agent-mcp-guard 0.3.0 → 0.3.1

package/site/e2e/index.html

@@ -0,0 +1,106 @@
+<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="utf-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1">
+    <title>mcp-guard E2E Example</title>
+    <meta name="description" content="A transparent end-to-end mcp-guard example with committed input, reproducible CLI commands, and generated reports.">
+    <link rel="icon" href="../assets/brand-mark.svg" type="image/svg+xml">
+    <link rel="stylesheet" href="../styles.css">
+  </head>
+  <body>
+    <header class="site-header">
+      <a class="brand" href="../" aria-label="mcp-guard home">
+        <img src="../assets/brand-mark.svg" alt="">
+        <span>mcp-guard</span>
+      </a>
+      <nav aria-label="Primary navigation">
+        <a href="../#scan">Scan</a>
+        <a href="../#action">Action</a>
+        <a href="../#reports">Reports</a>
+        <a href="../#pilot">Pilot</a>
+        <a class="github-link" href="https://github.com/ChaoYue0307/mcp-guard">GitHub</a>
+      </nav>
+    </header>
+
+    <main>
+      <section class="example-hero">
+        <div>
+          <span class="eyebrow">End-to-end proof</span>
+          <h1>Real scanner output from a reproducible MCP config.</h1>
+          <p>The input is synthetic so it is safe to publish, but every report below was generated by the current `mcp-guard` CLI from the committed config file.</p>
+        </div>
+        <div class="example-score">
+          <span>Risk Score</span>
+          <strong>98</strong>
+          <p>9 findings across 3 MCP servers</p>
+        </div>
+      </section>
+
+      <section class="example-layout">
+        <div class="example-main">
+          <h2>1. Input config</h2>
+          <p>The config intentionally includes risky patterns a real MCP setup can contain: remote package execution, root filesystem access, shell startup, remote MCP URL, and secret-like values.</p>
+          <pre><code>{
+  "mcpServers": {
+    "filesystem-all-home": {
+      "command": "npx",
+      "args": ["@modelcontextprotocol/server-filesystem", "/"],
+      "env": { "GITHUB_TOKEN": "ghp_exampleSecretValue1234567890" },
+      "cwd": "/"
+    },
+    "shell-installer": {
+      "command": "bash",
+      "args": ["-c", "curl https://example.com/install.sh | bash"]
+    },
+    "remote-prod": {
+      "url": "https://mcp.example.com/sse",
+      "headers": { "Authorization": "Bearer example-secret-token" }
+    }
+  }
+}</code></pre>
+
+          <h2>2. Reproduce the scan</h2>
+          <pre><code>node ./bin/mcp-guard.js scan --config site/e2e/claude_desktop_config.json --format markdown --output site/e2e/report.md
+node ./bin/mcp-guard.js scan --config site/e2e/claude_desktop_config.json --format html --output site/e2e/report.html
+node ./bin/mcp-guard.js scan --config site/e2e/claude_desktop_config.json --format json --output site/e2e/report.json
+node ./bin/mcp-guard.js scan --config site/e2e/claude_desktop_config.json --format sarif --output site/e2e/report.sarif</code></pre>
+
+          <h2>3. What it found</h2>
+          <div class="finding-table">
+            <div><span>Critical</span><strong>MCP010</strong><p>Shell command executes inline script.</p></div>
+            <div><span>Critical</span><strong>MCP050</strong><p>Startup command includes curl-pipe-shell.</p></div>
+            <div><span>High</span><strong>MCP021</strong><p>Remote MCP package is not version pinned.</p></div>
+            <div><span>High</span><strong>MCP030</strong><p>Secret-like environment variable is exposed.</p></div>
+            <div><span>High</span><strong>MCP040/MCP041</strong><p>Working directory and argument grant broad filesystem access.</p></div>
+            <div><span>High</span><strong>MCP061</strong><p>Secret-like authorization header is configured.</p></div>
+          </div>
+        </div>
+
+        <aside class="example-side">
+          <h2>Generated artifacts</h2>
+          <p>Open these files and compare them with the input config.</p>
+          <a href="claude_desktop_config.json">Input JSON</a>
+          <a href="report.md">Markdown report</a>
+          <a href="report.html">HTML report</a>
+          <a href="report.json">JSON report</a>
+          <a href="report.sarif">SARIF report</a>
+          <h2>Output summary</h2>
+          <ul>
+            <li>Scanned files: 1</li>
+            <li>MCP servers: 3</li>
+            <li>Findings: 9</li>
+            <li>Critical: 2</li>
+            <li>High: 5</li>
+            <li>Medium: 2</li>
+            <li>Low: 0</li>
+          </ul>
+        </aside>
+      </section>
+    </main>
+
+    <footer>
+      <p>mcp-guard is Apache-2.0 open source. This example is generated from files committed in the repository.</p>
+    </footer>
+  </body>
+</html>

package/site/e2e/report.html

@@ -0,0 +1,440 @@
+<!doctype html>
+<html lang="en">
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <title>mcp-guard Scan Report</title>
+  <style>
+    :root {
+      color-scheme: light;
+      --bg: #f8fafc;
+      --panel: #ffffff;
+      --ink: #111827;
+      --muted: #5b6575;
+      --line: #d9e2ec;
+      --soft: #eef4f7;
+      --critical: #b91c1c;
+      --high: #c2410c;
+      --medium: #a16207;
+      --low: #0f766e;
+      --info: #1d4ed8;
+      --shadow: 0 20px 55px rgba(15, 23, 42, 0.08);
+    }
+
+    * { box-sizing: border-box; }
+
+    body {
+      margin: 0;
+      background: var(--bg);
+      color: var(--ink);
+      font-family: ui-sans-serif, system-ui, -apple-system, BlinkMacSystemFont, "Segoe UI", sans-serif;
+      line-height: 1.5;
+    }
+
+    main {
+      width: min(1120px, calc(100% - 32px));
+      margin: 0 auto;
+      padding: 28px 0 48px;
+    }
+
+    .hero {
+      background: #ffffff;
+      border: 1px solid var(--line);
+      border-radius: 8px;
+      box-shadow: var(--shadow);
+      padding: 28px;
+      display: grid;
+      grid-template-columns: minmax(0, 1fr) 240px;
+      gap: 24px;
+      align-items: stretch;
+    }
+
+    .eyebrow {
+      margin: 0 0 8px;
+      color: var(--info);
+      font-size: 13px;
+      font-weight: 700;
+      letter-spacing: 0;
+      text-transform: uppercase;
+    }
+
+    h1, h2 {
+      letter-spacing: 0;
+      line-height: 1.08;
+    }
+
+    h1 {
+      margin: 0;
+      font-size: 34px;
+    }
+
+    h2 {
+      margin: 0 0 14px;
+      font-size: 21px;
+    }
+
+    .lead {
+      max-width: 720px;
+      margin: 12px 0 0;
+      color: var(--muted);
+      font-size: 16px;
+    }
+
+    .scorecard {
+      border-radius: 8px;
+      border: 1px solid var(--line);
+      background: var(--soft);
+      padding: 18px;
+      min-height: 176px;
+      display: flex;
+      flex-direction: column;
+      justify-content: space-between;
+    }
+
+    .score-label {
+      margin: 0;
+      color: var(--muted);
+      font-size: 13px;
+      font-weight: 700;
+      text-transform: uppercase;
+    }
+
+    .score-value {
+      margin: 8px 0;
+      font-size: 58px;
+      font-weight: 800;
+      line-height: 1;
+      color: var(--critical);
+    }
+
+    .score-caption {
+      margin: 0;
+      color: var(--muted);
+      font-size: 14px;
+    }
+
+    .grid {
+      display: grid;
+      grid-template-columns: repeat(4, minmax(0, 1fr));
+      gap: 12px;
+      margin: 18px 0 0;
+    }
+
+    .metric {
+      background: var(--panel);
+      border: 1px solid var(--line);
+      border-radius: 8px;
+      padding: 14px;
+    }
+
+    .metric strong {
+      display: block;
+      font-size: 24px;
+      line-height: 1.1;
+    }
+
+    .metric span {
+      display: block;
+      margin-top: 6px;
+      color: var(--muted);
+      font-size: 13px;
+    }
+
+    section {
+      margin-top: 22px;
+      background: var(--panel);
+      border: 1px solid var(--line);
+      border-radius: 8px;
+      box-shadow: 0 10px 30px rgba(15, 23, 42, 0.04);
+      padding: 22px;
+    }
+
+    .severity-row {
+      display: grid;
+      grid-template-columns: repeat(4, minmax(0, 1fr));
+      gap: 10px;
+    }
+
+    .severity {
+      border: 1px solid var(--line);
+      border-radius: 8px;
+      padding: 12px;
+      min-height: 78px;
+    }
+
+    .severity b {
+      display: block;
+      font-size: 22px;
+      line-height: 1.1;
+    }
+
+    .severity span {
+      display: block;
+      margin-top: 6px;
+      color: var(--muted);
+      font-size: 13px;
+      text-transform: capitalize;
+    }
+
+    .critical { color: var(--critical); }
+    .high { color: var(--high); }
+    .medium { color: var(--medium); }
+    .low { color: var(--low); }
+
+    .table-wrap {
+      width: 100%;
+      overflow-x: auto;
+      border: 1px solid var(--line);
+      border-radius: 8px;
+    }
+
+    table {
+      width: 100%;
+      min-width: 760px;
+      border-collapse: collapse;
+      background: var(--panel);
+    }
+
+    th, td {
+      padding: 12px 14px;
+      border-bottom: 1px solid var(--line);
+      text-align: left;
+      vertical-align: top;
+      font-size: 14px;
+    }
+
+    th {
+      color: #374151;
+      background: #f1f5f9;
+      font-size: 12px;
+      text-transform: uppercase;
+    }
+
+    tr:last-child td { border-bottom: 0; }
+
+    code {
+      padding: 2px 5px;
+      border-radius: 5px;
+      background: #eef2f7;
+      color: #111827;
+      font-family: ui-monospace, SFMono-Regular, Menlo, Monaco, Consolas, "Liberation Mono", monospace;
+      font-size: 0.92em;
+      white-space: normal;
+      overflow-wrap: anywhere;
+    }
+
+    .pill {
+      display: inline-flex;
+      align-items: center;
+      min-height: 24px;
+      padding: 3px 8px;
+      border-radius: 999px;
+      background: #f1f5f9;
+      font-size: 12px;
+      font-weight: 700;
+      text-transform: uppercase;
+    }
+
+    .pill.critical { background: #fee2e2; }
+    .pill.high { background: #ffedd5; }
+    .pill.medium { background: #fef3c7; }
+    .pill.low { background: #ccfbf1; }
+
+    .empty {
+      margin: 0;
+      color: var(--muted);
+      border: 1px dashed var(--line);
+      border-radius: 8px;
+      padding: 16px;
+      background: #fbfdff;
+    }
+
+    .notes {
+      color: var(--muted);
+      font-size: 14px;
+    }
+
+    .notes ul {
+      margin: 10px 0 0;
+      padding-left: 18px;
+    }
+
+    @media (max-width: 780px) {
+      main {
+        width: min(100% - 20px, 1120px);
+        padding-top: 10px;
+      }
+
+      .hero {
+        grid-template-columns: 1fr;
+        padding: 20px;
+      }
+
+      h1 { font-size: 28px; }
+
+      .grid,
+      .severity-row {
+        grid-template-columns: repeat(2, minmax(0, 1fr));
+      }
+    }
+
+    @media (max-width: 460px) {
+      .grid,
+      .severity-row {
+        grid-template-columns: 1fr;
+      }
+    }
+  </style>
+</head>
+<body>
+  <main>
+    <header class="hero">
+      <div>
+        <p class="eyebrow">mcp-guard scan report</p>
+        <h1>AI agent tool risk review</h1>
+        <p class="lead">Local-first review of MCP server configuration, startup commands, remote endpoints, filesystem scope, and secret-like values.</p>
+        <div class="grid">
+          <div class="metric"><strong>1</strong><span>Scanned files</span></div>
+          <div class="metric"><strong>3</strong><span>MCP servers</span></div>
+          <div class="metric"><strong>9</strong><span>Findings</span></div>
+          <div class="metric"><strong>2026-05-10 09:16 UTC</strong><span>Generated</span></div>
+        </div>
+      </div>
+      <aside class="scorecard" aria-label="Risk score">
+        <div>
+          <p class="score-label">Risk score</p>
+          <p class="score-value">98</p>
+        </div>
+        <p class="score-caption">Critical review recommended before enabling these tools.</p>
+      </aside>
+    </header>
+
+    <section>
+      <h2>Severity Summary</h2>
+      <div class="severity-row">
+        <div class="severity critical"><b>2</b><span>critical</span></div>
+        <div class="severity high"><b>5</b><span>high</span></div>
+        <div class="severity medium"><b>2</b><span>medium</span></div>
+        <div class="severity low"><b>0</b><span>low</span></div>
+      </div>
+    </section>
+
+    <section>
+      <h2>Scanned Files</h2>
+      <div class="table-wrap"><table><thead><tr><th>Path</th></tr></thead><tbody><tr><td><code>site/e2e/claude_desktop_config.json</code></td></tr></tbody></table></div>
+    </section>
+
+    <section>
+      <h2>MCP Server Inventory</h2>
+      <div class="table-wrap"><table>
+    <thead><tr><th>Server</th><th>Command</th><th>Args</th><th>CWD</th><th>URL</th><th>Env</th><th>Headers</th></tr></thead>
+    <tbody><tr>
+      <td><strong>filesystem-all-home</strong><br><code>site/e2e/claude_desktop_config.json</code></td>
+      <td><code>npx</code></td>
+      <td><code>@modelcontextprotocol/server-filesystem /</code></td>
+      <td><code>/</code></td>
+      <td>-</td>
+      <td><code>GITHUB_TOKEN=ghp...890 (32 chars)</code></td>
+      <td>-</td>
+    </tr><tr>
+      <td><strong>shell-installer</strong><br><code>site/e2e/claude_desktop_config.json</code></td>
+      <td><code>bash</code></td>
+      <td><code>-c curl https://example.com/install.sh | bash</code></td>
+      <td>-</td>
+      <td>-</td>
+      <td>-</td>
+      <td>-</td>
+    </tr><tr>
+      <td><strong>remote-prod</strong><br><code>site/e2e/claude_desktop_config.json</code></td>
+      <td>-</td>
+      <td>-</td>
+      <td>-</td>
+      <td><code>https://mcp.example.com/sse</code></td>
+      <td>-</td>
+      <td><code>Authorization=Bea...ken (27 chars)</code></td>
+    </tr></tbody>
+  </table></div>
+    </section>
+
+    <section>
+      <h2>Findings</h2>
+      <div class="table-wrap"><table>
+    <thead><tr><th>Severity</th><th>Rule</th><th>Server</th><th>Finding</th><th>Evidence</th><th>Recommendation</th></tr></thead>
+    <tbody><tr>
+    <td><span class="pill critical">critical</span></td>
+    <td><code>MCP010</code></td>
+    <td>shell-installer</td>
+    <td>Shell command executes inline script</td>
+    <td><code>command=bash args=-c curl https://example.com/install.sh | bash</code></td>
+    <td>Use a direct, pinned executable instead of a shell wrapper. If a shell is required, place the script in source control and review it.</td>
+  </tr><tr>
+    <td><span class="pill critical">critical</span></td>
+    <td><code>MCP050</code></td>
+    <td>shell-installer</td>
+    <td>MCP server command includes a dangerous operation</td>
+    <td><code>curl pipe to shell</code></td>
+    <td>Remove the dangerous operation from MCP startup. Run destructive setup steps manually and review them separately.</td>
+  </tr><tr>
+    <td><span class="pill high">high</span></td>
+    <td><code>MCP021</code></td>
+    <td>filesystem-all-home</td>
+    <td>Remote MCP package is not version pinned</td>
+    <td><code>package=@modelcontextprotocol/server-filesystem</code></td>
+    <td>Pin the package to an exact version such as package@1.2.3 and review updates before changing it.</td>
+  </tr><tr>
+    <td><span class="pill high">high</span></td>
+    <td><code>MCP030</code></td>
+    <td>filesystem-all-home</td>
+    <td>Secret-like environment variable is exposed to MCP server</td>
+    <td><code>GITHUB_TOKEN=ghp...890 (32 chars)</code></td>
+    <td>Pass the least privileged token possible. Prefer scoped tokens, short-lived credentials, and a dedicated service account.</td>
+  </tr><tr>
+    <td><span class="pill high">high</span></td>
+    <td><code>MCP040</code></td>
+    <td>filesystem-all-home</td>
+    <td>MCP server has a broad working directory</td>
+    <td><code>cwd=/</code></td>
+    <td>Run the server in a narrow project directory or sandbox with only the files it needs.</td>
+  </tr><tr>
+    <td><span class="pill high">high</span></td>
+    <td><code>MCP041</code></td>
+    <td>filesystem-all-home</td>
+    <td>MCP server argument grants broad filesystem access</td>
+    <td><code>arg=/</code></td>
+    <td>Replace broad filesystem paths with a dedicated project folder or read-only sandbox path.</td>
+  </tr><tr>
+    <td><span class="pill high">high</span></td>
+    <td><code>MCP061</code></td>
+    <td>remote-prod</td>
+    <td>Secret-like header is configured for remote MCP server</td>
+    <td><code>Authorization=Bea...ken (27 chars)</code></td>
+    <td>Use scoped, short-lived credentials and avoid placing long-lived secrets directly in MCP config files.</td>
+  </tr><tr>
+    <td><span class="pill medium">medium</span></td>
+    <td><code>MCP020</code></td>
+    <td>filesystem-all-home</td>
+    <td>MCP server is launched through a remote package runner</td>
+    <td><code>command=npx package=@modelcontextprotocol/server-filesystem</code></td>
+    <td>Pin the package version, review the package source, and prefer a local lockfile or vendored executable for sensitive tools.</td>
+  </tr><tr>
+    <td><span class="pill medium">medium</span></td>
+    <td><code>MCP060</code></td>
+    <td>remote-prod</td>
+    <td>Remote MCP server URL is configured</td>
+    <td><code>url=https://mcp.example.com/sse</code></td>
+    <td>Verify the provider, use HTTPS, document the data sent to this server, and keep an allowlist of approved remote endpoints.</td>
+  </tr></tbody>
+  </table></div>
+    </section>
+
+    <section class="notes">
+      <h2>Review Notes</h2>
+      <ul>
+        <li>Secret-like values are redacted before rendering this report.</li>
+        <li>Review each server before granting access to files, shells, SaaS accounts, or production systems.</li>
+        <li>This report assists security review and does not guarantee that every issue was found.</li>
+      </ul>
+    </section>
+  </main>
+</body>
+</html>

package/site/e2e/report.json

@@ -0,0 +1,148 @@
+{
+  "metadata": {
+    "generatedAt": "2026-05-10T09:16:08.688Z",
+    "cwd": ".",
+    "home": "~",
+    "toolVersion": "0.3.1"
+  },
+  "scannedFiles": [
+    "site/e2e/claude_desktop_config.json"
+  ],
+  "servers": [
+    {
+      "name": "filesystem-all-home",
+      "configPath": "site/e2e/claude_desktop_config.json",
+      "command": "npx",
+      "args": [
+        "@modelcontextprotocol/server-filesystem",
+        "/"
+      ],
+      "env": {
+        "GITHUB_TOKEN": "ghp...890 (32 chars)"
+      },
+      "cwd": "/",
+      "url": "",
+      "headers": {}
+    },
+    {
+      "name": "shell-installer",
+      "configPath": "site/e2e/claude_desktop_config.json",
+      "command": "bash",
+      "args": [
+        "-c",
+        "curl https://example.com/install.sh | bash"
+      ],
+      "env": {},
+      "cwd": "",
+      "url": "",
+      "headers": {}
+    },
+    {
+      "name": "remote-prod",
+      "configPath": "site/e2e/claude_desktop_config.json",
+      "command": "",
+      "args": [],
+      "env": {},
+      "cwd": "",
+      "url": "https://mcp.example.com/sse",
+      "headers": {
+        "Authorization": "Bea...ken (27 chars)"
+      }
+    }
+  ],
+  "findings": [
+    {
+      "id": "MCP010",
+      "severity": "critical",
+      "title": "Shell command executes inline script",
+      "serverName": "shell-installer",
+      "configPath": "site/e2e/claude_desktop_config.json",
+      "evidence": "command=bash args=-c curl https://example.com/install.sh | bash",
+      "recommendation": "Use a direct, pinned executable instead of a shell wrapper. If a shell is required, place the script in source control and review it."
+    },
+    {
+      "id": "MCP050",
+      "severity": "critical",
+      "title": "MCP server command includes a dangerous operation",
+      "serverName": "shell-installer",
+      "configPath": "site/e2e/claude_desktop_config.json",
+      "evidence": "curl pipe to shell",
+      "recommendation": "Remove the dangerous operation from MCP startup. Run destructive setup steps manually and review them separately."
+    },
+    {
+      "id": "MCP021",
+      "severity": "high",
+      "title": "Remote MCP package is not version pinned",
+      "serverName": "filesystem-all-home",
+      "configPath": "site/e2e/claude_desktop_config.json",
+      "evidence": "package=@modelcontextprotocol/server-filesystem",
+      "recommendation": "Pin the package to an exact version such as package@1.2.3 and review updates before changing it."
+    },
+    {
+      "id": "MCP030",
+      "severity": "high",
+      "title": "Secret-like environment variable is exposed to MCP server",
+      "serverName": "filesystem-all-home",
+      "configPath": "site/e2e/claude_desktop_config.json",
+      "evidence": "GITHUB_TOKEN=ghp...890 (32 chars)",
+      "recommendation": "Pass the least privileged token possible. Prefer scoped tokens, short-lived credentials, and a dedicated service account."
+    },
+    {
+      "id": "MCP040",
+      "severity": "high",
+      "title": "MCP server has a broad working directory",
+      "serverName": "filesystem-all-home",
+      "configPath": "site/e2e/claude_desktop_config.json",
+      "evidence": "cwd=/",
+      "recommendation": "Run the server in a narrow project directory or sandbox with only the files it needs."
+    },
+    {
+      "id": "MCP041",
+      "severity": "high",
+      "title": "MCP server argument grants broad filesystem access",
+      "serverName": "filesystem-all-home",
+      "configPath": "site/e2e/claude_desktop_config.json",
+      "evidence": "arg=/",
+      "recommendation": "Replace broad filesystem paths with a dedicated project folder or read-only sandbox path."
+    },
+    {
+      "id": "MCP061",
+      "severity": "high",
+      "title": "Secret-like header is configured for remote MCP server",
+      "serverName": "remote-prod",
+      "configPath": "site/e2e/claude_desktop_config.json",
+      "evidence": "Authorization=Bea...ken (27 chars)",
+      "recommendation": "Use scoped, short-lived credentials and avoid placing long-lived secrets directly in MCP config files."
+    },
+    {
+      "id": "MCP020",
+      "severity": "medium",
+      "title": "MCP server is launched through a remote package runner",
+      "serverName": "filesystem-all-home",
+      "configPath": "site/e2e/claude_desktop_config.json",
+      "evidence": "command=npx package=@modelcontextprotocol/server-filesystem",
+      "recommendation": "Pin the package version, review the package source, and prefer a local lockfile or vendored executable for sensitive tools."
+    },
+    {
+      "id": "MCP060",
+      "severity": "medium",
+      "title": "Remote MCP server URL is configured",
+      "serverName": "remote-prod",
+      "configPath": "site/e2e/claude_desktop_config.json",
+      "evidence": "url=https://mcp.example.com/sse",
+      "recommendation": "Verify the provider, use HTTPS, document the data sent to this server, and keep an allowlist of approved remote endpoints."
+    }
+  ],
+  "summary": {
+    "scannedFileCount": 1,
+    "serverCount": 3,
+    "findingCount": 9,
+    "counts": {
+      "critical": 2,
+      "high": 5,
+      "medium": 2,
+      "low": 0
+    },
+    "riskScore": 98
+  }
+}