security-mcp 1.1.3 → 1.3.1

Files changed (133) hide show
  1. package/README.md +164 -185
  2. package/defaults/checklists/ai.json +20 -1
  3. package/defaults/checklists/api.json +35 -1
  4. package/defaults/checklists/infra.json +34 -1
  5. package/defaults/checklists/mobile.json +23 -1
  6. package/defaults/checklists/payments.json +15 -1
  7. package/defaults/checklists/web.json +11 -1
  8. package/defaults/control-catalog.json +200 -0
  9. package/defaults/security-policy.json +2 -2
  10. package/dist/cli/index.js +82 -5
  11. package/dist/cli/install.js +36 -6
  12. package/dist/cli/onboarding.js +6 -0
  13. package/dist/gate/baseline.js +82 -7
  14. package/dist/gate/catalog.js +10 -2
  15. package/dist/gate/checks/ai.js +757 -39
  16. package/dist/gate/checks/auth-deep.js +935 -0
  17. package/dist/gate/checks/business-logic.js +751 -0
  18. package/dist/gate/checks/ci-pipeline.js +399 -4
  19. package/dist/gate/checks/crypto.js +423 -2
  20. package/dist/gate/checks/dependencies.js +571 -15
  21. package/dist/gate/checks/graphql.js +201 -19
  22. package/dist/gate/checks/infra.js +246 -1
  23. package/dist/gate/checks/injection-deep.js +848 -0
  24. package/dist/gate/checks/k8s.js +114 -1
  25. package/dist/gate/checks/mobile-android.js +917 -3
  26. package/dist/gate/checks/mobile-ios.js +797 -5
  27. package/dist/gate/checks/required-artifacts.js +194 -0
  28. package/dist/gate/checks/runtime.js +178 -0
  29. package/dist/gate/checks/secrets.js +244 -13
  30. package/dist/gate/checks/supply-chain-deep.js +787 -0
  31. package/dist/gate/checks/web-nextjs.js +572 -48
  32. package/dist/gate/diff.js +17 -5
  33. package/dist/gate/evidence.js +8 -1
  34. package/dist/gate/exceptions.js +131 -9
  35. package/dist/gate/policy.js +282 -129
  36. package/dist/mcp/audit-chain.js +122 -28
  37. package/dist/mcp/auth.js +169 -0
  38. package/dist/mcp/learning.js +129 -4
  39. package/dist/mcp/model-router.js +158 -21
  40. package/dist/mcp/orchestration.js +186 -51
  41. package/dist/mcp/server.js +608 -94
  42. package/dist/repo/fs.js +24 -1
  43. package/dist/repo/search.js +31 -6
  44. package/dist/review/store.js +52 -1
  45. package/package.json +7 -7
  46. package/prompts/SECURITY_PROMPT.md +73 -0
  47. package/skills/_TEMPLATE/SKILL.md +99 -0
  48. package/skills/advanced-dos-tester/SKILL.md +109 -0
  49. package/skills/agentic-loop-exploiter/SKILL.md +368 -0
  50. package/skills/ai-llm-redteam/SKILL.md +104 -0
  51. package/skills/ai-model-supply-chain-agent/SKILL.md +103 -0
  52. package/skills/algorithm-implementation-reviewer/SKILL.md +98 -0
  53. package/skills/android-penetration-tester/SKILL.md +455 -46
  54. package/skills/anti-replay-tester/SKILL.md +106 -0
  55. package/skills/appsec-code-auditor/SKILL.md +120 -0
  56. package/skills/artifact-integrity-analyst/SKILL.md +441 -0
  57. package/skills/attack-navigator/SKILL.md +467 -8
  58. package/skills/auth-session-hacker/SKILL.md +128 -0
  59. package/skills/aws-penetration-tester/SKILL.md +456 -0
  60. package/skills/azure-penetration-tester/SKILL.md +490 -3
  61. package/skills/binary-auth-validator/SKILL.md +111 -0
  62. package/skills/bot-detection-specialist/SKILL.md +109 -0
  63. package/skills/business-logic-attacker/SKILL.md +231 -0
  64. package/skills/capec-code-mapper/SKILL.md +84 -0
  65. package/skills/cert-pin-rotation-specialist/SKILL.md +112 -0
  66. package/skills/cicd-pipeline-hijacker/SKILL.md +405 -0
  67. package/skills/ciso-orchestrator/SKILL.md +454 -43
  68. package/skills/cloud-infra-specialist/SKILL.md +118 -0
  69. package/skills/compliance-gap-analyst/SKILL.md +422 -0
  70. package/skills/compliance-grc/SKILL.md +85 -0
  71. package/skills/compliance-lifecycle-tracker/SKILL.md +84 -0
  72. package/skills/credential-stuffing-specialist/SKILL.md +102 -0
  73. package/skills/crypto-pki-specialist/SKILL.md +87 -0
  74. package/skills/csa-ccm-mapper/SKILL.md +84 -0
  75. package/skills/csf2-governance-mapper/SKILL.md +84 -0
  76. package/skills/deep-link-fuzzer/SKILL.md +109 -0
  77. package/skills/dependency-confusion-attacker/SKILL.md +415 -0
  78. package/skills/device-integrity-aggregator/SKILL.md +108 -0
  79. package/skills/dos-resilience-tester/SKILL.md +97 -0
  80. package/skills/dread-scorer/SKILL.md +84 -0
  81. package/skills/egress-policy-enforcer/SKILL.md +99 -0
  82. package/skills/evidence-collector/SKILL.md +98 -0
  83. package/skills/file-upload-attacker/SKILL.md +109 -0
  84. package/skills/gcp-penetration-tester/SKILL.md +459 -2
  85. package/skills/git-history-secret-scanner/SKILL.md +106 -0
  86. package/skills/iam-privesc-graph-builder/SKILL.md +152 -0
  87. package/skills/incident-responder/SKILL.md +111 -0
  88. package/skills/injection-specialist/SKILL.md +131 -0
  89. package/skills/ios-security-auditor/SKILL.md +282 -0
  90. package/skills/json-ambiguity-tester/SKILL.md +0 -0
  91. package/skills/k8s-container-escaper/SKILL.md +384 -0
  92. package/skills/key-management-lifecycle-analyst/SKILL.md +98 -0
  93. package/skills/kill-switch-engineer/SKILL.md +102 -0
  94. package/skills/linddun-privacy-analyst/SKILL.md +102 -0
  95. package/skills/logic-race-fuzzer/SKILL.md +443 -0
  96. package/skills/mobile-api-network-attacker/SKILL.md +421 -0
  97. package/skills/mobile-binary-hardener/SKILL.md +102 -0
  98. package/skills/mobile-security-specialist/SKILL.md +85 -0
  99. package/skills/mobile-webview-auditor/SKILL.md +96 -0
  100. package/skills/model-extraction-attacker/SKILL.md +219 -0
  101. package/skills/multipart-abuse-tester/SKILL.md +84 -0
  102. package/skills/oauth-pkce-specialist/SKILL.md +104 -0
  103. package/skills/parser-exhaustion-tester/SKILL.md +142 -0
  104. package/skills/pentest-infra/SKILL.md +141 -0
  105. package/skills/pentest-social/SKILL.md +201 -0
  106. package/skills/pentest-team/SKILL.md +134 -0
  107. package/skills/pentest-web-api/SKILL.md +151 -0
  108. package/skills/privacy-flow-analyst/SKILL.md +234 -0
  109. package/skills/prompt-injection-specialist/SKILL.md +394 -0
  110. package/skills/quantum-migration-planner/SKILL.md +96 -0
  111. package/skills/rag-poisoning-specialist/SKILL.md +358 -0
  112. package/skills/registry-mirror-enforcer/SKILL.md +84 -0
  113. package/skills/rotation-validation-agent/SKILL.md +112 -0
  114. package/skills/samm-assessor/SKILL.md +85 -0
  115. package/skills/secrets-mask-bypass-tester/SKILL.md +100 -0
  116. package/skills/senior-security-engineer/SKILL.md +370 -2
  117. package/skills/serialization-memory-attacker/SKILL.md +332 -0
  118. package/skills/session-timeout-tester/SKILL.md +161 -0
  119. package/skills/slsa-level3-enforcer/SKILL.md +112 -0
  120. package/skills/slsa-provenance-enforcer/SKILL.md +102 -0
  121. package/skills/ssrf-detection-validator/SKILL.md +108 -0
  122. package/skills/step-up-auth-enforcer/SKILL.md +84 -0
  123. package/skills/stride-pasta-analyst/SKILL.md +420 -0
  124. package/skills/supply-chain-devsecops/SKILL.md +98 -0
  125. package/skills/threat-infrastructure-analyst/SKILL.md +84 -0
  126. package/skills/threat-modeler/SKILL.md +85 -0
  127. package/skills/tls-certificate-auditor/SKILL.md +573 -18
  128. package/skills/token-reuse-detector/SKILL.md +95 -0
  129. package/skills/trike-risk-modeler/SKILL.md +84 -0
  130. package/skills/unicode-homograph-tester/SKILL.md +84 -0
  131. package/skills/waf-rule-lifecycle-agent/SKILL.md +97 -0
  132. package/skills/webhook-security-tester/SKILL.md +102 -0
  133. package/skills/zero-trust-architect/SKILL.md +109 -0
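--- a/package/README.md
+++ b/package/README.md
@@ -17,15 +17,13 @@ Works with **Claude Code, GitHub Copilot, Cursor, Codex, Replit**, and any MCP-c
 
 ## Table of Contents
 
+- [What's New in v1.3.0](#whats-new-in-v130)
 - [What Problem Does This Solve?](#what-problem-does-this-solve)
 - [Who Is This For?](#who-is-this-for)
 - [Two Modes - Pick Your Depth](#two-modes---pick-your-depth)
 - [Quick Start - Install in 60 Seconds](#quick-start---install-in-60-seconds)
-- [Step-by-Step Installation Guide](#step-by-step-installation-guide)
-- [Claude Code](#step-by-step-claude-code)
-- [Cursor](#step-by-step-cursor)
-- [VS Code / GitHub Copilot](#step-by-step-vs-code--github-copilot)
-- [Manual Configuration](#manual-configuration-any-mcp-editor)
+- [Installation](#installation)
+- [Verify Your Installation](#verify-your-installation)
 - [How to Run Your First Security Review](#how-to-run-your-first-security-review)
 - [CI/CD Security Gate](#cicd-security-gate)
 - [What Gets Fixed Automatically](#what-gets-fixed-automatically)
@@ -40,6 +38,117 @@ Works with **Claude Code, GitHub Copilot, Cursor, Codex, Replit**, and any MCP-c
 
 ---
 
+## What's New in v1.3.0
+
+v1.3.0 delivers **104 new blindspot detection checks** across 7 threat domains, discovered by running a full 8-agent CISO Orchestrator pass followed by an adversarial pentest verification round. It also closes 5 critical security vulnerabilities in the gate engine itself.
+
+### 42 Deep Injection Patterns (was 15)
+
+`checkInjectionDeep` now covers 42 detection patterns:
+
+| Added in v1.3.0 | ATT&CK | What It Catches |
+| --- | --- | --- |
+| **SSTI (Java/PHP)** | T1059 | FreeMarker, Thymeleaf, Velocity, Twig, Smarty template injection |
+| **SpEL / OGNL injection** | T1059 | Spring Expression Language and OGNL via user-controlled string eval |
+| **Pickle / Java deserialization** | T1059.001 | Unsafe `pickle.loads`, `ObjectInputStream`, `readObject` on untrusted data |
+| **Second-order injection** | T1059 | Data stored to DB then later executed — two-pass file-correlation check |
+| **CSS injection** | T1059 | User content reflected inside `<style>` or `style=` without sanitization |
+| **Elasticsearch injection** | T1059 | Dynamic query construction in Elasticsearch DSL with user input |
+| **WebSocket injection** | T1059 | User-controlled data in `ws.send()` without validation |
+| **SSE-CRLF** | T1059 | CRLF in Server-Sent Events `data:` field hijacking the SSE stream |
+| **PDF / document injection** | T1059 | User input in PDF field generation without escaping |
+| **HTTP response splitting** | T1059 | CRLF in HTTP header values |
+| **Bracket-notation prototype pollution** | T1203 | `obj[key] = value` with user-controlled keys |
+
+Plus all original patterns: XXE, SSTI multiline, LDAP, XPath, JNDI/Log4Shell, MongoDB `$where`, prototype pollution, CRLF, unsafe YAML, deserialization, path traversal, log injection, SSRF, command injection, ReDoS, SQL/ORM (Prisma, Sequelize, Knex, TypeORM), Redis `EVAL`, HTTP header injection.
+
+### 43 Deep Auth Patterns (was 16)
+
+`checkAuthDeep` now covers 43 detection patterns:
+
+| Added in v1.3.0 | CWE | What It Catches |
+| --- | --- | --- |
+| **JWT `kid` injection** | CWE-20 | `kid` header used as file path or SQL expression for key material |
+| **JWKS URI override** | CWE-20 | Attacker-controlled `jku` / `x5u` headers pointing to external key stores |
+| **OAuth client secret in repo** | CWE-798 | `client_secret` literals or env defaults checked into source |
+| **Session token in URL** | CWE-598 | Session IDs in query parameters — logged by every proxy |
+| **Low-entropy token** | CWE-330 | Token / secret generated with `Math.random()` or timestamp-seeded RNG |
+| **Remember-me no rotation** | CWE-613 | Persistent login tokens never rotated on use |
+| **Password reset single-use** | CWE-640 | Reset tokens reusable after initial redemption |
+| **Account enumeration** | CWE-204 | Different error messages for valid vs. invalid usernames |
+| **Bcrypt cost factor** | CWE-916 | `bcrypt.hash(pw, N)` where N < 12 |
+
+Plus all original patterns: JWT alg:none/HS-RS confusion, session fixation, OAuth state/redirect_uri/PKCE, hardcoded JWT secret, rate limit on auth, plaintext password compare, SAML signature bypass, insecure cookie flags, refresh token rotation, API key in URL, reset token expiry, admin route without authz, timing oracle.
+
+### 31 Business Logic Patterns (was 8)
+
+`checkBusinessLogic` now catches 31 patterns including 13 new e-commerce and payment abuse vectors:
+
+- **Currency confusion** — mixed-currency arithmetic without normalization
+- **Discount stacking** — coupon codes combined with promotions without stack limits
+- **Order fulfillment bypass** — status transitions that skip required payment/verification steps
+- **Webhook timestamp** — missing replay-window check on webhook signature verification
+- **Tax / shipping parameter tamper** — client-supplied tax and shipping totals accepted server-side
+- **Client-side total** — final order amount derived from a browser-supplied value
+- **Referral abuse** — self-referral detection absent from referral credit logic
+- **Email normalization** — `user+tag@domain.com` not normalized when enforcing unique accounts
+- **Feature flag bypass** — feature flags controllable via client-supplied headers or query params
+- **API version bypass** — security controls on v2 routes not enforced on legacy v1 endpoints
+- **Double-spend payment** — concurrent payment requests without idempotency key enforcement
+- **Free trial abuse** — trial period enforced only by client-supplied start date
+- **Pagination abuse** — unlimited page size parameter enabling full-table data dump
+
+### 32 Supply Chain Deep Patterns (was 16)
+
+`checkSupplyChainDeep` now covers 32 patterns. New additions detect obfuscated payloads, malicious package scripts, and exfiltration channels that bypass standard SAST tools — including keyloggers, reverse shells, cryptomining signatures, DNS exfiltration, clipboard monitoring, and more.
+
+### Critical Security Fixes
+
+| ID | Severity | Fix |
+| --- | --- | --- |
+| **VULN-001** | CRITICAL | Dead multiline regex in `checkSecondOrderInjection` silently nulled the entire injection-deep module — replaced with two-pass file-correlation |
+| **VULN-002** | HIGH | Symlink traversal in `policy.ts` glob calls — `followSymbolicLinks: false` enforced |
+| **VULN-003** | HIGH | Evidence previews leaked secret values — `redactSecrets()` added to `search.ts` |
+| **AUTH-OBO-01** | HIGH | Lockout off-by-one in `auth.ts` allowed 4 attempts instead of 3 |
+| **META-01/03/04** | MEDIUM | Prompt injection vectors in MCP server — `_notice` framing and `sanitizePromptParam()` added |
+
+### Also in v1.2.1
+
+- OWASP Top 10 now **10/10 covered** — A09 (Security Logging and Monitoring Failures) fully completed
+- NIST AU-11 / PCI Req 10 log retention detection added to `checkAuthDeep`
+- ISO 42001 §9.1 routing decision audit log added to model router
+- `runScanners` (gitleaks / semgrep / trivy / checkov / osv-scanner) wired into the gate — was implemented but never called since v1.0; now active check 27
+
+### Also in v1.2.0
+
+- **Secrets** — dotfiles glob, base64/hex decode pre-pass, 10 new token formats (Vercel, PlanetScale, Databricks, Linear, Railway, npmrc, HuggingFace, ARM, Twilio), gitleaks history scan, split-string heuristic
+- **Injection** — SQL/ORM detection (Prisma `$queryRaw`, Sequelize, Knex, TypeORM), JNDI/Log4Shell, LDAP, XPath, Redis `EVAL`, ReDoS static catastrophic-backtracking patterns
+- **Cryptography** — AES-CBC-without-HMAC (+ split-string evasion fix), GCM nonce reuse and timestamp IV, RSA PKCS#1v1.5, SHA-256-as-password-hash, hardcoded PBKDF2 salt, `rejectUnauthorized: false`, weak TLS min version
+- **Checklists** — all 6 surface checklists updated with `automated: true` entries for every new check ID
+
+### MCP Caller Authentication
+
+Protect the MCP server channel against rogue processes that obtain stdio access:
+
+```bash
+export SECURITY_MCP_SHARED_SECRET="$(openssl rand -hex 32)"
+```
+
+When set, every tool call is blocked until the AI agent calls `security.authenticate` with the matching token. Uses constant-time HMAC comparison (CWE-208), 3-strike lockout, and minimum 16-byte secret enforcement. Backwards-compatible — when unset, all tools are immediately available.
+
+### Policy HMAC Integrity Signing
+
+Prevent tampered policy files from silently disabling severity blocking:
+
+```bash
+export SECURITY_POLICY_HMAC_KEY="$(openssl rand -hex 32)"
+npx security-mcp sign-policy
+```
+
+When set, the gate rejects any policy file whose HMAC sidecar (`.hmac`) does not match — making it impossible to quietly change `severity_block: ["HIGH","CRITICAL"]` to `[]` without detection.
+
+---
+
 ## What Problem Does This Solve?
 
 When you use an AI coding assistant to build features fast, security is easy to skip - not because you don't care, but because:
@@ -120,169 +229,32 @@ For a full 39-agent deep audit:
 
 ---
 
-## Step-by-Step Installation Guide
-
-### Step-by-Step: Claude Code
-
-**Prerequisite:** Node.js 20+ installed. Check with `node --version`.
-
-**Step 1 - Run the installer:**
-
-```bash
-npx -y security-mcp@latest install --claude-code
-```
-
-This writes the MCP server config to `~/.claude/settings.json`.
-
-**Step 2 - Verify the config was written:**
-
-```bash
-cat ~/.claude/settings.json
-```
-
-You should see:
-
-```json
-{
-"mcpServers": {
-"security-mcp": {
-"command": "npx",
-"args": ["-y", "security-mcp@latest", "serve"]
-}
-}
-}
-```
-
-**Step 3 - Restart Claude Code** to pick up the new MCP server.
-
-**Step 4 - Verify the tools loaded.** In Claude Code, run:
-
-```text
-/mcp
-```
-
-You should see `security-mcp` listed as a connected server with `security.*`, `orchestration.*`, and `repo.*` tools available.
-
-**Step 5 - Run your first security review:**
-
-```text
-/senior-security-engineer
-```
-
-The agent will ask:
-
-- **A) Recent changes** - scans only what changed since your last commit (fastest, use daily)
-- **B) Full codebase** - scans everything (use for new projects or after major changes)
-- **C) Specific files or folders** - scans exactly what you specify
-
-Pick one and let it run.
-
----
-
-### Step-by-Step: Cursor
-
-**Step 1 - Run the installer:**
-
-```bash
-npx -y security-mcp@latest install --cursor
-```
-
-This writes to `~/.cursor/mcp.json`.
-
-**Step 2 - Verify:**
-
-```bash
-cat ~/.cursor/mcp.json
-```
-
-Expected output:
-
-```json
-{
-"mcpServers": {
-"security-mcp": {
-"command": "npx",
-"args": ["-y", "security-mcp@latest", "serve"]
-}
-}
-}
-```
-
-**Step 3 - Restart Cursor.**
+## Installation
 
-**Step 4 - Open Cursor's MCP panel** (Settings -> MCP) and confirm `security-mcp` shows as connected.
+> **Prerequisite:** Node.js 20+. Check with `node --version`.
 
-**Step 5 - In the Cursor AI chat, type:**
-
-```text
-Use /senior-security-engineer to review my recent changes
-```
-
----
-
-### Step-by-Step: VS Code / GitHub Copilot
-
-**Step 1 - Run the installer:**
+### One Command Auto-detects Your Editor
 
 ```bash
-npx -y security-mcp@latest install --vscode
-```
-
-This writes to your VS Code user `settings.json`.
-
-**Step 2 - Verify in VS Code:**
-
-Open Command Palette (`Cmd+Shift+P` / `Ctrl+Shift+P`) -> `Preferences: Open User Settings (JSON)`.
-
-You should see:
-
-```json
-{
-"mcp.servers": {
-"security-mcp": {
-"command": "npx",
-"args": ["-y", "security-mcp@latest", "serve"]
-}
-}
-}
-```
-
-**Step 3 - Restart VS Code.**
-
-**Step 4 - In GitHub Copilot Chat, type:**
-
-```text
-@security-mcp run /senior-security-engineer on recent changes
+npx -y security-mcp@latest install
 ```
 
----
-
-### Manual Configuration (Any MCP Editor)
+The installer detects Claude Code, Cursor, VS Code, and Windsurf automatically and writes the config to the correct location. Restart your editor when it finishes, then type `/senior-security-engineer`.
 
-If the installer doesn't detect your editor, or you prefer to configure manually:
-
-**Step 1 - Print the config snippet:**
+### Install for a Specific Editor
 
 ```bash
-npx -y security-mcp@latest config
+npx -y security-mcp@latest install --claude-code # ~/.claude/settings.json
+npx -y security-mcp@latest install --cursor # ~/.cursor/mcp.json
+npx -y security-mcp@latest install --vscode # VS Code user settings.json
+npx -y security-mcp@latest install --windsurf # ~/.windsurf/mcp.json
 ```
 
-**Step 2 - Copy the output** and paste it into your editor's MCP configuration file.
-
-**Claude Code** (`~/.claude/settings.json`):
+### Manual Config (Any MCP-Compatible Editor)
 
-```json
-{
-"mcpServers": {
-"security-mcp": {
-"command": "npx",
-"args": ["-y", "security-mcp@latest", "serve"]
-}
-}
-}
-```
+Add this to your editor's MCP server config and restart:
 
-**Cursor** (`~/.cursor/mcp.json`):
+**Claude Code** (`~/.claude/settings.json`) · **Cursor** (`~/.cursor/mcp.json`) · **Windsurf** (`~/.windsurf/mcp.json`):
 
 ```json
 {
@@ -295,7 +267,7 @@ npx -y security-mcp@latest config
 }
 ```
 
-**VS Code / GitHub Copilot** (`settings.json`):
+**VS Code / GitHub Copilot** (user `settings.json`):
 
 ```json
 {
@@ -308,37 +280,26 @@ npx -y security-mcp@latest config
 }
 ```
 
-**Windsurf / Codex / Replit** - use the same `command`/`args` format your editor supports for MCP servers.
-
-**Step 3 - Restart your editor** after saving the config.
-
 ---
 
-### Global Install (Optional)
-
-If you want the `security-mcp` binary available system-wide without `npx`:
+## Verify Your Installation
 
-```bash
-npm install -g security-mcp@latest
-security-mcp install-global
-```
-
-Then you can use:
+After installing, confirm everything is wired up correctly:
 
 ```bash
-security-mcp install-global --claude-code
-security-mcp install-global --cursor
-security-mcp install-global --vscode
+npx -y security-mcp@latest doctor
 ```
 
----
+This checks your Node.js version, editor config files, and installed skills — and prints `[PASS]` or `[FAIL]` per check with a fix command if anything is missing.
 
-### Preview Without Writing Anything
+Example output:
 
-To see what the installer would do without making any changes:
+```text
+[PASS] Node.js 22.x
+[PASS] Claude Code config (~/.claude/settings.json)
+[PASS] senior-security-engineer skill (~/.claude/skills/senior-security-engineer/SKILL.md)
 
-```bash
-npx -y security-mcp@latest install --dry-run
+All checks passed. Restart your editor, then type /senior-security-engineer.
 ```
 
 ---
@@ -365,7 +326,7 @@ npx -y security-mcp@latest install --dry-run
 
 1. Call `security.start_review` to create a tracked run
 2. Build a scan plan covering all relevant OWASP/NIST/ATT&CK controls
-3. Run 18 security checks in parallel across secrets, dependencies, crypto, auth, injection, cloud config, AI/LLM, mobile, and more
+3. Run 20 security checks in parallel across secrets, dependencies, crypto, auth, injection, cloud config, AI/LLM, mobile, and more
 4. Write fixes directly into your code for every finding it can remediate
 5. Generate a SHA-256 attested report at `.mcp/reports/{runId}.attestation.json`
 
@@ -463,7 +424,7 @@ jobs:
 
 ### What the CI Gate Checks
 
-The gate runs **18 checks in parallel** against your diff:
+The gate runs **24 check modules in parallel** against your diff:
 
 | Category | What It Catches |
 | --- | --- |
@@ -486,6 +447,10 @@ The gate runs **18 checks in parallel** against your diff:
 | **AI red-team** | Static + optional dynamic probes against AI endpoints |
 | **Exceptions** | Validates any active security exceptions are non-expired and properly approved |
 | **Baseline regression** | Detects when previously-satisfied controls go missing (BASELINE_REGRESSION HIGH finding injected on regression) |
+| **Deep injection** | 42 patterns — XXE, SSTI (Java/PHP), SpEL/OGNL, prototype pollution, second-order injection, NoSQL/MongoDB/Redis/LDAP/XPath injection, JNDI/Log4Shell, CRLF, WebSocket injection, CSS injection, SSE-CRLF, PDF injection, HTTP response splitting, unsafe YAML, deserialization (pickle/Java), path traversal, log injection, SSRF, command injection, ReDoS, SQL/ORM (Prisma/Sequelize/Knex/TypeORM), and more |
+| **Deep auth** | 43 patterns — JWT alg confusion/kid injection/JWKS override, session fixation, OAuth state/redirect_uri/PKCE/client secret, hardcoded JWT secret, rate limit, plaintext compare, SAML signature, cookie flags, token rotation, HS/RS confusion, API key in URL, reset expiry/single-use, admin route without authz, timing oracle, account enumeration, session token in URL, low-entropy token, bcrypt cost factor, and more |
+| **Supply chain deep** | 32 patterns — keyloggers, reverse shells, destructive commands, credential exfiltration, env variable theft, malicious postinstall scripts, dynamic require(), base64-obfuscated exec, cryptomining, sensitive file reads, unpinned dependencies, hidden file writes, DNS exfiltration, clipboard monitoring, obfuscated DOM injection, and more |
+| **Business logic** | 31 patterns — IDOR without ownership check, mass assignment, race conditions, integer overflow, currency confusion, discount stacking, order fulfillment bypass, webhook replay, tax/shipping tamper, client-side total, referral abuse, email normalization, feature flag bypass, API version bypass, double-spend, free trial abuse, pagination abuse, and more |
 
 ### Customize the Gate Policy
 
@@ -652,15 +617,18 @@ app.use(helmet({
 ┌──────────────────────────────────────────────────────────────┐
 │ Policy Gate Engine (src/gate/policy.ts) │
 │ │
-18 checks run in parallel: │
+28 checks run in parallel: │
 │ checkSecrets checkDependencies checkApi checkInfra │
 │ checkCrypto checkMobileIos checkMobileAndroid │
 │ checkAi checkGraphQL checkKubernetes │
 │ checkDatabase checkDlp checkWebNextjs │
-│ runSbomChecks runAiRedteamChecks runRuntimeChecks ...
+│ runSbomChecks runAiRedteamChecks runRuntimeChecks
+│ runCiPipelineChecks runDockerChecks runScanners │
+│ checkInjectionDeep (42 patterns) checkAuthDeep (43 patterns)│
+│ checkSupplyChainDeep (32) checkBusinessLogic (31) │
 │ │
 │ Surface detection -> Control catalog -> Exception handling -> │
-│ Confidence scoring -> PASS / FAIL
+Coverage manifest -> Taint map -> Confidence scoring -> PASS / FAIL
 └──────────────────────────────────────────────────────────────┘
 ```
 
@@ -684,10 +652,17 @@ User: /senior-security-engineer
 └── STRIDE + PASTA + ATT&CK template for changed surface
 
 
+§0 Coverage Completeness Protocol (runs first)
+├── enumerate ALL source files → coverage-manifest.json
+├── taint-trace every user-controlled input → taint-map.json
+├── negative assertion per attack class: "FILES: N/N | RESULT: CLEAN"
+└── fix verification loop: re-run check after every fix, confirm CLEAN
+
+
 security.run_pr_gate(runId, mode, targets)
 ├── git diff / glob targets -> changed files list
 ├── detectSurfaces() -> web? api? infra? mobile? ai?
-├── 18 checks in parallel
+├── 28 checks in parallel (incl. deep injection + deep auth)
 ├── apply exceptions from .mcp/exceptions/
 ├── compute confidence score
 └── returns PASS/FAIL + findings[]
@@ -695,6 +670,8 @@ User: /senior-security-engineer
 
 Claude writes inline fixes for every finding
 (production-ready secure code, not suggestions)
+Every HIGH/CRITICAL: FIXED with verified-clean re-run,
+OR formally blocked with risk-acceptance record
 
 
 security.attest_review(runId)
@@ -853,7 +830,7 @@ Your AI uses these automatically. You don't call them directly, but understandin
 | Tool | What It Does |
 | --- | --- |
 | `security.start_review` | Starts a stateful review run; returns `runId` used to track all subsequent steps and produce the final attestation |
-| `security.run_pr_gate` | Runs 18 security checks in parallel; returns PASS/FAIL, findings with severity, and required actions |
+| `security.run_pr_gate` | Runs 20 security checks in parallel; returns PASS/FAIL, findings with severity, and required actions |
 | `security.threat_model` | Generates a STRIDE + PASTA + ATT&CK threat model template for a specific feature or surface |
 | `security.checklist` | Returns the pre-release security checklist, optionally filtered by surface (web / api / mobile / ai / infra / payments) |
 | `security.scan_strategy` | Builds an exhaustive scan plan mapping every check to OWASP, NIST, ATT&CK, and compliance controls |
@@ -997,6 +974,8 @@ Edit `.mcp/exceptions/security-exceptions.json`:
 | `SECURITY_GATE_EXCEPTIONS` | `.mcp/exceptions/security-exceptions.json` | Path to exceptions file (must be within project directory) |
 | `SECURITY_GATE_MODE` | `full` | Set to `file_by_file` for scoped per-file scanning |
 | `SECURITY_GATE_TARGETS` | (all changed files) | Comma-separated file paths to restrict the scan surface |
+| `SECURITY_MCP_SHARED_SECRET` | (none) | Authenticates MCP tool callers via constant-time HMAC; enables 3-strike lockout. Generate with `openssl rand -hex 32` |
+| `SECURITY_POLICY_HMAC_KEY` | (none) | Signs the policy file so any tampering is detected at gate startup. Generate with `openssl rand -hex 32` |
 
 ### Integrations (all optional)
 
@@ -1060,7 +1039,7 @@ ls ~/.claude/skills/senior-security-engineer/SKILL.md
 
 **Fix:**
 
-1. Check the config file was written (see editor-specific paths in [Manual Configuration](#manual-configuration-any-mcp-editor))
+1. Check the config file was written (see editor-specific paths in [Installation](#installation))
 2. Fully restart the editor (quit and reopen, not just reload window)
 3. Check Node.js version: `node --version` - must be 20 or higher
 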
@@ -20,6 +20,25 @@
20
20
  { "id": "ai_rag_authz", "description": "RAG retrieval enforces authorization — documents filtered by user permissions", "critical": true },
21
21
  { "id": "ai_no_pii_in_prompts", "description": "No PII, credentials, or secrets in prompt templates", "critical": true },
22
22
  { "id": "ai_fallback_handling", "description": "Model failures handled gracefully — no sensitive error details exposed to users", "critical": false },
23
- { "id": "ai_owasp_llm_top10", "description": "OWASP LLM Top 10 controls reviewed and addressed for this AI surface", "critical": true }
23
+ { "id": "ai_owasp_llm_top10", "description": "OWASP LLM Top 10 controls reviewed and addressed for this AI surface", "critical": true },
24
+ { "id": "ai_context_session_isolation", "description": "Per-user session context is strictly isolated — no cross-user context bleed in multi-tenant deployments; conversation history scoped to authenticated user ID", "critical": true },
25
+ { "id": "ai_adversarial_probe_multi_turn", "description": "Multi-turn adversarial probing complete: role-play escapes, many-shot jailbreaks, encoded payloads (base64, l33tspeak), goal hijacking across conversation resets — all documented with pass/fail", "critical": true },
26
+ { "id": "ai_tool_sandboxing", "description": "AI agent tool execution sandboxed — filesystem, network, and shell access granted only via explicit allowlist; no ambient authority; each tool call requires declared capability", "critical": true },
27
+ { "id": "ai_model_supply_chain", "description": "AI model provider and version verified — model hash or digest pinned in configuration; shadow model substitution would be detected; provider SLA and security posture documented", "critical": false },
28
+ { "id": "ai_output_length_limit", "description": "Model output length limits enforced at the API layer; unbounded generation that could exhaust context or enable token flooding is blocked; streaming responses have an abort timeout", "critical": true },
29
+ { "id": "ai_indirect_injection_external", "title": "External content ingestion paths sanitize fetched content before LLM context injection", "severity": "critical", "automated": true },
30
+ { "id": "ai_markdown_exfil", "title": "LLM output stripped of markdown images and external links before rendering to clients", "severity": "critical", "automated": true },
31
+ { "id": "ai_memory_poisoning", "title": "Long-term memory writes validated; read-back treated as untrusted input with injection guards", "severity": "critical", "automated": true },
32
+ { "id": "ai_rag_corpus_poisoning", "title": "Documents ingested into vector store pass content validation and injection scanning before upsert", "severity": "high", "automated": true },
33
+ { "id": "ai_token_smuggling", "title": "User prompt inputs stripped of zero-width Unicode, invisible characters, and homoglyphs before processing", "severity": "high", "automated": true },
34
+ { "id": "ai_privilege_escalation", "title": "Agent tool list frozen at session initialization — no runtime tool registration permitted", "severity": "critical", "automated": true },
35
+ { "id": "ai_llm_judge_manipulation", "title": "LLM-as-judge evaluation pipelines use static server-controlled scoring criteria isolated from user input", "severity": "high", "automated": true },
36
+ { "id": "ai_idor_tool_calls", "title": "Agentic tool calls that accept resource IDs enforce per-request authorization before accessing the resource", "severity": "critical", "automated": true },
37
+ { "id": "ai_context_stuffing", "title": "Application enforces maximum input token budget per request before dispatching to LLM API", "severity": "high", "automated": true },
38
+ { "id": "ai_multimodal_injection", "title": "Multimodal inputs (images, PDFs, audio) passed to vision/multimodal LLMs scanned for embedded injection payloads", "severity": "critical", "automated": true },
39
+ { "id": "ai_vector_filter_bypass", "title": "Vector store tenant isolation uses mandatory hard filters (must/AND) not optional soft filters (should/OR)", "severity": "high", "automated": true },
40
+ { "id": "ai_stream_chunk_validation", "title": "Streaming LLM response chunks validated against expected SSE schema before forwarding", "severity": "high", "automated": true },
41
+ { "id": "ai_generated_code_audit_trail", "title": "Every execution of AI-generated code, SQL, or shell commands produces an audit log entry", "severity": "high", "automated": true },
42
+ { "id": "ai_embedding_inversion", "title": "Raw embedding vectors never exposed in API responses, logs, or client storage", "severity": "medium", "automated": true }
24
43
  ]
25
44
  }
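Review bot: The added entries switch record shape partway through the array: `ai_context_session_isolation` through `ai_output_length_limit` follow the pre-existing `description`/`critical` form, while `ai_indirect_injection_external` onward use `title`/`severity`/`automated`, so one checklist array now carries two schemas. Any consumer that renders `description` or gates on `critical` (the only keys the pre-existing entries expose) would presumably show the later items as blank and treat them as non-critical, silently weakening the gate — worth confirming against whatever backs `security.checklist`. Normalise the new items to the existing keys, e.g. `{ "id": "ai_markdown_exfil", "description": "LLM output stripped of markdown images and external links before rendering to clients", "critical": true }`, or add the new keys to every entry so the file has a single shape. Separately, `ai_tool_sandboxing` and `ai_privilege_escalation` both constrain the agent tool surface (allowlisted capabilities vs. frozen tool list); a short cross-reference in each description would stop a reviewer from satisfying one while leaving the other unanswered.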
@@ -22,6 +22,40 @@
22
22
  { "id": "api_secrets_scan", "description": "Secrets scan clean — no hardcoded credentials or API keys", "critical": true },
23
23
  { "id": "api_sast_pass", "description": "SAST scan passed with no CRITICAL findings", "critical": true },
24
24
  { "id": "api_threat_model", "description": "Threat model completed and reviewed for this API surface change", "critical": true },
25
- { "id": "api_health_endpoint", "description": "Health/readiness endpoints do not expose sensitive version or config info", "critical": false }
25
+ { "id": "api_health_endpoint", "description": "Health/readiness endpoints do not expose sensitive version or config info", "critical": false },
26
+ { "id": "api_graphql_introspection", "description": "GraphQL introspection disabled in production; query depth limit ≤ 10 and complexity budget enforced to prevent resource exhaustion", "critical": true },
27
+ { "id": "api_idempotency_replay", "description": "Financial and state-changing endpoints protected against replay via idempotency keys or HMAC-timestamped signatures with a time-bound window ≤ 5 minutes", "critical": true },
28
+ { "id": "api_command_injection", "description": "No user-controlled input passed to child_process.exec, execSync, spawn with shell:true, or any shell interpreter — allowlisted command templates only", "critical": true },
29
+ { "id": "api_file_upload_validation", "description": "File upload endpoints enforce MIME type server-side (not by extension), max file size, extension allowlist, and malware scanning; files stored outside web root", "critical": true },
30
+ { "id": "api_timing_safe_equality", "description": "All sensitive equality checks (tokens, reset codes, HMAC digests, API keys) use crypto.timingSafeEqual — no string ===, indexOf, or includes comparisons", "critical": true },
31
+ { "id": "api_second_order_injection", "title": "Second-order injection prevention reviewed — data retrieved from DB never passed unsanitized to SQL/template/shell sinks", "severity": "critical", "automated": true },
32
+ { "id": "api_spel_ognl_injection", "title": "SpEL/OGNL/MVEL expression parsers do not evaluate user-controlled input", "severity": "critical", "automated": true },
33
+ { "id": "api_pickle_marshal_deserialization", "title": "Python pickle.loads/Marshal.load/PHP unserialize never called on user-supplied data", "severity": "critical", "automated": true },
34
+ { "id": "api_java_deserialization", "title": "Java ObjectInputStream.readObject/XStream/Kryo deserialization never used with untrusted data", "severity": "critical", "automated": true },
35
+ { "id": "api_elasticsearch_injection", "title": "Elasticsearch query_string and script.source do not include user input", "severity": "high", "automated": true },
36
+ { "id": "api_websocket_message_injection", "title": "WebSocket message handlers validate all incoming data before passing to sinks", "severity": "high", "automated": true },
37
+ { "id": "api_grpc_protobuf_validation", "title": "gRPC/Protobuf endpoints validate all message fields after deserialization", "severity": "high", "automated": true },
38
+ { "id": "api_nosql_field_injection", "title": "MongoDB query field values validated as scalar types — $gt/$regex stripped from user input", "severity": "high", "automated": true },
39
+ { "id": "api_http_response_splitting", "title": "HTTP response splitting prevented — writeHead/headers.set never include user CRLF sequences", "severity": "high", "automated": true },
40
+ { "id": "api_document_injection", "title": "PDF/Office document generation libraries sanitize user input — no formula injection (=CMD, =DDE)", "severity": "high", "automated": true },
41
+ { "id": "api_bracket_notation_pollution", "title": "Dynamic property assignment using user-controlled keys forbidden — bracket notation obj[userKey] validated", "severity": "high", "automated": true },
42
+ { "id": "api_jwt_kid_injection", "title": "JWT kid header sanitised before DB lookup or filesystem access", "severity": "critical", "automated": true },
43
+ { "id": "api_jwt_jwks_uri_pinned", "title": "JWKS URI pinned to static allowlist — token-supplied jwks_uri not followed", "severity": "critical", "automated": true },
44
+ { "id": "api_oauth_client_secret_hardcoded", "title": "OAuth client_secret not hardcoded in client-side code — public clients use PKCE only", "severity": "critical", "automated": true },
45
+ { "id": "api_session_token_in_url", "title": "Session identifiers never transmitted in URL query parameters", "severity": "high", "automated": true },
46
+ { "id": "api_token_entropy", "title": "Session and reset tokens generated with ≥ 16 bytes (128 bits) of cryptographic randomness", "severity": "high", "automated": true },
47
+ { "id": "api_remember_me_rotation", "title": "Persistent remember-me tokens rotated on each use, stored hashed server-side, hard-expired ≤ 30 days", "severity": "high", "automated": true },
48
+ { "id": "api_password_reset_single_use", "title": "Password reset tokens deleted or nullified immediately after first use", "severity": "high", "automated": true },
49
+ { "id": "api_account_enumeration", "title": "Login and password-reset endpoints return identical responses for invalid user vs. invalid credential", "severity": "medium", "automated": true },
50
+ { "id": "api_bcrypt_cost_factor", "title": "bcrypt cost factor ≥ 12 for all password hashing operations", "severity": "high", "automated": true },
51
+ { "id": "api_zero_iv", "title": "No all-zero or zero-filled IVs used in cipher operations — IVs generated with crypto.randomBytes", "severity": "critical", "automated": true },
52
+ { "id": "api_rsa_key_size", "title": "RSA key generation uses ≥ 2048 bits — no sub-2048 key sizes", "severity": "critical", "automated": true },
53
+ { "id": "api_dh_params", "title": "Diffie-Hellman parameters ≥ 2048 bits — no weak DH groups (modp1/2/5)", "severity": "high", "automated": true },
54
+ { "id": "api_forward_secrecy", "title": "TLS cipher suites require ECDHE or DHE — forward secrecy enforced", "severity": "high", "automated": true },
55
+ { "id": "api_graphql_resolver_injection", "title": "GraphQL resolver arguments never concatenated into raw SQL/NoSQL queries", "severity": "critical", "automated": true },
56
+ { "id": "api_graphql_batching", "title": "GraphQL alias count limited per request (≤ 15) — batching-based enumeration and DoS prevented", "severity": "high", "automated": true },
57
+ { "id": "api_sse_injection", "title": "Server-Sent Events streams strip \\r\\n from user-controlled data before writing", "severity": "high", "automated": true },
58
+ { "id": "api_oauth_referer_leakage", "title": "Referrer-Policy: no-referrer set on pages that receive OAuth tokens; tokens not in URL query params", "severity": "high", "automated": true },
59
+ { "id": "api_pagination_bounds", "title": "Pagination parameters (limit, offset, page) validated with minimum 1, maximum cap, non-negative enforcement", "severity": "medium", "automated": true }
26
60
  ]
27
61
  }
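Review bot: The `api_timing_safe_equality` wording prescribes `crypto.timingSafeEqual` without the caveat that it throws when the two buffers differ in length, which turns a length mismatch into an exception path and, for variable-length secrets, a length oracle; suggest appending `— compare fixed-length digests (e.g. SHA-256/HMAC of both values) or length-check first so a length difference neither throws nor leaks`. The hunk also changes record shape midway: `api_graphql_introspection` through `api_timing_safe_equality` use `description`/`critical` like the pre-existing entries, whereas `api_second_order_injection` onward use `title`/`severity`/`automated`, so a consumer reading `critical` would presumably never see `critical: true` on those entries even where `severity` is `critical`. Normalise to the existing keys, e.g. `{ "id": "api_jwt_kid_injection", "description": "JWT kid header sanitized before DB lookup or filesystem access", "critical": true }`. Minor: `api_jwt_kid_injection` spells `sanitised` while the sibling checklists use `sanitize`.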
@@ -22,6 +22,39 @@
22
22
  { "id": "infra_provenance", "description": "SLSA provenance attestation generated for release artifacts", "critical": false },
23
23
  { "id": "infra_threat_model", "description": "Threat model completed and reviewed for this infrastructure change", "critical": true },
24
24
  { "id": "infra_zero_trust", "description": "Zero Trust controls applied — explicit authentication for all service-to-service calls", "critical": true },
25
- { "id": "infra_ddos_protection", "description": "DDoS protection enabled for public-facing load balancers", "critical": false }
25
+ { "id": "infra_ddos_protection", "description": "DDoS protection enabled for public-facing load balancers", "critical": false },
26
+ { "id": "infra_imdsv2_enforced", "description": "IMDSv2 enforced on all EC2/cloud instances (hop limit 1, token required); SSRF to 169.254.169.254 blocked at network layer — prevents cloud metadata credential theft", "critical": true },
27
+ { "id": "infra_egress_filtering", "description": "Egress network filtering restricts outbound connections to known-good destinations; unexpected outbound traffic triggers alerts within 15 minutes", "critical": true },
28
+ { "id": "infra_pod_security_standards", "description": "Kubernetes pods run with Restricted security context: runAsNonRoot, readOnlyRootFilesystem, allowPrivilegeEscalation:false, seccomp profile enforced", "critical": true },
29
+ { "id": "infra_secret_rotation", "description": "All secrets and credentials have automated rotation policy with maximum rotation interval documented and enforced; rotation failures trigger immediate alerts", "critical": true },
30
+ { "id": "infra_runtime_threat_detection", "description": "Runtime threat detection enabled (Falco, GuardDuty, Defender for Cloud, or equivalent) on all compute; anomalies generate alerts within 15 minutes with documented runbook", "critical": false },
31
+ { "id": "infra_imdsv1_accessible", "title": "IMDSv1 disabled — http_tokens=required enforced on all EC2 instances", "severity": "critical", "automated": true },
32
+ { "id": "infra_lambda_url_no_auth", "title": "Lambda function URLs not configured with AuthType NONE", "severity": "critical", "automated": true },
33
+ { "id": "infra_ecr_scan_on_push", "title": "ECR repositories have scan-on-push enabled", "severity": "high", "automated": true },
34
+ { "id": "infra_ecs_host_network", "title": "ECS tasks do not use host network mode", "severity": "high", "automated": true },
35
+ { "id": "infra_cloudtrail_multiregion", "title": "CloudTrail configured as multi-region trail", "severity": "high", "automated": true },
36
+ { "id": "infra_s3_access_logging", "title": "S3 server access logging enabled on all sensitive buckets", "severity": "medium", "automated": true },
37
+ { "id": "infra_vpc_flow_logs", "title": "VPC flow logs enabled", "severity": "medium", "automated": true },
38
+ { "id": "infra_cross_account_external_id", "title": "Cross-account IAM trust policies include sts:ExternalId condition", "severity": "high", "automated": true },
39
+ { "id": "infra_gcp_default_service_account", "title": "GCP instances do not use the default Compute Engine service account", "severity": "high", "automated": true },
40
+ { "id": "infra_gcp_project_ssh_keys", "title": "No GCP project-level SSH keys configured", "severity": "medium", "automated": true },
41
+ { "id": "infra_gcp_external_ip", "title": "GCP compute instances without external IPs unless required", "severity": "medium", "automated": true },
42
+ { "id": "infra_azure_public_network_access", "title": "Azure resources do not have public_network_access_enabled=true unless required", "severity": "high", "automated": true },
43
+ { "id": "infra_deletion_protection", "title": "All databases and stateful resources have deletion_protection=true", "severity": "high", "automated": true },
44
+ { "id": "infra_vpc_endpoint_s3_ecr", "title": "VPC endpoints configured for S3/ECR — service traffic does not route over public internet", "severity": "medium", "automated": true },
45
+ { "id": "infra_guardduty_enabled", "title": "AWS GuardDuty enabled in all regions", "severity": "high", "automated": true },
46
+ { "id": "infra_security_hub_enabled", "title": "AWS Security Hub enabled for centralized findings aggregation", "severity": "medium", "automated": true },
47
+ { "id": "k8s_run_as_root", "title": "Kubernetes containers do not run as root (runAsUser: 0)", "severity": "high", "automated": true },
48
+ { "id": "k8s_capabilities_not_dropped", "title": "Container capabilities fully dropped (capabilities.drop: [ALL])", "severity": "high", "automated": true },
49
+ { "id": "k8s_nodeport_exposure", "title": "No NodePort services exposing sensitive internal services", "severity": "medium", "automated": true },
50
+ { "id": "k8s_tiller_helm_v2", "title": "Helm v2 Tiller not deployed in cluster", "severity": "critical", "automated": true },
51
+ { "id": "k8s_docker_socket_mount", "title": "Docker socket not mounted inside any Kubernetes pod", "severity": "critical", "automated": true },
52
+ { "id": "k8s_api_anonymous_auth", "title": "Kubernetes API server anonymous-auth disabled", "severity": "critical", "automated": true },
53
+ { "id": "k8s_mtls_not_strict", "title": "Istio/Linkerd PeerAuthentication enforces STRICT mTLS mode", "severity": "high", "automated": true },
54
+ { "id": "docker_no_user_directive", "title": "All Dockerfiles include USER directive — containers do not run as root", "severity": "high", "automated": true },
55
+ { "id": "docker_add_url_no_integrity", "title": "Dockerfiles do not use ADD with remote URLs without integrity verification", "severity": "high", "automated": true },
56
+ { "id": "docker_secrets_in_env", "title": "No secrets in Dockerfile ENV instructions", "severity": "critical", "automated": true },
57
+ { "id": "docker_privileged_flag", "title": "No containers started with --privileged or privileged:true", "severity": "critical", "automated": true },
58
+ { "id": "docker_socket_mount", "title": "Docker socket not mounted into any container", "severity": "critical", "automated": true }
26
59
  ]
27
60
  }
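Review bot: Several added controls duplicate one another under different ids, which lets a reviewer tick one and leave the other unanswered: `infra_imdsv1_accessible` restates `infra_imdsv2_enforced`, `docker_socket_mount` restates `k8s_docker_socket_mount`, and `k8s_run_as_root`/`k8s_capabilities_not_dropped` are already covered by `infra_pod_security_standards`. Keep one entry per control (or point the narrower one at the broader one in its text), and align ids with their titles — `infra_imdsv1_accessible` and `k8s_mtls_not_strict` are named for the failure state while their titles describe the required state, unlike every other `infra_*` id in the file. The hunk also mixes two record shapes (`description`/`critical` for the first five additions, `title`/`severity`/`automated` for the rest), so whatever consumes `critical` would presumably miss the later items; normalise to the existing keys, e.g. `{ "id": "k8s_api_anonymous_auth", "description": "Kubernetes API server anonymous-auth disabled", "critical": true }`. Whether the `security.checklist` surface filter keys on file or on id prefix is not visible here; if it is the prefix, the `k8s_*`/`docker_*` entries would be dropped from the `infra` view and should be renamed `infra_k8s_*`/`infra_docker_*`.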