agent-security-scanner-mcp 3.19.0 → 3.20.0

package/compliance/aiuc-1-controls.json

@@ -0,0 +1,330 @@
+{
+  "schema_version": "1.0",
+  "framework": "AIUC-1",
+  "source": "https://www.aiuc-1.com/crosswalks",
+  "source_snapshot": "2026-03-14",
+  "source_note": "Controls extracted from AIUC-1 crosswalks page, pinned to this date. Update source_snapshot if re-extracted.",
+  "domains": ["security", "safety"],
+  "controls": [
+    {
+      "id": "B001",
+      "title": "Third-party testing of adversarial robustness",
+      "domain": "security",
+      "aivss_threats": ["Agent Cascading Failures", "Agent Goal Manipulation"],
+      "owasp_llm": ["LLM01", "LLM04", "LLM08"],
+      "scanner_tools": ["scan_agent_prompt", "scan_security", "scan_skill"],
+      "evidence_requirements": [
+        "Scan results showing prompt injection detection coverage",
+        "AIVSS scores for adversarial robustness findings"
+      ],
+      "evaluation": {
+        "max_aivss_posture": 7.0,
+        "fail_on_actions": ["BLOCK"],
+        "fail_on_severities": ["CRITICAL"],
+        "required_tools": ["scan_agent_prompt"],
+        "min_grade": "D",
+        "max_critical_findings": 0
+      }
+    },
+    {
+      "id": "B002",
+      "title": "Detection of adversarial inputs",
+      "domain": "security",
+      "aivss_threats": ["Prompt Injection", "Evasion Attacks"],
+      "owasp_llm": ["LLM01"],
+      "scanner_tools": ["scan_agent_prompt"],
+      "evidence_requirements": [
+        "Prompt injection detection results",
+        "Coverage of OWASP prompt injection categories"
+      ],
+      "evaluation": {
+        "max_aivss_posture": 7.0,
+        "fail_on_actions": ["BLOCK"],
+        "fail_on_severities": ["CRITICAL"],
+        "required_tools": ["scan_agent_prompt"],
+        "min_grade": "D",
+        "max_critical_findings": 0
+      }
+    },
+    {
+      "id": "B003",
+      "title": "Protection of technical details from unauthorized access",
+      "domain": "security",
+      "aivss_threats": ["Model Theft", "Information Disclosure"],
+      "owasp_llm": ["LLM06", "LLM10"],
+      "scanner_tools": ["scan_security", "scan_project"],
+      "evidence_requirements": [
+        "Code scan results showing no information disclosure vulnerabilities",
+        "No hardcoded credentials or API keys"
+      ],
+      "evaluation": {
+        "max_aivss_posture": 6.0,
+        "fail_on_actions": [],
+        "fail_on_severities": ["CRITICAL"],
+        "required_tools": ["scan_security"],
+        "min_grade": "C",
+        "max_critical_findings": 0
+      }
+    },
+    {
+      "id": "B004",
+      "title": "Prevention of endpoint scraping and data extraction",
+      "domain": "security",
+      "aivss_threats": ["Data Exfiltration", "API Abuse"],
+      "owasp_llm": ["LLM02", "LLM06"],
+      "scanner_tools": ["scan_security", "scan_agent_action"],
+      "evidence_requirements": [
+        "Scan results for data exfiltration patterns",
+        "Action monitoring for unauthorized HTTP requests"
+      ],
+      "evaluation": {
+        "max_aivss_posture": 7.0,
+        "fail_on_actions": ["BLOCK"],
+        "fail_on_severities": ["CRITICAL"],
+        "required_tools": ["scan_security"],
+        "min_grade": "C",
+        "max_critical_findings": 0
+      }
+    },
+    {
+      "id": "B005",
+      "title": "Filtering and validation of AI system inputs",
+      "domain": "security",
+      "aivss_threats": ["Prompt Injection", "Input Manipulation"],
+      "owasp_llm": ["LLM01", "LLM03"],
+      "scanner_tools": ["scan_agent_prompt", "scan_security"],
+      "evidence_requirements": [
+        "Input validation scan results",
+        "Prompt injection detection coverage"
+      ],
+      "evaluation": {
+        "max_aivss_posture": 7.0,
+        "fail_on_actions": ["BLOCK"],
+        "fail_on_severities": ["CRITICAL"],
+        "required_tools": ["scan_agent_prompt"],
+        "min_grade": "D",
+        "max_critical_findings": 0
+      }
+    },
+    {
+      "id": "B006",
+      "title": "Prevention of unauthorized actions by AI system",
+      "domain": "security",
+      "aivss_threats": ["Agent Goal Manipulation", "Unauthorized Actions"],
+      "owasp_llm": ["LLM01", "LLM08"],
+      "scanner_tools": ["scan_agent_action", "scan_security"],
+      "evidence_requirements": [
+        "Action monitoring results",
+        "Security scan for privilege escalation"
+      ],
+      "evaluation": {
+        "max_aivss_posture": 7.0,
+        "fail_on_actions": ["BLOCK"],
+        "fail_on_severities": ["CRITICAL"],
+        "required_tools": ["scan_agent_action"],
+        "min_grade": "C",
+        "max_critical_findings": 0
+      }
+    },
+    {
+      "id": "B007",
+      "title": "Restriction of access privileges for AI components",
+      "domain": "security",
+      "aivss_threats": ["Privilege Escalation", "Lateral Movement"],
+      "owasp_llm": ["LLM06", "LLM08"],
+      "scanner_tools": ["scan_security", "scan_mcp_server"],
+      "evidence_requirements": [
+        "MCP server permission audit results",
+        "Least-privilege analysis"
+      ],
+      "evaluation": {
+        "max_aivss_posture": 6.0,
+        "fail_on_actions": [],
+        "fail_on_severities": ["CRITICAL"],
+        "required_tools": ["scan_security"],
+        "min_grade": "C",
+        "max_critical_findings": 0
+      }
+    },
+    {
+      "id": "B008",
+      "title": "Protection of deployment infrastructure",
+      "domain": "security",
+      "aivss_threats": ["Supply Chain Compromise", "Infrastructure Attacks"],
+      "owasp_llm": ["LLM05", "LLM09"],
+      "scanner_tools": ["scan_security", "scan_project"],
+      "evidence_requirements": [
+        "Project-level security scan results",
+        "Dependency and supply chain analysis"
+      ],
+      "evaluation": {
+        "max_aivss_posture": 7.0,
+        "fail_on_actions": [],
+        "fail_on_severities": ["CRITICAL"],
+        "required_tools": ["scan_project"],
+        "min_grade": "C",
+        "max_critical_findings": 0
+      }
+    },
+    {
+      "id": "B009",
+      "title": "Prevention of sensitive output exposure",
+      "domain": "security",
+      "aivss_threats": ["Data Leakage", "Output Manipulation"],
+      "owasp_llm": ["LLM02", "LLM06"],
+      "scanner_tools": ["scan_security", "scan_agent_prompt"],
+      "evidence_requirements": [
+        "Output exposure vulnerability scan results",
+        "Sensitive data handling analysis"
+      ],
+      "evaluation": {
+        "max_aivss_posture": 6.0,
+        "fail_on_actions": [],
+        "fail_on_severities": ["CRITICAL"],
+        "required_tools": ["scan_security"],
+        "min_grade": "C",
+        "max_critical_findings": 0
+      }
+    },
+    {
+      "id": "C003",
+      "title": "Prevention of harmful AI outputs",
+      "domain": "safety",
+      "aivss_threats": ["Harmful Content Generation", "Agent Goal Manipulation"],
+      "owasp_llm": ["LLM02", "LLM07"],
+      "scanner_tools": ["scan_agent_prompt", "scan_skill"],
+      "evidence_requirements": [
+        "Prompt safety scan results",
+        "Skill content safety analysis"
+      ],
+      "evaluation": {
+        "max_aivss_posture": 6.0,
+        "fail_on_actions": ["BLOCK"],
+        "fail_on_severities": ["CRITICAL"],
+        "required_tools": ["scan_agent_prompt"],
+        "min_grade": "D",
+        "max_critical_findings": 0
+      }
+    },
+    {
+      "id": "C004",
+      "title": "Prevention of out-of-scope AI outputs",
+      "domain": "safety",
+      "aivss_threats": ["Scope Creep", "Unauthorized Actions"],
+      "owasp_llm": ["LLM07", "LLM08"],
+      "scanner_tools": ["scan_agent_prompt", "scan_agent_action"],
+      "evidence_requirements": [
+        "Scope boundary enforcement results",
+        "Action monitoring for out-of-scope operations"
+      ],
+      "evaluation": {
+        "max_aivss_posture": 6.0,
+        "fail_on_actions": ["BLOCK"],
+        "fail_on_severities": ["CRITICAL"],
+        "required_tools": ["scan_agent_prompt"],
+        "min_grade": "D",
+        "max_critical_findings": 0
+      }
+    },
+    {
+      "id": "C005",
+      "title": "Detection and mitigation of high-risk AI outputs",
+      "domain": "safety",
+      "aivss_threats": ["High-Risk Actions", "Safety Violations"],
+      "owasp_llm": ["LLM02", "LLM07"],
+      "scanner_tools": ["scan_agent_action", "scan_security"],
+      "evidence_requirements": [
+        "High-risk action detection results",
+        "Safety check coverage analysis"
+      ],
+      "evaluation": {
+        "max_aivss_posture": 7.0,
+        "fail_on_actions": ["BLOCK"],
+        "fail_on_severities": ["CRITICAL"],
+        "required_tools": ["scan_agent_action"],
+        "min_grade": "D",
+        "max_critical_findings": 0
+      }
+    },
+    {
+      "id": "C006",
+      "title": "Detection and remediation of output vulnerabilities",
+      "domain": "safety",
+      "aivss_threats": ["Output Injection", "Cross-Site Scripting"],
+      "owasp_llm": ["LLM02"],
+      "scanner_tools": ["scan_security", "scan_project"],
+      "evidence_requirements": [
+        "Output vulnerability scan results",
+        "XSS and injection detection coverage"
+      ],
+      "evaluation": {
+        "max_aivss_posture": 7.0,
+        "fail_on_actions": [],
+        "fail_on_severities": ["CRITICAL"],
+        "required_tools": ["scan_security"],
+        "min_grade": "C",
+        "max_critical_findings": 0
+      }
+    },
+    {
+      "id": "C007",
+      "title": "Flagging of potentially unsafe AI-generated content",
+      "domain": "safety",
+      "aivss_threats": ["Unsafe Content", "Content Quality"],
+      "owasp_llm": ["LLM02", "LLM09"],
+      "scanner_tools": ["scan_agent_prompt", "scan_skill"],
+      "evidence_requirements": [
+        "Content safety scanning results",
+        "Unsafe content detection coverage"
+      ],
+      "evaluation": {
+        "max_aivss_posture": 6.0,
+        "fail_on_actions": ["BLOCK"],
+        "fail_on_severities": ["CRITICAL"],
+        "required_tools": ["scan_agent_prompt"],
+        "min_grade": "D",
+        "max_critical_findings": 0
+      }
+    },
+    {
+      "id": "C008",
+      "title": "Continuous monitoring and logging of AI system behavior",
+      "domain": "safety",
+      "aivss_threats": ["Unmonitored Drift", "Behavioral Anomalies"],
+      "owasp_llm": ["LLM09", "LLM10"],
+      "scanner_tools": ["scan_project", "scan_security"],
+      "evidence_requirements": [
+        "Monitoring infrastructure scan results",
+        "Logging coverage analysis"
+      ],
+      "evaluation": {
+        "max_aivss_posture": 6.0,
+        "fail_on_actions": [],
+        "fail_on_severities": ["CRITICAL"],
+        "required_tools": ["scan_project"],
+        "min_grade": "C",
+        "max_critical_findings": 0
+      }
+    },
+    {
+      "id": "C012",
+      "title": "Third-party safety testing of AI systems",
+      "domain": "safety",
+      "aivss_threats": ["Untested Scenarios", "Safety Gaps"],
+      "owasp_llm": ["LLM01", "LLM07"],
+      "scanner_tools": ["scan_skill", "scan_agent_prompt", "scan_security"],
+      "evidence_requirements": [
+        "Third-party scan results (skill, prompt, security)",
+        "AIVSS posture scores across all domains"
+      ],
+      "evaluation": {
+        "max_aivss_posture": 7.0,
+        "fail_on_actions": ["BLOCK"],
+        "fail_on_severities": ["CRITICAL"],
+        "required_tools": ["scan_skill"],
+        "min_grade": "D",
+        "max_critical_findings": 0
+      }
+    }
+  ]
+}

package/index.js

@@ -26,6 +26,8 @@ import { runDoctor } from './src/cli/doctor.js';
 import { runDemo } from './src/cli/demo.js';
 import { runInitHooks } from './src/cli/init-hooks.js';
 import { runReport } from './src/cli/report.js';
+import { scoreAivssSchema, scoreAivssTool } from './src/tools/score-aivss.js';
+import { complianceControlsSchema, getComplianceControls } from './src/tools/compliance-controls.js';
 
 // Handle both ESM and CJS bundling (Smithery bundles to CJS)
 let __dirname;
@@ -232,6 +234,24 @@ server.tool(
   _healthHandler
 );
 
+// ===========================================
+// AIVSS SCORING + COMPLIANCE
+// ===========================================
+
+server.tool(
+  "score_aivss",
+  "Score findings using OWASP AIVSS v2. Accepts any scanner output or raw findings JSON. Returns per-finding AIVSS scores (0-10) and aggregate posture. Use verbosity='minimal' for posture only, 'compact' (default) for scores, 'full' for all metrics.",
+  scoreAivssSchema,
+  scoreAivssTool
+);
+
+server.tool(
+  "get_compliance_controls",
+  "Look up AIUC-1 compliance controls with evaluation criteria. Filter by domain (security/safety), control IDs, or OWASP LLM tags. Returns structured evaluation rules for pass/partial/fail assessment.",
+  complianceControlsSchema,
+  getComplianceControls
+);
+
 // ===========================================
 // CLI COMMANDS - Extracted to src/cli/
 // ===========================================
@@ -515,7 +535,7 @@ const cliArgs = process.argv.slice(2);
   console.log('    init-hooks           Install Claude Code hooks for auto-scanning');
   console.log('    doctor [--fix]       Check environment & client configs');
   console.log('    demo [--lang js]     Generate vulnerable file + scan it');
-  console.log('    report <dir>         Generate HTML security report with history');
+  console.log('    report <dir>         Generate HTML security report with history [--threat-model]');
   console.log('    benchmark [flags]      Run accuracy benchmarks\n');
   console.log('  CLI Tools (for scripts & OpenClaw):');
   console.log('    scan-prompt <text>   Scan prompt for injection attacks');

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "agent-security-scanner-mcp",
-  "version": "3.19.0",
+  "version": "3.20.0",
   "mcpName": "io.github.sinewaveai/agent-security-scanner-mcp",
   "description": "Security scanner MCP server for AI coding agents. Prompt injection firewall, package hallucination detection (4.3M+ packages), 1000+ vulnerability rules with AST & taint analysis, auto-fix. For Claude Code, Cursor, Windsurf, Cline, OpenClaw.",
   "main": "index.js",
@@ -110,7 +110,9 @@
     "scripts/postinstall.js",
     "cross_file_analyzer.py",
     "daemon.py",
-    "python_taint_fallback.py"
+    "python_taint_fallback.py",
+    "src/lib/*.js",
+    "compliance/**"
   ],
   "devDependencies": {
     "all-the-package-names": "^2.0.2349",

package/src/cli/report.js

@@ -4,6 +4,10 @@ import { existsSync, writeFileSync, mkdirSync } from 'fs';
 import { resolve, join } from 'path';
 import { scanProject } from '../tools/scan-project.js';
 import { saveResult, loadHistory, getTrends, diffResults } from '../history.js';
+import { normalizeFindings } from '../lib/normalize-finding.js';
+import { scoreBatch } from '../lib/aivss.js';
+import { loadControls } from '../lib/compliance-controls.js';
+import { evaluateAll } from '../lib/compliance-evaluator.js';
 
 // Grade color mapping
 const GRADE_COLORS = {
@@ -359,6 +363,62 @@ function generateHtml(scanResult, history, diff) {
 </html>`;
 }
 
+/**
+ * Build the threat_model section from scan results.
+ * Exported for testing.
+ */
+export function buildThreatModel(scanResult) {
+  // scan_project wraps scan_security — tag findings as scan_security so
+  // controls scoped to either tool can see them. Duplicate each finding
+  // under both source_tools for correct evaluator scoping.
+  const base = normalizeFindings(scanResult.issues || [], 'scan_security');
+  const duped = base.map(f => ({ ...f, source_tool: 'scan_project' }));
+  const normalized = [...base, ...duped];
+  const aivssResult = scoreBatch(base); // score deduplicated set
+
+  const grade = scanResult.grade || null;
+  const controls = loadControls().controls;
+  const evidence = {
+    aivssPosture: aivssResult.posture,
+    findings: normalized,
+    grades: { scan_project: grade, scan_security: grade, project: grade },
+    toolsRun: ['scan_project', 'scan_security'],
+  };
+  const complianceResult = evaluateAll(controls, evidence);
+
+  return {
+    aivss: {
+      model: aivssResult.posture.model,
+      posture: {
+        max_score: aivssResult.posture.max_score,
+        p95_score: aivssResult.posture.p95_score,
+        mean_score: aivssResult.posture.mean_score,
+        posture_score: aivssResult.posture.posture_score,
+        posture_rating: aivssResult.posture.posture_rating,
+        score_distribution: aivssResult.posture.score_distribution,
+      },
+      findings: aivssResult.findings.map(f => ({
+        rule_id: f.rule_id,
+        aivss_score: f.aivss_score,
+        rating: f.rating,
+        vector_string: f.vector_string,
+        metrics: f.metrics,
+      })),
+    },
+    compliance: {
+      framework: 'AIUC-1',
+      controls_evaluated: complianceResult.controls_evaluated,
+      summary: {
+        pass: complianceResult.pass,
+        partial: complianceResult.partial,
+        fail: complianceResult.fail,
+        not_evaluated: complianceResult.not_evaluated,
+      },
+      results: complianceResult.results,
+    },
+  };
+}
+
 /**
  * Run the report CLI command.
  *
@@ -378,6 +438,7 @@ export async function runReport(args) {
   }
 
   const jsonOutput = args.includes('--json');
+  const threatModel = args.includes('--threat-model');
   const daysIdx = args.indexOf('--days');
   const days = daysIdx !== -1 && args[daysIdx + 1] ? parseInt(args[daysIdx + 1], 10) : 90;
 
@@ -390,6 +451,11 @@ export async function runReport(args) {
   });
   const scanResult = JSON.parse(result.content[0].text);
 
+  // Attach threat model before saving to history so future trends include AIVSS posture
+  if (threatModel) {
+    scanResult.threat_model = buildThreatModel(scanResult);
+  }
+
   // Save result to history
   const savedPath = saveResult(dirPath, scanResult);
   console.log(`  Results saved to ${savedPath}`);
@@ -413,10 +479,15 @@ export async function runReport(args) {
       diff,
       generated_at: new Date().toISOString(),
     };
+
     console.log(JSON.stringify(jsonReport, null, 2));
     return;
   }
 
+  if (threatModel) {
+    console.log('  Note: --threat-model currently only produces output with --json. HTML rendering is planned.');
+  }
+
   // Generate HTML report
   const html = generateHtml(scanResult, trends, diff);
   const scannerDir = join(dirPath, '.scanner');