npm - agent-security-scanner-mcp - Versions diffs - 1.0.2 → 1.1.1 - Mend

agent-security-scanner-mcp 1.0.2 → 1.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/README.md CHANGED Viewed

@@ -1,8 +1,8 @@
 # agent-security-scanner-mcp
-A powerful MCP (Model Context Protocol) server for real-time security vulnerability scanning. Integrates with Claude Desktop and Claude Code to automatically detect and fix security issues as you code.
+A powerful MCP (Model Context Protocol) server for real-time security vulnerability scanning. Integrates with Claude Desktop, Claude Code, OpenCode.ai, Kilo Code, and any MCP-compatible client to automatically detect and fix security issues as you code.
-**165 Semgrep-aligned security rules | 105 auto-fix templates | 100% fix coverage**
+**165 Semgrep-aligned security rules | 105 auto-fix templates | 100% fix coverage | Package hallucination detection**
 ## Features
@@ -11,6 +11,7 @@ A powerful MCP (Model Context Protocol) server for real-time security vulnerabil
 - **Multi-language support** - JavaScript, TypeScript, Python, Java, Go, Dockerfile
 - **Semgrep-compatible** - Rules aligned with Semgrep registry format
 - **CWE & OWASP mapped** - Every rule includes CWE and OWASP references
+- **Hallucination detection** - Detect AI-invented package names (Dart, Perl, Raku)
 ## Installation
@@ -65,6 +66,82 @@ Add to your MCP settings (`~/.claude/settings.json`):
 }
 ```
+### OpenCode.ai
+Add to your `opencode.jsonc` configuration file:
+```json
+{
+  "$schema": "https://opencode.ai/config.json",
+  "mcp": {
+    "security-scanner": {
+      "type": "local",
+      "command": ["npx", "-y", "agent-security-scanner-mcp"],
+      "enabled": true
+    }
+  }
+}
+```
+Or if installed globally:
+```json
+{
+  "mcp": {
+    "security-scanner": {
+      "type": "local",
+      "command": ["agent-security-scanner-mcp"],
+      "enabled": true
+    }
+  }
+}
+```
+### Kilo Code
+**Global configuration** - Add to VS Code settings `mcp_settings.json`:
+```json
+{
+  "mcpServers": {
+    "security-scanner": {
+      "command": "npx",
+      "args": ["-y", "agent-security-scanner-mcp"],
+      "alwaysAllow": [],
+      "disabled": false
+    }
+  }
+}
+```
+**Project-level configuration** - Create `.kilocode/mcp.json` in your project root:
+```json
+{
+  "mcpServers": {
+    "security-scanner": {
+      "command": "npx",
+      "args": ["-y", "agent-security-scanner-mcp"],
+      "alwaysAllow": ["scan_security", "list_security_rules"],
+      "disabled": false
+    }
+  }
+}
+```
+**Windows users** - Use cmd wrapper:
+```json
+{
+  "mcpServers": {
+    "security-scanner": {
+      "command": "cmd",
+      "args": ["/c", "npx", "-y", "agent-security-scanner-mcp"]
+    }
+  }
+}
+```
 ## Available Tools
 ### `scan_security`
@@ -127,6 +204,115 @@ Returns:
 List all 105 available auto-fix templates.
+---
+## Package Hallucination Detection
+Detect AI-hallucinated package names that don't exist in official registries. Prevents supply chain attacks where attackers register fake package names suggested by AI.
+### `check_package`
+Check if a single package name is legitimate or potentially hallucinated.
+```
+Parameters:
+  package_name (string): The package name to verify
+  ecosystem (enum): "dart", "perl", "raku", "npm", "pypi"
+Returns:
+  - legitimate: true/false
+  - hallucinated: true/false
+  - confidence: "high"
+  - recommendation: Action to take
+```
+**Example:**
+```json
+{
+  "package": "flutter_animations",
+  "ecosystem": "dart",
+  "legitimate": true,
+  "hallucinated": false,
+  "confidence": "high",
+  "total_known_packages": 64721,
+  "recommendation": "Package exists in registry - safe to use"
+}
+```
+### `scan_packages`
+Scan a code file and detect all potentially hallucinated package imports.
+```
+Parameters:
+  file_path (string): Path to the file to scan
+  ecosystem (enum): "dart", "perl", "raku", "npm", "pypi"
+Returns:
+  - List of all packages found
+  - Which are legitimate vs hallucinated
+  - Recommendation
+```
+**Example output:**
+```json
+{
+  "file": "/path/to/main.dart",
+  "ecosystem": "dart",
+  "total_packages_found": 5,
+  "legitimate_count": 4,
+  "hallucinated_count": 1,
+  "hallucinated_packages": ["fake_flutter_pkg"],
+  "legitimate_packages": ["flutter", "http", "provider", "shared_preferences"],
+  "recommendation": "⚠️ Found 1 potentially hallucinated package(s): fake_flutter_pkg"
+}
+```
+### `list_package_stats`
+Show statistics about loaded package lists.
+```json
+{
+  "package_lists": [
+    { "ecosystem": "dart", "packages_loaded": 64721, "status": "ready" },
+    { "ecosystem": "perl", "packages_loaded": 1000, "status": "ready" },
+    { "ecosystem": "raku", "packages_loaded": 2626, "status": "ready" }
+  ],
+  "total_packages": 68347
+}
+```
+### Adding Custom Package Lists
+Add your own package lists to `packages/` directory:
+```bash
+# Format: one package name per line
+packages/
+├── dart.txt    # 64,721 packages
+├── perl.txt    # 1,000 packages
+├── raku.txt    # 2,626 packages
+├── npm.txt     # Add your own
+└── pypi.txt    # Add your own
+```
+### Fetching Package Lists
+```bash
+# Using the included script
+cd mcp-server
+pip install datasets
+python scripts/fetch-packages.py
+```
+Package lists are sourced from:
+- **Dart:** [dchitimalla1/dart-20250529](https://huggingface.co/datasets/dchitimalla1/dart-20250529)
+- **Perl:** [dchitimalla1/perl-20250530](https://huggingface.co/datasets/dchitimalla1/perl-20250530)
+- **Raku:** [dchitimalla1/raku-20250523](https://huggingface.co/datasets/dchitimalla1/raku-20250523)
+---
 ## Security Rules (165 total)
 ### By Language

package/index.js CHANGED Viewed

@@ -824,6 +824,235 @@ server.tool(
   }
 );
+// ===========================================
+// PACKAGE HALLUCINATION DETECTION
+// ===========================================
+// Load legitimate package lists into memory (hash sets for O(1) lookup)
+const LEGITIMATE_PACKAGES = {
+  dart: new Set(),
+  perl: new Set(),
+  raku: new Set(),
+  npm: new Set(),
+  pypi: new Set()
+};
+// Package import patterns by ecosystem
+const IMPORT_PATTERNS = {
+  dart: [
+    /import\s+['"]package:([^\/'"]+)/g,
+    /dependencies:\s*\n(?:\s+(\w+):\s*[\^~]?[\d.]+\n)+/g
+  ],
+  perl: [
+    /use\s+([\w:]+)/g,
+    /require\s+([\w:]+)/g
+  ],
+  raku: [
+    /use\s+([\w:]+)/g,
+    /need\s+([\w:]+)/g
+  ],
+  npm: [
+    /require\s*\(\s*['"]([^'"]+)['"]\s*\)/g,
+    /from\s+['"]([^'"]+)['"]/g,
+    /import\s+['"]([^'"]+)['"]/g
+  ],
+  pypi: [
+    /^import\s+([\w]+)/gm,
+    /^from\s+([\w]+)/gm
+  ]
+};
+// Load package lists on startup
+function loadPackageLists() {
+  const packagesDir = join(__dirname, 'packages');
+  for (const ecosystem of Object.keys(LEGITIMATE_PACKAGES)) {
+    const filePath = join(packagesDir, `${ecosystem}.txt`);
+    try {
+      if (existsSync(filePath)) {
+        const content = readFileSync(filePath, 'utf-8');
+        const packages = content.split('\n').filter(p => p.trim());
+        LEGITIMATE_PACKAGES[ecosystem] = new Set(packages);
+        console.error(`Loaded ${packages.length} ${ecosystem} packages`);
+      }
+    } catch (error) {
+      console.error(`Warning: Could not load ${ecosystem} packages: ${error.message}`);
+    }
+  }
+}
+// Extract package names from code
+function extractPackages(code, ecosystem) {
+  const packages = new Set();
+  const patterns = IMPORT_PATTERNS[ecosystem] || [];
+  for (const pattern of patterns) {
+    const regex = new RegExp(pattern.source, pattern.flags);
+    let match;
+    while ((match = regex.exec(code)) !== null) {
+      const pkg = match[1];
+      if (pkg && !pkg.startsWith('.') && !pkg.startsWith('/')) {
+        // Normalize package name (handle scoped packages, subpaths)
+        const basePkg = pkg.split('/')[0].replace(/^@/, '');
+        packages.add(basePkg);
+      }
+    }
+  }
+  return Array.from(packages);
+}
+// Check if a package is hallucinated
+function isHallucinated(packageName, ecosystem) {
+  const legitPackages = LEGITIMATE_PACKAGES[ecosystem];
+  if (!legitPackages || legitPackages.size === 0) {
+    return { unknown: true, reason: `No package list loaded for ${ecosystem}` };
+  }
+  return { hallucinated: !legitPackages.has(packageName) };
+}
+// Register check_package tool
+server.tool(
+  "check_package",
+  "Check if a package name is legitimate or potentially hallucinated (AI-invented)",
+  {
+    package_name: z.string().describe("The package name to verify"),
+    ecosystem: z.enum(["dart", "perl", "raku", "npm", "pypi"]).describe("The package ecosystem")
+  },
+  async ({ package_name, ecosystem }) => {
+    const legitPackages = LEGITIMATE_PACKAGES[ecosystem];
+    const totalPackages = legitPackages?.size || 0;
+    if (totalPackages === 0) {
+      return {
+        content: [{
+          type: "text",
+          text: JSON.stringify({
+            package: package_name,
+            ecosystem,
+            status: "unknown",
+            reason: `No package list loaded for ${ecosystem}. Add packages/${ecosystem}.txt`,
+            suggestion: "Load package list or verify manually at the package registry"
+          }, null, 2)
+        }]
+      };
+    }
+    const exists = legitPackages.has(package_name);
+    return {
+      content: [{
+        type: "text",
+        text: JSON.stringify({
+          package: package_name,
+          ecosystem,
+          legitimate: exists,
+          hallucinated: !exists,
+          confidence: "high",
+          total_known_packages: totalPackages,
+          recommendation: exists
+            ? "Package exists in registry - safe to use"
+            : "⚠️ POTENTIAL HALLUCINATION - Package not found in registry. Verify before using!"
+        }, null, 2)
+      }]
+    };
+  }
+);
+// Register scan_packages tool
+server.tool(
+  "scan_packages",
+  "Scan code for package imports and check for hallucinated (AI-invented) packages",
+  {
+    file_path: z.string().describe("Path to the file to scan"),
+    ecosystem: z.enum(["dart", "perl", "raku", "npm", "pypi"]).describe("The package ecosystem")
+  },
+  async ({ file_path, ecosystem }) => {
+    if (!existsSync(file_path)) {
+      return {
+        content: [{ type: "text", text: JSON.stringify({ error: "File not found" }) }]
+      };
+    }
+    const code = readFileSync(file_path, 'utf-8');
+    const packages = extractPackages(code, ecosystem);
+    const legitPackages = LEGITIMATE_PACKAGES[ecosystem];
+    const totalKnown = legitPackages?.size || 0;
+    if (totalKnown === 0) {
+      return {
+        content: [{
+          type: "text",
+          text: JSON.stringify({
+            file: file_path,
+            ecosystem,
+            packages_found: packages,
+            status: "unknown",
+            reason: `No package list loaded for ${ecosystem}`
+          }, null, 2)
+        }]
+      };
+    }
+    const results = packages.map(pkg => ({
+      package: pkg,
+      legitimate: legitPackages.has(pkg),
+      hallucinated: !legitPackages.has(pkg)
+    }));
+    const hallucinated = results.filter(r => r.hallucinated);
+    const legitimate = results.filter(r => r.legitimate);
+    return {
+      content: [{
+        type: "text",
+        text: JSON.stringify({
+          file: file_path,
+          ecosystem,
+          total_packages_found: packages.length,
+          legitimate_count: legitimate.length,
+          hallucinated_count: hallucinated.length,
+          known_packages_in_registry: totalKnown,
+          hallucinated_packages: hallucinated.map(r => r.package),
+          legitimate_packages: legitimate.map(r => r.package),
+          all_results: results,
+          recommendation: hallucinated.length > 0
+            ? `⚠️ Found ${hallucinated.length} potentially hallucinated package(s): ${hallucinated.map(r => r.package).join(', ')}`
+            : "✅ All packages verified as legitimate"
+        }, null, 2)
+      }]
+    };
+  }
+);
+// Register list_package_stats tool
+server.tool(
+  "list_package_stats",
+  "List statistics about loaded package lists for hallucination detection",
+  {},
+  async () => {
+    const stats = Object.entries(LEGITIMATE_PACKAGES).map(([ecosystem, packages]) => ({
+      ecosystem,
+      packages_loaded: packages.size,
+      status: packages.size > 0 ? "ready" : "not loaded"
+    }));
+    return {
+      content: [{
+        type: "text",
+        text: JSON.stringify({
+          package_lists: stats,
+          total_packages: stats.reduce((sum, s) => sum + s.packages_loaded, 0),
+          usage: "Use check_package or scan_packages to detect hallucinated packages"
+        }, null, 2)
+      }]
+    };
+  }
+);
+// Load package lists on module initialization
+loadPackageLists();
 // Start the server with stdio transport
 async function main() {
   const transport = new StdioServerTransport();

package/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "name": "agent-security-scanner-mcp",
-  "version": "1.0.2",
-  "description": "MCP server for security vulnerability scanning - detects SQL injection, XSS, command injection, hardcoded secrets, and more",
+  "version": "1.1.1",
+  "description": "MCP server for security scanning & package hallucination detection - SQL injection, XSS, secrets, and AI-invented package detection",
   "main": "index.js",
   "type": "module",
   "bin": {
@@ -21,7 +21,10 @@
     "code-analysis",
     "sql-injection",
     "xss",
-    "secrets-detection"
+    "secrets-detection",
+    "hallucination-detection",
+    "package-verification",
+    "supply-chain-security"
   ],
   "author": "",
   "license": "MIT",
@@ -43,6 +46,7 @@
   "files": [
     "index.js",
     "analyzer.py",
-    "rules/**"
+    "rules/**",
+    "packages/**"
   ]
 }