npm - aws-security-mcp - Versions diffs - 0.7.1 → 0.7.2 - Mend

aws-security-mcp 0.7.1 → 0.7.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/dashboard/dist/assets/index-BXloWmhE.css +2 -0
package/dashboard/dist/index.html +2 -2
package/dist/bin/aws-security-mcp.js +459 -7
package/dist/bin/aws-security-mcp.js.map +1 -1
package/dist/src/index.d.ts +3 -1
package/dist/src/index.js +460 -7
package/dist/src/index.js.map +1 -1
package/package.json +1 -1
package/dashboard/dist/assets/index-UN8P_PO6.css +0 -2
/package/dashboard/dist/assets/{index-AKJ_-GfD.js → index-DsWFAp9v.js} +0 -0

package/dist/src/index.d.ts CHANGED Viewed

@@ -127,10 +127,12 @@ declare function generateMarkdownReport(scanResults: FullScanResult, lang?: Lang
 declare function generateHtmlReport(scanResults: FullScanResult, history?: DashboardHistoryEntry[], lang?: Lang): string;
 declare function generateMlps3HtmlReport(scanResults: FullScanResult, history?: DashboardHistoryEntry[], lang?: Lang): string;
+declare function generateHwDefenseHtmlReport(scanResults: FullScanResult, lang?: Lang): string;
 declare function calculateScore(summary: FullScanResult["summary"]): number;
 declare function saveResults(scanResults: FullScanResult, outputDir?: string): string;
 declare function createServer(defaultRegion: string): McpServer;
 declare function startServer(defaultRegion: string): Promise<void>;
-export { type DashboardData, type DashboardHistoryEntry, type Finding, type FullScanResult, type Lang, type OrgAccount, type Priority, type ScanContext, type ScanResult, type Scanner, type Severity, assumeRole, buildRoleArn, calculateScore, createServer, generateHtmlReport, generateMarkdownReport, generateMlps3HtmlReport, getCurrentAccountId, listOrgAccounts, runAllScanners, runMultiAccountScanners, saveResults, startServer };
+export { type DashboardData, type DashboardHistoryEntry, type Finding, type FullScanResult, type Lang, type OrgAccount, type Priority, type ScanContext, type ScanResult, type Scanner, type Severity, assumeRole, buildRoleArn, calculateScore, createServer, generateHtmlReport, generateHwDefenseHtmlReport, generateMarkdownReport, generateMlps3HtmlReport, getCurrentAccountId, listOrgAccounts, runAllScanners, runMultiAccountScanners, saveResults, startServer };

package/dist/src/index.js CHANGED Viewed

@@ -4,7 +4,7 @@ import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js"
 import { z } from "zod";
 // src/version.ts
-var VERSION = "0.7.1";
+var VERSION = "0.7.2";
 // src/utils/aws-client.ts
 import { STSClient, GetCallerIdentityCommand } from "@aws-sdk/client-sts";
@@ -3784,6 +3784,39 @@ var zhI18n = {
       action: "\u5B89\u88C5 SSM Agent \u5E76\u914D\u7F6E Patch Manager"
     }
   },
+  // HW Defense HTML Report
+  hwReportTitle: "\u62A4\u7F51\u84DD\u961F\u5B89\u5168\u8BC4\u4F30\u62A5\u544A",
+  hwAutoCheck: "\u81EA\u52A8\u5316\u68C0\u67E5",
+  hwManualCheck: "\u4EBA\u5DE5\u786E\u8BA4\u4E8B\u9879",
+  hwNoAutoCheck: "\u6B64\u9879\u65E0\u81EA\u52A8\u5316\u68C0\u67E5",
+  hwClean: "\u672A\u53D1\u73B0\u95EE\u9898",
+  hwTotalFindings: "\u53D1\u73B0\u603B\u6570",
+  hwSectionsChecked: "\u68C0\u67E5\u5206\u7C7B",
+  hwAutoVerified: "\u81EA\u52A8\u9A8C\u8BC1",
+  hwManualPending: "\u4EBA\u5DE5\u5F85\u786E\u8BA4",
+  hwManualCount: (n) => `${n} \u9879\u4EBA\u5DE5\u786E\u8BA4`,
+  hwAffectedResources: (n) => `\u67E5\u770B\u53D7\u5F71\u54CD\u8D44\u6E90 (${n})`,
+  hwRemediation: "\u4FEE\u590D\u5EFA\u8BAE",
+  hwSectionNames: {
+    attack_surface: { name: "\u653B\u51FB\u9762\u6536\u655B", icon: "\u{1F3AF}" },
+    vulnerability_patch: { name: "\u6F0F\u6D1E\u4E0E\u8865\u4E01\u7BA1\u7406", icon: "\u{1FA79}" },
+    identity_credential: { name: "\u8EAB\u4EFD\u4E0E\u51ED\u8BC1\u5B89\u5168", icon: "\u{1F511}" },
+    transport_security: { name: "\u4F20\u8F93\u4E0E\u5B9E\u4F8B\u5B89\u5168", icon: "\u{1F512}" },
+    security_services: { name: "\u5B89\u5168\u670D\u52A1\u72B6\u6001", icon: "\u{1F6E1}\uFE0F" },
+    emergency_response: { name: "\u5E94\u6025\u54CD\u5E94\u51C6\u5907", icon: "\u{1F6A8}" },
+    environment_control: { name: "\u73AF\u5883\u5904\u7F6E", icon: "\u{1F3D7}\uFE0F" },
+    post_review: { name: "\u62A4\u7F51\u540E\u4F18\u5316", icon: "\u{1F4CA}" }
+  },
+  hwManualItems: {
+    attack_surface: ["\u7ED8\u5236\u51FA\u5165\u7AD9\u8DEF\u5F84\u67B6\u6784\u56FE\uFF0C\u6807\u6CE8\u6240\u6709\u4E92\u8054\u7F51/DX\u4E13\u7EBF\u51FA\u5165\u7AD9\u8DEF\u5F84"],
+    vulnerability_patch: ["\u8054\u7CFB\u5B89\u5168\u5382\u5546\u8FDB\u884C\u6A21\u62DF\u653B\u51FB\u6F14\u7EC3\uFF08\u6E17\u900F\u6D4B\u8BD5\uFF09", "\u5173\u6CE8 AWS \u5B89\u5168\u516C\u544A\uFF08\u5DF2\u77E5\u6F0F\u6D1E\u4E0E\u8865\u4E01\uFF09"],
+    identity_credential: ["\u6240\u6709 IAM \u7528\u6237\u7ED1\u5B9A MFA", "AKSK \u8F6E\u8F6C\u5468\u671F \u2264 90 \u5929", "\u907F\u514D\u5171\u4EAB\u8D26\u6237\u4F7F\u7528", "S3/Lambda/\u5E94\u7528\u4EE3\u7801\u4E2D\u65E0\u660E\u6587\u5BC6\u7801"],
+    transport_security: ["\u786E\u8BA4\u6240\u6709\u5BF9\u5916\u670D\u52A1\u4F7F\u7528 TLS 1.2+", "\u68C0\u67E5\u5185\u90E8\u670D\u52A1\u95F4\u901A\u4FE1\u662F\u5426\u52A0\u5BC6"],
+    security_services: ["\u786E\u8BA4 Security Hub \u5DF2\u5F00\u542F\u5E76\u914D\u7F6E\u6807\u51C6", "\u786E\u8BA4 GuardDuty \u5DF2\u5728\u6240\u6709\u533A\u57DF\u5F00\u542F", "\u786E\u8BA4 CloudTrail \u591A\u533A\u57DF\u65E5\u5FD7\u8BB0\u5F55\u5DF2\u5F00\u542F", "\u786E\u8BA4 Config Rules \u5DF2\u914D\u7F6E"],
+    emergency_response: ["\u51C6\u5907\u4E13\u7528\u9694\u79BB\u5B89\u5168\u7EC4\uFF08\u65E0 Inbound/Outbound \u89C4\u5219\uFF09", "\u5236\u5B9A\u5B9E\u4F8B\u9694\u79BB SOP\uFF1A\u544A\u8B66 \u2192 \u6392\u67E5 \u2192 \u5C01\u9501\u653B\u51FBIP \u2192 \u7F51\u7EDC\u9694\u79BB \u2192 \u5B89\u5168\u5904\u7F6E \u2192 \u8BB0\u5F55\u653B\u51FB\u9879", "\u7EC4\u5EFA 7\xD724 \u76D1\u63A7\u5FEB\u901F\u54CD\u5E94\u56E2\u961F", "\u521B\u5EFA\u62A4\u7F51\u671F\u95F4\u4E13\u7528\u6C9F\u901A\u6E20\u9053\uFF08\u4F01\u5FAE/\u9489\u9489/\u98DE\u4E66/Chime\uFF09", "\u4E0E AWS TAM \u5EFA\u7ACB WAR-ROOM \u8054\u7CFB\uFF08\u4F01\u4E1A\u7EA7\u652F\u6301\u5BA2\u6237\uFF09"],
+    environment_control: ["\u975E\u6838\u5FC3\u7CFB\u7EDF\u5728\u62A4\u7F51\u671F\u95F4\u5173\u95ED", "\u6D4B\u8BD5/\u5F00\u53D1\u73AF\u5883\u5173\u95ED\u6216\u4E0E\u751F\u4EA7\u4FDD\u6301\u540C\u7B49\u5B89\u5168\u57FA\u7EBF", "\u786E\u8BA4\u54EA\u4E9B\u73AF\u5883\u53EF\u4EE5\u7D27\u6025\u5173\u505C\uFF0C\u907F\u514D\u653B\u51FB\u6269\u6563"],
+    post_review: ["\u9488\u5BF9\u653B\u51FB\u62A5\u544A\u9010\u9879\u5E94\u7B54\u4E0E\u4FEE\u590D", "\u4E0E\u5B89\u5168\u56E2\u961F\u5EFA\u7ACB\u5468\u671F\u6027\u5B89\u5168\u7EF4\u62A4\u6D41\u7A0B", "\u6301\u7EED\u8865\u5168\u5B89\u5168\u98CE\u9669"]
+  },
   // HW Checklist (full composite)
   hwChecklist: `
 \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550
@@ -4060,6 +4093,39 @@ var enI18n = {
       action: "Install SSM Agent and configure Patch Manager"
     }
   },
+  // HW Defense HTML Report
+  hwReportTitle: "HW Defense Security Assessment Report",
+  hwAutoCheck: "Automated Checks",
+  hwManualCheck: "Manual Verification Items",
+  hwNoAutoCheck: "No automated checks for this section",
+  hwClean: "No issues found",
+  hwTotalFindings: "Total Findings",
+  hwSectionsChecked: "Sections Checked",
+  hwAutoVerified: "Auto-Verified",
+  hwManualPending: "Manual Pending",
+  hwManualCount: (n) => `${n} manual item${n === 1 ? "" : "s"}`,
+  hwAffectedResources: (n) => `View affected resources (${n})`,
+  hwRemediation: "Remediation",
+  hwSectionNames: {
+    attack_surface: { name: "Attack Surface Reduction", icon: "\u{1F3AF}" },
+    vulnerability_patch: { name: "Vulnerability & Patch Management", icon: "\u{1FA79}" },
+    identity_credential: { name: "Identity & Credential Security", icon: "\u{1F511}" },
+    transport_security: { name: "Transport & Instance Security", icon: "\u{1F512}" },
+    security_services: { name: "Security Service Status", icon: "\u{1F6E1}\uFE0F" },
+    emergency_response: { name: "Emergency Response Readiness", icon: "\u{1F6A8}" },
+    environment_control: { name: "Environment Control", icon: "\u{1F3D7}\uFE0F" },
+    post_review: { name: "Post-Drill Optimization", icon: "\u{1F4CA}" }
+  },
+  hwManualItems: {
+    attack_surface: ["Draw ingress/egress path architecture diagram, mark all Internet/DX dedicated line paths"],
+    vulnerability_patch: ["Contact security vendors for simulated attack drills (penetration testing)", "Monitor AWS security advisories (known vulnerabilities and patches)"],
+    identity_credential: ["All IAM users must have MFA enabled", "Access key rotation cycle \u2264 90 days", "Avoid shared account usage", "No plaintext passwords in S3/Lambda/application code"],
+    transport_security: ["Verify all external-facing services use TLS 1.2+", "Check internal service-to-service communication encryption"],
+    security_services: ["Verify Security Hub is enabled with standards configured", "Verify GuardDuty is enabled in all regions", "Verify CloudTrail multi-region logging is enabled", "Verify Config Rules are configured"],
+    emergency_response: ["Prepare dedicated isolation security groups (no Inbound/Outbound rules)", "Establish instance isolation SOP: Alert \u2192 Investigate \u2192 Block attacker IP \u2192 Network isolation \u2192 Security response \u2192 Log attack details", "Form 7\xD724 monitoring rapid response team", "Create dedicated communication channels for the drill period (Teams/Slack/Chime)", "Establish WAR-ROOM connection with AWS TAM (Enterprise Support customers)"],
+    environment_control: ["Shut down non-critical systems during the drill period", "Shut down test/dev environments or maintain same security baseline as production", "Confirm which environments can be emergency-stopped to prevent attack propagation"],
+    post_review: ["Address and remediate each item from the attack report", "Establish periodic security maintenance processes with the security team", "Continuously fill security risk gaps"]
+  },
   // HW Checklist (full composite)
   hwChecklist: `
 \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550
@@ -8234,6 +8300,374 @@ ${naNote}
 </html>`;
 }
+// src/tools/hw-report.ts
+function esc2(s) {
+  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#39;");
+}
+function safeUrl2(url) {
+  try {
+    const u = new URL(url);
+    if (u.protocol === "https:" || u.protocol === "http:") return url;
+    return null;
+  } catch {
+    return null;
+  }
+}
+function escWithLinks2(s) {
+  const parts = s.split(/(https?:\/\/\S+)/);
+  return parts.map((part, i) => {
+    if (i % 2 === 1) {
+      const safe = safeUrl2(part);
+      if (safe) {
+        return `<a href="${esc2(safe)}" style="color:#60a5fa" target="_blank" rel="noopener">${esc2(part)}</a>`;
+      }
+      return esc2(part);
+    }
+    return esc2(part);
+  }).join("");
+}
+var SEVERITY_ORDER3 = ["CRITICAL", "HIGH", "MEDIUM", "LOW"];
+var HW_SECTIONS = [
+  {
+    id: "attack_surface",
+    autoModules: ["network_reachability", "dns_dangling", "public_access_verify", "waf_coverage"],
+    shKeywords: ["network", "public", "exposure", "port", "waf", "firewall", "vpc", "securitygroup"]
+  },
+  {
+    id: "vulnerability_patch",
+    autoModules: ["patch_compliance_findings"],
+    shKeywords: ["vulnerability", "patch", "cve", "inspector", "software"]
+  },
+  {
+    id: "identity_credential",
+    autoModules: ["iam_privilege_escalation", "secret_exposure"],
+    shKeywords: ["iam", "access", "privilege", "credential", "password", "mfa", "key rotation"]
+  },
+  {
+    id: "transport_security",
+    autoModules: ["ssl_certificate", "imdsv2_enforcement"],
+    shKeywords: ["ssl", "tls", "certificate", "imds", "metadata"]
+  },
+  {
+    id: "security_services",
+    autoModules: ["service_detection"],
+    shKeywords: []
+  },
+  {
+    id: "emergency_response",
+    autoModules: [],
+    shKeywords: []
+  },
+  {
+    id: "environment_control",
+    autoModules: [],
+    shKeywords: []
+  },
+  {
+    id: "post_review",
+    autoModules: [],
+    shKeywords: []
+  }
+];
+function hwCss() {
+  return `
+    *{margin:0;padding:0;box-sizing:border-box}
+    body{background:#0f172a;color:#f8fafc;font-family:Inter,system-ui,-apple-system,sans-serif;line-height:1.6;font-size:14px}
+    .container{max-width:900px;margin:0 auto;padding:40px 24px}
+    header{text-align:center;margin-bottom:40px;border-bottom:1px solid #334155;padding-bottom:24px}
+    header h1{font-size:28px;font-weight:700;margin-bottom:8px;letter-spacing:-0.5px}
+    .meta{color:#94a3b8;font-size:13px}
+    h2{font-size:20px;font-weight:600;margin:32px 0 16px;padding-bottom:8px;border-bottom:1px solid #334155}
+    h3{font-size:16px;font-weight:600;margin:16px 0 8px}
+    h4{font-size:14px;font-weight:600;margin:12px 0 4px}
+    .summary-cards{display:flex;gap:12px;flex-wrap:wrap;margin-bottom:32px;justify-content:center}
+    .summary-card{background:#1e293b;border:1px solid #334155;border-radius:8px;padding:16px 20px;text-align:center;min-width:100px;flex:1}
+    .summary-card .stat-count{font-size:28px;font-weight:700}
+    .summary-card .stat-label{font-size:12px;color:#94a3b8;margin-top:2px}
+    .badge{display:inline-block;padding:2px 10px;border-radius:4px;font-size:11px;font-weight:700;letter-spacing:0.5px;color:#fff}
+    .badge-critical{background:#ef4444}
+    .badge-high{background:#f97316}
+    .badge-medium{background:#eab308;color:#1e293b}
+    .badge-low{background:#22c55e;color:#1e293b}
+    .hw-section{background:#1e293b;border:1px solid #334155;border-radius:8px;margin-bottom:16px;overflow:hidden}
+    .hw-section>summary{cursor:pointer;padding:16px 20px;display:flex;align-items:center;gap:12px;list-style:none;font-size:16px;font-weight:600;user-select:none;flex-wrap:wrap}
+    .hw-section>summary::-webkit-details-marker{display:none}
+    .hw-section>summary::marker{content:""}
+    .hw-section>summary::after{content:"\\25B6";font-size:12px;color:#64748b;flex-shrink:0;transition:transform 0.2s;margin-left:auto}
+    .hw-section[open]>summary::after{transform:rotate(90deg)}
+    .hw-section[open]>summary{border-bottom:1px solid #334155}
+    .hw-section-body{padding:16px 20px}
+    .hw-section-icon{font-size:20px}
+    .hw-section-title{flex:1}
+    .hw-section-stats{display:inline-flex;gap:8px;font-size:12px;flex-wrap:wrap}
+    .hw-section-stats .badge{font-size:10px;padding:1px 8px}
+    .hw-auto-section{margin-bottom:16px}
+    .hw-auto-section h4{color:#60a5fa;margin-bottom:8px}
+    .hw-manual-section h4{color:#fbbf24;margin-bottom:8px}
+    .hw-clean{color:#22c55e;font-size:14px;padding:8px 12px;background:rgba(34,197,94,0.1);border-radius:6px}
+    .hw-no-auto{color:#94a3b8;font-size:14px;padding:8px 12px;background:rgba(148,163,184,0.08);border-radius:6px}
+    .hw-manual-item{display:flex;align-items:flex-start;gap:8px;padding:6px 12px;margin-bottom:4px;font-size:14px;color:#cbd5e1;border-radius:4px;background:rgba(148,163,184,0.06)}
+    .hw-manual-checkbox{color:#fbbf24;font-size:16px;flex-shrink:0}
+    .finding-card{display:flex;align-items:center;gap:8px;padding:8px 12px;margin-bottom:4px;border-radius:6px;border-left:4px solid #334155;background:rgba(30,41,59,0.5);flex-wrap:wrap}
+    .sev-critical{border-left-color:#ef4444}
+    .sev-high{border-left-color:#f97316}
+    .sev-medium{border-left-color:#eab308}
+    .sev-low{border-left-color:#22c55e}
+    .finding-title-text{font-weight:600;font-size:13px;flex:1;min-width:200px}
+    .finding-resource{color:#94a3b8;font-size:12px;max-width:300px;overflow:hidden;text-overflow:ellipsis;white-space:nowrap}
+    .finding-card>details{width:100%;margin-top:4px}
+    .finding-card>details>summary{cursor:pointer;font-size:12px;color:#60a5fa;user-select:none}
+    .finding-card-body{padding:8px 0}
+    .finding-card-body p{color:#cbd5e1;font-size:13px;margin-bottom:4px}
+    .finding-card-body ol{padding-left:20px}
+    .finding-card-body li{color:#cbd5e1;font-size:13px;margin-bottom:2px}
+    .hw-finding-group{background:#1e293b;border:1px solid #334155;border-radius:8px;padding:12px 16px;margin-bottom:8px}
+    .hw-finding-header{display:flex;align-items:center;gap:8px}
+    .hw-finding-title{color:#e2e8f0;font-size:14px;flex:1}
+    .hw-finding-count{color:#94a3b8;font-size:13px;font-weight:600;background:#334155;padding:2px 8px;border-radius:4px}
+    .hw-finding-resources{padding:8px 0}
+    .hw-resource-item{font-size:12px;color:#94a3b8;padding:2px 0;font-family:monospace}
+    .hw-finding-remediation{border-top:1px solid #334155;margin-top:8px;padding-top:8px}
+    .hw-finding-remediation ol{margin:4px 0;padding-left:20px;font-size:13px;color:#cbd5e1}
+    footer{margin-top:48px;padding-top:24px;border-top:1px solid #334155;text-align:center}
+    footer p{color:#64748b;font-size:12px;margin-bottom:4px}
+    @media print{
+      body{background:#fff;color:#1e293b;-webkit-print-color-adjust:exact;print-color-adjust:exact}
+      .container{max-width:100%;padding:20px}
+      .hw-section,.summary-card,.finding-card{background:#fff;border:1px solid #e2e8f0}
+      .badge{border:1px solid}
+      header{border-bottom-color:#e2e8f0}
+      h2{border-bottom-color:#e2e8f0}
+      footer{border-top-color:#e2e8f0}
+      .summary-card .stat-label{color:#64748b}
+      .finding-title-text{color:#1e293b}
+      .finding-resource{color:#64748b}
+      .finding-card-body p,.finding-card-body li{color:#475569}
+      .hw-section[open]>summary{border-bottom-color:#e2e8f0}
+      .hw-manual-item{color:#475569}
+      details{display:block}
+      details>summary{display:block}
+      details>:not(summary){display:block !important}
+    }
+  `;
+}
+function generateHwDefenseHtmlReport(scanResults, lang) {
+  const t = getI18n(lang ?? "zh");
+  const htmlLang = (lang ?? "zh") === "zh" ? "zh-CN" : "en";
+  const { accountId, region, scanStart } = scanResults;
+  const date = scanStart.split("T")[0];
+  const scanTime = scanStart.replace("T", " ").replace(/\.\d+Z$/, " UTC");
+  const moduleMap = /* @__PURE__ */ new Map();
+  for (const mod of scanResults.modules) {
+    const findings = mod.findings.map((f) => ({ ...f, module: f.module ?? mod.module }));
+    moduleMap.set(mod.module, findings);
+  }
+  const assignedShFindings = /* @__PURE__ */ new Set();
+  function shFindingKey(f) {
+    return `${f.title}|${f.resourceId}|${f.resourceArn}`;
+  }
+  const sectionResults = [];
+  for (const section of HW_SECTIONS) {
+    const findings = [];
+    for (const mod of section.autoModules) {
+      if (mod === "security_hub_findings") continue;
+      const modFindings = moduleMap.get(mod) ?? [];
+      findings.push(...modFindings);
+    }
+    if (section.shKeywords.length > 0) {
+      const shFindings = moduleMap.get("security_hub_findings") ?? [];
+      for (const f of shFindings) {
+        const key = shFindingKey(f);
+        if (assignedShFindings.has(key)) continue;
+        const searchText = `${f.title} ${f.description} ${f.impact}`.toLowerCase();
+        if (section.shKeywords.some((kw) => searchText.includes(kw))) {
+          findings.push(f);
+          assignedShFindings.add(key);
+        }
+      }
+    }
+    const hasAutoModules = section.autoModules.length > 0 || section.shKeywords.length > 0;
+    const hasAutoResults = hasAutoModules && (section.autoModules.some((m) => moduleMap.has(m)) || section.shKeywords.length > 0 && moduleMap.has("security_hub_findings"));
+    const manualItems = t.hwManualItems[section.id] ?? [];
+    sectionResults.push({
+      id: section.id,
+      findings,
+      manualItems,
+      hasAutoModules,
+      hasAutoResults
+    });
+  }
+  const totalFindings = sectionResults.reduce((sum, s) => sum + s.findings.length, 0);
+  const sectionsChecked = sectionResults.filter((s) => s.hasAutoResults || s.manualItems.length > 0).length;
+  const autoVerified = sectionResults.filter((s) => s.hasAutoResults).length;
+  const totalManualItems = sectionResults.reduce((sum, s) => sum + s.manualItems.length, 0);
+  function groupFindings(findings) {
+    const groups = /* @__PURE__ */ new Map();
+    const groupTitles = /* @__PURE__ */ new Map();
+    for (const f of findings) {
+      const cveMatch = f.title.match(/CVE-\d{4}-\d+/i);
+      if (cveMatch) {
+        const key2 = `cve:${cveMatch[0].toUpperCase()}`;
+        if (!groups.has(key2)) {
+          groups.set(key2, []);
+          groupTitles.set(key2, f.title);
+        }
+        groups.get(key2).push(f);
+        continue;
+      }
+      const controlMatch = f.title.match(/[A-Z]+\.\d+/);
+      if (controlMatch) {
+        const key2 = `ctrl:${controlMatch[0]}`;
+        if (!groups.has(key2)) {
+          groups.set(key2, []);
+          groupTitles.set(key2, f.title);
+        }
+        groups.get(key2).push(f);
+        continue;
+      }
+      const key = `title:${f.title}`;
+      if (!groups.has(key)) {
+        groups.set(key, []);
+        groupTitles.set(key, f.title);
+      }
+      groups.get(key).push(f);
+    }
+    const result = [];
+    for (const [key, gFindings] of groups) {
+      let highestSeverity = "LOW";
+      for (const f of gFindings) {
+        if (SEVERITY_ORDER3.indexOf(f.severity) < SEVERITY_ORDER3.indexOf(highestSeverity)) {
+          highestSeverity = f.severity;
+        }
+      }
+      result.push({ title: groupTitles.get(key), findings: gFindings, highestSeverity });
+    }
+    return result;
+  }
+  const renderGroup = (group) => {
+    const sev = group.highestSeverity.toLowerCase();
+    const count = group.findings.length;
+    const first = group.findings[0];
+    const resourceItems = group.findings.map((f) => `<div class="hw-resource-item">${esc2(f.resourceId)} &mdash; ${esc2(f.resourceArn)}</div>`).join("\n");
+    const remediationSteps = first.remediationSteps.map((s) => `<li>${escWithLinks2(s)}</li>`).join("");
+    return `<div class="hw-finding-group">
+  <div class="hw-finding-header">
+    <span class="badge badge-${esc2(sev)}">${esc2(group.highestSeverity)}</span>
+    <span class="hw-finding-title">${esc2(group.title)}</span>
+    <span class="hw-finding-count">&times;${count}</span>
+  </div>
+  <details>
+    <summary>${t.hwAffectedResources(count)}</summary>
+    <div class="hw-finding-resources">
+      ${resourceItems}
+    </div>
+    <div class="hw-finding-remediation">
+      <strong>${esc2(t.hwRemediation)}:</strong>
+      <ol>${remediationSteps}</ol>
+    </div>
+  </details>
+</div>`;
+  };
+  const sectionsHtml = sectionResults.map((section) => {
+    const meta = t.hwSectionNames[section.id];
+    if (!meta) return "";
+    const sectionName = meta.name;
+    const sectionIcon = meta.icon ?? "";
+    const statBadges = [];
+    if (section.findings.length > 0) {
+      const sevCounts = {};
+      for (const f of section.findings) {
+        sevCounts[f.severity] = (sevCounts[f.severity] ?? 0) + 1;
+      }
+      for (const sev of SEVERITY_ORDER3) {
+        if (sevCounts[sev]) {
+          statBadges.push(
+            `<span class="badge badge-${sev.toLowerCase()}">${sevCounts[sev]} ${sev}</span>`
+          );
+        }
+      }
+    } else if (section.hasAutoResults) {
+      statBadges.push(`<span style="color:#22c55e;font-size:12px">&#10003; ${esc2(t.hwClean)}</span>`);
+    }
+    if (section.manualItems.length > 0) {
+      statBadges.push(`<span style="color:#fbbf24;font-size:12px">&#9744; ${esc2(t.hwManualCount(section.manualItems.length))}</span>`);
+    }
+    let autoHtml;
+    if (!section.hasAutoModules) {
+      autoHtml = `<div class="hw-no-auto">&#9898; ${esc2(t.hwNoAutoCheck)}</div>`;
+    } else if (!section.hasAutoResults) {
+      autoHtml = `<div class="hw-no-auto">&#9898; ${esc2(t.hwNoAutoCheck)}</div>`;
+    } else if (section.findings.length === 0) {
+      autoHtml = `<div class="hw-clean">&#10004; ${esc2(t.hwClean)}</div>`;
+    } else {
+      const sorted = [...section.findings].sort((a, b) => {
+        const sevDiff = SEVERITY_ORDER3.indexOf(a.severity) - SEVERITY_ORDER3.indexOf(b.severity);
+        if (sevDiff !== 0) return sevDiff;
+        return b.riskScore - a.riskScore;
+      });
+      const groups = groupFindings(sorted);
+      autoHtml = groups.map(renderGroup).join("\n");
+    }
+    let manualHtml = "";
+    if (section.manualItems.length > 0) {
+      const items = section.manualItems.map((item) => `<div class="hw-manual-item"><span class="hw-manual-checkbox">&#9633;</span>${esc2(item)}</div>`).join("\n");
+      manualHtml = `
+        <div class="hw-manual-section">
+          <h4>&#128203; ${esc2(t.hwManualCheck)}</h4>
+          ${items}
+        </div>`;
+    }
+    return `<details class="hw-section">
+  <summary>
+    <span class="hw-section-icon">${esc2(sectionIcon)}</span>
+    <span class="hw-section-title">${esc2(sectionName)}</span>
+    <span class="hw-section-stats">${statBadges.join(" ")}</span>
+  </summary>
+  <div class="hw-section-body">
+    <div class="hw-auto-section">
+      <h4>&#129302; ${esc2(t.hwAutoCheck)}</h4>
+      ${autoHtml}
+    </div>
+    ${manualHtml}
+  </div>
+</details>`;
+  }).filter(Boolean).join("\n");
+  const findingsColor = totalFindings === 0 ? "#22c55e" : totalFindings <= 5 ? "#eab308" : "#ef4444";
+  return `<!DOCTYPE html>
+<html lang="${htmlLang}">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width,initial-scale=1">
+<title>${esc2(t.hwReportTitle)} &mdash; ${esc2(date)}</title>
+<style>${hwCss()}</style>
+</head>
+<body>
+<div class="container">
+<header>
+  <h1>&#128737;&#65039; ${esc2(t.hwReportTitle)}</h1>
+  <div class="meta">${esc2(t.account)}: ${esc2(accountId)} | ${esc2(t.region)}: ${esc2(region)} | ${esc2(t.scanTime)}: ${esc2(scanTime)}</div>
+</header>
+<section class="summary-cards">
+  <div class="summary-card"><div class="stat-count" style="color:${findingsColor}">${totalFindings}</div><div class="stat-label">${esc2(t.hwTotalFindings)}</div></div>
+  <div class="summary-card"><div class="stat-count" style="color:#60a5fa">${sectionsChecked}</div><div class="stat-label">${esc2(t.hwSectionsChecked)}</div></div>
+  <div class="summary-card"><div class="stat-count" style="color:#22c55e">${autoVerified}</div><div class="stat-label">${esc2(t.hwAutoVerified)}</div></div>
+  <div class="summary-card"><div class="stat-count" style="color:#fbbf24">${totalManualItems}</div><div class="stat-label">${esc2(t.hwManualPending)}</div></div>
+</section>
+${sectionsHtml}
+<footer>
+  <p>${esc2(t.generatedBy)} v${VERSION}</p>
+</footer>
+</div>
+</body>
+</html>`;
+}
 // src/tools/save-results.ts
 import { writeFileSync, readFileSync, mkdirSync, existsSync } from "fs";
 import { join } from "path";
@@ -8304,7 +8738,7 @@ function saveResults(scanResults, outputDir) {
 }
 // src/tools/scan-groups.ts
-var SEVERITY_ORDER3 = {
+var SEVERITY_ORDER4 = {
   LOW: 0,
   MEDIUM: 1,
   HIGH: 2,
@@ -8313,8 +8747,8 @@ var SEVERITY_ORDER3 = {
 function applyFindingsFilter(moduleName, findings, filter) {
   let result = findings;
   if (filter.minSeverity) {
-    const minLevel = SEVERITY_ORDER3[filter.minSeverity.toUpperCase()] ?? 0;
-    result = result.filter((f) => (SEVERITY_ORDER3[f.severity] ?? 0) >= minLevel);
+    const minLevel = SEVERITY_ORDER4[filter.minSeverity.toUpperCase()] ?? 0;
+    result = result.filter((f) => (SEVERITY_ORDER4[f.severity] ?? 0) >= minLevel);
   }
   if (moduleName === "security_hub_findings" && filter.securityHubCategories?.length) {
     const keywords = filter.securityHubCategories;
@@ -8348,10 +8782,10 @@ var SCAN_GROUPS = {
   },
   hw_defense: {
     name: "\u62A4\u7F51\u84DD\u961F\u52A0\u56FA",
-    description: "\u62A4\u7F51\u524D\u5B89\u5168\u81EA\u67E5 \u2014 \u653B\u51FB\u9762+\u5F31\u70B9\u8BC4\u4F30",
-    modules: ["service_detection", "secret_exposure", "network_reachability", "dns_dangling", "ssl_certificate", "iam_privilege_escalation", "security_hub_findings", "guardduty_findings", "inspector_findings", "config_rules_findings", "access_analyzer_findings", "patch_compliance_findings", "imdsv2_enforcement", "waf_coverage"],
+    description: "\u62A4\u7F51\u524D\u5B89\u5168\u81EA\u67E5 \u2014 \u653B\u51FB\u8005\u89C6\u89D2\u7684\u653B\u51FB\u9762+\u5F31\u70B9\u8BC4\u4F30",
+    modules: ["service_detection", "network_reachability", "dns_dangling", "public_access_verify", "ssl_certificate", "waf_coverage", "imdsv2_enforcement", "secret_exposure", "iam_privilege_escalation", "patch_compliance_findings", "security_hub_findings"],
     findingsFilter: {
-      guardDutyTypes: ["Backdoor", "Trojan", "PenTest", "CryptoCurrency"],
+      securityHubCategories: ["network", "public", "exposure", "port", "WAF", "vulnerability", "patch", "IAM", "iam", "access", "privilege", "secret", "credential", "password", "IMDS", "firewall", "VPC", "vpc", "SecurityGroup", "securitygroup", "CVE", "cve", "Inspector", "inspector", "software", "MFA", "mfa", "key rotation", "SSL", "ssl", "TLS", "tls", "certificate", "metadata", "CloudTrail", "cloudtrail", "logging", "audit", "encryption"],
       minSeverity: "MEDIUM"
     }
   },
@@ -8873,6 +9307,7 @@ function createServer(defaultRegion) {
           const summaryContent = content[0];
           if (summaryContent && summaryContent.type === "text") {
             summaryContent.text += "\n\n" + getHwDefenseChecklist(lang ?? "zh");
+            summaryContent.text += "\n\n\u{1F4A1} Tip: Call generate_hw_defense_report with these scan results to get a dedicated HTML report organized by HW Defense SOP checklist categories.";
           }
         }
         return { content };
@@ -8971,6 +9406,23 @@ function createServer(defaultRegion) {
       }
     }
   );
+  server.tool(
+    "generate_hw_defense_report",
+    "Generate an HTML report organized by HW Defense (\u62A4\u7F51) SOP checklist categories. Save as .html file.",
+    {
+      scan_results: z.string().describe("JSON string of FullScanResult from scan_group hw_defense or scan_all"),
+      lang: z.enum(["zh", "en"]).optional().describe("Report language (default: zh)")
+    },
+    async ({ scan_results, lang }) => {
+      try {
+        const parsed = JSON.parse(scan_results);
+        const report = generateHwDefenseHtmlReport(parsed, lang ?? "zh");
+        return { content: [{ type: "text", text: report }] };
+      } catch (err) {
+        return { content: [{ type: "text", text: `Error: ${err instanceof Error ? err.message : String(err)}` }], isError: true };
+      }
+    }
+  );
   server.tool(
     "generate_maturity_report",
     "Generate a security maturity assessment report from scan_all results. Requires service_detection module output. Read-only.",
@@ -9267,6 +9719,7 @@ export {
   calculateScore,
   createServer,
   generateHtmlReport,
+  generateHwDefenseHtmlReport,
   generateMarkdownReport,
   generateMlps3HtmlReport,
   getCurrentAccountId,