agent-security-scanner-mcp 1.0.0

package/README.md

@@ -0,0 +1,106 @@
+# agent-security-scanner-mcp
+
+An MCP (Model Context Protocol) server for security vulnerability scanning. Detects SQL injection, XSS, command injection, hardcoded secrets, and 160+ security issues.
+
+## Installation
+
+```bash
+npm install -g agent-security-scanner-mcp
+```
+
+Or run directly with npx:
+
+```bash
+npx agent-security-scanner-mcp
+```
+
+## Requirements
+
+- Node.js >= 18.0.0
+- Python 3.x (for the analyzer)
+
+## Configuration
+
+### Claude Desktop
+
+Add to your `claude_desktop_config.json`:
+
+```json
+{
+  "mcpServers": {
+    "security-scanner": {
+      "command": "npx",
+      "args": ["-y", "agent-security-scanner-mcp"]
+    }
+  }
+}
+```
+
+### Claude Code
+
+Add to your MCP settings:
+
+```json
+{
+  "mcpServers": {
+    "security-scanner": {
+      "command": "npx",
+      "args": ["-y", "agent-security-scanner-mcp"]
+    }
+  }
+}
+```
+
+## Available Tools
+
+### `scan_security`
+
+Scan a file for security vulnerabilities and return issues with suggested fixes.
+
+**Parameters:**
+- `file_path` (string): Path to the file to scan
+
+**Returns:** List of security issues with severity, CWE references, and fix suggestions.
+
+### `fix_security`
+
+Scan a file and return the fixed content with all security issues resolved.
+
+**Parameters:**
+- `file_path` (string): Path to the file to fix
+
+**Returns:** Fixed file content with applied security fixes.
+
+### `list_security_rules`
+
+List all available security fix templates and their descriptions.
+
+## Detected Vulnerabilities
+
+| Category | Examples |
+|----------|----------|
+| Injection | SQL injection, Command injection, XSS |
+| Secrets | Hardcoded API keys, passwords, private keys |
+| Cryptography | Weak hashing (MD5, SHA1), insecure random |
+| Deserialization | Pickle, unsafe YAML load |
+| Network | SSL verification disabled, HTTP usage |
+| Path Traversal | Unsanitized file paths |
+
+## Supported Languages
+
+- JavaScript / TypeScript
+- Python
+- Java
+- Go
+- Ruby
+- PHP
+- Dockerfile
+- Generic (secrets detection)
+
+## License
+
+MIT
+
+## Repository
+
+https://github.com/sinewaveai/agent-security-layer-fork

package/analyzer.py

@@ -0,0 +1,119 @@
+import sys
+import json
+import re
+import os
+
+# Add the directory containing this script to the path
+sys.path.insert(0, os.path.dirname(os.path.abspath(__file__)))
+
+from rules import get_rules, get_rules_for_language, get_rule_stats
+
+# File extension to language mapping
+EXTENSION_MAP = {
+    '.py': 'python',
+    '.js': 'javascript',
+    '.ts': 'typescript',
+    '.tsx': 'typescript',
+    '.jsx': 'javascript',
+    '.java': 'java',
+    '.go': 'go',
+    '.rb': 'ruby',
+    '.php': 'php',
+    '.cs': 'csharp',
+    '.rs': 'rust',
+    '.c': 'c',
+    '.cpp': 'cpp',
+    '.h': 'c',
+    '.hpp': 'cpp',
+    '.sql': 'sql',
+    '.dockerfile': 'dockerfile',
+    '.yaml': 'yaml',
+    '.yml': 'yaml',
+    '.json': 'json',
+    '.tf': 'terraform',
+    '.hcl': 'terraform',
+}
+
+def detect_language(file_path):
+    """Detect the programming language from file extension or name"""
+    basename = os.path.basename(file_path).lower()
+    
+    if basename == 'dockerfile' or basename.startswith('dockerfile.'):
+        return 'dockerfile'
+    
+    _, ext = os.path.splitext(file_path.lower())
+    return EXTENSION_MAP.get(ext, 'generic')
+
+def analyze_file(file_path):
+    """Analyze a single file for security vulnerabilities"""
+    issues = []
+    
+    try:
+        language = detect_language(file_path)
+        rules = get_rules_for_language(language)
+        
+        with open(file_path, 'r', encoding='utf-8') as f:
+            lines = f.readlines()
+            content = ''.join(lines)
+        
+        for line_index, line in enumerate(lines):
+            original_line = line
+            line = line.strip()
+            if not line:
+                continue
+            
+            # Skip comment-only lines (basic detection)
+            if line.startswith('#') or line.startswith('//') or line.startswith('*'):
+                continue
+                
+            for rule_id, rule in rules.items():
+                for pattern in rule['patterns']:
+                    try:
+                        # Use IGNORECASE for better detection (API_KEY vs api_key)
+                        matches = re.finditer(pattern, line, re.IGNORECASE)
+                        for match in matches:
+                            # Calculate column based on original line (preserve indentation)
+                            col_offset = len(original_line) - len(original_line.lstrip())
+                            issues.append({
+                                'ruleId': rule['id'],
+                                'message': f"[{rule['name']}] {rule['message']}",
+                                'line': line_index,
+                                'column': match.start() + col_offset,
+                                'length': match.end() - match.start(),
+                                'severity': rule['severity'],
+                                'metadata': rule.get('metadata', {})
+                            })
+                    except re.error:
+                        # Skip invalid regex patterns
+                        continue
+                        
+    except Exception as e:
+        return {'error': str(e)}
+    
+    # Deduplicate issues (same rule, same line)
+    seen = set()
+    unique_issues = []
+    for issue in issues:
+        key = (issue['ruleId'], issue['line'], issue['column'])
+        if key not in seen:
+            seen.add(key)
+            unique_issues.append(issue)
+        
+    return unique_issues
+
+def main():
+    if len(sys.argv) < 2:
+        print(json.dumps({'error': 'No file path provided'}))
+        sys.exit(1)
+        
+    file_path = sys.argv[1]
+    
+    if not os.path.exists(file_path):
+        print(json.dumps({'error': f'File not found: {file_path}'}))
+        sys.exit(1)
+        
+    results = analyze_file(file_path)
+    print(json.dumps(results))
+
+if __name__ == '__main__':
+    main()

package/index.js

@@ -0,0 +1,269 @@
+#!/usr/bin/env node
+
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
+import { z } from "zod";
+import { execSync } from "child_process";
+import { readFileSync, existsSync } from "fs";
+import { dirname, join } from "path";
+import { fileURLToPath } from "url";
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+
+// Security fix templates
+const FIX_TEMPLATES = {
+  "sql-injection": {
+    description: "Use parameterized queries instead of string concatenation",
+    fix: (line) => line.replace(/["']([^"']*)\s*["']\s*\+\s*(\w+)/, '"$1?", [$2]')
+  },
+  "innerhtml": {
+    description: "Use textContent or DOMPurify.sanitize()",
+    fix: (line) => line.replace(/\.innerHTML\s*=/, '.textContent =')
+  },
+  "child-process-exec": {
+    description: "Use execFile() or spawn() with shell: false",
+    fix: (line) => line.replace(/\bexec\s*\(/, 'execFile(')
+  },
+  "hardcoded": {
+    description: "Use environment variables",
+    fix: (line, lang) => {
+      if (lang === 'python') {
+        return line.replace(/=\s*["'][^"']+["']/, '= os.environ.get("SECRET")');
+      }
+      return line.replace(/[:=]\s*["'][^"']+["']/, ': process.env.SECRET');
+    }
+  },
+  "md5": {
+    description: "Use SHA-256 or stronger",
+    fix: (line) => line.replace(/md5/gi, 'sha256')
+  },
+  "sha1": {
+    description: "Use SHA-256 or stronger",
+    fix: (line) => line.replace(/sha1/gi, 'sha256')
+  },
+  "pickle": {
+    description: "Use JSON instead of pickle",
+    fix: (line) => line.replace(/pickle\.(load|loads)/, 'json.$1')
+  },
+  "yaml.load": {
+    description: "Use yaml.safe_load()",
+    fix: (line) => line.replace(/yaml\.load\s*\(/, 'yaml.safe_load(')
+  },
+  "verify=false": {
+    description: "Enable SSL verification",
+    fix: (line) => line.replace(/verify\s*=\s*False/i, 'verify=True')
+  }
+};
+
+// Detect language from file extension
+function detectLanguage(filePath) {
+  const ext = filePath.split('.').pop().toLowerCase();
+  const langMap = {
+    'py': 'python', 'js': 'javascript', 'ts': 'typescript',
+    'tsx': 'typescript', 'jsx': 'javascript', 'java': 'java',
+    'go': 'go', 'rb': 'ruby', 'php': 'php'
+  };
+  return langMap[ext] || 'generic';
+}
+
+// Run the Python analyzer
+function runAnalyzer(filePath) {
+  try {
+    const analyzerPath = join(__dirname, 'analyzer.py');
+    const result = execSync(`python3 "${analyzerPath}" "${filePath}"`, {
+      encoding: 'utf-8',
+      timeout: 30000
+    });
+    return JSON.parse(result);
+  } catch (error) {
+    return { error: error.message };
+  }
+}
+
+// Generate fix suggestion for an issue
+function generateFix(issue, line, language) {
+  const ruleId = issue.ruleId.toLowerCase();
+
+  for (const [pattern, template] of Object.entries(FIX_TEMPLATES)) {
+    if (ruleId.includes(pattern)) {
+      return {
+        description: template.description,
+        original: line,
+        fixed: template.fix(line, language)
+      };
+    }
+  }
+
+  return {
+    description: "Review and fix manually based on the security rule",
+    original: line,
+    fixed: null
+  };
+}
+
+// Create MCP Server
+const server = new McpServer(
+  {
+    name: "security-scanner",
+    version: "1.0.0",
+  },
+  {
+    capabilities: {
+      tools: {},
+    },
+  }
+);
+
+// Register scan_security tool
+server.tool(
+  "scan_security",
+  "Scan a file for security vulnerabilities and return issues with suggested fixes",
+  {
+    file_path: z.string().describe("Path to the file to scan")
+  },
+  async ({ file_path }) => {
+    if (!existsSync(file_path)) {
+      return {
+        content: [{ type: "text", text: JSON.stringify({ error: "File not found" }) }]
+      };
+    }
+
+    const issues = runAnalyzer(file_path);
+
+    if (issues.error) {
+      return {
+        content: [{ type: "text", text: JSON.stringify(issues) }]
+      };
+    }
+
+    // Read file content for fix suggestions
+    const content = readFileSync(file_path, 'utf-8');
+    const lines = content.split('\n');
+    const language = detectLanguage(file_path);
+
+    // Enhance issues with fix suggestions
+    const enhancedIssues = issues.map(issue => {
+      const line = lines[issue.line] || '';
+      const fix = generateFix(issue, line, language);
+      return {
+        ...issue,
+        line_content: line.trim(),
+        suggested_fix: fix
+      };
+    });
+
+    return {
+      content: [{
+        type: "text",
+        text: JSON.stringify({
+          file: file_path,
+          language: language,
+          issues_count: enhancedIssues.length,
+          issues: enhancedIssues
+        }, null, 2)
+      }]
+    };
+  }
+);
+
+// Register fix_security tool
+server.tool(
+  "fix_security",
+  "Scan a file and return the fixed content with all security issues resolved",
+  {
+    file_path: z.string().describe("Path to the file to fix")
+  },
+  async ({ file_path }) => {
+    if (!existsSync(file_path)) {
+      return {
+        content: [{ type: "text", text: JSON.stringify({ error: "File not found" }) }]
+      };
+    }
+
+    const issues = runAnalyzer(file_path);
+
+    if (issues.error || !Array.isArray(issues) || issues.length === 0) {
+      return {
+        content: [{
+          type: "text",
+          text: JSON.stringify({
+            message: issues.error ? "Error scanning file" : "No security issues found",
+            details: issues
+          })
+        }]
+      };
+    }
+
+    // Read and fix the file
+    const content = readFileSync(file_path, 'utf-8');
+    const lines = content.split('\n');
+    const language = detectLanguage(file_path);
+    const fixes = [];
+
+    // Apply fixes (process in reverse order to preserve line numbers)
+    const sortedIssues = [...issues].sort((a, b) => b.line - a.line);
+
+    for (const issue of sortedIssues) {
+      const lineIndex = issue.line;
+      if (lineIndex >= 0 && lineIndex < lines.length) {
+        const originalLine = lines[lineIndex];
+        const fix = generateFix(issue, originalLine, language);
+
+        if (fix.fixed && fix.fixed !== originalLine) {
+          lines[lineIndex] = fix.fixed;
+          fixes.push({
+            line: lineIndex + 1,
+            rule: issue.ruleId,
+            original: originalLine.trim(),
+            fixed: fix.fixed.trim(),
+            description: fix.description
+          });
+        }
+      }
+    }
+
+    return {
+      content: [{
+        type: "text",
+        text: JSON.stringify({
+          file: file_path,
+          fixes_applied: fixes.length,
+          fixes: fixes,
+          fixed_content: lines.join('\n')
+        }, null, 2)
+      }]
+    };
+  }
+);
+
+// Register list_security_rules tool
+server.tool(
+  "list_security_rules",
+  "List all available security fix templates and their descriptions",
+  {},
+  async () => {
+    const rules = Object.entries(FIX_TEMPLATES).map(([id, template]) => ({
+      pattern: id,
+      description: template.description
+    }));
+
+    return {
+      content: [{
+        type: "text",
+        text: JSON.stringify({ rules }, null, 2)
+      }]
+    };
+  }
+);
+
+// Start the server with stdio transport
+async function main() {
+  const transport = new StdioServerTransport();
+  await server.connect(transport);
+  console.error("Security Scanner MCP Server running on stdio");
+}
+
+main().catch((error) => {
+  console.error("Fatal error:", error);
+  process.exit(1);
+});

package/package.json

@@ -0,0 +1,48 @@
+{
+  "name": "agent-security-scanner-mcp",
+  "version": "1.0.0",
+  "description": "MCP server for security vulnerability scanning - detects SQL injection, XSS, command injection, hardcoded secrets, and more",
+  "main": "index.js",
+  "type": "module",
+  "bin": {
+    "agent-security-scanner-mcp": "./index.js"
+  },
+  "scripts": {
+    "start": "node index.js"
+  },
+  "keywords": [
+    "mcp",
+    "model-context-protocol",
+    "claude",
+    "security",
+    "scanner",
+    "vulnerability",
+    "sast",
+    "code-analysis",
+    "sql-injection",
+    "xss",
+    "secrets-detection"
+  ],
+  "author": "",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/sinewaveai/agent-security-layer-fork.git"
+  },
+  "homepage": "https://github.com/sinewaveai/agent-security-layer-fork#readme",
+  "bugs": {
+    "url": "https://github.com/sinewaveai/agent-security-layer-fork/issues"
+  },
+  "engines": {
+    "node": ">=18.0.0"
+  },
+  "dependencies": {
+    "@modelcontextprotocol/sdk": "^1.25.3",
+    "zod": "^4.3.6"
+  },
+  "files": [
+    "index.js",
+    "analyzer.py",
+    "rules/**"
+  ]
+}

package/rules/__init__.py

@@ -0,0 +1,167 @@
+# Rule loader for YAML-based security rules
+# Aligned with Semgrep registry format
+
+import os
+import re
+
+try:
+    import yaml
+    HAS_YAML = True
+except ImportError:
+    HAS_YAML = False
+
+RULES_DIR = os.path.dirname(os.path.abspath(__file__))
+
+def load_yaml_rules():
+    """Load all YAML rule files from the rules directory"""
+    rules = {}
+    
+    if not HAS_YAML:
+        print("Warning: PyYAML not installed. Using fallback rules.")
+        return rules
+    
+    for filename in os.listdir(RULES_DIR):
+        if filename.endswith('.yaml') or filename.endswith('.yml'):
+            filepath = os.path.join(RULES_DIR, filename)
+            try:
+                with open(filepath, 'r', encoding='utf-8') as f:
+                    data = yaml.safe_load(f)
+                    if data and 'rules' in data:
+                        for rule in data['rules']:
+                            rule_id = rule.get('id', '')
+                            if rule_id:
+                                rules[rule_id] = {
+                                    'id': rule_id,
+                                    'name': rule_id.split('.')[-1].replace('-', ' ').title(),
+                                    'patterns': rule.get('patterns', []),
+                                    'message': rule.get('message', ''),
+                                    'severity': rule.get('severity', 'WARNING').lower(),
+                                    'languages': rule.get('languages', ['generic']),
+                                    'metadata': rule.get('metadata', {})
+                                }
+            except Exception as e:
+                print(f"Error loading {filename}: {e}")
+    
+    return rules
+
+# Fallback rules if YAML is not available
+FALLBACK_RULES = {
+    'python.lang.security.audit.sql-injection': {
+        'id': 'python.lang.security.audit.sql-injection',
+        'name': 'SQL Injection',
+        'patterns': [
+            r'execute\s*\(\s*["\'].*\$\{.*\}.*["\']',
+            r'query\s*\(\s*["\'].*\+.*["\']',
+            r'SELECT\s+.*\s+FROM\s+.*\s+WHERE\s+.*=.*\+',
+            r'cursor\.execute\s*\(\s*[^)]*%.*\)',
+        ],
+        'message': 'Possible SQL injection vulnerability detected. Use parameterized queries.',
+        'severity': 'error',
+        'languages': ['python'],
+        'metadata': {
+            'cwe': 'CWE-89',
+            'owasp': 'A03:2021 - Injection',
+            'confidence': 'MEDIUM'
+        }
+    },
+    'javascript.browser.security.dom-based-xss': {
+        'id': 'javascript.browser.security.dom-based-xss',
+        'name': 'Cross-Site Scripting (XSS)',
+        'patterns': [
+            r'innerHTML\s*=\s*',
+            r'outerHTML\s*=\s*',
+            r'document\.write\s*\(',
+            r'\.html\s*\(\s*[^)]*\+',
+        ],
+        'message': 'Possible XSS vulnerability. Sanitize user input before rendering.',
+        'severity': 'error',
+        'languages': ['javascript', 'typescript'],
+        'metadata': {
+            'cwe': 'CWE-79',
+            'owasp': 'A03:2021 - Injection',
+            'confidence': 'MEDIUM'
+        }
+    },
+    'generic.secrets.security.hardcoded-secret': {
+        'id': 'generic.secrets.security.hardcoded-secret',
+        'name': 'Hardcoded Secrets',
+        'patterns': [
+            r'(api|secret|private)[_-]?key\s*[:=]\s*["\'][^"\']{20,}["\']',
+            r'password\s*[:=]\s*["\'][^"\']{6,}["\']',
+            r'["\'](sk_live_[A-Za-z0-9]{24,})["\']',
+            r'["\'](sk_test_[A-Za-z0-9]{24,})["\']',
+            r'["\'](ghp_[A-Za-z0-9]{30,})["\']',
+        ],
+        'message': 'Possible hardcoded secret detected. Use environment variables instead.',
+        'severity': 'warning',
+        'languages': ['generic'],
+        'metadata': {
+            'cwe': 'CWE-798',
+            'owasp': 'A07:2021 - Identification and Authentication Failures',
+            'confidence': 'HIGH'
+        }
+    }
+}
+
+def get_rules():
+    """Get all rules - from YAML if available, otherwise fallback"""
+    yaml_rules = load_yaml_rules()
+    if yaml_rules:
+        return yaml_rules
+    return FALLBACK_RULES
+
+def get_rules_for_language(language):
+    """Get rules applicable to a specific language"""
+    all_rules = get_rules()
+    applicable_rules = {}
+    
+    language = language.lower()
+    
+    for rule_id, rule in all_rules.items():
+        rule_languages = [lang.lower() for lang in rule.get('languages', ['generic'])]
+        if language in rule_languages or 'generic' in rule_languages:
+            applicable_rules[rule_id] = rule
+    
+    return applicable_rules
+
+def get_rules_by_category(category):
+    """Get rules by category (e.g., 'injection', 'crypto', 'secrets')"""
+    all_rules = get_rules()
+    category_rules = {}
+    
+    category = category.lower()
+    
+    for rule_id, rule in all_rules.items():
+        if category in rule_id.lower():
+            category_rules[rule_id] = rule
+    
+    return category_rules
+
+def get_rule_stats():
+    """Get statistics about loaded rules"""
+    all_rules = get_rules()
+    
+    stats = {
+        'total': len(all_rules),
+        'by_severity': {'error': 0, 'warning': 0, 'info': 0},
+        'by_language': {},
+        'by_category': {}
+    }
+    
+    for rule_id, rule in all_rules.items():
+        severity = rule.get('severity', 'warning').lower()
+        stats['by_severity'][severity] = stats['by_severity'].get(severity, 0) + 1
+        
+        for lang in rule.get('languages', ['generic']):
+            lang = lang.lower()
+            stats['by_language'][lang] = stats['by_language'].get(lang, 0) + 1
+        
+        parts = rule_id.split('.')
+        if len(parts) >= 3:
+            category = parts[2] if parts[2] != 'lang' else parts[3] if len(parts) > 3 else parts[2]
+            stats['by_category'][category] = stats['by_category'].get(category, 0) + 1
+    
+    return stats
+
+# Export for backward compatibility
+RULES = get_rules()