agent-security-scanner-mcp 1.0.0 → 1.0.1

package/index.js

@@ -10,29 +10,180 @@ import { fileURLToPath } from "url";
 
 const __dirname = dirname(fileURLToPath(import.meta.url));
 
-// Security fix templates
+// Security fix templates - comprehensive coverage for 165+ rules
 const FIX_TEMPLATES = {
+  // ===========================================
+  // SQL INJECTION
+  // ===========================================
   "sql-injection": {
     description: "Use parameterized queries instead of string concatenation",
     fix: (line) => line.replace(/["']([^"']*)\s*["']\s*\+\s*(\w+)/, '"$1?", [$2]')
   },
+  "nosql-injection": {
+    description: "Sanitize MongoDB query inputs",
+    fix: (line) => line.replace(/\{\s*(\w+)\s*:\s*(\w+)\s*\}/, '{ $1: sanitize($2) }')
+  },
+  "raw-query": {
+    description: "Use parameterized queries instead of raw SQL",
+    fix: (line) => line.replace(/\.query\s*\(\s*["'`]/, '.query("SELECT * FROM table WHERE id = ?", [')
+  },
+
+  // ===========================================
+  // XSS (Cross-Site Scripting)
+  // ===========================================
   "innerhtml": {
     description: "Use textContent or DOMPurify.sanitize()",
     fix: (line) => line.replace(/\.innerHTML\s*=/, '.textContent =')
   },
+  "outerhtml": {
+    description: "Use textContent or DOMPurify.sanitize()",
+    fix: (line) => line.replace(/\.outerHTML\s*=/, '.textContent =')
+  },
+  "document-write": {
+    description: "Use DOM methods instead of document.write()",
+    fix: (line) => line.replace(/document\.write(ln)?\s*\(/, 'document.body.appendChild(document.createTextNode(')
+  },
+  "insertadjacenthtml": {
+    description: "Use insertAdjacentText or sanitize input",
+    fix: (line) => line.replace(/\.insertAdjacentHTML\s*\(/, '.insertAdjacentText(')
+  },
+  "dangerouslysetinnerhtml": {
+    description: "Sanitize content with DOMPurify before using dangerouslySetInnerHTML",
+    fix: (line) => line.replace(/dangerouslySetInnerHTML\s*=\s*\{\s*\{\s*__html\s*:\s*(\w+)/, 'dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize($1)')
+  },
+  "xss-response-writer": {
+    description: "Escape HTML output before writing to response",
+    fix: (line) => line.replace(/\.Write\s*\(\s*(\w+)/, '.Write(html.EscapeString($1)')
+  },
+
+  // ===========================================
+  // COMMAND INJECTION
+  // ===========================================
   "child-process-exec": {
     description: "Use execFile() or spawn() with shell: false",
     fix: (line) => line.replace(/\bexec\s*\(/, 'execFile(')
   },
+  "spawn-shell": {
+    description: "Use spawn with shell: false",
+    fix: (line) => line.replace(/shell\s*:\s*true/i, 'shell: false')
+  },
+  "dangerous-subprocess": {
+    description: "Use subprocess.run with list arguments",
+    fix: (line) => line.replace(/subprocess\.(call|run|Popen)\s*\(\s*["'](.+?)["']\s*,\s*shell\s*=\s*True/, 'subprocess.$1(["$2".split()], shell=False')
+  },
+  "dangerous-system-call": {
+    description: "Use subprocess.run instead of os.system",
+    fix: (line) => line.replace(/os\.system\s*\(/, 'subprocess.run([')
+  },
+  "command-injection-exec": {
+    description: "Use exec.Command with separate arguments",
+    fix: (line) => line.replace(/exec\.Command\s*\(\s*["'](\w+)\s+/, 'exec.Command("$1", ')
+  },
+  "runtime-exec": {
+    description: "Use ProcessBuilder with separate arguments",
+    fix: (line) => line.replace(/Runtime\.getRuntime\(\)\.exec\s*\(/, 'new ProcessBuilder(')
+  },
+  "process-builder": {
+    description: "Validate and sanitize command arguments",
+    fix: (line) => line.replace(/new ProcessBuilder\s*\(\s*(.+?)\s*\)/, 'new ProcessBuilder(validateArgs($1))')
+  },
+
+  // ===========================================
+  // HARDCODED SECRETS & CREDENTIALS
+  // ===========================================
   "hardcoded": {
     description: "Use environment variables",
     fix: (line, lang) => {
       if (lang === 'python') {
         return line.replace(/=\s*["'][^"']+["']/, '= os.environ.get("SECRET")');
       }
-      return line.replace(/[:=]\s*["'][^"']+["']/, ': process.env.SECRET');
+      return line.replace(/=\s*["'][^"']+["']/, '= process.env.SECRET');
+    }
+  },
+  "api-key": {
+    description: "Use environment variables for API keys",
+    fix: (line, lang) => {
+      if (lang === 'python') return line.replace(/=\s*["'][^"']+["']/, '= os.environ.get("API_KEY")');
+      if (lang === 'go') return line.replace(/=\s*["'][^"']+["']/, '= os.Getenv("API_KEY")');
+      return line.replace(/=\s*["'][^"']+["']/, '= process.env.API_KEY');
+    }
+  },
+  "password": {
+    description: "Use environment variables for passwords",
+    fix: (line, lang) => {
+      if (lang === 'python') return line.replace(/=\s*["'][^"']+["']/, '= os.environ.get("PASSWORD")');
+      if (lang === 'go') return line.replace(/=\s*["'][^"']+["']/, '= os.Getenv("PASSWORD")');
+      return line.replace(/=\s*["'][^"']+["']/, '= process.env.PASSWORD');
+    }
+  },
+  "secret-key": {
+    description: "Use environment variables for secret keys",
+    fix: (line, lang) => {
+      if (lang === 'python') return line.replace(/=\s*["'][^"']+["']/, '= os.environ.get("SECRET_KEY")');
+      return line.replace(/=\s*["'][^"']+["']/, '= process.env.SECRET_KEY');
+    }
+  },
+  "aws-access": {
+    description: "Use AWS credentials from environment or IAM roles",
+    fix: (line) => line.replace(/=\s*["']AKIA[^"']+["']/, '= os.environ.get("AWS_ACCESS_KEY_ID")')
+  },
+  "aws-secret": {
+    description: "Use AWS credentials from environment or IAM roles",
+    fix: (line) => line.replace(/=\s*["'][^"']{40}["']/, '= os.environ.get("AWS_SECRET_ACCESS_KEY")')
+  },
+  "stripe": {
+    description: "Use environment variables for Stripe keys",
+    fix: (line, lang) => {
+      if (lang === 'python') return line.replace(/=\s*["']sk_(live|test)_[^"']+["']/, '= os.environ.get("STRIPE_SECRET_KEY")');
+      return line.replace(/=\s*["']sk_(live|test)_[^"']+["']/, '= process.env.STRIPE_SECRET_KEY');
+    }
+  },
+  "github": {
+    description: "Use environment variables for GitHub tokens",
+    fix: (line, lang) => {
+      if (lang === 'python') return line.replace(/=\s*["'](ghp_|github_pat_)[^"']+["']/, '= os.environ.get("GITHUB_TOKEN")');
+      return line.replace(/=\s*["'](ghp_|github_pat_)[^"']+["']/, '= process.env.GITHUB_TOKEN');
+    }
+  },
+  "openai": {
+    description: "Use environment variables for OpenAI keys",
+    fix: (line, lang) => {
+      if (lang === 'python') return line.replace(/=\s*["']sk-[^"']+["']/, '= os.environ.get("OPENAI_API_KEY")');
+      return line.replace(/=\s*["']sk-[^"']+["']/, '= process.env.OPENAI_API_KEY');
+    }
+  },
+  "slack": {
+    description: "Use environment variables for Slack tokens",
+    fix: (line, lang) => {
+      if (lang === 'python') return line.replace(/=\s*["']xox[baprs]-[^"']+["']/, '= os.environ.get("SLACK_TOKEN")');
+      return line.replace(/=\s*["']xox[baprs]-[^"']+["']/, '= process.env.SLACK_TOKEN');
+    }
+  },
+  "jwt-token": {
+    description: "Use environment variables for JWT secrets",
+    fix: (line, lang) => {
+      if (lang === 'python') return line.replace(/=\s*["'][^"']+["']/, '= os.environ.get("JWT_SECRET")');
+      return line.replace(/=\s*["'][^"']+["']/, '= process.env.JWT_SECRET');
     }
   },
+  "private-key": {
+    description: "Load private keys from secure file or vault",
+    fix: (line, lang) => {
+      if (lang === 'python') return line.replace(/=\s*["']-----BEGIN[^"']+["']/, '= load_key_from_file(os.environ.get("PRIVATE_KEY_PATH"))');
+      return line.replace(/=\s*["']-----BEGIN[^"']+["']/, '= fs.readFileSync(process.env.PRIVATE_KEY_PATH)');
+    }
+  },
+  "database-url": {
+    description: "Use environment variables for database URLs",
+    fix: (line, lang) => {
+      if (lang === 'python') return line.replace(/=\s*["'][^"']+["']/, '= os.environ.get("DATABASE_URL")');
+      return line.replace(/=\s*["'][^"']+["']/, '= process.env.DATABASE_URL');
+    }
+  },
+
+  // ===========================================
+  // WEAK CRYPTOGRAPHY
+  // ===========================================
   "md5": {
     description: "Use SHA-256 or stronger",
     fix: (line) => line.replace(/md5/gi, 'sha256')
@@ -41,17 +192,434 @@ const FIX_TEMPLATES = {
     description: "Use SHA-256 or stronger",
     fix: (line) => line.replace(/sha1/gi, 'sha256')
   },
+  "des": {
+    description: "Use AES instead of DES",
+    fix: (line) => line.replace(/DES/g, 'AES').replace(/des/g, 'aes')
+  },
+  "ecb-mode": {
+    description: "Use CBC or GCM mode instead of ECB",
+    fix: (line) => line.replace(/ECB/g, 'GCM').replace(/ecb/g, 'gcm')
+  },
+  "weak-cipher": {
+    description: "Use AES-256-GCM or ChaCha20-Poly1305",
+    fix: (line) => line.replace(/(DES|RC4|Blowfish)/gi, 'AES')
+  },
+  "insecure-random": {
+    description: "Use cryptographically secure random",
+    fix: (line, lang) => {
+      if (lang === 'python') return line.replace(/random\.(random|randint|choice|randrange)\s*\(/, 'secrets.token_hex(');
+      if (lang === 'go') return line.replace(/math\/rand/, 'crypto/rand');
+      if (lang === 'java') return line.replace(/new Random\(\)/, 'SecureRandom.getInstanceStrong()');
+      return line.replace(/Math\.random\s*\(\)/, 'crypto.randomUUID()');
+    }
+  },
+  "weak-rsa": {
+    description: "Use RSA key size of 2048 bits or more",
+    fix: (line) => line.replace(/\b(512|1024)\b/, '2048')
+  },
+  "weak-tls": {
+    description: "Use TLS 1.2 or higher",
+    fix: (line) => line.replace(/TLS1[01]|SSLv[23]/gi, 'TLS12')
+  },
+
+  // ===========================================
+  // INSECURE DESERIALIZATION
+  // ===========================================
   "pickle": {
     description: "Use JSON instead of pickle",
-    fix: (line) => line.replace(/pickle\.(load|loads)/, 'json.$1')
+    fix: (line) => line.replace(/pickle\.(load|loads)\s*\(/, 'json.$1(')
   },
-  "yaml.load": {
+  "yaml-load": {
     description: "Use yaml.safe_load()",
     fix: (line) => line.replace(/yaml\.load\s*\(/, 'yaml.safe_load(')
   },
-  "verify=false": {
+  "marshal": {
+    description: "Use JSON instead of marshal",
+    fix: (line) => line.replace(/marshal\.(load|loads)\s*\(/, 'json.$1(')
+  },
+  "shelve": {
+    description: "Use JSON or SQLite instead of shelve",
+    fix: (line) => line.replace(/shelve\.open\s*\(/, 'json.load(open(')
+  },
+  "node-serialize": {
+    description: "Use JSON.parse instead of node-serialize",
+    fix: (line) => line.replace(/serialize\.unserialize\s*\(/, 'JSON.parse(')
+  },
+  "object-inputstream": {
+    description: "Use JSON or validated deserialization",
+    fix: (line) => line.replace(/new ObjectInputStream\s*\(/, 'new JsonReader(')
+  },
+  "xstream": {
+    description: "Configure XStream security or use JSON",
+    fix: (line) => line.replace(/xstream\.fromXML\s*\(/, 'new ObjectMapper().readValue(')
+  },
+  "gob-decode": {
+    description: "Use JSON instead of gob for untrusted data",
+    fix: (line) => line.replace(/gob\.NewDecoder/, 'json.NewDecoder')
+  },
+
+  // ===========================================
+  // SSL/TLS ISSUES
+  // ===========================================
+  "verify": {
     description: "Enable SSL verification",
     fix: (line) => line.replace(/verify\s*=\s*False/i, 'verify=True')
+  },
+  "insecure-skip-verify": {
+    description: "Enable certificate verification",
+    fix: (line) => line.replace(/InsecureSkipVerify\s*:\s*true/, 'InsecureSkipVerify: false')
+  },
+  "reject-unauthorized": {
+    description: "Enable certificate verification",
+    fix: (line) => line.replace(/rejectUnauthorized\s*:\s*false/, 'rejectUnauthorized: true')
+  },
+  "trust-all": {
+    description: "Remove trust-all certificate configuration",
+    fix: (line) => '// TODO: Remove trust-all certificates - ' + line
+  },
+  "ssl-verify-disabled": {
+    description: "Enable SSL verification",
+    fix: (line) => line.replace(/verify\s*=\s*False/, 'verify=True')
+  },
+
+  // ===========================================
+  // PATH TRAVERSAL
+  // ===========================================
+  "path-traversal": {
+    description: "Sanitize file paths and use basename",
+    fix: (line, lang) => {
+      if (lang === 'python') return line.replace(/open\s*\(\s*(\w+)/, 'open(os.path.basename($1)');
+      if (lang === 'go') return line.replace(/os\.Open\s*\(\s*(\w+)/, 'os.Open(filepath.Base($1)');
+      if (lang === 'java') return line.replace(/new File\s*\(\s*(\w+)/, 'new File(new File($1).getName()');
+      return line.replace(/readFileSync\s*\(\s*(\w+)/, 'readFileSync(path.basename($1)');
+    }
+  },
+
+  // ===========================================
+  // SSRF (Server-Side Request Forgery)
+  // ===========================================
+  "ssrf": {
+    description: "Validate and whitelist URLs before making requests",
+    fix: (line) => line.replace(/(axios|fetch|requests|http)\.(get|post|request)\s*\(\s*(\w+)/, '$1.$2(validateUrl($3)')
+  },
+
+  // ===========================================
+  // EVAL AND CODE INJECTION
+  // ===========================================
+  "eval": {
+    description: "Avoid eval() - use safer alternatives",
+    fix: (line) => '// SECURITY: Remove eval() - ' + line
+  },
+  "exec-detected": {
+    description: "Avoid exec() - use safer alternatives",
+    fix: (line) => '# SECURITY: Remove exec() - ' + line
+  },
+  "compile-detected": {
+    description: "Avoid compile() with untrusted input",
+    fix: (line) => '# SECURITY: Review compile() usage - ' + line
+  },
+  "function-constructor": {
+    description: "Avoid Function constructor - use safer alternatives",
+    fix: (line) => '// SECURITY: Remove Function() constructor - ' + line
+  },
+  "settimeout-string": {
+    description: "Use function reference instead of string",
+    fix: (line) => line.replace(/setTimeout\s*\(\s*["'](.+?)["']/, 'setTimeout(() => { $1 }')
+  },
+
+  // ===========================================
+  // OPEN REDIRECT
+  // ===========================================
+  "open-redirect": {
+    description: "Validate redirect URLs against whitelist",
+    fix: (line) => line.replace(/redirect\s*\(\s*(\w+)/, 'redirect(validateRedirectUrl($1)')
+  },
+
+  // ===========================================
+  // CORS
+  // ===========================================
+  "cors-wildcard": {
+    description: "Specify allowed origins instead of wildcard",
+    fix: (line) => line.replace(/['"]\*['"]/, '"https://yourdomain.com"')
+  },
+
+  // ===========================================
+  // CSRF
+  // ===========================================
+  "csrf": {
+    description: "Enable CSRF protection",
+    fix: (line) => line.replace(/csrf\s*:\s*false/i, 'csrf: true').replace(/@csrf_exempt/, '# @csrf_exempt  // TODO: Add CSRF protection')
+  },
+
+  // ===========================================
+  // DEBUG MODE
+  // ===========================================
+  "debug": {
+    description: "Disable debug mode in production",
+    fix: (line) => line.replace(/debug\s*=\s*True/i, 'debug=os.environ.get("DEBUG", "False").lower() == "true"')
+  },
+
+  // ===========================================
+  // JWT ISSUES
+  // ===========================================
+  "jwt-none": {
+    description: "Specify a secure algorithm for JWT",
+    fix: (line) => line.replace(/algorithm\s*[=:]\s*["']none["']/i, 'algorithm: "HS256"')
+  },
+  "jwt-decode-without-verify": {
+    description: "Enable JWT signature verification",
+    fix: (line) => line.replace(/verify\s*=\s*False/, 'verify=True')
+  },
+
+  // ===========================================
+  // XXE (XML External Entities)
+  // ===========================================
+  "xxe": {
+    description: "Disable external entities in XML parser",
+    fix: (line, lang) => {
+      if (lang === 'python') return line.replace(/etree\.parse\s*\(/, 'etree.parse(parser=etree.XMLParser(resolve_entities=False), ');
+      if (lang === 'java') return '// TODO: Disable external entities - ' + line;
+      return line;
+    }
+  },
+  "lxml": {
+    description: "Disable external entities in lxml",
+    fix: (line) => line.replace(/etree\.(parse|fromstring)\s*\(/, 'etree.$1(parser=etree.XMLParser(resolve_entities=False, no_network=True), ')
+  },
+
+  // ===========================================
+  // LDAP INJECTION
+  // ===========================================
+  "ldap-injection": {
+    description: "Escape LDAP special characters in user input",
+    fix: (line) => line.replace(/filter\s*=\s*["']([^"']*)\s*["']\s*\+\s*(\w+)/, 'filter = "$1" + escapeLdap($2)')
+  },
+
+  // ===========================================
+  // XPATH INJECTION
+  // ===========================================
+  "xpath-injection": {
+    description: "Use parameterized XPath queries",
+    fix: (line) => line.replace(/xpath\s*\(\s*["']([^"']*)\s*["']\s*\+\s*(\w+)/, 'xpath("$1?", [$2]')
+  },
+
+  // ===========================================
+  // TEMPLATE INJECTION
+  // ===========================================
+  "template-injection": {
+    description: "Avoid user input in template strings",
+    fix: (line) => '// TODO: Sanitize template input - ' + line
+  },
+  "jinja2-autoescape": {
+    description: "Enable autoescape in Jinja2 templates",
+    fix: (line) => line.replace(/autoescape\s*=\s*False/, 'autoescape=True')
+  },
+
+  // ===========================================
+  // LOGGING SENSITIVE DATA
+  // ===========================================
+  "logging-sensitive": {
+    description: "Remove sensitive data from logs",
+    fix: (line) => line.replace(/(password|secret|token|key|credential)/gi, '[REDACTED]')
+  },
+
+  // ===========================================
+  // REGEX DOS
+  // ===========================================
+  "regex-dos": {
+    description: "Use regex with timeout or simplified pattern",
+    fix: (line) => '// TODO: Review regex for ReDoS - ' + line
+  },
+
+  // ===========================================
+  // PROTOTYPE POLLUTION
+  // ===========================================
+  "prototype-pollution": {
+    description: "Validate object keys before assignment",
+    fix: (line) => line.replace(/(\w+)\[(\w+)\]\s*=/, 'if (!["__proto__", "constructor", "prototype"].includes($2)) $1[$2] =')
+  },
+
+  // ===========================================
+  // DOCKERFILE
+  // ===========================================
+  "latest-tag": {
+    description: "Use specific version tags instead of latest",
+    fix: (line) => line.replace(/:latest/, ':1.0.0  # TODO: specify exact version')
+  },
+  "run-as-root": {
+    description: "Add USER directive to run as non-root",
+    fix: (line) => line + '\nUSER nonroot'
+  },
+  "add-instead-of-copy": {
+    description: "Use COPY instead of ADD for local files",
+    fix: (line) => line.replace(/^ADD\s+/, 'COPY ')
+  },
+  "curl-pipe-bash": {
+    description: "Download and verify scripts before execution",
+    fix: (line) => '# TODO: Download, verify checksum, then execute - ' + line
+  },
+  "secret-in-env": {
+    description: "Use Docker secrets or build args with --secret",
+    fix: (line) => line.replace(/ENV\s+(\w*(?:PASSWORD|SECRET|KEY|TOKEN)\w*)\s*=\s*(\S+)/, '# Use --secret instead: ENV $1=$2')
+  },
+  "secret-in-arg": {
+    description: "Use Docker secrets instead of ARG for secrets",
+    fix: (line) => line.replace(/ARG\s+(\w*(?:PASSWORD|SECRET|KEY|TOKEN)\w*)/, '# Use --secret instead: ARG $1')
+  },
+
+  // ===========================================
+  // HELMET / SECURITY HEADERS
+  // ===========================================
+  "helmet-missing": {
+    description: "Add helmet middleware for security headers",
+    fix: (line) => 'app.use(helmet()); // Add security headers\n' + line
+  },
+
+  // ===========================================
+  // SPEL INJECTION
+  // ===========================================
+  "spel-injection": {
+    description: "Avoid user input in SpEL expressions",
+    fix: (line) => '// TODO: Sanitize SpEL input - ' + line
+  },
+
+  // ===========================================
+  // ADDITIONAL DOCKERFILE FIXES
+  // ===========================================
+  "apt-get-no-version": {
+    description: "Pin package versions in apt-get install",
+    fix: (line) => line.replace(/apt-get install\s+(\w+)/, 'apt-get install $1=VERSION  # TODO: specify version')
+  },
+  "pip-no-version": {
+    description: "Pin package versions in pip install",
+    fix: (line) => line.replace(/pip install\s+(\w+)/, 'pip install $1==VERSION  # TODO: specify version')
+  },
+  "npm-install-unsafe": {
+    description: "Use npm ci for reproducible builds",
+    fix: (line) => line.replace(/npm install/, 'npm ci')
+  },
+  "missing-healthcheck": {
+    description: "Add HEALTHCHECK instruction",
+    fix: (line) => line + '\nHEALTHCHECK --interval=30s --timeout=3s CMD curl -f http://localhost/ || exit 1'
+  },
+  "expose-ssh": {
+    description: "Avoid exposing SSH port in containers",
+    fix: (line) => '# SECURITY: Avoid SSH in containers - ' + line
+  },
+  "chmod-dangerous": {
+    description: "Use least privilege permissions",
+    fix: (line) => line.replace(/chmod\s+(777|666|755)/, 'chmod 644  # TODO: use least privilege')
+  },
+  "apt-no-clean": {
+    description: "Clean apt cache to reduce image size",
+    fix: (line) => line.replace(/apt-get install/, 'apt-get install -y && apt-get clean && rm -rf /var/lib/apt/lists/*  #')
+  },
+  "curl-insecure": {
+    description: "Remove insecure flag from curl",
+    fix: (line) => line.replace(/curl\s+(-k|--insecure)/, 'curl')
+  },
+  "wget-no-check": {
+    description: "Enable certificate checking in wget",
+    fix: (line) => line.replace(/wget\s+--no-check-certificate/, 'wget')
+  },
+  "run-shell-form": {
+    description: "Use exec form for RUN commands",
+    fix: (line) => line.replace(/RUN\s+(.+)$/, 'RUN ["/bin/sh", "-c", "$1"]')
+  },
+  "sudo-in-dockerfile": {
+    description: "Avoid sudo in Dockerfile - use USER directive",
+    fix: (line) => line.replace(/sudo\s+/, '')
+  },
+  "workdir-absolute": {
+    description: "Use absolute paths in WORKDIR",
+    fix: (line) => line.replace(/WORKDIR\s+([^/])/, 'WORKDIR /$1')
+  },
+
+  // ===========================================
+  // ADDITIONAL TOKEN/SECRET TYPES
+  // ===========================================
+  "gcp": {
+    description: "Use environment variables for GCP credentials",
+    fix: (line, lang) => {
+      if (lang === 'python') return line.replace(/=\s*["'][^"']+["']/, '= os.environ.get("GOOGLE_APPLICATION_CREDENTIALS")');
+      return line.replace(/=\s*["'][^"']+["']/, '= process.env.GOOGLE_APPLICATION_CREDENTIALS');
+    }
+  },
+  "azure": {
+    description: "Use environment variables for Azure credentials",
+    fix: (line, lang) => {
+      if (lang === 'python') return line.replace(/=\s*["'][^"']+["']/, '= os.environ.get("AZURE_STORAGE_KEY")');
+      return line.replace(/=\s*["'][^"']+["']/, '= process.env.AZURE_STORAGE_KEY');
+    }
+  },
+  "npm-token": {
+    description: "Use environment variables for npm tokens",
+    fix: (line, lang) => {
+      if (lang === 'python') return line.replace(/=\s*["'][^"']+["']/, '= os.environ.get("NPM_TOKEN")');
+      return line.replace(/=\s*["'][^"']+["']/, '= process.env.NPM_TOKEN');
+    }
+  },
+  "pypi": {
+    description: "Use environment variables for PyPI tokens",
+    fix: (line) => line.replace(/=\s*["'][^"']+["']/, '= os.environ.get("PYPI_TOKEN")')
+  },
+  "discord": {
+    description: "Use environment variables for Discord tokens",
+    fix: (line, lang) => {
+      if (lang === 'python') return line.replace(/=\s*["'][^"']+["']/, '= os.environ.get("DISCORD_TOKEN")');
+      return line.replace(/=\s*["'][^"']+["']/, '= process.env.DISCORD_TOKEN');
+    }
+  },
+  "shopify": {
+    description: "Use environment variables for Shopify tokens",
+    fix: (line, lang) => {
+      if (lang === 'python') return line.replace(/=\s*["'][^"']+["']/, '= os.environ.get("SHOPIFY_TOKEN")');
+      return line.replace(/=\s*["'][^"']+["']/, '= process.env.SHOPIFY_TOKEN');
+    }
+  },
+  "facebook": {
+    description: "Use environment variables for Facebook tokens",
+    fix: (line, lang) => {
+      if (lang === 'python') return line.replace(/=\s*["'][^"']+["']/, '= os.environ.get("FACEBOOK_TOKEN")');
+      return line.replace(/=\s*["'][^"']+["']/, '= process.env.FACEBOOK_TOKEN');
+    }
+  },
+  "twitter": {
+    description: "Use environment variables for Twitter tokens",
+    fix: (line, lang) => {
+      if (lang === 'python') return line.replace(/=\s*["'][^"']+["']/, '= os.environ.get("TWITTER_BEARER_TOKEN")');
+      return line.replace(/=\s*["'][^"']+["']/, '= process.env.TWITTER_BEARER_TOKEN');
+    }
+  },
+  "gitlab": {
+    description: "Use environment variables for GitLab tokens",
+    fix: (line, lang) => {
+      if (lang === 'python') return line.replace(/=\s*["'][^"']+["']/, '= os.environ.get("GITLAB_TOKEN")');
+      return line.replace(/=\s*["'][^"']+["']/, '= process.env.GITLAB_TOKEN');
+    }
+  },
+  "bitbucket": {
+    description: "Use environment variables for Bitbucket tokens",
+    fix: (line, lang) => {
+      if (lang === 'python') return line.replace(/=\s*["'][^"']+["']/, '= os.environ.get("BITBUCKET_TOKEN")');
+      return line.replace(/=\s*["'][^"']+["']/, '= process.env.BITBUCKET_TOKEN');
+    }
+  },
+
+  // ===========================================
+  // ADDITIONAL SECURITY FIXES
+  // ===========================================
+  "race-condition": {
+    description: "Use mutex or sync primitives for shared state",
+    fix: (line) => '// TODO: Add mutex protection - ' + line
+  },
+  "gin-bind": {
+    description: "Use explicit binding in Gin handlers",
+    fix: (line) => line.replace(/ShouldBind\s*\(/, 'ShouldBindJSON(')
+  },
+  "permit-all": {
+    description: "Review permitAll() and restrict access",
+    fix: (line) => '// SECURITY: Review permitAll() - ' + line
   }
 };
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "agent-security-scanner-mcp",
-  "version": "1.0.0",
+  "version": "1.0.1",
   "description": "MCP server for security vulnerability scanning - detects SQL injection, XSS, command injection, hardcoded secrets, and more",
   "main": "index.js",
   "type": "module",