security-mcp 1.1.4 → 1.3.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +341 -1018
- package/defaults/checklists/ai.json +20 -1
- package/defaults/checklists/api.json +35 -1
- package/defaults/checklists/infra.json +34 -1
- package/defaults/checklists/mobile.json +23 -1
- package/defaults/checklists/payments.json +15 -1
- package/defaults/checklists/web.json +11 -1
- package/defaults/cloud-controls/aws.json +10712 -0
- package/defaults/cloud-controls/azure.json +7201 -0
- package/defaults/cloud-controls/gcp.json +4061 -0
- package/defaults/control-catalog.json +24 -0
- package/defaults/security-policy.json +2 -2
- package/dist/ci/pr-gate.js +22 -5
- package/dist/cli/index.js +73 -2
- package/dist/cli/install.js +4 -55
- package/dist/cli/onboarding.js +18 -10
- package/dist/gate/baseline.js +82 -7
- package/dist/gate/catalog.js +10 -2
- package/dist/gate/checks/agentic-instructions.js +515 -0
- package/dist/gate/checks/ai-governance.js +132 -0
- package/dist/gate/checks/ai.js +757 -39
- package/dist/gate/checks/auth-deep.js +920 -216
- package/dist/gate/checks/business-logic.js +751 -0
- package/dist/gate/checks/ci-pipeline.js +399 -4
- package/dist/gate/checks/cloud-controls.js +69 -0
- package/dist/gate/checks/crypto.js +423 -2
- package/dist/gate/checks/data-platform.js +954 -0
- package/dist/gate/checks/dependencies.js +582 -15
- package/dist/gate/checks/docker-deep.js +1236 -0
- package/dist/gate/checks/gitops.js +724 -0
- package/dist/gate/checks/graphql.js +201 -19
- package/dist/gate/checks/iac.js +1230 -0
- package/dist/gate/checks/infra.js +246 -1
- package/dist/gate/checks/injection-deep.js +827 -184
- package/dist/gate/checks/k8s.js +955 -2
- package/dist/gate/checks/mobile-android.js +917 -3
- package/dist/gate/checks/mobile-ios.js +797 -5
- package/dist/gate/checks/required-artifacts.js +194 -0
- package/dist/gate/checks/runtime.js +178 -0
- package/dist/gate/checks/secrets.js +256 -13
- package/dist/gate/checks/supply-chain-deep.js +787 -0
- package/dist/gate/checks/web-nextjs.js +572 -48
- package/dist/gate/cloud-controls/apply.js +115 -0
- package/dist/gate/cloud-controls/bicep.js +36 -0
- package/dist/gate/cloud-controls/cfn.js +125 -0
- package/dist/gate/cloud-controls/detect.js +104 -0
- package/dist/gate/cloud-controls/hcl.js +140 -0
- package/dist/gate/cloud-controls/types.js +87 -0
- package/dist/gate/diff.js +17 -5
- package/dist/gate/evidence.js +8 -1
- package/dist/gate/exceptions.js +202 -9
- package/dist/gate/findings.js +15 -2
- package/dist/gate/policy.js +316 -130
- package/dist/gate/threat-intel.js +6 -0
- package/dist/mcp/audit-chain.js +131 -28
- package/dist/mcp/auth.js +169 -0
- package/dist/mcp/learning.js +129 -4
- package/dist/mcp/model-router.js +161 -24
- package/dist/mcp/orchestration.js +377 -89
- package/dist/mcp/server.js +460 -69
- package/dist/mcp/tool-audit.js +193 -0
- package/dist/repo/fs.js +37 -1
- package/dist/repo/search.js +31 -6
- package/dist/review/store.js +56 -3
- package/dist/tests/run.js +124 -1
- package/package.json +9 -9
- package/skills/_TEMPLATE/SKILL.md +99 -0
- package/skills/advanced-dos-tester/SKILL.md +118 -0
- package/skills/agentic-instruction-auditor/SKILL.md +111 -0
- package/skills/agentic-loop-exploiter/SKILL.md +377 -0
- package/skills/ai-llm-redteam/SKILL.md +113 -0
- package/skills/ai-model-supply-chain-agent/SKILL.md +112 -0
- package/skills/algorithm-implementation-reviewer/SKILL.md +107 -0
- package/skills/android-penetration-tester/SKILL.md +464 -46
- package/skills/anti-replay-tester/SKILL.md +115 -0
- package/skills/appsec-code-auditor/SKILL.md +94 -0
- package/skills/artifact-integrity-analyst/SKILL.md +450 -0
- package/skills/attack-navigator/SKILL.md +476 -8
- package/skills/auth-session-hacker/SKILL.md +111 -0
- package/skills/aws-penetration-tester/SKILL.md +510 -0
- package/skills/azure-penetration-tester/SKILL.md +542 -3
- package/skills/binary-auth-validator/SKILL.md +120 -0
- package/skills/bot-detection-specialist/SKILL.md +118 -0
- package/skills/business-logic-attacker/SKILL.md +240 -0
- package/skills/capec-code-mapper/SKILL.md +93 -0
- package/skills/cert-pin-rotation-specialist/SKILL.md +121 -0
- package/skills/cicd-pipeline-hijacker/SKILL.md +414 -0
- package/skills/ciso-orchestrator/SKILL.md +465 -43
- package/skills/cloud-infra-specialist/SKILL.md +127 -0
- package/skills/compliance-gap-analyst/SKILL.md +431 -0
- package/skills/compliance-grc/SKILL.md +94 -0
- package/skills/compliance-lifecycle-tracker/SKILL.md +93 -0
- package/skills/container-hardening-auditor/SKILL.md +125 -0
- package/skills/credential-stuffing-specialist/SKILL.md +111 -0
- package/skills/crypto-pki-specialist/SKILL.md +96 -0
- package/skills/csa-ccm-mapper/SKILL.md +93 -0
- package/skills/csf2-governance-mapper/SKILL.md +93 -0
- package/skills/data-platform-auditor/SKILL.md +125 -0
- package/skills/deep-link-fuzzer/SKILL.md +118 -0
- package/skills/dependency-confusion-attacker/SKILL.md +424 -0
- package/skills/device-integrity-aggregator/SKILL.md +117 -0
- package/skills/dos-resilience-tester/SKILL.md +106 -0
- package/skills/dread-scorer/SKILL.md +93 -0
- package/skills/egress-policy-enforcer/SKILL.md +108 -0
- package/skills/evidence-collector/SKILL.md +107 -0
- package/skills/file-upload-attacker/SKILL.md +118 -0
- package/skills/gcp-penetration-tester/SKILL.md +510 -2
- package/skills/git-history-secret-scanner/SKILL.md +115 -0
- package/skills/gitops-delivery-auditor/SKILL.md +120 -0
- package/skills/iac-security-auditor/SKILL.md +125 -0
- package/skills/iam-privesc-graph-builder/SKILL.md +161 -0
- package/skills/incident-responder/SKILL.md +120 -0
- package/skills/injection-specialist/SKILL.md +111 -0
- package/skills/ios-security-auditor/SKILL.md +291 -0
- package/skills/json-ambiguity-tester/SKILL.md +145 -0
- package/skills/k8s-container-escaper/SKILL.md +406 -0
- package/skills/key-management-lifecycle-analyst/SKILL.md +107 -0
- package/skills/kill-switch-engineer/SKILL.md +111 -0
- package/skills/linddun-privacy-analyst/SKILL.md +111 -0
- package/skills/logic-race-fuzzer/SKILL.md +452 -0
- package/skills/mobile-api-network-attacker/SKILL.md +430 -0
- package/skills/mobile-binary-hardener/SKILL.md +111 -0
- package/skills/mobile-security-specialist/SKILL.md +94 -0
- package/skills/mobile-webview-auditor/SKILL.md +105 -0
- package/skills/model-extraction-attacker/SKILL.md +228 -0
- package/skills/multipart-abuse-tester/SKILL.md +93 -0
- package/skills/oauth-pkce-specialist/SKILL.md +113 -0
- package/skills/parser-exhaustion-tester/SKILL.md +151 -0
- package/skills/pentest-infra/SKILL.md +107 -0
- package/skills/pentest-social/SKILL.md +210 -0
- package/skills/pentest-team/SKILL.md +96 -0
- package/skills/pentest-web-api/SKILL.md +107 -0
- package/skills/privacy-flow-analyst/SKILL.md +243 -0
- package/skills/prompt-injection-specialist/SKILL.md +403 -0
- package/skills/quantum-migration-planner/SKILL.md +105 -0
- package/skills/rag-poisoning-specialist/SKILL.md +367 -0
- package/skills/registry-mirror-enforcer/SKILL.md +93 -0
- package/skills/rotation-validation-agent/SKILL.md +121 -0
- package/skills/samm-assessor/SKILL.md +94 -0
- package/skills/secrets-mask-bypass-tester/SKILL.md +109 -0
- package/skills/senior-security-engineer/SKILL.md +178 -0
- package/skills/serialization-memory-attacker/SKILL.md +341 -0
- package/skills/session-timeout-tester/SKILL.md +170 -0
- package/skills/slsa-level3-enforcer/SKILL.md +121 -0
- package/skills/slsa-provenance-enforcer/SKILL.md +111 -0
- package/skills/ssrf-detection-validator/SKILL.md +117 -0
- package/skills/step-up-auth-enforcer/SKILL.md +93 -0
- package/skills/stride-pasta-analyst/SKILL.md +429 -0
- package/skills/supply-chain-devsecops/SKILL.md +107 -0
- package/skills/threat-infrastructure-analyst/SKILL.md +93 -0
- package/skills/threat-modeler/SKILL.md +94 -0
- package/skills/tls-certificate-auditor/SKILL.md +582 -18
- package/skills/token-reuse-detector/SKILL.md +104 -0
- package/skills/trike-risk-modeler/SKILL.md +93 -0
- package/skills/unicode-homograph-tester/SKILL.md +93 -0
- package/skills/waf-rule-lifecycle-agent/SKILL.md +106 -0
- package/skills/webhook-security-tester/SKILL.md +111 -0
- package/skills/zero-trust-architect/SKILL.md +118 -0
package/README.md
CHANGED
|
@@ -1,381 +1,288 @@
|
|
|
1
|
-
# security-mcp
|
|
1
|
+
# security-mcp
|
|
2
2
|
|
|
3
3
|
[](https://www.npmjs.com/package/security-mcp)
|
|
4
4
|
[](LICENSE)
|
|
5
5
|
[](https://nodejs.org)
|
|
6
6
|
[](https://github.com/AbrahamOO/security-mcp/actions)
|
|
7
7
|
|
|
8
|
-
|
|
8
|
+
An autonomous application-security engineering layer for AI-assisted development.
|
|
9
9
|
|
|
10
|
-
|
|
10
|
+
security-mcp is a [Model Context Protocol](https://modelcontextprotocol.io) server that turns your AI coding assistant into a security engineer that does the work, not a linter that files tickets. It reads code the way an attacker does, writes the secure fix inline, and enforces a gate in CI so insecure code cannot merge. The operating mandate across the product is the same one a strong security hire would hold: roughly 90% fixing, 10% advisory.
|
|
11
11
|
|
|
12
|
-
|
|
12
|
+
Platform and security teams can standardize their entire AppSec program on it. A solo founder can install it in a minute and ship safer code on day one. No security background is required to benefit, but nothing is dumbed down for the people who have one.
|
|
13
13
|
|
|
14
|
-
|
|
15
|
-
|
|
16
|
-
---
|
|
17
|
-
|
|
18
|
-
## Table of Contents
|
|
19
|
-
|
|
20
|
-
- [What's New in 1.1.4](#whats-new-in-114)
|
|
21
|
-
- [What Problem Does This Solve?](#what-problem-does-this-solve)
|
|
22
|
-
- [Who Is This For?](#who-is-this-for)
|
|
23
|
-
- [Two Modes - Pick Your Depth](#two-modes---pick-your-depth)
|
|
24
|
-
- [Quick Start - Install in 60 Seconds](#quick-start---install-in-60-seconds)
|
|
25
|
-
- [Step-by-Step Installation Guide](#step-by-step-installation-guide)
|
|
26
|
-
- [Claude Code](#step-by-step-claude-code)
|
|
27
|
-
- [Cursor](#step-by-step-cursor)
|
|
28
|
-
- [VS Code / GitHub Copilot](#step-by-step-vs-code--github-copilot)
|
|
29
|
-
- [Windsurf](#step-by-step-windsurf)
|
|
30
|
-
- [Manual Configuration](#manual-configuration-any-mcp-editor)
|
|
31
|
-
- [Verify Your Installation](#verify-your-installation)
|
|
32
|
-
- [How to Run Your First Security Review](#how-to-run-your-first-security-review)
|
|
33
|
-
- [CI/CD Security Gate](#cicd-security-gate)
|
|
34
|
-
- [What Gets Fixed Automatically](#what-gets-fixed-automatically)
|
|
35
|
-
- [Architecture](#architecture)
|
|
36
|
-
- [MCP Tools Reference](#mcp-tools-reference)
|
|
37
|
-
- [Security Frameworks Applied](#security-frameworks-applied)
|
|
38
|
-
- [Configuration](#configuration)
|
|
39
|
-
- [Environment Variables](#environment-variables)
|
|
40
|
-
- [The 10 Rules That Are Never Broken](#the-10-rules-that-are-never-broken)
|
|
41
|
-
- [Troubleshooting](#troubleshooting)
|
|
42
|
-
- [FAQ](#faq)
|
|
43
|
-
|
|
44
|
-
---
|
|
45
|
-
|
|
46
|
-
## What's New in 1.1.4
|
|
47
|
-
|
|
48
|
-
### 20 Checks (up from 18) - Deep Injection + Deep Auth Modules
|
|
49
|
-
|
|
50
|
-
Two new deep-check modules run automatically for web and API surfaces:
|
|
51
|
-
|
|
52
|
-
**`checkInjectionDeep`** — 11 new patterns: XXE (CWE-611), SSTI (CWE-94), prototype pollution (CWE-1321), open redirect (CWE-601), NoSQL operator injection (CWE-943), CRLF injection (CWE-113), unsafe YAML load (CWE-502), unsafe deserialization, path traversal (CWE-22), log injection (CWE-117), SSRF (CWE-918).
|
|
53
|
-
|
|
54
|
-
**`checkAuthDeep`** — 12 new patterns: JWT algorithm confusion / `alg:none` (CWE-327), session fixation (CWE-384), OAuth missing state parameter (CWE-352), OAuth `redirect_uri` open redirect (CWE-601), PKCE not enforced (RFC 7636), hardcoded JWT secret (CWE-798), missing rate limit on auth endpoints (CWE-307), plaintext password comparison (CWE-256), SAML signature validation disabled (CWE-347), insecure cookie flags (CWE-1004/614), refresh token not rotated (CWE-613), JWT HS/RS confusion (CVE-2015-9235 pattern).
|
|
55
|
-
|
|
56
|
-
### Coverage Completeness Protocol (§0)
|
|
57
|
-
|
|
58
|
-
Every security review now runs a mandatory 5-step protocol before reporting any result:
|
|
59
|
-
|
|
60
|
-
1. **Complete file inventory** — enumerate all source files into `coverage-manifest.json`; no attack class can be called CLEAN without checking every file.
|
|
61
|
-
2. **Taint tracking** — trace every user-controlled input (`req.body`, `req.query`, WebSocket, env, file uploads, external API responses) to all downstream sinks, classifying each SAFE / UNSAFE / UNRESOLVED.
|
|
62
|
-
3. **Negative assertions** — after each attack class: `ATTACK CLASS: {name} | FILES: N/N | PATTERNS: {list} | RESULT: CLEAN`.
|
|
63
|
-
4. **Fix verification loop** — after every fix, re-run the triggering check and confirm it no longer fires before advancing.
|
|
64
|
-
5. **All-or-nothing mandate** — every HIGH/CRITICAL finding is either FIXED (verified clean) or BLOCKED (risk-accepted, gate failing, remediation plan written to `deferred-fixes.json`).
|
|
65
|
-
|
|
66
|
-
### Enhanced Threat Model Template
|
|
67
|
-
|
|
68
|
-
The `security.threat_model` tool now generates a more complete template including LINDDUN privacy threat analysis (Linking, Identifying, Non-repudiation, Detecting, Data Disclosure, Unawareness, Non-compliance), TRIKE risk matrix (actor-action-asset-risk), DREAD scoring, attack trees for the top 3 critical paths, adversary profiles mapped to ATT&CK techniques, and supply chain threat enumeration.
|
|
69
|
-
|
|
70
|
-
### Expanded Release Checklists
|
|
71
|
-
|
|
72
|
-
All domain-specific release checklists now include:
|
|
73
|
-
|
|
74
|
-
- **OAuth/OIDC** — PKCE with S256, state/nonce verification, exact-match `redirect_uri`, code reuse prevention, audience validation
|
|
75
|
-
- **Business Logic** — idempotency keys on payment mutations, negative input validation, race condition testing for balance/quota/inventory
|
|
76
|
-
- **Serialization/Injection** — XXE, SSTI, unsafe YAML, deserialization, prototype pollution, open redirect, CRLF in every checklist
|
|
77
|
-
- **AI/LLM** — system prompt extraction resistance, multi-turn attack chains, multimodal injection, agentic tool allowlist, AML.T0054/T0057 mitigations
|
|
78
|
-
- **Payments (PCI DSS 4.0)** — PAN masking, DOM mutation monitoring, EMV 3DS 2.2+, Magecart prevention (SRI on checkout pages)
|
|
79
|
-
- **Observability Gate** (new) — anomaly detection baselines, SLO definitions for security events, alert fatigue review, runbook coverage
|
|
80
|
-
|
|
81
|
-
### Windsurf Support
|
|
82
|
-
|
|
83
|
-
The installer now detects and configures Windsurf (`~/.windsurf/mcp.json`) automatically alongside Claude Code, Cursor, and VS Code.
|
|
84
|
-
|
|
85
|
-
### `doctor` Command
|
|
86
|
-
|
|
87
|
-
Verify your installation health at any time:
|
|
14
|
+
Works with Claude Code, Cursor, VS Code / GitHub Copilot, Windsurf, Codex, Replit, and any MCP-compatible editor.
|
|
88
15
|
|
|
89
16
|
```bash
|
|
90
|
-
npx -y security-mcp@latest
|
|
17
|
+
npx -y security-mcp@latest install
|
|
91
18
|
```
|
|
92
19
|
|
|
93
|
-
Checks Node.js version, editor configs, and skill files — prints PASS/FAIL per check with actionable fix commands.
|
|
94
|
-
|
|
95
20
|
---
|
|
96
21
|
|
|
97
|
-
##
|
|
22
|
+
## Table of Contents
|
|
98
23
|
|
|
99
|
-
|
|
24
|
+
- [Why this exists](#why-this-exists)
|
|
25
|
+
- [What's new in 1.3.2](#whats-new-in-132)
|
|
26
|
+
- [System overview](#system-overview)
|
|
27
|
+
- [The two entry points](#the-two-entry-points)
|
|
28
|
+
- [/senior-security-engineer](#senior-security-engineer)
|
|
29
|
+
- [/ciso-orchestrator](#ciso-orchestrator)
|
|
30
|
+
- [The gate engine](#the-gate-engine)
|
|
31
|
+
- [Cloud security controls engine](#cloud-security-controls-engine)
|
|
32
|
+
- [Install](#install)
|
|
33
|
+
- [CI/CD gate](#cicd-gate)
|
|
34
|
+
- [Built for teams](#built-for-teams)
|
|
35
|
+
- [Self-protection and supply-chain posture](#self-protection-and-supply-chain-posture)
|
|
36
|
+
- [MCP tools](#mcp-tools)
|
|
37
|
+
- [Frameworks](#frameworks)
|
|
38
|
+
- [Policy and exceptions](#policy-and-exceptions)
|
|
39
|
+
- [Environment variables](#environment-variables)
|
|
40
|
+
- [The 10 non-negotiable rules](#the-10-non-negotiable-rules)
|
|
41
|
+
- [CLI reference](#cli-reference)
|
|
42
|
+
- [Documentation and disclosure](#documentation-and-disclosure)
|
|
43
|
+
- [License](#license)
|
|
100
44
|
|
|
101
|
-
|
|
102
|
-
- Most AI assistants write working code but don't enforce secure code
|
|
103
|
-
- Static analysis tools flag problems but don't fix them
|
|
104
|
-
- Hiring a security team or running a pentest is expensive and slow
|
|
45
|
+
---
|
|
105
46
|
|
|
106
|
-
|
|
47
|
+
## Why this exists
|
|
107
48
|
|
|
108
|
-
|
|
49
|
+
Most security tooling stops at detection. It produces a list, hands it to a human, and waits. That model breaks down when AI assistants are writing the majority of the code, because the volume of change outpaces anyone's ability to triage a backlog by hand.
|
|
109
50
|
|
|
110
|
-
|
|
51
|
+
security-mcp inverts the default. When it finds a vulnerability it writes the production-ready fix into your working tree, re-runs the check to confirm the issue cleared, and only then moves on. The same engine runs as a deterministic gate in CI, so the contract is simple: HIGH and CRITICAL findings do not merge.
|
|
111
52
|
|
|
112
|
-
|
|
53
|
+
You get three things from one install:
|
|
113
54
|
|
|
114
|
-
-
|
|
115
|
-
-
|
|
116
|
-
-
|
|
117
|
-
- **AI-assisted developers** using Claude Code, Copilot, Cursor, or Codex to write most of their code
|
|
118
|
-
- **Teams preparing for SOC 2, PCI DSS, or ISO 27001 audits** who need evidence and gap analysis
|
|
119
|
-
- **Security-conscious engineers** who want systematic coverage, not ad-hoc reviews
|
|
120
|
-
- **Anyone who's shipped code and thought "wait, is this actually secure?"**
|
|
55
|
+
- An interactive security engineer that fixes code inside your editor.
|
|
56
|
+
- A multi-agent security program that runs a full audit on demand.
|
|
57
|
+
- A standalone CI gate that needs no AI session to enforce the line.
|
|
121
58
|
|
|
122
59
|
---
|
|
123
60
|
|
|
124
|
-
##
|
|
125
|
-
|
|
126
|
-
### `/senior-security-engineer` - Your Daily Security Expert
|
|
127
|
-
|
|
128
|
-
A single elite security engineer agent that reviews your code, finds vulnerabilities, and writes the fix immediately. You choose the scope: just your recent changes, your whole codebase, or specific files and folders. It covers secrets, dependencies, cryptography, injection, authentication, web headers, cloud config, AI/LLM safety, mobile, and more - all in parallel. Every finding gets an inline code fix, not a suggestion. Finishes with a SHA-256 attested report you can keep as an audit trail.
|
|
61
|
+
## What's new in 1.3.2
|
|
129
62
|
|
|
130
|
-
**
|
|
63
|
+
**Cloud security controls engine.** A registry-driven engine that scans infrastructure-as-code against 998 rules mapped to AWS FSBP, CIS Benchmarks (AWS / GCP / Azure), and the Microsoft Cloud Security Benchmark, across Terraform, CloudFormation, and Bicep. Terraform violations can be auto-remediated with `security-mcp autoharden`. See [the dedicated section](#cloud-security-controls-engine).
|
|
131
64
|
|
|
132
|
-
|
|
65
|
+
**Two new CLI commands.** `security-mcp ci:pr-gate` runs the gate directly from `npx` and exits non-zero on HIGH/CRITICAL. `security-mcp sign-policy` HMAC-signs the active policy so tampering is detected at gate startup.
|
|
133
66
|
|
|
134
|
-
|
|
67
|
+
**The tool hardened itself.** An unsigned policy can no longer relax the gate to PASS (severity_block is floored to HIGH/CRITICAL). An unsigned exceptions file can no longer suppress HIGH/CRITICAL by default. Attestation refuses to sign anything that is not a clean PASS. There is a fully offline mode, a checksum-verified installer with no `curl | sh` path, and data at rest is written with `0o600` permissions. Details in [self-protection and supply-chain posture](#self-protection-and-supply-chain-posture).
|
|
135
68
|
|
|
136
|
-
|
|
69
|
+
Earlier releases expanded the deep-analysis pattern libraries (injection, authentication, supply chain, business logic), brought OWASP Top 10 to full coverage, and wired the industry scanners into the gate.
|
|
137
70
|
|
|
138
71
|
---
|
|
139
72
|
|
|
140
|
-
|
|
141
|
-
| --- | --- | --- |
|
|
142
|
-
| **What it is** | Single expert agent | 39-agent multi-phase security program |
|
|
143
|
-
| **Best for** | Daily development, PR reviews, targeted hardening | Pre-launch audits, compliance prep, incident response |
|
|
144
|
-
| **Speed** | Seconds to minutes | Minutes to hours |
|
|
145
|
-
| **Scope** | You choose: recent changes, full codebase, or specific files | Always full - every surface, every framework |
|
|
146
|
-
| **Agents** | 1 | 39 (9 leads + 30 sub-agents) |
|
|
147
|
-
| **Output** | Inline code fixes + SHA-256 attestation | Full domain reports + merged findings + attestation |
|
|
148
|
-
| **API cost** | Low | High |
|
|
149
|
-
| **Internet** | Not required | Optional (enriches findings with live CVEs, CISA KEV, MITRE ATT&CK) |
|
|
150
|
-
|
|
151
|
-
**Rule of thumb:** Use `/senior-security-engineer` on every PR. Use `/ciso-orchestrator` before major releases or compliance deadlines.
|
|
73
|
+
## System overview
|
|
152
74
|
|
|
153
|
-
|
|
75
|
+
```mermaid
|
|
76
|
+
graph TD
|
|
77
|
+
subgraph Editor["Your editor (Claude Code, Cursor, VS Code, ...)"]
|
|
78
|
+
A["/senior-security-engineer"]
|
|
79
|
+
B["/ciso-orchestrator"]
|
|
80
|
+
end
|
|
154
81
|
|
|
155
|
-
|
|
82
|
+
A -->|MCP stdio| S["MCP server"]
|
|
83
|
+
B -->|MCP stdio| S
|
|
156
84
|
|
|
157
|
-
|
|
158
|
-
|
|
159
|
-
|
|
85
|
+
S --> G["Gate engine (35 checks)"]
|
|
86
|
+
S --> O["Orchestration (39+ agents)"]
|
|
87
|
+
S --> C["Cloud controls (998 rules)"]
|
|
88
|
+
S --> P["Platform subsystems"]
|
|
160
89
|
|
|
161
|
-
|
|
90
|
+
G --> AT["SHA-256 attestation"]
|
|
91
|
+
O --> AT
|
|
92
|
+
P --> R["Model router / learning / hash chain / auth"]
|
|
162
93
|
|
|
163
|
-
|
|
164
|
-
/senior-security-engineer
|
|
94
|
+
CI["CI: security-mcp ci:pr-gate"] --> G
|
|
165
95
|
```
|
|
166
96
|
|
|
167
|
-
|
|
168
|
-
|
|
169
|
-
For a full 39-agent deep audit:
|
|
170
|
-
|
|
171
|
-
```text
|
|
172
|
-
/ciso-orchestrator
|
|
173
|
-
```
|
|
97
|
+
The MCP server is the trust root. Both entry-point skills, the standalone CI gate, and every supporting subsystem call into the same engine, so an interactive fix and a CI verdict are produced by identical logic.
|
|
174
98
|
|
|
175
99
|
---
|
|
176
100
|
|
|
177
|
-
##
|
|
101
|
+
## The two entry points
|
|
178
102
|
|
|
179
|
-
|
|
103
|
+
You drive security-mcp through two skills. One is your daily security engineer. The other is a full security program you run when the stakes are high.
|
|
180
104
|
|
|
181
|
-
|
|
105
|
+
| | `/senior-security-engineer` | `/ciso-orchestrator` |
|
|
106
|
+
| --- | --- | --- |
|
|
107
|
+
| Shape | One elite engineer agent | 39 named agents, 40+ at runtime |
|
|
108
|
+
| Best for | Every PR, targeted hardening | Pre-release audits, compliance prep |
|
|
109
|
+
| Scope | You pick: diff, full codebase, or specific paths | Full: every surface, every framework |
|
|
110
|
+
| Speed | Seconds to minutes | Minutes to hours |
|
|
111
|
+
| Output | Inline fixes + SHA-256 attested report | Merged findings, compliance mapping, signed attestation |
|
|
112
|
+
| Network | Not required | Optional live threat intel |
|
|
182
113
|
|
|
183
|
-
|
|
114
|
+
Rule of thumb: run `/senior-security-engineer` on every PR, and `/ciso-orchestrator` before a release or an audit.
|
|
184
115
|
|
|
185
|
-
|
|
186
|
-
npx -y security-mcp@latest install --claude-code
|
|
187
|
-
```
|
|
116
|
+
### /senior-security-engineer
|
|
188
117
|
|
|
189
|
-
|
|
118
|
+
A single elite security-engineer agent. It operates 90% fixing, 10% advisory: it writes the secure code rather than handing you a report to act on. You pick the scope at the start (recent changes via git diff, the full codebase, or specific files and folders), and it runs a strategy pass, then the gate, then inline fixes, and finishes with a SHA-256 attested report you can keep as an audit artifact.
|
|
190
119
|
|
|
191
|
-
|
|
120
|
+
This is the daily driver. Use it on every PR.
|
|
192
121
|
|
|
193
|
-
```
|
|
194
|
-
|
|
122
|
+
```mermaid
|
|
123
|
+
graph TD
|
|
124
|
+
U["Invoke /senior-security-engineer"] --> SC{"Pick scope"}
|
|
125
|
+
SC -->|A| D["Recent changes / git diff"]
|
|
126
|
+
SC -->|B| F["Full codebase"]
|
|
127
|
+
SC -->|C| P["Specific files / folders"]
|
|
128
|
+
D --> ST["Build strategy"]
|
|
129
|
+
F --> ST
|
|
130
|
+
P --> ST
|
|
131
|
+
ST --> GT["Run gate"]
|
|
132
|
+
GT --> FX["Write inline fixes"]
|
|
133
|
+
FX --> RV["Re-run check, confirm clean"]
|
|
134
|
+
RV -->|remaining| FX
|
|
135
|
+
RV -->|clean| AT["SHA-256 attested report"]
|
|
195
136
|
```
|
|
196
137
|
|
|
197
|
-
|
|
138
|
+
### /ciso-orchestrator
|
|
198
139
|
|
|
199
|
-
|
|
200
|
-
{
|
|
201
|
-
"mcpServers": {
|
|
202
|
-
"security-mcp": {
|
|
203
|
-
"command": "npx",
|
|
204
|
-
"args": ["-y", "security-mcp@latest", "serve"]
|
|
205
|
-
}
|
|
206
|
-
}
|
|
207
|
-
}
|
|
208
|
-
```
|
|
140
|
+
A full security program in one command, held to the same 90% fixing, 10% advisory mandate as the single agent: every specialist writes the fix rather than filing a finding. Nine specialist lead agents command 30 sub-agents, for 39 named agents in the static spawn tree. At runtime the orchestrator dynamically spawns additional ghost and coverage agents based on cross-domain findings, so a real run typically fields 40 or more. It draws on a registry of 91 specialist skills (registry version 1.6.0), loaded on demand based on your detected stack, and covers PCI DSS 4.0, SOC 2, ISO 27001, NIST 800-53, HIPAA, and GDPR mapping.
|
|
209
141
|
|
|
210
|
-
|
|
142
|
+
It runs in three phases:
|
|
211
143
|
|
|
212
|
-
**
|
|
144
|
+
1. **Discovery (parallel).** Seven leads run at once: threat modeling, AppSec code audit, cloud and infrastructure, supply chain, AI/LLM red team, mobile, and crypto/PKI.
|
|
145
|
+
2. **Adversarial and compliance (parallel).** A penetration-test team reads Phase 1's threat model as its attack brief, while a compliance/GRC synthesizer maps findings to controls.
|
|
146
|
+
3. **Synthesis.** Each agent's findings file is schema-validated and verified against that agent's signed attestation before it is trusted, then findings are merged and deduplicated, SKILL.md section coverage (§0 through §24) is verified, and a signed attestation is written. A tampered attestation chain or a findings-hash mismatch forces the gate to FAIL.
|
|
213
147
|
|
|
214
|
-
```
|
|
215
|
-
|
|
216
|
-
|
|
148
|
+
```mermaid
|
|
149
|
+
graph TD
|
|
150
|
+
ORCH["CISO orchestrator"] --> P1
|
|
151
|
+
ORCH --> P2
|
|
152
|
+
ORCH --> P3
|
|
217
153
|
|
|
218
|
-
|
|
154
|
+
subgraph P1["Phase 1: discovery (parallel)"]
|
|
155
|
+
TM["threat-modeler"] --> TM1["stride-pasta-analyst"] & TM2["attack-navigator"] & TM3["business-logic-attacker"] & TM4["privacy-flow-analyst"]
|
|
156
|
+
AC["appsec-code-auditor"] --> AC1["injection-specialist"] & AC2["auth-session-hacker"] & AC3["logic-race-fuzzer"] & AC4["serialization-memory-attacker"]
|
|
157
|
+
CI["cloud-infra-specialist"] --> CI1["aws/gcp/azure-pentester"] & CI2["k8s-container-escaper"]
|
|
158
|
+
SD["supply-chain-devsecops"] --> SD1["dependency-confusion-attacker"] & SD2["cicd-pipeline-hijacker"] & SD3["artifact-integrity-analyst"]
|
|
159
|
+
AI["ai-llm-redteam"] --> AI1["prompt-injection-specialist"] & AI2["model-extraction-attacker"] & AI3["rag-poisoning-specialist"] & AI4["agentic-loop-exploiter"]
|
|
160
|
+
MB["mobile-security-specialist"] --> MB1["ios-security-auditor"] & MB2["android-penetration-tester"] & MB3["mobile-api-network-attacker"]
|
|
161
|
+
CR["crypto-pki-specialist"] --> CR1["tls-certificate-auditor"] & CR2["algorithm-implementation-reviewer"] & CR3["key-management-lifecycle-analyst"]
|
|
162
|
+
end
|
|
219
163
|
|
|
220
|
-
|
|
164
|
+
subgraph P2["Phase 2: adversarial + compliance (parallel)"]
|
|
165
|
+
PT["pentest-team"] --> PT1["pentest-web-api"] & PT2["pentest-infra"] & PT3["pentest-social"]
|
|
166
|
+
GRC["compliance-grc"] --> GRC1["evidence-collector"] & GRC2["compliance-gap-analyst"]
|
|
167
|
+
end
|
|
221
168
|
|
|
222
|
-
|
|
223
|
-
|
|
169
|
+
subgraph P3["Phase 3: synthesis"]
|
|
170
|
+
M["Verify attestations + merge + dedupe"] --> V["Verify §0-§24 coverage"] --> A["Signed attestation"]
|
|
171
|
+
end
|
|
224
172
|
```
|
|
225
173
|
|
|
226
|
-
|
|
227
|
-
|
|
228
|
-
- **A) Recent changes** - scans only what changed since your last commit (fastest, use daily)
|
|
229
|
-
- **B) Full codebase** - scans everything (use for new projects or after major changes)
|
|
230
|
-
- **C) Specific files or folders** - scans exactly what you specify
|
|
231
|
-
|
|
232
|
-
Pick one and let it run.
|
|
174
|
+
Cloud, AI/LLM, and mobile sub-agents are conditional: they activate only when the relevant stack is detected, and report N/A otherwise.
|
|
233
175
|
|
|
234
176
|
---
|
|
235
177
|
|
|
236
|
-
|
|
178
|
+
## The gate engine
|
|
237
179
|
|
|
238
|
-
|
|
180
|
+
The gate is the deterministic core. On every run it executes 35 security checks in parallel (33 distinct check modules plus 2 precomputed coverage feeds). It is surface-aware: it first detects which surfaces a change touches (web, API, infrastructure, iOS, Android, AI/LLM, agentic) and runs the relevant checks against them.
|
|
239
181
|
|
|
240
|
-
```
|
|
241
|
-
|
|
182
|
+
```mermaid
|
|
183
|
+
graph TD
|
|
184
|
+
PL["Load policy (HMAC-verified)"] --> SC["Resolve scope"]
|
|
185
|
+
SC --> CT["Classify change type"]
|
|
186
|
+
CT -->|docs-only| SS["Secrets scan only"]
|
|
187
|
+
CT -->|code| DS["Detect surfaces"]
|
|
188
|
+
DS --> CAT["Load catalog + scanner readiness + evidence coverage"]
|
|
189
|
+
CAT --> RUN["Run 35 checks in parallel"]
|
|
190
|
+
RUN --> SLA["Assign risk SLAs"]
|
|
191
|
+
SLA --> CM["Build coverage manifest"]
|
|
192
|
+
CM --> EX["Apply exceptions"]
|
|
193
|
+
EX --> CONF["Confidence score (70% coverage + 30% scanner)"]
|
|
194
|
+
CONF --> BL["Diff against baseline"]
|
|
195
|
+
BL --> VR{"Verdict by severity_block"}
|
|
196
|
+
VR --> PB["Persist new baseline"]
|
|
197
|
+
SS --> VR
|
|
242
198
|
```
|
|
243
199
|
|
|
244
|
-
|
|
200
|
+
A crashed check module never disappears quietly. It becomes a HIGH coverage-gap finding, so the absence of a result is itself a result. A control that regresses from satisfied to missing against the saved baseline also becomes a HIGH finding.
|
|
245
201
|
|
|
246
|
-
|
|
202
|
+
### Deep-analysis modules
|
|
247
203
|
|
|
248
|
-
|
|
249
|
-
|
|
250
|
-
|
|
251
|
-
|
|
252
|
-
|
|
253
|
-
|
|
254
|
-
|
|
255
|
-
|
|
256
|
-
|
|
257
|
-
|
|
258
|
-
|
|
259
|
-
"args": ["-y", "security-mcp@latest", "serve"]
|
|
260
|
-
}
|
|
261
|
-
}
|
|
262
|
-
}
|
|
263
|
-
```
|
|
204
|
+
| Module | Patterns | What it targets |
|
|
205
|
+
| --- | --- | --- |
|
|
206
|
+
| Deep injection | 42 | SQL/NoSQL, SSTI, SpEL/OGNL, deserialization, CRLF, SSRF, and more |
|
|
207
|
+
| Deep authentication | 43 | JWT confusion, session and OAuth flaws, weak hashing, token entropy |
|
|
208
|
+
| Deep supply chain | 32 | Obfuscated payloads, malicious scripts, exfiltration channels |
|
|
209
|
+
| Business logic | 31 | IDOR, race conditions, payment and e-commerce abuse |
|
|
210
|
+
| Data platform | 47 | Databricks and Snowflake misconfiguration |
|
|
211
|
+
| Deep Docker | 49 | Container build and runtime hardening |
|
|
212
|
+
| GitOps | 41 | ArgoCD and Flux pipeline integrity |
|
|
213
|
+
| Agentic-instruction integrity | 11 | Poisoned AI agent instruction files |
|
|
214
|
+
| AI governance | 3 | Shadow-AI and data-to-LLM exfiltration |
|
|
264
215
|
|
|
265
|
-
|
|
216
|
+
Alongside these, the gate runs Kubernetes (70 checks), IaC (56), and dedicated modules for secrets, dependencies, crypto, web/Next.js, API, mobile (iOS and Android), GraphQL, database, DLP, SBOM, an incident-response playbook, runtime/DAST, CI pipeline hardening, and a Nuclei DAST integration.
|
|
266
217
|
|
|
267
|
-
|
|
218
|
+
### Scanner orchestration and threat intel
|
|
268
219
|
|
|
269
|
-
|
|
220
|
+
When they are present on the host, the gate orchestrates industry scanners: gitleaks, semgrep, trivy, osv-scanner, checkov, conftest, and zaproxy. Their results fold into the same findings model.
|
|
270
221
|
|
|
271
|
-
|
|
272
|
-
Use /senior-security-engineer to review my recent changes
|
|
273
|
-
```
|
|
222
|
+
Live threat intelligence (cached for 24 hours) enriches the verdict: CISA KEV, EPSS (a score above 0.5 escalates severity), OpenSSF Scorecard, and the npm registry. Set `SECURITY_OFFLINE=1` to disable all third-party egress. Private and internal scoped package names are never sent to public endpoints, online or off.
|
|
274
223
|
|
|
275
224
|
---
|
|
276
225
|
|
|
277
|
-
|
|
278
|
-
|
|
279
|
-
**Step 1 - Run the installer:**
|
|
280
|
-
|
|
281
|
-
```bash
|
|
282
|
-
npx -y security-mcp@latest install --vscode
|
|
283
|
-
```
|
|
284
|
-
|
|
285
|
-
This writes to your VS Code user `settings.json`.
|
|
226
|
+
## Cloud security controls engine
|
|
286
227
|
|
|
287
|
-
|
|
228
|
+
A registry-driven engine scans infrastructure-as-code against 998 rules mapped to AWS Foundational Security Best Practices (FSBP), CIS Benchmarks for AWS, GCP, and Azure, and the Microsoft Cloud Security Benchmark.
|
|
288
229
|
|
|
289
|
-
|
|
290
|
-
|
|
291
|
-
|
|
292
|
-
|
|
293
|
-
|
|
294
|
-
|
|
295
|
-
|
|
296
|
-
|
|
297
|
-
|
|
298
|
-
|
|
299
|
-
|
|
300
|
-
|
|
301
|
-
|
|
302
|
-
|
|
303
|
-
|
|
304
|
-
|
|
305
|
-
|
|
306
|
-
|
|
307
|
-
|
|
308
|
-
```
|
|
309
|
-
|
|
310
|
-
|
|
230
|
+
| Coverage | Rules |
|
|
231
|
+
| --- | --- |
|
|
232
|
+
| AWS | 483 |
|
|
233
|
+
| Azure | 320 |
|
|
234
|
+
| GCP | 195 |
|
|
235
|
+
| Terraform / HCL | 774 |
|
|
236
|
+
| CloudFormation | 128 |
|
|
237
|
+
| Bicep | 96 |
|
|
238
|
+
|
|
239
|
+
```mermaid
|
|
240
|
+
graph TD
|
|
241
|
+
IAC["IaC files (TF / CFN / Bicep)"] --> DET["Detect against 998-rule registry"]
|
|
242
|
+
DET --> V["Violations"]
|
|
243
|
+
V --> AF{"Safe to auto-fix?"}
|
|
244
|
+
AF -->|yes, Terraform| FIX["Apply fix"]
|
|
245
|
+
FIX --> RD["Re-detect"]
|
|
246
|
+
RD -->|cleared| KEEP["Keep change"]
|
|
247
|
+
RD -->|not cleared| REV["Revert, report manual"]
|
|
248
|
+
AF -->|no| MAN["Manual action + snippet"]
|
|
249
|
+
```
|
|
250
|
+
|
|
251
|
+
Terraform supports auto-remediation through `security-mcp autoharden` (use `--dry-run` to preview). The engine applies a fix, re-detects to confirm the violation actually cleared, and only then keeps the change. Anything it cannot safely auto-fix is reported as a manual action with a code snippet.
|
|
311
252
|
|
|
312
253
|
---
|
|
313
254
|
|
|
314
|
-
|
|
255
|
+
## Install
|
|
315
256
|
|
|
316
|
-
|
|
257
|
+
Prerequisite: Node.js 20 or higher (`node --version`).
|
|
317
258
|
|
|
318
259
|
```bash
|
|
319
260
|
npx -y security-mcp@latest install
|
|
320
261
|
```
|
|
321
262
|
|
|
322
|
-
|
|
323
|
-
|
|
324
|
-
**Step 2 - Verify:**
|
|
325
|
-
|
|
326
|
-
```bash
|
|
327
|
-
cat ~/.windsurf/mcp.json
|
|
328
|
-
```
|
|
329
|
-
|
|
330
|
-
Expected output:
|
|
263
|
+
The installer auto-detects Claude Code, Cursor, VS Code, and Windsurf, and writes the config to the right place. Restart your editor, then run a review:
|
|
331
264
|
|
|
332
|
-
```
|
|
333
|
-
|
|
334
|
-
"mcpServers": {
|
|
335
|
-
"security-mcp": {
|
|
336
|
-
"command": "npx",
|
|
337
|
-
"args": ["-y", "security-mcp@latest", "serve"]
|
|
338
|
-
}
|
|
339
|
-
}
|
|
340
|
-
}
|
|
265
|
+
```text
|
|
266
|
+
/senior-security-engineer
|
|
341
267
|
```
|
|
342
268
|
|
|
343
|
-
|
|
344
|
-
|
|
345
|
-
**Step 4 - In the Windsurf AI chat, type:**
|
|
269
|
+
For a full audit:
|
|
346
270
|
|
|
347
271
|
```text
|
|
348
|
-
|
|
272
|
+
/ciso-orchestrator
|
|
349
273
|
```
|
|
350
274
|
|
|
351
|
-
|
|
352
|
-
|
|
353
|
-
### Manual Configuration (Any MCP Editor)
|
|
354
|
-
|
|
355
|
-
If the installer doesn't detect your editor, or you prefer to configure manually:
|
|
356
|
-
|
|
357
|
-
**Step 1 - Print the config snippet:**
|
|
275
|
+
Confirm the install is healthy at any time:
|
|
358
276
|
|
|
359
277
|
```bash
|
|
360
|
-
npx -y security-mcp@latest
|
|
278
|
+
npx -y security-mcp@latest doctor
|
|
361
279
|
```
|
|
362
280
|
|
|
363
|
-
|
|
364
|
-
|
|
365
|
-
**Claude Code** (`~/.claude/settings.json`):
|
|
281
|
+
### Manual config
|
|
366
282
|
|
|
367
|
-
|
|
368
|
-
{
|
|
369
|
-
"mcpServers": {
|
|
370
|
-
"security-mcp": {
|
|
371
|
-
"command": "npx",
|
|
372
|
-
"args": ["-y", "security-mcp@latest", "serve"]
|
|
373
|
-
}
|
|
374
|
-
}
|
|
375
|
-
}
|
|
376
|
-
```
|
|
283
|
+
Add the server to your editor's MCP config and restart.
|
|
377
284
|
|
|
378
|
-
|
|
285
|
+
Claude Code (`~/.claude/settings.json`), Cursor (`~/.cursor/mcp.json`), Windsurf (`~/.windsurf/mcp.json`):
|
|
379
286
|
|
|
380
287
|
```json
|
|
381
288
|
{
|
|
@@ -388,7 +295,7 @@ npx -y security-mcp@latest config
|
|
|
388
295
|
}
|
|
389
296
|
```
|
|
390
297
|
|
|
391
|
-
|
|
298
|
+
VS Code / GitHub Copilot (user `settings.json`):
|
|
392
299
|
|
|
393
300
|
```json
|
|
394
301
|
{
|
|
@@ -401,153 +308,19 @@ npx -y security-mcp@latest config
|
|
|
401
308
|
}
|
|
402
309
|
```
|
|
403
310
|
|
|
404
|
-
**Windsurf / Codex / Replit** - use the same `command`/`args` format your editor supports for MCP servers.
|
|
405
|
-
|
|
406
|
-
**Step 3 - Restart your editor** after saving the config.
|
|
407
|
-
|
|
408
311
|
---
|
|
409
312
|
|
|
410
|
-
|
|
313
|
+
## CI/CD gate
|
|
411
314
|
|
|
412
|
-
|
|
315
|
+
The gate runs as plain Node.js with no AI session involved, so it belongs in your pipeline as a required check.
|
|
413
316
|
|
|
414
317
|
```bash
|
|
415
|
-
|
|
416
|
-
security-mcp install-global
|
|
318
|
+
npx -y security-mcp@latest ci:pr-gate
|
|
417
319
|
```
|
|
418
320
|
|
|
419
|
-
|
|
420
|
-
|
|
421
|
-
```bash
|
|
422
|
-
security-mcp install-global --claude-code
|
|
423
|
-
security-mcp install-global --cursor
|
|
424
|
-
security-mcp install-global --vscode
|
|
425
|
-
```
|
|
426
|
-
|
|
427
|
-
---
|
|
428
|
-
|
|
429
|
-
### Preview Without Writing Anything
|
|
430
|
-
|
|
431
|
-
To see what the installer would do without making any changes:
|
|
432
|
-
|
|
433
|
-
```bash
|
|
434
|
-
npx -y security-mcp@latest install --dry-run
|
|
435
|
-
```
|
|
436
|
-
|
|
437
|
-
---
|
|
438
|
-
|
|
439
|
-
## Verify Your Installation
|
|
440
|
-
|
|
441
|
-
After installing, confirm everything is wired up correctly:
|
|
442
|
-
|
|
443
|
-
```bash
|
|
444
|
-
npx -y security-mcp@latest doctor
|
|
445
|
-
```
|
|
446
|
-
|
|
447
|
-
This checks your Node.js version, editor config files, and installed skills — and prints `[PASS]` or `[FAIL]` per check with a fix command if anything is missing.
|
|
448
|
-
|
|
449
|
-
Example output:
|
|
450
|
-
|
|
451
|
-
```text
|
|
452
|
-
[PASS] Node.js 22.x
|
|
453
|
-
[PASS] Claude Code config (~/.claude/settings.json)
|
|
454
|
-
[PASS] senior-security-engineer skill (~/.claude/skills/senior-security-engineer/SKILL.md)
|
|
455
|
-
|
|
456
|
-
All checks passed. Restart your editor, then type /senior-security-engineer.
|
|
457
|
-
```
|
|
458
|
-
|
|
459
|
-
---
|
|
460
|
-
|
|
461
|
-
## How to Run Your First Security Review
|
|
462
|
-
|
|
463
|
-
### Daily Workflow: `/senior-security-engineer`
|
|
464
|
-
|
|
465
|
-
**Step 1 - Open your project in your editor.**
|
|
466
|
-
|
|
467
|
-
**Step 2 - Invoke the skill:**
|
|
468
|
-
|
|
469
|
-
```text
|
|
470
|
-
/senior-security-engineer
|
|
471
|
-
```
|
|
472
|
-
|
|
473
|
-
**Step 3 - Choose your scan scope when prompted:**
|
|
474
|
-
|
|
475
|
-
- **Recent changes** - scans only files modified since your last commit. Use this on every PR.
|
|
476
|
-
- **Full codebase** - scans all source files. Use when onboarding a new project.
|
|
477
|
-
- **Specific folders** - you name the folders. Use when you know the blast radius.
|
|
321
|
+
It exits non-zero on HIGH or CRITICAL findings.
|
|
478
322
|
|
|
479
|
-
|
|
480
|
-
|
|
481
|
-
1. Call `security.start_review` to create a tracked run
|
|
482
|
-
2. Build a scan plan covering all relevant OWASP/NIST/ATT&CK controls
|
|
483
|
-
3. Run 20 security checks in parallel across secrets, dependencies, crypto, auth, injection, cloud config, AI/LLM, mobile, and more
|
|
484
|
-
4. Write fixes directly into your code for every finding it can remediate
|
|
485
|
-
5. Generate a SHA-256 attested report at `.mcp/reports/{runId}.attestation.json`
|
|
486
|
-
|
|
487
|
-
**Step 5 - Review the output.** Each finding shows:
|
|
488
|
-
|
|
489
|
-
- What the vulnerability is and why it matters
|
|
490
|
-
- Which attack it enables (mapped to MITRE ATT&CK and CWE)
|
|
491
|
-
- The exact fix that was applied to your code
|
|
492
|
-
|
|
493
|
-
**Step 6 - Commit with confidence.** The attestation file is your audit trail.
|
|
494
|
-
|
|
495
|
-
---
|
|
496
|
-
|
|
497
|
-
### Deep Audit: `/ciso-orchestrator`
|
|
498
|
-
|
|
499
|
-
Use this before a major release, compliance deadline, or security review.
|
|
500
|
-
|
|
501
|
-
**Step 1 - Invoke:**
|
|
502
|
-
|
|
503
|
-
```text
|
|
504
|
-
/ciso-orchestrator
|
|
505
|
-
```
|
|
506
|
-
|
|
507
|
-
**Step 2 - Answer the internet permission prompt.**
|
|
508
|
-
|
|
509
|
-
The orchestrator will ask:
|
|
510
|
-
|
|
511
|
-
> "I can fetch live CVE data, CISA KEV, and MITRE ATT&CK updates to improve this analysis. Allow internet access for this run? (yes/no)"
|
|
512
|
-
|
|
513
|
-
- **Yes** - agents enrich findings with live threat intelligence. More accurate, more current.
|
|
514
|
-
- **No** - agents use cached intel. Still comprehensive, no external calls made.
|
|
515
|
-
|
|
516
|
-
**Step 3 - Wait for Phase 1 (7 lead agents running in parallel, each commanding their domain-specific sub-agents — 25 sub-agents total across Phase 1).**
|
|
517
|
-
|
|
518
|
-
Each agent writes findings to `.mcp/agent-runs/{agentRunId}/`.
|
|
519
|
-
|
|
520
|
-
**Step 4 - Wait for Phase 2 (pentest team + compliance synthesizer).**
|
|
521
|
-
|
|
522
|
-
The pentest team reads Phase 1's threat model as its attack brief. The compliance agent maps every finding to PCI DSS 4.0, SOC 2, ISO 27001, NIST 800-53, HIPAA, and GDPR controls.
|
|
523
|
-
|
|
524
|
-
**Step 5 - Review the merged report.**
|
|
525
|
-
|
|
526
|
-
The orchestrator presents:
|
|
527
|
-
|
|
528
|
-
```text
|
|
529
|
-
Agents: 9 leads completed (+ sub-agents)
|
|
530
|
-
Findings: X CRITICAL / X HIGH / X MEDIUM / X LOW
|
|
531
|
-
Remediated inline: X
|
|
532
|
-
Open (need your decision): X
|
|
533
|
-
SKILL.md coverage: XX% (§1-§24)
|
|
534
|
-
Release blocked: yes / no
|
|
535
|
-
Attestation: .mcp/reports/{runId}.attestation.json
|
|
536
|
-
```
|
|
537
|
-
|
|
538
|
-
**Step 6 - For any open findings**, follow the required actions in the report. The agent will help you implement each fix.
|
|
539
|
-
|
|
540
|
-
---
|
|
541
|
-
|
|
542
|
-
## CI/CD Security Gate
|
|
543
|
-
|
|
544
|
-
Block insecure code from merging on every pull request - no Claude session required, pure Node.js execution:
|
|
545
|
-
|
|
546
|
-
```bash
|
|
547
|
-
npx -y security-mcp ci:pr-gate
|
|
548
|
-
```
|
|
549
|
-
|
|
550
|
-
### Add to GitHub Actions
|
|
323
|
+
### GitHub Actions
|
|
551
324
|
|
|
552
325
|
Create `.github/workflows/security-gate.yml`:
|
|
553
326
|
|
|
@@ -556,7 +329,7 @@ name: Security Gate
|
|
|
556
329
|
|
|
557
330
|
on:
|
|
558
331
|
pull_request:
|
|
559
|
-
branches: [main
|
|
332
|
+
branches: [main]
|
|
560
333
|
|
|
561
334
|
jobs:
|
|
562
335
|
security-gate:
|
|
@@ -564,529 +337,121 @@ jobs:
|
|
|
564
337
|
steps:
|
|
565
338
|
- uses: actions/checkout@v4
|
|
566
339
|
with:
|
|
567
|
-
fetch-depth: 0
|
|
340
|
+
fetch-depth: 0 # required for git diff
|
|
568
341
|
|
|
569
342
|
- uses: actions/setup-node@v4
|
|
570
343
|
with:
|
|
571
344
|
node-version: '20'
|
|
572
345
|
|
|
573
346
|
- name: Block insecure code from merging
|
|
574
|
-
run: npx -y security-mcp ci:pr-gate
|
|
347
|
+
run: npx -y security-mcp@latest ci:pr-gate
|
|
575
348
|
env:
|
|
576
349
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
577
350
|
```
|
|
578
351
|
|
|
579
|
-
###
|
|
580
|
-
|
|
581
|
-
The gate runs **20 checks in parallel** against your diff:
|
|
582
|
-
|
|
583
|
-
| Category | What It Catches |
|
|
584
|
-
| --- | --- |
|
|
585
|
-
| **Secrets** | Hardcoded API keys, tokens, passwords, private keys (via Gitleaks patterns) |
|
|
586
|
-
| **Dependencies** | CRITICAL/HIGH CVEs in npm/pip/go/maven packages; CISA KEV cross-check and EPSS >50% auto-escalation via live threat-intel (24h cached) |
|
|
587
|
-
| **Cryptography** | MD5, SHA-1, DES, RC4, ECB mode, `Math.random()` for tokens, short JWT secrets |
|
|
588
|
-
| **Authentication** | Missing rate limiting, no account lockout, JWT `alg:none`, weak session config |
|
|
589
|
-
| **Injection** | SQL, NoSQL, command injection, path traversal, SSRF, prototype pollution |
|
|
590
|
-
| **Web headers** | Missing CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy |
|
|
591
|
-
| **IaC** | `0.0.0.0/0` firewall rules, public storage buckets, wildcard IAM permissions |
|
|
592
|
-
| **AI/LLM** | `eval()` on model output, unvalidated model responses, prompt injection patterns |
|
|
593
|
-
| **Database** | TLS disabled on connections, raw query concatenation, missing connection encryption |
|
|
594
|
-
| **Mobile** | `android:debuggable=true`, cleartext traffic, insecure ATS config |
|
|
595
|
-
| **GraphQL** | Introspection in production, no depth/complexity limits, batching abuse |
|
|
596
|
-
| **Kubernetes** | Privileged containers, missing security context, hostPath mounts |
|
|
597
|
-
| **DLP** | PII in logs, stack traces in API responses, sensitive data in error messages |
|
|
598
|
-
| **Supply chain** | Missing lockfiles, floating version ranges (`^`, `~`), abandoned packages |
|
|
599
|
-
| **SBOM** | Generates CycloneDX SBOM for the scanned surface |
|
|
600
|
-
| **Runtime** | HTTP security headers and TLS config on live staging URL (if configured) |
|
|
601
|
-
| **AI red-team** | Static + optional dynamic probes against AI endpoints |
|
|
602
|
-
| **Exceptions** | Validates any active security exceptions are non-expired and properly approved |
|
|
603
|
-
| **Baseline regression** | Detects when previously-satisfied controls go missing (BASELINE_REGRESSION HIGH finding injected on regression) |
|
|
604
|
-
| **Deep injection** | XXE, SSTI, prototype pollution, open redirect, NoSQL operator injection, CRLF, unsafe YAML load, deserialization, path traversal, log injection, SSRF (11 new patterns) |
|
|
605
|
-
| **Deep auth** | JWT algorithm confusion, session fixation, OAuth missing state, OAuth open redirect_uri, PKCE not enforced, hardcoded JWT secret, missing rate limit on auth endpoints, plaintext password compare, SAML signature disabled, insecure cookie flags, refresh token not rotated, JWT HS/RS confusion (12 new patterns) |
|
|
606
|
-
|
|
607
|
-
### Customize the Gate Policy
|
|
608
|
-
|
|
609
|
-
Copy the default policy into your project and edit:
|
|
610
|
-
|
|
611
|
-
```bash
|
|
612
|
-
mkdir -p .mcp/policies
|
|
613
|
-
cp node_modules/security-mcp/defaults/security-policy.json .mcp/policies/security-policy.json
|
|
614
|
-
```
|
|
615
|
-
|
|
616
|
-
Or generate one tailored to your stack:
|
|
617
|
-
|
|
618
|
-
```text
|
|
619
|
-
Ask your AI: "Run security.generate_policy with surfaces=[web, api, ai] and cloud=aws"
|
|
620
|
-
```
|
|
621
|
-
|
|
622
|
-
### Add Exceptions for Known Accepted Risks
|
|
352
|
+
### Optional HMAC integrity
|
|
623
353
|
|
|
624
|
-
|
|
354
|
+
To make the policy tamper-evident, add a repository secret named `SECURITY_POLICY_HMAC_KEY` that is at least 32 bytes, then sign and commit:
|
|
625
355
|
|
|
626
356
|
```bash
|
|
627
|
-
|
|
628
|
-
cp node_modules/security-mcp/defaults/security-exceptions.json .mcp/exceptions/security-exceptions.json
|
|
357
|
+
security-mcp sign-policy
|
|
629
358
|
```
|
|
630
359
|
|
|
631
|
-
|
|
632
|
-
|
|
633
|
-
```json
|
|
634
|
-
{
|
|
635
|
-
"version": "1.0.0",
|
|
636
|
-
"exceptions": [
|
|
637
|
-
{
|
|
638
|
-
"id": "EX-001",
|
|
639
|
-
"finding_ids": ["CRYPTO_WEAK_HASH"],
|
|
640
|
-
"justification": "Legacy hash used only for non-security cache keys",
|
|
641
|
-
"ticket": "JIRA-1234",
|
|
642
|
-
"owner": "alice@example.com",
|
|
643
|
-
"approver": "bob@example.com",
|
|
644
|
-
"approval_role": "SecurityLead",
|
|
645
|
-
"expires_on": "2025-12-31"
|
|
646
|
-
}
|
|
647
|
-
]
|
|
648
|
-
}
|
|
649
|
-
```
|
|
650
|
-
|
|
651
|
-
Expired exceptions automatically become CRITICAL findings that block the gate.
|
|
360
|
+
Commit the policy file together with its generated `.hmac` sidecar. Once a key is set, the gate requires a valid signature on the policy, and a missing sidecar is rejected by design, so the key and the signature must land in the same change.
|
|
652
361
|
|
|
653
362
|
---
|
|
654
363
|
|
|
655
|
-
##
|
|
656
|
-
|
|
657
|
-
When your AI has security-mcp active, it **writes the production-ready fix** - not a suggestion, not a warning comment:
|
|
658
|
-
|
|
659
|
-
### Secrets and Credentials
|
|
660
|
-
|
|
661
|
-
| Insecure | Fixed to |
|
|
662
|
-
| --- | --- |
|
|
663
|
-
| `const KEY = "sk-abc123"` | `const KEY = process.env["API_KEY"]` + vault reference |
|
|
664
|
-
| `password: "hardcoded"` in config | Environment variable + secret manager setup |
|
|
665
|
-
| JWT signed with `"secret"` | RS256 with generated key pair, proper validation |
|
|
666
|
-
| Bcrypt with cost factor 4 | Argon2id with `memory: 65536, iterations: 3, parallelism: 4` |
|
|
667
|
-
|
|
668
|
-
### Authentication and Authorization
|
|
364
|
+
## Built for teams
|
|
669
365
|
|
|
670
|
-
|
|
671
|
-
- Account lockout after N failed attempts with progressive delays
|
|
672
|
-
- Session absolute timeout (8h) and idle timeout (30 min)
|
|
673
|
-
- FIDO2/WebAuthn requirement flagged for admin interfaces
|
|
674
|
-
- IDOR protection: tenant/user IDs read from JWT claims, never from request params
|
|
366
|
+
Four platform subsystems let a security team operate security-mcp at scale, not just run it ad hoc.
|
|
675
367
|
|
|
676
|
-
|
|
368
|
+
**Multi-provider model router.** Cost-aware routing across model providers, with circuit breakers and a spend budget so a single provider outage or a runaway run cannot stall or overspend the program.
|
|
677
369
|
|
|
678
|
-
-
|
|
679
|
-
- SQL: string concatenation -> parameterized queries or tagged template literals
|
|
680
|
-
- Command execution: `exec(userInput)` -> `spawnSync` with arg array, no shell
|
|
681
|
-
- Path traversal: user-controlled paths validated against project boundary
|
|
682
|
-
- SSRF: server-side HTTP clients get RFC-1918 CIDR block lists + DNS validation
|
|
370
|
+
**Learning engine.** Remembers confirmed patterns and false positives per project, with rate-limited false-positive suppression so noise drops over time. Routing decisions are written to an ISO 42001 audit log.
|
|
683
371
|
|
|
684
|
-
|
|
372
|
+
**Tamper-evident attestation hash chain.** Each agent attestation is chained (`init_chain`, `attest_agent`, `verify_chain`, `get_chain`), so the audit trail cannot be silently rewritten after the fact.
|
|
685
373
|
|
|
686
|
-
|
|
687
|
-
|
|
688
|
-
```javascript
|
|
689
|
-
app.get("/", (req, res) => res.send(html));
|
|
690
|
-
```
|
|
691
|
-
|
|
692
|
-
After:
|
|
693
|
-
|
|
694
|
-
```javascript
|
|
695
|
-
app.use(helmet({
|
|
696
|
-
contentSecurityPolicy: {
|
|
697
|
-
directives: {
|
|
698
|
-
defaultSrc: ["'self'"],
|
|
699
|
-
scriptSrc: ["'self'", (req, res) => `'nonce-${res.locals.nonce}'`],
|
|
700
|
-
}
|
|
701
|
-
},
|
|
702
|
-
hsts: { maxAge: 63072000, includeSubDomains: true, preload: true },
|
|
703
|
-
frameguard: { action: "deny" },
|
|
704
|
-
noSniff: true,
|
|
705
|
-
referrerPolicy: { policy: "strict-origin-when-cross-origin" }
|
|
706
|
-
}));
|
|
707
|
-
```
|
|
708
|
-
|
|
709
|
-
### Cloud Infrastructure
|
|
710
|
-
|
|
711
|
-
- `cidr_blocks = ["0.0.0.0/0"]` -> source-restricted CIDR with comment explaining rationale
|
|
712
|
-
- `acl = "public-read"` S3 -> Block Public Access enabled at bucket and account level
|
|
713
|
-
- Wildcard IAM `"Action": "*"` -> least-privilege policy with specific actions
|
|
714
|
-
- Long-lived static credentials -> IAM roles / Workload Identity / OIDC federation
|
|
715
|
-
|
|
716
|
-
### Cryptography
|
|
717
|
-
|
|
718
|
-
- `crypto.createHash('md5')` -> `crypto.createHash('sha256')`
|
|
719
|
-
- `Math.random()` for tokens -> `crypto.randomBytes(32).toString('hex')`
|
|
720
|
-
- AES-CBC -> AES-256-GCM with per-message nonce
|
|
721
|
-
- RSA PKCS#1 v1.5 -> RSA-OAEP or ECDH P-256
|
|
722
|
-
|
|
723
|
-
### AI / LLM Security
|
|
724
|
-
|
|
725
|
-
- String-concatenated system prompts -> structured `messages` array with role separation
|
|
726
|
-
- `eval(modelOutput)` -> `JSON.parse()` + Zod schema validation
|
|
727
|
-
- RAG retrieval without auth check -> authorization check before and after retrieval
|
|
728
|
-
- Unvalidated tool calls -> allowlist router that blocks unlisted tool names
|
|
374
|
+
**MCP caller authentication.** An optional shared-secret gate on the MCP channel uses constant-time HMAC comparison, a 3-strike lockout, and a session TTL (8 hours by default, capped at 24). When unset, the channel stays open for frictionless local use.
|
|
729
375
|
|
|
730
376
|
---
|
|
731
377
|
|
|
732
|
-
##
|
|
733
|
-
|
|
734
|
-
### System Overview
|
|
735
|
-
|
|
736
|
-
```text
|
|
737
|
-
┌───────────────────────────────────────────────────────────────┐
|
|
738
|
-
│ Your Editor (Claude Code) │
|
|
739
|
-
│ │
|
|
740
|
-
│ /senior-security-engineer /ciso-orchestrator │
|
|
741
|
-
│ (single expert agent) (39-agent security program) │
|
|
742
|
-
│ │ │ │
|
|
743
|
-
└──────────┼────────────────────────────────┼───────────────────┘
|
|
744
|
-
│ │
|
|
745
|
-
└──────────────┬─────────────────┘
|
|
746
|
-
│ MCP protocol (stdio)
|
|
747
|
-
▼
|
|
748
|
-
┌──────────────────────────────────────────────────────────────┐
|
|
749
|
-
│ MCP Server (src/mcp/server.ts) │
|
|
750
|
-
│ │
|
|
751
|
-
│ security.* tools orchestration.* tools │
|
|
752
|
-
│ ───────────────── ────────────────────── │
|
|
753
|
-
│ start_review create_agent_run │
|
|
754
|
-
│ run_pr_gate update_agent_status │
|
|
755
|
-
│ threat_model merge_agent_findings │
|
|
756
|
-
│ checklist ensure_skill │
|
|
757
|
-
│ attest_review read/write_agent_memory │
|
|
758
|
-
│ get_system_prompt check_updates / apply_updates │
|
|
759
|
-
│ scan_strategy verify_skill_coverage │
|
|
760
|
-
│ generate_policy │
|
|
761
|
-
│ terraform_blueprint repo.* tools │
|
|
762
|
-
│ generate_opa_rego ───────────── │
|
|
763
|
-
│ generate_compliance_report read_file / search │
|
|
764
|
-
│ notify_webhooks │
|
|
765
|
-
│ generate_remediations │
|
|
766
|
-
└──────────────────────────────────────────────────────────────┘
|
|
767
|
-
│
|
|
768
|
-
▼
|
|
769
|
-
┌──────────────────────────────────────────────────────────────┐
|
|
770
|
-
│ Policy Gate Engine (src/gate/policy.ts) │
|
|
771
|
-
│ │
|
|
772
|
-
│ 20 checks run in parallel: │
|
|
773
|
-
│ checkSecrets checkDependencies checkApi checkInfra │
|
|
774
|
-
│ checkCrypto checkMobileIos checkMobileAndroid │
|
|
775
|
-
│ checkAi checkGraphQL checkKubernetes │
|
|
776
|
-
│ checkDatabase checkDlp checkWebNextjs │
|
|
777
|
-
│ runSbomChecks runAiRedteamChecks runRuntimeChecks │
|
|
778
|
-
│ checkInjectionDeep (11 patterns) checkAuthDeep (12 patterns)│
|
|
779
|
-
│ │
|
|
780
|
-
│ Surface detection -> Control catalog -> Exception handling -> │
|
|
781
|
-
│ Coverage manifest -> Taint map -> Confidence scoring -> PASS / FAIL │
|
|
782
|
-
└──────────────────────────────────────────────────────────────┘
|
|
783
|
-
```
|
|
378
|
+
## Self-protection and supply-chain posture
|
|
784
379
|
|
|
785
|
-
|
|
380
|
+
A security tool is part of your supply chain, so security-mcp is built to resist the same attacks it looks for. This matters most when the threat is a malicious repository or a compromised dependency trying to neutralize the gate.
|
|
786
381
|
|
|
787
|
-
|
|
788
|
-
|
|
789
|
-
|
|
790
|
-
|
|
791
|
-
|
|
792
|
-
|
|
793
|
-
|
|
794
|
-
|
|
795
|
-
|
|
796
|
-
▼ user picks scope
|
|
797
|
-
security.start_review(mode)
|
|
798
|
-
└── creates .mcp/reviews/{runId}.json
|
|
799
|
-
│
|
|
800
|
-
▼
|
|
801
|
-
security.threat_model(runId, feature)
|
|
802
|
-
└── STRIDE + PASTA + ATT&CK template for changed surface
|
|
803
|
-
│
|
|
804
|
-
▼
|
|
805
|
-
§0 Coverage Completeness Protocol (runs first)
|
|
806
|
-
├── enumerate ALL source files → coverage-manifest.json
|
|
807
|
-
├── taint-trace every user-controlled input → taint-map.json
|
|
808
|
-
├── negative assertion per attack class: "FILES: N/N | RESULT: CLEAN"
|
|
809
|
-
└── fix verification loop: re-run check after every fix, confirm CLEAN
|
|
810
|
-
│
|
|
811
|
-
▼
|
|
812
|
-
security.run_pr_gate(runId, mode, targets)
|
|
813
|
-
├── git diff / glob targets -> changed files list
|
|
814
|
-
├── detectSurfaces() -> web? api? infra? mobile? ai?
|
|
815
|
-
├── 20 checks in parallel (incl. deep injection + deep auth)
|
|
816
|
-
├── apply exceptions from .mcp/exceptions/
|
|
817
|
-
├── compute confidence score
|
|
818
|
-
└── returns PASS/FAIL + findings[]
|
|
819
|
-
│
|
|
820
|
-
▼
|
|
821
|
-
Claude writes inline fixes for every finding
|
|
822
|
-
(production-ready secure code, not suggestions)
|
|
823
|
-
Every HIGH/CRITICAL: FIXED with verified-clean re-run,
|
|
824
|
-
OR formally blocked with risk-acceptance record
|
|
825
|
-
│
|
|
826
|
-
▼
|
|
827
|
-
security.attest_review(runId)
|
|
828
|
-
└── .mcp/reports/{runId}.attestation.json
|
|
829
|
-
└── SHA-256 integrity hash
|
|
830
|
-
```
|
|
831
|
-
|
|
832
|
-
### `/ciso-orchestrator` Flow (39 Agents)
|
|
833
|
-
|
|
834
|
-
```text
|
|
835
|
-
User: /ciso-orchestrator
|
|
836
|
-
│
|
|
837
|
-
▼
|
|
838
|
-
CISO Orchestrator
|
|
839
|
-
├── orchestration.check_updates() -> prompt if new version available
|
|
840
|
-
├── ask internet permission -> stored for all child agents
|
|
841
|
-
├── scan project for stack context
|
|
842
|
-
│ (package.json, go.mod, terraform/, .github/workflows/, Dockerfile)
|
|
843
|
-
│ -> stackContext: { languages, frameworks, cloudProvider, hasAI, hasMobile, ... }
|
|
844
|
-
├── security.start_review() -> runId
|
|
845
|
-
├── orchestration.create_agent_run() -> agentRunId + manifest.json
|
|
846
|
-
└── orchestration.ensure_skill(×N) -> download stack-relevant skills from 86-skill registry
|
|
847
|
-
│
|
|
848
|
-
▼
|
|
849
|
-
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
|
|
850
|
-
PHASE 1 - 7 leads + sub-agents (all parallel)
|
|
851
|
-
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
|
|
852
|
-
|
|
853
|
-
Agent 1: threat-modeler
|
|
854
|
-
├── stride-pasta-analyst -> STRIDE matrix, PASTA 7 stages, LINDDUN, DREAD
|
|
855
|
-
├── attack-navigator -> ATT&CK Navigator layer + D3FEND countermeasures
|
|
856
|
-
├── business-logic-attacker -> attack trees per route/flow found in codebase
|
|
857
|
-
└── privacy-flow-analyst -> GDPR/HIPAA data flows, DPIA trigger check
|
|
858
|
-
Output: .mcp/agent-runs/{id}/threat-model.json
|
|
859
|
-
|
|
860
|
-
Agent 2: appsec-code-auditor
|
|
861
|
-
├── injection-specialist -> SQL/NoSQL/SSTI/OS cmd/CRLF/log injection
|
|
862
|
-
├── auth-session-hacker -> JWT algo confusion, SAML wrap, OAuth confusion
|
|
863
|
-
├── logic-race-fuzzer -> race conditions, integer overflow, mass assignment
|
|
864
|
-
└── serialization-memory-attacker -> prototype pollution, ReDoS, zip slip, sandbox escape
|
|
865
|
-
Output: .mcp/agent-runs/{id}/appsec-findings.json
|
|
866
|
-
|
|
867
|
-
Agent 3: cloud-infra-specialist
|
|
868
|
-
├── aws-penetration-tester -> IAM escalation, S3, Lambda, EKS (if AWS)
|
|
869
|
-
├── gcp-penetration-tester -> SA abuse, GCS, Cloud Run, GKE (if GCP)
|
|
870
|
-
├── azure-penetration-tester -> Managed Identity, AKS, Key Vault (if Azure)
|
|
871
|
-
└── k8s-container-escaper -> privileged pods, RBAC escape, hostPath (if K8s)
|
|
872
|
-
Output: .mcp/agent-runs/{id}/infra-findings.json
|
|
873
|
-
|
|
874
|
-
Agent 4: supply-chain-devsecops
|
|
875
|
-
├── dependency-confusion-attacker -> CVEs, CISA KEV, typosquatting, SBOM
|
|
876
|
-
├── cicd-pipeline-hijacker -> pull_request_target, mutable Actions, injection
|
|
877
|
-
└── artifact-integrity-analyst -> SLSA L3, Cosign signatures, provenance
|
|
878
|
-
Output: .mcp/agent-runs/{id}/supply-chain-findings.json
|
|
879
|
-
|
|
880
|
-
Agent 5: ai-llm-redteam (skipped if no AI stack detected)
|
|
881
|
-
├── prompt-injection-specialist -> direct + indirect injection, PoC payloads
|
|
882
|
-
├── model-extraction-attacker -> API abuse, cost amplification, rate limiting
|
|
883
|
-
├── rag-poisoning-specialist -> vector store isolation, metadata filter injection
|
|
884
|
-
└── agentic-loop-exploiter -> tool blast radius, loop hijacking, allowlist gaps
|
|
885
|
-
Output: .mcp/agent-runs/{id}/ai-findings.json
|
|
886
|
-
|
|
887
|
-
Agent 6: mobile-security-specialist (skipped if no mobile detected)
|
|
888
|
-
├── ios-security-auditor -> Keychain, ATS, Secure Enclave, Universal Links
|
|
889
|
-
├── android-penetration-tester -> manifest hardening, NSC, exported components
|
|
890
|
-
└── mobile-api-network-attacker -> cert pinning, API key extraction, token storage
|
|
891
|
-
Output: .mcp/agent-runs/{id}/mobile-findings.json
|
|
892
|
-
|
|
893
|
-
Agent 7: crypto-pki-specialist
|
|
894
|
-
├── tls-certificate-auditor -> TLS 1.3, AEAD ciphers, HSTS preload, OCSP, mTLS
|
|
895
|
-
├── algorithm-implementation-reviewer -> banned algos, Argon2id params, nonce reuse
|
|
896
|
-
└── key-management-lifecycle-analyst -> hardcoded keys, rotation, CMEK, post-quantum
|
|
897
|
-
Output: .mcp/agent-runs/{id}/crypto-findings.json
|
|
898
|
-
|
|
899
|
-
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
|
|
900
|
-
Wait for all Phase 1 agents to complete
|
|
901
|
-
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
|
|
902
|
-
|
|
903
|
-
PHASE 2 - adversarial + compliance (both parallel)
|
|
904
|
-
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
|
|
905
|
-
|
|
906
|
-
Agent 8: pentest-team (reads threat-model.json as attack brief)
|
|
907
|
-
├── pentest-web-api -> OWASP Testing Guide on every route found in codebase
|
|
908
|
-
├── pentest-infra -> privilege escalation graph, Terraform state, cloud posture
|
|
909
|
-
└── pentest-social -> OSINT on org, spear-phishing scenarios, insider threat model
|
|
910
|
-
Output: .mcp/agent-runs/{id}/pentest-report.json
|
|
911
|
-
|
|
912
|
-
Agent 9: compliance-grc (reads all Phase 1 findings)
|
|
913
|
-
├── evidence-collector -> logging schema verification, SIEM rules, audit trail
|
|
914
|
-
└── compliance-gap-analyst -> PCI DSS 4.0, SOC 2, ISO 27001, NIST 800-53, HIPAA, GDPR
|
|
915
|
-
Output: .mcp/agent-runs/{id}/compliance-report.json
|
|
916
|
-
|
|
917
|
-
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
|
|
918
|
-
Wait for Phase 2 agents to complete
|
|
919
|
-
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
|
|
920
|
-
|
|
921
|
-
PHASE 3 - synthesis (sequential)
|
|
922
|
-
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
|
|
923
|
-
|
|
924
|
-
orchestration.merge_agent_findings() -> deduplicate + sort CRITICAL->LOW
|
|
925
|
-
orchestration.verify_skill_coverage() -> check §1-§24 SKILL.md section coverage
|
|
926
|
-
security.attest_review() -> SHA-256 attestation written
|
|
927
|
-
|
|
928
|
-
Final report:
|
|
929
|
-
├── X CRITICAL / X HIGH / X MEDIUM / X LOW
|
|
930
|
-
├── Remediated inline: X Open: X
|
|
931
|
-
├── SKILL.md section coverage: XX%
|
|
932
|
-
├── Release blocked: yes / no
|
|
933
|
-
└── .mcp/reports/{runId}.attestation.json
|
|
934
|
-
```
|
|
935
|
-
|
|
936
|
-
### Agent Memory System
|
|
937
|
-
|
|
938
|
-
Every agent persists what it learns so each subsequent run is smarter:
|
|
939
|
-
|
|
940
|
-
```text
|
|
941
|
-
~/.security-mcp/agent-memory/{agentName}/
|
|
942
|
-
├── patterns.json ← confirmed attack patterns for this tech stack
|
|
943
|
-
├── false-positives.json ← findings to deprioritize on next run
|
|
944
|
-
├── remediations.json ← what fixes worked for this project
|
|
945
|
-
├── intel.json ← cached threat intel (refreshed every 24h)
|
|
946
|
-
└── errors.json ← tool failure log (used for self-healing)
|
|
947
|
-
```
|
|
948
|
-
|
|
949
|
-
### Data Written to Your Project
|
|
950
|
-
|
|
951
|
-
```text
|
|
952
|
-
.mcp/
|
|
953
|
-
├── reviews/{runId}.json ← review run state + step tracking
|
|
954
|
-
├── reports/{runId}.attestation.json ← SHA-256 auditable attestation
|
|
955
|
-
├── agent-runs/{agentRunId}/
|
|
956
|
-
│ ├── manifest.json ← all agent statuses + current phase
|
|
957
|
-
│ ├── threat-model.json
|
|
958
|
-
│ ├── appsec-findings.json
|
|
959
|
-
│ ├── infra-findings.json
|
|
960
|
-
│ ├── supply-chain-findings.json
|
|
961
|
-
│ ├── ai-findings.json
|
|
962
|
-
│ ├── mobile-findings.json
|
|
963
|
-
│ ├── crypto-findings.json
|
|
964
|
-
│ ├── pentest-report.json
|
|
965
|
-
│ ├── compliance-report.json
|
|
966
|
-
│ ├── sbom.cyclonedx.json
|
|
967
|
-
│ └── merged-findings.json ← Phase 3 deduplicated, sorted output
|
|
968
|
-
├── policies/security-policy.json
|
|
969
|
-
└── exceptions/security-exceptions.json
|
|
970
|
-
```
|
|
382
|
+
- **Signed policy, exceptions, and baseline.** These files are HMAC-signed. When the policy is not signed, the gate floors `severity_block` to HIGH/CRITICAL, so an unsigned edit cannot relax the gate to PASS.
|
|
383
|
+
- **Exceptions cannot quietly suppress.** By default an unsigned exceptions file may not suppress HIGH/CRITICAL findings. A break-glass env var exists for scanning intentionally-vulnerable fixtures.
|
|
384
|
+
- **Honest attestation.** Attestation refuses to sign unless the latest gate result is PASS with all required steps complete. There are no forged green attestations.
|
|
385
|
+
- **Verified inter-agent payloads.** The merge step that aggregates every agent's findings is the trust sink for a whole run, so it schema-validates each agent's findings file and checks its hash against that agent's signed attestation before trusting it. Findings dedupe keeps the highest severity per id, so a same-id low-severity entry cannot shadow a real CRITICAL. A tampered chain or a findings-hash mismatch forces FAIL. Set `SECURITY_REQUIRE_AGENT_ATTESTATION=1` to fail closed unless the run is HMAC-signed, fully attested, and clean — note that an *unsigned* attestation chain is only tamper-evident, not tamper-proof, against an attacker who can write the run directory, so the HMAC key is the real boundary.
|
|
386
|
+
- **Per-tool-call audit trail.** Every MCP tool call is logged as one structured JSONL record (timestamp, agent id, tool, inputs, output summary, session credential, outcome) to `.mcp/audit/tool-calls.jsonl`. Secret-bearing keys and secret-shaped values (in inputs and in the output preview) are scrubbed; failed auth attempts are recorded as such, not as successes; the log rotates at 50 MB and writing never interrupts a tool call. Set `SECURITY_TOOL_AUDIT_LOG` to forward to an append-only sink.
|
|
387
|
+
- **Locked-down data at rest.** Findings, agent memory, and signatures are written with `0o600` file permissions.
|
|
388
|
+
- **Prompt-injection defense.** Tool outputs that originate from the repo are sanitized before they reach an LLM.
|
|
389
|
+
- **Verified installer.** Downloaded scanner binaries are verified by SHA-256, unchecksummed binaries are refused, and there is no `curl | sh` install path.
|
|
390
|
+
- **Air-gap mode.** `SECURITY_OFFLINE=1` produces a fully offline run with no third-party egress.
|
|
971
391
|
|
|
972
392
|
---
|
|
973
393
|
|
|
974
|
-
## MCP
|
|
394
|
+
## MCP tools
|
|
975
395
|
|
|
976
|
-
Your AI
|
|
396
|
+
Your AI calls these automatically; you rarely invoke them by hand. There are around 40, grouped into three namespaces plus two MCP prompts.
|
|
977
397
|
|
|
978
|
-
###
|
|
398
|
+
### Most useful tools
|
|
979
399
|
|
|
980
|
-
| Tool |
|
|
400
|
+
| Tool | Purpose |
|
|
981
401
|
| --- | --- |
|
|
982
|
-
| `security.start_review` |
|
|
983
|
-
| `security.run_pr_gate` |
|
|
984
|
-
| `security.
|
|
985
|
-
| `security.
|
|
986
|
-
| `security.scan_strategy` |
|
|
987
|
-
| `security.
|
|
988
|
-
| `security.
|
|
989
|
-
| `security.
|
|
990
|
-
| `security.
|
|
991
|
-
| `security.
|
|
992
|
-
| `
|
|
993
|
-
| `
|
|
994
|
-
| `
|
|
995
|
-
| `
|
|
996
|
-
|
|
997
|
-
|
|
998
|
-
|
|
999
|
-
|
|
1000
|
-
|
|
1001
|
-
|
|
1002
|
-
|
|
1003
|
-
|
|
1004
|
-
|
|
1005
|
-
|
|
1006
|
-
|
|
1007
|
-
| `orchestration.read_agent_memory` | Loads an agent's prior patterns, false-positives, remediations, and cached intel |
|
|
1008
|
-
| `orchestration.write_agent_memory` | Persists newly learned patterns and remediations after a run |
|
|
1009
|
-
| `orchestration.check_updates` | Checks npm and the skills manifest for newer versions of security-mcp or installed skills |
|
|
1010
|
-
| `orchestration.apply_updates` | Returns update commands (manual) or instructions for the agent to run them (auto) |
|
|
1011
|
-
| `orchestration.verify_skill_coverage` | Reports which SKILL.md sections §1-§24 had zero coverage findings in this run |
|
|
402
|
+
| `security.start_review` | Open a stateful review run and get a `runId` |
|
|
403
|
+
| `security.run_pr_gate` | Run the gate, return PASS/FAIL with findings |
|
|
404
|
+
| `security.attest_review` | Write a SHA-256 attestation (PASS-gated) |
|
|
405
|
+
| `security.threat_model` | STRIDE + PASTA + ATT&CK model for a surface |
|
|
406
|
+
| `security.scan_strategy` | Map every check to OWASP/NIST/ATT&CK controls |
|
|
407
|
+
| `security.generate_policy` | Generate a policy tailored to your stack |
|
|
408
|
+
| `security.terraform_hardening_blueprint` | Terraform hardening baseline + mappings |
|
|
409
|
+
| `security.generate_opa_rego` | OPA/Rego for plans, pipelines, admission |
|
|
410
|
+
| `security.generate_compliance_report` | Map findings to SOC 2, PCI, ISO, NIST, HIPAA, GDPR |
|
|
411
|
+
| `security.generate_remediations` | Concrete fix template per finding |
|
|
412
|
+
| `repo.read_file` / `repo.search` | Read or search the codebase (guarded) |
|
|
413
|
+
| `orchestration.create_agent_run` | Stand up the multi-agent run + manifest |
|
|
414
|
+
| `orchestration.merge_agent_findings` | Dedupe and sort findings across agents |
|
|
415
|
+
| `orchestration.verify_skill_coverage` | Check §0-§24 SKILL.md coverage |
|
|
416
|
+
|
|
417
|
+
### Operational families
|
|
418
|
+
|
|
419
|
+
Beyond the tools above, the rest of the surface clusters into four families:
|
|
420
|
+
|
|
421
|
+
- **Model routing and budget.** `get_routing`, `get_model_for_task`, `track_usage`, `model_budget_status`, `get_provider_health`, `record_provider_failure`, `reset_provider_circuit`.
|
|
422
|
+
- **Learning and pattern memory.** `record_outcome`, `pattern_report`, `self_heal_loop`, plus `orchestration.read_agent_memory` / `write_agent_memory`.
|
|
423
|
+
- **Attestation hash chain.** `init_chain`, `attest_agent`, `verify_chain`, `get_chain`.
|
|
424
|
+
- **Caller auth and lifecycle.** `authenticate`, `logout`, plus update tools `orchestration.check_updates` / `apply_updates` and skill loading `orchestration.ensure_skill`.
|
|
425
|
+
|
|
426
|
+
Namespace counts: `security.*` (29 tools), `repo.*` (2), `orchestration.*` (9), and 2 MCP prompts.
|
|
1012
427
|
|
|
1013
428
|
---
|
|
1014
429
|
|
|
1015
|
-
##
|
|
430
|
+
## Frameworks
|
|
1016
431
|
|
|
1017
|
-
|
|
432
|
+
Every finding and fix maps to recognized standards. You do not need to know them to benefit; they are there so your evidence stands up to an auditor.
|
|
1018
433
|
|
|
1019
|
-
|
|
|
434
|
+
| Domain | Standards |
|
|
1020
435
|
| --- | --- |
|
|
1021
|
-
|
|
|
1022
|
-
|
|
|
1023
|
-
|
|
|
1024
|
-
|
|
|
1025
|
-
|
|
|
1026
|
-
|
|
|
1027
|
-
| **MITRE D3FEND** | Defensive countermeasure mapped to every ATT&CK technique in scope |
|
|
1028
|
-
| **MITRE ATLAS** | Adversarial ML/AI attack techniques |
|
|
1029
|
-
| **MITRE CAPEC** | Attack patterns used at design-time threat modeling |
|
|
1030
|
-
| **NIST 800-53 Rev 5** | Full US government security control catalog |
|
|
1031
|
-
| **NIST CSF 2.0** | Govern / Identify / Protect / Detect / Respond / Recover |
|
|
1032
|
-
| **NIST 800-207** | Zero Trust Architecture - every request authenticated and authorized |
|
|
1033
|
-
| **NIST 800-218 (SSDF)** | Secure Software Development Framework |
|
|
1034
|
-
| **NIST AI RMF** | AI risk management: Map, Measure, Manage, Govern |
|
|
1035
|
-
| **PCI DSS 4.0** | Payment card industry data security standard |
|
|
1036
|
-
| **SOC 2 Type II** | Trust Services Criteria (Security, Availability, Confidentiality, PI) |
|
|
1037
|
-
| **ISO 27001:2022 + 27002** | International information security management system |
|
|
1038
|
-
| **ISO 42001:2023** | AI management system - applied to all LLM/AI components |
|
|
1039
|
-
| **GDPR / CCPA / HIPAA** | Data privacy: consent, retention, breach notification, minimum necessary |
|
|
1040
|
-
| **SLSA Level 3** | Software supply chain security - hermetic builds, signed provenance |
|
|
1041
|
-
| **CIS Benchmarks Level 2** | Hardened cloud, OS, and container configurations |
|
|
1042
|
-
| **CVSS v4.0 + EPSS** | Vulnerability scoring and exploit probability - EPSS > 0.5 fixed within 48h |
|
|
436
|
+
| OWASP | Top 10 (Web + API), ASVS L2/L3, MASVS, Top 10 for LLMs, Testing Guide |
|
|
437
|
+
| MITRE | ATT&CK (Enterprise + Cloud + Mobile), D3FEND, ATLAS, CAPEC |
|
|
438
|
+
| NIST | 800-53 Rev 5, CSF 2.0, 800-207 Zero Trust, 800-218 SSDF, AI RMF, 800-131A |
|
|
439
|
+
| Compliance | PCI DSS 4.0, SOC 2 Type II, ISO 27001:2022 + 27002, ISO 42001:2023, GDPR / CCPA / HIPAA |
|
|
440
|
+
| Supply chain and cloud | SLSA Level 3, CIS Benchmarks L2, AWS FSBP, Microsoft Cloud Security Benchmark |
|
|
441
|
+
| Scoring | CVSS v4.0 + EPSS |
|
|
1043
442
|
|
|
1044
443
|
---
|
|
1045
444
|
|
|
1046
|
-
##
|
|
1047
|
-
|
|
1048
|
-
### Customize the Security Policy
|
|
445
|
+
## Policy and exceptions
|
|
1049
446
|
|
|
1050
|
-
The policy
|
|
447
|
+
The policy lives at `.mcp/policies/security-policy.json`. Copy the default to start:
|
|
1051
448
|
|
|
1052
449
|
```bash
|
|
1053
450
|
mkdir -p .mcp/policies
|
|
1054
451
|
cp node_modules/security-mcp/defaults/security-policy.json .mcp/policies/security-policy.json
|
|
1055
452
|
```
|
|
1056
453
|
|
|
1057
|
-
|
|
1058
|
-
|
|
1059
|
-
```json
|
|
1060
|
-
{
|
|
1061
|
-
"required_checks": {
|
|
1062
|
-
"secrets_scan": { "severity_block": ["HIGH", "CRITICAL"] },
|
|
1063
|
-
"dependency_scan": { "severity_block": ["CRITICAL"] },
|
|
1064
|
-
"sast": { "severity_block": ["CRITICAL"] },
|
|
1065
|
-
"iac_scan": { "severity_block": ["HIGH", "CRITICAL"] }
|
|
1066
|
-
},
|
|
1067
|
-
"vulnerability_slas": {
|
|
1068
|
-
"CRITICAL": "24h",
|
|
1069
|
-
"HIGH": "7d",
|
|
1070
|
-
"MEDIUM": "30d",
|
|
1071
|
-
"CISA_KEV": "24h"
|
|
1072
|
-
},
|
|
1073
|
-
"exceptions": {
|
|
1074
|
-
"require_ticket": true,
|
|
1075
|
-
"approval_roles": ["SecurityLead", "GRC", "CTO"]
|
|
1076
|
-
}
|
|
1077
|
-
}
|
|
1078
|
-
```
|
|
1079
|
-
|
|
1080
|
-
### Add a Security Exception
|
|
1081
|
-
|
|
1082
|
-
When you have a finding you've consciously accepted (e.g., a CVE in a library you're actively replacing):
|
|
1083
|
-
|
|
1084
|
-
```bash
|
|
1085
|
-
mkdir -p .mcp/exceptions
|
|
1086
|
-
cp node_modules/security-mcp/defaults/security-exceptions.json .mcp/exceptions/security-exceptions.json
|
|
1087
|
-
```
|
|
1088
|
-
|
|
1089
|
-
Edit `.mcp/exceptions/security-exceptions.json`:
|
|
454
|
+
Exceptions live at `.mcp/exceptions/security-exceptions.json`. Each entry needs `id`, `finding_ids`, `justification`, `ticket`, `owner`, `approver` (the owner cannot be the approver), `approval_role`, and `expires_on` (within 365 days):
|
|
1090
455
|
|
|
1091
456
|
```json
|
|
1092
457
|
{
|
|
@@ -1095,179 +460,137 @@ Edit `.mcp/exceptions/security-exceptions.json`:
|
|
|
1095
460
|
{
|
|
1096
461
|
"id": "EX-001",
|
|
1097
462
|
"finding_ids": ["DEP_CVE_CVE-2024-12345"],
|
|
1098
|
-
"justification": "Library being replaced
|
|
463
|
+
"justification": "Library being replaced next sprint; no public exploit",
|
|
1099
464
|
"ticket": "JIRA-9999",
|
|
1100
|
-
"owner": "
|
|
1101
|
-
"approver": "
|
|
465
|
+
"owner": "alice@example.com",
|
|
466
|
+
"approver": "bob@example.com",
|
|
1102
467
|
"approval_role": "SecurityLead",
|
|
1103
|
-
"expires_on": "
|
|
468
|
+
"expires_on": "2026-12-31"
|
|
1104
469
|
}
|
|
1105
470
|
]
|
|
1106
471
|
}
|
|
1107
472
|
```
|
|
1108
473
|
|
|
1109
|
-
|
|
474
|
+
Expired exceptions automatically become blocking findings until they are renewed or resolved.
|
|
1110
475
|
|
|
1111
476
|
---
|
|
1112
477
|
|
|
1113
|
-
## Environment
|
|
478
|
+
## Environment variables
|
|
1114
479
|
|
|
1115
|
-
###
|
|
480
|
+
### Gate and scope
|
|
1116
481
|
|
|
1117
482
|
| Variable | Default | Purpose |
|
|
1118
483
|
| --- | --- | --- |
|
|
1119
|
-
| `
|
|
484
|
+
| `SECURITY_GATE_POLICY` | `.mcp/policies/security-policy.json` | Policy file path |
|
|
485
|
+
| `SECURITY_GATE_MODE` | `recent_changes` | Scan mode |
|
|
486
|
+
| `SECURITY_GATE_TARGETS` | (changed files) | Comma-separated paths to restrict the scan |
|
|
1120
487
|
| `SECURITY_GATE_BASE_REF` | `origin/main` | Branch to diff against |
|
|
1121
488
|
| `SECURITY_GATE_HEAD_REF` | `HEAD` | Branch being scanned |
|
|
1122
|
-
| `
|
|
1123
|
-
| `SECURITY_GATE_SCANNERS` | built-in |
|
|
1124
|
-
| `
|
|
1125
|
-
| `
|
|
1126
|
-
| `SECURITY_GATE_TARGETS` | (all changed files) | Comma-separated file paths to restrict the scan surface |
|
|
489
|
+
| `SECURITY_GATE_EXCEPTIONS` | (default path) | Exceptions file path |
|
|
490
|
+
| `SECURITY_GATE_SCANNERS` | built-in | Custom scanner config path |
|
|
491
|
+
| `SECURITY_GATE_EVIDENCE_MAP` | (none) | Evidence-coverage map path |
|
|
492
|
+
| `SECURITY_GATE_CONTROL_CATALOG` | (none) | Control-catalog path |
|
|
1127
493
|
|
|
1128
|
-
###
|
|
494
|
+
### Integrity and signing
|
|
1129
495
|
|
|
1130
496
|
| Variable | Purpose |
|
|
1131
497
|
| --- | --- |
|
|
1132
|
-
| `
|
|
1133
|
-
| `
|
|
1134
|
-
| `
|
|
1135
|
-
| `
|
|
1136
|
-
| `
|
|
1137
|
-
| `
|
|
1138
|
-
|
|
1139
|
-
### Live Scanning (optional)
|
|
1140
|
-
|
|
1141
|
-
| Variable | Purpose |
|
|
1142
|
-
| --- | --- |
|
|
1143
|
-
| `SECURITY_STAGING_URL` | Enables live HTTP header and TLS checks against your staging environment |
|
|
1144
|
-
| `SECURITY_AI_ENDPOINT` | Enables live jailbreak, injection, PII, and rate-limit probes against your AI endpoint |
|
|
1145
|
-
| `SECURITY_AUTO_SBOM` | Set `true` to auto-generate a CycloneDX SBOM on each gate run |
|
|
1146
|
-
|
|
1147
|
-
---
|
|
1148
|
-
|
|
1149
|
-
## The 10 Rules That Are Never Broken
|
|
498
|
+
| `SECURITY_POLICY_HMAC_KEY` | Signs policy / exceptions / baseline (>=32 bytes) |
|
|
499
|
+
| `SECURITY_REQUIRE_SIGNED_EXCEPTIONS` | Fail closed on any unsigned exceptions file |
|
|
500
|
+
| `SECURITY_REQUIRE_AGENT_ATTESTATION` | Fail closed unless the agent run is signed + enforced + clean (see below) |
|
|
501
|
+
| `SECURITY_ALLOW_UNSIGNED_HIGH_SUPPRESSION` | Break-glass: allow unsigned HIGH/CRITICAL suppression |
|
|
502
|
+
| `SECURITY_ATTEST_ALLOW_INCOMPLETE` | Break-glass: attest without a complete PASS |
|
|
503
|
+
| `SECURITY_ATTEST_KEY` | Signs attestation files |
|
|
504
|
+
| `SECURITY_AUDIT_HMAC_KEY` | Signs the routing audit log and the per-agent attestation chain |
|
|
1150
505
|
|
|
1151
|
-
|
|
1152
|
-
|
|
1153
|
-
1. **No `0.0.0.0/0` firewall rules** - ingress and egress must be source-restricted
|
|
1154
|
-
2. **All internal services over private VPC only** - no public IPs for databases, queues, or internal APIs
|
|
1155
|
-
3. **Secrets in a secret manager only** - never in code, `.env` files, CI logs, or container images
|
|
1156
|
-
4. **TLS 1.3 for everything in transit** - TLS 1.0 and 1.1 are explicitly blocked
|
|
1157
|
-
5. **Passwords hashed with Argon2id or bcrypt (cost ≥ 14)** - MD5 and SHA-1 are forbidden
|
|
1158
|
-
6. **Every API input validated server-side with a schema** - no passing raw request data to business logic
|
|
1159
|
-
7. **No inline JavaScript** - Content Security Policy is nonce-based only; no `unsafe-inline` or `unsafe-eval`
|
|
1160
|
-
8. **Admin interfaces require FIDO2/WebAuthn passkey** - TOTP is not acceptable for admin access
|
|
1161
|
-
9. **Threat model before any auth, payment, or AI feature** - no design-free implementation
|
|
1162
|
-
10. **Zero Trust: every request authenticated and authorized regardless of origin** - no implicit network trust
|
|
1163
|
-
|
|
1164
|
-
---
|
|
1165
|
-
|
|
1166
|
-
## Troubleshooting
|
|
1167
|
-
|
|
1168
|
-
### The `/senior-security-engineer` command isn't available in my editor
|
|
1169
|
-
|
|
1170
|
-
**Cause:** The skill was not installed to `~/.claude/skills/`.
|
|
1171
|
-
|
|
1172
|
-
**Fix:** Re-run the installer:
|
|
1173
|
-
|
|
1174
|
-
```bash
|
|
1175
|
-
npx -y security-mcp@latest install
|
|
1176
|
-
```
|
|
506
|
+
### Observability
|
|
1177
507
|
|
|
1178
|
-
|
|
1179
|
-
|
|
1180
|
-
|
|
1181
|
-
ls ~/.claude/skills/senior-security-engineer/SKILL.md
|
|
1182
|
-
```
|
|
1183
|
-
|
|
1184
|
-
### The MCP server doesn't appear as connected
|
|
1185
|
-
|
|
1186
|
-
**Cause:** Config file was not written, or the editor wasn't restarted after config was written.
|
|
1187
|
-
|
|
1188
|
-
**Fix:**
|
|
1189
|
-
|
|
1190
|
-
1. Check the config file was written (see editor-specific paths in [Manual Configuration](#manual-configuration-any-mcp-editor))
|
|
1191
|
-
2. Fully restart the editor (quit and reopen, not just reload window)
|
|
1192
|
-
3. Check Node.js version: `node --version` - must be 20 or higher
|
|
1193
|
-
|
|
1194
|
-
### The CI gate fails with "cannot find module"
|
|
1195
|
-
|
|
1196
|
-
**Cause:** The dist files weren't included in the npm package, or you're referencing a path that doesn't exist.
|
|
508
|
+
| Variable | Default | Purpose |
|
|
509
|
+
| --- | --- | --- |
|
|
510
|
+
| `SECURITY_TOOL_AUDIT_LOG` | `.mcp/audit/tool-calls.jsonl` | Path for the per-tool-call structured audit log; point at an append-only / write-once sink for tamper-proof retention |
|
|
1197
511
|
|
|
1198
|
-
|
|
512
|
+
### Privacy and air-gap
|
|
1199
513
|
|
|
1200
|
-
|
|
514
|
+
| Variable | Purpose |
|
|
515
|
+
| --- | --- |
|
|
516
|
+
| `SECURITY_OFFLINE` | Disable all third-party network egress |
|
|
1201
517
|
|
|
1202
|
-
|
|
518
|
+
### MCP channel
|
|
1203
519
|
|
|
1204
|
-
|
|
520
|
+
| Variable | Default | Purpose |
|
|
521
|
+
| --- | --- | --- |
|
|
522
|
+
| `SECURITY_MCP_SHARED_SECRET` | (none) | Require caller auth on the MCP channel |
|
|
523
|
+
| `SECURITY_SESSION_TTL_MS` | 8h | Session lifetime, capped at 24h |
|
|
1205
524
|
|
|
1206
|
-
|
|
525
|
+
### Remediation
|
|
1207
526
|
|
|
1208
|
-
|
|
1209
|
-
|
|
1210
|
-
|
|
1211
|
-
"severity_block": ["CRITICAL"],
|
|
1212
|
-
"required_checks": ["secrets_scan"]
|
|
1213
|
-
}
|
|
1214
|
-
}
|
|
1215
|
-
```
|
|
527
|
+
| Variable | Purpose |
|
|
528
|
+
| --- | --- |
|
|
529
|
+
| `SECURITY_AGENTIC_QUARANTINE` | Handling for poisoned agent files: `strip`, `sanitize`, `quarantine`, or `off` |
|
|
1216
530
|
|
|
1217
|
-
###
|
|
531
|
+
### Integrations
|
|
1218
532
|
|
|
1219
|
-
|
|
1220
|
-
|
|
1221
|
-
|
|
533
|
+
| Variable | Purpose |
|
|
534
|
+
| --- | --- |
|
|
535
|
+
| `SECURITY_SLACK_WEBHOOK` | Post gate results to Slack |
|
|
536
|
+
| `SECURITY_JIRA_URL` | Create Jira tickets for failures |
|
|
537
|
+
| `SECURITY_JIRA_TOKEN` | Jira API token (never logged) |
|
|
538
|
+
| `SECURITY_JIRA_PROJECT` | Jira project key (default `SECURITY`) |
|
|
539
|
+
| `SECURITY_PAGERDUTY_KEY` | Page on-call for CRITICAL findings |
|
|
540
|
+
| `SECURITY_WEBHOOK_URL` | POST gate results as JSON to any URL |
|
|
1222
541
|
|
|
1223
|
-
|
|
542
|
+
### Live scanning
|
|
1224
543
|
|
|
1225
|
-
|
|
1226
|
-
|
|
1227
|
-
|
|
544
|
+
| Variable | Purpose |
|
|
545
|
+
| --- | --- |
|
|
546
|
+
| `SECURITY_STAGING_URL` | Enable runtime + Nuclei DAST against staging |
|
|
547
|
+
| `SECURITY_AI_ENDPOINT` | Enable live AI red-team probes |
|
|
548
|
+
| `SECURITY_AUTO_SBOM` | Auto-generate a CycloneDX SBOM each run |
|
|
1228
549
|
|
|
1229
550
|
---
|
|
1230
551
|
|
|
1231
|
-
##
|
|
1232
|
-
|
|
1233
|
-
**Q: Does this send my code to any external service?**
|
|
552
|
+
## The 10 non-negotiable rules
|
|
1234
553
|
|
|
1235
|
-
No
|
|
554
|
+
No matter what the AI is asked to build, these hold:
|
|
1236
555
|
|
|
1237
|
-
|
|
556
|
+
1. No `0.0.0.0/0` firewall rules. Ingress and egress are source-restricted.
|
|
557
|
+
2. Internal services live on a private VPC only, never on public IPs.
|
|
558
|
+
3. Secrets live in a secret manager only, never in code, `.env`, CI logs, or images.
|
|
559
|
+
4. TLS 1.3 for everything in transit. TLS 1.0 and 1.1 are blocked.
|
|
560
|
+
5. Passwords hashed with Argon2id, or bcrypt at cost 14 or higher.
|
|
561
|
+
6. Every API input validated server-side with a schema.
|
|
562
|
+
7. No inline JavaScript. Content Security Policy is nonce-based only.
|
|
563
|
+
8. Admin interfaces require FIDO2/WebAuthn.
|
|
564
|
+
9. Threat-model before any auth, payment, or AI feature.
|
|
565
|
+
10. Zero Trust: every request authenticated and authorized regardless of origin.
|
|
1238
566
|
|
|
1239
|
-
|
|
1240
|
-
|
|
1241
|
-
**Q: Will it slow down my development?**
|
|
1242
|
-
|
|
1243
|
-
For daily use with `/senior-security-engineer` on recent changes, a typical review takes seconds to a few minutes. The fix is inline - you don't need to context-switch to a separate tool.
|
|
1244
|
-
|
|
1245
|
-
**Q: What if it fixes something I don't want changed?**
|
|
1246
|
-
|
|
1247
|
-
Everything is in your git working tree. Review the diff with `git diff`, revert anything you disagree with (`git checkout -- <file>`), and add a security exception if the finding is a false positive or accepted risk.
|
|
1248
|
-
|
|
1249
|
-
**Q: Can I use this on an existing codebase with lots of issues?**
|
|
1250
|
-
|
|
1251
|
-
Yes. Use `security.generate_policy` to set appropriate thresholds for your current state, add exceptions for known-accepted technical debt, and use the gate's MEDIUM/LOW findings as a backlog rather than blockers.
|
|
567
|
+
---
|
|
1252
568
|
|
|
1253
|
-
|
|
569
|
+
## CLI reference
|
|
1254
570
|
|
|
1255
|
-
|
|
571
|
+
The `security-mcp` binary exposes:
|
|
1256
572
|
|
|
1257
|
-
|
|
573
|
+
| Command | Purpose |
|
|
574
|
+
| --- | --- |
|
|
575
|
+
| `serve` | Run the MCP server |
|
|
576
|
+
| `install` | Install for auto-detected editors |
|
|
577
|
+
| `install-global` | Install globally |
|
|
578
|
+
| `config` | Manage configuration |
|
|
579
|
+
| `doctor` (alias `verify`) | Health check |
|
|
580
|
+
| `autoharden` | Auto-remediate Terraform (`--dry-run` to preview) |
|
|
581
|
+
| `ci:pr-gate` | Run the gate in CI (non-zero exit on HIGH/CRITICAL) |
|
|
582
|
+
| `sign-policy` | HMAC-sign the active policy |
|
|
1258
583
|
|
|
1259
|
-
|
|
584
|
+
---
|
|
1260
585
|
|
|
1261
|
-
|
|
586
|
+
## Documentation and disclosure
|
|
1262
587
|
|
|
1263
|
-
|
|
588
|
+
- **Deep-dive docs:** the [GitHub Wiki](https://github.com/AbrahamOO/security-mcp/wiki).
|
|
589
|
+
- **Contributing:** [CONTRIBUTING.md](CONTRIBUTING.md).
|
|
590
|
+
- **Reporting a vulnerability in security-mcp itself:** see [SECURITY.md](SECURITY.md), which uses GitHub private security advisories for responsible disclosure.
|
|
1264
591
|
|
|
1265
592
|
---
|
|
1266
593
|
|
|
1267
|
-
## Contributing
|
|
1268
|
-
|
|
1269
|
-
See [CONTRIBUTING.md](CONTRIBUTING.md).
|
|
1270
|
-
|
|
1271
594
|
## License
|
|
1272
595
|
|
|
1273
|
-
[MIT](LICENSE)
|
|
596
|
+
[MIT](LICENSE)
|