agent-security-scanner-mcp 1.0.0

@@ -0,0 +1,291 @@
1
+ rules:
2
+ # ============================================================================
3
+ # PRIVILEGE ESCALATION
4
+ # ============================================================================
5
+ - id: dockerfile.security.audit.run-as-root
6
+ languages: [dockerfile]
7
+ severity: WARNING
8
+ message: "Container running as root. Add USER directive to run as non-root user."
9
+ patterns:
10
+ - "^FROM(?!.*USER)"
11
+ metadata:
12
+ cwe: "CWE-250"
13
+ owasp: "A05:2021 - Security Misconfiguration"
14
+ confidence: MEDIUM
15
+ references:
16
+ - https://semgrep.dev/r/dockerfile.security.audit.missing-user
17
+
18
+ # ============================================================================
19
+ # HARDCODED SECRETS
20
+ # ============================================================================
21
+ - id: dockerfile.security.audit.secret-in-env
22
+ languages: [dockerfile]
23
+ severity: ERROR
24
+ message: "Secret in ENV instruction. Use build args or runtime secrets."
25
+ patterns:
26
+ - "ENV\\s+[A-Z_]*PASSWORD[A-Z_]*\\s*="
27
+ - "ENV\\s+[A-Z_]*SECRET[A-Z_]*\\s*="
28
+ - "ENV\\s+[A-Z_]*API_KEY[A-Z_]*\\s*="
29
+ - "ENV\\s+[A-Z_]*TOKEN[A-Z_]*\\s*="
30
+ - "ENV\\s+[A-Z_]*PRIVATE_KEY[A-Z_]*\\s*="
31
+ metadata:
32
+ cwe: "CWE-798"
33
+ owasp: "A07:2021 - Identification and Authentication Failures"
34
+ confidence: HIGH
35
+ references:
36
+ - https://semgrep.dev/r/dockerfile.security.audit.secret-in-env
37
+
38
+ - id: dockerfile.security.audit.secret-in-arg
39
+ languages: [dockerfile]
40
+ severity: WARNING
41
+ message: "Secret in ARG may be exposed in image history. Use multi-stage builds."
42
+ patterns:
43
+ - "ARG\\s+[A-Z_]*PASSWORD"
44
+ - "ARG\\s+[A-Z_]*SECRET"
45
+ - "ARG\\s+[A-Z_]*API_KEY"
46
+ - "ARG\\s+[A-Z_]*TOKEN"
47
+ metadata:
48
+ cwe: "CWE-798"
49
+ owasp: "A07:2021 - Identification and Authentication Failures"
50
+ confidence: MEDIUM
51
+ references:
52
+ - https://semgrep.dev/r/dockerfile.security.audit.secret-in-arg
53
+
54
+ # ============================================================================
55
+ # PACKAGE MANAGEMENT
56
+ # ============================================================================
57
+ - id: dockerfile.security.audit.apt-get-no-version
58
+ languages: [dockerfile]
59
+ severity: WARNING
60
+ message: "apt-get install without version pinning. Pin versions for reproducibility."
61
+ patterns:
62
+ - "apt-get\\s+install(?!.*=)"
63
+ - "apt\\s+install(?!.*=)"
64
+ metadata:
65
+ cwe: "CWE-1104"
66
+ owasp: "A06:2021 - Vulnerable and Outdated Components"
67
+ confidence: LOW
68
+ references:
69
+ - https://semgrep.dev/r/dockerfile.security.audit.apt-get-no-version
70
+
71
+ - id: dockerfile.security.audit.pip-no-version
72
+ languages: [dockerfile]
73
+ severity: WARNING
74
+ message: "pip install without version pinning. Pin versions for security."
75
+ patterns:
76
+ - "pip\\s+install(?!.*==)(?!.*-r)"
77
+ - "pip3\\s+install(?!.*==)(?!.*-r)"
78
+ metadata:
79
+ cwe: "CWE-1104"
80
+ owasp: "A06:2021 - Vulnerable and Outdated Components"
81
+ confidence: LOW
82
+ references:
83
+ - https://semgrep.dev/r/dockerfile.security.audit.pip-no-version
84
+
85
+ - id: dockerfile.security.audit.npm-install-unsafe
86
+ languages: [dockerfile]
87
+ severity: WARNING
88
+ message: "npm install with --unsafe-perm can lead to privilege escalation."
89
+ patterns:
90
+ - "npm\\s+install.*--unsafe-perm"
91
+ metadata:
92
+ cwe: "CWE-269"
93
+ owasp: "A05:2021 - Security Misconfiguration"
94
+ confidence: HIGH
95
+ references:
96
+ - https://semgrep.dev/r/dockerfile.security.audit.npm-unsafe-perm
97
+
98
+ # ============================================================================
99
+ # INSECURE COMMANDS
100
+ # ============================================================================
101
+ - id: dockerfile.security.audit.curl-pipe-bash
102
+ languages: [dockerfile]
103
+ severity: ERROR
104
+ message: "curl | bash is dangerous. Download, verify, then execute scripts."
105
+ patterns:
106
+ - "curl.*\\|.*sh"
107
+ - "curl.*\\|.*bash"
108
+ - "wget.*\\|.*sh"
109
+ - "wget.*\\|.*bash"
110
+ metadata:
111
+ cwe: "CWE-94"
112
+ owasp: "A08:2021 - Software and Data Integrity Failures"
113
+ confidence: HIGH
114
+ references:
115
+ - https://semgrep.dev/r/dockerfile.security.audit.curl-pipe-bash
116
+
117
+ - id: dockerfile.security.audit.add-instead-of-copy
118
+ languages: [dockerfile]
119
+ severity: WARNING
120
+ message: "ADD can auto-extract archives and fetch URLs. Use COPY for local files."
121
+ patterns:
122
+ - "^ADD\\s+"
123
+ metadata:
124
+ cwe: "CWE-829"
125
+ owasp: "A08:2021 - Software and Data Integrity Failures"
126
+ confidence: LOW
127
+ references:
128
+ - https://semgrep.dev/r/dockerfile.security.audit.add-instead-of-copy
129
+
130
+ # ============================================================================
131
+ # INSECURE BASE IMAGES
132
+ # ============================================================================
133
+ - id: dockerfile.security.audit.latest-tag
134
+ languages: [dockerfile]
135
+ severity: WARNING
136
+ message: "Using :latest tag. Pin to specific version for reproducibility."
137
+ patterns:
138
+ - "FROM\\s+[^:]+:latest"
139
+ - "FROM\\s+[^:]+\\s*$"
140
+ metadata:
141
+ cwe: "CWE-1104"
142
+ owasp: "A06:2021 - Vulnerable and Outdated Components"
143
+ confidence: MEDIUM
144
+ references:
145
+ - https://semgrep.dev/r/dockerfile.security.audit.latest-tag
146
+
147
+ # ============================================================================
148
+ # HEALTHCHECK
149
+ # ============================================================================
150
+ - id: dockerfile.security.audit.missing-healthcheck
151
+ languages: [dockerfile]
152
+ severity: INFO
153
+ message: "No HEALTHCHECK instruction. Add for container orchestration."
154
+ patterns:
155
+ - "^FROM(?!.*HEALTHCHECK)"
156
+ metadata:
157
+ cwe: "CWE-693"
158
+ owasp: "A05:2021 - Security Misconfiguration"
159
+ confidence: LOW
160
+ references:
161
+ - https://semgrep.dev/r/dockerfile.security.audit.missing-healthcheck
162
+
163
+ # ============================================================================
164
+ # EXPOSED PORTS
165
+ # ============================================================================
166
+ - id: dockerfile.security.audit.expose-ssh
167
+ languages: [dockerfile]
168
+ severity: WARNING
169
+ message: "SSH port exposed. Avoid running SSH in containers."
170
+ patterns:
171
+ - "EXPOSE\\s+22"
172
+ - "EXPOSE.*\\b22\\b"
173
+ metadata:
174
+ cwe: "CWE-284"
175
+ owasp: "A01:2021 - Broken Access Control"
176
+ confidence: HIGH
177
+ references:
178
+ - https://semgrep.dev/r/dockerfile.security.audit.expose-ssh
179
+
180
+ # ============================================================================
181
+ # SETUID/SETGID
182
+ # ============================================================================
183
+ - id: dockerfile.security.audit.chmod-dangerous
184
+ languages: [dockerfile]
185
+ severity: WARNING
186
+ message: "chmod 777 or setuid/setgid bits can be dangerous."
187
+ patterns:
188
+ - "chmod\\s+777"
189
+ - "chmod\\s+[0-7]*[4-7][0-7]*[0-7]"
190
+ - "chmod\\s+u\\+s"
191
+ - "chmod\\s+g\\+s"
192
+ metadata:
193
+ cwe: "CWE-732"
194
+ owasp: "A01:2021 - Broken Access Control"
195
+ confidence: MEDIUM
196
+ references:
197
+ - https://semgrep.dev/r/dockerfile.security.audit.chmod-dangerous
198
+
199
+ # ============================================================================
200
+ # APT CLEANUP
201
+ # ============================================================================
202
+ - id: dockerfile.security.audit.apt-no-clean
203
+ languages: [dockerfile]
204
+ severity: INFO
205
+ message: "apt-get without cleanup. Add rm -rf /var/lib/apt/lists/* to reduce image size."
206
+ patterns:
207
+ - "apt-get\\s+install(?!.*rm.*var.*lib.*apt)"
208
+ metadata:
209
+ cwe: "CWE-459"
210
+ owasp: "A05:2021 - Security Misconfiguration"
211
+ confidence: LOW
212
+ references:
213
+ - https://semgrep.dev/r/dockerfile.security.audit.apt-no-clean
214
+
215
+ # ============================================================================
216
+ # CERTIFICATE VALIDATION
217
+ # ============================================================================
218
+ - id: dockerfile.security.audit.curl-insecure
219
+ languages: [dockerfile]
220
+ severity: ERROR
221
+ message: "curl with -k/--insecure disables certificate validation."
222
+ patterns:
223
+ - "curl\\s+.*-k\\s+"
224
+ - "curl\\s+.*--insecure"
225
+ metadata:
226
+ cwe: "CWE-295"
227
+ owasp: "A07:2021 - Identification and Authentication Failures"
228
+ confidence: HIGH
229
+ references:
230
+ - https://semgrep.dev/r/dockerfile.security.audit.curl-insecure
231
+
232
+ - id: dockerfile.security.audit.wget-no-check
233
+ languages: [dockerfile]
234
+ severity: ERROR
235
+ message: "wget with --no-check-certificate disables certificate validation."
236
+ patterns:
237
+ - "wget\\s+.*--no-check-certificate"
238
+ metadata:
239
+ cwe: "CWE-295"
240
+ owasp: "A07:2021 - Identification and Authentication Failures"
241
+ confidence: HIGH
242
+ references:
243
+ - https://semgrep.dev/r/dockerfile.security.audit.wget-no-check
244
+
245
+ # ============================================================================
246
+ # SHELL FORM
247
+ # ============================================================================
248
+ - id: dockerfile.security.audit.run-shell-form
249
+ languages: [dockerfile]
250
+ severity: INFO
251
+ message: "RUN using shell form. Consider exec form for predictability."
252
+ patterns:
253
+ - "^RUN\\s+(?!\\[)"
254
+ metadata:
255
+ cwe: "CWE-78"
256
+ owasp: "A03:2021 - Injection"
257
+ confidence: LOW
258
+ references:
259
+ - https://semgrep.dev/r/dockerfile.security.audit.run-shell-form
260
+
261
+ # ============================================================================
262
+ # SUDO
263
+ # ============================================================================
264
+ - id: dockerfile.security.audit.sudo-in-dockerfile
265
+ languages: [dockerfile]
266
+ severity: WARNING
267
+ message: "sudo in Dockerfile is often unnecessary. Use USER directive instead."
268
+ patterns:
269
+ - "RUN\\s+.*sudo\\s+"
270
+ metadata:
271
+ cwe: "CWE-250"
272
+ owasp: "A05:2021 - Security Misconfiguration"
273
+ confidence: HIGH
274
+ references:
275
+ - https://semgrep.dev/r/dockerfile.security.audit.sudo-in-dockerfile
276
+
277
+ # ============================================================================
278
+ # WORKDIR
279
+ # ============================================================================
280
+ - id: dockerfile.security.audit.workdir-absolute
281
+ languages: [dockerfile]
282
+ severity: INFO
283
+ message: "WORKDIR should use absolute paths for clarity."
284
+ patterns:
285
+ - "WORKDIR\\s+[^/]"
286
+ metadata:
287
+ cwe: "CWE-426"
288
+ owasp: "A05:2021 - Security Misconfiguration"
289
+ confidence: LOW
290
+ references:
291
+ - https://semgrep.dev/r/dockerfile.security.audit.workdir-absolute
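Review bot: Several patterns in this rule file match far more or far less than their messages claim, which matters most for the ERROR/HIGH-confidence rules. In `curl-pipe-bash`, `curl.*\\|.*sh` matches any `sh` substring after a pipe, so `curl … | sha256sum -c` (the verification step the message itself recommends) is flagged; anchoring the interpreter, e.g. `"(curl|wget).*\\|\\s*(sudo\\s+)?(\\S*/)?(ba)?sh\\b"`, fixes that and makes the separate `bash` lines redundant. In `chmod-dangerous`, `chmod\\s+[0-7]*[4-7][0-7]*[0-7]` matches ordinary modes such as 755 and 644, whereas a setuid/setgid mode is a four-digit value whose leading digit carries the special bits, e.g. `"chmod\\s+[2-7][0-7]{3}\\b"`. In `curl-insecure`, `curl\\s+.*-k\\s+` misses combined short flags (`-sk`, `-kL`) and a `-k` at end of line; `"curl\\s+(.*\\s)?-[A-Za-z]*k[A-Za-z]*\\b"` covers them. The `^FROM(?!.*USER)`, `^FROM(?!.*HEALTHCHECK)` and `apt-get\\s+install(?!.*rm.*var.*lib.*apt)` lookaheads only behave as intended if the engine matches against the whole file with dot-matches-newline, which is not visible in this hunk; if matching is per line they fire on every `FROM` or `apt-get install` line regardless of what follows.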