npm - agent-security-scanner-mcp - Versions diffs - 2.0.6 → 2.0.7 - Mend

agent-security-scanner-mcp 2.0.6 → 2.0.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -65,6 +65,13 @@ The scanner works without tree-sitter using regex-based detection, but AST analy
 ---
+## What's New in v2.0.7
+- **SARIF output format** - `scan_security` now supports `output_format: 'sarif'` for GitHub/GitLab Security tab integration
+- **GitHub Code Scanning** - Upload results directly to GitHub Advanced Security
+- **GitLab SAST** - Compatible with GitLab's security dashboard
+- **Full SARIF 2.1.0 compliance** - Includes rules, locations, fix suggestions, CWE/OWASP metadata
 ## What's New in v2.0.6
 - **fix_security reliability overhaul** - Fixes now validated before applying to prevent malformed code output
@@ -368,6 +375,7 @@ Scan a file for security vulnerabilities and return issues with suggested fixes.
 ```
 Parameters:
   file_path (string): Absolute path to the file to scan
+  output_format (string, optional): 'json' (default) or 'sarif' for GitHub/GitLab integration
 Returns:
   - List of security issues
@@ -377,7 +385,7 @@ Returns:
   - Suggested fixes
 ```
-**Example output:**
+**Example output (JSON - default):**
 ```json
 {
   "file": "/path/to/file.js",
@@ -403,6 +411,36 @@ Returns:
 }
 ```
+**Example output (SARIF - for GitHub/GitLab):**
+```json
+{
+  "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
+  "version": "2.1.0",
+  "runs": [{
+    "tool": {
+      "driver": {
+        "name": "agent-security-scanner-mcp",
+        "version": "2.0.7",
+        "rules": [...]
+      }
+    },
+    "results": [
+      {
+        "ruleId": "sql-injection",
+        "level": "error",
+        "message": { "text": "SQL Injection detected" },
+        "locations": [{
+          "physicalLocation": {
+            "artifactLocation": { "uri": "file.js" },
+            "region": { "startLine": 15 }
+          }
+        }]
+      }
+    ]
+  }]
+}
+```
 ### `fix_security`
 Automatically fix all security issues in a file.
@@ -640,6 +678,64 @@ Package lists are sourced from [garak-llm](https://huggingface.co/garak-llm) Hug
 ---
+## CI/CD Integration (SARIF)
+Upload scan results to GitHub Security tab or GitLab Security Dashboard using SARIF format.
+### GitHub Actions Example
+```yaml
+name: Security Scan
+on: [push, pull_request]
+jobs:
+  security:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+      - name: Run Security Scanner
+        run: |
+          npx agent-security-scanner-mcp scan src/ --format sarif --output results.sarif
+      - name: Upload SARIF to GitHub
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif
+```
+### GitLab CI Example
+```yaml
+security_scan:
+  stage: test
+  script:
+    - npx agent-security-scanner-mcp scan src/ --format sarif --output gl-sast-report.json
+  artifacts:
+    reports:
+      sast: gl-sast-report.json
+```
+### Programmatic Usage
+```javascript
+// Use output_format: 'sarif' parameter
+const result = await client.callTool({
+  name: 'scan_security',
+  arguments: {
+    file_path: '/path/to/file.js',
+    output_format: 'sarif'  // Returns SARIF 2.1.0 format
+  }
+});
+```
+---
 ## Security Rules (359 total)
 ### By Language

package/index.js CHANGED Viewed

@@ -949,14 +949,126 @@ export function createSandboxServer() {
   return server;
 }
+// SARIF (Static Analysis Results Interchange Format) conversion
+// Spec: https://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html
+function convertToSarif(filePath, language, issues) {
+  const severityToLevel = {
+    'ERROR': 'error',
+    'WARNING': 'warning',
+    'INFO': 'note',
+    'HINT': 'note'
+  };
+  // Build rules from unique rule IDs
+  const rulesMap = new Map();
+  issues.forEach(issue => {
+    if (!rulesMap.has(issue.ruleId)) {
+      rulesMap.set(issue.ruleId, {
+        id: issue.ruleId,
+        name: issue.ruleId.split('.').pop().replace(/-/g, ' ').replace(/\b\w/g, c => c.toUpperCase()),
+        shortDescription: {
+          text: issue.message.replace(/^\[.*?\]\s*/, '') // Remove [RuleName] prefix
+        },
+        defaultConfiguration: {
+          level: severityToLevel[issue.severity] || 'warning'
+        },
+        properties: {
+          tags: ['security'],
+          ...(issue.metadata?.cwe && { 'security-severity': '7.0' }),
+        },
+        helpUri: issue.metadata?.references?.[0] || `https://cwe.mitre.org/data/definitions/${issue.metadata?.cwe?.replace('CWE-', '')}.html`
+      });
+    }
+  });
+  // Build results
+  const results = issues.map(issue => ({
+    ruleId: issue.ruleId,
+    level: severityToLevel[issue.severity] || 'warning',
+    message: {
+      text: issue.message
+    },
+    locations: [{
+      physicalLocation: {
+        artifactLocation: {
+          uri: filePath,
+          uriBaseId: '%SRCROOT%'
+        },
+        region: {
+          startLine: (issue.line || 0) + 1, // SARIF uses 1-indexed lines
+          startColumn: (issue.column || 0) + 1,
+          endLine: (issue.endLine || issue.line || 0) + 1,
+          endColumn: (issue.endColumn || issue.column || 0) + 1,
+          snippet: issue.line_content ? { text: issue.line_content } : undefined
+        }
+      }
+    }],
+    ...(issue.suggested_fix?.fixed && {
+      fixes: [{
+        description: {
+          text: issue.suggested_fix.description
+        },
+        artifactChanges: [{
+          artifactLocation: {
+            uri: filePath
+          },
+          replacements: [{
+            deletedRegion: {
+              startLine: (issue.line || 0) + 1,
+              startColumn: 1,
+              endLine: (issue.line || 0) + 1,
+              endColumn: (issue.suggested_fix.original?.length || 0) + 1
+            },
+            insertedContent: {
+              text: issue.suggested_fix.fixed
+            }
+          }]
+        }]
+      }]
+    }),
+    properties: {
+      ...(issue.metadata?.cwe && { cwe: issue.metadata.cwe }),
+      ...(issue.metadata?.owasp && { owasp: issue.metadata.owasp })
+    }
+  }));
+  return {
+    $schema: 'https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json',
+    version: '2.1.0',
+    runs: [{
+      tool: {
+        driver: {
+          name: 'agent-security-scanner-mcp',
+          version: '2.0.7',
+          informationUri: 'https://github.com/sinewaveai/agent-security-scanner-mcp',
+          rules: Array.from(rulesMap.values())
+        }
+      },
+      results,
+      invocations: [{
+        executionSuccessful: true,
+        endTimeUtc: new Date().toISOString()
+      }],
+      artifacts: [{
+        location: {
+          uri: filePath,
+          uriBaseId: '%SRCROOT%'
+        },
+        sourceLanguage: language
+      }]
+    }]
+  };
+}
 // Register scan_security tool
 server.tool(
   "scan_security",
   "Scan a file for security vulnerabilities and return issues with suggested fixes",
   {
-    file_path: z.string().describe("Path to the file to scan")
+    file_path: z.string().describe("Path to the file to scan"),
+    output_format: z.enum(['json', 'sarif']).optional().describe("Output format: 'json' (default) or 'sarif' for GitHub/GitLab integration")
   },
-  async ({ file_path }) => {
+  async ({ file_path, output_format = 'json' }) => {
     if (!existsSync(file_path)) {
       return {
         content: [{ type: "text", text: JSON.stringify({ error: "File not found" }) }]
@@ -987,6 +1099,18 @@ server.tool(
       };
     });
+    // Return SARIF format if requested (for GitHub/GitLab integration)
+    if (output_format === 'sarif') {
+      const sarif = convertToSarif(file_path, language, enhancedIssues);
+      return {
+        content: [{
+          type: "text",
+          text: JSON.stringify(sarif, null, 2)
+        }]
+      };
+    }
+    // Default JSON format
     return {
       content: [{
         type: "text",

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "agent-security-scanner-mcp",
-  "version": "2.0.6",
+  "version": "2.0.7",
   "mcpName": "io.github.sinewaveai/agent-security-scanner-mcp",
   "description": "Security scanner MCP server for AI coding agents. Prompt injection firewall, package hallucination detection (4.3M+ packages), 359 vulnerability rules with auto-fix. For Claude Code, Cursor, Windsurf, Cline.",
   "main": "index.js",
@@ -52,7 +52,10 @@
     "zed",
     "prompt-firewall",
     "auto-fix",
-    "hallucination"
+    "hallucination",
+    "sarif",
+    "github-code-scanning",
+    "gitlab-sast"
   ],
   "author": "Sinewave AI <divya@sinewave.ai>",
   "license": "MIT",