agent-security-scanner-mcp 1.1.2 → 1.2.0

package/README.md

@@ -2,13 +2,22 @@
 
 A powerful MCP (Model Context Protocol) server for real-time security vulnerability scanning. Integrates with Claude Desktop, Claude Code, OpenCode.ai, Kilo Code, and any MCP-compatible client to automatically detect and fix security issues as you code.
 
-**165 Semgrep-aligned security rules | 105 auto-fix templates | 100% fix coverage | Package hallucination detection**
+**275 Semgrep-aligned security rules | 105 auto-fix templates | 100% fix coverage | Package hallucination detection**
+
+## What's New in v1.2.0
+
+- **110 new security rules** - Now covering 10 languages and IaC
+- **PHP support** - SQL injection, XSS, command injection, deserialization, file inclusion
+- **Ruby/Rails support** - Mass assignment, CSRF, unsafe eval, YAML deserialization
+- **C/C++ support** - Buffer overflow, format strings, memory safety, use-after-free
+- **Terraform support** - AWS S3, IAM, RDS, security groups, CloudTrail
+- **Kubernetes support** - Privileged containers, RBAC, network policies, secrets
 
 ## Features
 
 - **Real-time scanning** - Detect vulnerabilities instantly as you write code
 - **Auto-fix suggestions** - Get actionable fixes for every security issue
-- **Multi-language support** - JavaScript, TypeScript, Python, Java, Go, Dockerfile
+- **Multi-language support** - JavaScript, TypeScript, Python, Java, Go, PHP, Ruby, C/C++, Dockerfile, Terraform, Kubernetes
 - **Semgrep-compatible** - Rules aligned with Semgrep registry format
 - **CWE & OWASP mapped** - Every rule includes CWE and OWASP references
 - **Hallucination detection** - Detect AI-invented package names (Dart, Perl, Raku)
@@ -313,7 +322,7 @@ Package lists are sourced from:
 
 ---
 
-## Security Rules (165 total)
+## Security Rules (275 total)
 
 ### By Language
 
@@ -323,6 +332,10 @@ Package lists are sourced from:
 | Python | 36 | Injection, deserialization, crypto, XXE |
 | Java | 27 | Injection, XXE, crypto, deserialization |
 | Go | 22 | Injection, crypto, race conditions |
+| **PHP** | 25 | SQL injection, XSS, command injection, deserialization |
+| **Ruby/Rails** | 25 | Mass assignment, CSRF, eval, YAML deserialization |
+| **C/C++** | 25 | Buffer overflow, format string, memory safety |
+| **Terraform/K8s** | 35 | AWS misconfig, IAM, privileged containers, RBAC |
 | Dockerfile | 18 | Secrets, permissions, best practices |
 | Generic (Secrets) | 31 | API keys, tokens, passwords |
 
@@ -330,18 +343,18 @@ Package lists are sourced from:
 
 | Category | Rules | Auto-Fix |
 |----------|-------|----------|
-| **Injection (SQL, Command, XSS)** | 35 | Yes |
-| **Hardcoded Secrets** | 45 | Yes |
-| **Weak Cryptography** | 18 | Yes |
-| **Insecure Deserialization** | 12 | Yes |
-| **Path Traversal** | 6 | Yes |
-| **SSRF** | 6 | Yes |
-| **XXE** | 6 | Yes |
-| **SSL/TLS Issues** | 8 | Yes |
-| **CSRF** | 4 | Yes |
-| **JWT Vulnerabilities** | 6 | Yes |
-| **Dockerfile Security** | 18 | Yes |
-| **Other** | 11 | Yes |
+| **Injection (SQL, Command, XSS)** | 55 | Yes |
+| **Hardcoded Secrets** | 50 | Yes |
+| **Weak Cryptography** | 25 | Yes |
+| **Insecure Deserialization** | 18 | Yes |
+| **Memory Safety (C/C++)** | 20 | Yes |
+| **Infrastructure as Code** | 35 | Yes |
+| **Path Traversal** | 10 | Yes |
+| **SSRF** | 8 | Yes |
+| **XXE** | 8 | Yes |
+| **SSL/TLS Issues** | 12 | Yes |
+| **CSRF** | 6 | Yes |
+| **Other** | 28 | Yes |
 
 ## Auto-Fix Templates (105 total)
 
@@ -425,6 +438,30 @@ Claude will use `fix_security` to:
 - Open Redirects
 - CORS Misconfiguration
 
+### Memory Safety (C/C++)
+- Buffer Overflow (strcpy, strcat, sprintf, gets)
+- Format String Vulnerabilities
+- Use-After-Free
+- Double-Free
+- Integer Overflow in malloc
+- Insecure memset (optimized away)
+- Unsafe temp files (mktemp, tmpnam)
+
+### Infrastructure as Code
+- AWS S3 Public Access
+- Security Groups Open to World (SSH, RDP)
+- IAM Admin Policies (Action:*, Resource:*)
+- RDS Public Access / Unencrypted
+- CloudTrail Disabled
+- KMS Key Rotation Disabled
+- EBS Unencrypted
+- EC2 IMDSv1 Enabled
+- Kubernetes Privileged Containers
+- K8s Run as Root
+- K8s Host Network/PID
+- RBAC Wildcard Permissions
+- Cluster Admin Bindings
+
 ### Other
 - Path Traversal
 - XXE (XML External Entities)
@@ -433,6 +470,9 @@ Claude will use `fix_security` to:
 - Prototype Pollution
 - ReDoS (Regex DoS)
 - Race Conditions
+- Open Redirects
+- Mass Assignment (Rails)
+- Unsafe Eval/Constantize
 
 ## Contributing
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "agent-security-scanner-mcp",
-  "version": "1.1.2",
+  "version": "1.2.0",
   "description": "MCP server for security scanning & package hallucination detection. Works with Claude Desktop, Claude Code, OpenCode, Kilo Code. Detects SQL injection, XSS, secrets, and AI-invented packages.",
   "main": "index.js",
   "type": "module",

package/rules/c.security.yaml

@@ -0,0 +1,459 @@
+rules:
+  # =============================================================================
+  # C/C++ SECURITY RULES - Buffer Overflow (Dangerous Functions)
+  # =============================================================================
+
+  - id: c.lang.security.audit.strcpy-usage
+    languages: [c, cpp]
+    severity: ERROR
+    message: "strcpy is unsafe and can cause buffer overflow. Use strncpy or strlcpy with bounds checking."
+    patterns:
+      - "\\bstrcpy\\s*\\("
+    metadata:
+      cwe: "CWE-120"
+      owasp: "A06:2021 - Vulnerable and Outdated Components"
+      confidence: HIGH
+      references:
+        - https://semgrep.dev/r/c.lang.security.insecure-use-strcpy
+        - https://cwe.mitre.org/data/definitions/120.html
+
+  - id: c.lang.security.audit.strcat-usage
+    languages: [c, cpp]
+    severity: ERROR
+    message: "strcat is unsafe and can cause buffer overflow. Use strncat or strlcat with bounds checking."
+    patterns:
+      - "\\bstrcat\\s*\\("
+    metadata:
+      cwe: "CWE-120"
+      owasp: "A06:2021 - Vulnerable and Outdated Components"
+      confidence: HIGH
+      references:
+        - https://cwe.mitre.org/data/definitions/120.html
+
+  - id: c.lang.security.audit.gets-usage
+    languages: [c, cpp]
+    severity: ERROR
+    message: "gets() is extremely dangerous and removed in C11. Use fgets() with buffer size."
+    patterns:
+      - "\\bgets\\s*\\("
+    metadata:
+      cwe: "CWE-242"
+      owasp: "A06:2021 - Vulnerable and Outdated Components"
+      confidence: HIGH
+      references:
+        - https://semgrep.dev/r/c.lang.security.insecure-use-gets
+        - https://cwe.mitre.org/data/definitions/242.html
+
+  - id: c.lang.security.audit.sprintf-usage
+    languages: [c, cpp]
+    severity: ERROR
+    message: "sprintf can cause buffer overflow. Use snprintf with buffer size limit."
+    patterns:
+      - "\\bsprintf\\s*\\("
+    metadata:
+      cwe: "CWE-120"
+      owasp: "A06:2021 - Vulnerable and Outdated Components"
+      confidence: HIGH
+      references:
+        - https://semgrep.dev/r/c.lang.security.insecure-use-sprintf
+        - https://cwe.mitre.org/data/definitions/120.html
+
+  - id: c.lang.security.audit.vsprintf-usage
+    languages: [c, cpp]
+    severity: ERROR
+    message: "vsprintf can cause buffer overflow. Use vsnprintf with buffer size limit."
+    patterns:
+      - "\\bvsprintf\\s*\\("
+    metadata:
+      cwe: "CWE-120"
+      owasp: "A06:2021 - Vulnerable and Outdated Components"
+      confidence: HIGH
+      references:
+        - https://cwe.mitre.org/data/definitions/120.html
+
+  # =============================================================================
+  # C/C++ SECURITY RULES - Format String Vulnerabilities
+  # =============================================================================
+
+  - id: c.lang.security.audit.format-string-printf
+    languages: [c, cpp]
+    severity: ERROR
+    message: "Format string vulnerability. User input as format string can lead to crashes or code execution. Use printf(\"%s\", str)."
+    patterns:
+      - "printf\\s*\\(\\s*[a-zA-Z_][a-zA-Z0-9_]*\\s*\\)"
+      - "fprintf\\s*\\([^,]*,\\s*[a-zA-Z_][a-zA-Z0-9_]*\\s*\\)"
+      - "sprintf\\s*\\([^,]*,\\s*[a-zA-Z_][a-zA-Z0-9_]*\\s*\\)"
+    metadata:
+      cwe: "CWE-134"
+      owasp: "A03:2021 - Injection"
+      confidence: MEDIUM
+      references:
+        - https://semgrep.dev/r/c.lang.security.format-string
+        - https://cwe.mitre.org/data/definitions/134.html
+
+  - id: c.lang.security.audit.format-string-syslog
+    languages: [c, cpp]
+    severity: ERROR
+    message: "Format string vulnerability in syslog. Use syslog(LOG_INFO, \"%s\", str)."
+    patterns:
+      - "syslog\\s*\\([^,]*,\\s*[a-zA-Z_][a-zA-Z0-9_]*\\s*\\)"
+    metadata:
+      cwe: "CWE-134"
+      owasp: "A03:2021 - Injection"
+      confidence: HIGH
+      references:
+        - https://cwe.mitre.org/data/definitions/134.html
+
+  # =============================================================================
+  # C/C++ SECURITY RULES - Memory Management
+  # =============================================================================
+
+  - id: c.lang.security.audit.use-after-free
+    languages: [c, cpp]
+    severity: ERROR
+    message: "Potential use-after-free. Set pointer to NULL after free() to prevent accidental reuse."
+    patterns:
+      - "free\\s*\\([^)]+\\)\\s*;(?!\\s*\\w+\\s*=\\s*NULL)"
+    metadata:
+      cwe: "CWE-416"
+      owasp: "A06:2021 - Vulnerable and Outdated Components"
+      confidence: MEDIUM
+      references:
+        - https://semgrep.dev/r/c.lang.security.use-after-free
+        - https://cwe.mitre.org/data/definitions/416.html
+
+  - id: c.lang.security.audit.double-free
+    languages: [c, cpp]
+    severity: ERROR
+    message: "Potential double-free vulnerability. Track free() calls and set pointers to NULL."
+    patterns:
+      - "free\\s*\\(\\s*([a-zA-Z_][a-zA-Z0-9_]*)\\s*\\)[^}]*free\\s*\\(\\s*\\1\\s*\\)"
+    metadata:
+      cwe: "CWE-415"
+      owasp: "A06:2021 - Vulnerable and Outdated Components"
+      confidence: MEDIUM
+      references:
+        - https://semgrep.dev/r/c.lang.security.double-free
+        - https://cwe.mitre.org/data/definitions/415.html
+
+  - id: c.lang.security.audit.null-dereference
+    languages: [c, cpp]
+    severity: WARNING
+    message: "Potential null pointer dereference. Check pointer before dereferencing."
+    patterns:
+      - "\\*\\s*\\([^)]*malloc\\s*\\("
+      - "malloc\\s*\\([^)]*\\)\\s*;[^}]*\\*"
+    metadata:
+      cwe: "CWE-476"
+      owasp: "A06:2021 - Vulnerable and Outdated Components"
+      confidence: LOW
+      references:
+        - https://cwe.mitre.org/data/definitions/476.html
+
+  # =============================================================================
+  # C/C++ SECURITY RULES - Integer Overflow
+  # =============================================================================
+
+  - id: c.lang.security.audit.integer-overflow-malloc
+    languages: [c, cpp]
+    severity: ERROR
+    message: "Potential integer overflow in malloc size calculation. Check for overflow before allocation."
+    patterns:
+      - "malloc\\s*\\([^)]*\\*[^)]*\\)"
+      - "calloc\\s*\\([^)]*\\*[^)]*\\)"
+      - "realloc\\s*\\([^,]*,[^)]*\\*[^)]*\\)"
+    metadata:
+      cwe: "CWE-190"
+      owasp: "A06:2021 - Vulnerable and Outdated Components"
+      confidence: MEDIUM
+      references:
+        - https://cwe.mitre.org/data/definitions/190.html
+
+  # =============================================================================
+  # C/C++ SECURITY RULES - Unsafe Functions
+  # =============================================================================
+
+  - id: c.lang.security.audit.scanf-usage
+    languages: [c, cpp]
+    severity: WARNING
+    message: "scanf without width limit can overflow buffer. Use scanf(\"%99s\", buf) with width specifier."
+    patterns:
+      - "scanf\\s*\\([^)]*%s"
+      - "fscanf\\s*\\([^)]*%s"
+      - "sscanf\\s*\\([^)]*%s"
+    metadata:
+      cwe: "CWE-120"
+      owasp: "A06:2021 - Vulnerable and Outdated Components"
+      confidence: MEDIUM
+      references:
+        - https://semgrep.dev/r/c.lang.security.insecure-use-scanf
+        - https://cwe.mitre.org/data/definitions/120.html
+
+  - id: c.lang.security.audit.strtok-usage
+    languages: [c, cpp]
+    severity: WARNING
+    message: "strtok is not thread-safe and modifies input. Use strtok_r for thread safety."
+    patterns:
+      - "\\bstrtok\\s*\\("
+    metadata:
+      cwe: "CWE-362"
+      owasp: "A04:2021 - Insecure Design"
+      confidence: MEDIUM
+      references:
+        - https://semgrep.dev/r/c.lang.security.strtok-use
+        - https://man7.org/linux/man-pages/man3/strtok.3.html
+
+  # =============================================================================
+  # C/C++ SECURITY RULES - Command Injection
+  # =============================================================================
+
+  - id: c.lang.security.audit.system-usage
+    languages: [c, cpp]
+    severity: ERROR
+    message: "system() executes shell commands. Avoid with user input or use exec family with arguments."
+    patterns:
+      - "\\bsystem\\s*\\("
+    metadata:
+      cwe: "CWE-78"
+      owasp: "A03:2021 - Injection"
+      confidence: HIGH
+      references:
+        - https://cwe.mitre.org/data/definitions/78.html
+
+  - id: c.lang.security.audit.popen-usage
+    languages: [c, cpp]
+    severity: WARNING
+    message: "popen() can be vulnerable to command injection. Validate and sanitize input."
+    patterns:
+      - "\\bpopen\\s*\\("
+    metadata:
+      cwe: "CWE-78"
+      owasp: "A03:2021 - Injection"
+      confidence: MEDIUM
+      references:
+        - https://cwe.mitre.org/data/definitions/78.html
+
+  # =============================================================================
+  # C/C++ SECURITY RULES - Cryptography
+  # =============================================================================
+
+  - id: c.lang.security.audit.weak-random
+    languages: [c, cpp]
+    severity: WARNING
+    message: "rand() is not cryptographically secure. Use /dev/urandom or platform secure random for security."
+    patterns:
+      - "\\brand\\s*\\("
+      - "\\bsrand\\s*\\("
+    metadata:
+      cwe: "CWE-330"
+      owasp: "A02:2021 - Cryptographic Failures"
+      confidence: MEDIUM
+      references:
+        - https://cwe.mitre.org/data/definitions/330.html
+
+  - id: c.lang.security.audit.weak-hash-md5
+    languages: [c, cpp]
+    severity: WARNING
+    message: "MD5 is cryptographically broken. Use SHA-256 or stronger for security-sensitive hashing."
+    patterns:
+      - "MD5_Init\\s*\\("
+      - "MD5_Update\\s*\\("
+      - "MD5_Final\\s*\\("
+      - "MD5\\s*\\("
+    metadata:
+      cwe: "CWE-328"
+      owasp: "A02:2021 - Cryptographic Failures"
+      confidence: HIGH
+      references:
+        - https://cwe.mitre.org/data/definitions/328.html
+
+  - id: c.lang.security.audit.weak-hash-sha1
+    languages: [c, cpp]
+    severity: WARNING
+    message: "SHA1 is deprecated for security use. Use SHA-256 or stronger."
+    patterns:
+      - "SHA1_Init\\s*\\("
+      - "SHA1_Update\\s*\\("
+      - "SHA1_Final\\s*\\("
+      - "SHA1\\s*\\("
+    metadata:
+      cwe: "CWE-328"
+      owasp: "A02:2021 - Cryptographic Failures"
+      confidence: HIGH
+      references:
+        - https://cwe.mitre.org/data/definitions/328.html
+
+  - id: c.lang.security.audit.weak-cipher-des
+    languages: [c, cpp]
+    severity: ERROR
+    message: "DES is a weak cipher. Use AES-256 for encryption."
+    patterns:
+      - "DES_set_key\\s*\\("
+      - "DES_ecb_encrypt\\s*\\("
+      - "DES_cbc_encrypt\\s*\\("
+      - "EVP_des_"
+    metadata:
+      cwe: "CWE-327"
+      owasp: "A02:2021 - Cryptographic Failures"
+      confidence: HIGH
+      references:
+        - https://cwe.mitre.org/data/definitions/327.html
+
+  - id: c.lang.security.audit.ecb-mode
+    languages: [c, cpp]
+    severity: ERROR
+    message: "ECB mode is insecure. Use CBC, GCM, or other authenticated modes."
+    patterns:
+      - "EVP_aes_.*_ecb\\s*\\("
+      - "AES_ecb_encrypt\\s*\\("
+      - "_ecb\\s*\\("
+    metadata:
+      cwe: "CWE-327"
+      owasp: "A02:2021 - Cryptographic Failures"
+      confidence: HIGH
+      references:
+        - https://cwe.mitre.org/data/definitions/327.html
+
+  # =============================================================================
+  # C/C++ SECURITY RULES - Insecure memset
+  # =============================================================================
+
+  - id: c.lang.security.audit.insecure-memset
+    languages: [c, cpp]
+    severity: WARNING
+    message: "memset may be optimized away by compiler when clearing sensitive data. Use explicit_bzero or volatile."
+    patterns:
+      - "memset\\s*\\([^,]*password"
+      - "memset\\s*\\([^,]*secret"
+      - "memset\\s*\\([^,]*key"
+    metadata:
+      cwe: "CWE-14"
+      owasp: "A02:2021 - Cryptographic Failures"
+      confidence: MEDIUM
+      references:
+        - https://semgrep.dev/r/c.lang.security.insecure-use-memset
+        - https://cwe.mitre.org/data/definitions/14.html
+
+  # =============================================================================
+  # C/C++ SECURITY RULES - File Descriptor Leaks
+  # =============================================================================
+
+  - id: c.lang.security.audit.fd-leak
+    languages: [c, cpp]
+    severity: WARNING
+    message: "Potential file descriptor leak. Ensure fopen/open calls have matching fclose/close."
+    patterns:
+      - "fopen\\s*\\([^)]+\\)\\s*;(?![^}]*fclose)"
+      - "open\\s*\\([^)]+\\)\\s*;(?![^}]*close)"
+    metadata:
+      cwe: "CWE-775"
+      owasp: "A06:2021 - Vulnerable and Outdated Components"
+      confidence: LOW
+      references:
+        - https://semgrep.dev/r/c.lang.security.fd-leak
+        - https://cwe.mitre.org/data/definitions/775.html
+
+  # =============================================================================
+  # C/C++ SECURITY RULES - Hardcoded Credentials
+  # =============================================================================
+
+  - id: c.lang.security.audit.hardcoded-password
+    languages: [c, cpp]
+    severity: ERROR
+    message: "Hardcoded password detected. Use environment variables or secure configuration."
+    patterns:
+      - "password\\s*=\\s*\"[^\"]{4,}\""
+      - "passwd\\s*=\\s*\"[^\"]{4,}\""
+      - "secret\\s*=\\s*\"[^\"]{4,}\""
+      - "api_key\\s*=\\s*\"[^\"]{20,}\""
+    metadata:
+      cwe: "CWE-798"
+      owasp: "A07:2021 - Identification and Authentication Failures"
+      confidence: HIGH
+      references:
+        - https://cwe.mitre.org/data/definitions/798.html
+
+  # =============================================================================
+  # C++ SPECIFIC SECURITY RULES
+  # =============================================================================
+
+  - id: cpp.lang.security.audit.new-delete-mismatch
+    languages: [cpp]
+    severity: ERROR
+    message: "new/delete mismatch. Use delete[] for arrays allocated with new[]."
+    patterns:
+      - "new\\s+[a-zA-Z_][a-zA-Z0-9_]*\\s*\\[[^\\]]+\\][^}]*delete\\s+[^\\[]"
+    metadata:
+      cwe: "CWE-762"
+      owasp: "A06:2021 - Vulnerable and Outdated Components"
+      confidence: MEDIUM
+      references:
+        - https://semgrep.dev/r/cpp.lang.security.new-delete-mismatch
+        - https://cwe.mitre.org/data/definitions/762.html
+
+  - id: cpp.lang.security.audit.unsafe-reinterpret-cast
+    languages: [cpp]
+    severity: WARNING
+    message: "reinterpret_cast can lead to undefined behavior. Use safer alternatives when possible."
+    patterns:
+      - "reinterpret_cast\\s*<"
+    metadata:
+      cwe: "CWE-704"
+      owasp: "A06:2021 - Vulnerable and Outdated Components"
+      confidence: LOW
+      references:
+        - https://isocpp.org/wiki/faq/casts
+
+  - id: cpp.lang.security.audit.unchecked-return
+    languages: [c, cpp]
+    severity: WARNING
+    message: "Return value not checked. Security-sensitive functions should have return values validated."
+    patterns:
+      - "\\bfread\\s*\\([^)]+\\)\\s*;"
+      - "\\bfwrite\\s*\\([^)]+\\)\\s*;"
+      - "\\bread\\s*\\([^)]+\\)\\s*;"
+      - "\\bwrite\\s*\\([^)]+\\)\\s*;"
+    metadata:
+      cwe: "CWE-252"
+      owasp: "A06:2021 - Vulnerable and Outdated Components"
+      confidence: LOW
+      references:
+        - https://semgrep.dev/r/c.lang.security.unchecked-return-value
+        - https://cwe.mitre.org/data/definitions/252.html
+
+  # =============================================================================
+  # C/C++ SECURITY RULES - Path Traversal
+  # =============================================================================
+
+  - id: c.lang.security.audit.path-traversal
+    languages: [c, cpp]
+    severity: ERROR
+    message: "Potential path traversal. Validate file paths and use realpath() to resolve canonical paths."
+    patterns:
+      - "fopen\\s*\\([^)]*\\.\\."
+      - "open\\s*\\([^)]*\\.\\."
+    metadata:
+      cwe: "CWE-22"
+      owasp: "A01:2021 - Broken Access Control"
+      confidence: HIGH
+      references:
+        - https://cwe.mitre.org/data/definitions/22.html
+
+  # =============================================================================
+  # C/C++ SECURITY RULES - Temporary Files
+  # =============================================================================
+
+  - id: c.lang.security.audit.insecure-tempfile
+    languages: [c, cpp]
+    severity: WARNING
+    message: "mktemp is insecure due to race conditions. Use mkstemp() instead."
+    patterns:
+      - "\\bmktemp\\s*\\("
+      - "\\btmpnam\\s*\\("
+      - "\\btempnam\\s*\\("
+    metadata:
+      cwe: "CWE-377"
+      owasp: "A01:2021 - Broken Access Control"
+      confidence: HIGH
+      references:
+        - https://cwe.mitre.org/data/definitions/377.html