security-mcp 1.0.4 → 1.1.0

package/dist/gate/evidence.js

@@ -0,0 +1,116 @@
+import { readFile } from "node:fs/promises";
+import fg from "fast-glob";
+import { dirname, join, resolve } from "node:path";
+import { fileURLToPath } from "node:url";
+import { loadControlCatalog, controlApplies } from "./catalog.js";
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const PKG_ROOT = resolve(__dirname, "../..");
+async function loadEvidenceMap() {
+    const overridePath = process.env["SECURITY_GATE_EVIDENCE_MAP"];
+    if (overridePath) {
+        const raw = await readFile(join(process.cwd(), overridePath), "utf-8");
+        return JSON.parse(raw);
+    }
+    try {
+        const raw = await readFile(join(process.cwd(), ".mcp", "mappings", "evidence-map.json"), "utf-8");
+        return JSON.parse(raw);
+    }
+    catch {
+        const raw = await readFile(join(PKG_ROOT, "defaults", "evidence-map.json"), "utf-8");
+        return JSON.parse(raw);
+    }
+}
+function getPolicyControl(policy, control) {
+    return policy.requirements.find((requirement) => requirement.id === control.id);
+}
+export async function evaluateEvidenceCoverage(opts) {
+    const evidenceMap = await loadEvidenceMap();
+    const catalog = await loadControlCatalog();
+    const findings = [];
+    const controls = [];
+    for (const control of catalog.controls) {
+        if (!controlApplies(control, opts.surfaces)) {
+            controls.push({
+                id: control.id,
+                description: control.description,
+                automation: control.automation,
+                frameworks: control.frameworks,
+                status: "not_applicable",
+                details: ["Surface not in scope for this review."]
+            });
+            continue;
+        }
+        if (control.automation !== "evidence") {
+            controls.push({
+                id: control.id,
+                description: control.description,
+                automation: control.automation,
+                frameworks: control.frameworks,
+                status: "not_applicable",
+                details: ["Resolved outside evidence coverage evaluation."]
+            });
+            continue;
+        }
+        const policyControl = getPolicyControl(opts.policy, control);
+        const evidenceIds = policyControl?.evidence ?? control.evidence ?? [];
+        const missingMappings = evidenceIds.filter((evidenceId) => !evidenceMap[evidenceId]);
+        if (missingMappings.length > 0) {
+            findings.push({
+                id: "EVIDENCE_MAPPING_MISSING",
+                title: `Evidence mapping missing for control ${control.id}`,
+                severity: "HIGH",
+                evidence: missingMappings,
+                requiredActions: [
+                    "Add the missing evidence IDs to .mcp/mappings/evidence-map.json.",
+                    "Map each control to file globs that prove the control exists."
+                ]
+            });
+        }
+        const matchedEvidence = [];
+        const missingEvidence = [];
+        for (const evidenceId of evidenceIds) {
+            const globs = evidenceMap[evidenceId] ?? [];
+            const matches = await fg(globs, {
+                dot: true,
+                onlyFiles: true,
+                ignore: ["**/node_modules/**", "**/.git/**", "**/dist/**"]
+            });
+            if (matches.length === 0) {
+                missingEvidence.push(evidenceId);
+            }
+            else {
+                matchedEvidence.push(`${evidenceId}: ${matches[0]}`);
+            }
+        }
+        if (missingEvidence.length > 0) {
+            findings.push({
+                id: "CONTROL_EVIDENCE_MISSING",
+                title: `Required evidence missing for control ${control.id}`,
+                severity: "HIGH",
+                evidence: missingEvidence,
+                requiredActions: [
+                    `Implement or surface evidence for control ${control.id}.`,
+                    "Add or update code, tests, or config so the evidence globs resolve."
+                ]
+            });
+            controls.push({
+                id: control.id,
+                description: control.description,
+                automation: control.automation,
+                frameworks: control.frameworks,
+                status: "missing",
+                details: missingEvidence
+            });
+            continue;
+        }
+        controls.push({
+            id: control.id,
+            description: control.description,
+            automation: control.automation,
+            frameworks: control.frameworks,
+            status: "satisfied",
+            details: matchedEvidence
+        });
+    }
+    return { findings, controls };
+}

package/dist/gate/exceptions.js

@@ -0,0 +1,85 @@
+import { readFile } from "node:fs/promises";
+import { dirname, join, resolve } from "node:path";
+import { fileURLToPath } from "node:url";
+import { z } from "zod";
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const PKG_ROOT = resolve(__dirname, "../..");
+const ExceptionSchema = z.object({
+    id: z.string(),
+    finding_ids: z.array(z.string()).default([]),
+    control_ids: z.array(z.string()).default([]),
+    justification: z.string(),
+    ticket: z.string().optional(),
+    owner: z.string(),
+    approver: z.string(),
+    approval_role: z.string(),
+    expires_on: z.string()
+});
+const ExceptionFileSchema = z.object({
+    version: z.string(),
+    exceptions: z.array(ExceptionSchema).default([])
+});
+async function readExceptionsJson() {
+    const overridePath = process.env["SECURITY_GATE_EXCEPTIONS"];
+    if (overridePath) {
+        return await readFile(join(process.cwd(), overridePath), "utf-8");
+    }
+    try {
+        return await readFile(join(process.cwd(), ".mcp", "exceptions", "security-exceptions.json"), "utf-8");
+    }
+    catch {
+        return await readFile(join(PKG_ROOT, "defaults", "security-exceptions.json"), "utf-8");
+    }
+}
+export async function loadSecurityExceptions() {
+    const raw = await readExceptionsJson();
+    return ExceptionFileSchema.parse(JSON.parse(raw)).exceptions;
+}
+export async function applySecurityExceptions(findings) {
+    const exceptions = await loadSecurityExceptions();
+    const active = [];
+    const suppressed = [];
+    const exceptionFindings = [];
+    const activeControlExceptionIds = new Set();
+    for (const entry of exceptions) {
+        const expiresAt = new Date(entry.expires_on);
+        if (!Number.isNaN(expiresAt.getTime()) && expiresAt.getTime() >= Date.now()) {
+            for (const controlId of entry.control_ids) {
+                activeControlExceptionIds.add(controlId);
+            }
+        }
+    }
+    for (const finding of findings) {
+        const match = exceptions.find((entry) => entry.finding_ids.includes(finding.id));
+        if (!match) {
+            active.push(finding);
+            continue;
+        }
+        const expiresAt = new Date(match.expires_on);
+        if (Number.isNaN(expiresAt.getTime()) || expiresAt.getTime() < Date.now()) {
+            active.push(finding);
+            exceptionFindings.push({
+                id: "SECURITY_EXCEPTION_EXPIRED",
+                title: `Security exception ${match.id} is expired or invalid`,
+                severity: "HIGH",
+                evidence: [`Finding: ${finding.id}`, `Owner: ${match.owner}`, `Expires: ${match.expires_on}`],
+                requiredActions: [
+                    "Renew or remove the expired exception.",
+                    "Resolve the underlying finding or obtain a new approved exception."
+                ]
+            });
+            continue;
+        }
+        suppressed.push({
+            finding,
+            exceptionId: match.id,
+            expiresOn: match.expires_on
+        });
+    }
+    return {
+        findings: active,
+        suppressed,
+        exceptionFindings,
+        activeControlExceptionIds: Array.from(activeControlExceptionIds)
+    };
+}

package/dist/gate/policy.js

@@ -1,4 +1,5 @@
 import { z } from "zod";
+import fg from "fast-glob";
 import { getChangedFiles } from "./diff.js";
 import { detectSurfaces } from "./findings.js";
 import { checkRequiredArtifacts } from "./checks/required-artifacts.js";
@@ -10,7 +11,20 @@ import { checkInfra } from "./checks/infra.js";
 import { checkMobileIos } from "./checks/mobile-ios.js";
 import { checkMobileAndroid } from "./checks/mobile-android.js";
 import { checkAi } from "./checks/ai.js";
+import { checkScannerReadiness } from "./checks/scanners.js";
+import { evaluateEvidenceCoverage } from "./evidence.js";
+import { applySecurityExceptions } from "./exceptions.js";
+import { controlApplies, loadControlCatalog } from "./catalog.js";
 import { readFileSafe } from "../repo/fs.js";
+import { checkGraphQL } from "./checks/graphql.js";
+import { checkKubernetes } from "./checks/k8s.js";
+import { checkDatabase } from "./checks/database.js";
+import { checkCrypto } from "./checks/crypto.js";
+import { checkDlp } from "./checks/dlp.js";
+import { runSbomChecks } from "./checks/sbom.js";
+import { runPlaybookChecks } from "./checks/playbook.js";
+import { runAiRedteamChecks } from "./checks/ai-redteam.js";
+import { runRuntimeChecks } from "./checks/runtime.js";
 const PolicySchema = z.object({
     name: z.string(),
     version: z.string(),
@@ -29,40 +43,198 @@ const PolicySchema = z.object({
     }))
         .default([])
 });
+const SCOPE_IGNORE_GLOBS = ["**/node_modules/**", "**/.git/**", "**/dist/**"];
+const SAFE_SCOPE_TARGET_RE = /^[a-zA-Z0-9_./-]+$/;
+function validateScopeTarget(target) {
+    if (!target || target.includes("..") || target.startsWith("/") || !SAFE_SCOPE_TARGET_RE.test(target)) {
+        throw new Error(`Invalid scope target "${target}". Use a relative file/folder path with alphanumerics, "_", "-", ".", "/".`);
+    }
+}
+function normalizeTargets(targets) {
+    return (targets ?? []).map((t) => t.trim()).filter(Boolean);
+}
+async function resolveScopedFiles(opts) {
+    if (opts.mode === "recent_changes") {
+        return await getChangedFiles({ baseRef: opts.baseRef, headRef: opts.headRef });
+    }
+    const targets = normalizeTargets(opts.targets);
+    if (targets.length === 0) {
+        throw new Error(`Scan mode "${opts.mode}" requires "targets". ` +
+            `Provide one or more relative paths (folders for folder_by_folder, files for file_by_file).`);
+    }
+    for (const target of targets)
+        validateScopeTarget(target);
+    if (opts.mode === "file_by_file") {
+        const files = await fg(targets, {
+            onlyFiles: true,
+            dot: true,
+            ignore: SCOPE_IGNORE_GLOBS
+        });
+        return Array.from(new Set(files)).sort();
+    }
+    const folderGlobs = targets.map((target) => `${target.replace(/\/+$/, "")}/**/*`);
+    const files = await fg(folderGlobs, {
+        onlyFiles: true,
+        dot: true,
+        ignore: SCOPE_IGNORE_GLOBS
+    });
+    return Array.from(new Set(files)).sort();
+}
 export async function loadPolicy(policyPath) {
     const raw = await readFileSafe(policyPath);
     const parsed = JSON.parse(raw);
     return PolicySchema.parse(parsed);
 }
+/**
+ * Classify the change type based on file paths to apply appropriate gate tier.
+ */
+function classifyChangeType(files) {
+    if (files.length === 0)
+        return "general";
+    const allMatch = (pattern) => files.every((f) => pattern.test(f));
+    const anyMatch = (pattern) => files.some((f) => pattern.test(f));
+    if (allMatch(/\.(md|txt|rst)$|\/docs\/|README/i))
+        return "docs";
+    if (anyMatch(/\/payment|\/stripe|\/checkout|\/billing|\/invoice/i))
+        return "payment";
+    if (anyMatch(/\/auth|\/login|\/session|\/token|\/jwt|\/oauth|\/permission/i))
+        return "auth";
+    if (anyMatch(/\.tf$|Dockerfile|\.yaml$|\.yml$|\/k8s\/|\/helm\//))
+        return "infra";
+    if (anyMatch(/\/ai\/|\/llm\/|\/agent\/|\/prompt/i))
+        return "ai";
+    if (allMatch(/\.(json|env|config\..+|toml|yaml|yml)$/))
+        return "config";
+    return "general";
+}
 export async function runPrGate(opts) {
     const policy = await loadPolicy(opts.policyPath);
-    const changedFiles = await getChangedFiles({
+    const mode = opts.mode ?? "recent_changes";
+    const targets = normalizeTargets(opts.targets);
+    const changedFiles = await resolveScopedFiles({
+        mode,
+        targets,
         baseRef: opts.baseRef ?? "origin/main",
         headRef: opts.headRef ?? "HEAD"
     });
+    // Classify the change type to apply appropriate gate tier
+    const changeType = classifyChangeType(changedFiles);
     const surfaces = detectSurfaces(changedFiles);
-    const findings = [
-        // Required artifacts first: threat models/checklists.
-        ...(await checkRequiredArtifacts({ policy, changedFiles })),
-        // Baseline scans / checks
-        ...(await checkSecrets({ changedFiles })),
-        ...(await checkDependencies({ changedFiles })),
-        // Surface-specific checks (only run if that surface is impacted or exists)
-        ...(surfaces.web ? await checkWebNextjs({ changedFiles }) : []),
-        ...(surfaces.api ? await checkApi({ changedFiles }) : []),
-        ...(surfaces.infra ? await checkInfra({ changedFiles }) : []),
-        ...(surfaces.mobileIos ? await checkMobileIos({ changedFiles }) : []),
-        ...(surfaces.mobileAndroid ? await checkMobileAndroid({ changedFiles }) : []),
-        ...(surfaces.ai ? await checkAi({ changedFiles }) : [])
+    const catalog = await loadControlCatalog();
+    const scannerReadiness = await checkScannerReadiness({ surfaces });
+    const evidenceCoverage = await evaluateEvidenceCoverage({ policy, surfaces });
+    let rawFindings;
+    // "docs" tier: only run secrets check to avoid unnecessary overhead
+    if (changeType === "docs") {
+        rawFindings = await checkSecrets({ changedFiles });
+    }
+    else {
+        // Run all independent checks in parallel
+        const checkResults = await Promise.allSettled([
+            checkRequiredArtifacts({ policy, changedFiles }),
+            checkSecrets({ changedFiles }),
+            checkDependencies({ changedFiles }),
+            Promise.resolve(scannerReadiness.findings),
+            Promise.resolve(evidenceCoverage.findings),
+            surfaces.web ? checkWebNextjs({ changedFiles }) : Promise.resolve([]),
+            surfaces.api ? checkApi({ changedFiles }) : Promise.resolve([]),
+            surfaces.infra ? checkInfra({ changedFiles }) : Promise.resolve([]),
+            surfaces.mobileIos ? checkMobileIos({ changedFiles }) : Promise.resolve([]),
+            surfaces.mobileAndroid ? checkMobileAndroid({ changedFiles }) : Promise.resolve([]),
+            surfaces.ai ? checkAi({ changedFiles }) : Promise.resolve([]),
+            checkGraphQL({ changedFiles }),
+            checkKubernetes({ changedFiles }),
+            checkDatabase({ changedFiles }),
+            checkCrypto({ changedFiles }),
+            checkDlp({ changedFiles }),
+            runSbomChecks({ changedFiles, targets }),
+            runPlaybookChecks({ changedFiles, surfaces }),
+            surfaces.ai ? runAiRedteamChecks({ changedFiles }) : Promise.resolve([]),
+            process.env["SECURITY_STAGING_URL"] ? runRuntimeChecks({ targets, changedFiles }) : Promise.resolve([])
+        ]);
+        rawFindings = [];
+        for (const result of checkResults) {
+            if (result.status === "fulfilled") {
+                rawFindings.push(...result.value);
+            }
+            else {
+                console.warn("[policy] Check failed:", result.reason);
+            }
+        }
+    }
+    const toolingCoverage = catalog.controls
+        .filter((control) => control.automation === "tooling" && controlApplies(control, surfaces))
+        .map((control) => {
+        const required = control.required_scanners ?? [];
+        const missing = required.filter((scannerId) => !scannerReadiness.configured.includes(scannerId) || scannerReadiness.missing.includes(scannerId));
+        return {
+            id: control.id,
+            description: control.description,
+            automation: control.automation,
+            frameworks: control.frameworks,
+            status: missing.length > 0 ? "missing" : "satisfied",
+            details: missing.length > 0 ? missing : required
+        };
+    });
+    const controlCoverage = [
+        ...evidenceCoverage.controls.filter((control) => control.automation === "evidence"),
+        ...toolingCoverage
     ];
-    const status = findings.some((f) => f.severity === "HIGH" || f.severity === "CRITICAL")
+    const exceptionResult = await applySecurityExceptions(rawFindings);
+    const controlCoverageWithExceptions = controlCoverage.map((control) => {
+        if (exceptionResult.activeControlExceptionIds.includes(control.id) && control.status === "missing") {
+            return {
+                ...control,
+                status: "risk_accepted",
+                details: [...control.details, "Covered by an active approved control exception."]
+            };
+        }
+        return control;
+    });
+    const findings = [...exceptionResult.findings, ...exceptionResult.exceptionFindings];
+    // Apply risk-based adaptive gating tier overrides
+    let effectiveFindings = findings;
+    if (changeType === "payment") {
+        // Payment changes: treat as prod-equivalent — block on all HIGH+
+        effectiveFindings = findings;
+    }
+    else if (changeType === "auth") {
+        // Auth changes: always block on HIGH+ even in dev
+        effectiveFindings = findings;
+    }
+    const relevantControls = controlCoverageWithExceptions.filter((control) => control.status !== "not_applicable");
+    const satisfiedControls = relevantControls.filter((control) => control.status === "satisfied").length;
+    const riskAcceptedControls = relevantControls.filter((control) => control.status === "risk_accepted").length;
+    const automatedCoverage = relevantControls.length === 0
+        ? 100
+        : Math.round((((satisfiedControls) + (riskAcceptedControls * 0.5)) / relevantControls.length) * 100);
+    const scannerScore = scannerReadiness.configured.length === 0
+        ? 0
+        : Math.round(((scannerReadiness.configured.length - scannerReadiness.missing.length) / scannerReadiness.configured.length) * 100);
+    const confidenceScore = Math.max(0, Math.min(100, Math.round((automatedCoverage * 0.7) + (scannerScore * 0.3))));
+    const missingControls = relevantControls.filter((control) => control.status === "missing").length;
+    const status = effectiveFindings.some((f) => f.severity === "HIGH" || f.severity === "CRITICAL")
         ? "FAIL"
         : "PASS";
     return {
         status,
         policyVersion: policy.version,
         evaluatedAt: new Date().toISOString(),
-        scope: { changedFiles, surfaces },
-        findings
+        scope: { mode, targets, changedFiles, surfaces },
+        findings: effectiveFindings,
+        suppressedFindings: exceptionResult.suppressed,
+        controlCoverage: controlCoverageWithExceptions,
+        scannerReadiness: {
+            configured: scannerReadiness.configured,
+            missing: scannerReadiness.missing
+        },
+        confidence: {
+            score: confidenceScore,
+            automatedCoverage,
+            missingControls,
+            riskAcceptedControls,
+            scannerReadiness: scannerScore,
+            summary: `Automated coverage ${automatedCoverage}%, scanner readiness ${scannerScore}%, missing controls ${missingControls}, risk-accepted controls ${riskAcceptedControls}. Change type: ${changeType}.`
+        }
     };
 }

package/dist/gate/threat-intel.js

@@ -0,0 +1,157 @@
+/**
+ * Threat Intelligence Feed Integration
+ * Fetches CISA KEV and EPSS scores for CVE prioritization.
+ */
+import { mkdir, readFile, writeFile } from "node:fs/promises";
+import { join } from "node:path";
+const CISA_KEV_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json";
+const EPSS_API_BASE = "https://api.first.org/data/v1/epss";
+const CACHE_TTL_MS = 24 * 60 * 60 * 1000; // 24 hours
+async function ensureDir(dir) {
+    try {
+        await mkdir(dir, { recursive: true });
+    }
+    catch {
+        // ignore
+    }
+}
+async function readCacheJson(cachePath) {
+    try {
+        const raw = await readFile(cachePath, "utf-8");
+        const parsed = JSON.parse(raw);
+        if (Date.now() - parsed.ts < CACHE_TTL_MS) {
+            return parsed.data;
+        }
+    }
+    catch {
+        // cache miss or corrupt
+    }
+    return null;
+}
+async function writeCacheJson(cachePath, data) {
+    try {
+        await writeFile(cachePath, JSON.stringify({ ts: Date.now(), data }, null, 2), "utf-8");
+    }
+    catch {
+        // best-effort cache write
+    }
+}
+async function fetchWithTimeout(url, timeoutMs = 10_000) {
+    const controller = new AbortController();
+    const timer = setTimeout(() => controller.abort(), timeoutMs);
+    try {
+        const res = await fetch(url, { signal: controller.signal });
+        return res;
+    }
+    finally {
+        clearTimeout(timer);
+    }
+}
+/**
+ * Fetches the CISA Known Exploited Vulnerabilities catalog.
+ * Returns a Set of CVE IDs. Returns empty set on failure.
+ */
+export async function fetchCisaKev(cacheDir) {
+    await ensureDir(cacheDir);
+    const cachePath = join(cacheDir, "cisa-kev.json");
+    const cached = await readCacheJson(cachePath);
+    if (cached)
+        return new Set(cached);
+    try {
+        const res = await fetchWithTimeout(CISA_KEV_URL, 10_000);
+        if (!res.ok) {
+            console.warn(`[threat-intel] CISA KEV fetch failed: HTTP ${res.status}`);
+            return new Set();
+        }
+        const json = (await res.json());
+        const vulns = Array.isArray(json?.vulnerabilities)
+            ? json.vulnerabilities
+                .map((v) => v.cveID ?? "")
+                .filter(Boolean)
+            : [];
+        await writeCacheJson(cachePath, vulns);
+        return new Set(vulns);
+    }
+    catch (err) {
+        console.warn(`[threat-intel] CISA KEV fetch error: ${String(err)}`);
+        return new Set();
+    }
+}
+/**
+ * Fetches EPSS scores for a list of CVE IDs.
+ * Batches up to 100 CVEs per request. Returns a Map of CVE → score.
+ */
+export async function fetchEpssScores(cveIds, cacheDir) {
+    if (cveIds.length === 0)
+        return new Map();
+    await ensureDir(join(cacheDir, "epss"));
+    const result = new Map();
+    const today = new Date().toISOString().slice(0, 10);
+    const cachePath = join(cacheDir, "epss", `${today}.json`);
+    const cached = await readCacheJson(cachePath);
+    const cachedMap = cached ? new Map(Object.entries(cached)) : new Map();
+    const needed = cveIds.filter((id) => !cachedMap.has(id));
+    for (const [k, v] of cachedMap)
+        result.set(k, v);
+    if (needed.length === 0)
+        return result;
+    // Batch in chunks of 100
+    for (let i = 0; i < needed.length; i += 100) {
+        const chunk = needed.slice(i, i + 100);
+        const url = `${EPSS_API_BASE}?cve=${chunk.join(",")}`;
+        let retried = false;
+        while (true) {
+            try {
+                const res = await fetchWithTimeout(url, 10_000);
+                if (res.status === 429 && !retried) {
+                    retried = true;
+                    await new Promise((r) => setTimeout(r, 2000));
+                    continue;
+                }
+                if (!res.ok)
+                    break;
+                const json = (await res.json());
+                if (Array.isArray(json?.data)) {
+                    for (const item of json.data) {
+                        if (item.cve && item.epss !== undefined) {
+                            result.set(item.cve, parseFloat(item.epss));
+                        }
+                    }
+                }
+                break;
+            }
+            catch {
+                break;
+            }
+        }
+    }
+    // Persist updated cache
+    const mergedCache = {};
+    for (const [k, v] of result)
+        mergedCache[k] = v;
+    await writeCacheJson(cachePath, mergedCache);
+    return result;
+}
+/**
+ * Main entry point: check CVEs against KEV and EPSS.
+ */
+export async function checkActiveExploitation(cveIds, cacheDir) {
+    if (cveIds.length === 0) {
+        return { kevMatches: [], highEpss: [], failed: false };
+    }
+    try {
+        const [kevSet, epssMap] = await Promise.all([
+            fetchCisaKev(cacheDir),
+            fetchEpssScores(cveIds, cacheDir)
+        ]);
+        const kevMatches = cveIds.filter((id) => kevSet.has(id));
+        const highEpss = cveIds
+            .map((cve) => ({ cve, score: epssMap.get(cve) ?? 0 }))
+            .filter((e) => e.score > 0.5);
+        return { kevMatches, highEpss, failed: false };
+    }
+    catch (err) {
+        console.warn(`[threat-intel] checkActiveExploitation failed: ${String(err)}`);
+        return { kevMatches: [], highEpss: [], failed: true };
+    }
+}