agent-security-scanner-mcp 2.0.5 → 2.0.7

package/README.md

@@ -65,6 +65,22 @@ The scanner works without tree-sitter using regex-based detection, but AST analy
 
 ---
 
+## What's New in v2.0.7
+
+- **SARIF output format** - `scan_security` now supports `output_format: 'sarif'` for GitHub/GitLab Security tab integration
+- **GitHub Code Scanning** - Upload results directly to GitHub Advanced Security
+- **GitLab SAST** - Compatible with GitLab's security dashboard
+- **Full SARIF 2.1.0 compliance** - Includes rules, locations, fix suggestions, CWE/OWASP metadata
+
+## What's New in v2.0.6
+
+- **fix_security reliability overhaul** - Fixes now validated before applying to prevent malformed code output
+- **Python f-string SQL injection** - Now detects AND fixes `f"SELECT...{var}"` patterns
+- **Python .format() SQL injection** - Now fixes `"SELECT...{}".format(var)` patterns
+- **JavaScript template literal SQL injection** - Now fixes `` `SELECT...${var}` `` patterns
+- **Multi-pattern fix engine** - Each vulnerability type can have multiple language-specific fix patterns
+- **Syntax validation** - Rejects fixes with unbalanced quotes, brackets, or obvious syntax errors
+
 ## What's New in v2.0.5
 
 - **Claude Code per-project fix** - `init claude-code` now uses `claude mcp add` CLI for reliable per-project configuration
@@ -359,6 +375,7 @@ Scan a file for security vulnerabilities and return issues with suggested fixes.
 ```
 Parameters:
   file_path (string): Absolute path to the file to scan
+  output_format (string, optional): 'json' (default) or 'sarif' for GitHub/GitLab integration
 
 Returns:
   - List of security issues
@@ -368,7 +385,7 @@ Returns:
   - Suggested fixes
 ```
 
-**Example output:**
+**Example output (JSON - default):**
 ```json
 {
   "file": "/path/to/file.js",
@@ -394,6 +411,36 @@ Returns:
 }
 ```
 
+**Example output (SARIF - for GitHub/GitLab):**
+```json
+{
+  "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
+  "version": "2.1.0",
+  "runs": [{
+    "tool": {
+      "driver": {
+        "name": "agent-security-scanner-mcp",
+        "version": "2.0.7",
+        "rules": [...]
+      }
+    },
+    "results": [
+      {
+        "ruleId": "sql-injection",
+        "level": "error",
+        "message": { "text": "SQL Injection detected" },
+        "locations": [{
+          "physicalLocation": {
+            "artifactLocation": { "uri": "file.js" },
+            "region": { "startLine": 15 }
+          }
+        }]
+      }
+    ]
+  }]
+}
+```
+
 ### `fix_security`
 
 Automatically fix all security issues in a file.
@@ -631,6 +678,64 @@ Package lists are sourced from [garak-llm](https://huggingface.co/garak-llm) Hug
 
 ---
 
+## CI/CD Integration (SARIF)
+
+Upload scan results to GitHub Security tab or GitLab Security Dashboard using SARIF format.
+
+### GitHub Actions Example
+
+```yaml
+name: Security Scan
+on: [push, pull_request]
+
+jobs:
+  security:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+
+      - name: Run Security Scanner
+        run: |
+          npx agent-security-scanner-mcp scan src/ --format sarif --output results.sarif
+
+      - name: Upload SARIF to GitHub
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif
+```
+
+### GitLab CI Example
+
+```yaml
+security_scan:
+  stage: test
+  script:
+    - npx agent-security-scanner-mcp scan src/ --format sarif --output gl-sast-report.json
+  artifacts:
+    reports:
+      sast: gl-sast-report.json
+```
+
+### Programmatic Usage
+
+```javascript
+// Use output_format: 'sarif' parameter
+const result = await client.callTool({
+  name: 'scan_security',
+  arguments: {
+    file_path: '/path/to/file.js',
+    output_format: 'sarif'  // Returns SARIF 2.1.0 format
+  }
+});
+```
+
+---
+
 ## Security Rules (359 total)
 
 ### By Language

package/index.js

@@ -28,7 +28,73 @@ const FIX_TEMPLATES = {
   // ===========================================
   "sql-injection": {
     description: "Use parameterized queries instead of string concatenation",
-    fix: (line) => line.replace(/["']([^"']*)\s*["']\s*\+\s*(\w+)/, '"$1?", [$2]')
+    patterns: [
+      // Python f-strings: cursor.execute(f"SELECT * FROM users WHERE id = {user_id}")
+      {
+        match: /f["'].*(?:SELECT|INSERT|UPDATE|DELETE).*\{(\w+)\}.*["']/i,
+        fix: (line) => {
+          // Extract the query and variable
+          const match = line.match(/(\w+\.(?:execute|query|run))\s*\(\s*f(["'])(.*?)(?:SELECT|INSERT|UPDATE|DELETE)(.*?)\{(\w+)\}(.*?)\2/i);
+          if (match) {
+            const [, method, quote, prefix, queryStart, varName, suffix] = match;
+            // Reconstruct as parameterized query
+            const cleanPrefix = prefix.replace(/\{[^}]+\}/g, '?');
+            const cleanSuffix = suffix.replace(/\{[^}]+\}/g, '?');
+            return line.replace(
+              /f(["']).*\1/,
+              `"${cleanPrefix}${queryStart.trim().toUpperCase()}${cleanSuffix}?", (${varName},)`
+            );
+          }
+          // Simpler fallback for f-strings
+          return line.replace(/f(["'])(.*?)\{(\w+)\}(.*?)\1/, '"$2?$4", ($3,)');
+        },
+        languages: ['python']
+      },
+      // Python .format(): "SELECT ... WHERE id = {}".format(user_id)
+      {
+        match: /["'].*(?:SELECT|INSERT|UPDATE|DELETE).*\{\}.*["']\.format\s*\(/i,
+        fix: (line) => {
+          return line.replace(
+            /(["'])(.*?)\{\}(.*?)\1\.format\s*\(\s*(\w+)\s*\)/,
+            '"$2?$3", [$4]'
+          );
+        },
+        languages: ['python']
+      },
+      // Python % formatting: "SELECT ... WHERE id = %s" % user_id
+      {
+        match: /["'].*(?:SELECT|INSERT|UPDATE|DELETE).*%s.*["']\s*%\s*\(/i,
+        fix: (line) => {
+          return line.replace(
+            /(["'])(.*?)%s(.*?)\1\s*%\s*\(\s*(\w+)\s*,?\s*\)/,
+            '"$2?$3", [$4]'
+          );
+        },
+        languages: ['python']
+      },
+      // JS template literals: `SELECT * FROM users WHERE id = ${userId}`
+      {
+        match: /`.*(?:SELECT|INSERT|UPDATE|DELETE).*\$\{.*\}.*`/i,
+        fix: (line) => {
+          return line.replace(
+            /`(.*?)\$\{(\w+)\}(.*?)`/,
+            '"$1?$3", [$2]'
+          );
+        },
+        languages: ['javascript', 'typescript']
+      },
+      // Simple concatenation (no quotes inside): "SELECT ... WHERE id = " + userId
+      {
+        match: /["'](?:SELECT|INSERT|UPDATE|DELETE)[^"']+["']\s*\+\s*\w+(?!\s*\+\s*["'])/i,
+        fix: (line) => {
+          return line.replace(
+            /(["'])((?:SELECT|INSERT|UPDATE|DELETE)[^"']+)\1\s*\+\s*(\w+)/i,
+            '"$2?", [$3]'
+          );
+        },
+        languages: ['javascript', 'python', 'java', 'go', 'ruby', 'php']
+      }
+    ]
   },
   "nosql-injection": {
     description: "Sanitize MongoDB query inputs",
@@ -765,17 +831,96 @@ function runAnalyzer(filePath) {
   }
 }
 
+// Validate that a fix produces valid syntax
+function validateFix(original, fixed, language) {
+  // Rule 1: Fix must be different from original
+  if (fixed === original || !fixed) {
+    return { valid: false, reason: 'no_change' };
+  }
+
+  // Rule 2: Balanced quotes (ignore escaped quotes)
+  const unescaped = fixed.replace(/\\["'`]/g, '');
+  const singleQuotes = (unescaped.match(/'/g) || []).length;
+  const doubleQuotes = (unescaped.match(/"/g) || []).length;
+  const backticks = (unescaped.match(/`/g) || []).length;
+  if (singleQuotes % 2 !== 0 || doubleQuotes % 2 !== 0 || backticks % 2 !== 0) {
+    return { valid: false, reason: 'unbalanced_quotes' };
+  }
+
+  // Rule 3: Balanced brackets
+  const brackets = { '(': 0, '[': 0, '{': 0 };
+  const closers = { ')': '(', ']': '[', '}': '{' };
+  for (const char of unescaped) {
+    if (brackets[char] !== undefined) brackets[char]++;
+    if (closers[char]) brackets[closers[char]]--;
+  }
+  if (Object.values(brackets).some(v => v !== 0)) {
+    return { valid: false, reason: 'unbalanced_brackets' };
+  }
+
+  // Rule 4: No obvious syntax errors
+  const badPatterns = [
+    /""[^,\s\]);}]/, // empty string followed by unexpected char
+    /\+\s*[)\]}]/, // + followed by closing bracket
+    /,\s*\+/, // comma followed by +
+    /\(\s*\+/, // open paren followed by +
+  ];
+  for (const pattern of badPatterns) {
+    if (pattern.test(fixed)) {
+      return { valid: false, reason: 'syntax_error' };
+    }
+  }
+
+  return { valid: true };
+}
+
 // Generate fix suggestion for an issue
 function generateFix(issue, line, language) {
   const ruleId = issue.ruleId.toLowerCase();
 
-  for (const [pattern, template] of Object.entries(FIX_TEMPLATES)) {
-    if (ruleId.includes(pattern)) {
-      return {
-        description: template.description,
-        original: line,
-        fixed: template.fix(line, language)
-      };
+  for (const [templateId, template] of Object.entries(FIX_TEMPLATES)) {
+    if (!ruleId.includes(templateId)) continue;
+
+    // New: handle patterns array
+    if (template.patterns && Array.isArray(template.patterns)) {
+      for (const pattern of template.patterns) {
+        // Skip if language doesn't match
+        if (pattern.languages && !pattern.languages.includes(language)) {
+          continue;
+        }
+
+        // Skip if pattern doesn't match the line
+        if (!pattern.match.test(line)) {
+          continue;
+        }
+
+        // Try the fix
+        const candidate = pattern.fix(line, language);
+        const validation = validateFix(line, candidate, language);
+
+        if (validation.valid) {
+          return {
+            description: template.description,
+            original: line,
+            fixed: candidate
+          };
+        }
+        // If invalid, try next pattern
+      }
+    }
+
+    // Fallback: old-style single fix function (backward compatible)
+    if (template.fix && typeof template.fix === 'function') {
+      const candidate = template.fix(line, language);
+      const validation = validateFix(line, candidate, language);
+
+      if (validation.valid) {
+        return {
+          description: template.description,
+          original: line,
+          fixed: candidate
+        };
+      }
     }
   }
 
@@ -804,14 +949,126 @@ export function createSandboxServer() {
   return server;
 }
 
+// SARIF (Static Analysis Results Interchange Format) conversion
+// Spec: https://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html
+function convertToSarif(filePath, language, issues) {
+  const severityToLevel = {
+    'ERROR': 'error',
+    'WARNING': 'warning',
+    'INFO': 'note',
+    'HINT': 'note'
+  };
+
+  // Build rules from unique rule IDs
+  const rulesMap = new Map();
+  issues.forEach(issue => {
+    if (!rulesMap.has(issue.ruleId)) {
+      rulesMap.set(issue.ruleId, {
+        id: issue.ruleId,
+        name: issue.ruleId.split('.').pop().replace(/-/g, ' ').replace(/\b\w/g, c => c.toUpperCase()),
+        shortDescription: {
+          text: issue.message.replace(/^\[.*?\]\s*/, '') // Remove [RuleName] prefix
+        },
+        defaultConfiguration: {
+          level: severityToLevel[issue.severity] || 'warning'
+        },
+        properties: {
+          tags: ['security'],
+          ...(issue.metadata?.cwe && { 'security-severity': '7.0' }),
+        },
+        helpUri: issue.metadata?.references?.[0] || `https://cwe.mitre.org/data/definitions/${issue.metadata?.cwe?.replace('CWE-', '')}.html`
+      });
+    }
+  });
+
+  // Build results
+  const results = issues.map(issue => ({
+    ruleId: issue.ruleId,
+    level: severityToLevel[issue.severity] || 'warning',
+    message: {
+      text: issue.message
+    },
+    locations: [{
+      physicalLocation: {
+        artifactLocation: {
+          uri: filePath,
+          uriBaseId: '%SRCROOT%'
+        },
+        region: {
+          startLine: (issue.line || 0) + 1, // SARIF uses 1-indexed lines
+          startColumn: (issue.column || 0) + 1,
+          endLine: (issue.endLine || issue.line || 0) + 1,
+          endColumn: (issue.endColumn || issue.column || 0) + 1,
+          snippet: issue.line_content ? { text: issue.line_content } : undefined
+        }
+      }
+    }],
+    ...(issue.suggested_fix?.fixed && {
+      fixes: [{
+        description: {
+          text: issue.suggested_fix.description
+        },
+        artifactChanges: [{
+          artifactLocation: {
+            uri: filePath
+          },
+          replacements: [{
+            deletedRegion: {
+              startLine: (issue.line || 0) + 1,
+              startColumn: 1,
+              endLine: (issue.line || 0) + 1,
+              endColumn: (issue.suggested_fix.original?.length || 0) + 1
+            },
+            insertedContent: {
+              text: issue.suggested_fix.fixed
+            }
+          }]
+        }]
+      }]
+    }),
+    properties: {
+      ...(issue.metadata?.cwe && { cwe: issue.metadata.cwe }),
+      ...(issue.metadata?.owasp && { owasp: issue.metadata.owasp })
+    }
+  }));
+
+  return {
+    $schema: 'https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json',
+    version: '2.1.0',
+    runs: [{
+      tool: {
+        driver: {
+          name: 'agent-security-scanner-mcp',
+          version: '2.0.7',
+          informationUri: 'https://github.com/sinewaveai/agent-security-scanner-mcp',
+          rules: Array.from(rulesMap.values())
+        }
+      },
+      results,
+      invocations: [{
+        executionSuccessful: true,
+        endTimeUtc: new Date().toISOString()
+      }],
+      artifacts: [{
+        location: {
+          uri: filePath,
+          uriBaseId: '%SRCROOT%'
+        },
+        sourceLanguage: language
+      }]
+    }]
+  };
+}
+
 // Register scan_security tool
 server.tool(
   "scan_security",
   "Scan a file for security vulnerabilities and return issues with suggested fixes",
   {
-    file_path: z.string().describe("Path to the file to scan")
+    file_path: z.string().describe("Path to the file to scan"),
+    output_format: z.enum(['json', 'sarif']).optional().describe("Output format: 'json' (default) or 'sarif' for GitHub/GitLab integration")
   },
-  async ({ file_path }) => {
+  async ({ file_path, output_format = 'json' }) => {
     if (!existsSync(file_path)) {
       return {
         content: [{ type: "text", text: JSON.stringify({ error: "File not found" }) }]
@@ -842,6 +1099,18 @@ server.tool(
       };
     });
 
+    // Return SARIF format if requested (for GitHub/GitLab integration)
+    if (output_format === 'sarif') {
+      const sarif = convertToSarif(file_path, language, enhancedIssues);
+      return {
+        content: [{
+          type: "text",
+          text: JSON.stringify(sarif, null, 2)
+        }]
+      };
+    }
+
+    // Default JSON format
     return {
       content: [{
         type: "text",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "agent-security-scanner-mcp",
-  "version": "2.0.5",
+  "version": "2.0.7",
   "mcpName": "io.github.sinewaveai/agent-security-scanner-mcp",
   "description": "Security scanner MCP server for AI coding agents. Prompt injection firewall, package hallucination detection (4.3M+ packages), 359 vulnerability rules with auto-fix. For Claude Code, Cursor, Windsurf, Cline.",
   "main": "index.js",
@@ -52,7 +52,10 @@
     "zed",
     "prompt-firewall",
     "auto-fix",
-    "hallucination"
+    "hallucination",
+    "sarif",
+    "github-code-scanning",
+    "gitlab-sast"
   ],
   "author": "Sinewave AI <divya@sinewave.ai>",
   "license": "MIT",