agent-security-scanner-mcp 4.1.1 → 4.3.0

package/README.md

@@ -63,6 +63,10 @@ Continue reading below for full version documentation →
 
 ---
 
+> **New in v4.3.0 (2026-05-05):** Critical security and reliability fixes — GitHub Actions now **fail closed** instead of fail-open when scanner output is invalid (preventing security gate bypass), patched **8 Hono CVEs** (XSS, path traversal, authentication bypass), fixed confidence threshold filtering case sensitivity, and corrected SARIF generation for GitHub Code Scanning. All fixes include comprehensive regression tests. **Upgrade recommended for production use.** [See Full Changelog](CHANGELOG.md#430---2026-05-05).
+>
+> **New in v4.2.0:** Compliance evidence collection — evaluate projects against SOC2-Technical (8 controls) and GDPR-Technical (6 controls) frameworks. Collects evidence from code scans, SBOM, vulnerability checks, and hallucination detection, then evaluates controls with pass/partial/fail/not_evaluated status. Supports evidence persistence for audit trails. [See Compliance Evaluation](#-compliance-evaluation-new-in-v420).
+>
 > **New in v4.1.0:** SBOM generation and dependency vulnerability analysis — generates CycloneDX v1.5 SBOMs, scans against OSV.dev for CVEs, detects hallucinated packages, compares baselines, and generates HTML audit reports. Supports 8 lock file formats and 7 manifest formats across npm, Python, Go, Rust, Ruby, and Java ecosystems. [See SBOM Tools](#-sbom--supply-chain-analysis-new-in-v410).
 >
 > **New in v4.0.0:** LLM-powered semantic code review agent with intent profiling — understands what your project is supposed to do and flags patterns that violate that intent. Same `eval()` call = safe in a build tool, dangerous in an e-commerce app. Supports Claude CLI (no API key needed!), Anthropic, and OpenAI. [See code-review-agent](#-llm-powered-code-review-agent-new-in-v400).
@@ -94,6 +98,8 @@ Continue reading below for full version documentation →
 | `sbom_check_hallucinations` | Verify all SBOM packages exist in official registries | Before deploying, to catch AI-invented packages |
 | `sbom_diff` | Compare current SBOM against baseline, detect added/removed/changed packages | In CI/CD to track dependency drift |
 | `sbom_export_report` | Generate HTML or JSON audit report from SBOM with vulnerability data | For PCI-DSS compliance, security reviews |
+| `get_compliance_controls` | Look up compliance controls with evaluation criteria (AIUC-1, SOC2, GDPR) | To understand compliance requirements |
+| `evaluate_compliance` | Evaluate project against compliance frameworks with evidence collection | For SOC2/GDPR technical compliance audits |
 
 ## Quick Start
 
@@ -424,6 +430,177 @@ sbom-report <dir> [--format html|json] [--output <path>] [--no-vulnerabilities]
 
 ---
 
+## 📋 Compliance Evaluation (New in v4.2.0)
+
+Evaluate projects against technical compliance frameworks with automated evidence collection from code scans, SBOM, vulnerability checks, and hallucination detection.
+
+### Quick Start
+
+```bash
+# Evaluate against SOC2 technical controls
+npx agent-security-scanner-mcp evaluate-compliance . --framework soc2-technical
+
+# Evaluate against GDPR technical controls
+npx agent-security-scanner-mcp evaluate-compliance . --framework gdpr-technical
+
+# Evaluate with evidence persistence (for audit trails)
+npx agent-security-scanner-mcp evaluate-compliance . --framework soc2-technical --save-evidence
+
+# List available compliance frameworks
+npx agent-security-scanner-mcp get-compliance-controls --verbosity full
+```
+
+### Supported Frameworks
+
+| Framework | Controls | Focus Areas |
+|-----------|----------|-------------|
+| **AIUC-1** | 16 | AI agent security, prompt injection, hallucination |
+| **SOC2-Technical** | 8 | Supply chain, code security, crypto, auth, drift |
+| **GDPR-Technical** | 6 | Data privacy, encryption, third-party risks |
+
+> **Note:** These are technical controls only. SOC2-Technical does not cover organizational, administrative, or physical SOC 2 controls. GDPR-Technical does not cover DPIAs, data subject rights, or processor contracts.
+
+### SOC2-Technical Controls
+
+| Control ID | Title | What It Checks |
+|------------|-------|----------------|
+| SOC2-T001 | Software dependency inventory exists | SBOM has ≥1 component |
+| SOC2-T002 | No critical dependency vulnerabilities | OSV.dev scan for critical/high CVEs |
+| SOC2-T003 | No hallucinated packages | Package registry verification |
+| SOC2-T004 | No critical code security findings | Static analysis for injection, deserialization |
+| SOC2-T005 | Data exfiltration/exposure below threshold | Exfiltration patterns, info-exposure scan |
+| SOC2-T006 | Cryptographic controls adequate | Weak algorithms, hardcoded keys |
+| SOC2-T007 | Authentication/authorization adequate | Auth bypass, permissions issues |
+| SOC2-T008 | Dependency drift tracked | SBOM baseline comparison |
+
+### GDPR-Technical Controls
+
+| Control ID | Title | What It Checks |
+|------------|-------|----------------|
+| GDPR-T001 | Sensitive data exposure below threshold | PII patterns, secrets, logging |
+| GDPR-T002 | Data exfiltration below threshold | External data transfer patterns |
+| GDPR-T003 | Encryption/transport adequate | Weak crypto, plaintext transport |
+| GDPR-T004 | Third-party dependency inventory | SBOM component count |
+| GDPR-T005 | No critical third-party vulnerabilities | OSV.dev vulnerability scan |
+| GDPR-T006 | No hallucinated packages | Registry verification |
+
+### MCP Tools
+
+#### `get_compliance_controls`
+
+Look up compliance controls with evaluation criteria. Filter by framework, domain, or OWASP LLM tags.
+
+```json
+// Input
+{ "framework": "soc2-technical", "domain": "supply-chain", "verbosity": "compact" }
+
+// Output
+{
+  "framework": "SOC2-Technical",
+  "controls_count": 4,
+  "controls": [
+    {
+      "id": "SOC2-T001",
+      "title": "Software dependency inventory exists",
+      "domain": "supply-chain",
+      "references": ["CC6.6", "CC7.1"],
+      "scanner_tools": ["sbom_generate"],
+      "evaluation": { "evidence_checks": [...] }
+    }
+  ]
+}
+```
+
+#### `evaluate_compliance`
+
+Evaluate a project against compliance frameworks. Collects evidence from multiple sources, evaluates each control, and optionally saves timestamped evidence bundles.
+
+```json
+// Input
+{
+  "directory_path": "./my-project",
+  "frameworks": ["soc2-technical", "gdpr-technical"],
+  "save_evidence": true,
+  "verbosity": "compact"
+}
+
+// Output
+{
+  "directory": "./my-project",
+  "tools_run": ["scan_project", "scan_security", "sbom_generate", "sbom_scan_vulnerabilities", "sbom_check_hallucinations"],
+  "scan_summary": { "grade": "B", "by_severity": { "CRITICAL": 0, "HIGH": 2, "MEDIUM": 5 } },
+  "sbom_summary": { "component_count": 212, "ecosystems": ["npm", "pypi"] },
+  "supply_chain": {
+    "vulnerabilities": { "total": 3, "by_severity": { "critical": 0, "high": 1, "medium": 2 } },
+    "hallucinations": { "hallucinated_count": 0 },
+    "drift": { "baseline_exists": true, "added": 2, "removed": 0 }
+  },
+  "compliance": {
+    "soc2-technical": {
+      "pass": 6, "partial": 1, "fail": 0, "not_evaluated": 1,
+      "results": [
+        { "control_id": "SOC2-T001", "status": "pass", "reasons": [] },
+        { "control_id": "SOC2-T002", "status": "partial", "reasons": ["High-severity dependency vulnerabilities exceed threshold"] }
+      ]
+    }
+  },
+  "evidence_saved": ".scanner/evidence/2026-04-02T05-30-00-soc2-technical.json"
+}
+```
+
+### Evidence Collection
+
+The `evaluate_compliance` tool collects evidence from multiple sources:
+
+| Source | Tools Used | Evidence Collected |
+|--------|------------|-------------------|
+| Code Scan | `scan_project`, `scan_security` | Security grade, findings by severity/category |
+| SBOM | `sbom_generate` | Component count, ecosystems, direct vs transitive |
+| Vulnerabilities | `sbom_scan_vulnerabilities` | CVE counts by severity |
+| Hallucinations | `sbom_check_hallucinations` | Hallucinated package count |
+| Drift | `sbom_diff` | Added/removed/changed packages vs baseline |
+
+### Evidence Persistence
+
+When `save_evidence: true`, the tool saves timestamped JSON evidence bundles to `.scanner/evidence/`:
+
+```
+.scanner/evidence/
+├── 2026-04-02T05-30-00-soc2-technical.json
+├── 2026-04-02T05-35-00-gdpr-technical.json
+└── ...
+```
+
+These bundles contain complete evidence data for audit trails and compliance documentation.
+
+### Control Evaluation Logic
+
+Controls use a path-based evidence check system with operators:
+
+| Operator | Description | Example |
+|----------|-------------|---------|
+| `exists` | Path value is present and non-null | `sbom.component_count exists` |
+| `eq` | Exact equality | `drift.baseline_exists eq true` |
+| `lte` | Less than or equal | `vulnerabilities.critical lte 0` |
+| `gte` | Greater than or equal | `sbom.component_count gte 1` |
+
+**Three-tier null handling:**
+1. **Explicit null** (e.g., OSV outage) → `not_evaluated` — source failure
+2. **Missing top-level section** → `not_evaluated` — evidence never collected
+3. **Missing leaf key** → use `default` value if specified (e.g., no crypto findings = 0)
+
+### CLI Commands
+
+```bash
+# Evaluate compliance
+evaluate-compliance <dir> [--framework <name>] [--save-evidence] [--verbosity minimal|compact|full]
+
+# List controls
+get-compliance-controls [--framework <name>] [--domain <name>] [--verbosity minimal|compact|full]
+```
+
+---
+
 ## Tool Reference
 
 ### `scan_security`
@@ -1421,6 +1598,27 @@ All MCP tools support a `verbosity` parameter to minimize context window consump
 
 ## Changelog
 
+### v4.2.0 (2026-04-02) - Compliance Evidence Collection
+
+**🚀 New Feature: SOC2/GDPR Technical Compliance Evaluation**
+
+- **2 New MCP Tools:** `evaluate_compliance`, `get_compliance_controls` (enhanced)
+- **SOC2-Technical Framework:** 8 controls covering dependency inventory, vulnerabilities, hallucinations, code findings, exfiltration, crypto, auth, drift
+- **GDPR-Technical Framework:** 6 controls covering data exposure, exfiltration, encryption, dependency inventory, vulnerabilities, hallucinations
+- **Multi-Framework Registry:** Generalized loader supporting per-framework domain validation
+- **Evidence Collection:** Automated evidence gathering from code scans, SBOM, OSV.dev, hallucination checks
+- **Evidence Persistence:** Timestamped JSON bundles saved to `.scanner/evidence/` for audit trails
+- **Generic evidence_checks Evaluator:** Path-based check system with `exists`/`eq`/`lte`/`gte` operators
+- **Three-Tier Null Handling:** Distinguishes source failures (null) from absent categories (undefined)
+- **48 New Tests:** Comprehensive coverage for multi-framework loading, evidence checks, SOC2/GDPR evaluation
+
+**Design Notes:**
+- Technical controls only — does not claim full SOC 2 or GDPR compliance
+- Missing evidence → `not_evaluated`, not false pass (secure default)
+- AIUC-1 backward compatibility maintained (zero regression)
+
+---
+
 ### v4.1.0 (2026-03-27) - SBOM Generation & Vulnerability Analysis
 
 **🚀 New Feature: Software Bill of Materials (SBOM)**

package/compliance/gdpr-technical-controls.json

@@ -0,0 +1,112 @@
+{
+  "schema_version": "1.1",
+  "framework": "GDPR-Technical",
+  "source": "GDPR Articles 25, 32 — technical measures subset",
+  "source_snapshot": "2026-03-31",
+  "source_note": "Technical controls only. This does not cover organizational measures, DPIAs, data subject rights, lawful basis, or processor contracts. Not a substitute for legal compliance assessment.",
+  "domains": ["privacy", "security", "supply-chain"],
+  "controls": [
+    {
+      "id": "GDPR-T001",
+      "title": "Sensitive data exposure findings below threshold",
+      "domain": "privacy",
+      "references": ["Art. 25(1)", "Art. 32(1)(b)"],
+      "scanner_tools": ["scan_security", "scan_project"],
+      "evidence_requirements": [
+        "Information exposure scan results (secrets, PII patterns, logging of sensitive data)",
+        "No critical sensitive data exposure findings"
+      ],
+      "evaluation": {
+        "evidence_checks": [
+          { "path": "scan.by_category_severity.info-exposure.CRITICAL", "operator": "lte", "value": 0, "on_fail": "fail", "reason": "Critical sensitive data exposure findings detected", "default": 0 },
+          { "path": "scan.by_category_severity.info-exposure.HIGH", "operator": "lte", "value": 3, "on_fail": "partial", "reason": "High-severity data exposure findings exceed threshold", "default": 0 },
+          { "path": "scan.by_category_severity.secrets.CRITICAL", "operator": "lte", "value": 0, "on_fail": "fail", "reason": "Critical hardcoded secrets detected", "default": 0 }
+        ]
+      }
+    },
+    {
+      "id": "GDPR-T002",
+      "title": "Data exfiltration findings below threshold",
+      "domain": "privacy",
+      "references": ["Art. 32(1)(b)", "Art. 32(2)"],
+      "scanner_tools": ["scan_security", "scan_project"],
+      "evidence_requirements": [
+        "Exfiltration pattern detection results",
+        "No critical or high exfiltration findings"
+      ],
+      "evaluation": {
+        "evidence_checks": [
+          { "path": "scan.by_category_severity.exfiltration.CRITICAL", "operator": "lte", "value": 0, "on_fail": "fail", "reason": "Critical data exfiltration patterns detected", "default": 0 },
+          { "path": "scan.by_category_severity.exfiltration.HIGH", "operator": "lte", "value": 0, "on_fail": "fail", "reason": "High-severity data exfiltration patterns detected", "default": 0 }
+        ]
+      }
+    },
+    {
+      "id": "GDPR-T003",
+      "title": "Encryption and secure transport controls adequate",
+      "domain": "security",
+      "references": ["Art. 32(1)(a)"],
+      "scanner_tools": ["scan_security", "scan_project"],
+      "evidence_requirements": [
+        "Cryptographic findings scan (weak algorithms, missing encryption, plaintext transport)",
+        "No critical crypto findings"
+      ],
+      "evaluation": {
+        "evidence_checks": [
+          { "path": "scan.by_category_severity.crypto.CRITICAL", "operator": "lte", "value": 0, "on_fail": "fail", "reason": "Critical cryptographic findings (weak encryption, plaintext transport)", "default": 0 },
+          { "path": "scan.by_category_severity.crypto.HIGH", "operator": "lte", "value": 2, "on_fail": "partial", "reason": "High-severity cryptographic findings exceed threshold", "default": 0 }
+        ]
+      }
+    },
+    {
+      "id": "GDPR-T004",
+      "title": "Third-party dependency inventory exists",
+      "domain": "supply-chain",
+      "references": ["Art. 28(1)", "Art. 32(1)(d)"],
+      "scanner_tools": ["sbom_generate"],
+      "evidence_requirements": [
+        "CycloneDX SBOM generated from project lockfiles",
+        "Inventory of all third-party components processing data"
+      ],
+      "evaluation": {
+        "evidence_checks": [
+          { "path": "sbom.component_count", "operator": "gte", "value": 1, "on_fail": "fail", "reason": "No third-party dependency inventory — SBOM generation found zero components" }
+        ]
+      }
+    },
+    {
+      "id": "GDPR-T005",
+      "title": "No critical vulnerabilities in third-party dependencies",
+      "domain": "supply-chain",
+      "references": ["Art. 32(1)(b)", "Art. 32(1)(d)"],
+      "scanner_tools": ["sbom_generate", "sbom_scan_vulnerabilities"],
+      "evidence_requirements": [
+        "OSV vulnerability scan results for all SBOM components",
+        "Zero critical-severity known vulnerabilities in third-party code"
+      ],
+      "evaluation": {
+        "evidence_checks": [
+          { "path": "supply_chain.vulnerabilities.by_severity.critical", "operator": "lte", "value": 0, "on_fail": "fail", "reason": "Critical vulnerabilities in third-party dependencies", "default": 0 },
+          { "path": "supply_chain.vulnerabilities.by_severity.high", "operator": "lte", "value": 5, "on_fail": "partial", "reason": "High-severity dependency vulnerabilities exceed threshold", "default": 0 }
+        ]
+      }
+    },
+    {
+      "id": "GDPR-T006",
+      "title": "No hallucinated packages in dependency tree",
+      "domain": "supply-chain",
+      "references": ["Art. 32(1)(d)"],
+      "scanner_tools": ["sbom_generate", "sbom_check_hallucinations"],
+      "evidence_requirements": [
+        "Hallucination check results against official package registries",
+        "Zero phantom/hallucinated packages"
+      ],
+      "evaluation": {
+        "evidence_checks": [
+          { "path": "supply_chain.hallucinations.hallucinated_count", "operator": "eq", "value": 0, "on_fail": "fail", "reason": "Hallucinated (phantom) packages detected — supply chain integrity risk" },
+          { "path": "supply_chain.hallucinations.legitimate_count", "operator": "gte", "value": 1, "on_fail": "not_evaluated", "not_evaluated_reason": "No packages could be verified — all ecosystems unsupported by hallucination checker", "default": 0 }
+        ]
+      }
+    }
+  ]
+}

package/compliance/soc2-technical-controls.json

@@ -0,0 +1,148 @@
+{
+  "schema_version": "1.1",
+  "framework": "SOC2-Technical",
+  "source": "AICPA Trust Services Criteria (2017) — technical controls subset",
+  "source_snapshot": "2026-03-31",
+  "source_note": "Technical controls only. This does not cover organizational, administrative, or physical SOC 2 controls. Not a substitute for a SOC 2 audit.",
+  "domains": ["security", "availability", "confidentiality", "supply-chain", "auth"],
+  "controls": [
+    {
+      "id": "SOC2-T001",
+      "title": "Software dependency inventory exists",
+      "domain": "supply-chain",
+      "references": ["CC6.6", "CC7.1"],
+      "scanner_tools": ["sbom_generate"],
+      "evidence_requirements": [
+        "CycloneDX SBOM generated from project lockfiles",
+        "Component count and ecosystem breakdown"
+      ],
+      "evaluation": {
+        "evidence_checks": [
+          { "path": "sbom.component_count", "operator": "gte", "value": 1, "on_fail": "fail", "reason": "No dependency inventory — SBOM generation found zero components" }
+        ]
+      }
+    },
+    {
+      "id": "SOC2-T002",
+      "title": "No critical dependency vulnerabilities",
+      "domain": "supply-chain",
+      "references": ["CC6.6", "CC7.1", "CC7.2"],
+      "scanner_tools": ["sbom_generate", "sbom_scan_vulnerabilities"],
+      "evidence_requirements": [
+        "OSV vulnerability scan results for all SBOM components",
+        "Zero critical-severity known vulnerabilities"
+      ],
+      "evaluation": {
+        "evidence_checks": [
+          { "path": "supply_chain.vulnerabilities.by_severity.critical", "operator": "lte", "value": 0, "on_fail": "fail", "reason": "Critical dependency vulnerabilities found", "default": 0 },
+          { "path": "supply_chain.vulnerabilities.by_severity.high", "operator": "lte", "value": 5, "on_fail": "partial", "reason": "High-severity dependency vulnerabilities exceed threshold", "default": 0 }
+        ]
+      }
+    },
+    {
+      "id": "SOC2-T003",
+      "title": "No hallucinated (phantom) packages in dependency tree",
+      "domain": "supply-chain",
+      "references": ["CC6.6", "CC6.8"],
+      "scanner_tools": ["sbom_generate", "sbom_check_hallucinations"],
+      "evidence_requirements": [
+        "Hallucination check results for all SBOM components",
+        "Zero hallucinated packages detected"
+      ],
+      "evaluation": {
+        "evidence_checks": [
+          { "path": "supply_chain.hallucinations.hallucinated_count", "operator": "eq", "value": 0, "on_fail": "fail", "reason": "Hallucinated (phantom) packages detected in dependency tree" },
+          { "path": "supply_chain.hallucinations.legitimate_count", "operator": "gte", "value": 1, "on_fail": "not_evaluated", "not_evaluated_reason": "No packages could be verified — all ecosystems unsupported by hallucination checker", "default": 0 }
+        ]
+      }
+    },
+    {
+      "id": "SOC2-T004",
+      "title": "No critical code security findings",
+      "domain": "security",
+      "references": ["CC6.1", "CC6.6", "CC7.2"],
+      "scanner_tools": ["scan_security", "scan_project"],
+      "evidence_requirements": [
+        "Static analysis scan with zero CRITICAL findings",
+        "Project-level security grade"
+      ],
+      "evaluation": {
+        "evidence_checks": [
+          { "path": "scan.by_category_severity.injection.CRITICAL", "operator": "lte", "value": 0, "on_fail": "fail", "reason": "Critical injection vulnerabilities found", "default": 0 },
+          { "path": "scan.by_category_severity.deserialization.CRITICAL", "operator": "lte", "value": 0, "on_fail": "fail", "reason": "Critical deserialization vulnerabilities found", "default": 0 },
+          { "path": "scan.by_severity.CRITICAL", "operator": "lte", "value": 0, "on_fail": "fail", "reason": "Critical code findings present", "default": 0 }
+        ]
+      }
+    },
+    {
+      "id": "SOC2-T005",
+      "title": "Data exfiltration and information exposure below threshold",
+      "domain": "confidentiality",
+      "references": ["CC6.1", "CC6.5", "C1.1"],
+      "scanner_tools": ["scan_security", "scan_project"],
+      "evidence_requirements": [
+        "Exfiltration pattern scan results",
+        "Information exposure findings below threshold"
+      ],
+      "evaluation": {
+        "evidence_checks": [
+          { "path": "scan.by_category_severity.exfiltration.CRITICAL", "operator": "lte", "value": 0, "on_fail": "fail", "reason": "Critical exfiltration findings detected", "default": 0 },
+          { "path": "scan.by_category_severity.exfiltration.HIGH", "operator": "lte", "value": 0, "on_fail": "fail", "reason": "High-severity exfiltration findings detected", "default": 0 },
+          { "path": "scan.by_category_severity.info-exposure.CRITICAL", "operator": "lte", "value": 0, "on_fail": "fail", "reason": "Critical information exposure findings detected", "default": 0 },
+          { "path": "scan.by_category_severity.info-exposure.HIGH", "operator": "lte", "value": 3, "on_fail": "partial", "reason": "High-severity information exposure findings exceed threshold", "default": 0 }
+        ]
+      }
+    },
+    {
+      "id": "SOC2-T006",
+      "title": "Cryptographic controls adequate",
+      "domain": "confidentiality",
+      "references": ["CC6.1", "CC6.7", "C1.1"],
+      "scanner_tools": ["scan_security", "scan_project"],
+      "evidence_requirements": [
+        "No critical/high crypto findings (weak algorithms, hardcoded keys)",
+        "Encryption usage scan results"
+      ],
+      "evaluation": {
+        "evidence_checks": [
+          { "path": "scan.by_category_severity.crypto.CRITICAL", "operator": "lte", "value": 0, "on_fail": "fail", "reason": "Critical cryptographic findings (weak algorithms, hardcoded keys)", "default": 0 },
+          { "path": "scan.by_category_severity.crypto.HIGH", "operator": "lte", "value": 2, "on_fail": "partial", "reason": "High-severity cryptographic findings exceed threshold", "default": 0 }
+        ]
+      }
+    },
+    {
+      "id": "SOC2-T007",
+      "title": "Authentication and authorization controls adequate",
+      "domain": "auth",
+      "references": ["CC6.1", "CC6.2", "CC6.3"],
+      "scanner_tools": ["scan_security", "scan_project"],
+      "evidence_requirements": [
+        "No critical auth findings (hardcoded creds, missing auth checks)",
+        "Least-privilege and permissions scan results"
+      ],
+      "evaluation": {
+        "evidence_checks": [
+          { "path": "scan.by_category_severity.auth.CRITICAL", "operator": "lte", "value": 0, "on_fail": "fail", "reason": "Critical authentication/authorization findings detected", "default": 0 },
+          { "path": "scan.by_category_severity.auth.HIGH", "operator": "lte", "value": 2, "on_fail": "partial", "reason": "High-severity auth findings exceed threshold", "default": 0 },
+          { "path": "scan.by_category_severity.permissions.CRITICAL", "operator": "lte", "value": 0, "on_fail": "fail", "reason": "Critical permissions/least-privilege findings detected", "default": 0 }
+        ]
+      }
+    },
+    {
+      "id": "SOC2-T008",
+      "title": "Dependency drift tracked when baseline exists",
+      "domain": "supply-chain",
+      "references": ["CC6.6", "CC8.1"],
+      "scanner_tools": ["sbom_generate", "sbom_diff"],
+      "evidence_requirements": [
+        "SBOM baseline comparison results",
+        "Change tracking for added, removed, and version-changed packages"
+      ],
+      "evaluation": {
+        "evidence_checks": [
+          { "path": "supply_chain.drift.baseline_exists", "operator": "eq", "value": true, "on_fail": "not_evaluated", "not_evaluated_reason": "No SBOM baseline — dependency drift cannot be evaluated" }
+        ]
+      }
+    }
+  ]
+}

package/index.js

@@ -33,6 +33,7 @@ import { sbomVulnerabilitiesSchema, sbomScanVulnerabilities } from './src/tools/
 import { sbomHallucinationsSchema, sbomCheckHallucinations } from './src/tools/sbom-hallucinations.js';
 import { sbomDiffSchema, sbomDiff } from './src/tools/sbom-diff.js';
 import { sbomReportSchema, sbomExportReport } from './src/tools/sbom-report.js';
+import { evaluateComplianceSchema, evaluateCompliance } from './src/tools/evaluate-compliance.js';
 
 // Handle both ESM and CJS bundling (Smithery bundles to CJS)
 let __dirname;
@@ -252,11 +253,18 @@ server.tool(
 
 server.tool(
   "get_compliance_controls",
-  "Look up AIUC-1 compliance controls with evaluation criteria. Filter by domain (security/safety), control IDs, or OWASP LLM tags. Returns structured evaluation rules for pass/partial/fail assessment.",
+  "Look up compliance controls with evaluation criteria. Supports multiple frameworks: aiuc-1 (default), soc2-technical, gdpr-technical. Filter by domain, control IDs, or OWASP LLM tags.",
   complianceControlsSchema,
   getComplianceControls
 );
 
+server.tool(
+  "evaluate_compliance",
+  "Evaluate a project against compliance frameworks (SOC2-technical, GDPR-technical, AIUC-1). Collects evidence from code scans, SBOM, vulnerability checks, and hallucination detection, then evaluates controls. Optionally saves timestamped evidence bundle.",
+  evaluateComplianceSchema,
+  evaluateCompliance
+);
+
 // ===========================================
 // SBOM / SUPPLY CHAIN ANALYSIS
 // ===========================================

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "agent-security-scanner-mcp",
-  "version": "4.1.1",
+  "version": "4.3.0",
   "mcpName": "io.github.sinewaveai/agent-security-scanner-mcp",
   "description": "Security scanner MCP server for AI coding agents. Prompt injection firewall, package hallucination detection (4.3M+ packages), 1700+ vulnerability rules with AST & taint analysis, LLM-powered semantic code review, auto-fix. For Claude Code, Cursor, Windsurf, Cline, OpenClaw.",
   "main": "index.js",

package/src/config.js

@@ -172,8 +172,9 @@ export function meetsSeverityThreshold(severity, config) {
 }
 
 export function meetsConfidenceThreshold(confidence, config) {
-  const threshold = config.confidence_threshold || 'LOW';
-  const confidenceLevel = CONFIDENCE_ORDER[confidence] ?? 0;
+  const threshold = String(config.confidence_threshold || 'LOW').toUpperCase();
+  const normalizedConfidence = String(confidence || 'LOW').toUpperCase();
+  const confidenceLevel = CONFIDENCE_ORDER[normalizedConfidence] ?? 0;
   const thresholdLevel = CONFIDENCE_ORDER[threshold] ?? 0;
   return confidenceLevel >= thresholdLevel;
 }