agent-security-scanner-mcp 1.1.2 → 1.3.0

package/README.md

@@ -2,13 +2,29 @@
 
 A powerful MCP (Model Context Protocol) server for real-time security vulnerability scanning. Integrates with Claude Desktop, Claude Code, OpenCode.ai, Kilo Code, and any MCP-compatible client to automatically detect and fix security issues as you code.
 
-**165 Semgrep-aligned security rules | 105 auto-fix templates | 100% fix coverage | Package hallucination detection**
+**275+ Semgrep-aligned security rules | 105 auto-fix templates | 100% fix coverage | Package hallucination detection | AI Agent prompt security**
+
+## What's New in v1.3.0
+
+- **AI Agent Prompt Security** - New `scan_agent_prompt` tool to detect malicious prompts before execution
+- **56 prompt attack detection rules** - Exfiltration, backdoor requests, social engineering, jailbreaks
+- **Risk scoring engine** - BLOCK/WARN/LOG/ALLOW actions with 0-100 risk scores
+- **Prompt injection detection** - 39 rules for LLM prompt injection patterns
+
+## What's New in v1.2.0
+
+- **110 new security rules** - Now covering 10 languages and IaC
+- **PHP support** - SQL injection, XSS, command injection, deserialization, file inclusion
+- **Ruby/Rails support** - Mass assignment, CSRF, unsafe eval, YAML deserialization
+- **C/C++ support** - Buffer overflow, format strings, memory safety, use-after-free
+- **Terraform support** - AWS S3, IAM, RDS, security groups, CloudTrail
+- **Kubernetes support** - Privileged containers, RBAC, network policies, secrets
 
 ## Features
 
 - **Real-time scanning** - Detect vulnerabilities instantly as you write code
 - **Auto-fix suggestions** - Get actionable fixes for every security issue
-- **Multi-language support** - JavaScript, TypeScript, Python, Java, Go, Dockerfile
+- **Multi-language support** - JavaScript, TypeScript, Python, Java, Go, PHP, Ruby, C/C++, Dockerfile, Terraform, Kubernetes
 - **Semgrep-compatible** - Rules aligned with Semgrep registry format
 - **CWE & OWASP mapped** - Every rule includes CWE and OWASP references
 - **Hallucination detection** - Detect AI-invented package names (Dart, Perl, Raku)
@@ -206,6 +222,89 @@ List all 105 available auto-fix templates.
 
 ---
 
+## AI Agent Prompt Security
+
+Protect AI coding agents (Claude Code, Cursor, Copilot, etc.) from malicious prompts before execution. Detects exfiltration attempts, backdoor requests, social engineering, and obfuscated attacks.
+
+### `scan_agent_prompt`
+
+Scan a prompt for malicious intent before allowing an AI agent to execute it.
+
+```
+Parameters:
+  prompt_text (string): The prompt text to analyze
+  context (object, optional):
+    - sensitivity_level: "high" | "medium" | "low" (default: "medium")
+
+Returns:
+  - action: "BLOCK" | "WARN" | "LOG" | "ALLOW"
+  - risk_score: 0-100
+  - risk_level: "CRITICAL" | "HIGH" | "MEDIUM" | "LOW" | "NONE"
+  - findings: Array of detected issues
+  - explanation: Human-readable summary
+  - recommendations: Suggested actions
+```
+
+**Risk Thresholds:**
+
+| Risk Level | Score Range | Action |
+|------------|-------------|--------|
+| CRITICAL | 85-100 | BLOCK |
+| HIGH | 70-84 | BLOCK |
+| MEDIUM | 50-69 | WARN |
+| LOW | 25-49 | LOG |
+| NONE | 0-24 | ALLOW |
+
+**Example - Malicious prompt (BLOCKED):**
+```json
+{
+  "action": "BLOCK",
+  "risk_score": 100,
+  "risk_level": "CRITICAL",
+  "findings": [
+    {
+      "rule_id": "agent.injection.security.backdoor-request",
+      "category": "malicious-injection",
+      "severity": "error",
+      "message": "Request to add backdoor or hidden access mechanism",
+      "matched_text": "add a hidden backdoor",
+      "confidence": "high"
+    }
+  ],
+  "explanation": "Detected 1 potential security issue(s) in prompt",
+  "recommendations": [
+    "Do not execute this prompt",
+    "Review the flagged patterns",
+    "Report if this appears to be an attack attempt"
+  ]
+}
+```
+
+**Example - Safe prompt (ALLOWED):**
+```json
+{
+  "action": "ALLOW",
+  "risk_score": 0,
+  "risk_level": "NONE",
+  "findings": [],
+  "explanation": "No security issues detected in prompt",
+  "recommendations": []
+}
+```
+
+**Attack Categories Detected (56 rules):**
+
+| Category | Rules | Examples |
+|----------|-------|----------|
+| Exfiltration | 10 | Send code to webhook, read .env files, push to external repo |
+| Malicious Injection | 11 | Add backdoor, create reverse shell, disable authentication |
+| System Manipulation | 9 | rm -rf /, modify /etc/passwd, add cron persistence |
+| Social Engineering | 6 | Fake authorization claims, fake debug mode, urgency pressure |
+| Obfuscation | 4 | Base64 encoded commands, ROT13, fragmented instructions |
+| Agent Manipulation | 3 | Ignore previous instructions, override safety, DAN jailbreaks |
+
+---
+
 ## Package Hallucination Detection
 
 Detect AI-hallucinated package names that don't exist in official registries. Prevents supply chain attacks where attackers register fake package names suggested by AI.
@@ -313,7 +412,7 @@ Package lists are sourced from:
 
 ---
 
-## Security Rules (165 total)
+## Security Rules (275 total)
 
 ### By Language
 
@@ -323,6 +422,10 @@ Package lists are sourced from:
 | Python | 36 | Injection, deserialization, crypto, XXE |
 | Java | 27 | Injection, XXE, crypto, deserialization |
 | Go | 22 | Injection, crypto, race conditions |
+| **PHP** | 25 | SQL injection, XSS, command injection, deserialization |
+| **Ruby/Rails** | 25 | Mass assignment, CSRF, eval, YAML deserialization |
+| **C/C++** | 25 | Buffer overflow, format string, memory safety |
+| **Terraform/K8s** | 35 | AWS misconfig, IAM, privileged containers, RBAC |
 | Dockerfile | 18 | Secrets, permissions, best practices |
 | Generic (Secrets) | 31 | API keys, tokens, passwords |
 
@@ -330,18 +433,18 @@ Package lists are sourced from:
 
 | Category | Rules | Auto-Fix |
 |----------|-------|----------|
-| **Injection (SQL, Command, XSS)** | 35 | Yes |
-| **Hardcoded Secrets** | 45 | Yes |
-| **Weak Cryptography** | 18 | Yes |
-| **Insecure Deserialization** | 12 | Yes |
-| **Path Traversal** | 6 | Yes |
-| **SSRF** | 6 | Yes |
-| **XXE** | 6 | Yes |
-| **SSL/TLS Issues** | 8 | Yes |
-| **CSRF** | 4 | Yes |
-| **JWT Vulnerabilities** | 6 | Yes |
-| **Dockerfile Security** | 18 | Yes |
-| **Other** | 11 | Yes |
+| **Injection (SQL, Command, XSS)** | 55 | Yes |
+| **Hardcoded Secrets** | 50 | Yes |
+| **Weak Cryptography** | 25 | Yes |
+| **Insecure Deserialization** | 18 | Yes |
+| **Memory Safety (C/C++)** | 20 | Yes |
+| **Infrastructure as Code** | 35 | Yes |
+| **Path Traversal** | 10 | Yes |
+| **SSRF** | 8 | Yes |
+| **XXE** | 8 | Yes |
+| **SSL/TLS Issues** | 12 | Yes |
+| **CSRF** | 6 | Yes |
+| **Other** | 28 | Yes |
 
 ## Auto-Fix Templates (105 total)
 
@@ -425,6 +528,30 @@ Claude will use `fix_security` to:
 - Open Redirects
 - CORS Misconfiguration
 
+### Memory Safety (C/C++)
+- Buffer Overflow (strcpy, strcat, sprintf, gets)
+- Format String Vulnerabilities
+- Use-After-Free
+- Double-Free
+- Integer Overflow in malloc
+- Insecure memset (optimized away)
+- Unsafe temp files (mktemp, tmpnam)
+
+### Infrastructure as Code
+- AWS S3 Public Access
+- Security Groups Open to World (SSH, RDP)
+- IAM Admin Policies (Action:*, Resource:*)
+- RDS Public Access / Unencrypted
+- CloudTrail Disabled
+- KMS Key Rotation Disabled
+- EBS Unencrypted
+- EC2 IMDSv1 Enabled
+- Kubernetes Privileged Containers
+- K8s Run as Root
+- K8s Host Network/PID
+- RBAC Wildcard Permissions
+- Cluster Admin Bindings
+
 ### Other
 - Path Traversal
 - XXE (XML External Entities)
@@ -433,6 +560,9 @@ Claude will use `fix_security` to:
 - Prototype Pollution
 - ReDoS (Regex DoS)
 - Race Conditions
+- Open Redirects
+- Mass Assignment (Rails)
+- Unsafe Eval/Constantize
 
 ## Contributing
 

package/analyzer.py

@@ -32,6 +32,13 @@ EXTENSION_MAP = {
     '.json': 'json',
     '.tf': 'terraform',
     '.hcl': 'terraform',
+    # Prompt/text file extensions for prompt injection scanning
+    '.txt': 'generic',
+    '.md': 'generic',
+    '.prompt': 'generic',
+    '.jinja': 'generic',
+    '.jinja2': 'generic',
+    '.j2': 'generic',
 }
 
 def detect_language(file_path):