agent-security-scanner-mcp 3.1.0 → 3.3.0

package/src/tools/scan-security.js

@@ -0,0 +1,117 @@
+// src/tools/scan-security.js
+import { z } from "zod";
+import { existsSync, readFileSync } from "fs";
+import { detectLanguage, runAnalyzer, generateFix, toSarif } from '../utils.js';
+
+export const scanSecuritySchema = {
+  file_path: z.string().describe("Path to the file to scan"),
+  output_format: z.enum(['json', 'sarif']).optional().describe("Output format: 'json' (default) or 'sarif' for GitHub/GitLab integration"),
+  verbosity: z.enum(['minimal', 'compact', 'full']).optional().describe("Response detail level: 'minimal' (counts only), 'compact' (default, actionable info), 'full' (complete metadata)")
+};
+
+// Verbosity formatters
+function formatMinimal(file_path, language, issues) {
+  const bySeverity = { error: 0, warning: 0, info: 0 };
+  issues.forEach(i => bySeverity[i.severity] = (bySeverity[i.severity] || 0) + 1);
+  return {
+    file: file_path,
+    language,
+    total: issues.length,
+    critical: bySeverity.error,
+    warning: bySeverity.warning,
+    info: bySeverity.info,
+    message: issues.length > 0
+      ? `Found ${issues.length} issue(s). Use verbosity='compact' for details.`
+      : "No security issues found."
+  };
+}
+
+function formatCompact(file_path, language, issues) {
+  return {
+    file: file_path,
+    language,
+    issues_count: issues.length,
+    issues: issues.map(i => ({
+      line: i.line + 1,
+      ruleId: i.ruleId,
+      severity: i.severity,
+      message: i.message,
+      fix: i.suggested_fix?.fixed ? i.suggested_fix.fixed.trim() : null
+    }))
+  };
+}
+
+function formatFull(file_path, language, issues) {
+  return {
+    file: file_path,
+    language,
+    issues_count: issues.length,
+    issues: issues
+  };
+}
+
+export async function scanSecurity({ file_path, output_format, verbosity }) {
+  if (!existsSync(file_path)) {
+    return {
+      content: [{ type: "text", text: JSON.stringify({ error: "File not found" }) }]
+    };
+  }
+
+  const issues = runAnalyzer(file_path);
+
+  if (issues.error) {
+    return {
+      content: [{ type: "text", text: JSON.stringify(issues) }]
+    };
+  }
+
+  // Read file content for fix suggestions
+  const content = readFileSync(file_path, 'utf-8');
+  const lines = content.split('\n');
+  const language = detectLanguage(file_path);
+
+  // Enhance issues with fix suggestions
+  const enhancedIssues = issues.map(issue => {
+    const line = lines[issue.line] || '';
+    const fix = generateFix(issue, line, language);
+    return {
+      ...issue,
+      line_content: line.trim(),
+      suggested_fix: fix
+    };
+  });
+
+  // Determine verbosity (default: compact)
+  const level = verbosity || 'compact';
+
+  // Return SARIF format if requested (always full detail)
+  if (output_format === 'sarif') {
+    return {
+      content: [{
+        type: "text",
+        text: JSON.stringify(toSarif(file_path, language, enhancedIssues), null, 2)
+      }]
+    };
+  }
+
+  // Format based on verbosity
+  let result;
+  switch (level) {
+    case 'minimal':
+      result = formatMinimal(file_path, language, enhancedIssues);
+      break;
+    case 'full':
+      result = formatFull(file_path, language, enhancedIssues);
+      break;
+    case 'compact':
+    default:
+      result = formatCompact(file_path, language, enhancedIssues);
+  }
+
+  return {
+    content: [{
+      type: "text",
+      text: JSON.stringify(result, null, 2)
+    }]
+  };
+}

package/src/utils.js

@@ -0,0 +1,153 @@
+import { execFileSync } from "child_process";
+import { readFileSync, existsSync } from "fs";
+import { dirname, join, extname, basename } from "path";
+import { fileURLToPath } from "url";
+import { FIX_TEMPLATES } from './fix-patterns.js';
+
+// Handle both ESM and CJS bundling (Smithery bundles to CJS)
+let __dirname;
+try {
+  __dirname = dirname(fileURLToPath(import.meta.url));
+} catch {
+  __dirname = process.cwd();
+}
+
+// Detect language from file extension
+export function detectLanguage(filePath) {
+  // Check basename first for extensionless files like Dockerfile
+  const base = filePath.split('/').pop().split('\\').pop().toLowerCase();
+  if (base === 'dockerfile' || base.startsWith('dockerfile.')) return 'dockerfile';
+
+  const ext = filePath.split('.').pop().toLowerCase();
+  const langMap = {
+    'py': 'python', 'js': 'javascript', 'ts': 'typescript',
+    'tsx': 'typescript', 'jsx': 'javascript', 'java': 'java',
+    'go': 'go', 'rb': 'ruby', 'php': 'php',
+    'cs': 'csharp', 'rs': 'rust', 'c': 'c', 'cpp': 'cpp',
+    'cc': 'cpp', 'cxx': 'cpp', 'h': 'c', 'hpp': 'cpp',
+    'tf': 'terraform', 'hcl': 'terraform',
+    'yaml': 'generic', 'yml': 'generic',
+    'sql': 'sql',
+    // Prompt/text file extensions for prompt injection scanning
+    'txt': 'generic', 'md': 'generic', 'prompt': 'generic',
+    'jinja': 'generic', 'jinja2': 'generic', 'j2': 'generic'
+  };
+  return langMap[ext] || 'generic';
+}
+
+// Run the Python analyzer
+export function runAnalyzer(filePath) {
+  try {
+    const analyzerPath = join(__dirname, '..', 'analyzer.py');
+    const result = execFileSync('python3', [analyzerPath, filePath], {
+      encoding: 'utf-8',
+      timeout: 30000
+    });
+    return JSON.parse(result);
+  } catch (error) {
+    return { error: error.message };
+  }
+}
+
+// Generate fix suggestion for an issue
+export function generateFix(issue, line, language) {
+  const ruleId = issue.ruleId.toLowerCase();
+
+  for (const [pattern, template] of Object.entries(FIX_TEMPLATES)) {
+    if (ruleId.includes(pattern)) {
+      return {
+        description: template.description,
+        original: line,
+        fixed: template.fix(line, language)
+      };
+    }
+  }
+
+  return {
+    description: "Review and fix manually based on the security rule",
+    original: line,
+    fixed: null
+  };
+}
+
+// Convert issues to SARIF 2.1.0 format
+export function toSarif(file_path, language, issues) {
+  const severityToLevel = {
+    'error': 'error',
+    'ERROR': 'error',
+    'warning': 'warning',
+    'WARNING': 'warning',
+    'info': 'note',
+    'INFO': 'note'
+  };
+
+  // Build unique rules from issues
+  const rulesMap = new Map();
+  for (const issue of issues) {
+    if (!rulesMap.has(issue.ruleId)) {
+      rulesMap.set(issue.ruleId, {
+        id: issue.ruleId,
+        shortDescription: { text: issue.message },
+        defaultConfiguration: {
+          level: severityToLevel[issue.severity] || 'warning'
+        },
+        properties: issue.metadata || {}
+      });
+    }
+  }
+
+  // Build results
+  const results = issues.map(issue => {
+    const result = {
+      ruleId: issue.ruleId,
+      level: severityToLevel[issue.severity] || 'warning',
+      message: { text: issue.message },
+      locations: [{
+        physicalLocation: {
+          artifactLocation: { uri: file_path },
+          region: {
+            startLine: (issue.line || 0) + 1,
+            startColumn: (issue.column || 0) + 1
+          }
+        }
+      }]
+    };
+
+    // Add fix if available
+    if (issue.suggested_fix && issue.suggested_fix.fixed) {
+      result.fixes = [{
+        description: { text: issue.suggested_fix.description || 'Apply security fix' },
+        artifactChanges: [{
+          artifactLocation: { uri: file_path },
+          replacements: [{
+            deletedRegion: {
+              startLine: (issue.line || 0) + 1,
+              startColumn: 1,
+              endLine: (issue.line || 0) + 1,
+              endColumn: (issue.line_content?.length || 0) + 1
+            },
+            insertedContent: { text: issue.suggested_fix.fixed }
+          }]
+        }]
+      }];
+    }
+
+    return result;
+  });
+
+  return {
+    $schema: 'https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json',
+    version: '2.1.0',
+    runs: [{
+      tool: {
+        driver: {
+          name: 'agent-security-scanner-mcp',
+          version: '3.1.0',
+          informationUri: 'https://github.com/sinewaveai/agent-security-scanner-mcp',
+          rules: Array.from(rulesMap.values())
+        }
+      },
+      results: results
+    }]
+  };
+}