security-mcp 1.1.4 → 1.3.1

Files changed (129) hide show
  1. package/README.md +116 -264
  2. package/defaults/checklists/ai.json +20 -1
  3. package/defaults/checklists/api.json +35 -1
  4. package/defaults/checklists/infra.json +34 -1
  5. package/defaults/checklists/mobile.json +23 -1
  6. package/defaults/checklists/payments.json +15 -1
  7. package/defaults/checklists/web.json +11 -1
  8. package/defaults/security-policy.json +2 -2
  9. package/dist/cli/index.js +0 -0
  10. package/dist/gate/baseline.js +82 -7
  11. package/dist/gate/catalog.js +10 -2
  12. package/dist/gate/checks/ai.js +757 -39
  13. package/dist/gate/checks/auth-deep.js +920 -216
  14. package/dist/gate/checks/business-logic.js +751 -0
  15. package/dist/gate/checks/ci-pipeline.js +399 -4
  16. package/dist/gate/checks/crypto.js +423 -2
  17. package/dist/gate/checks/dependencies.js +571 -15
  18. package/dist/gate/checks/graphql.js +201 -19
  19. package/dist/gate/checks/infra.js +246 -1
  20. package/dist/gate/checks/injection-deep.js +827 -184
  21. package/dist/gate/checks/k8s.js +114 -1
  22. package/dist/gate/checks/mobile-android.js +917 -3
  23. package/dist/gate/checks/mobile-ios.js +797 -5
  24. package/dist/gate/checks/required-artifacts.js +194 -0
  25. package/dist/gate/checks/runtime.js +178 -0
  26. package/dist/gate/checks/secrets.js +244 -13
  27. package/dist/gate/checks/supply-chain-deep.js +787 -0
  28. package/dist/gate/checks/web-nextjs.js +572 -48
  29. package/dist/gate/diff.js +17 -5
  30. package/dist/gate/evidence.js +8 -1
  31. package/dist/gate/exceptions.js +131 -9
  32. package/dist/gate/policy.js +280 -131
  33. package/dist/mcp/audit-chain.js +122 -28
  34. package/dist/mcp/auth.js +169 -0
  35. package/dist/mcp/learning.js +129 -4
  36. package/dist/mcp/model-router.js +158 -21
  37. package/dist/mcp/orchestration.js +186 -51
  38. package/dist/mcp/server.js +337 -53
  39. package/dist/repo/fs.js +24 -1
  40. package/dist/repo/search.js +31 -6
  41. package/dist/review/store.js +52 -1
  42. package/package.json +7 -7
  43. package/skills/_TEMPLATE/SKILL.md +99 -0
  44. package/skills/advanced-dos-tester/SKILL.md +109 -0
  45. package/skills/agentic-loop-exploiter/SKILL.md +368 -0
  46. package/skills/ai-llm-redteam/SKILL.md +104 -0
  47. package/skills/ai-model-supply-chain-agent/SKILL.md +103 -0
  48. package/skills/algorithm-implementation-reviewer/SKILL.md +98 -0
  49. package/skills/android-penetration-tester/SKILL.md +455 -46
  50. package/skills/anti-replay-tester/SKILL.md +106 -0
  51. package/skills/appsec-code-auditor/SKILL.md +85 -0
  52. package/skills/artifact-integrity-analyst/SKILL.md +441 -0
  53. package/skills/attack-navigator/SKILL.md +467 -8
  54. package/skills/auth-session-hacker/SKILL.md +102 -0
  55. package/skills/aws-penetration-tester/SKILL.md +456 -0
  56. package/skills/azure-penetration-tester/SKILL.md +490 -3
  57. package/skills/binary-auth-validator/SKILL.md +111 -0
  58. package/skills/bot-detection-specialist/SKILL.md +109 -0
  59. package/skills/business-logic-attacker/SKILL.md +231 -0
  60. package/skills/capec-code-mapper/SKILL.md +84 -0
  61. package/skills/cert-pin-rotation-specialist/SKILL.md +112 -0
  62. package/skills/cicd-pipeline-hijacker/SKILL.md +405 -0
  63. package/skills/ciso-orchestrator/SKILL.md +454 -43
  64. package/skills/cloud-infra-specialist/SKILL.md +118 -0
  65. package/skills/compliance-gap-analyst/SKILL.md +422 -0
  66. package/skills/compliance-grc/SKILL.md +85 -0
  67. package/skills/compliance-lifecycle-tracker/SKILL.md +84 -0
  68. package/skills/credential-stuffing-specialist/SKILL.md +102 -0
  69. package/skills/crypto-pki-specialist/SKILL.md +87 -0
  70. package/skills/csa-ccm-mapper/SKILL.md +84 -0
  71. package/skills/csf2-governance-mapper/SKILL.md +84 -0
  72. package/skills/deep-link-fuzzer/SKILL.md +109 -0
  73. package/skills/dependency-confusion-attacker/SKILL.md +415 -0
  74. package/skills/device-integrity-aggregator/SKILL.md +108 -0
  75. package/skills/dos-resilience-tester/SKILL.md +97 -0
  76. package/skills/dread-scorer/SKILL.md +84 -0
  77. package/skills/egress-policy-enforcer/SKILL.md +99 -0
  78. package/skills/evidence-collector/SKILL.md +98 -0
  79. package/skills/file-upload-attacker/SKILL.md +109 -0
  80. package/skills/gcp-penetration-tester/SKILL.md +459 -2
  81. package/skills/git-history-secret-scanner/SKILL.md +106 -0
  82. package/skills/iam-privesc-graph-builder/SKILL.md +152 -0
  83. package/skills/incident-responder/SKILL.md +111 -0
  84. package/skills/injection-specialist/SKILL.md +102 -0
  85. package/skills/ios-security-auditor/SKILL.md +282 -0
  86. package/skills/json-ambiguity-tester/SKILL.md +0 -0
  87. package/skills/k8s-container-escaper/SKILL.md +384 -0
  88. package/skills/key-management-lifecycle-analyst/SKILL.md +98 -0
  89. package/skills/kill-switch-engineer/SKILL.md +102 -0
  90. package/skills/linddun-privacy-analyst/SKILL.md +102 -0
  91. package/skills/logic-race-fuzzer/SKILL.md +443 -0
  92. package/skills/mobile-api-network-attacker/SKILL.md +421 -0
  93. package/skills/mobile-binary-hardener/SKILL.md +102 -0
  94. package/skills/mobile-security-specialist/SKILL.md +85 -0
  95. package/skills/mobile-webview-auditor/SKILL.md +96 -0
  96. package/skills/model-extraction-attacker/SKILL.md +219 -0
  97. package/skills/multipart-abuse-tester/SKILL.md +84 -0
  98. package/skills/oauth-pkce-specialist/SKILL.md +104 -0
  99. package/skills/parser-exhaustion-tester/SKILL.md +142 -0
  100. package/skills/pentest-infra/SKILL.md +98 -0
  101. package/skills/pentest-social/SKILL.md +201 -0
  102. package/skills/pentest-team/SKILL.md +87 -0
  103. package/skills/pentest-web-api/SKILL.md +98 -0
  104. package/skills/privacy-flow-analyst/SKILL.md +234 -0
  105. package/skills/prompt-injection-specialist/SKILL.md +394 -0
  106. package/skills/quantum-migration-planner/SKILL.md +96 -0
  107. package/skills/rag-poisoning-specialist/SKILL.md +358 -0
  108. package/skills/registry-mirror-enforcer/SKILL.md +84 -0
  109. package/skills/rotation-validation-agent/SKILL.md +112 -0
  110. package/skills/samm-assessor/SKILL.md +85 -0
  111. package/skills/secrets-mask-bypass-tester/SKILL.md +100 -0
  112. package/skills/senior-security-engineer/SKILL.md +167 -0
  113. package/skills/serialization-memory-attacker/SKILL.md +332 -0
  114. package/skills/session-timeout-tester/SKILL.md +161 -0
  115. package/skills/slsa-level3-enforcer/SKILL.md +112 -0
  116. package/skills/slsa-provenance-enforcer/SKILL.md +102 -0
  117. package/skills/ssrf-detection-validator/SKILL.md +108 -0
  118. package/skills/step-up-auth-enforcer/SKILL.md +84 -0
  119. package/skills/stride-pasta-analyst/SKILL.md +420 -0
  120. package/skills/supply-chain-devsecops/SKILL.md +98 -0
  121. package/skills/threat-infrastructure-analyst/SKILL.md +84 -0
  122. package/skills/threat-modeler/SKILL.md +85 -0
  123. package/skills/tls-certificate-auditor/SKILL.md +573 -18
  124. package/skills/token-reuse-detector/SKILL.md +95 -0
  125. package/skills/trike-risk-modeler/SKILL.md +84 -0
  126. package/skills/unicode-homograph-tester/SKILL.md +84 -0
  127. package/skills/waf-rule-lifecycle-agent/SKILL.md +97 -0
  128. package/skills/webhook-security-tester/SKILL.md +102 -0
  129. package/skills/zero-trust-architect/SKILL.md +109 -0
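--- a/package/README.md
+++ b/package/README.md
@@ -17,17 +17,12 @@ Works with **Claude Code, GitHub Copilot, Cursor, Codex, Replit**, and any MCP-c
 
 ## Table of Contents
 
-- [What's New in 1.1.4](#whats-new-in-114)
+- [What's New in v1.3.0](#whats-new-in-v130)
 - [What Problem Does This Solve?](#what-problem-does-this-solve)
 - [Who Is This For?](#who-is-this-for)
 - [Two Modes - Pick Your Depth](#two-modes---pick-your-depth)
 - [Quick Start - Install in 60 Seconds](#quick-start---install-in-60-seconds)
-- [Step-by-Step Installation Guide](#step-by-step-installation-guide)
-- [Claude Code](#step-by-step-claude-code)
-- [Cursor](#step-by-step-cursor)
-- [VS Code / GitHub Copilot](#step-by-step-vs-code--github-copilot)
-- [Windsurf](#step-by-step-windsurf)
-- [Manual Configuration](#manual-configuration-any-mcp-editor)
+- [Installation](#installation)
 - [Verify Your Installation](#verify-your-installation)
 - [How to Run Your First Security Review](#how-to-run-your-first-security-review)
 - [CI/CD Security Gate](#cicd-security-gate)
@@ -43,54 +38,114 @@ Works with **Claude Code, GitHub Copilot, Cursor, Codex, Replit**, and any MCP-c
 
 ---
 
-## What's New in 1.1.4
+## What's New in v1.3.0
 
-### 20 Checks (up from 18) - Deep Injection + Deep Auth Modules
+v1.3.0 delivers **104 new blindspot detection checks** across 7 threat domains, discovered by running a full 8-agent CISO Orchestrator pass followed by an adversarial pentest verification round. It also closes 5 critical security vulnerabilities in the gate engine itself.
 
-Two new deep-check modules run automatically for web and API surfaces:
+### 42 Deep Injection Patterns (was 15)
 
-**`checkInjectionDeep`** 11 new patterns: XXE (CWE-611), SSTI (CWE-94), prototype pollution (CWE-1321), open redirect (CWE-601), NoSQL operator injection (CWE-943), CRLF injection (CWE-113), unsafe YAML load (CWE-502), unsafe deserialization, path traversal (CWE-22), log injection (CWE-117), SSRF (CWE-918).
+`checkInjectionDeep` now covers 42 detection patterns:
 
-**`checkAuthDeep`** 12 new patterns: JWT algorithm confusion / `alg:none` (CWE-327), session fixation (CWE-384), OAuth missing state parameter (CWE-352), OAuth `redirect_uri` open redirect (CWE-601), PKCE not enforced (RFC 7636), hardcoded JWT secret (CWE-798), missing rate limit on auth endpoints (CWE-307), plaintext password comparison (CWE-256), SAML signature validation disabled (CWE-347), insecure cookie flags (CWE-1004/614), refresh token not rotated (CWE-613), JWT HS/RS confusion (CVE-2015-9235 pattern).
+| Added in v1.3.0 | ATT&CK | What It Catches |
+| --- | --- | --- |
+| **SSTI (Java/PHP)** | T1059 | FreeMarker, Thymeleaf, Velocity, Twig, Smarty template injection |
+| **SpEL / OGNL injection** | T1059 | Spring Expression Language and OGNL via user-controlled string eval |
+| **Pickle / Java deserialization** | T1059.001 | Unsafe `pickle.loads`, `ObjectInputStream`, `readObject` on untrusted data |
+| **Second-order injection** | T1059 | Data stored to DB then later executed — two-pass file-correlation check |
+| **CSS injection** | T1059 | User content reflected inside `<style>` or `style=` without sanitization |
+| **Elasticsearch injection** | T1059 | Dynamic query construction in Elasticsearch DSL with user input |
+| **WebSocket injection** | T1059 | User-controlled data in `ws.send()` without validation |
+| **SSE-CRLF** | T1059 | CRLF in Server-Sent Events `data:` field hijacking the SSE stream |
+| **PDF / document injection** | T1059 | User input in PDF field generation without escaping |
+| **HTTP response splitting** | T1059 | CRLF in HTTP header values |
+| **Bracket-notation prototype pollution** | T1203 | `obj[key] = value` with user-controlled keys |
+
+Plus all original patterns: XXE, SSTI multiline, LDAP, XPath, JNDI/Log4Shell, MongoDB `$where`, prototype pollution, CRLF, unsafe YAML, deserialization, path traversal, log injection, SSRF, command injection, ReDoS, SQL/ORM (Prisma, Sequelize, Knex, TypeORM), Redis `EVAL`, HTTP header injection.
 
-### Coverage Completeness Protocol (§0)
+### 43 Deep Auth Patterns (was 16)
 
-Every security review now runs a mandatory 5-step protocol before reporting any result:
+`checkAuthDeep` now covers 43 detection patterns:
 
-1. **Complete file inventory** — enumerate all source files into `coverage-manifest.json`; no attack class can be called CLEAN without checking every file.
-2. **Taint tracking** trace every user-controlled input (`req.body`, `req.query`, WebSocket, env, file uploads, external API responses) to all downstream sinks, classifying each SAFE / UNSAFE / UNRESOLVED.
-3. **Negative assertions** after each attack class: `ATTACK CLASS: {name} | FILES: N/N | PATTERNS: {list} | RESULT: CLEAN`.
-4. **Fix verification loop** after every fix, re-run the triggering check and confirm it no longer fires before advancing.
-5. **All-or-nothing mandate** every HIGH/CRITICAL finding is either FIXED (verified clean) or BLOCKED (risk-accepted, gate failing, remediation plan written to `deferred-fixes.json`).
+| Added in v1.3.0 | CWE | What It Catches |
+| --- | --- | --- |
+| **JWT `kid` injection** | CWE-20 | `kid` header used as file path or SQL expression for key material |
+| **JWKS URI override** | CWE-20 | Attacker-controlled `jku` / `x5u` headers pointing to external key stores |
+| **OAuth client secret in repo** | CWE-798 | `client_secret` literals or env defaults checked into source |
+| **Session token in URL** | CWE-598 | Session IDs in query parameters — logged by every proxy |
+| **Low-entropy token** | CWE-330 | Token / secret generated with `Math.random()` or timestamp-seeded RNG |
+| **Remember-me no rotation** | CWE-613 | Persistent login tokens never rotated on use |
+| **Password reset single-use** | CWE-640 | Reset tokens reusable after initial redemption |
+| **Account enumeration** | CWE-204 | Different error messages for valid vs. invalid usernames |
+| **Bcrypt cost factor** | CWE-916 | `bcrypt.hash(pw, N)` where N < 12 |
+
+Plus all original patterns: JWT alg:none/HS-RS confusion, session fixation, OAuth state/redirect_uri/PKCE, hardcoded JWT secret, rate limit on auth, plaintext password compare, SAML signature bypass, insecure cookie flags, refresh token rotation, API key in URL, reset token expiry, admin route without authz, timing oracle.
+
+### 31 Business Logic Patterns (was 8)
+
+`checkBusinessLogic` now catches 31 patterns including 13 new e-commerce and payment abuse vectors:
+
+- **Currency confusion** — mixed-currency arithmetic without normalization
+- **Discount stacking** — coupon codes combined with promotions without stack limits
+- **Order fulfillment bypass** — status transitions that skip required payment/verification steps
+- **Webhook timestamp** — missing replay-window check on webhook signature verification
+- **Tax / shipping parameter tamper** — client-supplied tax and shipping totals accepted server-side
+- **Client-side total** — final order amount derived from a browser-supplied value
+- **Referral abuse** — self-referral detection absent from referral credit logic
+- **Email normalization** — `user+tag@domain.com` not normalized when enforcing unique accounts
+- **Feature flag bypass** — feature flags controllable via client-supplied headers or query params
+- **API version bypass** — security controls on v2 routes not enforced on legacy v1 endpoints
+- **Double-spend payment** — concurrent payment requests without idempotency key enforcement
+- **Free trial abuse** — trial period enforced only by client-supplied start date
+- **Pagination abuse** — unlimited page size parameter enabling full-table data dump
+
+### 32 Supply Chain Deep Patterns (was 16)
+
+`checkSupplyChainDeep` now covers 32 patterns. New additions detect obfuscated payloads, malicious package scripts, and exfiltration channels that bypass standard SAST tools — including keyloggers, reverse shells, cryptomining signatures, DNS exfiltration, clipboard monitoring, and more.
+
+### Critical Security Fixes
+
+| ID | Severity | Fix |
+| --- | --- | --- |
+| **VULN-001** | CRITICAL | Dead multiline regex in `checkSecondOrderInjection` silently nulled the entire injection-deep module — replaced with two-pass file-correlation |
+| **VULN-002** | HIGH | Symlink traversal in `policy.ts` glob calls — `followSymbolicLinks: false` enforced |
+| **VULN-003** | HIGH | Evidence previews leaked secret values — `redactSecrets()` added to `search.ts` |
+| **AUTH-OBO-01** | HIGH | Lockout off-by-one in `auth.ts` allowed 4 attempts instead of 3 |
+| **META-01/03/04** | MEDIUM | Prompt injection vectors in MCP server — `_notice` framing and `sanitizePromptParam()` added |
 
-### Enhanced Threat Model Template
+### Also in v1.2.1
 
-The `security.threat_model` tool now generates a more complete template including LINDDUN privacy threat analysis (Linking, Identifying, Non-repudiation, Detecting, Data Disclosure, Unawareness, Non-compliance), TRIKE risk matrix (actor-action-asset-risk), DREAD scoring, attack trees for the top 3 critical paths, adversary profiles mapped to ATT&CK techniques, and supply chain threat enumeration.
+- OWASP Top 10 now **10/10 covered** A09 (Security Logging and Monitoring Failures) fully completed
+- NIST AU-11 / PCI Req 10 log retention detection added to `checkAuthDeep`
+- ISO 42001 §9.1 routing decision audit log added to model router
+- `runScanners` (gitleaks / semgrep / trivy / checkov / osv-scanner) wired into the gate — was implemented but never called since v1.0; now active check 27
 
-### Expanded Release Checklists
+### Also in v1.2.0
 
-All domain-specific release checklists now include:
+- **Secrets** — dotfiles glob, base64/hex decode pre-pass, 10 new token formats (Vercel, PlanetScale, Databricks, Linear, Railway, npmrc, HuggingFace, ARM, Twilio), gitleaks history scan, split-string heuristic
+- **Injection** — SQL/ORM detection (Prisma `$queryRaw`, Sequelize, Knex, TypeORM), JNDI/Log4Shell, LDAP, XPath, Redis `EVAL`, ReDoS static catastrophic-backtracking patterns
+- **Cryptography** — AES-CBC-without-HMAC (+ split-string evasion fix), GCM nonce reuse and timestamp IV, RSA PKCS#1v1.5, SHA-256-as-password-hash, hardcoded PBKDF2 salt, `rejectUnauthorized: false`, weak TLS min version
+- **Checklists** — all 6 surface checklists updated with `automated: true` entries for every new check ID
 
-- **OAuth/OIDC** PKCE with S256, state/nonce verification, exact-match `redirect_uri`, code reuse prevention, audience validation
-- **Business Logic** — idempotency keys on payment mutations, negative input validation, race condition testing for balance/quota/inventory
-- **Serialization/Injection** — XXE, SSTI, unsafe YAML, deserialization, prototype pollution, open redirect, CRLF in every checklist
-- **AI/LLM** — system prompt extraction resistance, multi-turn attack chains, multimodal injection, agentic tool allowlist, AML.T0054/T0057 mitigations
-- **Payments (PCI DSS 4.0)** — PAN masking, DOM mutation monitoring, EMV 3DS 2.2+, Magecart prevention (SRI on checkout pages)
-- **Observability Gate** (new) — anomaly detection baselines, SLO definitions for security events, alert fatigue review, runbook coverage
+### MCP Caller Authentication
 
-### Windsurf Support
+Protect the MCP server channel against rogue processes that obtain stdio access:
 
-The installer now detects and configures Windsurf (`~/.windsurf/mcp.json`) automatically alongside Claude Code, Cursor, and VS Code.
+```bash
+export SECURITY_MCP_SHARED_SECRET="$(openssl rand -hex 32)"
+```
 
-### `doctor` Command
+When set, every tool call is blocked until the AI agent calls `security.authenticate` with the matching token. Uses constant-time HMAC comparison (CWE-208), 3-strike lockout, and minimum 16-byte secret enforcement. Backwards-compatible — when unset, all tools are immediately available.
 
-Verify your installation health at any time:
+### Policy HMAC Integrity Signing
+
+Prevent tampered policy files from silently disabling severity blocking:
 
 ```bash
-npx -y security-mcp@latest doctor
+export SECURITY_POLICY_HMAC_KEY="$(openssl rand -hex 32)"
+npx security-mcp sign-policy
 ```
 
-Checks Node.js version, editor configs, and skill filesprints PASS/FAIL per check with actionable fix commands.
+When set, the gate rejects any policy file whose HMAC sidecar (`.hmac`) does not match making it impossible to quietly change `severity_block: ["HIGH","CRITICAL"]` to `[]` without detection.
 
 ---
 
@@ -174,208 +229,32 @@ For a full 39-agent deep audit:
 
 ---
 
-## Step-by-Step Installation Guide
-
-### Step-by-Step: Claude Code
+## Installation
 
-**Prerequisite:** Node.js 20+ installed. Check with `node --version`.
+> **Prerequisite:** Node.js 20+. Check with `node --version`.
 
-**Step 1 - Run the installer:**
-
-```bash
-npx -y security-mcp@latest install --claude-code
-```
-
-This writes the MCP server config to `~/.claude/settings.json`.
-
-**Step 2 - Verify the config was written:**
-
-```bash
-cat ~/.claude/settings.json
-```
-
-You should see:
-
-```json
-{
-"mcpServers": {
-"security-mcp": {
-"command": "npx",
-"args": ["-y", "security-mcp@latest", "serve"]
-}
-}
-}
-```
-
-**Step 3 - Restart Claude Code** to pick up the new MCP server.
-
-**Step 4 - Verify the tools loaded.** In Claude Code, run:
-
-```text
-/mcp
-```
-
-You should see `security-mcp` listed as a connected server with `security.*`, `orchestration.*`, and `repo.*` tools available.
-
-**Step 5 - Run your first security review:**
-
-```text
-/senior-security-engineer
-```
-
-The agent will ask:
-
-- **A) Recent changes** - scans only what changed since your last commit (fastest, use daily)
-- **B) Full codebase** - scans everything (use for new projects or after major changes)
-- **C) Specific files or folders** - scans exactly what you specify
-
-Pick one and let it run.
-
----
-
-### Step-by-Step: Cursor
-
-**Step 1 - Run the installer:**
-
-```bash
-npx -y security-mcp@latest install --cursor
-```
-
-This writes to `~/.cursor/mcp.json`.
-
-**Step 2 - Verify:**
-
-```bash
-cat ~/.cursor/mcp.json
-```
-
-Expected output:
-
-```json
-{
-"mcpServers": {
-"security-mcp": {
-"command": "npx",
-"args": ["-y", "security-mcp@latest", "serve"]
-}
-}
-}
-```
-
-**Step 3 - Restart Cursor.**
-
-**Step 4 - Open Cursor's MCP panel** (Settings -> MCP) and confirm `security-mcp` shows as connected.
-
-**Step 5 - In the Cursor AI chat, type:**
-
-```text
-Use /senior-security-engineer to review my recent changes
-```
-
----
-
-### Step-by-Step: VS Code / GitHub Copilot
-
-**Step 1 - Run the installer:**
-
-```bash
-npx -y security-mcp@latest install --vscode
-```
-
-This writes to your VS Code user `settings.json`.
-
-**Step 2 - Verify in VS Code:**
-
-Open Command Palette (`Cmd+Shift+P` / `Ctrl+Shift+P`) -> `Preferences: Open User Settings (JSON)`.
-
-You should see:
-
-```json
-{
-"mcp.servers": {
-"security-mcp": {
-"command": "npx",
-"args": ["-y", "security-mcp@latest", "serve"]
-}
-}
-}
-```
-
-**Step 3 - Restart VS Code.**
-
-**Step 4 - In GitHub Copilot Chat, type:**
-
-```text
-@security-mcp run /senior-security-engineer on recent changes
-```
-
----
-
-### Step-by-Step: Windsurf
-
-**Step 1 - Run the installer:**
+### One Command — Auto-detects Your Editor
 
 ```bash
 npx -y security-mcp@latest install
 ```
 
-This auto-detects Windsurf and writes to `~/.windsurf/mcp.json`.
-
-**Step 2 - Verify:**
-
-```bash
-cat ~/.windsurf/mcp.json
-```
-
-Expected output:
-
-```json
-{
-"mcpServers": {
-"security-mcp": {
-"command": "npx",
-"args": ["-y", "security-mcp@latest", "serve"]
-}
-}
-}
-```
-
-**Step 3 - Restart Windsurf.**
+The installer detects Claude Code, Cursor, VS Code, and Windsurf automatically and writes the config to the correct location. Restart your editor when it finishes, then type `/senior-security-engineer`.
 
-**Step 4 - In the Windsurf AI chat, type:**
-
-```text
-Use /senior-security-engineer to review my recent changes
-```
-
----
-
-### Manual Configuration (Any MCP Editor)
-
-If the installer doesn't detect your editor, or you prefer to configure manually:
-
-**Step 1 - Print the config snippet:**
+### Install for a Specific Editor
 
 ```bash
-npx -y security-mcp@latest config
+npx -y security-mcp@latest install --claude-code # ~/.claude/settings.json
+npx -y security-mcp@latest install --cursor # ~/.cursor/mcp.json
+npx -y security-mcp@latest install --vscode # VS Code user settings.json
+npx -y security-mcp@latest install --windsurf # ~/.windsurf/mcp.json
 ```
 
-**Step 2 - Copy the output** and paste it into your editor's MCP configuration file.
+### Manual Config (Any MCP-Compatible Editor)
 
-**Claude Code** (`~/.claude/settings.json`):
-
-```json
-{
-"mcpServers": {
-"security-mcp": {
-"command": "npx",
-"args": ["-y", "security-mcp@latest", "serve"]
-}
-}
-}
-```
+Add this to your editor's MCP server config and restart:
 
-**Cursor** (`~/.cursor/mcp.json`):
+**Claude Code** (`~/.claude/settings.json`) · **Cursor** (`~/.cursor/mcp.json`) · **Windsurf** (`~/.windsurf/mcp.json`):
 
 ```json
 {
@@ -388,7 +267,7 @@ npx -y security-mcp@latest config
 }
 ```
 
-**VS Code / GitHub Copilot** (`settings.json`):
+**VS Code / GitHub Copilot** (user `settings.json`):
 
 ```json
 {
@@ -401,39 +280,6 @@ npx -y security-mcp@latest config
 }
 ```
 
-**Windsurf / Codex / Replit** - use the same `command`/`args` format your editor supports for MCP servers.
-
-**Step 3 - Restart your editor** after saving the config.
-
----
-
-### Global Install (Optional)
-
-If you want the `security-mcp` binary available system-wide without `npx`:
-
-```bash
-npm install -g security-mcp@latest
-security-mcp install-global
-```
-
-Then you can use:
-
-```bash
-security-mcp install-global --claude-code
-security-mcp install-global --cursor
-security-mcp install-global --vscode
-```
-
----
-
-### Preview Without Writing Anything
-
-To see what the installer would do without making any changes:
-
-```bash
-npx -y security-mcp@latest install --dry-run
-```
-
 ---
 
 ## Verify Your Installation
@@ -578,7 +424,7 @@ jobs:
 
 ### What the CI Gate Checks
 
-The gate runs **20 checks in parallel** against your diff:
+The gate runs **24 check modules in parallel** against your diff:
 
 | Category | What It Catches |
 | --- | --- |
@@ -601,8 +447,10 @@ The gate runs **20 checks in parallel** against your diff:
 | **AI red-team** | Static + optional dynamic probes against AI endpoints |
 | **Exceptions** | Validates any active security exceptions are non-expired and properly approved |
 | **Baseline regression** | Detects when previously-satisfied controls go missing (BASELINE_REGRESSION HIGH finding injected on regression) |
-| **Deep injection** | XXE, SSTI, prototype pollution, open redirect, NoSQL operator injection, CRLF, unsafe YAML load, deserialization, path traversal, log injection, SSRF (11 new patterns) |
-| **Deep auth** | JWT algorithm confusion, session fixation, OAuth missing state, OAuth open redirect_uri, PKCE not enforced, hardcoded JWT secret, missing rate limit on auth endpoints, plaintext password compare, SAML signature disabled, insecure cookie flags, refresh token not rotated, JWT HS/RS confusion (12 new patterns) |
+| **Deep injection** | 42 patterns — XXE, SSTI (Java/PHP), SpEL/OGNL, prototype pollution, second-order injection, NoSQL/MongoDB/Redis/LDAP/XPath injection, JNDI/Log4Shell, CRLF, WebSocket injection, CSS injection, SSE-CRLF, PDF injection, HTTP response splitting, unsafe YAML, deserialization (pickle/Java), path traversal, log injection, SSRF, command injection, ReDoS, SQL/ORM (Prisma/Sequelize/Knex/TypeORM), and more |
+| **Deep auth** | 43 patterns — JWT alg confusion/kid injection/JWKS override, session fixation, OAuth state/redirect_uri/PKCE/client secret, hardcoded JWT secret, rate limit, plaintext compare, SAML signature, cookie flags, token rotation, HS/RS confusion, API key in URL, reset expiry/single-use, admin route without authz, timing oracle, account enumeration, session token in URL, low-entropy token, bcrypt cost factor, and more |
+| **Supply chain deep** | 32 patterns — keyloggers, reverse shells, destructive commands, credential exfiltration, env variable theft, malicious postinstall scripts, dynamic require(), base64-obfuscated exec, cryptomining, sensitive file reads, unpinned dependencies, hidden file writes, DNS exfiltration, clipboard monitoring, obfuscated DOM injection, and more |
+| **Business logic** | 31 patterns — IDOR without ownership check, mass assignment, race conditions, integer overflow, currency confusion, discount stacking, order fulfillment bypass, webhook replay, tax/shipping tamper, client-side total, referral abuse, email normalization, feature flag bypass, API version bypass, double-spend, free trial abuse, pagination abuse, and more |
 
 ### Customize the Gate Policy
 
@@ -769,13 +617,15 @@ app.use(helmet({
 ┌──────────────────────────────────────────────────────────────┐
 │ Policy Gate Engine (src/gate/policy.ts) │
 │ │
-20 checks run in parallel: │
+28 checks run in parallel: │
 │ checkSecrets checkDependencies checkApi checkInfra │
 │ checkCrypto checkMobileIos checkMobileAndroid │
 │ checkAi checkGraphQL checkKubernetes │
 │ checkDatabase checkDlp checkWebNextjs │
 │ runSbomChecks runAiRedteamChecks runRuntimeChecks │
-checkInjectionDeep (11 patterns) checkAuthDeep (12 patterns)
+runCiPipelineChecks runDockerChecks runScanners
+│ checkInjectionDeep (42 patterns) checkAuthDeep (43 patterns)│
+│ checkSupplyChainDeep (32) checkBusinessLogic (31) │
 │ │
 │ Surface detection -> Control catalog -> Exception handling -> │
 │ Coverage manifest -> Taint map -> Confidence scoring -> PASS / FAIL │
@@ -812,7 +662,7 @@ User: /senior-security-engineer
 security.run_pr_gate(runId, mode, targets)
 ├── git diff / glob targets -> changed files list
 ├── detectSurfaces() -> web? api? infra? mobile? ai?
-├── 20 checks in parallel (incl. deep injection + deep auth)
+├── 28 checks in parallel (incl. deep injection + deep auth)
 ├── apply exceptions from .mcp/exceptions/
 ├── compute confidence score
 └── returns PASS/FAIL + findings[]
@@ -1124,6 +974,8 @@ Edit `.mcp/exceptions/security-exceptions.json`:
 | `SECURITY_GATE_EXCEPTIONS` | `.mcp/exceptions/security-exceptions.json` | Path to exceptions file (must be within project directory) |
 | `SECURITY_GATE_MODE` | `full` | Set to `file_by_file` for scoped per-file scanning |
 | `SECURITY_GATE_TARGETS` | (all changed files) | Comma-separated file paths to restrict the scan surface |
+| `SECURITY_MCP_SHARED_SECRET` | (none) | Authenticates MCP tool callers via constant-time HMAC; enables 3-strike lockout. Generate with `openssl rand -hex 32` |
+| `SECURITY_POLICY_HMAC_KEY` | (none) | Signs the policy file so any tampering is detected at gate startup. Generate with `openssl rand -hex 32` |
 
 ### Integrations (all optional)
 
@@ -1187,7 +1039,7 @@ ls ~/.claude/skills/senior-security-engineer/SKILL.md
 
 **Fix:**
 
-1. Check the config file was written (see editor-specific paths in [Manual Configuration](#manual-configuration-any-mcp-editor))
+1. Check the config file was written (see editor-specific paths in [Installation](#installation))
 2. Fully restart the editor (quit and reopen, not just reload window)
 3. Check Node.js version: `node --version` - must be 20 or higher
 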
@@ -20,6 +20,25 @@
20
20
  { "id": "ai_rag_authz", "description": "RAG retrieval enforces authorization — documents filtered by user permissions", "critical": true },
21
21
  { "id": "ai_no_pii_in_prompts", "description": "No PII, credentials, or secrets in prompt templates", "critical": true },
22
22
  { "id": "ai_fallback_handling", "description": "Model failures handled gracefully — no sensitive error details exposed to users", "critical": false },
23
- { "id": "ai_owasp_llm_top10", "description": "OWASP LLM Top 10 controls reviewed and addressed for this AI surface", "critical": true }
23
+ { "id": "ai_owasp_llm_top10", "description": "OWASP LLM Top 10 controls reviewed and addressed for this AI surface", "critical": true },
24
+ { "id": "ai_context_session_isolation", "description": "Per-user session context is strictly isolated — no cross-user context bleed in multi-tenant deployments; conversation history scoped to authenticated user ID", "critical": true },
25
+ { "id": "ai_adversarial_probe_multi_turn", "description": "Multi-turn adversarial probing complete: role-play escapes, many-shot jailbreaks, encoded payloads (base64, l33tspeak), goal hijacking across conversation resets — all documented with pass/fail", "critical": true },
26
+ { "id": "ai_tool_sandboxing", "description": "AI agent tool execution sandboxed — filesystem, network, and shell access granted only via explicit allowlist; no ambient authority; each tool call requires declared capability", "critical": true },
27
+ { "id": "ai_model_supply_chain", "description": "AI model provider and version verified — model hash or digest pinned in configuration; shadow model substitution would be detected; provider SLA and security posture documented", "critical": false },
28
+ { "id": "ai_output_length_limit", "description": "Model output length limits enforced at the API layer; unbounded generation that could exhaust context or enable token flooding is blocked; streaming responses have an abort timeout", "critical": true },
29
+ { "id": "ai_indirect_injection_external", "title": "External content ingestion paths sanitize fetched content before LLM context injection", "severity": "critical", "automated": true },
30
+ { "id": "ai_markdown_exfil", "title": "LLM output stripped of markdown images and external links before rendering to clients", "severity": "critical", "automated": true },
31
+ { "id": "ai_memory_poisoning", "title": "Long-term memory writes validated; read-back treated as untrusted input with injection guards", "severity": "critical", "automated": true },
32
+ { "id": "ai_rag_corpus_poisoning", "title": "Documents ingested into vector store pass content validation and injection scanning before upsert", "severity": "high", "automated": true },
33
+ { "id": "ai_token_smuggling", "title": "User prompt inputs stripped of zero-width Unicode, invisible characters, and homoglyphs before processing", "severity": "high", "automated": true },
34
+ { "id": "ai_privilege_escalation", "title": "Agent tool list frozen at session initialization — no runtime tool registration permitted", "severity": "critical", "automated": true },
35
+ { "id": "ai_llm_judge_manipulation", "title": "LLM-as-judge evaluation pipelines use static server-controlled scoring criteria isolated from user input", "severity": "high", "automated": true },
36
+ { "id": "ai_idor_tool_calls", "title": "Agentic tool calls that accept resource IDs enforce per-request authorization before accessing the resource", "severity": "critical", "automated": true },
37
+ { "id": "ai_context_stuffing", "title": "Application enforces maximum input token budget per request before dispatching to LLM API", "severity": "high", "automated": true },
38
+ { "id": "ai_multimodal_injection", "title": "Multimodal inputs (images, PDFs, audio) passed to vision/multimodal LLMs scanned for embedded injection payloads", "severity": "critical", "automated": true },
39
+ { "id": "ai_vector_filter_bypass", "title": "Vector store tenant isolation uses mandatory hard filters (must/AND) not optional soft filters (should/OR)", "severity": "high", "automated": true },
40
+ { "id": "ai_stream_chunk_validation", "title": "Streaming LLM response chunks validated against expected SSE schema before forwarding", "severity": "high", "automated": true },
41
+ { "id": "ai_generated_code_audit_trail", "title": "Every execution of AI-generated code, SQL, or shell commands produces an audit log entry", "severity": "high", "automated": true },
42
+ { "id": "ai_embedding_inversion", "title": "Raw embedding vectors never exposed in API responses, logs, or client storage", "severity": "medium", "automated": true }
24
43
  ]
25
44
  }
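Review bot: The entries added to this checklist array use two different record shapes: `ai_context_session_isolation` through `ai_output_length_limit` keep the existing `{ "id", "description", "critical" }` form, while `ai_indirect_injection_external` through `ai_embedding_inversion` switch to `{ "id", "title", "severity", "automated" }`. The loader for these defaults is not in the hunk, but it presumably reads one shape; if it reads `description`/`critical`, each `severity`-style record surfaces with no description and a missing `critical` flag, so a `"severity": "critical"` control would be treated as non-blocking, and the reverse if it reads the new keys. The same mixed shape appears in the api.json hunk (`api_second_order_injection` onward) and the infra.json hunk (`infra_imdsv1_accessible` onward). Either normalize every new record to one shape, e.g. `{ "id": "ai_markdown_exfil", "description": "LLM output stripped of markdown images and external links before rendering to clients", "critical": true }`, or confirm the loader accepts both key sets and document that in the checklist schema.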
@@ -22,6 +22,40 @@
22
22
  { "id": "api_secrets_scan", "description": "Secrets scan clean — no hardcoded credentials or API keys", "critical": true },
23
23
  { "id": "api_sast_pass", "description": "SAST scan passed with no CRITICAL findings", "critical": true },
24
24
  { "id": "api_threat_model", "description": "Threat model completed and reviewed for this API surface change", "critical": true },
25
- { "id": "api_health_endpoint", "description": "Health/readiness endpoints do not expose sensitive version or config info", "critical": false }
25
+ { "id": "api_health_endpoint", "description": "Health/readiness endpoints do not expose sensitive version or config info", "critical": false },
26
+ { "id": "api_graphql_introspection", "description": "GraphQL introspection disabled in production; query depth limit ≤ 10 and complexity budget enforced to prevent resource exhaustion", "critical": true },
27
+ { "id": "api_idempotency_replay", "description": "Financial and state-changing endpoints protected against replay via idempotency keys or HMAC-timestamped signatures with a time-bound window ≤ 5 minutes", "critical": true },
28
+ { "id": "api_command_injection", "description": "No user-controlled input passed to child_process.exec, execSync, spawn with shell:true, or any shell interpreter — allowlisted command templates only", "critical": true },
29
+ { "id": "api_file_upload_validation", "description": "File upload endpoints enforce MIME type server-side (not by extension), max file size, extension allowlist, and malware scanning; files stored outside web root", "critical": true },
30
+ { "id": "api_timing_safe_equality", "description": "All sensitive equality checks (tokens, reset codes, HMAC digests, API keys) use crypto.timingSafeEqual — no string ===, indexOf, or includes comparisons", "critical": true },
31
+ { "id": "api_second_order_injection", "title": "Second-order injection prevention reviewed — data retrieved from DB never passed unsanitized to SQL/template/shell sinks", "severity": "critical", "automated": true },
32
+ { "id": "api_spel_ognl_injection", "title": "SpEL/OGNL/MVEL expression parsers do not evaluate user-controlled input", "severity": "critical", "automated": true },
33
+ { "id": "api_pickle_marshal_deserialization", "title": "Python pickle.loads/Marshal.load/PHP unserialize never called on user-supplied data", "severity": "critical", "automated": true },
34
+ { "id": "api_java_deserialization", "title": "Java ObjectInputStream.readObject/XStream/Kryo deserialization never used with untrusted data", "severity": "critical", "automated": true },
35
+ { "id": "api_elasticsearch_injection", "title": "Elasticsearch query_string and script.source do not include user input", "severity": "high", "automated": true },
36
+ { "id": "api_websocket_message_injection", "title": "WebSocket message handlers validate all incoming data before passing to sinks", "severity": "high", "automated": true },
37
+ { "id": "api_grpc_protobuf_validation", "title": "gRPC/Protobuf endpoints validate all message fields after deserialization", "severity": "high", "automated": true },
38
+ { "id": "api_nosql_field_injection", "title": "MongoDB query field values validated as scalar types — $gt/$regex stripped from user input", "severity": "high", "automated": true },
39
+ { "id": "api_http_response_splitting", "title": "HTTP response splitting prevented — writeHead/headers.set never include user CRLF sequences", "severity": "high", "automated": true },
40
+ { "id": "api_document_injection", "title": "PDF/Office document generation libraries sanitize user input — no formula injection (=CMD, =DDE)", "severity": "high", "automated": true },
41
+ { "id": "api_bracket_notation_pollution", "title": "Dynamic property assignment using user-controlled keys forbidden — bracket notation obj[userKey] validated", "severity": "high", "automated": true },
42
+ { "id": "api_jwt_kid_injection", "title": "JWT kid header sanitised before DB lookup or filesystem access", "severity": "critical", "automated": true },
43
+ { "id": "api_jwt_jwks_uri_pinned", "title": "JWKS URI pinned to static allowlist — token-supplied jwks_uri not followed", "severity": "critical", "automated": true },
44
+ { "id": "api_oauth_client_secret_hardcoded", "title": "OAuth client_secret not hardcoded in client-side code — public clients use PKCE only", "severity": "critical", "automated": true },
45
+ { "id": "api_session_token_in_url", "title": "Session identifiers never transmitted in URL query parameters", "severity": "high", "automated": true },
46
+ { "id": "api_token_entropy", "title": "Session and reset tokens generated with ≥ 16 bytes (128 bits) of cryptographic randomness", "severity": "high", "automated": true },
47
+ { "id": "api_remember_me_rotation", "title": "Persistent remember-me tokens rotated on each use, stored hashed server-side, hard-expired ≤ 30 days", "severity": "high", "automated": true },
48
+ { "id": "api_password_reset_single_use", "title": "Password reset tokens deleted or nullified immediately after first use", "severity": "high", "automated": true },
49
+ { "id": "api_account_enumeration", "title": "Login and password-reset endpoints return identical responses for invalid user vs. invalid credential", "severity": "medium", "automated": true },
50
+ { "id": "api_bcrypt_cost_factor", "title": "bcrypt cost factor ≥ 12 for all password hashing operations", "severity": "high", "automated": true },
51
+ { "id": "api_zero_iv", "title": "No all-zero or zero-filled IVs used in cipher operations — IVs generated with crypto.randomBytes", "severity": "critical", "automated": true },
52
+ { "id": "api_rsa_key_size", "title": "RSA key generation uses ≥ 2048 bits — no sub-2048 key sizes", "severity": "critical", "automated": true },
53
+ { "id": "api_dh_params", "title": "Diffie-Hellman parameters ≥ 2048 bits — no weak DH groups (modp1/2/5)", "severity": "high", "automated": true },
54
+ { "id": "api_forward_secrecy", "title": "TLS cipher suites require ECDHE or DHE — forward secrecy enforced", "severity": "high", "automated": true },
55
+ { "id": "api_graphql_resolver_injection", "title": "GraphQL resolver arguments never concatenated into raw SQL/NoSQL queries", "severity": "critical", "automated": true },
56
+ { "id": "api_graphql_batching", "title": "GraphQL alias count limited per request (≤ 15) — batching-based enumeration and DoS prevented", "severity": "high", "automated": true },
57
+ { "id": "api_sse_injection", "title": "Server-Sent Events streams strip \\r\\n from user-controlled data before writing", "severity": "high", "automated": true },
58
+ { "id": "api_oauth_referer_leakage", "title": "Referrer-Policy: no-referrer set on pages that receive OAuth tokens; tokens not in URL query params", "severity": "high", "automated": true },
59
+ { "id": "api_pagination_bounds", "title": "Pagination parameters (limit, offset, page) validated with minimum 1, maximum cap, non-negative enforcement", "severity": "medium", "automated": true }
26
60
  ]
27
61
  }
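Review bot: `api_timing_safe_equality` prescribes `crypto.timingSafeEqual` as the only acceptable comparison, but that function throws when the two buffers differ in length, so code that passes a user-supplied token straight in alongside the stored value will either crash the handler or give the caller a length oracle — exactly the class of leak the control is meant to close. The description should state the precondition, e.g. `"description": "All sensitive equality checks (tokens, reset codes, HMAC digests, API keys) use crypto.timingSafeEqual on equal-length inputs — compare fixed-length digests of both values or reject on length mismatch first; no string ===, indexOf, or includes comparisons"`. The automated pattern for this control (not in this hunk) should likewise not treat a bare `timingSafeEqual` call as a pass.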
@@ -22,6 +22,39 @@
22
22
  { "id": "infra_provenance", "description": "SLSA provenance attestation generated for release artifacts", "critical": false },
23
23
  { "id": "infra_threat_model", "description": "Threat model completed and reviewed for this infrastructure change", "critical": true },
24
24
  { "id": "infra_zero_trust", "description": "Zero Trust controls applied — explicit authentication for all service-to-service calls", "critical": true },
25
- { "id": "infra_ddos_protection", "description": "DDoS protection enabled for public-facing load balancers", "critical": false }
25
+ { "id": "infra_ddos_protection", "description": "DDoS protection enabled for public-facing load balancers", "critical": false },
26
+ { "id": "infra_imdsv2_enforced", "description": "IMDSv2 enforced on all EC2/cloud instances (hop limit 1, token required); SSRF to 169.254.169.254 blocked at network layer — prevents cloud metadata credential theft", "critical": true },
27
+ { "id": "infra_egress_filtering", "description": "Egress network filtering restricts outbound connections to known-good destinations; unexpected outbound traffic triggers alerts within 15 minutes", "critical": true },
28
+ { "id": "infra_pod_security_standards", "description": "Kubernetes pods run with Restricted security context: runAsNonRoot, readOnlyRootFilesystem, allowPrivilegeEscalation:false, seccomp profile enforced", "critical": true },
29
+ { "id": "infra_secret_rotation", "description": "All secrets and credentials have automated rotation policy with maximum rotation interval documented and enforced; rotation failures trigger immediate alerts", "critical": true },
30
+ { "id": "infra_runtime_threat_detection", "description": "Runtime threat detection enabled (Falco, GuardDuty, Defender for Cloud, or equivalent) on all compute; anomalies generate alerts within 15 minutes with documented runbook", "critical": false },
31
+ { "id": "infra_imdsv1_accessible", "title": "IMDSv1 disabled — http_tokens=required enforced on all EC2 instances", "severity": "critical", "automated": true },
32
+ { "id": "infra_lambda_url_no_auth", "title": "Lambda function URLs not configured with AuthType NONE", "severity": "critical", "automated": true },
33
+ { "id": "infra_ecr_scan_on_push", "title": "ECR repositories have scan-on-push enabled", "severity": "high", "automated": true },
34
+ { "id": "infra_ecs_host_network", "title": "ECS tasks do not use host network mode", "severity": "high", "automated": true },
35
+ { "id": "infra_cloudtrail_multiregion", "title": "CloudTrail configured as multi-region trail", "severity": "high", "automated": true },
36
+ { "id": "infra_s3_access_logging", "title": "S3 server access logging enabled on all sensitive buckets", "severity": "medium", "automated": true },
37
+ { "id": "infra_vpc_flow_logs", "title": "VPC flow logs enabled", "severity": "medium", "automated": true },
38
+ { "id": "infra_cross_account_external_id", "title": "Cross-account IAM trust policies include sts:ExternalId condition", "severity": "high", "automated": true },
39
+ { "id": "infra_gcp_default_service_account", "title": "GCP instances do not use the default Compute Engine service account", "severity": "high", "automated": true },
40
+ { "id": "infra_gcp_project_ssh_keys", "title": "No GCP project-level SSH keys configured", "severity": "medium", "automated": true },
41
+ { "id": "infra_gcp_external_ip", "title": "GCP compute instances without external IPs unless required", "severity": "medium", "automated": true },
42
+ { "id": "infra_azure_public_network_access", "title": "Azure resources do not have public_network_access_enabled=true unless required", "severity": "high", "automated": true },
43
+ { "id": "infra_deletion_protection", "title": "All databases and stateful resources have deletion_protection=true", "severity": "high", "automated": true },
44
+ { "id": "infra_vpc_endpoint_s3_ecr", "title": "VPC endpoints configured for S3/ECR — service traffic does not route over public internet", "severity": "medium", "automated": true },
45
+ { "id": "infra_guardduty_enabled", "title": "AWS GuardDuty enabled in all regions", "severity": "high", "automated": true },
46
+ { "id": "infra_security_hub_enabled", "title": "AWS Security Hub enabled for centralized findings aggregation", "severity": "medium", "automated": true },
47
+ { "id": "k8s_run_as_root", "title": "Kubernetes containers do not run as root (runAsUser: 0)", "severity": "high", "automated": true },
48
+ { "id": "k8s_capabilities_not_dropped", "title": "Container capabilities fully dropped (capabilities.drop: [ALL])", "severity": "high", "automated": true },
49
+ { "id": "k8s_nodeport_exposure", "title": "No NodePort services exposing sensitive internal services", "severity": "medium", "automated": true },
50
+ { "id": "k8s_tiller_helm_v2", "title": "Helm v2 Tiller not deployed in cluster", "severity": "critical", "automated": true },
51
+ { "id": "k8s_docker_socket_mount", "title": "Docker socket not mounted inside any Kubernetes pod", "severity": "critical", "automated": true },
52
+ { "id": "k8s_api_anonymous_auth", "title": "Kubernetes API server anonymous-auth disabled", "severity": "critical", "automated": true },
53
+ { "id": "k8s_mtls_not_strict", "title": "Istio/Linkerd PeerAuthentication enforces STRICT mTLS mode", "severity": "high", "automated": true },
54
+ { "id": "docker_no_user_directive", "title": "All Dockerfiles include USER directive — containers do not run as root", "severity": "high", "automated": true },
55
+ { "id": "docker_add_url_no_integrity", "title": "Dockerfiles do not use ADD with remote URLs without integrity verification", "severity": "high", "automated": true },
56
+ { "id": "docker_secrets_in_env", "title": "No secrets in Dockerfile ENV instructions", "severity": "critical", "automated": true },
57
+ { "id": "docker_privileged_flag", "title": "No containers started with --privileged or privileged:true", "severity": "critical", "automated": true },
58
+ { "id": "docker_socket_mount", "title": "Docker socket not mounted into any container", "severity": "critical", "automated": true }
26
59
  ]
27
60
  }
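Review bot: Several new controls duplicate each other within this hunk, which will produce double findings or let the two copies drift: `infra_imdsv1_accessible` ("http_tokens=required enforced") restates `infra_imdsv2_enforced` ("IMDSv2 enforced… token required"), and `docker_socket_mount` restates `k8s_docker_socket_mount`; `k8s_run_as_root` and `k8s_capabilities_not_dropped` also overlap with `infra_pod_security_standards`. Every pre-existing id in this file is prefixed `infra_`, while the new `k8s_*` and `docker_*` ids are not — if the gate maps checklist ids to surfaces or check modules by prefix (not visible here), these entries may never be associated with the infra surface. Suggest merging each duplicate pair into a single record (keeping the stricter `"critical": true` / `"severity": "critical"` rating) and either renaming to `infra_k8s_*` / `infra_docker_*` or moving them to the k8s and docker checklists those ids imply.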