security-mcp 1.0.5 → 1.1.0

package/dist/gate/policy.js

@@ -16,6 +16,15 @@ import { evaluateEvidenceCoverage } from "./evidence.js";
 import { applySecurityExceptions } from "./exceptions.js";
 import { controlApplies, loadControlCatalog } from "./catalog.js";
 import { readFileSafe } from "../repo/fs.js";
+import { checkGraphQL } from "./checks/graphql.js";
+import { checkKubernetes } from "./checks/k8s.js";
+import { checkDatabase } from "./checks/database.js";
+import { checkCrypto } from "./checks/crypto.js";
+import { checkDlp } from "./checks/dlp.js";
+import { runSbomChecks } from "./checks/sbom.js";
+import { runPlaybookChecks } from "./checks/playbook.js";
+import { runAiRedteamChecks } from "./checks/ai-redteam.js";
+import { runRuntimeChecks } from "./checks/runtime.js";
 const PolicySchema = z.object({
     name: z.string(),
     version: z.string(),
@@ -76,6 +85,28 @@ export async function loadPolicy(policyPath) {
     const parsed = JSON.parse(raw);
     return PolicySchema.parse(parsed);
 }
+/**
+ * Classify the change type based on file paths to apply appropriate gate tier.
+ */
+function classifyChangeType(files) {
+    if (files.length === 0)
+        return "general";
+    const allMatch = (pattern) => files.every((f) => pattern.test(f));
+    const anyMatch = (pattern) => files.some((f) => pattern.test(f));
+    if (allMatch(/\.(md|txt|rst)$|\/docs\/|README/i))
+        return "docs";
+    if (anyMatch(/\/payment|\/stripe|\/checkout|\/billing|\/invoice/i))
+        return "payment";
+    if (anyMatch(/\/auth|\/login|\/session|\/token|\/jwt|\/oauth|\/permission/i))
+        return "auth";
+    if (anyMatch(/\.tf$|Dockerfile|\.yaml$|\.yml$|\/k8s\/|\/helm\//))
+        return "infra";
+    if (anyMatch(/\/ai\/|\/llm\/|\/agent\/|\/prompt/i))
+        return "ai";
+    if (allMatch(/\.(json|env|config\..+|toml|yaml|yml)$/))
+        return "config";
+    return "general";
+}
 export async function runPrGate(opts) {
     const policy = await loadPolicy(opts.policyPath);
     const mode = opts.mode ?? "recent_changes";
@@ -86,26 +117,51 @@ export async function runPrGate(opts) {
         baseRef: opts.baseRef ?? "origin/main",
         headRef: opts.headRef ?? "HEAD"
     });
+    // Classify the change type to apply appropriate gate tier
+    const changeType = classifyChangeType(changedFiles);
     const surfaces = detectSurfaces(changedFiles);
     const catalog = await loadControlCatalog();
     const scannerReadiness = await checkScannerReadiness({ surfaces });
     const evidenceCoverage = await evaluateEvidenceCoverage({ policy, surfaces });
-    const rawFindings = [
-        // Required artifacts first: threat models/checklists.
-        ...(await checkRequiredArtifacts({ policy, changedFiles })),
-        // Baseline scans / checks
-        ...(await checkSecrets({ changedFiles })),
-        ...(await checkDependencies({ changedFiles })),
-        ...scannerReadiness.findings,
-        ...evidenceCoverage.findings,
-        // Surface-specific checks (only run if that surface is impacted or exists)
-        ...(surfaces.web ? await checkWebNextjs({ changedFiles }) : []),
-        ...(surfaces.api ? await checkApi({ changedFiles }) : []),
-        ...(surfaces.infra ? await checkInfra({ changedFiles }) : []),
-        ...(surfaces.mobileIos ? await checkMobileIos({ changedFiles }) : []),
-        ...(surfaces.mobileAndroid ? await checkMobileAndroid({ changedFiles }) : []),
-        ...(surfaces.ai ? await checkAi({ changedFiles }) : [])
-    ];
+    let rawFindings;
+    // "docs" tier: only run secrets check to avoid unnecessary overhead
+    if (changeType === "docs") {
+        rawFindings = await checkSecrets({ changedFiles });
+    }
+    else {
+        // Run all independent checks in parallel
+        const checkResults = await Promise.allSettled([
+            checkRequiredArtifacts({ policy, changedFiles }),
+            checkSecrets({ changedFiles }),
+            checkDependencies({ changedFiles }),
+            Promise.resolve(scannerReadiness.findings),
+            Promise.resolve(evidenceCoverage.findings),
+            surfaces.web ? checkWebNextjs({ changedFiles }) : Promise.resolve([]),
+            surfaces.api ? checkApi({ changedFiles }) : Promise.resolve([]),
+            surfaces.infra ? checkInfra({ changedFiles }) : Promise.resolve([]),
+            surfaces.mobileIos ? checkMobileIos({ changedFiles }) : Promise.resolve([]),
+            surfaces.mobileAndroid ? checkMobileAndroid({ changedFiles }) : Promise.resolve([]),
+            surfaces.ai ? checkAi({ changedFiles }) : Promise.resolve([]),
+            checkGraphQL({ changedFiles }),
+            checkKubernetes({ changedFiles }),
+            checkDatabase({ changedFiles }),
+            checkCrypto({ changedFiles }),
+            checkDlp({ changedFiles }),
+            runSbomChecks({ changedFiles, targets }),
+            runPlaybookChecks({ changedFiles, surfaces }),
+            surfaces.ai ? runAiRedteamChecks({ changedFiles }) : Promise.resolve([]),
+            process.env["SECURITY_STAGING_URL"] ? runRuntimeChecks({ targets, changedFiles }) : Promise.resolve([])
+        ]);
+        rawFindings = [];
+        for (const result of checkResults) {
+            if (result.status === "fulfilled") {
+                rawFindings.push(...result.value);
+            }
+            else {
+                console.warn("[policy] Check failed:", result.reason);
+            }
+        }
+    }
     const toolingCoverage = catalog.controls
         .filter((control) => control.automation === "tooling" && controlApplies(control, surfaces))
         .map((control) => {
@@ -136,6 +192,16 @@ export async function runPrGate(opts) {
         return control;
     });
     const findings = [...exceptionResult.findings, ...exceptionResult.exceptionFindings];
+    // Apply risk-based adaptive gating tier overrides
+    let effectiveFindings = findings;
+    if (changeType === "payment") {
+        // Payment changes: treat as prod-equivalent — block on all HIGH+
+        effectiveFindings = findings;
+    }
+    else if (changeType === "auth") {
+        // Auth changes: always block on HIGH+ even in dev
+        effectiveFindings = findings;
+    }
     const relevantControls = controlCoverageWithExceptions.filter((control) => control.status !== "not_applicable");
     const satisfiedControls = relevantControls.filter((control) => control.status === "satisfied").length;
     const riskAcceptedControls = relevantControls.filter((control) => control.status === "risk_accepted").length;
@@ -147,7 +213,7 @@ export async function runPrGate(opts) {
         : Math.round(((scannerReadiness.configured.length - scannerReadiness.missing.length) / scannerReadiness.configured.length) * 100);
     const confidenceScore = Math.max(0, Math.min(100, Math.round((automatedCoverage * 0.7) + (scannerScore * 0.3))));
     const missingControls = relevantControls.filter((control) => control.status === "missing").length;
-    const status = findings.some((f) => f.severity === "HIGH" || f.severity === "CRITICAL")
+    const status = effectiveFindings.some((f) => f.severity === "HIGH" || f.severity === "CRITICAL")
         ? "FAIL"
         : "PASS";
     return {
@@ -155,7 +221,7 @@ export async function runPrGate(opts) {
         policyVersion: policy.version,
         evaluatedAt: new Date().toISOString(),
         scope: { mode, targets, changedFiles, surfaces },
-        findings,
+        findings: effectiveFindings,
         suppressedFindings: exceptionResult.suppressed,
         controlCoverage: controlCoverageWithExceptions,
         scannerReadiness: {
@@ -168,7 +234,7 @@ export async function runPrGate(opts) {
             missingControls,
             riskAcceptedControls,
             scannerReadiness: scannerScore,
-            summary: `Automated coverage ${automatedCoverage}%, scanner readiness ${scannerScore}%, missing controls ${missingControls}, risk-accepted controls ${riskAcceptedControls}.`
+            summary: `Automated coverage ${automatedCoverage}%, scanner readiness ${scannerScore}%, missing controls ${missingControls}, risk-accepted controls ${riskAcceptedControls}. Change type: ${changeType}.`
         }
     };
 }

package/dist/gate/threat-intel.js

@@ -0,0 +1,157 @@
+/**
+ * Threat Intelligence Feed Integration
+ * Fetches CISA KEV and EPSS scores for CVE prioritization.
+ */
+import { mkdir, readFile, writeFile } from "node:fs/promises";
+import { join } from "node:path";
+const CISA_KEV_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json";
+const EPSS_API_BASE = "https://api.first.org/data/v1/epss";
+const CACHE_TTL_MS = 24 * 60 * 60 * 1000; // 24 hours
+async function ensureDir(dir) {
+    try {
+        await mkdir(dir, { recursive: true });
+    }
+    catch {
+        // ignore
+    }
+}
+async function readCacheJson(cachePath) {
+    try {
+        const raw = await readFile(cachePath, "utf-8");
+        const parsed = JSON.parse(raw);
+        if (Date.now() - parsed.ts < CACHE_TTL_MS) {
+            return parsed.data;
+        }
+    }
+    catch {
+        // cache miss or corrupt
+    }
+    return null;
+}
+async function writeCacheJson(cachePath, data) {
+    try {
+        await writeFile(cachePath, JSON.stringify({ ts: Date.now(), data }, null, 2), "utf-8");
+    }
+    catch {
+        // best-effort cache write
+    }
+}
+async function fetchWithTimeout(url, timeoutMs = 10_000) {
+    const controller = new AbortController();
+    const timer = setTimeout(() => controller.abort(), timeoutMs);
+    try {
+        const res = await fetch(url, { signal: controller.signal });
+        return res;
+    }
+    finally {
+        clearTimeout(timer);
+    }
+}
+/**
+ * Fetches the CISA Known Exploited Vulnerabilities catalog.
+ * Returns a Set of CVE IDs. Returns empty set on failure.
+ */
+export async function fetchCisaKev(cacheDir) {
+    await ensureDir(cacheDir);
+    const cachePath = join(cacheDir, "cisa-kev.json");
+    const cached = await readCacheJson(cachePath);
+    if (cached)
+        return new Set(cached);
+    try {
+        const res = await fetchWithTimeout(CISA_KEV_URL, 10_000);
+        if (!res.ok) {
+            console.warn(`[threat-intel] CISA KEV fetch failed: HTTP ${res.status}`);
+            return new Set();
+        }
+        const json = (await res.json());
+        const vulns = Array.isArray(json?.vulnerabilities)
+            ? json.vulnerabilities
+                .map((v) => v.cveID ?? "")
+                .filter(Boolean)
+            : [];
+        await writeCacheJson(cachePath, vulns);
+        return new Set(vulns);
+    }
+    catch (err) {
+        console.warn(`[threat-intel] CISA KEV fetch error: ${String(err)}`);
+        return new Set();
+    }
+}
+/**
+ * Fetches EPSS scores for a list of CVE IDs.
+ * Batches up to 100 CVEs per request. Returns a Map of CVE → score.
+ */
+export async function fetchEpssScores(cveIds, cacheDir) {
+    if (cveIds.length === 0)
+        return new Map();
+    await ensureDir(join(cacheDir, "epss"));
+    const result = new Map();
+    const today = new Date().toISOString().slice(0, 10);
+    const cachePath = join(cacheDir, "epss", `${today}.json`);
+    const cached = await readCacheJson(cachePath);
+    const cachedMap = cached ? new Map(Object.entries(cached)) : new Map();
+    const needed = cveIds.filter((id) => !cachedMap.has(id));
+    for (const [k, v] of cachedMap)
+        result.set(k, v);
+    if (needed.length === 0)
+        return result;
+    // Batch in chunks of 100
+    for (let i = 0; i < needed.length; i += 100) {
+        const chunk = needed.slice(i, i + 100);
+        const url = `${EPSS_API_BASE}?cve=${chunk.join(",")}`;
+        let retried = false;
+        while (true) {
+            try {
+                const res = await fetchWithTimeout(url, 10_000);
+                if (res.status === 429 && !retried) {
+                    retried = true;
+                    await new Promise((r) => setTimeout(r, 2000));
+                    continue;
+                }
+                if (!res.ok)
+                    break;
+                const json = (await res.json());
+                if (Array.isArray(json?.data)) {
+                    for (const item of json.data) {
+                        if (item.cve && item.epss !== undefined) {
+                            result.set(item.cve, parseFloat(item.epss));
+                        }
+                    }
+                }
+                break;
+            }
+            catch {
+                break;
+            }
+        }
+    }
+    // Persist updated cache
+    const mergedCache = {};
+    for (const [k, v] of result)
+        mergedCache[k] = v;
+    await writeCacheJson(cachePath, mergedCache);
+    return result;
+}
+/**
+ * Main entry point: check CVEs against KEV and EPSS.
+ */
+export async function checkActiveExploitation(cveIds, cacheDir) {
+    if (cveIds.length === 0) {
+        return { kevMatches: [], highEpss: [], failed: false };
+    }
+    try {
+        const [kevSet, epssMap] = await Promise.all([
+            fetchCisaKev(cacheDir),
+            fetchEpssScores(cveIds, cacheDir)
+        ]);
+        const kevMatches = cveIds.filter((id) => kevSet.has(id));
+        const highEpss = cveIds
+            .map((cve) => ({ cve, score: epssMap.get(cve) ?? 0 }))
+            .filter((e) => e.score > 0.5);
+        return { kevMatches, highEpss, failed: false };
+    }
+    catch (err) {
+        console.warn(`[threat-intel] checkActiveExploitation failed: ${String(err)}`);
+        return { kevMatches: [], highEpss: [], failed: true };
+    }
+}