security-mcp 1.0.5 → 1.1.1

package/dist/gate/checks/api.js

@@ -42,5 +42,98 @@ export async function checkApi(_) {
             ]
         });
     }
+    // Multi-tenancy isolation checks
+    // 1. Tenant ID from user input
+    const tenantIdInputHits = await searchRepo({
+        query: String.raw `tenantId\s*[:=]\s*(?:req\.(?:query|params|body)|request\.(?:query|params|body))`,
+        isRegex: true,
+        maxMatches: 200
+    });
+    if (tenantIdInputHits.length > 0) {
+        findings.push({
+            id: "API_TENANT_ID_FROM_INPUT",
+            title: "Tenant ID sourced from user-controlled input — insecure direct tenant access",
+            severity: "CRITICAL",
+            evidence: tenantIdInputHits.slice(0, 10).map((m) => `${m.file}:${m.line}:${m.preview}`),
+            files: [...new Set(tenantIdInputHits.slice(0, 10).map((m) => m.file))],
+            requiredActions: [
+                "Tenant ID must come from the authenticated session/JWT claims, never from user-controlled input.",
+                "Validate that the tenant ID matches the authenticated user's tenant on every request."
+            ]
+        });
+    }
+    // 2. Missing tenant filter in DB queries (heuristic)
+    const ormQueryHits = await searchRepo({
+        query: String.raw `findAll|findMany|find\(|query\(|select\(`,
+        isRegex: true,
+        maxMatches: 200
+    });
+    const tenantScopeHits = await searchRepo({
+        query: String.raw `tenantId|tenant_id|organizationId|orgId`,
+        isRegex: true,
+        maxMatches: 200
+    });
+    if (ormQueryHits.length > 0 && tenantScopeHits.length === 0) {
+        findings.push({
+            id: "API_MISSING_TENANT_SCOPE",
+            title: "ORM queries found without tenant scoping — possible multi-tenant data leakage",
+            severity: "HIGH",
+            evidence: ormQueryHits.slice(0, 10).map((m) => `${m.file}:${m.line}:${m.preview}`),
+            files: [...new Set(ormQueryHits.slice(0, 10).map((m) => m.file))],
+            requiredActions: [
+                "All database queries in multi-tenant systems must include a tenantId/organizationId filter.",
+                "Add tenant-scoped base repository or middleware to enforce tenant isolation automatically."
+            ]
+        });
+    }
+    // 3. Shared Redis cache without tenant namespacing
+    const cacheGetHits = await searchRepo({
+        query: String.raw `cache\.get\s*\(["'][^'"]*["']`,
+        isRegex: true,
+        maxMatches: 200
+    });
+    const redisGetHits = await searchRepo({
+        query: String.raw `redis\.get\s*\(`,
+        isRegex: true,
+        maxMatches: 200
+    });
+    const tenantKeyHits = await searchRepo({
+        query: String.raw `tenantId|tenant:|orgId|userId:`,
+        isRegex: true,
+        maxMatches: 200
+    });
+    const allCacheHits = [...cacheGetHits, ...redisGetHits];
+    if (allCacheHits.length > 0 && tenantKeyHits.length === 0) {
+        findings.push({
+            id: "API_CACHE_NOT_TENANT_SCOPED",
+            title: "Cache operations found without tenant-namespaced keys",
+            severity: "HIGH",
+            evidence: allCacheHits.slice(0, 10).map((m) => `${m.file}:${m.line}:${m.preview}`),
+            files: [...new Set(allCacheHits.slice(0, 10).map((m) => m.file))],
+            requiredActions: [
+                "Prefix all cache keys with tenant ID (e.g. tenant:{id}:resource:{id}).",
+                "Never use bare resource IDs as cache keys in multi-tenant systems."
+            ]
+        });
+    }
+    // 4. Cross-tenant file access
+    const fileInputHits = await searchRepo({
+        query: String.raw `(?:readFile|writeFile|createReadStream)\s*\([^)]*(?:req\.|params\.|query\.|body\.)`,
+        isRegex: true,
+        maxMatches: 200
+    });
+    if (fileInputHits.length > 0) {
+        findings.push({
+            id: "API_FILE_PATH_FROM_INPUT",
+            title: "File operation with user-supplied path — path traversal and cross-tenant access risk",
+            severity: "CRITICAL",
+            evidence: fileInputHits.slice(0, 10).map((m) => `${m.file}:${m.line}:${m.preview}`),
+            files: [...new Set(fileInputHits.slice(0, 10).map((m) => m.file))],
+            requiredActions: [
+                "Never use user-supplied paths for file operations.",
+                "Validate paths against an allowlist of permitted paths; use a content-addressed storage key instead."
+            ]
+        });
+    }
     return findings;
 }

package/dist/gate/checks/crypto.js

@@ -0,0 +1,153 @@
+import { searchRepo } from "../../repo/search.js";
+export async function checkCrypto(_opts) {
+    const findings = [];
+    try {
+        // 1. Weak hash algorithms
+        const weakHashHits = await searchRepo({
+            query: String.raw `createHash\s*\(\s*['"](?:md5|sha1|sha-1)['"]\s*\)|hashlib\.md5|hashlib\.sha1|DigestUtils\.md5`,
+            isRegex: true,
+            maxMatches: 200
+        });
+        if (weakHashHits.length > 0) {
+            findings.push({
+                id: "CRYPTO_WEAK_HASH",
+                title: "Weak hash algorithm (MD5/SHA-1) detected",
+                severity: "HIGH",
+                evidence: weakHashHits.slice(0, 10).map((m) => `${m.file}:${m.line}:${m.preview}`),
+                files: [...new Set(weakHashHits.slice(0, 10).map((m) => m.file))],
+                requiredActions: [
+                    "Use SHA-256 minimum (SHA-3 recommended for new code).",
+                    "MD5/SHA-1 are broken for security purposes (NIST SP 800-131A Rev 2)."
+                ]
+            });
+        }
+        // 2. Weak symmetric ciphers
+        const weakCipherHits = await searchRepo({
+            query: String.raw `createCipheriv\s*\(\s*['"](?:des|rc4|rc2|blowfish|3des|des-ede)['"]\)|Cipher\.getInstance\(['"](?:DES|RC4|RC2|Blowfish)['"]`,
+            isRegex: true,
+            maxMatches: 200
+        });
+        if (weakCipherHits.length > 0) {
+            findings.push({
+                id: "CRYPTO_WEAK_CIPHER",
+                title: "Weak symmetric cipher (DES/RC4/3DES) detected",
+                severity: "CRITICAL",
+                evidence: weakCipherHits.slice(0, 10).map((m) => `${m.file}:${m.line}:${m.preview}`),
+                files: [...new Set(weakCipherHits.slice(0, 10).map((m) => m.file))],
+                requiredActions: [
+                    "Use AES-256-GCM for symmetric encryption.",
+                    "DES/RC4/3DES are prohibited by NIST SP 800-131A Rev 2."
+                ]
+            });
+        }
+        // 3. Insecure random for security use
+        const insecureRandomHits = await searchRepo({
+            query: String.raw `Math\.random\(\)|random\.random\(\)|rand\(\)|srand\(`,
+            isRegex: true,
+            maxMatches: 200
+        });
+        const securityContextRe = /token|key|secret|password|nonce|salt|csrf|session/i;
+        const insecureSecRandom = insecureRandomHits.filter((m) => securityContextRe.test(m.preview));
+        if (insecureSecRandom.length > 0) {
+            findings.push({
+                id: "CRYPTO_INSECURE_RANDOM",
+                title: "Non-cryptographic random used in security-sensitive context",
+                severity: "HIGH",
+                evidence: insecureSecRandom.slice(0, 10).map((m) => `${m.file}:${m.line}:${m.preview}`),
+                files: [...new Set(insecureSecRandom.slice(0, 10).map((m) => m.file))],
+                requiredActions: [
+                    "Use crypto.randomBytes() (Node.js) for security-sensitive randomness.",
+                    "Math.random() is not cryptographically secure and must never be used for tokens, keys, or nonces."
+                ]
+            });
+        }
+        // 4. Weak JWT algorithm
+        const weakJwtHits = await searchRepo({
+            query: String.raw `algorithm\s*[:=]\s*['"]HS(?:256|384|512)['"]|sign\(.*['"]HS256['"]`,
+            isRegex: true,
+            maxMatches: 200
+        });
+        if (weakJwtHits.length > 0) {
+            findings.push({
+                id: "CRYPTO_WEAK_JWT_ALGO",
+                title: "HS256/HS384/HS512 JWT algorithm detected — symmetric key shared with all verifiers",
+                severity: "HIGH",
+                evidence: weakJwtHits.slice(0, 10).map((m) => `${m.file}:${m.line}:${m.preview}`),
+                files: [...new Set(weakJwtHits.slice(0, 10).map((m) => m.file))],
+                requiredActions: [
+                    "Use RS256 or ES256 for stateless JWTs.",
+                    "HS256 requires sharing the secret with every verifier — use asymmetric algorithms instead."
+                ]
+            });
+        }
+        // 5. Low PBKDF2 iterations
+        const pbkdf2Hits = await searchRepo({
+            query: String.raw `pbkdf2(?:Sync)?\s*\(`,
+            isRegex: true,
+            maxMatches: 200
+        });
+        // Check for numeric iteration counts in the context
+        for (const hit of pbkdf2Hits) {
+            const iterMatch = /pbkdf2(?:Sync)?\s*\([^)]*?,\s*[^,]+,\s*(\d+)/.exec(hit.preview);
+            if (iterMatch) {
+                const iters = parseInt(iterMatch[1], 10);
+                if (iters < 600000) {
+                    findings.push({
+                        id: "CRYPTO_LOW_PBKDF2_ITERATIONS",
+                        title: `PBKDF2 iteration count too low (${iters} < 600,000)`,
+                        severity: "HIGH",
+                        evidence: [`${hit.file}:${hit.line}:${hit.preview}`],
+                        files: [hit.file],
+                        requiredActions: [
+                            "Use ≥ 600,000 iterations for PBKDF2-SHA256 (OWASP 2023 recommendation).",
+                            "Prefer bcrypt (cost ≥ 12) or Argon2id instead."
+                        ]
+                    });
+                    break;
+                }
+            }
+        }
+        // 6. Hardcoded IV/nonce
+        const hardcodedIvHits = await searchRepo({
+            query: String.raw `iv\s*[:=]\s*(?:Buffer\.from\(['"][0-9a-fA-F]+['"]\)|['"][0-9a-fA-F]{16,}['"])`,
+            isRegex: true,
+            maxMatches: 200
+        });
+        if (hardcodedIvHits.length > 0) {
+            findings.push({
+                id: "CRYPTO_HARDCODED_IV",
+                title: "Hardcoded IV/nonce detected in cryptographic operation",
+                severity: "CRITICAL",
+                evidence: hardcodedIvHits.slice(0, 10).map((m) => `${m.file}:${m.line}:${m.preview}`),
+                files: [...new Set(hardcodedIvHits.slice(0, 10).map((m) => m.file))],
+                requiredActions: [
+                    "Always generate a random IV/nonce using crypto.randomBytes(16) for AES-CBC.",
+                    "Use a 12-byte nonce for AES-GCM; never reuse IVs."
+                ]
+            });
+        }
+        // 7. ECB mode
+        const ecbModeHits = await searchRepo({
+            query: String.raw `createCipheriv\s*\(\s*['"][^'"]*-ecb['"]|AES\/ECB|Cipher\.getInstance\(['"][^'"]*ECB['"]`,
+            isRegex: true,
+            maxMatches: 200
+        });
+        if (ecbModeHits.length > 0) {
+            findings.push({
+                id: "CRYPTO_ECB_MODE",
+                title: "ECB cipher mode detected — leaks plaintext patterns",
+                severity: "CRITICAL",
+                evidence: ecbModeHits.slice(0, 10).map((m) => `${m.file}:${m.line}:${m.preview}`),
+                files: [...new Set(ecbModeHits.slice(0, 10).map((m) => m.file))],
+                requiredActions: [
+                    "Replace ECB mode with AES-256-GCM (authenticated encryption).",
+                    "ECB mode leaks plaintext patterns because identical blocks produce identical ciphertext."
+                ]
+            });
+        }
+    }
+    catch (err) {
+        console.warn("[checkCrypto] Internal error:", err instanceof Error ? err.message : String(err));
+    }
+    return findings;
+}

package/dist/gate/checks/database.js

@@ -0,0 +1,144 @@
+import { searchRepo } from "../../repo/search.js";
+export async function checkDatabase(_opts) {
+    const findings = [];
+    try {
+        // 1. SSL/TLS disabled in connection strings
+        const tlsDisabledHits = await searchRepo({
+            query: String.raw `sslmode=disable|ssl=false|ssl:\s*false|useSSL=false|TrustServerCertificate=true`,
+            isRegex: true,
+            maxMatches: 200
+        });
+        if (tlsDisabledHits.length > 0) {
+            findings.push({
+                id: "DB_TLS_DISABLED",
+                title: "Database connection with TLS/SSL disabled detected",
+                severity: "CRITICAL",
+                evidence: tlsDisabledHits.slice(0, 10).map((m) => `${m.file}:${m.line}:${m.preview}`),
+                files: [...new Set(tlsDisabledHits.slice(0, 10).map((m) => m.file))],
+                requiredActions: [
+                    "Always use sslmode=require or sslmode=verify-full for PostgreSQL.",
+                    "Never disable TLS for database connections — transmits credentials and data in plaintext."
+                ]
+            });
+        }
+        // 2. Root/admin credentials in connection strings
+        const adminCredHits = await searchRepo({
+            query: String.raw `postgresql://root:|mysql://root:|mongodb://admin:|mongodb://root:|postgres://postgres:|//sa:`,
+            isRegex: true,
+            maxMatches: 200
+        });
+        if (adminCredHits.length > 0) {
+            findings.push({
+                id: "DB_ADMIN_CREDENTIALS",
+                title: "Root/admin database credentials detected in connection strings",
+                severity: "CRITICAL",
+                evidence: adminCredHits.slice(0, 10).map((m) => `${m.file}:${m.line}:${m.preview}`),
+                files: [...new Set(adminCredHits.slice(0, 10).map((m) => m.file))],
+                requiredActions: [
+                    "Create a least-privilege DB user scoped to only required tables and operations.",
+                    "Never use root/admin/sa/postgres superuser credentials in application code."
+                ]
+            });
+        }
+        // 3. Plaintext credentials in ORM config
+        const hardcodedPwdHits = await searchRepo({
+            query: String.raw `password\s*[:=]\s*["'][^"'\n]{6,}["']`,
+            isRegex: true,
+            maxMatches: 200
+        });
+        // Filter for hits near ORM/DB keywords
+        const ormKeywordRe = /database|db|sequelize|typeorm|prisma|mongoose|knex/i;
+        const ormPwdHits = hardcodedPwdHits.filter((m) => ormKeywordRe.test(m.preview));
+        if (ormPwdHits.length > 0) {
+            findings.push({
+                id: "DB_HARDCODED_PASSWORD",
+                title: "Hardcoded database password detected in ORM/DB configuration",
+                severity: "CRITICAL",
+                evidence: ormPwdHits.slice(0, 10).map((m) => `${m.file}:${m.line}:${m.preview}`),
+                files: [...new Set(ormPwdHits.slice(0, 10).map((m) => m.file))],
+                requiredActions: [
+                    "Move database credentials to environment variables or a secrets manager.",
+                    "Never hardcode passwords in source code."
+                ]
+            });
+        }
+        // 4. No connection pool limits
+        const poolInitHits = await searchRepo({
+            query: String.raw `new Pool|createPool|new Sequelize|DataSource\(|createConnection`,
+            isRegex: true,
+            maxMatches: 200
+        });
+        const poolLimitHits = await searchRepo({
+            query: String.raw `max:|pool_size|poolSize|connectionLimit`,
+            isRegex: true,
+            maxMatches: 200
+        });
+        if (poolInitHits.length > 0 && poolLimitHits.length === 0) {
+            findings.push({
+                id: "DB_NO_POOL_LIMITS",
+                title: "Database connection pool initialized without explicit limits",
+                severity: "MEDIUM",
+                evidence: poolInitHits.slice(0, 10).map((m) => `${m.file}:${m.line}:${m.preview}`),
+                files: [...new Set(poolInitHits.slice(0, 10).map((m) => m.file))],
+                requiredActions: [
+                    "Set connection pool limits (max, min) to prevent resource exhaustion.",
+                    "Unbounded pools can crash the database under load or be exploited for DoS."
+                ]
+            });
+        }
+        // 5. Backup encryption not configured
+        const backupHits = await searchRepo({
+            query: String.raw `backup_retention|automated_backups|backup_window`,
+            isRegex: true,
+            maxMatches: 200
+        });
+        const encryptionHits = await searchRepo({
+            query: String.raw `encrypted|kms_key`,
+            isRegex: true,
+            maxMatches: 200
+        });
+        if (backupHits.length > 0 && encryptionHits.length === 0) {
+            findings.push({
+                id: "DB_BACKUP_NOT_ENCRYPTED",
+                title: "Database backup configured without encryption",
+                severity: "HIGH",
+                evidence: backupHits.slice(0, 10).map((m) => `${m.file}:${m.line}:${m.preview}`),
+                files: [...new Set(backupHits.slice(0, 10).map((m) => m.file))],
+                requiredActions: [
+                    "Enable backup encryption with a KMS key.",
+                    "Unencrypted backups expose all data if storage is compromised."
+                ]
+            });
+        }
+        // 6. SQL string concatenation (SQLi risk)
+        const sqliHits = await searchRepo({
+            query: String.raw `["']\s*\+\s*(?:req\.|params\.|query\.|body\.|user\.|input\.)`,
+            isRegex: true,
+            maxMatches: 200
+        });
+        // Also check for template literal injection
+        const sqliTemplateHits = await searchRepo({
+            query: String.raw `\$\{.*(?:req\.|params\.|query\.|body\.)[^}]*\}`,
+            isRegex: true,
+            maxMatches: 200
+        });
+        const allSqliHits = [...sqliHits, ...sqliTemplateHits];
+        if (allSqliHits.length > 0) {
+            findings.push({
+                id: "DB_SQL_INJECTION_RISK",
+                title: "Possible SQL injection: user input concatenated into query string",
+                severity: "CRITICAL",
+                evidence: allSqliHits.slice(0, 10).map((m) => `${m.file}:${m.line}:${m.preview}`),
+                files: [...new Set(allSqliHits.slice(0, 10).map((m) => m.file))],
+                requiredActions: [
+                    "Use parameterized queries or ORM query builders — never concatenate user input into SQL.",
+                    "CWE-89: SQL injection can lead to full database compromise."
+                ]
+            });
+        }
+    }
+    catch (err) {
+        console.warn("[checkDatabase] Internal error:", err instanceof Error ? err.message : String(err));
+    }
+    return findings;
+}

package/dist/gate/checks/dependencies.js

@@ -1,5 +1,129 @@
 import fg from "fast-glob";
 import { readFileSafe } from "../../repo/fs.js";
+import { execFile } from "node:child_process";
+import { promisify } from "node:util";
+import { readFile } from "node:fs/promises";
+const execFileAsync = promisify(execFile);
+// 24-hour cache for OpenSSF Scorecard API responses
+const scorecardCache = new Map();
+const CACHE_TTL_MS = 24 * 60 * 60 * 1000;
+async function fetchScorecardScore(dep) {
+    try {
+        const cached = scorecardCache.get(dep);
+        if (cached && Date.now() - cached.fetchedAt < CACHE_TTL_MS) {
+            return cached.score;
+        }
+        // dep may be scoped (e.g. @org/pkg) — map to github owner/repo is heuristic
+        // We try the npm registry to find the repository
+        const controller = new AbortController();
+        const timeout = setTimeout(() => controller.abort(), 5000);
+        try {
+            const npmResp = await fetch(`https://registry.npmjs.org/${encodeURIComponent(dep)}/latest`, {
+                signal: controller.signal
+            });
+            if (!npmResp.ok)
+                return null;
+            const npmData = await npmResp.json();
+            const repoUrl = npmData?.repository?.url ?? "";
+            const ghMatch = /github\.com[/:]([^/]+\/[^/.]+)/.exec(repoUrl);
+            if (!ghMatch)
+                return null;
+            const ghPath = ghMatch[1].replace(/\.git$/, "");
+            const controller2 = new AbortController();
+            const timeout2 = setTimeout(() => controller2.abort(), 5000);
+            try {
+                const scoreResp = await fetch(`https://api.securityscorecards.dev/projects/github.com/${ghPath}`, { signal: controller2.signal });
+                if (!scoreResp.ok)
+                    return null;
+                const scoreData = await scoreResp.json();
+                const score = scoreData?.score ?? null;
+                if (score !== null) {
+                    scorecardCache.set(dep, { score, fetchedAt: Date.now() });
+                }
+                return score;
+            }
+            finally {
+                clearTimeout(timeout2);
+            }
+        }
+        finally {
+            clearTimeout(timeout);
+        }
+    }
+    catch {
+        return null;
+    }
+}
+async function checkNpmProvenance() {
+    const findings = [];
+    try {
+        // 1. npm audit signatures (npm 9+)
+        try {
+            const { stdout } = await execFileAsync("npm", ["audit", "signatures", "--json"], {
+                timeout: 30000,
+                env: process.env
+            });
+            if (stdout) {
+                let auditResult;
+                try {
+                    auditResult = JSON.parse(stdout);
+                }
+                catch {
+                    auditResult = null;
+                }
+                if (auditResult && typeof auditResult === "object") {
+                    const result = auditResult;
+                    const invalid = result["invalid"] ?? [];
+                    const missing = result["missing"] ?? [];
+                    const noProvenance = [...invalid, ...missing];
+                    if (noProvenance.length > 0) {
+                        findings.push({
+                            id: "DEP_NO_PROVENANCE",
+                            title: `${noProvenance.length} production dependencies lack npm provenance attestation`,
+                            severity: "MEDIUM",
+                            evidence: noProvenance.slice(0, 10).map((p) => typeof p === "object" && p !== null ? JSON.stringify(p).slice(0, 120) : String(p)),
+                            requiredActions: [
+                                "Require packages with npm provenance attestation (npm 9+).",
+                                "Pin dependencies to specific versions and verify signatures."
+                            ]
+                        });
+                    }
+                }
+            }
+        }
+        catch {
+            // npm not available or < v9 — skip gracefully
+        }
+        // 2. OpenSSF Scorecard for top 5 production deps
+        try {
+            const pkgRaw = await readFile("package.json", "utf8");
+            const pkg = JSON.parse(pkgRaw);
+            const prodDeps = Object.keys(pkg.dependencies ?? {}).slice(0, 5);
+            for (const dep of prodDeps) {
+                const score = await fetchScorecardScore(dep);
+                if (score !== null && score < 5.0) {
+                    findings.push({
+                        id: "DEP_LOW_SCORECARD",
+                        title: `Dependency "${dep}" has a low OpenSSF Scorecard score (${score.toFixed(1)}/10)`,
+                        severity: "MEDIUM",
+                        evidence: [`${dep}: score ${score.toFixed(1)}/10 (threshold: 5.0)`],
+                        requiredActions: [
+                            `Review the OpenSSF Scorecard for ${dep} at https://scorecard.dev.`,
+                            "Consider replacing low-scored dependencies or accepting documented risk."
+                        ]
+                    });
+                }
+            }
+        }
+        catch {
+            // package.json unreadable or API unavailable — skip
+        }
+    }
+    catch (err) {
+        console.warn("[checkNpmProvenance] Internal error:", err instanceof Error ? err.message : String(err));
+    }
+    return { findings };
+}
 export async function checkDependencies(_) {
     const findings = [];
     const manifests = await fg(["package.json"], { dot: true });
@@ -39,5 +163,7 @@ export async function checkDependencies(_) {
             requiredActions: ["Fix package.json JSON syntax."]
         });
     }
+    const provenance = await checkNpmProvenance();
+    findings.push(...provenance.findings);
     return findings;
 }