security-mcp 1.1.0 → 1.1.2

package/dist/gate/checks/api.js

@@ -1,4 +1,7 @@
+import { sanitizeErrorMessage } from "../result.js";
 import { searchRepo } from "../../repo/search.js";
+import fg from "fast-glob";
+import { readFileSafe } from "../../repo/fs.js";
 export async function checkApi(_) {
     const findings = [];
     const zodHits = await searchRepo({ query: "zod|valibot|yup|joi", isRegex: true, maxMatches: 200 });
@@ -135,5 +138,95 @@ export async function checkApi(_) {
             ]
         });
     }
+    // 5. API schema drift (OpenAPI/Swagger spec vs code routes)
+    findings.push(...await checkApiSchemaDrift());
+    return findings;
+}
+function parseDeclaredPaths(specContent) {
+    const paths = new Set();
+    for (const match of specContent.matchAll(/^\s{0,4}(\/[a-zA-Z0-9/{}_-]+)\s*:/gm)) {
+        paths.add(match[1]);
+    }
+    return paths;
+}
+function findShadowRoutes(codeRouteHits, declaredPaths) {
+    const shadows = [];
+    for (const hit of codeRouteHits) {
+        const routeMatch = /['"](\/?[a-zA-Z0-9/{}_-]+)['"]/.exec(hit.preview);
+        if (!routeMatch)
+            continue;
+        const route = routeMatch[1].startsWith("/") ? routeMatch[1] : `/${routeMatch[1]}`;
+        const normalised = route.replaceAll(/:([a-zA-Z_]+)/g, "{$1}");
+        if (!declaredPaths.has(normalised) && !declaredPaths.has(route)) {
+            shadows.push(`${hit.file}:${hit.line} — ${route}`);
+        }
+    }
+    return shadows;
+}
+async function checkApiSchemaDrift() {
+    const findings = [];
+    try {
+        const specFiles = await fg([
+            "openapi.{yaml,yml,json}",
+            "swagger.{yaml,yml,json}",
+            "**/openapi.{yaml,yml,json}",
+            "**/swagger.{yaml,yml,json}",
+            "**/api-spec.{yaml,yml,json}",
+            "**/openapi/**/*.{yaml,yml,json}"
+        ], { ignore: ["**/node_modules/**", "**/dist/**", "**/.git/**"], dot: true });
+        const codeRouteHits = await searchRepo({
+            query: String.raw `(?:router|app|fastify|server)\.(?:get|post|put|delete|patch)\s*\(\s*['"](/[^'"]+)['"]`,
+            isRegex: true,
+            maxMatches: 300
+        });
+        if (specFiles.length === 0) {
+            if (codeRouteHits.length > 0) {
+                findings.push({
+                    id: "API_NO_OPENAPI_SPEC",
+                    title: "API routes detected but no OpenAPI/Swagger specification found",
+                    severity: "MEDIUM",
+                    evidence: codeRouteHits.slice(0, 10).map((m) => `${m.file}:${m.line}:${m.preview}`),
+                    requiredActions: [
+                        "Create an OpenAPI 3.x specification (openapi.yaml) that documents all API routes.",
+                        "An API contract enables automated schema validation, client SDK generation, and drift detection.",
+                        "Use tools like `zod-to-openapi` or `tsoa` to generate the spec from existing TypeScript code."
+                    ]
+                });
+            }
+            return findings;
+        }
+        const specContent = await readFileSafe(specFiles[0]);
+        const declaredPaths = parseDeclaredPaths(specContent);
+        const shadowRoutes = findShadowRoutes(codeRouteHits, declaredPaths);
+        if (shadowRoutes.length > 0) {
+            findings.push({
+                id: "API_SHADOW_ENDPOINT",
+                title: `${shadowRoutes.length} API route(s) in code not declared in OpenAPI spec — shadow endpoints`,
+                severity: "HIGH",
+                evidence: [...new Set(shadowRoutes)].slice(0, 15),
+                requiredActions: [
+                    "Add all undocumented routes to the OpenAPI specification.",
+                    "Shadow endpoints bypass API gateway policies, rate limiting, and schema validation.",
+                    "Automate spec generation (tsoa, zod-to-openapi) to prevent drift from recurring."
+                ]
+            });
+        }
+        if (/type:\s+object/.test(specContent) && !/properties:/.test(specContent)) {
+            findings.push({
+                id: "API_PERMISSIVE_SCHEMA",
+                title: "OpenAPI spec contains `type: object` without `properties` — accepts any payload shape",
+                severity: "MEDIUM",
+                files: [specFiles[0]],
+                requiredActions: [
+                    "Define explicit `properties` for all object schemas in the OpenAPI spec.",
+                    "Permissive schemas allow attackers to inject unexpected fields (mass assignment, prototype pollution).",
+                    "Set `additionalProperties: false` on request body schemas to enforce strict validation."
+                ]
+            });
+        }
+    }
+    catch (err) {
+        console.warn("[checkApiSchemaDrift] Internal error:", sanitizeErrorMessage(err instanceof Error ? err.message : String(err)));
+    }
     return findings;
 }

package/dist/gate/checks/ci-pipeline.js

@@ -0,0 +1,135 @@
+/**
+ * GitHub Actions CI/CD pipeline hardening checks.
+ * Covers supply chain attack vectors specific to GitHub Actions workflows.
+ */
+import { sanitizeErrorMessage } from "../result.js";
+import fg from "fast-glob";
+import { readFileSafe } from "../../repo/fs.js";
+export async function runCiPipelineChecks(_opts) {
+    const findings = [];
+    try {
+        const workflowFiles = await fg([".github/workflows/*.yml", ".github/workflows/*.yaml"], {
+            dot: true,
+            ignore: ["**/node_modules/**", "**/.git/**"]
+        });
+        if (workflowFiles.length === 0) {
+            return [];
+        }
+        const unpinnedFiles = [];
+        const pwnTargetFiles = [];
+        const secretEchoFiles = [];
+        const noPermissionsFiles = [];
+        const selfHostedFiles = [];
+        for (const file of workflowFiles) {
+            let content;
+            try {
+                content = await readFileSafe(file);
+            }
+            catch {
+                continue;
+            }
+            // Check 1: Third-party actions not pinned to a full 40-char SHA
+            // Matches `uses: owner/repo@tag` but NOT `uses: owner/repo@<40hex chars>`
+            // Also skip `uses: ./.github/actions/` (local actions are fine)
+            const actionLines = content.split("\n").filter((line) => /uses:\s+[a-zA-Z0-9_.-]+\/[a-zA-Z0-9_.-]+@/.test(line));
+            const unpinnedActions = actionLines.filter((line) => {
+                // Skip local actions
+                if (/uses:\s+\.\//.test(line))
+                    return false;
+                // Flag anything not pinned to a 40-char hex SHA
+                return !/uses:\s+[a-zA-Z0-9_.\-/]+@[0-9a-f]{40}/.test(line);
+            });
+            if (unpinnedActions.length > 0) {
+                unpinnedFiles.push(file);
+            }
+            // Check 2: pull_request_target + dynamic ref usage (pwn-request vector)
+            // Attacker controls the ref/sha when a PR from a fork triggers pull_request_target
+            if (/pull_request_target/.test(content) &&
+                /\$\{\{\s*github\.event\.pull_request\.head\.(sha|ref)\s*\}\}/.test(content)) {
+                pwnTargetFiles.push(file);
+            }
+            // Check 3: Secrets printed to logs via echo
+            if (/echo\s+\$\{\{\s*secrets\./.test(content)) {
+                secretEchoFiles.push(file);
+            }
+            // Check 4: No top-level permissions block
+            // Without explicit permissions, the default is write access to all scopes
+            if (!/^permissions:/m.test(content)) {
+                noPermissionsFiles.push(file);
+            }
+            // Check 5: Self-hosted runners (broader attack surface — runner compromise = code execution)
+            if (/runs-on:\s+self-hosted/.test(content)) {
+                selfHostedFiles.push(file);
+            }
+        }
+        if (unpinnedFiles.length > 0) {
+            findings.push({
+                id: "CI_UNPINNED_ACTION",
+                title: "GitHub Actions using mutable tags instead of pinned SHA digests",
+                severity: "HIGH",
+                files: unpinnedFiles.slice(0, 10),
+                requiredActions: [
+                    "Pin all third-party actions to a full 40-character commit SHA (e.g. `uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683`).",
+                    "Mutable tags like @v3 can be silently redirected to malicious commits — SHA pinning prevents supply chain substitution.",
+                    "Use a tool like `pin-github-action` or Dependabot to automate SHA pinning."
+                ]
+            });
+        }
+        if (pwnTargetFiles.length > 0) {
+            findings.push({
+                id: "CI_PWNTARGET_SHA",
+                title: "pull_request_target workflow uses attacker-controlled ref/SHA — pwn-request vector",
+                severity: "CRITICAL",
+                files: pwnTargetFiles.slice(0, 10),
+                requiredActions: [
+                    "Never use `${{ github.event.pull_request.head.sha }}` or `head.ref` inside a `pull_request_target` workflow that checks out or runs code from the PR.",
+                    "`pull_request_target` runs with write permissions and secrets access; the PR head is attacker-controlled.",
+                    "Use `pull_request` (not `pull_request_target`) for code that executes untrusted contributions, or add explicit guard conditions."
+                ]
+            });
+        }
+        if (secretEchoFiles.length > 0) {
+            findings.push({
+                id: "CI_SECRET_ECHO",
+                title: "GitHub Actions workflow echoes secrets to logs",
+                severity: "CRITICAL",
+                files: secretEchoFiles.slice(0, 10),
+                requiredActions: [
+                    "Remove any `echo ${{ secrets.* }}` statements — secrets printed to logs are visible to anyone with read access to the repository.",
+                    "GitHub masks known secret values in logs, but this is not reliable for all encodings.",
+                    "Pass secrets via environment variables (`env: MY_SECRET: ${{ secrets.MY_SECRET }}`) and read them in code, never echo them."
+                ]
+            });
+        }
+        if (noPermissionsFiles.length > 0) {
+            findings.push({
+                id: "CI_NO_PERMISSIONS",
+                title: "GitHub Actions workflows without explicit permissions block",
+                severity: "MEDIUM",
+                files: noPermissionsFiles.slice(0, 10),
+                requiredActions: [
+                    "Add an explicit `permissions:` block at the top of each workflow (or at the job level) to grant only the minimum required scopes.",
+                    "Without explicit permissions, the default is determined by org/repo settings — often write-all.",
+                    "Example minimal read-only: `permissions: { contents: read }`."
+                ]
+            });
+        }
+        if (selfHostedFiles.length > 0) {
+            findings.push({
+                id: "CI_SELF_HOSTED_RUNNER",
+                title: "GitHub Actions using self-hosted runners",
+                severity: "MEDIUM",
+                files: selfHostedFiles.slice(0, 10),
+                requiredActions: [
+                    "Self-hosted runners executing untrusted fork PRs can be compromised — restrict `pull_request` triggers on self-hosted runner workflows.",
+                    "Ensure self-hosted runners are ephemeral (destroyed after each job) and isolated from production networks.",
+                    "Use GitHub-hosted runners for public repositories or untrusted code paths."
+                ]
+            });
+        }
+    }
+    catch (err) {
+        console.warn("[runCiPipelineChecks] Internal error:", sanitizeErrorMessage(err instanceof Error ? err.message : String(err)));
+    }
+    return findings;
+}

package/dist/gate/checks/crypto.js

@@ -1,4 +1,31 @@
+/**
+ * Weak cryptography detection.
+ * Mapped to NIST SP 800-131A Rev 2.
+ */
+import { sanitizeErrorMessage } from "../result.js";
 import { searchRepo } from "../../repo/search.js";
+function checkPbkdf2Iterations(hits) {
+    for (const hit of hits) {
+        const iterMatch = /pbkdf2(?:Sync)?\s*\([^)]*?,\s*[^,]+,\s*(\d+)/.exec(hit.preview);
+        if (!iterMatch)
+            continue;
+        const iters = Number.parseInt(iterMatch[1], 10);
+        if (iters < 600000) {
+            return {
+                id: "CRYPTO_LOW_PBKDF2_ITERATIONS",
+                title: `PBKDF2 iteration count too low (${iters} < 600,000)`,
+                severity: "HIGH",
+                evidence: [`${hit.file}:${hit.line}:${hit.preview}`],
+                files: [hit.file],
+                requiredActions: [
+                    "Use ≥ 600,000 iterations for PBKDF2-SHA256 (OWASP 2023 recommendation).",
+                    "Prefer bcrypt (cost ≥ 12) or Argon2id instead."
+                ]
+            };
+        }
+    }
+    return null;
+}
 export async function checkCrypto(_opts) {
     const findings = [];
     try {
@@ -86,27 +113,9 @@ export async function checkCrypto(_opts) {
             isRegex: true,
             maxMatches: 200
         });
-        // Check for numeric iteration counts in the context
-        for (const hit of pbkdf2Hits) {
-            const iterMatch = /pbkdf2(?:Sync)?\s*\([^)]*?,\s*[^,]+,\s*(\d+)/.exec(hit.preview);
-            if (iterMatch) {
-                const iters = parseInt(iterMatch[1], 10);
-                if (iters < 600000) {
-                    findings.push({
-                        id: "CRYPTO_LOW_PBKDF2_ITERATIONS",
-                        title: `PBKDF2 iteration count too low (${iters} < 600,000)`,
-                        severity: "HIGH",
-                        evidence: [`${hit.file}:${hit.line}:${hit.preview}`],
-                        files: [hit.file],
-                        requiredActions: [
-                            "Use ≥ 600,000 iterations for PBKDF2-SHA256 (OWASP 2023 recommendation).",
-                            "Prefer bcrypt (cost ≥ 12) or Argon2id instead."
-                        ]
-                    });
-                    break;
-                }
-            }
-        }
+        const pbkdf2Finding = checkPbkdf2Iterations(pbkdf2Hits);
+        if (pbkdf2Finding)
+            findings.push(pbkdf2Finding);
         // 6. Hardcoded IV/nonce
         const hardcodedIvHits = await searchRepo({
             query: String.raw `iv\s*[:=]\s*(?:Buffer\.from\(['"][0-9a-fA-F]+['"]\)|['"][0-9a-fA-F]{16,}['"])`,
@@ -145,9 +154,69 @@ export async function checkCrypto(_opts) {
                 ]
             });
         }
+        // 8. Post-quantum readiness: RSA-1024
+        const rsa1024Hits = await searchRepo({
+            query: String.raw `modulusLength\s*:\s*1024|generateKeyPair\s*\(\s*['"]rsa['"][^)]*1024`,
+            isRegex: true,
+            maxMatches: 200
+        });
+        if (rsa1024Hits.length > 0) {
+            findings.push({
+                id: "CRYPTO_RSA_1024",
+                title: "RSA-1024 key detected — cryptographically broken",
+                severity: "CRITICAL",
+                evidence: rsa1024Hits.slice(0, 10).map((m) => `${m.file}:${m.line}:${m.preview}`),
+                files: [...new Set(rsa1024Hits.slice(0, 10).map((m) => m.file))],
+                requiredActions: [
+                    "Upgrade to RSA-4096 minimum, or migrate to ML-DSA (FIPS 204) / SLH-DSA (FIPS 205) for new key material.",
+                    "RSA-1024 is fully broken — NIST deprecated it in 2013 (SP 800-131A).",
+                    "For TLS certificates, reissue with RSA-4096 or ECDSA P-384 immediately."
+                ]
+            });
+        }
+        // 9. Post-quantum readiness: RSA-2048 warning
+        const rsa2048Hits = await searchRepo({
+            query: String.raw `modulusLength\s*:\s*2048|generateKeyPair\s*\(\s*['"]rsa['"][^)]*2048`,
+            isRegex: true,
+            maxMatches: 200
+        });
+        if (rsa2048Hits.length > 0) {
+            findings.push({
+                id: "CRYPTO_RSA_2048_PQC",
+                title: "RSA-2048 detected — quantum-vulnerable; plan migration to post-quantum algorithms",
+                severity: "MEDIUM",
+                evidence: rsa2048Hits.slice(0, 10).map((m) => `${m.file}:${m.line}:${m.preview}`),
+                files: [...new Set(rsa2048Hits.slice(0, 10).map((m) => m.file))],
+                requiredActions: [
+                    "RSA-2048 is currently secure against classical computers but will be broken by sufficiently large quantum computers.",
+                    "NIST finalized post-quantum standards in 2024: ML-KEM (FIPS 203), ML-DSA (FIPS 204), SLH-DSA (FIPS 205).",
+                    "For long-lived keys or data requiring 10+ year secrecy: migrate to ML-DSA or use a hybrid classical+PQC scheme."
+                ]
+            });
+        }
+        // 10. Post-quantum readiness: ECDSA P-256 (informational)
+        const p256Hits = await searchRepo({
+            query: String.raw `prime256v1|secp256r1|namedCurve\s*:\s*['"]P-256['"]|namedCurve\s*:\s*['"]p256['"]`,
+            isRegex: true,
+            maxMatches: 200
+        });
+        if (p256Hits.length > 0) {
+            findings.push({
+                id: "CRYPTO_ECDSA_P256_PQC",
+                title: "ECDSA P-256 detected — quantum-vulnerable in the long term",
+                severity: "LOW",
+                evidence: p256Hits.slice(0, 10).map((m) => `${m.file}:${m.line}:${m.preview}`),
+                files: [...new Set(p256Hits.slice(0, 10).map((m) => m.file))],
+                requiredActions: [
+                    "P-256 (secp256r1) is secure today but vulnerable to Shor's algorithm on a sufficiently large quantum computer.",
+                    "NIST post-quantum signature standards: ML-DSA (FIPS 204) and SLH-DSA (FIPS 205) are the recommended replacements.",
+                    "For new systems handling sensitive long-lived data, evaluate hybrid ECDSA+ML-DSA or pure ML-DSA."
+                ]
+            });
+        }
     }
     catch (err) {
-        console.warn("[checkCrypto] Internal error:", err instanceof Error ? err.message : String(err));
+        console.warn("[checkCrypto] Internal error:", sanitizeErrorMessage(err instanceof Error ? err.message : String(err)));
     }
     return findings;
 }

package/dist/gate/checks/database.js

@@ -1,3 +1,7 @@
+/**
+ * Database security checks.
+ */
+import { sanitizeErrorMessage } from "../result.js";
 import { searchRepo } from "../../repo/search.js";
 export async function checkDatabase(_opts) {
     const findings = [];
@@ -138,7 +142,7 @@ export async function checkDatabase(_opts) {
         }
     }
     catch (err) {
-        console.warn("[checkDatabase] Internal error:", err instanceof Error ? err.message : String(err));
+        console.warn("[checkDatabase] Internal error:", sanitizeErrorMessage(err instanceof Error ? err.message : String(err)));
     }
     return findings;
 }