npm - agent-security-scanner-mcp - Versions diffs - 2.0.4 → 2.0.5 - Mend

agent-security-scanner-mcp 2.0.4 → 2.0.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/README.md CHANGED Viewed

@@ -1,5 +1,11 @@
 # agent-security-scanner-mcp
+[![npm version](https://img.shields.io/npm/v/agent-security-scanner-mcp.svg)](https://www.npmjs.com/package/agent-security-scanner-mcp)
+[![npm downloads](https://img.shields.io/npm/dm/agent-security-scanner-mcp.svg)](https://www.npmjs.com/package/agent-security-scanner-mcp)
+[![npm total downloads](https://img.shields.io/npm/dt/agent-security-scanner-mcp.svg)](https://www.npmjs.com/package/agent-security-scanner-mcp)
+[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
+[![GitHub stars](https://img.shields.io/github/stars/sinewaveai/agent-security-scanner-mcp.svg)](https://github.com/sinewaveai/agent-security-scanner-mcp/stargazers)
 A powerful MCP (Model Context Protocol) server for real-time security vulnerability scanning. Integrates with Claude Desktop, Claude Code, OpenCode.ai, Kilo Code, and any MCP-compatible client to automatically detect and fix security issues as you code.
 AI coding agents like **Claude Code**, **Cursor**, **Windsurf**, **Cline**, **Copilot**, and **Devin** are transforming software development. But they introduce attack surfaces that traditional security tools weren't designed to handle:
@@ -14,22 +20,35 @@ AI coding agents like **Claude Code**, **Cursor**, **Windsurf**, **Cline**, **Co
 **359 Semgrep-aligned security rules | 120 auto-fix templates | 6 ecosystems indexed | AI Agent prompt security**
-## What's New in v2.0.2
+## Installation
-- **Prompt injection detection overhaul** - Detection rate improved from 33% to 80%+
-- **Code block scanning** - Detects attacks hidden inside markdown code blocks
-- **Base64 decode-and-rescan** - Runtime decoding of encoded payloads
-- **Security fix** - Command injection vulnerability patched (execFileSync)
-- **Test suite** - 51 vitest tests with GitHub Actions CI
-- **Bug fixes** - Package hallucination detection now correctly uses bloom filters
+### Default Package (Lightweight - 2.7 MB)
-## What's New in v2.0.0
+```bash
+npm install -g agent-security-scanner-mcp
+```
-- **AST-based analysis** - tree-sitter powered parsing for 12 languages with higher accuracy
-- **Taint analysis** - Track data flow from sources (user input) to sinks (dangerous functions)
-- **Graceful fallback** - Works out-of-the-box with regex; enhanced detection when tree-sitter installed
-- **Metavariable patterns** - Semgrep-style `$VAR` patterns for structural matching
-- **Doctor command upgrade** - Now checks for AST engine availability
+Includes hallucination detection for: **PyPI, RubyGems, crates.io, pub.dev, CPAN, raku.land** (1M+ packages)
+### Full Package (With npm - 8.7 MB)
+If you need **npm/JavaScript hallucination detection** (3.3M packages):
+```bash
+npm install -g agent-security-scanner-mcp-full
+```
+Or run directly with npx:
+```bash
+npx agent-security-scanner-mcp
+```
+### Prerequisites
+- **Node.js >= 18.0.0** (required)
+- **Python 3.x** (required for the analyzer engine)
+- **PyYAML** (`pip install pyyaml`) — required for rule loading
 ### Enhanced Detection with tree-sitter (Optional)
@@ -44,6 +63,31 @@ The scanner works without tree-sitter using regex-based detection, but AST analy
 - Taint tracking across function boundaries
 - Language-aware pattern matching
+---
+## What's New in v2.0.5
+- **Claude Code per-project fix** - `init claude-code` now uses `claude mcp add` CLI for reliable per-project configuration
+- **Doctor command upgrade** - Now correctly checks Claude Code config via `claude mcp list` instead of file-based check
+- **Documentation update** - README clarifies Claude Code's per-project MCP storage (`~/.claude.json` vs `~/.claude/settings.json`)
+## What's New in v2.0.2
+- **Prompt injection detection overhaul** - Detection rate improved from 33% to 80%+
+- **Code block scanning** - Detects attacks hidden inside markdown code blocks
+- **Base64 decode-and-rescan** - Runtime decoding of encoded payloads
+- **Security fix** - Command injection vulnerability patched (execFileSync)
+- **Test suite** - 51 vitest tests with GitHub Actions CI
+- **Bug fixes** - Package hallucination detection now correctly uses bloom filters
+## What's New in v2.0.0
+- **AST-based analysis** - tree-sitter powered parsing for 12 languages with higher accuracy
+- **Taint analysis** - Track data flow from sources (user input) to sinks (dangerous functions)
+- **Graceful fallback** - Works out-of-the-box with regex; enhanced detection when tree-sitter installed
+- **Metavariable patterns** - Semgrep-style `$VAR` patterns for structural matching
+- **Doctor command upgrade** - Now checks for AST engine availability
 ## What's New in v1.5.0
 - **92% smaller package** - Only 2.7 MB (down from 84 MB)
@@ -76,37 +120,6 @@ The scanner works without tree-sitter using regex-based detection, but AST analy
 - **CWE & OWASP mapped** - Every rule includes CWE and OWASP references
 - **Hallucination detection** - Detect AI-invented package names across 7 ecosystems via bloom filters and text lists
-## Installation
-### Default Package (Lightweight - 2.7 MB)
-```bash
-npm install -g agent-security-scanner-mcp
-```
-Includes hallucination detection for: **PyPI, RubyGems, crates.io, pub.dev, CPAN, raku.land** (1M+ packages)
-### Full Package (With npm - 8.7 MB)
-If you need **npm/JavaScript hallucination detection** (3.3M packages):
-```bash
-npm install -g agent-security-scanner-mcp-full
-```
-Or run directly with npx:
-```bash
-npx agent-security-scanner-mcp
-```
-## Prerequisites
-- **Node.js >= 18.0.0** (required)
-- **Python 3.x** (required for the analyzer engine)
-- **PyYAML** (`pip install pyyaml`) — required for rule loading
-- **tree-sitter** (optional, for enhanced AST-based detection): `pip install tree-sitter tree-sitter-python tree-sitter-javascript`
 ## Works With All Major AI Coding Tools
 | Tool | Integration | Status |
@@ -139,12 +152,14 @@ npx agent-security-scanner-mcp init cursor
 npx agent-security-scanner-mcp init claude-desktop
 npx agent-security-scanner-mcp init windsurf
 npx agent-security-scanner-mcp init cline
-npx agent-security-scanner-mcp init claude-code
+npx agent-security-scanner-mcp init claude-code      # Run in each project folder!
 npx agent-security-scanner-mcp init kilo-code
 npx agent-security-scanner-mcp init opencode
 npx agent-security-scanner-mcp init cody
 ```
+> **Claude Code users:** Run `init claude-code` in **each project folder** where you want security scanning. Claude Code uses per-project MCP configuration.
 **Interactive mode** — just run `init` with no client to pick from a list:
 ```bash
@@ -234,7 +249,17 @@ Add to your `claude_desktop_config.json`:
 ### Claude Code
-Add to your MCP settings (`~/.claude/settings.json`):
+**Important:** Claude Code stores MCP servers **per-project** in `~/.claude.json`, not in `~/.claude/settings.json`. Use the CLI to configure:
+```bash
+# Run this in EACH project folder where you want security scanning:
+claude mcp add security-scanner -- npx -y agent-security-scanner-mcp
+# Verify it's configured:
+claude mcp list
+```
+**Global configuration** (applies to new projects only) — add to `~/.claude/settings.json`:
 ```json
 {
@@ -247,6 +272,8 @@ Add to your MCP settings (`~/.claude/settings.json`):
 }
 ```
+> **Note:** Existing projects won't automatically inherit from the global config. You must run `claude mcp add` in each project folder, or use the automated init command which handles this for you.
 ### OpenCode.ai
 Add to your `opencode.jsonc` configuration file:

package/index.js CHANGED Viewed

@@ -1724,7 +1724,10 @@ const CLIENT_CONFIGS = {
     name: 'Claude Code',
     configKey: 'mcpServers',
     configPath: () => join(homedir(), '.claude', 'settings.json'),
-    buildEntry: () => ({ ...MCP_SERVER_ENTRY })
+    buildEntry: () => ({ ...MCP_SERVER_ENTRY }),
+    // Claude Code stores MCP config per-project in ~/.claude.json, not in settings.json
+    // Use the 'claude mcp add' CLI for reliable per-project configuration
+    useCliCommand: true
   },
   'cursor': {
     name: 'Cursor',
@@ -1843,6 +1846,91 @@ function printInitUsage() {
   console.log('    npx agent-security-scanner-mcp init cline --force --name my-scanner\n');
 }
+// Special init handler for clients that use CLI commands (e.g., Claude Code)
+async function runCliInit(client, flags) {
+  const serverName = flags.name;
+  const cwd = process.cwd();
+  console.log(`\n  Client:  ${client.name}`);
+  console.log(`  Project: ${cwd}`);
+  console.log(`  OS:      ${platform()} (${process.arch})`);
+  console.log(`  Key:     ${serverName}\n`);
+  // Check if claude CLI is available
+  const claudeCheck = checkCommand('claude', ['--version']);
+  if (!claudeCheck.ok) {
+    console.log('  ERROR: Claude Code CLI not found.');
+    console.log('  Please install Claude Code first: https://claude.ai/download\n');
+    console.log('  Alternative: Use --path to write to ~/.claude/settings.json directly:\n');
+    console.log(`    npx agent-security-scanner-mcp init claude-code --path ~/.claude/settings.json\n`);
+    process.exit(1);
+  }
+  // Check if already configured for this project
+  const listCheck = checkCommand('claude', ['mcp', 'list']);
+  if (listCheck.ok && listCheck.output.includes(serverName)) {
+    if (!flags.force) {
+      console.log(`  ${serverName} is already configured for this project.`);
+      console.log(`  Use --force to reconfigure.\n`);
+      process.exit(0);
+    }
+    // Remove existing entry first if --force
+    console.log(`  Removing existing ${serverName} configuration...`);
+    try {
+      execFileSync('claude', ['mcp', 'remove', serverName], { encoding: 'utf-8', stdio: 'pipe' });
+    } catch {
+      // Ignore errors - might not exist
+    }
+  }
+  // Build the CLI command
+  const cliArgs = ['mcp', 'add', serverName, '--', 'npx', '-y', 'agent-security-scanner-mcp'];
+  const fullCommand = `claude ${cliArgs.join(' ')}`;
+  if (flags.dryRun) {
+    console.log(`  [dry-run] Would run: ${fullCommand}`);
+    console.log(`  [dry-run] In directory: ${cwd}`);
+    console.log(`\n  No changes made.\n`);
+    process.exit(0);
+  }
+  console.log(`  Running: ${fullCommand}`);
+  console.log(`  In directory: ${cwd}\n`);
+  try {
+    const result = execFileSync('claude', cliArgs, { encoding: 'utf-8', stdio: 'pipe', cwd });
+    console.log(`  ${result.trim()}\n`);
+  } catch (e) {
+    console.error(`  ERROR: Failed to add MCP server.`);
+    console.error(`  ${e.message}\n`);
+    console.log('  Alternative: Add manually to ~/.claude/settings.json:\n');
+    console.log(`  {
+    "mcpServers": {
+      "${serverName}": {
+        "command": "npx",
+        "args": ["-y", "agent-security-scanner-mcp"]
+      }
+    }
+  }\n`);
+    process.exit(1);
+  }
+  // Verify it was added
+  const verifyCheck = checkCommand('claude', ['mcp', 'list']);
+  if (verifyCheck.ok && verifyCheck.output.includes(serverName)) {
+    console.log(`  ✓ Successfully configured ${serverName} for this project!\n`);
+  } else {
+    console.log(`  ⚠ Configuration may have succeeded but verification failed.`);
+    console.log(`  Run 'claude mcp list' to check.\n`);
+  }
+  console.log(`  Next steps:`);
+  console.log(`    1. Restart Claude Code in this folder`);
+  console.log(`    2. Verify by asking: "What MCP tools do you have?"`);
+  console.log(`    3. Test: "Scan this file for security issues"\n`);
+  console.log(`  Note: Run this command in each project folder where you want security scanning.\n`);
+}
 async function runInit(flags) {
   let clientName = flags.client;
@@ -1863,6 +1951,12 @@ async function runInit(flags) {
     process.exit(1);
   }
+  // Special handling for clients that use CLI commands (like Claude Code)
+  if (client.useCliCommand && !flags.path) {
+    await runCliInit(client, flags);
+    return;
+  }
   const configPath = flags.path || client.configPath();
   const serverName = flags.name;
   const entry = client.buildEntry();
@@ -2067,6 +2161,53 @@ async function runDoctor(flags) {
   console.log('\n  Client Configurations');
   for (const [key, client] of Object.entries(CLIENT_CONFIGS)) {
+    // Special handling for Claude Code - uses per-project config via CLI
+    if (client.useCliCommand) {
+      const claudeCheck = checkCommand('claude', ['--version']);
+      if (!claudeCheck.ok) {
+        console.log(`    \u2014 ${client.name.padEnd(20)} not installed (claude CLI not found)`);
+        continue;
+      }
+      // Check if configured for current project using claude mcp list
+      const listCheck = checkCommand('claude', ['mcp', 'list']);
+      if (listCheck.ok && listCheck.output) {
+        const output = listCheck.output.toLowerCase();
+        const hasScanner = output.includes('security-scanner') ||
+                          output.includes('agentic-security') ||
+                          output.includes('agent-security-scanner');
+        if (hasScanner) {
+          // Extract the actual server name from output
+          let serverName = 'security-scanner';
+          if (output.includes('agentic-security')) serverName = 'agentic-security';
+          console.log(`    \u2713 ${client.name.padEnd(20)} configured (${serverName})`);
+        } else if (output.includes('no mcp servers configured')) {
+          console.log(`    \u2717 ${client.name.padEnd(20)} not configured for this project`);
+          if (fix) {
+            try {
+              execFileSync('claude', ['mcp', 'add', 'security-scanner', '--', 'npx', '-y', 'agent-security-scanner-mcp'],
+                { encoding: 'utf-8', stdio: 'pipe' });
+              console.log(`      \u2713 Fixed: added security-scanner via claude mcp add`);
+              fixed++;
+            } catch {
+              console.log(`      \u2717 Auto-fix failed. Run: npx agent-security-scanner-mcp init claude-code`);
+              issues++;
+            }
+          } else {
+            console.log(`      Fix: npx agent-security-scanner-mcp init claude-code`);
+            issues++;
+          }
+        } else {
+          console.log(`    \u2717 ${client.name.padEnd(20)} entry missing from project config`);
+          console.log(`      Fix: npx agent-security-scanner-mcp init claude-code`);
+          issues++;
+        }
+      } else {
+        console.log(`    \u26a0 ${client.name.padEnd(20)} could not check config (run 'claude mcp list' manually)`);
+      }
+      continue;
+    }
     let configPath;
     try { configPath = client.configPath(); } catch { continue; }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "agent-security-scanner-mcp",
-  "version": "2.0.4",
+  "version": "2.0.5",
   "mcpName": "io.github.sinewaveai/agent-security-scanner-mcp",
   "description": "Security scanner MCP server for AI coding agents. Prompt injection firewall, package hallucination detection (4.3M+ packages), 359 vulnerability rules with auto-fix. For Claude Code, Cursor, Windsurf, Cline.",
   "main": "index.js",

package/packages/crates.txt CHANGED Viewed

@@ -23630,7 +23630,6 @@ cinnog
 cint
 cio
 cio-api
-cioqLsBmIV3xEUGI6XQRx411QEIZwwaDh7c
 cip
 cip_rust
 cipepser-bicycle-book-wordcount