aws-security-mcp 0.6.1 → 0.6.3

package/dist/bin/aws-security-mcp.js

@@ -237,7 +237,7 @@ import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js"
 import { z } from "zod";
 
 // src/version.ts
-var VERSION = "0.6.1";
+var VERSION = "0.6.3";
 
 // src/utils/aws-client.ts
 import { STSClient, GetCallerIdentityCommand } from "@aws-sdk/client-sts";
@@ -502,10 +502,6 @@ import {
   ConfigServiceClient,
   DescribeConfigurationRecordersCommand
 } from "@aws-sdk/client-config-service";
-import {
-  Macie2Client,
-  GetMacieSessionCommand
-} from "@aws-sdk/client-macie2";
 import {
   CloudTrailClient,
   DescribeTrailsCommand
@@ -549,7 +545,7 @@ function isNotEnabled(err) {
   err.name === "DisabledException" || err.message.includes("not enabled") || err.message.includes("not subscribed");
 }
 function computeMaturityLevel(enabledCount) {
-  if (enabledCount >= 6) return "comprehensive";
+  if (enabledCount >= 5) return "comprehensive";
   if (enabledCount >= 4) return "advanced";
   if (enabledCount >= 2) return "intermediate";
   return "basic";
@@ -853,53 +849,6 @@ var ServiceDetectionScanner = class {
         services.push({ name: "AWS Config", enabled: null, details: "Detection error" });
       }
     }
-    if (region.startsWith("cn-")) {
-      services.push({ name: "Macie", enabled: null, details: "Not available in China regions" });
-      warnings.push("Macie is not available in AWS China regions.");
-    } else {
-      try {
-        const mc = createClient(Macie2Client, region, ctx.credentials);
-        await mc.send(new GetMacieSessionCommand({}));
-        services.push({
-          name: "Macie",
-          enabled: true,
-          details: "Sensitive data detection active"
-        });
-      } catch (err) {
-        if (isAccessDenied(err)) {
-          warnings.push("Macie: insufficient permissions to check status");
-          services.push({ name: "Macie", enabled: null, details: "Access denied" });
-        } else if (isNotEnabled(err)) {
-          services.push({
-            name: "Macie",
-            enabled: false,
-            recommendation: "Enable Macie to detect sensitive data in S3",
-            freeTrialAvailable: true
-          });
-          findings.push(
-            makeFinding({
-              riskScore: 5,
-              title: "Amazon Macie is not enabled",
-              resourceType: "AWS::Macie::Session",
-              resourceId: "macie",
-              resourceArn: `arn:${partition}:macie2:${region}:${accountId}:session`,
-              region,
-              description: "Amazon Macie is not enabled in this region. Macie uses machine learning to discover and protect sensitive data stored in S3.",
-              impact: "Detects sensitive data (PII, credentials, financial data) in S3 buckets. Without it, sensitive data exposure may go unnoticed.",
-              remediationSteps: [
-                "Open the Amazon Macie console.",
-                "Click 'Get Started' and enable Macie.",
-                "Macie offers a 30-day free trial for sensitive data discovery.",
-                "Configure automated sensitive data discovery jobs."
-              ]
-            })
-          );
-        } else {
-          warnings.push(`Macie detection failed: ${err instanceof Error ? err.message : String(err)}`);
-          services.push({ name: "Macie", enabled: null, details: "Detection error" });
-        }
-      }
-    }
     const knownServices = services.filter((s) => s.enabled !== null);
     const enabledCount = services.filter((s) => s.enabled === true).length;
     const coveragePercent = knownServices.length > 0 ? Math.round(enabledCount / knownServices.length * 100) : 0;
@@ -3925,6 +3874,12 @@ var zhI18n = {
   trendTitle: "30\u65E5\u8D8B\u52BF",
   findingsBySeverity: "\u6309\u4E25\u91CD\u6027\u5206\u7C7B\u7684\u53D1\u73B0",
   showMoreCount: (n) => `\u663E\u793A\u5269\u4F59 ${n} \u9879\u2026`,
+  // Filter toolbar
+  filterSeverity: "\u4E25\u91CD\u6027\uFF1A",
+  filterModule: "\u6A21\u5757\uFF1A",
+  filterAll: "\u5168\u90E8",
+  filterAllModules: "\u5168\u90E8\u6A21\u5757",
+  filterCountTpl: "\u663E\u793A {shown} / {total} \u4E2A\u53D1\u73B0",
   // Extended — MLPS extras
   // Markdown report
   executiveSummary: "\u6267\u884C\u6458\u8981",
@@ -3955,6 +3910,44 @@ var zhI18n = {
     "\u5B89\u5168\u8BA1\u7B97\u73AF\u5883": "\u56DB\u3001\u5B89\u5168\u8BA1\u7B97\u73AF\u5883",
     "\u5B89\u5168\u7BA1\u7406\u4E2D\u5FC3": "\u4E94\u3001\u5B89\u5168\u7BA1\u7406\u4E2D\u5FC3"
   },
+  // Module display names
+  moduleNames: {
+    service_detection: "\u5B89\u5168\u670D\u52A1\u68C0\u6D4B",
+    secret_exposure: "\u5BC6\u94A5\u66B4\u9732",
+    ssl_certificate: "SSL \u8BC1\u4E66",
+    dns_dangling: "\u60AC\u6302 DNS",
+    network_reachability: "\u7F51\u7EDC\u53EF\u8FBE\u6027",
+    iam_privilege_escalation: "IAM \u63D0\u6743\u5206\u6790",
+    public_access_verify: "\u516C\u7F51\u8BBF\u95EE\u9A8C\u8BC1",
+    tag_compliance: "\u6807\u7B7E\u5408\u89C4",
+    idle_resources: "\u95F2\u7F6E\u8D44\u6E90",
+    disaster_recovery: "\u707E\u5907\u8BC4\u4F30",
+    security_hub_findings: "Security Hub",
+    guardduty_findings: "GuardDuty",
+    inspector_findings: "Inspector",
+    trusted_advisor_findings: "Trusted Advisor",
+    config_rules_findings: "Config Rules",
+    access_analyzer_findings: "Access Analyzer",
+    patch_compliance_findings: "\u8865\u4E01\u5408\u89C4",
+    imdsv2_enforcement: "IMDSv2 \u5F3A\u5236",
+    waf_coverage: "WAF \u8986\u76D6",
+    // Security Hub sub-categories
+    "sh:FSBP": "\u5B89\u5168\u6700\u4F73\u5B9E\u8DF5",
+    "sh:Inspector": "\u8F6F\u4EF6\u6F0F\u6D1E",
+    "sh:GuardDuty": "\u5A01\u80C1\u68C0\u6D4B",
+    "sh:Config": "\u914D\u7F6E\u5408\u89C4",
+    "sh:Access Analyzer": "\u5916\u90E8\u8BBF\u95EE",
+    "sh:Other": "\u5176\u4ED6\u5B89\u5168\u53D1\u73B0"
+  },
+  // Security Hub sub-categories
+  securityHubSubCategories: {
+    FSBP: { label: "\u5B89\u5168\u6700\u4F73\u5B9E\u8DF5" },
+    Inspector: { label: "\u8F6F\u4EF6\u6F0F\u6D1E" },
+    GuardDuty: { label: "\u5A01\u80C1\u68C0\u6D4B" },
+    Config: { label: "\u914D\u7F6E\u5408\u89C4" },
+    "Access Analyzer": { label: "\u5916\u90E8\u8BBF\u95EE" },
+    Other: { label: "\u5176\u4ED6\u5B89\u5168\u53D1\u73B0" }
+  },
   // Service Recommendations
   notEnabled: "\u672A\u542F\u7528",
   serviceRecommendations: {
@@ -4157,6 +4150,12 @@ var enI18n = {
   trendTitle: "30-Day Trends",
   findingsBySeverity: "Findings by Severity",
   showMoreCount: (n) => `Show ${n} more\u2026`,
+  // Filter toolbar
+  filterSeverity: "Severity:",
+  filterModule: "Module:",
+  filterAll: "All",
+  filterAllModules: "All Modules",
+  filterCountTpl: "Showing {shown} / {total} findings",
   // Extended \u2014 MLPS extras
   // Markdown report
   executiveSummary: "Executive Summary",
@@ -4187,6 +4186,44 @@ var enI18n = {
     "\u5B89\u5168\u8BA1\u7B97\u73AF\u5883": "IV. Computing Environment Security",
     "\u5B89\u5168\u7BA1\u7406\u4E2D\u5FC3": "V. Security Management Center"
   },
+  // Module display names
+  moduleNames: {
+    service_detection: "Security Service Detection",
+    secret_exposure: "Secret Exposure",
+    ssl_certificate: "SSL Certificate",
+    dns_dangling: "Dangling DNS",
+    network_reachability: "Network Reachability",
+    iam_privilege_escalation: "IAM Privilege Escalation",
+    public_access_verify: "Public Access Verification",
+    tag_compliance: "Tag Compliance",
+    idle_resources: "Idle Resources",
+    disaster_recovery: "Disaster Recovery",
+    security_hub_findings: "Security Hub",
+    guardduty_findings: "GuardDuty",
+    inspector_findings: "Inspector",
+    trusted_advisor_findings: "Trusted Advisor",
+    config_rules_findings: "Config Rules",
+    access_analyzer_findings: "Access Analyzer",
+    patch_compliance_findings: "Patch Compliance",
+    imdsv2_enforcement: "IMDSv2 Enforcement",
+    waf_coverage: "WAF Coverage",
+    // Security Hub sub-categories
+    "sh:FSBP": "Security Best Practices",
+    "sh:Inspector": "Software Vulnerabilities",
+    "sh:GuardDuty": "Threat Detection",
+    "sh:Config": "Configuration Compliance",
+    "sh:Access Analyzer": "External Access",
+    "sh:Other": "Other Security Findings"
+  },
+  // Security Hub sub-categories
+  securityHubSubCategories: {
+    FSBP: { label: "Security Best Practices" },
+    Inspector: { label: "Software Vulnerabilities" },
+    GuardDuty: { label: "Threat Detection" },
+    Config: { label: "Configuration Compliance" },
+    "Access Analyzer": { label: "External Access" },
+    Other: { label: "Other Security Findings" }
+  },
   // Service Recommendations
   notEnabled: "Not Enabled",
   serviceRecommendations: {
@@ -4391,7 +4428,7 @@ function generateMarkdownReport(scanResults, lang) {
   for (const m of modules) {
     const status = m.status === "success" ? "\u2705" : "\u274C";
     lines.push(
-      `| ${m.module} | ${m.resourcesScanned} | ${m.findingsCount} | ${status} |`
+      `| ${t.moduleNames[m.module] ?? m.module} | ${m.resourcesScanned} | ${m.findingsCount} | ${status} |`
     );
   }
   lines.push("");
@@ -7234,6 +7271,22 @@ var SEV_COLOR = {
   LOW: "#22c55e"
 };
 var SEVERITY_ORDER2 = ["CRITICAL", "HIGH", "MEDIUM", "LOW"];
+function getRecommendationTemplate(rem) {
+  return rem.replace(/\b(i-[0-9a-f]+)\b/g, "{instance}").replace(/\b(vol-[0-9a-f]+)\b/g, "{volume}").replace(/\b(sg-[0-9a-f]+)\b/g, "{sg}").replace(/\b(eipalloc-[0-9a-f]+)\b/g, "{eip}").replace(/\b(arn:aws[-\w]*:[^"\s]+)\b/g, "{arn}").replace(/"[^"]+"/g, "{name}").replace(/bucket \S+/g, "bucket {name}").replace(/instance \S+/g, "instance {id}").replace(/volume \S+/g, "volume {id}").replace(/rule \S+/g, "rule {name}");
+}
+function getSecurityHubSource(finding) {
+  const impact = finding.impact ?? "";
+  const match = impact.match(/^Source:\s*([^(]+)/);
+  if (!match) return "Other";
+  const product = match[1].trim();
+  if (product === "Security Hub" || product.includes("Foundational")) return "FSBP";
+  if (product === "Inspector" || product.includes("Inspector")) return "Inspector";
+  if (product === "GuardDuty" || product.includes("GuardDuty")) return "GuardDuty";
+  if (product === "Config" || product.includes("Config")) return "Config";
+  if (product === "IAM Access Analyzer" || product.includes("Access Analyzer")) return "Access Analyzer";
+  return "Other";
+}
+var SECURITY_HUB_SUB_CAT_ORDER = ["FSBP", "Inspector", "GuardDuty", "Config", "Access Analyzer", "Other"];
 function scoreColor(score) {
   if (score >= 80) return "#22c55e";
   if (score >= 50) return "#eab308";
@@ -7418,7 +7471,16 @@ function sharedCss() {
     .rec-body ol{padding-left:24px}
     .rec-body li{margin-bottom:8px;color:#cbd5e1;font-size:13px}
     .rec-body .badge{margin-right:6px;vertical-align:middle}
+    .filter-toolbar{display:flex;flex-wrap:wrap;gap:16px;align-items:center;margin-bottom:20px;padding:12px 16px;background:#1e293b;border:1px solid #334155;border-radius:8px}
+    .filter-group{display:flex;align-items:center;gap:8px}
+    .filter-label{color:#94a3b8;font-size:13px}
+    .filter-btn{padding:4px 12px;border-radius:4px;border:1px solid #475569;background:transparent;color:#cbd5e1;cursor:pointer;font-size:13px}
+    .filter-btn:hover{background:#334155}
+    .filter-btn.active{background:#3b82f6;border-color:#3b82f6;color:#fff}
+    .filter-select{padding:4px 8px;border-radius:4px;border:1px solid #475569;background:#0f172a;color:#cbd5e1;font-size:13px}
+    .filter-count{color:#64748b;font-size:13px;margin-left:auto}
     @media print{
+      .filter-toolbar{display:none !important}
       body{background:#fff;color:#1e293b;-webkit-print-color-adjust:exact;print-color-adjust:exact}
       .container{max-width:100%;padding:20px}
       .card,.score-card,.stat-card,.chart-box,.finding-fold,.top5-card,.trend-chart,.category-fold,.module-fold,.finding-card,.rec-fold{background:#fff;border:1px solid #e2e8f0}
@@ -7611,6 +7673,47 @@ function generateHtmlReport(scanResults, history, lang) {
   const allFindings = modules.flatMap(
     (m) => m.findings.map((f) => ({ ...f, module: f.module ?? m.module }))
   );
+  const shModule = modules.find((m) => m.module === "security_hub_findings");
+  const shSubCats = [];
+  if (shModule && shModule.findingsCount > 0) {
+    const catMap = {};
+    for (const f of shModule.findings) {
+      const cat = getSecurityHubSource(f);
+      if (!catMap[cat]) catMap[cat] = [];
+      catMap[cat].push(f);
+    }
+    for (const cat of SECURITY_HUB_SUB_CAT_ORDER) {
+      const catFindings = catMap[cat];
+      if (catFindings && catFindings.length > 0) {
+        const meta = t.securityHubSubCategories[cat];
+        const shLabel = t.moduleNames[`sh:${cat}`] ?? meta?.label ?? cat;
+        shSubCats.push({
+          key: cat,
+          label: shLabel,
+          count: catFindings.length,
+          findings: catFindings
+        });
+      }
+    }
+  }
+  const DETECTION_ONLY_MODULES = /* @__PURE__ */ new Set([
+    "guardduty_findings",
+    "inspector_findings",
+    "config_rules_findings",
+    "access_analyzer_findings"
+  ]);
+  const barChartModules = modules.flatMap((m) => {
+    if (DETECTION_ONLY_MODULES.has(m.module)) return [];
+    if (m.module === "security_hub_findings" && shSubCats.length > 0) {
+      return shSubCats.map((sc) => ({
+        ...m,
+        module: t.moduleNames[`sh:${sc.key}`] ?? sc.key,
+        findingsCount: sc.count,
+        findings: sc.findings
+      }));
+    }
+    return [{ ...m, module: t.moduleNames[m.module] ?? m.module }];
+  });
   let top5Html = "";
   if (allFindings.length > 0) {
     const top5 = [...allFindings].sort((a, b) => b.riskScore - a.riskScore).slice(0, 5);
@@ -7636,13 +7739,14 @@ function generateHtmlReport(scanResults, history, lang) {
     </section>`;
   }
   let findingsHtml;
+  let filterToolbarHtml = "";
   if (summary.totalFindings === 0) {
     findingsHtml = `<div class="no-findings">${esc(t.noIssuesFound)}</div>`;
   } else {
     const FOLD_THRESHOLD = 20;
-    const renderCard = (f) => {
+    const renderCard = (f, moduleKey) => {
       const sev = f.severity.toLowerCase();
-      return `<div class="finding-card sev-${esc(sev)}">
+      return `<div class="finding-card sev-${esc(sev)}" data-severity="${esc(f.severity)}" data-module="${esc(moduleKey)}">
         <span class="badge badge-${esc(sev)}">${esc(f.severity)}</span>
         <span class="finding-title-text">${esc(f.title)}</span>
         <span class="finding-resource">${esc(f.resourceArn || f.resourceId)}</span>
@@ -7653,12 +7757,12 @@ function generateHtmlReport(scanResults, history, lang) {
         </div></details>
       </div>`;
     };
-    const renderCards = (findings) => {
+    const renderCards = (findings, moduleKey) => {
       if (findings.length <= FOLD_THRESHOLD) {
-        return findings.map(renderCard).join("\n");
+        return findings.map((f) => renderCard(f, moduleKey)).join("\n");
       }
-      const first = findings.slice(0, FOLD_THRESHOLD).map(renderCard).join("\n");
-      const rest = findings.slice(FOLD_THRESHOLD).map(renderCard).join("\n");
+      const first = findings.slice(0, FOLD_THRESHOLD).map((f) => renderCard(f, moduleKey)).join("\n");
+      const rest = findings.slice(FOLD_THRESHOLD).map((f) => renderCard(f, moduleKey)).join("\n");
       return `${first}
 <details><summary>${t.showRemainingFindings(findings.length - FOLD_THRESHOLD)}</summary>
 ${rest}
@@ -7676,37 +7780,76 @@ ${rest}
       if (!moduleMap.has(mod)) moduleMap.set(mod, []);
       moduleMap.get(mod).push(f);
     }
-    const moduleEntries = [...moduleMap.entries()].sort((a, b) => {
+    const expandedEntries = [];
+    for (const [mod, findings] of moduleMap.entries()) {
+      if (DETECTION_ONLY_MODULES.has(mod)) continue;
+      if (mod === "security_hub_findings" && shSubCats.length > 0) {
+        for (const sc of shSubCats) {
+          expandedEntries.push([sc.key, sc.findings, sc.label]);
+        }
+      } else {
+        expandedEntries.push([mod, findings, null]);
+      }
+    }
+    const moduleEntries = expandedEntries.sort((a, b) => {
       const aHasCritHigh = a[1].some((f) => f.severity === "CRITICAL" || f.severity === "HIGH");
       const bHasCritHigh = b[1].some((f) => f.severity === "CRITICAL" || f.severity === "HIGH");
       if (aHasCritHigh !== bHasCritHigh) return aHasCritHigh ? -1 : 1;
       return b[1].length - a[1].length;
     });
-    findingsHtml = moduleEntries.map(([modName, modFindings]) => {
-      const sevCounts = { CRITICAL: 0, HIGH: 0, MEDIUM: 0, LOW: 0 };
-      for (const f of modFindings) sevCounts[f.severity]++;
-      const badges = SEVERITY_ORDER2.filter((sev) => sevCounts[sev] > 0).map((sev) => `<span class="badge badge-${sev.toLowerCase()}">${sevCounts[sev]} ${sev.charAt(0) + sev.slice(1).toLowerCase()}</span>`).join(" ");
-      const sevGroups = SEVERITY_ORDER2.map((sev) => {
-        const findings = modFindings.filter((f) => f.severity === sev);
-        if (findings.length === 0) return "";
-        findings.sort((a, b) => b.riskScore - a.riskScore);
+    const renderSeverityGroups = (findings, moduleKey) => {
+      return SEVERITY_ORDER2.map((sev) => {
+        const sevFindings = findings.filter((f) => f.severity === sev);
+        if (sevFindings.length === 0) return "";
+        sevFindings.sort((a, b) => b.riskScore - a.riskScore);
         const emoji = SEV_EMOJI[sev] ?? "";
         const label = sev.charAt(0) + sev.slice(1).toLowerCase();
         return `<details class="severity-group-fold">
-          <summary><h4>${emoji} ${label} (${findings.length})</h4></summary>
-          ${renderCards(findings)}
+          <summary><h4>${emoji} ${label} (${sevFindings.length})</h4></summary>
+          ${renderCards(sevFindings, moduleKey)}
         </details>`;
       }).filter(Boolean).join("\n");
-      return `<details class="module-fold">
+    };
+    const renderModuleBadges = (findings) => {
+      const sevCounts = { CRITICAL: 0, HIGH: 0, MEDIUM: 0, LOW: 0 };
+      for (const f of findings) sevCounts[f.severity]++;
+      return SEVERITY_ORDER2.filter((sev) => sevCounts[sev] > 0).map((sev) => `<span class="badge badge-${sev.toLowerCase()}">${sevCounts[sev]} ${sev.charAt(0) + sev.slice(1).toLowerCase()}</span>`).join(" ");
+    };
+    findingsHtml = moduleEntries.map(([modName, modFindings, subCatLabel]) => {
+      const badges = renderModuleBadges(modFindings);
+      const displayName = subCatLabel ?? (t.moduleNames[modName] ?? modName);
+      return `<details class="module-fold" data-module="${esc(modName)}">
         <summary>
-          <h3>&#128274; ${esc(modName)} (${modFindings.length})</h3>
+          <h3>&#128274; ${esc(displayName)} (${modFindings.length})</h3>
           <span class="module-badges">${badges}</span>
         </summary>
         <div class="module-body">
-          ${sevGroups}
+          ${renderSeverityGroups(modFindings, modName)}
         </div>
       </details>`;
     }).join("\n");
+    const moduleOptions = moduleEntries.map(([modKey, , subCatLabel]) => {
+      const label = subCatLabel ?? (t.moduleNames[modKey] ?? modKey);
+      return `<option value="${esc(modKey)}">${esc(label)}</option>`;
+    }).join("\n        ");
+    filterToolbarHtml = `<div class="filter-toolbar" id="filterBar">
+      <div class="filter-group">
+        <span class="filter-label">${esc(t.filterSeverity)}</span>
+        <button class="filter-btn active" data-severity="ALL">${esc(t.filterAll)}</button>
+        <button class="filter-btn" data-severity="CRITICAL">Critical</button>
+        <button class="filter-btn" data-severity="HIGH">High</button>
+        <button class="filter-btn" data-severity="MEDIUM">Medium</button>
+        <button class="filter-btn" data-severity="LOW">Low</button>
+      </div>
+      <div class="filter-group">
+        <span class="filter-label">${esc(t.filterModule)}</span>
+        <select class="filter-select" id="moduleFilter">
+          <option value="ALL">${esc(t.filterAllModules)}</option>
+          ${moduleOptions}
+        </select>
+      </div>
+      <div class="filter-count" id="filterCount" data-tpl="${esc(t.filterCountTpl)}"></div>
+    </div>`;
   }
   let trendHtml = "";
   if (history && history.length >= 2) {
@@ -7723,8 +7866,29 @@ ${rest}
       </div>
     </section>`;
   }
-  const statsRows = modules.map(
-    (m) => `<tr><td>${esc(m.module)}</td><td>${m.resourcesScanned}</td><td>${m.findingsCount}</td><td>${m.status === "success" ? "&#10003;" : "&#10007;"}</td></tr>`
+  const isModuleDisabled = (m) => {
+    if (!m.warnings?.length) return void 0;
+    const w = m.warnings.find(
+      (w2) => SERVICE_NOT_ENABLED_PATTERNS.some((p) => w2.includes(p))
+    );
+    return w;
+  };
+  const statsRows = modules.flatMap(
+    (m) => {
+      if (DETECTION_ONLY_MODULES.has(m.module)) return [];
+      if (m.module === "security_hub_findings" && shSubCats.length > 0) {
+        return shSubCats.map(
+          (sc) => `<tr><td>${esc(sc.label)}</td><td>${m.resourcesScanned}</td><td>${sc.count}</td><td>&#10003;</td></tr>`
+        );
+      }
+      const disabledWarning = isModuleDisabled(m);
+      if (disabledWarning) {
+        const rec = t.serviceRecommendations[m.module];
+        const reason = rec ? rec.action : disabledWarning;
+        return [`<tr><td>${esc(t.moduleNames[m.module] ?? m.module)}</td><td>-</td><td>-</td><td style="color:#eab308">&#9888; ${esc(reason)}</td></tr>`];
+      }
+      return [`<tr><td>${esc(t.moduleNames[m.module] ?? m.module)}</td><td>${m.resourcesScanned}</td><td>${m.findingsCount}</td><td>${m.status === "success" ? "&#10003;" : "&#10007;"}</td></tr>`];
+    }
   ).join("\n");
   let recsHtml = "";
   if (summary.totalFindings > 0) {
@@ -7732,6 +7896,9 @@ ${rest}
     const kbPatches = [];
     let kbSeverity = "LOW";
     let kbUrl;
+    const cveList = [];
+    let cveSeverity = "LOW";
+    let cveUrl;
     const genericPatterns = ["See References", "None Provided", "Review the finding", "Review and remediate."];
     for (const f of allFindings) {
       const rem = f.remediationSteps[0] ?? "Review and remediate.";
@@ -7744,6 +7911,13 @@ ${rest}
         if (!kbUrl && url) kbUrl = url;
         continue;
       }
+      const cveMatch = f.title.match(/CVE-[\d-]+/);
+      if (cveMatch && (f.module === "security_hub_findings" || f.module === "inspector_findings")) {
+        cveList.push(cveMatch[0]);
+        if (SEVERITY_ORDER2.indexOf(f.severity) < SEVERITY_ORDER2.indexOf(cveSeverity)) cveSeverity = f.severity;
+        if (!cveUrl && url) cveUrl = url;
+        continue;
+      }
       if (f.module === "security_hub_findings") {
         const controlMatch = f.title.match(/^([A-Z][A-Za-z0-9]*\.\d+)\s/);
         if (controlMatch) {
@@ -7760,6 +7934,23 @@ ${rest}
           continue;
         }
       }
+      if (f.module !== "security_hub_findings" && f.module !== "inspector_findings") {
+        const template = getRecommendationTemplate(rem);
+        if (template !== rem) {
+          const templateKey = `tmpl:${f.module}:${template}`;
+          const existingTmpl = recMap.get(templateKey);
+          if (existingTmpl) {
+            existingTmpl.count++;
+            if (!existingTmpl.url && url) existingTmpl.url = url;
+            if (SEVERITY_ORDER2.indexOf(f.severity) < SEVERITY_ORDER2.indexOf(existingTmpl.severity)) {
+              existingTmpl.severity = f.severity;
+            }
+            continue;
+          }
+          recMap.set(templateKey, { text: rem, severity: f.severity, count: 1, url });
+          continue;
+        }
+      }
       const existing = recMap.get(rem);
       if (existing) {
         existing.count++;
@@ -7776,8 +7967,14 @@ ${rest}
       const kbList = unique.slice(0, 5).join(", ") + (unique.length > 5 ? ", \u2026" : "");
       recMap.set("__kb__", { text: t.installWindowsPatches(unique.length, kbList), severity: kbSeverity, count: 1, url: kbUrl });
     }
+    if (cveList.length > 0) {
+      const unique = [...new Set(cveList)];
+      const cveDisplay = unique.slice(0, 5).join(", ") + (unique.length > 5 ? ", \u2026" : "");
+      const cveText = (lang ?? "zh") === "zh" ? `\u4FEE\u590D ${unique.length} \u4E2A\u8F6F\u4EF6\u6F0F\u6D1E (${cveDisplay})\uFF0C\u66F4\u65B0\u53D7\u5F71\u54CD\u7684\u8F6F\u4EF6\u5305\u5230\u6700\u65B0\u7248\u672C` : `Fix ${unique.length} software vulnerabilities (${cveDisplay}) \u2014 update affected packages to latest patched versions`;
+      recMap.set("__cve__", { text: cveText, severity: cveSeverity, count: 1, url: cveUrl });
+    }
     for (const [key, rec] of recMap) {
-      if (key.startsWith("ctrl:") && rec.count > 1) {
+      if ((key.startsWith("ctrl:") || key.startsWith("tmpl:")) && rec.count > 1) {
         rec.text += ` \u2014 ${t.affectedResources(rec.count)}`;
         rec.count = 1;
       }
@@ -7808,6 +8005,43 @@ ${remaining.map(renderRec).join("\n")}
         </div>
       </details>`;
   }
+  const filterScript = summary.totalFindings > 0 ? `<script>
+(function(){
+  var activeSev='ALL',activeMod='ALL';
+  var countEl=document.getElementById('filterCount');
+  var tpl=countEl?countEl.getAttribute('data-tpl'):'';
+  function apply(){
+    var cards=document.querySelectorAll('.finding-card[data-severity]');
+    var shown=0,total=cards.length;
+    cards.forEach(function(c){
+      var sevOk=activeSev==='ALL'||c.getAttribute('data-severity')===activeSev;
+      var modOk=activeMod==='ALL'||c.getAttribute('data-module')===activeMod;
+      c.style.display=(sevOk&&modOk)?'':'none';
+      if(sevOk&&modOk)shown++;
+    });
+    if(countEl)countEl.textContent=tpl.replace('{shown}',shown).replace('{total}',total);
+    document.querySelectorAll('.module-fold').forEach(function(f){
+      var mod=f.getAttribute('data-module');
+      if(activeMod!=='ALL'&&mod!==activeMod){f.style.display='none';return;}
+      f.style.display='';
+    });
+    document.querySelectorAll('.severity-group-fold').forEach(function(g){
+      g.style.display=g.querySelectorAll('.finding-card:not([style*="display: none"])').length?'':'none';
+    });
+  }
+  document.querySelectorAll('.filter-btn[data-severity]').forEach(function(b){
+    b.addEventListener('click',function(){
+      document.querySelectorAll('.filter-btn[data-severity]').forEach(function(x){x.classList.remove('active')});
+      b.classList.add('active');
+      activeSev=b.getAttribute('data-severity');
+      apply();
+    });
+  });
+  var sel=document.getElementById('moduleFilter');
+  if(sel)sel.addEventListener('change',function(){activeMod=sel.value;apply();});
+  apply();
+})();
+</script>` : "";
   return `<!DOCTYPE html>
 <html lang="${htmlLang}">
 <head>
@@ -7844,7 +8078,7 @@ ${remaining.map(renderRec).join("\n")}
   </div>
   <div class="chart-box">
     <div class="chart-title">${esc(t.findingsByModule)}</div>
-    ${barChart(modules, t.allModulesClean)}
+    ${barChart(barChartModules, t.allModulesClean)}
   </div>
 </section>
 
@@ -7864,6 +8098,7 @@ ${buildServiceReminderHtml(modules, lang)}
 
 <section>
   <h2>${esc(t.allFindings)}</h2>
+  ${filterToolbarHtml}
   ${findingsHtml}
 </section>
 
@@ -7875,6 +8110,7 @@ ${recsHtml}
 </footer>
 
 </div>
+${filterScript}
 </body>
 </html>`;
 }
@@ -8017,6 +8253,9 @@ ${itemsHtml}
     const mlpsKbPatches = [];
     let mlpsKbSeverity = "LOW";
     let mlpsKbUrl;
+    const mlpsCveList = [];
+    let mlpsCveSeverity = "LOW";
+    let mlpsCveUrl;
     const mlpsGenericPatterns = ["See References", "None Provided", "Review the finding", "Review and remediate."];
     for (const r of failedResults) {
       for (const f of r.relatedFindings) {
@@ -8030,6 +8269,13 @@ ${itemsHtml}
           if (!mlpsKbUrl && url) mlpsKbUrl = url;
           continue;
         }
+        const cveMatch = f.title.match(/CVE-[\d-]+/);
+        if (cveMatch) {
+          mlpsCveList.push(cveMatch[0]);
+          if (SEVERITY_ORDER2.indexOf(f.severity) < SEVERITY_ORDER2.indexOf(mlpsCveSeverity)) mlpsCveSeverity = f.severity;
+          if (!mlpsCveUrl && url) mlpsCveUrl = url;
+          continue;
+        }
         if (f.module === "security_hub_findings") {
           const controlMatch = f.title.match(/^([A-Z][A-Za-z0-9]*\.\d+)\s/);
           if (controlMatch) {
@@ -8046,6 +8292,23 @@ ${itemsHtml}
             continue;
           }
         }
+        if (f.module !== "security_hub_findings" && f.module !== "inspector_findings") {
+          const template = getRecommendationTemplate(rem);
+          if (template !== rem) {
+            const templateKey = `tmpl:${f.module}:${template}`;
+            const existingTmpl = mlpsRecMap.get(templateKey);
+            if (existingTmpl) {
+              existingTmpl.count++;
+              if (!existingTmpl.url && url) existingTmpl.url = url;
+              if (SEVERITY_ORDER2.indexOf(f.severity) < SEVERITY_ORDER2.indexOf(existingTmpl.severity)) {
+                existingTmpl.severity = f.severity;
+              }
+              continue;
+            }
+            mlpsRecMap.set(templateKey, { text: rem, severity: f.severity, count: 1, url });
+            continue;
+          }
+        }
         const existing = mlpsRecMap.get(rem);
         if (existing) {
           existing.count++;
@@ -8063,8 +8326,14 @@ ${itemsHtml}
       const kbList = unique.slice(0, 5).join(", ") + (unique.length > 5 ? ", \u2026" : "");
       mlpsRecMap.set("__kb__", { text: t.installWindowsPatches(unique.length, kbList), severity: mlpsKbSeverity, count: 1, url: mlpsKbUrl });
     }
+    if (mlpsCveList.length > 0) {
+      const unique = [...new Set(mlpsCveList)];
+      const cveDisplay = unique.slice(0, 5).join(", ") + (unique.length > 5 ? ", \u2026" : "");
+      const cveText = (lang ?? "zh") === "zh" ? `\u4FEE\u590D ${unique.length} \u4E2A\u8F6F\u4EF6\u6F0F\u6D1E (${cveDisplay})\uFF0C\u66F4\u65B0\u53D7\u5F71\u54CD\u7684\u8F6F\u4EF6\u5305\u5230\u6700\u65B0\u7248\u672C` : `Fix ${unique.length} software vulnerabilities (${cveDisplay}) \u2014 update affected packages to latest patched versions`;
+      mlpsRecMap.set("__cve__", { text: cveText, severity: mlpsCveSeverity, count: 1, url: mlpsCveUrl });
+    }
     for (const [key, rec] of mlpsRecMap) {
-      if (key.startsWith("ctrl:") && rec.count > 1) {
+      if ((key.startsWith("ctrl:") || key.startsWith("tmpl:")) && rec.count > 1) {
         rec.text += ` \u2014 ${t.affectedResources(rec.count)}`;
         rec.count = 1;
       }
@@ -8360,7 +8629,6 @@ Detects which AWS security services are enabled and assesses overall security ma
 - **GuardDuty not enabled** \u2014 Risk 7.5: Provides continuous threat detection.
 - **Inspector not enabled** \u2014 Risk 6.0: Scans for software vulnerabilities.
 - **AWS Config not enabled** \u2014 Risk 6.0: Tracks configuration changes.
-- **Macie not enabled** \u2014 Risk 5.0: Detects sensitive data in S3 (not available in China regions).
 - CloudTrail detection is included for coverage metrics.
 
 ### Maturity Levels
@@ -8368,8 +8636,8 @@ Detects which AWS security services are enabled and assesses overall security ma
 |------------------|-------|
 | 0\u20131 | Basic |
 | 2\u20133 | Intermediate |
-| 4\u20135 | Advanced |
-| 6   | Comprehensive |
+| 4   | Advanced |
+| 5   | Comprehensive |
 
 ## 2. Security Hub Findings (security_hub_findings)
 Aggregates active findings from AWS Security Hub. Replaces individual config scanners (SG, S3, IAM, CloudTrail, RDS, EBS, VPC, etc.) with centralized compliance checks from FSBP, CIS, and PCI DSS standards.
@@ -8503,7 +8771,7 @@ import { readFileSync as readFileSync2 } from "fs";
 import { join as join2, dirname } from "path";
 import { fileURLToPath } from "url";
 var MODULE_DESCRIPTIONS = {
-  service_detection: "Detects which AWS security services (Security Hub, GuardDuty, Inspector, Config, Macie) are enabled and assesses security maturity.",
+  service_detection: "Detects which AWS security services (Security Hub, GuardDuty, Inspector, Config) are enabled and assesses security maturity.",
   secret_exposure: "Checks Lambda env vars and EC2 userData for exposed secrets (AWS keys, private keys, passwords).",
   ssl_certificate: "Checks ACM certificates for expiry, failed status, and upcoming renewals.",
   dns_dangling: "Checks Route53 CNAME records for dangling DNS (subdomain takeover risk).",
@@ -8938,14 +9206,12 @@ function createServer(defaultRegion) {
           "Security Hub": "+300 security checks",
           "GuardDuty": "Threat detection",
           "Inspector": "Vulnerability scanning",
-          "AWS Config": "Configuration tracking",
-          "Macie": "Sensitive data detection"
+          "AWS Config": "Configuration tracking"
         };
         const serviceFreeTrials = {
           "Security Hub": true,
           "GuardDuty": true,
-          "Inspector": true,
-          "Macie": true
+          "Inspector": true
         };
         const services = detection.services;
         const coveragePercent = detection.coveragePercent;
@@ -8980,7 +9246,7 @@ function createServer(defaultRegion) {
           lines.push("");
           lines.push("### Recommendations (Priority Order)");
           lines.push("");
-          const priorityOrder = ["Security Hub", "GuardDuty", "Inspector", "AWS Config", "Macie", "CloudTrail"];
+          const priorityOrder = ["Security Hub", "GuardDuty", "Inspector", "AWS Config", "CloudTrail"];
           const sorted = disabled.sort(
             (a, b) => priorityOrder.indexOf(a.name) - priorityOrder.indexOf(b.name)
           );
@@ -9003,7 +9269,7 @@ function createServer(defaultRegion) {
           const nextMilestones = {
             basic: { level: "Intermediate", target: 2, suggestions: ["Security Hub", "GuardDuty"] },
             intermediate: { level: "Advanced", target: 4, suggestions: ["Inspector", "AWS Config"] },
-            advanced: { level: "Comprehensive", target: 6, suggestions: ["Macie"] }
+            advanced: { level: "Comprehensive", target: 5, suggestions: ["CloudTrail"] }
           };
           const next = nextMilestones[maturityLevel];
           if (next) {