agent-security-scanner-mcp 3.7.0 → 3.9.0

@@ -4,7 +4,7 @@ import { existsSync, readFileSync, readdirSync, statSync } from "fs";
4
4
  import { join, resolve, relative, extname, basename } from "path";
5
5
  import { execFileSync } from "child_process";
6
6
  import { scanSecurity } from './scan-security.js';
7
- import { matchGlob, loadConfig, shouldExcludeFile } from '../config.js';
7
+ import { matchGlob, loadConfig, shouldExcludeFile, evaluatePolicy } from '../config.js';
8
8
  import { detectLanguage } from '../utils.js';
9
9
 
10
10
  export const scanProjectSchema = {
@@ -223,9 +223,9 @@ export async function scanProject({ directory_path, recursive, include_patterns,
223
223
  let crossFileIssues = [];
224
224
  if (cross_file && files.length <= 50) {
225
225
  try {
226
- const { runCrossFileAnalyzer } = await import('../utils.js');
227
- if (typeof runCrossFileAnalyzer === 'function') {
228
- const crossResults = runCrossFileAnalyzer(files);
226
+ const { runCrossFileAnalyzerAsync } = await import('../utils.js');
227
+ if (typeof runCrossFileAnalyzerAsync === 'function') {
228
+ const crossResults = await runCrossFileAnalyzerAsync(files);
229
229
  if (Array.isArray(crossResults)) {
230
230
  crossFileIssues = crossResults;
231
231
  for (const issue of crossFileIssues) {
@@ -243,6 +243,12 @@ export async function scanProject({ directory_path, recursive, include_patterns,
243
243
  const grade = calculateGrade(allIssues.length, files.length, bySeverity.error);
244
244
  const level = verbosity || 'compact';
245
245
 
246
+ // Evaluate policy
247
+ const policyResult = evaluatePolicy(
248
+ { grade, by_severity: bySeverity, issues_count: allIssues.length },
249
+ config
250
+ );
251
+
246
252
  if (level === 'minimal') {
247
253
  return {
248
254
  content: [{ type: "text", text: JSON.stringify({
@@ -253,6 +259,8 @@ export async function scanProject({ directory_path, recursive, include_patterns,
253
259
  warning: bySeverity.warning,
254
260
  info: bySeverity.info,
255
261
  grade,
262
+ policy_passed: policyResult.passed,
263
+ policy_violations: policyResult.violations.length > 0 ? policyResult.violations : undefined,
256
264
  message: allIssues.length > 0
257
265
  ? `Found ${allIssues.length} issue(s) across ${files.length} files. Grade: ${grade}`
258
266
  : `No issues found in ${files.length} files. Grade: ${grade}`
@@ -285,6 +293,8 @@ export async function scanProject({ directory_path, recursive, include_patterns,
285
293
  by_severity: bySeverity,
286
294
  by_category: byCategory,
287
295
  cross_file_issues: crossFileIssues.length > 0 ? crossFileIssues.length : undefined,
296
+ policy_passed: policyResult.passed,
297
+ policy_violations: policyResult.violations.length > 0 ? policyResult.violations : undefined,
288
298
  issues: topIssues
289
299
  }, null, 2) }]
290
300
  };
@@ -301,6 +311,8 @@ export async function scanProject({ directory_path, recursive, include_patterns,
301
311
  by_category: byCategory,
302
312
  by_file: byFile,
303
313
  cross_file_issues: crossFileIssues.length > 0 ? crossFileIssues : undefined,
314
+ policy_passed: policyResult.passed,
315
+ policy_violations: policyResult.violations.length > 0 ? policyResult.violations : undefined,
304
316
  issues: allIssues,
305
317
  scanned_files: files.map(f => relative(dirPath, f))
306
318
  }, null, 2) }]
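Review bot: In the hunk at new lines 246–250, `policyResult.passed` and `policyResult.violations.length` are then read unguarded in all three response shapes, so if `evaluatePolicy` returns nothing or omits `violations` (its contract, including what it does when `config` has no policy, is not visible here) the scan throws a TypeError after all the work is done. Because `policy_passed` is the value a caller will gate on, I would normalise it once right after the call, failing closed, with `const policyViolations = Array.isArray(policyResult?.violations) ? policyResult.violations : [];` and `const policyPassed = policyResult?.passed === true;`, and reuse those two names in the three returns instead of repeating the ternary. The verdict is also computed whether or not the cross-file pass ran: that pass is skipped above 50 files or when `runCrossFileAnalyzerAsync` is not a function, and the response gives no sign of it, so `policy_passed: true` can rest on a partial scan. A comment above the call stating which findings feed the policy would help, since it is not clear from these hunks whether `crossFileIssues` are counted in `allIssues`. The body of `scanProject` starts and ends outside the hunks shown.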