -= 25;
|
|
339
|
+
}
|
|
340
|
+
}
|
|
341
|
+
function checkFilePermissions(configPath, result) {
|
|
342
|
+
try {
|
|
343
|
+
const stat = fs_extra_1.default.statSync(configPath);
|
|
344
|
+
const mode = stat.mode & 0o777;
|
|
345
|
+
const isWorldReadable = mode & 0o004;
|
|
346
|
+
const isGroupWritable = mode & 0o020;
|
|
347
|
+
const isWorldWritable = mode & 0o002;
|
|
348
|
+
if (isWorldWritable) {
|
|
349
|
+
result.issues.push({
|
|
350
|
+
type: 'high',
|
|
351
|
+
category: 'config',
|
|
352
|
+
title: 'World-Writable Config File',
|
|
353
|
+
description: `${configPath} is world-writable — any user on this system can modify your MCP configuration`,
|
|
354
|
+
recommendation: 'Run: chmod 600 <config-file> to restrict access',
|
|
355
|
+
evidence: `File mode: ${mode.toString(8)}`,
|
|
356
|
+
});
|
|
357
|
+
result.score -= 20;
|
|
358
|
+
}
|
|
359
|
+
else if (isGroupWritable) {
|
|
360
|
+
result.issues.push({
|
|
361
|
+
type: 'medium',
|
|
362
|
+
category: 'config',
|
|
363
|
+
title: 'Group-Writable Config File',
|
|
364
|
+
description: `${configPath} is group-writable — group members can modify your MCP configuration`,
|
|
365
|
+
recommendation: 'Run: chmod 600 <config-file> for stricter access',
|
|
366
|
+
evidence: `File mode: ${mode.toString(8)}`,
|
|
367
|
+
});
|
|
368
|
+
result.score -= 10;
|
|
369
|
+
}
|
|
370
|
+
if (isWorldReadable) {
|
|
371
|
+
// Only flag if config contains secrets
|
|
372
|
+
const hasSecrets = result.issues.some((i) => i.title.includes('Plaintext Secret'));
|
|
373
|
+
if (hasSecrets) {
|
|
374
|
+
result.issues.push({
|
|
375
|
+
type: 'medium',
|
|
376
|
+
category: 'config',
|
|
377
|
+
title: 'World-Readable Config With Secrets',
|
|
378
|
+
description: `${configPath} is world-readable and contains secrets — other users can read your API keys`,
|
|
379
|
+
recommendation: 'Run: chmod 600 <config-file>',
|
|
380
|
+
evidence: `File mode: ${mode.toString(8)}`,
|
|
381
|
+
});
|
|
382
|
+
result.score -= 15;
|
|
383
|
+
}
|
|
384
|
+
}
|
|
385
|
+
}
|
|
386
|
+
catch {
|
|
387
|
+
// Permission check is best-effort, skip on error
|
|
388
|
+
}
|
|
389
|
+
}
|
|
390
|
+
function calculateSecurityScore(result) {
|
|
391
|
+
result.score = Math.max(0, Math.min(100, result.score));
|
|
392
|
+
}
|
|
393
|
+
function expandPath(p) {
|
|
394
|
+
if (p.startsWith('~/')) {
|
|
395
|
+
return path_1.default.join(process.env.HOME || '', p.slice(2));
|
|
396
|
+
}
|
|
397
|
+
return p;
|
|
398
|
+
}
|
|
399
|
+
//# sourceMappingURL=config-scanner.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"config-scanner.js","sourceRoot":"","sources":["../../src/scanners/config-scanner.ts"],"names":[],"mappings":";;;;;AAyEA,gCA8CC;AAvHD,wDAA0B;AAC1B,gDAAwB;AACxB,sDAA2B;AAE3B,4CAAyC;AAoCzC,MAAM,qBAAqB,GAAG;IAC5B,4BAA4B;IAC5B,kBAAkB;IAClB,kBAAkB;IAClB,UAAU;IACV,6CAA6C;IAC7C,oBAAoB;CACrB,CAAC;AAEF,oCAAoC;AACpC,MAAM,cAAc,GAAG;IACrB,EAAE,OAAO,EAAE,cAAc,EAAE,KAAK,EAAE,gBAAgB,EAAE,QAAQ,EAAE,MAAe,EAAE;IAC/E,EAAE,OAAO,EAAE,eAAe,EAAE,KAAK,EAAE,kBAAkB,EAAE,QAAQ,EAAE,MAAe,EAAE;IAClF,EAAE,OAAO,EAAE,eAAe,EAAE,KAAK,EAAE,iBAAiB,EAAE,QAAQ,EAAE,MAAe,EAAE;IACjF,EAAE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,iBAAiB,EAAE,QAAQ,EAAE,MAAe,EAAE;IACzE,EAAE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,gBAAgB,EAAE,QAAQ,EAAE,QAAiB,EAAE;IAC1E,EAAE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,sBAAsB,EAAE,QAAQ,EAAE,MAAe,EAAE;IAC9E,EAAE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,kBAAkB,EAAE,QAAQ,EAAE,QAAiB,EAAE;IAC5E,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,qBAAqB,EAAE,QAAQ,EAAE,QAAiB,EAAE;IAC7E,EAAE,OAAO,EAAE,eAAe,EAAE,KAAK,EAAE,gBAAgB,EAAE,QAAQ,EAAE,MAAe,EAAE;CACjF,CAAC;AAEF,iCAAiC;AACjC,MAAM,mBAAmB,GAAG,IAAI,GAAG,CAAC;IAClC,yCAAyC;IACzC,qCAAqC;IACrC,uCAAuC;IACvC,2CAA2C;IAC3C,wCAAwC;IACxC,qCAAqC;IACrC,oCAAoC;CACrC,CAAC,CAAC;AAEI,KAAK,UAAU,UAAU,CAAC,MAAW,EAAE,OAAO,GAAG,KAAK;IAC3D,eAAM,CAAC,IAAI,CAAC,oCAAoC,CAAC,CAAC;IAElD,MAAM,MAAM,GAAqB;QAC/B,WAAW,EAAE,EAAE;QACf,MAAM,EAAE,EAAE;QACV,WAAW,EAAE;YACX,UAAU,EAAE,EAAE;YACd,aAAa,EAAE,KAAK;YACpB,oBAAoB,EAAE,EAAE;SACzB;QACD,KAAK,EAAE,GAAG;KACX,CAAC;IAEF,oCAAoC;IACpC,KAAK,MAAM,UAAU,IAAI,qBAAqB,EAAE,CAAC;QAC/C,MAAM,QAAQ,GAAG,UAAU,CAAC,UAAU,CAAC,CAAC;QAExC,IAAI,kBAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC5B,MAAM,CAAC,WAAW,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YAClC,MAAM,iBAAiB,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;QAC5C,CAAC;IACH,CAAC;IAED,2BAA2B;IAC3B,sBAAsB,CAAC,MAAM,CAAC,CAAC;IAE/B,MAAM,cAAc,GAAmB;QACrC,QAAQ,EAAE,QAAQ;QAClB,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACnC,MAAM,EAAE,qBAAqB;QAC7B,MAAM,EAAE,MAAM,CAAC,MAAM;QACrB,KAAK,EAAE,MAAM,CAAC,KAAK;QACnB,OAAO,EAAE;YACP,gBAAgB,EAAE,MAAM,CAAC,WAAW,CAAC,MAAM;YAC3C,cAAc,EAAE,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,MAAM,CAAC,CAAC,MAAM;YACrE,gBAAgB,EAAE,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,MAAM;YACzE,aAAa,EAAE,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,KAAK,CAAC,CAAC,MAAM;SACpE;KACF,CAAC;IAEF,IAAI,OAAO,EAAE,CAAC;QACZ,eAAM,CAAC,KAAK,CAAC,wBAAwB,EAAE,MAAM,CAAC,CAAC;IACjD,CAAC;IAED,OAAO,cAAc,CAAC;AACxB,CAAC;AAED,KAAK,UAAU,iBAAiB,CAAC,UAAkB,EAAE,MAAwB;IAC3E,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,kBAAE,CAAC,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;QACtD,IAAI,MAAiB,CAAC;QAEtB,IAAI,UAAU,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;YACjC,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QAC/B,CAAC;aAAM,IAAI,UAAU,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,UAAU,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;YACvE,MAAM,GAAG,iBAAI,CAAC,IAAI,CAAC,OAAO,CAAc,CAAC;QAC3C,CAAC;aAAM,CAAC;YACN,eAAM,CAAC,IAAI,CAAC,mCAAmC,UAAU,EAAE,CAAC,CAAC;YAC7D,OAAO;QACT,CAAC;QAED,cAAc,CAAC,MAAM,EAAE,MAAM,EAAE,UAAU,CAAC,CAAC;QAE3C,yBAAyB;QACzB,oBAAoB,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;IAC3C,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,eAAM,CAAC,KAAK,CAAC,+BAA+B,UAAU,GAAG,EAAE,KAAK,CAAC,CAAC;QAClE,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC;YACjB,IAAI,EAAE,MAAM;YACZ,QAAQ,EAAE,QAAQ;YAClB,KAAK,EAAE,uBAAuB;YAC9B,WAAW,EAAE,2CAA2C,UAAU,EAAE;YACpE,cAAc,EAAE,0DAA0D;YAC1E,QAAQ,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;SACjE,CAAC,CAAC;IACL,CAAC;AACH,CAAC;AAED,SAAS,cAAc,CAAC,MAAiB,EAAE,MAAwB,EAAE,UAAkB;IACrF,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,IAAI,MAAM,CAAC,UAAU,IAAI,EAAE,CAAC;IAE1D,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,IAAI,OAAO,OAAO,KAAK,QAAQ,EAAE,CAAC;QAC3D,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,EAAE,MAAM,CAAC,EAAE,EAAE;YACjD,aAAa,CAAC,MAAM,EAAE,MAAM,EAAE,UAAU,EAAE,IAAI,CAAC,CAAC;QAClD,CAAC,CAAC,CAAC;IACL,CAAC;SAAM,IAAI,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;QAClC,OAAO,CAAC,OAAO,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE;YAC5B,aAAa,CAAC,MAAM,EAAE,MAAM,EAAE,UAAU,EAAE,UAAU,CAAC,EAAE,CAAC,CAAC;QAC3D,CAAC,CAAC,CAAC;IACL,CAAC;AACH,CAAC;AAED,SAAS,aAAa,CAAC,MAAiB,EAAE,MAAwB,EAAE,UAAkB,EAAE,IAAY;IAClG,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,IAAI,EAAE,CAAC;IACrC,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,IAAI,EAAE,CAAC;IAC/B,MAAM,WAAW,GAAG,GAAG,OAAO,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;IAEnD,wCAAwC;IACxC,MAAM,WAAW,GAAG,mBAAmB,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,mBAAmB,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IAErG,wCAAwC;IACxC,IAAI,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;QACxD,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC;YACjB,IAAI,EAAE,WAAW,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM;YAClC,QAAQ,EAAE,aAAa;YACvB,KAAK,EAAE,WAAW,CAAC,CAAC,CAAC,6BAA6B,CAAC,CAAC,CAAC,2BAA2B;YAChF,WAAW,EAAE,WAAW;gBACtB,CAAC,CAAC,WAAW,IAAI,wCAAwC,OAAO,EAAE;gBAClE,CAAC,CAAC,WAAW,IAAI,cAAc,OAAO,+CAA+C;YACvF,cAAc,EAAE,WAAW;gBACzB,CAAC,CAAC,4DAA4D;gBAC9D,CAAC,CAAC,4FAA4F;YAChG,QAAQ,EAAE,YAAY,OAAO,WAAW,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE;SAC/D,CAAC,CAAC;QACH,MAAM,CAAC,KAAK,IAAI,WAAW,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IACvC,CAAC;IAED,IAAI,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;QACrF,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC;YACjB,IAAI,EAAE,WAAW,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM;YAClC,QAAQ,EAAE,aAAa;YACvB,KAAK,EAAE,WAAW,CAAC,CAAC,CAAC,4BAA4B,CAAC,CAAC,CAAC,0BAA0B;YAC9E,WAAW,EAAE,WAAW,IAAI,cAAc,OAAO,sCAAsC;YACvF,cAAc,EAAE,iEAAiE;YACjF,QAAQ,EAAE,YAAY,OAAO,WAAW,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE;SAC/D,CAAC,CAAC;QACH,MAAM,CAAC,KAAK,IAAI,WAAW,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IACvC,CAAC;IAED,IAAI,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;QAClF,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC;YACjB,IAAI,EAAE,MAAM;YACZ,QAAQ,EAAE,WAAW;YACrB,KAAK,EAAE,yBAAyB;YAChC,WAAW,EAAE,WAAW,IAAI,yEAAyE;YACrG,cAAc,EAAE,sEAAsE;YACtF,QAAQ,EAAE,YAAY,OAAO,WAAW,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE;SAC/D,CAAC,CAAC;QACH,MAAM,CAAC,KAAK,IAAI,EAAE,CAAC;IACrB,CAAC;IAED,sCAAsC;IACtC,KAAK,MAAM,SAAS,IAAI,cAAc,EAAE,CAAC;QACvC,IAAI,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;YACxC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC;gBACjB,IAAI,EAAE,SAAS,CAAC,QAAQ;gBACxB,QAAQ,EAAE,WAAW;gBACrB,KAAK,EAAE,SAAS,CAAC,KAAK;gBACtB,WAAW,EAAE,WAAW,IAAI,sCAAsC,SAAS,CAAC,OAAO,GAAG;gBACtF,cAAc,EAAE,sDAAsD;gBACtE,QAAQ,EAAE,iBAAiB,WAAW,EAAE;aACzC,CAAC,CAAC;YACH,MAAM,CAAC,KAAK,IAAI,SAAS,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAC1D,CAAC;IACH,CAAC;IAED,uCAAuC;IACvC,IAAI,MAAM,CAAC,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACrD,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC;YACtD,MAAM,CAAC,WAAW,CAAC,oBAAoB,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;YAErD,MAAM,iBAAiB,GAAG,CAAC,QAAQ,EAAE,KAAK,EAAE,UAAU,EAAE,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,YAAY,CAAC,CAAC;YACrG,IAAI,iBAAiB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;gBACjE,MAAM,WAAW,GAAG,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;gBAC7F,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC;oBACjB,IAAI,EAAE,WAAW,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ;oBACrC,QAAQ,EAAE,QAAQ;oBAClB,KAAK,EAAE,WAAW,CAAC,CAAC,CAAC,4BAA4B,CAAC,CAAC,CAAC,4BAA4B;oBAChF,WAAW,EAAE,WAAW;wBACtB,CAAC,CAAC,WAAW,IAAI,+BAA+B,GAAG,iDAAiD;wBACpG,CAAC,CAAC,WAAW,IAAI,6BAA6B,GAAG,EAAE;oBACrD,cAAc,EAAE,WAAW;wBACzB,CAAC,CAAC,qGAAqG;wBACvG,CAAC,CAAC,kEAAkE;oBACtE,QAAQ,EAAE,aAAa,GAAG,IAAI,WAAW,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,KAAK,EAAE;iBACnE,CAAC,CAAC;gBACH,MAAM,CAAC,KAAK,IAAI,WAAW,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;YACvC,CAAC;QACH,CAAC;IACH,CAAC;IAED,qCAAqC;IACrC,MAAM,UAAU,GAAG,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,CAAC,CAAC;IAC9E,MAAM,YAAY,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,CAAC;IACrC,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE;QAClC,MAAM,MAAM,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC;QAC3B,IAAI,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC;YAAE,OAAO,IAAI,CAAC;QAC5D,IAAI,MAAM,KAAK,GAAG,IAAI,MAAM,KAAK,GAAG;YAAE,OAAO,IAAI,CAAC;QAClD,IAAI,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC;YAAE,OAAO,IAAI,CAAC;QACvC,OAAO,KAAK,CAAC;IACf,CAAC,CAAC,CAAC;IAEH,IAAI,SAAS,EAAE,CAAC;QACd,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,KAAK,GAAG,IAAI,GAAG,KAAK,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC;QACpF,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC;YACjB,IAAI,EAAE,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ;YAChC,QAAQ,EAAE,YAAY;YACtB,KAAK,EAAE,MAAM,CAAC,CAAC,CAAC,wBAAwB,CAAC,CAAC,CAAC,yBAAyB;YACpE,WAAW,EAAE,MAAM;gBACjB,CAAC,CAAC,WAAW,IAAI,sEAAsE;gBACvF,CAAC,CAAC,WAAW,IAAI,gEAAgE;YACnF,cAAc,EAAE,MAAM;gBACpB,CAAC,CAAC,+CAA+C;gBACjD,CAAC,CAAC,yCAAyC;YAC7C,QAAQ,EAAE,SAAS,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;SACrC,CAAC,CAAC;QACH,MAAM,CAAC,KAAK,IAAI,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;IACnC,CAAC;IAED,oCAAoC;IACpC,IAAI,MAAM,CAAC,GAAG,EAAE,CAAC;QACf,MAAM,CAAC,WAAW,CAAC,aAAa,GAAG,IAAI,CAAC;QACxC,MAAM,WAAW,GAAG,MAAM,CAAC,GAAG,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,MAAM,CAAC,GAAG,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;QACzF,MAAM,OAAO,GAAG,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC;QAElD,IAAI,CAAC,WAAW,IAAI,CAAC,OAAO,EAAE,CAAC;YAC7B,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC;gBACjB,IAAI,EAAE,MAAM;gBACZ,QAAQ,EAAE,SAAS;gBACnB,KAAK,EAAE,wBAAwB;gBAC/B,WAAW,EAAE,WAAW,IAAI,+CAA+C;gBAC3E,cAAc,EAAE,wDAAwD;gBACxE,QAAQ,EAAE,QAAQ,MAAM,CAAC,GAAG,EAAE;aAC/B,CAAC,CAAC;YACH,MAAM,CAAC,KAAK,IAAI,EAAE,CAAC;QACrB,CAAC;aAAM,IAAI,CAAC,WAAW,EAAE,CAAC;YACxB,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC;gBACjB,IAAI,EAAE,KAAK;gBACX,QAAQ,EAAE,SAAS;gBACnB,KAAK,EAAE,mBAAmB;gBAC1B,WAAW,EAAE,WAAW,IAAI,uFAAuF;gBACnH,cAAc,EAAE,6CAA6C;gBAC7D,QAAQ,EAAE,QAAQ,MAAM,CAAC,GAAG,EAAE;aAC/B,CAAC,CAAC;YACH,MAAM,CAAC,KAAK,IAAI,CAAC,CAAC;QACpB,CAAC;IACH,CAAC;IAED,qCAAqC;IACrC,IAAI,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;QAClH,MAAM,CAAC,WAAW,CAAC,aAAa,GAAG,IAAI,CAAC;QACxC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC;YACjB,IAAI,EAAE,QAAQ;YACd,QAAQ,EAAE,SAAS;YACnB,KAAK,EAAE,gBAAgB;YACvB,WAAW,EAAE,WAAW,IAAI,kCAAkC,OAAO,EAAE;YACvE,cAAc,EAAE,gEAAgE;YAChF,QAAQ,EAAE,YAAY,OAAO,EAAE;SAChC,CAAC,CAAC;QACH,MAAM,CAAC,KAAK,IAAI,EAAE,CAAC;IACrB,CAAC;IAED,6BAA6B;IAC7B,IAAI,MAAM,CAAC,IAAI,KAAK,KAAK,IAAI,CAAC,MAAM,CAAC,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC,EAAE,CAAC;QACpH,IAAI,MAAM,CAAC,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;YACrD,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC;gBACjB,IAAI,EAAE,MAAM;gBACZ,QAAQ,EAAE,WAAW;gBACrB,KAAK,EAAE,wBAAwB;gBAC/B,WAAW,EAAE,WAAW,IAAI,gGAAgG;gBAC5H,cAAc,EAAE,6EAA6E;gBAC7F,QAAQ,EAAE,cAAc,MAAM,CAAC,IAAI,IAAI,KAAK,UAAU,MAAM,CAAC,GAAG,EAAE;aACnE,CAAC,CAAC;YACH,MAAM,CAAC,KAAK,IAAI,EAAE,CAAC;QACrB,CAAC;QACD,IAAI,MAAM,CAAC,IAAI,KAAK,KAAK,EAAE,CAAC;YAC1B,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC;gBACjB,IAAI,EAAE,QAAQ;gBACd,QAAQ,EAAE,WAAW;gBACrB,KAAK,EAAE,4BAA4B;gBACnC,WAAW,EAAE,WAAW,IAAI,kGAAkG;gBAC9H,cAAc,EAAE,oEAAoE;gBACpF,QAAQ,EAAE,QAAQ,MAAM,CAAC,GAAG,EAAE;aAC/B,CAAC,CAAC;YACH,MAAM,CAAC,KAAK,IAAI,EAAE,CAAC;QACrB,CAAC;IACH,CAAC;IAED,wCAAwC;IACxC,IAAI,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;QAClF,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,cAAc,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI,MAAM,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,MAAM,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC;QAC5H,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC;YACpD,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC;gBACjB,IAAI,EAAE,QAAQ;gBACd,QAAQ,EAAE,cAAc;gBACxB,KAAK,EAAE,0BAA0B;gBACjC,WAAW,EAAE,WAAW,IAAI,UAAU,MAAM,IAAI,WAAW,6EAA6E;gBACxI,cAAc,EAAE,wBAAwB,MAAM,iBAAiB,MAAM,SAAS;gBAC9E,QAAQ,EAAE,YAAY,OAAO,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE;aAClD,CAAC,CAAC;YACH,MAAM,CAAC,KAAK,IAAI,EAAE,CAAC;QACrB,CAAC;IACH,CAAC;IAED,sDAAsD;IACtD,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,MAAM,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC;QACtI,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC;YACjB,IAAI,EAAE,QAAQ;YACd,QAAQ,EAAE,cAAc;YACxB,KAAK,EAAE,sBAAsB;YAC7B,WAAW,EAAE,WAAW,IAAI,mGAAmG;YAC/H,cAAc,EAAE,uDAAuD;YACvE,QAAQ,EAAE,YAAY,OAAO,WAAW,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE;SACzD,CAAC,CAAC;QACH,MAAM,CAAC,KAAK,IAAI,CAAC,CAAC;IACpB,CAAC;IAED,uDAAuD;IACvD,IAAI,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,yCAAyC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QAChF,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC;YACjB,IAAI,EAAE,MAAM;YACZ,QAAQ,EAAE,aAAa;YACvB,KAAK,EAAE,sBAAsB;YAC7B,WAAW,EAAE,WAAW,IAAI,yEAAyE;YACrG,cAAc,EAAE,8DAA8D;YAC9E,QAAQ,EAAE,iBAAiB,WAAW,EAAE;SACzC,CAAC,CAAC;QACH,MAAM,CAAC,KAAK,IAAI,EAAE,CAAC;IACrB,CAAC;AACH,CAAC;AAED,SAAS,oBAAoB,CAAC,UAAkB,EAAE,MAAwB;IACxE,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,kBAAE,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;QACrC,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,GAAG,KAAK,CAAC;QAC/B,MAAM,eAAe,GAAG,IAAI,GAAG,KAAK,CAAC;QACrC,MAAM,eAAe,GAAG,IAAI,GAAG,KAAK,CAAC;QACrC,MAAM,eAAe,GAAG,IAAI,GAAG,KAAK,CAAC;QAErC,IAAI,eAAe,EAAE,CAAC;YACpB,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC;gBACjB,IAAI,EAAE,MAAM;gBACZ,QAAQ,EAAE,QAAQ;gBAClB,KAAK,EAAE,4BAA4B;gBACnC,WAAW,EAAE,GAAG,UAAU,gFAAgF;gBAC1G,cAAc,EAAE,iDAAiD;gBACjE,QAAQ,EAAE,cAAc,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE;aAC3C,CAAC,CAAC;YACH,MAAM,CAAC,KAAK,IAAI,EAAE,CAAC;QACrB,CAAC;aAAM,IAAI,eAAe,EAAE,CAAC;YAC3B,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC;gBACjB,IAAI,EAAE,QAAQ;gBACd,QAAQ,EAAE,QAAQ;gBAClB,KAAK,EAAE,4BAA4B;gBACnC,WAAW,EAAE,GAAG,UAAU,sEAAsE;gBAChG,cAAc,EAAE,kDAAkD;gBAClE,QAAQ,EAAE,cAAc,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE;aAC3C,CAAC,CAAC;YACH,MAAM,CAAC,KAAK,IAAI,EAAE,CAAC;QACrB,CAAC;QAED,IAAI,eAAe,EAAE,CAAC;YACpB,uCAAuC;YACvC,MAAM,UAAU,GAAG,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,QAAQ,CAAC,kBAAkB,CAAC,CAAC,CAAC;YACnF,IAAI,UAAU,EAAE,CAAC;gBACf,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC;oBACjB,IAAI,EAAE,QAAQ;oBACd,QAAQ,EAAE,QAAQ;oBAClB,KAAK,EAAE,oCAAoC;oBAC3C,WAAW,EAAE,GAAG,UAAU,8EAA8E;oBACxG,cAAc,EAAE,8BAA8B;oBAC9C,QAAQ,EAAE,cAAc,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE;iBAC3C,CAAC,CAAC;gBACH,MAAM,CAAC,KAAK,IAAI,EAAE,CAAC;YACrB,CAAC;QACH,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,iDAAiD;IACnD,CAAC;AACH,CAAC;AAED,SAAS,sBAAsB,CAAC,MAAwB;IACtD,MAAM,CAAC,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;AAC1D,CAAC;AAED,SAAS,UAAU,CAAC,CAAS;IAC3B,IAAI,CAAC,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QACvB,OAAO,cAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,EAAE,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IACvD,CAAC;IACD,OAAO,CAAC,CAAC;AACX,CAAC"}
|
|
@@ -0,0 +1,13 @@
|
|
|
1
|
+
import { SecurityResult } from '../types/security-result';
|
|
2
|
+
/**
|
|
3
|
+
* Docker/Container security scanner for MCP servers.
|
|
4
|
+
*
|
|
5
|
+
* Checks Dockerfiles, docker-compose files, and container configs
|
|
6
|
+
* for common security misconfigurations.
|
|
7
|
+
*/
|
|
8
|
+
interface DockerScanOptions {
|
|
9
|
+
strict?: boolean;
|
|
10
|
+
}
|
|
11
|
+
export declare function scanDocker(targetPath: string, options?: DockerScanOptions): Promise<SecurityResult>;
|
|
12
|
+
export {};
|
|
13
|
+
//# sourceMappingURL=docker-scanner.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"docker-scanner.d.ts","sourceRoot":"","sources":["../../src/scanners/docker-scanner.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,cAAc,EAAiB,MAAM,0BAA0B,CAAC;AAEzE;;;;;GAKG;AAEH,UAAU,iBAAiB;IACzB,MAAM,CAAC,EAAE,OAAO,CAAC;CAClB;AAID,wBAAsB,UAAU,CAAC,UAAU,EAAE,MAAM,EAAE,OAAO,GAAE,iBAAsB,GAAG,OAAO,CAAC,cAAc,CAAC,CAkE7G"}
|