mcpsec 0.1.0 → 0.2.0

package/README.md

@@ -1,66 +1,252 @@
-# Sentinel MCP
+# mcpsec
 
-**Security scanner for Model Context Protocol (MCP) servers.**
+Security scanner for [Model Context Protocol](https://modelcontextprotocol.io/) (MCP) servers. Detects tool poisoning, credential exposure, prompt injection, SSRF, and insecure transport across all your MCP configurations.
 
-Sentinel scans your MCP configurations for security vulnerabilities including hardcoded credentials, prompt injection, tool poisoning, SSRF, and insecure transport.
+## Why
+
+MCP gives AI agents access to tools, files, databases, and APIs. A single malicious or misconfigured MCP server can:
+
+- **Steal credentials** hardcoded in config files
+- **Poison tool descriptions** to manipulate AI behavior
+- **Shadow legitimate tools** to intercept sensitive operations
+- **Exfiltrate data** via SSRF to internal services or cloud metadata endpoints
+- **Inject commands** through server arguments
+
+mcpsec finds these problems before attackers do.
 
 ## Quick Start
 
 ```bash
 # Scan all detected MCP configurations
-bun run src/cli/index.ts scan
+npx mcpsec scan
 
-# JSON output for CI/CD
-bun run src/cli/index.ts scan --json
+# Connect to running servers and scan live tools/resources
+npx mcpsec scan --live
 
 # Scan a specific config file
-bun run src/cli/index.ts scan --path ~/.cursor/mcp.json
+npx mcpsec scan --path ~/.cursor/mcp.json
+
+# JSON output for CI/CD pipelines
+npx mcpsec scan --json
+
+# Save scan as baseline for future comparison
+npx mcpsec scan --save-baseline
+
+# Compare current scan against baseline
+npx mcpsec scan --baseline
+
+# Baseline diff as JSON (for CI/CD)
+npx mcpsec scan --baseline --json
+```
+
+> Requires [Bun](https://bun.sh) runtime (`curl -fsSL https://bun.sh/install | bash`)
+
+## Example Output
+
+```
+  mcpsec - MCP Security Scanner v0.1.0
+  ──────────────────────────────────────────────────
+
+  Configurations Found
+  Claude Desktop (3 servers)
+  ~/.config/claude/claude_desktop_config.json
+    └─ filesystem
+    └─ github
+    └─ slack-mcp
+
+  Security Score
+  42/100   FAIL
+
+   2 CRITICAL   1 high  1 medium
+
+  Findings
+  ──────────────────────────────────────────────────
+
+  CRITICAL  Hardcoded API Key  [CRED-001]
+  Server: slack-mcp
+  Anthropic API key found in environment variables
+  Evidence: ANTHROPIC_API_KEY=sk-ant-api03-****
+  Fix: Use a secrets manager or environment variable reference
+
+  CRITICAL  SSRF Risk - Cloud Metadata  [SSRF-002]
+  Server: internal-proxy
+  Server URL points to AWS metadata endpoint
+  Evidence: http://169.254.169.254/latest/meta-data/
+  Fix: Remove cloud metadata URLs from MCP configurations
+
+  HIGH      Unencrypted Transport  [TRANSPORT-001]
+  Server: github
+  Server uses HTTP instead of HTTPS
+  Fix: Switch to HTTPS or use stdio transport
+
+  MEDIUM    Unverified npx Package  [SUPPLY-001]
+  Server: slack-mcp
+  Package installed via npx without version pinning
+  Fix: Pin to a specific version: npx package@1.2.3
 ```
 
-## What It Scans
+## What It Detects
+
+### Static Analysis (default)
 
 | Check | Category | Severity |
 |-------|----------|----------|
-| Hardcoded API keys (Anthropic, OpenAI, GitHub, AWS, etc.) | Credential Exposure | Critical |
-| Prompt injection in tool descriptions | Tool Poisoning | Critical |
-| Tool shadowing / hidden instructions | Tool Poisoning | Critical |
-| SSRF via server URLs (localhost, private IPs, cloud metadata) | SSRF | Critical |
+| Hardcoded API keys (Anthropic, OpenAI, GitHub, AWS, GCP, Azure, Stripe, etc.) | Credential Exposure | Critical |
+| Credentials embedded in URLs | Credential Exposure | Critical |
+| Sensitive environment variable values | Credential Exposure | High |
+| SSRF via cloud metadata endpoints (AWS, GCP, Azure) | SSRF | Critical |
+| SSRF via localhost/private IP ranges | SSRF | High |
 | Command injection in server arguments | Command Injection | Critical |
+| Prompt injection patterns in tool descriptions | Tool Poisoning | Critical |
+| Hidden instructions and tool shadowing | Tool Poisoning | Critical |
+| Privileged Docker containers (`--privileged`, host network) | Excessive Permissions | Critical |
 | Unencrypted HTTP transport | Insecure Transport | High |
-| Privileged Docker containers | Excessive Permissions | Critical |
-| Unverified npm packages via npx | Supply Chain | Medium |
-| Embedded credentials in URLs | Credential Exposure | Critical |
-| Sensitive environment variable values | Credential Exposure | High |
+| Unverified npx packages without version pinning | Supply Chain | Medium |
+
+### Live Server Scanning (`--live`)
+
+Connects to running MCP servers and inspects their actual tools, resources, and prompts:
+
+| Check | Category | Severity |
+|-------|----------|----------|
+| Dangerous tool capabilities (exec, eval, sudo, bulk delete) | Dangerous Tools | High |
+| Injection patterns in tool descriptions | Tool Poisoning | Critical |
+| Injection patterns in resource/prompt descriptions | Tool Poisoning | High |
+| SSRF in resource URI templates | SSRF | High |
+| Sensitive input schemas (password/token fields) | Credential Exposure | Medium |
+| Tool name shadowing across servers | Tool Shadowing | High |
+| Sampling capability enabled | Excessive Permissions | Medium |
 
 ## Supported Clients
 
-- Claude Desktop
-- Claude Code
-- Cursor
-- VS Code
-- Windsurf
-- Cline
+mcpsec auto-discovers configurations for:
+
+- **Claude Desktop** - `~/.config/claude/claude_desktop_config.json`
+- **Claude Code** - `~/.claude/settings.json` (project and global)
+- **Cursor** - `~/.cursor/mcp.json`
+- **VS Code** - `~/.vscode/settings.json`
+- **Windsurf** - `~/.windsurf/mcp.json`
+- **Cline** - VS Code extension settings
 
 ## Security Score
 
-Sentinel calculates a 0-100 security score:
+mcpsec calculates a 0-100 security score:
 
-- **80-100**: PASS - No critical issues
-- **50-79**: WARN - Issues found, review recommended
-- **0-49**: FAIL - Critical vulnerabilities detected
+| Score | Status | Impact |
+|-------|--------|--------|
+| 80-100 | PASS | No critical issues |
+| 50-79 | WARN | Issues found, review recommended |
+| 0-49 | FAIL | Critical vulnerabilities detected |
+
+**Scoring:** Critical = -25, High = -15, Medium = -8, Low = -3, Info = 0
+
+## GitHub Actions
+
+```yaml
+- name: MCP Security Scan
+  uses: robdtaylor/sentinel-mcp@v1
+  with:
+    config-path: path/to/mcp-config.json
+    fail-on: high  # critical, high, medium, or none
+```
 
-## Exit Codes
+### Inputs
+
+| Input | Required | Default | Description |
+|-------|----------|---------|-------------|
+| `config-path` | Yes | - | Path to MCP configuration file |
+| `fail-on` | No | `high` | Minimum severity to fail: `critical`, `high`, `medium`, `none` |
+
+### Outputs
+
+| Output | Description |
+|--------|-------------|
+| `score` | Security score (0-100) |
+| `status` | `pass`, `warn`, or `fail` |
+| `findings` | Total number of findings |
+| `critical` | Number of critical findings |
+| `high` | Number of high findings |
+
+### Example: Fail only on critical
+
+```yaml
+- name: MCP Security Scan
+  uses: robdtaylor/sentinel-mcp@v1
+  with:
+    config-path: .cursor/mcp.json
+    fail-on: critical
+```
+
+### Example: Use outputs in later steps
+
+```yaml
+- name: MCP Security Scan
+  id: mcpsec
+  uses: robdtaylor/sentinel-mcp@v1
+  with:
+    config-path: mcp-config.json
+    fail-on: none
+
+- name: Check results
+  run: |
+    echo "Score: ${{ steps.mcpsec.outputs.score }}"
+    echo "Critical: ${{ steps.mcpsec.outputs.critical }}"
+```
+
+### SARIF + GitHub Code Scanning
+
+Upload results to GitHub's Security tab:
+
+```yaml
+- name: MCP Security Scan
+  run: npx mcpsec scan --sarif --path mcp-config.json > results.sarif
+
+- name: Upload SARIF
+  uses: github/codeql-action/upload-sarif@v3
+  with:
+    sarif_file: results.sarif
+```
+
+### CLI in CI
+
+You can also run the CLI directly:
+
+```yaml
+- name: MCP Security Scan
+  run: npx mcpsec scan --json --path mcp-config.json > report.json
+```
+
+### Exit Codes
 
 | Code | Meaning |
 |------|---------|
-| 0 | No critical/high findings |
-| 1 | High severity findings |
-| 2 | Critical severity findings |
+| 0 | No critical or high findings |
+| 1 | High severity findings found |
+| 2 | Critical severity findings found |
+
+## CLI Reference
+
+```
+mcpsec scan [options]
+
+Options:
+  --live                   Connect to running MCP servers and scan live
+  --json                   Output results as JSON
+  --sarif                  Output results as SARIF 2.1.0 (for GitHub Code Scanning)
+  --path <file>            Scan a specific config file
+  --save-baseline [file]   Save scan results as baseline (default: .mcpsec-baseline.json)
+  --baseline [file]        Compare scan against baseline and show diff
+  --no-color               Disable colored output
+  --help, -h               Show help
+  --version, -v            Show version
+```
 
 ## Development
 
 ```bash
-# Install dependencies
+# Clone and install
+git clone https://github.com/robdtaylor/sentinel-mcp.git
+cd sentinel-mcp
 bun install
 
 # Run tests
@@ -68,8 +254,39 @@ bun test
 
 # Type check
 bun run typecheck
+
+# Run locally
+bun run src/cli/index.ts scan
+```
+
+## Architecture
+
+```
+src/
+  cli/index.ts              CLI entry point
+  lib/
+    types.ts                Core types (Finding, MCPConfigFile, Scanner)
+    injection-patterns.ts   Prompt injection / tool poisoning patterns
+    url-validator.ts        SSRF detection (cloud metadata, private IPs)
+    mcp-client.ts           MCP protocol client (stdio + HTTP)
+  scanner/
+    config-scanner.ts       Config-level checks (transport, docker, supply chain)
+    credential-scanner.ts   API key and credential detection
+    tool-scanner.ts         Injection and command injection scanning
+    live-scanner.ts         Live server tool/resource/prompt analysis
+    report.ts               Score calculation and report output
+    sarif.ts                SARIF 2.1.0 output for GitHub Code Scanning
+    baseline.ts             Baseline save/load and diff engine
 ```
 
+## Roadmap
+
+- [x] Cross-server tool shadowing detection
+- [x] GitHub Actions action (`uses: robdtaylor/sentinel-mcp@v1`)
+- [ ] MCP server registry scanning
+- [x] Baseline / diff mode (track changes between scans)
+- [x] SARIF output format (`--sarif` for GitHub Code Scanning)
+
 ## License
 
 MIT

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mcpsec",
-  "version": "0.1.0",
+  "version": "0.2.0",
   "description": "Security scanner for MCP (Model Context Protocol) servers - detects tool poisoning, credential exposure, prompt injection, and SSRF",
   "license": "MIT",
   "author": "Rob Taylor <robdtaylor@users.noreply.github.com>",

package/src/cli/index.ts

@@ -14,6 +14,14 @@ import { credentialScanner } from '../scanner/credential-scanner';
 import { toolScanner } from '../scanner/tool-scanner';
 import { liveScanner } from '../scanner/live-scanner';
 import { generateReport, printReport, printReportJSON } from '../scanner/report';
+import { printReportSARIF } from '../scanner/sarif';
+import {
+  loadBaseline,
+  saveBaseline,
+  diffFindings,
+  printBaselineDiff,
+  DEFAULT_BASELINE_PATH,
+} from '../scanner/baseline';
 import type { Finding, MCPConfigFile } from '../lib/types';
 
 // ============================================================================
@@ -27,18 +35,24 @@ const HELP = `
     mcpsec scan [options]
 
   Options:
-    --live          Connect to running MCP servers and scan live
-    --json          Output results as JSON
-    --path <file>   Scan a specific config file
-    --no-color      Disable colored output
-    --help, -h      Show this help message
-    --version, -v   Show version
+    --live                   Connect to running MCP servers and scan live
+    --json                   Output results as JSON
+    --sarif                  Output results as SARIF 2.1.0 (for GitHub Code Scanning)
+    --path <file>            Scan a specific config file
+    --save-baseline [file]   Save scan results as baseline (default: ${DEFAULT_BASELINE_PATH})
+    --baseline [file]        Compare scan against baseline and show diff
+    --no-color               Disable colored output
+    --help, -h               Show this help message
+    --version, -v            Show version
 
   Examples:
     mcpsec scan
     mcpsec scan --live
     mcpsec scan --json
     mcpsec scan --path ~/.cursor/mcp.json
+    mcpsec scan --save-baseline
+    mcpsec scan --baseline
+    mcpsec scan --baseline --json
 `;
 
 async function main() {
@@ -51,7 +65,7 @@ async function main() {
   }
 
   if (command === '--version' || command === '-v') {
-    console.log('mcpsec v0.1.0');
+    console.log('mcpsec v0.2.0');
     process.exit(0);
   }
 
@@ -63,10 +77,28 @@ async function main() {
 
   // Parse scan options
   const jsonOutput = args.includes('--json');
+  const sarifOutput = args.includes('--sarif');
   const liveMode = args.includes('--live');
   const pathIndex = args.indexOf('--path');
   const specificPath = pathIndex !== -1 ? args[pathIndex + 1] : undefined;
 
+  // Baseline flags
+  const saveBaselineIndex = args.indexOf('--save-baseline');
+  const saveBaselineMode = saveBaselineIndex !== -1;
+  const saveBaselinePath = saveBaselineMode
+    ? (args[saveBaselineIndex + 1] && !args[saveBaselineIndex + 1].startsWith('--')
+        ? args[saveBaselineIndex + 1]
+        : DEFAULT_BASELINE_PATH)
+    : undefined;
+
+  const baselineIndex = args.indexOf('--baseline');
+  const baselineMode = baselineIndex !== -1;
+  const baselinePath = baselineMode
+    ? (args[baselineIndex + 1] && !args[baselineIndex + 1].startsWith('--')
+        ? args[baselineIndex + 1]
+        : DEFAULT_BASELINE_PATH)
+    : undefined;
+
   if (args.includes('--no-color')) {
     // Disable colors by overriding environment
     process.env.NO_COLOR = '1';
@@ -135,11 +167,59 @@ async function main() {
   // Generate report
   const report = generateReport(configs, allFindings);
 
-  // Output
-  if (jsonOutput) {
-    printReportJSON(report);
+  // Save baseline if requested
+  if (saveBaselineMode && saveBaselinePath) {
+    saveBaseline(report, saveBaselinePath);
+    if (!jsonOutput && !sarifOutput) {
+      console.log(`\n  Baseline saved to ${saveBaselinePath}\n`);
+    }
+  }
+
+  // Baseline diff if requested
+  if (baselineMode && baselinePath) {
+    try {
+      const baseline = loadBaseline(baselinePath);
+      const diff = diffFindings(allFindings, baseline);
+      diff.scoreDelta = report.score - baseline.score;
+
+      if (jsonOutput) {
+        // JSON output with diff included
+        const safeReport = {
+          ...report,
+          configFiles: report.configFiles.map((c) => ({
+            path: c.path,
+            client: c.client,
+            servers: Object.keys(c.servers),
+          })),
+          diff: {
+            baselineTimestamp: diff.baselineTimestamp,
+            baselineScore: diff.baselineScore,
+            scoreDelta: diff.scoreDelta,
+            new: diff.newFindings,
+            fixed: diff.fixedFindings,
+            unchanged: diff.unchangedFindings.length,
+          },
+        };
+        console.log(JSON.stringify(safeReport, null, 2));
+      } else if (sarifOutput) {
+        printReportSARIF(report);
+      } else {
+        printReport(report);
+        printBaselineDiff(diff, report.score);
+      }
+    } catch (err) {
+      console.error(`Baseline error: ${(err as Error).message}`);
+      process.exit(1);
+    }
   } else {
-    printReport(report);
+    // Normal output (no baseline)
+    if (sarifOutput) {
+      printReportSARIF(report);
+    } else if (jsonOutput) {
+      printReportJSON(report);
+    } else {
+      printReport(report);
+    }
   }
 
   // Exit code based on findings

package/src/lib/mcp-client.ts

@@ -98,6 +98,7 @@ export async function connectStdio(
       stderr: 'pipe',
     });
 
+    const stdin = proc.stdin as import('bun').FileSink;
     const reader = new StdioReader(proc);
     let messageId = 0;
 
@@ -112,8 +113,8 @@ export async function connectStdio(
       };
 
       const line = JSON.stringify(request) + '\n';
-      proc!.stdin.write(line);
-      proc!.stdin.flush();
+      stdin.write(line);
+      stdin.flush();
 
       const response = await reader.waitForResponse(id, REQUEST_TIMEOUT);
       if (response.error) {
@@ -129,8 +130,8 @@ export async function connectStdio(
         method,
         params,
       };
-      proc!.stdin.write(JSON.stringify(notification) + '\n');
-      proc!.stdin.flush();
+      stdin.write(JSON.stringify(notification) + '\n');
+      stdin.flush();
     };
 
     // Step 1: Initialize
@@ -139,7 +140,7 @@ export async function connectStdio(
       capabilities: {},
       clientInfo: {
         name: 'sentinel-mcp',
-        version: '0.1.0',
+        version: '0.2.0',
       },
     }) as Record<string, unknown>;
 
@@ -196,7 +197,7 @@ export async function connectStdio(
     // Clean up the process
     if (proc) {
       try {
-        proc.stdin.end();
+        (proc.stdin as import('bun').FileSink).end();
         proc.kill();
       } catch {
         // Process may have already exited

package/src/lib/types.ts

@@ -49,6 +49,7 @@ export type FindingCategory =
   | 'credential-exposure'
   | 'prompt-injection'
   | 'tool-poisoning'
+  | 'tool-shadowing'
   | 'ssrf'
   | 'command-injection'
   | 'insecure-transport'
@@ -80,6 +81,19 @@ export interface ScanSummary {
   info: number;
 }
 
+// ============================================================================
+// Baseline / Diff
+// ============================================================================
+
+export interface BaselineDiff {
+  newFindings: Finding[];
+  fixedFindings: Finding[];
+  unchangedFindings: Finding[];
+  baselineTimestamp: string;
+  baselineScore: number;
+  scoreDelta: number; // current - baseline (positive = improved)
+}
+
 // ============================================================================
 // Scanner Interface
 // ============================================================================

package/src/scanner/baseline.ts

@@ -0,0 +1,187 @@
+/**
+ * Sentinel MCP - Baseline / Diff Engine
+ *
+ * Compare scan results against a saved baseline to track
+ * new findings, fixed findings, and score trends over time.
+ */
+
+import { readFileSync, writeFileSync } from 'fs';
+import type { Finding, ScanReport, BaselineDiff } from '../lib/types';
+
+export const DEFAULT_BASELINE_PATH = '.mcpsec-baseline.json';
+
+// ============================================================================
+// Fingerprinting
+// ============================================================================
+
+/**
+ * Generate a stable fingerprint for a finding.
+ * Same rule + same server + same config = same finding across scans.
+ * Evidence is excluded because it contains rotating/masked secrets.
+ */
+export function findingFingerprint(finding: Finding): string {
+  return `${finding.id}:${finding.server ?? ''}:${finding.configFile ?? ''}`;
+}
+
+// ============================================================================
+// Diff Engine
+// ============================================================================
+
+/**
+ * Diff current findings against a baseline.
+ * Returns new, fixed, and unchanged findings plus score delta.
+ */
+export function diffFindings(
+  current: Finding[],
+  baseline: ScanReport
+): BaselineDiff {
+  const baselineFingerprints = new Map<string, Finding>();
+  for (const f of baseline.findings) {
+    baselineFingerprints.set(findingFingerprint(f), f);
+  }
+
+  const currentFingerprints = new Set<string>();
+  const newFindings: Finding[] = [];
+  const unchangedFindings: Finding[] = [];
+
+  for (const f of current) {
+    const fp = findingFingerprint(f);
+    currentFingerprints.add(fp);
+
+    if (baselineFingerprints.has(fp)) {
+      unchangedFindings.push(f);
+    } else {
+      newFindings.push(f);
+    }
+  }
+
+  const fixedFindings: Finding[] = [];
+  for (const [fp, f] of baselineFingerprints) {
+    if (!currentFingerprints.has(fp)) {
+      fixedFindings.push(f);
+    }
+  }
+
+  return {
+    newFindings,
+    fixedFindings,
+    unchangedFindings,
+    baselineTimestamp: baseline.timestamp,
+    baselineScore: baseline.score,
+    scoreDelta: 0, // caller sets this after report generation
+  };
+}
+
+// ============================================================================
+// File I/O
+// ============================================================================
+
+/**
+ * Load and validate a baseline JSON file.
+ * Throws on missing file or invalid JSON.
+ */
+export function loadBaseline(path: string): ScanReport {
+  let content: string;
+  try {
+    content = readFileSync(path, 'utf-8');
+  } catch {
+    throw new Error(`Baseline file not found: ${path}`);
+  }
+
+  let parsed: unknown;
+  try {
+    parsed = JSON.parse(content);
+  } catch {
+    throw new Error(`Invalid JSON in baseline file: ${path}`);
+  }
+
+  const report = parsed as ScanReport;
+  if (!report.timestamp || !report.findings || typeof report.score !== 'number') {
+    throw new Error(`Invalid baseline format: missing required fields (timestamp, findings, score)`);
+  }
+
+  return report;
+}
+
+/**
+ * Save a scan report as baseline JSON.
+ * Strips raw config data to avoid leaking secrets (same as printReportJSON).
+ */
+export function saveBaseline(report: ScanReport, path: string): void {
+  const safeReport = {
+    ...report,
+    configFiles: report.configFiles.map((c) => ({
+      path: c.path,
+      client: c.client,
+      servers: Object.keys(c.servers),
+    })),
+  };
+
+  writeFileSync(path, JSON.stringify(safeReport, null, 2) + '\n');
+}
+
+// ============================================================================
+// Console Output
+// ============================================================================
+
+const COLORS = {
+  reset: '\x1b[0m',
+  bold: '\x1b[1m',
+  dim: '\x1b[2m',
+  red: '\x1b[31m',
+  green: '\x1b[32m',
+  yellow: '\x1b[33m',
+  cyan: '\x1b[36m',
+};
+
+/**
+ * Print a baseline diff report to the console.
+ */
+export function printBaselineDiff(diff: BaselineDiff, currentScore: number): void {
+  const delta = diff.scoreDelta;
+  const deltaStr = delta > 0 ? `+${delta}` : `${delta}`;
+  const deltaColor = delta > 0 ? COLORS.green : delta < 0 ? COLORS.red : COLORS.dim;
+
+  const dateStr = diff.baselineTimestamp.split('T')[0];
+
+  console.log();
+  console.log(`  ${COLORS.bold}Baseline Comparison${COLORS.reset}`);
+  console.log(`  ${COLORS.dim}${'─'.repeat(50)}${COLORS.reset}`);
+  console.log(`  ${COLORS.dim}Baseline:${COLORS.reset} ${DEFAULT_BASELINE_PATH} (${dateStr})`);
+  console.log(`  ${COLORS.dim}Score:${COLORS.reset}    ${diff.baselineScore} → ${currentScore}  ${deltaColor}(${deltaStr})${COLORS.reset}`);
+  console.log();
+
+  const parts: string[] = [];
+  if (diff.fixedFindings.length > 0) {
+    parts.push(`${COLORS.green}${diff.fixedFindings.length} fixed${COLORS.reset}`);
+  }
+  if (diff.newFindings.length > 0) {
+    parts.push(`${COLORS.red}${diff.newFindings.length} new${COLORS.reset}`);
+  }
+  if (diff.unchangedFindings.length > 0) {
+    parts.push(`${COLORS.dim}${diff.unchangedFindings.length} unchanged${COLORS.reset}`);
+  }
+  console.log(`  ${parts.join('   ')}`);
+
+  if (diff.fixedFindings.length > 0) {
+    console.log();
+    console.log(`  ${COLORS.green}${COLORS.bold}FIXED${COLORS.reset}`);
+    for (const f of diff.fixedFindings) {
+      const server = f.server ? ` (${f.server})` : '';
+      console.log(`    ${COLORS.green}✓${COLORS.reset} ${COLORS.dim}${f.id}${COLORS.reset}  ${f.title}${COLORS.dim}${server}${COLORS.reset}`);
+    }
+  }
+
+  if (diff.newFindings.length > 0) {
+    console.log();
+    console.log(`  ${COLORS.red}${COLORS.bold}NEW${COLORS.reset}`);
+    for (const f of diff.newFindings) {
+      const server = f.server ? ` (${f.server})` : '';
+      console.log(`    ${COLORS.red}✗${COLORS.reset} ${COLORS.dim}${f.id}${COLORS.reset}  ${f.title}${COLORS.dim}${server}${COLORS.reset}`);
+    }
+  }
+
+  console.log();
+  console.log(`  ${COLORS.dim}${'─'.repeat(50)}${COLORS.reset}`);
+  console.log();
+}

package/src/scanner/live-scanner.ts

@@ -64,6 +64,9 @@ export const liveScanner: Scanner = {
     const findings: Finding[] = [];
     let findingId = 0;
 
+    // Track tools across all servers for cross-server shadowing detection
+    const globalToolRegistry = new Map<string, { server: string; configFile: string; description: string }[]>();
+
     for (const config of configs) {
       for (const [serverName, serverConfig] of Object.entries(config.servers)) {
         // Connect to the server
@@ -100,14 +103,23 @@ export const liveScanner: Scanner = {
           `[${toolCount} tools, ${resourceCount} resources, ${promptCount} prompts]\n`
         );
 
-        // Scan tools
+        // Scan tools and register them globally
         for (const tool of info.tools) {
           const toolFindings = scanTool(tool, serverName, config.path, findingId);
           findingId += toolFindings.length;
           findings.push(...toolFindings);
+
+          // Register tool for cross-server shadowing detection
+          const entry = { server: serverName, configFile: config.path, description: tool.description || '' };
+          const existing = globalToolRegistry.get(tool.name);
+          if (existing) {
+            existing.push(entry);
+          } else {
+            globalToolRegistry.set(tool.name, [entry]);
+          }
         }
 
-        // Scan for tool shadowing across servers
+        // Check for duplicate tool names within this server
         const toolNames = info.tools.map((t) => t.name);
         const duplicateNames = findDuplicateToolNames(toolNames);
         for (const dup of duplicateNames) {
@@ -115,11 +127,11 @@ export const liveScanner: Scanner = {
             id: `LIVE-${++findingId}`,
             severity: 'high',
             category: 'tool-poisoning',
-            title: `Duplicate tool name: "${dup}"`,
-            description: `Server "${serverName}" exposes multiple tools named "${dup}". This may indicate tool shadowing.`,
+            title: `Duplicate tool name within server: "${dup}"`,
+            description: `Server "${serverName}" exposes multiple tools named "${dup}". This is unusual and may indicate a compromised server.`,
             server: serverName,
             configFile: config.path,
-            remediation: 'Investigate why the server has duplicate tool names. This is unusual and may indicate a compromised server.',
+            remediation: 'Investigate why the server has duplicate tool names.',
           });
         }
 
@@ -146,6 +158,10 @@ export const liveScanner: Scanner = {
       }
     }
 
+    // Cross-server tool shadowing detection
+    const shadowFindings = detectCrossServerShadowing(globalToolRegistry, findingId);
+    findings.push(...shadowFindings);
+
     return findings;
   },
 };
@@ -355,6 +371,55 @@ function scanCapabilities(
   return findings;
 }
 
+// ============================================================================
+// Cross-Server Tool Shadowing Detection
+// ============================================================================
+
+type ToolRegistryEntry = { server: string; configFile: string; description: string };
+
+export function detectCrossServerShadowing(
+  registry: Map<string, ToolRegistryEntry[]>,
+  startId: number
+): Finding[] {
+  const findings: Finding[] = [];
+  let findingId = startId;
+
+  for (const [toolName, entries] of registry) {
+    // Only flag if the same tool name appears on 2+ different servers
+    const uniqueServers = new Set(entries.map((e) => e.server));
+    if (uniqueServers.size < 2) continue;
+
+    // Determine severity based on description similarity
+    // If descriptions differ significantly, it's more likely a malicious shadow
+    const descriptions = entries.map((e) => e.description);
+    const allSame = descriptions.every((d) => d === descriptions[0]);
+    const severity = allSame ? 'medium' : 'high';
+
+    const serverList = entries.map((e) => `"${e.server}" (${e.configFile})`).join(', ');
+
+    findings.push({
+      id: `LIVE-${++findingId}`,
+      severity,
+      category: 'tool-shadowing',
+      title: `Cross-server tool shadowing: "${toolName}"`,
+      description:
+        `Tool "${toolName}" is exposed by ${uniqueServers.size} servers: ${serverList}. ` +
+        `When multiple servers provide the same tool name, the client may route calls to the wrong server, ` +
+        `allowing a malicious server to intercept operations meant for a legitimate one.`,
+      server: [...uniqueServers].join(', '),
+      configFile: entries[0].configFile,
+      evidence: allSame
+        ? `All servers use identical descriptions.`
+        : `Descriptions differ across servers: ${entries.map((e) => `[${e.server}]: "${truncate(e.description, 60)}"`).join(' vs ')}`,
+      remediation:
+        'Rename conflicting tools or remove the untrusted server. ' +
+        'If both servers are trusted, use tool name prefixing to disambiguate.',
+    });
+  }
+
+  return findings;
+}
+
 // ============================================================================
 // Helpers
 // ============================================================================

package/src/scanner/report.ts

@@ -6,7 +6,7 @@
 
 import type { ScanReport, ScanSummary, Finding, MCPConfigFile, ScanStatus } from '../lib/types';
 
-const VERSION = '0.1.0';
+const VERSION = '0.2.0';
 
 // ============================================================================
 // Score Calculation
@@ -150,7 +150,7 @@ export function printReport(report: ScanReport): void {
 
   // Header
   console.log();
-  console.log(`${COLORS.bold}${COLORS.cyan}  Sentinel MCP Security Scanner v${VERSION}${COLORS.reset}`);
+  console.log(`${COLORS.bold}${COLORS.cyan}  mcpsec - MCP Security Scanner v${VERSION}${COLORS.reset}`);
   console.log(`${COLORS.dim}  ${'─'.repeat(50)}${COLORS.reset}`);
   console.log();
 

package/src/scanner/sarif.ts

@@ -0,0 +1,227 @@
+/**
+ * Sentinel MCP - SARIF Output
+ *
+ * Converts scan reports to SARIF 2.1.0 format for GitHub Code Scanning
+ * and other SARIF-compatible tools.
+ *
+ * Spec: https://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html
+ */
+
+import type { ScanReport, Finding, Severity, FindingCategory } from '../lib/types';
+
+const SARIF_SCHEMA =
+  'https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json';
+const TOOL_INFO_URI = 'https://github.com/robdtaylor/sentinel-mcp';
+
+// ============================================================================
+// SARIF Types (subset of 2.1.0 spec)
+// ============================================================================
+
+interface SarifLog {
+  $schema: string;
+  version: '2.1.0';
+  runs: SarifRun[];
+}
+
+interface SarifRun {
+  tool: {
+    driver: {
+      name: string;
+      version: string;
+      informationUri: string;
+      rules: SarifRule[];
+    };
+  };
+  results: SarifResult[];
+  invocations: SarifInvocation[];
+}
+
+interface SarifRule {
+  id: string;
+  name: string;
+  shortDescription: { text: string };
+  defaultConfiguration: { level: SarifLevel };
+  properties: { tags: string[] };
+}
+
+interface SarifResult {
+  ruleId: string;
+  level: SarifLevel;
+  message: { text: string };
+  locations: SarifLocation[];
+  properties: Record<string, unknown>;
+}
+
+interface SarifLocation {
+  physicalLocation: {
+    artifactLocation: { uri: string };
+  };
+}
+
+interface SarifInvocation {
+  executionSuccessful: boolean;
+  properties: Record<string, unknown>;
+}
+
+type SarifLevel = 'error' | 'warning' | 'note' | 'none';
+
+// ============================================================================
+// Conversion
+// ============================================================================
+
+/**
+ * Map mcpsec severity to SARIF level
+ */
+function toSarifLevel(severity: Severity): SarifLevel {
+  switch (severity) {
+    case 'critical':
+    case 'high':
+      return 'error';
+    case 'medium':
+      return 'warning';
+    case 'low':
+    case 'info':
+      return 'note';
+  }
+}
+
+/**
+ * Map finding category to SARIF tags
+ */
+function categoryTags(category: FindingCategory): string[] {
+  const tags = ['security'];
+  switch (category) {
+    case 'credential-exposure':
+      tags.push('credential-exposure', 'secrets');
+      break;
+    case 'prompt-injection':
+    case 'tool-poisoning':
+    case 'tool-shadowing':
+      tags.push('tool-poisoning', 'ai-safety');
+      break;
+    case 'ssrf':
+      tags.push('ssrf', 'network');
+      break;
+    case 'command-injection':
+      tags.push('command-injection', 'injection');
+      break;
+    case 'insecure-transport':
+      tags.push('insecure-transport', 'encryption');
+      break;
+    case 'excessive-permissions':
+      tags.push('excessive-permissions', 'misconfiguration');
+      break;
+    case 'supply-chain':
+      tags.push('supply-chain', 'dependency');
+      break;
+    case 'configuration':
+      tags.push('misconfiguration');
+      break;
+  }
+  return tags;
+}
+
+/**
+ * Generate a stable rule name from a finding ID (e.g. "CRED-001" -> "HardcodedCredential")
+ */
+function ruleNameFromId(id: string): string {
+  // Strip numeric suffix and convert to PascalCase
+  return id
+    .replace(/-\d+$/, '')
+    .split('-')
+    .map((part) => part.charAt(0).toUpperCase() + part.slice(1).toLowerCase())
+    .join('');
+}
+
+/**
+ * Extract unique rules from findings
+ */
+function extractRules(findings: Finding[]): SarifRule[] {
+  const seen = new Map<string, SarifRule>();
+
+  for (const finding of findings) {
+    const ruleId = finding.id;
+    if (seen.has(ruleId)) continue;
+
+    seen.set(ruleId, {
+      id: ruleId,
+      name: ruleNameFromId(ruleId),
+      shortDescription: { text: finding.title },
+      defaultConfiguration: { level: toSarifLevel(finding.severity) },
+      properties: { tags: categoryTags(finding.category) },
+    });
+  }
+
+  return Array.from(seen.values());
+}
+
+/**
+ * Convert a finding to a SARIF result
+ */
+function toSarifResult(finding: Finding): SarifResult {
+  const uri = finding.configFile || 'unknown';
+
+  const message = [finding.description];
+  if (finding.remediation) {
+    message.push(`Fix: ${finding.remediation}`);
+  }
+
+  const properties: Record<string, unknown> = {};
+  if (finding.server) properties.server = finding.server;
+  if (finding.evidence) properties.evidence = finding.evidence;
+  if (finding.severity) properties.severity = finding.severity;
+
+  return {
+    ruleId: finding.id,
+    level: toSarifLevel(finding.severity),
+    message: { text: message.join(' ') },
+    locations: [
+      {
+        physicalLocation: {
+          artifactLocation: { uri },
+        },
+      },
+    ],
+    properties,
+  };
+}
+
+/**
+ * Convert a ScanReport to SARIF 2.1.0 log
+ */
+export function toSarif(report: ScanReport): SarifLog {
+  return {
+    $schema: SARIF_SCHEMA,
+    version: '2.1.0',
+    runs: [
+      {
+        tool: {
+          driver: {
+            name: 'mcpsec',
+            version: report.version,
+            informationUri: TOOL_INFO_URI,
+            rules: extractRules(report.findings),
+          },
+        },
+        results: report.findings.map(toSarifResult),
+        invocations: [
+          {
+            executionSuccessful: true,
+            properties: {
+              score: report.score,
+              status: report.status,
+              timestamp: report.timestamp,
+            },
+          },
+        ],
+      },
+    ],
+  };
+}
+
+/**
+ * Print SARIF output to stdout
+ */
+export function printReportSARIF(report: ScanReport): void {
+  console.log(JSON.stringify(toSarif(report), null, 2));
+}