agent-security-scanner-mcp 1.0.1 → 1.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2)
  1. package/README.md +208 -35
  2. package/package.json +1 -1
package/README.md CHANGED
@@ -1,6 +1,16 @@
1
1
  # agent-security-scanner-mcp
2
2
 
3
- An MCP (Model Context Protocol) server for security vulnerability scanning. Detects SQL injection, XSS, command injection, hardcoded secrets, and 160+ security issues.
3
+ A powerful MCP (Model Context Protocol) server for real-time security vulnerability scanning. Integrates with Claude Desktop and Claude Code to automatically detect and fix security issues as you code.
4
+
5
+ **165 Semgrep-aligned security rules | 105 auto-fix templates | 100% fix coverage**
6
+
7
+ ## Features
8
+
9
+ - **Real-time scanning** - Detect vulnerabilities instantly as you write code
10
+ - **Auto-fix suggestions** - Get actionable fixes for every security issue
11
+ - **Multi-language support** - JavaScript, TypeScript, Python, Java, Go, Dockerfile
12
+ - **Semgrep-compatible** - Rules aligned with Semgrep registry format
13
+ - **CWE & OWASP mapped** - Every rule includes CWE and OWASP references
4
14
 
5
15
  ## Installation
6
16
 
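Review bot: the tagline "165 Semgrep-aligned security rules | 105 auto-fix templates | 100% fix coverage" is internally inconsistent as written: 105 templates cannot map one-to-one onto 165 rules, so either state that one template serves several rules or drop the "100% fix coverage" claim. The new intro also says the server will "automatically detect and fix security issues as you code"; since this is an MCP tool with file access, the README should say at this point whether fixes are only proposed or are applied to the user's files without a confirmation step.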
@@ -17,7 +27,7 @@ npx agent-security-scanner-mcp
17
27
  ## Requirements
18
28
 
19
29
  - Node.js >= 18.0.0
20
- - Python 3.x (for the analyzer)
30
+ - Python 3.x (for the analyzer engine)
21
31
 
22
32
  ## Configuration
23
33
 
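Review bot: "Python 3.x (for the analyzer engine)" is still too vague for a hard runtime dependency; state the minimum supported 3.x version and which executable name the server expects to find on PATH, so a missing or wrong interpreter fails at install time rather than on the first scan.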
@@ -36,9 +46,13 @@ Add to your `claude_desktop_config.json`:
36
46
  }
37
47
  ```
38
48
 
49
+ **Config file locations:**
50
+ - macOS: `~/Library/Application Support/Claude/claude_desktop_config.json`
51
+ - Windows: `%APPDATA%\Claude\claude_desktop_config.json`
52
+
39
53
  ### Claude Code
40
54
 
41
- Add to your MCP settings:
55
+ Add to your MCP settings (`~/.claude/settings.json`):
42
56
 
43
57
  ```json
44
58
  {
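Review bot: the new "Config file locations" list covers macOS and Windows only; add the Linux location (or say explicitly that Linux is unsupported), since the Node requirement suggests it is meant to run there too. The added path `~/.claude/settings.json` for Claude Code is presented as fact; please confirm it against the current Claude Code documentation before publishing, as a wrong config path is the most common reason an MCP server silently never loads.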
@@ -57,50 +71,209 @@ Add to your MCP settings:
57
71
 
58
72
  Scan a file for security vulnerabilities and return issues with suggested fixes.
59
73
 
60
- **Parameters:**
61
- - `file_path` (string): Path to the file to scan
74
+ ```
75
+ Parameters:
76
+ file_path (string): Absolute path to the file to scan
77
+
78
+ Returns:
79
+ - List of security issues
80
+ - Severity level (ERROR, WARNING, INFO)
81
+ - CWE and OWASP references
82
+ - Line numbers and code context
83
+ - Suggested fixes
84
+ ```
62
85
 
63
- **Returns:** List of security issues with severity, CWE references, and fix suggestions.
86
+ **Example output:**
87
+ ```json
88
+ {
89
+ "file": "/path/to/file.js",
90
+ "language": "javascript",
91
+ "issues_count": 3,
92
+ "issues": [
93
+ {
94
+ "ruleId": "javascript.lang.security.audit.sql-injection",
95
+ "message": "SQL Injection detected. Use parameterized queries.",
96
+ "line": 15,
97
+ "severity": "error",
98
+ "metadata": {
99
+ "cwe": "CWE-89",
100
+ "owasp": "A03:2021 - Injection"
101
+ },
102
+ "suggested_fix": {
103
+ "description": "Use parameterized queries instead of string concatenation",
104
+ "original": "db.query(\"SELECT * FROM users WHERE id = \" + userId)",
105
+ "fixed": "db.query(\"SELECT * FROM users WHERE id = ?\", [userId])"
106
+ }
107
+ }
108
+ ]
109
+ }
110
+ ```
64
111
 
65
112
  ### `fix_security`
66
113
 
67
- Scan a file and return the fixed content with all security issues resolved.
114
+ Automatically fix all security issues in a file.
68
115
 
69
- **Parameters:**
70
- - `file_path` (string): Path to the file to fix
116
+ ```
117
+ Parameters:
118
+ file_path (string): Absolute path to the file to fix
71
119
 
72
- **Returns:** Fixed file content with applied security fixes.
120
+ Returns:
121
+ - Number of fixes applied
122
+ - Details of each fix
123
+ - Fixed file content
124
+ ```
73
125
 
74
126
  ### `list_security_rules`
75
127
 
76
- List all available security fix templates and their descriptions.
77
-
78
- ## Detected Vulnerabilities
79
-
80
- | Category | Examples |
81
- |----------|----------|
82
- | Injection | SQL injection, Command injection, XSS |
83
- | Secrets | Hardcoded API keys, passwords, private keys |
84
- | Cryptography | Weak hashing (MD5, SHA1), insecure random |
85
- | Deserialization | Pickle, unsafe YAML load |
86
- | Network | SSL verification disabled, HTTP usage |
87
- | Path Traversal | Unsanitized file paths |
88
-
89
- ## Supported Languages
90
-
91
- - JavaScript / TypeScript
92
- - Python
93
- - Java
94
- - Go
95
- - Ruby
96
- - PHP
97
- - Dockerfile
98
- - Generic (secrets detection)
128
+ List all 105 available auto-fix templates.
129
+
130
+ ## Security Rules (165 total)
131
+
132
+ ### By Language
133
+
134
+ | Language | Rules | Categories |
135
+ |----------|-------|------------|
136
+ | JavaScript/TypeScript | 31 | XSS, injection, secrets, crypto |
137
+ | Python | 36 | Injection, deserialization, crypto, XXE |
138
+ | Java | 27 | Injection, XXE, crypto, deserialization |
139
+ | Go | 22 | Injection, crypto, race conditions |
140
+ | Dockerfile | 18 | Secrets, permissions, best practices |
141
+ | Generic (Secrets) | 31 | API keys, tokens, passwords |
142
+
143
+ ### By Category
144
+
145
+ | Category | Rules | Auto-Fix |
146
+ |----------|-------|----------|
147
+ | **Injection (SQL, Command, XSS)** | 35 | Yes |
148
+ | **Hardcoded Secrets** | 45 | Yes |
149
+ | **Weak Cryptography** | 18 | Yes |
150
+ | **Insecure Deserialization** | 12 | Yes |
151
+ | **Path Traversal** | 6 | Yes |
152
+ | **SSRF** | 6 | Yes |
153
+ | **XXE** | 6 | Yes |
154
+ | **SSL/TLS Issues** | 8 | Yes |
155
+ | **CSRF** | 4 | Yes |
156
+ | **JWT Vulnerabilities** | 6 | Yes |
157
+ | **Dockerfile Security** | 18 | Yes |
158
+ | **Other** | 11 | Yes |
159
+
160
+ ## Auto-Fix Templates (105 total)
161
+
162
+ Every detected vulnerability includes an automatic fix suggestion:
163
+
164
+ | Vulnerability | Fix Strategy |
165
+ |--------------|--------------|
166
+ | SQL Injection | Parameterized queries with placeholders |
167
+ | XSS (innerHTML) | Replace with `textContent` or DOMPurify |
168
+ | Command Injection | Use `execFile()` / `spawn()` with `shell: false` |
169
+ | Hardcoded Secrets | Environment variables (`process.env` / `os.environ`) |
170
+ | Weak Crypto (MD5/SHA1) | Replace with SHA-256 |
171
+ | Insecure Deserialization | Use `json.load()` or `yaml.safe_load()` |
172
+ | SSL verify=False | Set `verify=True` |
173
+ | Path Traversal | Use `path.basename()` / `os.path.basename()` |
174
+ | Eval/Exec | Remove or use safer alternatives |
175
+ | CORS Wildcard | Specify allowed origins |
176
+
177
+ ## Example Usage
178
+
179
+ ### Scanning a file
180
+
181
+ Ask Claude: *"Scan my app.js file for security issues"*
182
+
183
+ Claude will use `scan_security` and return:
184
+ - All vulnerabilities found
185
+ - Severity levels
186
+ - CWE/OWASP references
187
+ - Suggested fixes for each issue
188
+
189
+ ### Auto-fixing issues
190
+
191
+ Ask Claude: *"Fix all security issues in app.js"*
192
+
193
+ Claude will use `fix_security` to:
194
+ - Apply all available auto-fixes
195
+ - Return the secured code
196
+ - List all changes made
197
+
198
+ ## Supported Vulnerabilities
199
+
200
+ ### Injection
201
+ - SQL Injection (multiple databases)
202
+ - NoSQL Injection (MongoDB)
203
+ - Command Injection (exec, spawn, subprocess)
204
+ - XSS (innerHTML, document.write, React dangerouslySetInnerHTML)
205
+ - LDAP Injection
206
+ - XPath Injection
207
+ - Template Injection (Jinja2, SpEL)
208
+
209
+ ### Secrets & Credentials
210
+ - AWS Access Keys & Secret Keys
211
+ - GitHub Tokens (PAT, OAuth, App)
212
+ - Stripe API Keys
213
+ - OpenAI API Keys
214
+ - Slack Tokens & Webhooks
215
+ - Database URLs & Passwords
216
+ - Private Keys (RSA, SSH)
217
+ - JWT Secrets
218
+ - 25+ more token types
219
+
220
+ ### Cryptography
221
+ - Weak Hashing (MD5, SHA1)
222
+ - Weak Ciphers (DES, RC4)
223
+ - ECB Mode Usage
224
+ - Insecure Random
225
+ - Weak RSA Key Size
226
+ - Weak TLS Versions
227
+
228
+ ### Deserialization
229
+ - Python pickle/marshal/shelve
230
+ - YAML unsafe load
231
+ - Java ObjectInputStream
232
+ - Node serialize
233
+ - Go gob decode
234
+
235
+ ### Network & SSL
236
+ - SSL Verification Disabled
237
+ - Certificate Validation Bypass
238
+ - SSRF Vulnerabilities
239
+ - Open Redirects
240
+ - CORS Misconfiguration
241
+
242
+ ### Other
243
+ - Path Traversal
244
+ - XXE (XML External Entities)
245
+ - CSRF Disabled
246
+ - Debug Mode Enabled
247
+ - Prototype Pollution
248
+ - ReDoS (Regex DoS)
249
+ - Race Conditions
250
+
251
+ ## Contributing
252
+
253
+ Contributions welcome! Please see our [GitHub repository](https://github.com/sinewaveai/agent-security-layer-fork).
254
+
255
+ ### Adding New Rules
256
+
257
+ Rules are defined in YAML format in the `rules/` directory:
258
+
259
+ ```yaml
260
+ - id: language.category.rule-name
261
+ languages: [javascript]
262
+ severity: ERROR
263
+ message: "Description of the vulnerability"
264
+ patterns:
265
+ - "regex_pattern"
266
+ metadata:
267
+ cwe: "CWE-XXX"
268
+ owasp: "Category"
269
+ ```
99
270
 
100
271
  ## License
101
272
 
102
273
  MIT
103
274
 
104
- ## Repository
275
+ ## Links
105
276
 
106
- https://github.com/sinewaveai/agent-security-layer-fork
277
+ - **npm:** https://www.npmjs.com/package/agent-security-scanner-mcp
278
+ - **GitHub:** https://github.com/sinewaveai/agent-security-layer-fork
279
+ - **Issues:** https://github.com/sinewaveai/agent-security-layer-fork/issues
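Review bot: the "By Category" table does not add up to the 165 rules the heading claims: 35+45+18+12+6+6+6+8+4+6+18+11 = 175, while the "By Language" table sums to exactly 165, so one table counts rules twice or the category figures are stale; reconcile the two before release. Three further points in this hunk: (1) Ruby, PHP and "Generic (secrets detection)" disappear from the supported-language list with no changelog note, which reads as a silent regression for users of 1.0.1; (2) the `fix_security` description changed from "return the fixed content" to "Automatically fix all security issues in a file", and the "Returns" block lists "Fixed file content", so say plainly whether the tool writes to disk or only returns a proposal, as that is the property an operator granting file access needs to know; (3) the "Adding New Rules" YAML example lists a bare `"regex_pattern"` string under `patterns:`, which is not Semgrep's schema (Semgrep uses `pattern`, `pattern-regex`, or `patterns:` holding a list of such mappings), so either document this project's own rule schema or soften "Semgrep-compatible" to "Semgrep-inspired". Minor: the "Parameters"/"Returns" blocks moved from Markdown lists into untagged code fences, which loses the inline-code formatting of `file_path` and renders oddly on npm; and the Path Traversal fix strategy "Use `path.basename()`" should carry the caveat that basename flattens the path rather than confining it to an allowed root, so the suggestion should be reviewed, not applied blindly.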
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "agent-security-scanner-mcp",
3
- "version": "1.0.1",
3
+ "version": "1.0.2",
4
4
  "description": "MCP server for security vulnerability scanning - detects SQL injection, XSS, command injection, hardcoded secrets, and more",
5
5
  "main": "index.js",
6
6
  "type": "module",