security-mcp 1.1.4 → 1.3.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (158) hide show
  1. package/README.md +341 -1018
  2. package/defaults/checklists/ai.json +20 -1
  3. package/defaults/checklists/api.json +35 -1
  4. package/defaults/checklists/infra.json +34 -1
  5. package/defaults/checklists/mobile.json +23 -1
  6. package/defaults/checklists/payments.json +15 -1
  7. package/defaults/checklists/web.json +11 -1
  8. package/defaults/cloud-controls/aws.json +10712 -0
  9. package/defaults/cloud-controls/azure.json +7201 -0
  10. package/defaults/cloud-controls/gcp.json +4061 -0
  11. package/defaults/control-catalog.json +24 -0
  12. package/defaults/security-policy.json +2 -2
  13. package/dist/ci/pr-gate.js +22 -5
  14. package/dist/cli/index.js +73 -2
  15. package/dist/cli/install.js +4 -55
  16. package/dist/cli/onboarding.js +18 -10
  17. package/dist/gate/baseline.js +82 -7
  18. package/dist/gate/catalog.js +10 -2
  19. package/dist/gate/checks/agentic-instructions.js +515 -0
  20. package/dist/gate/checks/ai-governance.js +132 -0
  21. package/dist/gate/checks/ai.js +757 -39
  22. package/dist/gate/checks/auth-deep.js +920 -216
  23. package/dist/gate/checks/business-logic.js +751 -0
  24. package/dist/gate/checks/ci-pipeline.js +399 -4
  25. package/dist/gate/checks/cloud-controls.js +69 -0
  26. package/dist/gate/checks/crypto.js +423 -2
  27. package/dist/gate/checks/data-platform.js +954 -0
  28. package/dist/gate/checks/dependencies.js +582 -15
  29. package/dist/gate/checks/docker-deep.js +1236 -0
  30. package/dist/gate/checks/gitops.js +724 -0
  31. package/dist/gate/checks/graphql.js +201 -19
  32. package/dist/gate/checks/iac.js +1230 -0
  33. package/dist/gate/checks/infra.js +246 -1
  34. package/dist/gate/checks/injection-deep.js +827 -184
  35. package/dist/gate/checks/k8s.js +955 -2
  36. package/dist/gate/checks/mobile-android.js +917 -3
  37. package/dist/gate/checks/mobile-ios.js +797 -5
  38. package/dist/gate/checks/required-artifacts.js +194 -0
  39. package/dist/gate/checks/runtime.js +178 -0
  40. package/dist/gate/checks/secrets.js +256 -13
  41. package/dist/gate/checks/supply-chain-deep.js +787 -0
  42. package/dist/gate/checks/web-nextjs.js +572 -48
  43. package/dist/gate/cloud-controls/apply.js +115 -0
  44. package/dist/gate/cloud-controls/bicep.js +36 -0
  45. package/dist/gate/cloud-controls/cfn.js +125 -0
  46. package/dist/gate/cloud-controls/detect.js +104 -0
  47. package/dist/gate/cloud-controls/hcl.js +140 -0
  48. package/dist/gate/cloud-controls/types.js +87 -0
  49. package/dist/gate/diff.js +17 -5
  50. package/dist/gate/evidence.js +8 -1
  51. package/dist/gate/exceptions.js +202 -9
  52. package/dist/gate/findings.js +15 -2
  53. package/dist/gate/policy.js +316 -130
  54. package/dist/gate/threat-intel.js +6 -0
  55. package/dist/mcp/audit-chain.js +131 -28
  56. package/dist/mcp/auth.js +169 -0
  57. package/dist/mcp/learning.js +129 -4
  58. package/dist/mcp/model-router.js +161 -24
  59. package/dist/mcp/orchestration.js +377 -89
  60. package/dist/mcp/server.js +460 -69
  61. package/dist/mcp/tool-audit.js +193 -0
  62. package/dist/repo/fs.js +37 -1
  63. package/dist/repo/search.js +31 -6
  64. package/dist/review/store.js +56 -3
  65. package/dist/tests/run.js +124 -1
  66. package/package.json +9 -9
  67. package/skills/_TEMPLATE/SKILL.md +99 -0
  68. package/skills/advanced-dos-tester/SKILL.md +118 -0
  69. package/skills/agentic-instruction-auditor/SKILL.md +111 -0
  70. package/skills/agentic-loop-exploiter/SKILL.md +377 -0
  71. package/skills/ai-llm-redteam/SKILL.md +113 -0
  72. package/skills/ai-model-supply-chain-agent/SKILL.md +112 -0
  73. package/skills/algorithm-implementation-reviewer/SKILL.md +107 -0
  74. package/skills/android-penetration-tester/SKILL.md +464 -46
  75. package/skills/anti-replay-tester/SKILL.md +115 -0
  76. package/skills/appsec-code-auditor/SKILL.md +94 -0
  77. package/skills/artifact-integrity-analyst/SKILL.md +450 -0
  78. package/skills/attack-navigator/SKILL.md +476 -8
  79. package/skills/auth-session-hacker/SKILL.md +111 -0
  80. package/skills/aws-penetration-tester/SKILL.md +510 -0
  81. package/skills/azure-penetration-tester/SKILL.md +542 -3
  82. package/skills/binary-auth-validator/SKILL.md +120 -0
  83. package/skills/bot-detection-specialist/SKILL.md +118 -0
  84. package/skills/business-logic-attacker/SKILL.md +240 -0
  85. package/skills/capec-code-mapper/SKILL.md +93 -0
  86. package/skills/cert-pin-rotation-specialist/SKILL.md +121 -0
  87. package/skills/cicd-pipeline-hijacker/SKILL.md +414 -0
  88. package/skills/ciso-orchestrator/SKILL.md +465 -43
  89. package/skills/cloud-infra-specialist/SKILL.md +127 -0
  90. package/skills/compliance-gap-analyst/SKILL.md +431 -0
  91. package/skills/compliance-grc/SKILL.md +94 -0
  92. package/skills/compliance-lifecycle-tracker/SKILL.md +93 -0
  93. package/skills/container-hardening-auditor/SKILL.md +125 -0
  94. package/skills/credential-stuffing-specialist/SKILL.md +111 -0
  95. package/skills/crypto-pki-specialist/SKILL.md +96 -0
  96. package/skills/csa-ccm-mapper/SKILL.md +93 -0
  97. package/skills/csf2-governance-mapper/SKILL.md +93 -0
  98. package/skills/data-platform-auditor/SKILL.md +125 -0
  99. package/skills/deep-link-fuzzer/SKILL.md +118 -0
  100. package/skills/dependency-confusion-attacker/SKILL.md +424 -0
  101. package/skills/device-integrity-aggregator/SKILL.md +117 -0
  102. package/skills/dos-resilience-tester/SKILL.md +106 -0
  103. package/skills/dread-scorer/SKILL.md +93 -0
  104. package/skills/egress-policy-enforcer/SKILL.md +108 -0
  105. package/skills/evidence-collector/SKILL.md +107 -0
  106. package/skills/file-upload-attacker/SKILL.md +118 -0
  107. package/skills/gcp-penetration-tester/SKILL.md +510 -2
  108. package/skills/git-history-secret-scanner/SKILL.md +115 -0
  109. package/skills/gitops-delivery-auditor/SKILL.md +120 -0
  110. package/skills/iac-security-auditor/SKILL.md +125 -0
  111. package/skills/iam-privesc-graph-builder/SKILL.md +161 -0
  112. package/skills/incident-responder/SKILL.md +120 -0
  113. package/skills/injection-specialist/SKILL.md +111 -0
  114. package/skills/ios-security-auditor/SKILL.md +291 -0
  115. package/skills/json-ambiguity-tester/SKILL.md +145 -0
  116. package/skills/k8s-container-escaper/SKILL.md +406 -0
  117. package/skills/key-management-lifecycle-analyst/SKILL.md +107 -0
  118. package/skills/kill-switch-engineer/SKILL.md +111 -0
  119. package/skills/linddun-privacy-analyst/SKILL.md +111 -0
  120. package/skills/logic-race-fuzzer/SKILL.md +452 -0
  121. package/skills/mobile-api-network-attacker/SKILL.md +430 -0
  122. package/skills/mobile-binary-hardener/SKILL.md +111 -0
  123. package/skills/mobile-security-specialist/SKILL.md +94 -0
  124. package/skills/mobile-webview-auditor/SKILL.md +105 -0
  125. package/skills/model-extraction-attacker/SKILL.md +228 -0
  126. package/skills/multipart-abuse-tester/SKILL.md +93 -0
  127. package/skills/oauth-pkce-specialist/SKILL.md +113 -0
  128. package/skills/parser-exhaustion-tester/SKILL.md +151 -0
  129. package/skills/pentest-infra/SKILL.md +107 -0
  130. package/skills/pentest-social/SKILL.md +210 -0
  131. package/skills/pentest-team/SKILL.md +96 -0
  132. package/skills/pentest-web-api/SKILL.md +107 -0
  133. package/skills/privacy-flow-analyst/SKILL.md +243 -0
  134. package/skills/prompt-injection-specialist/SKILL.md +403 -0
  135. package/skills/quantum-migration-planner/SKILL.md +105 -0
  136. package/skills/rag-poisoning-specialist/SKILL.md +367 -0
  137. package/skills/registry-mirror-enforcer/SKILL.md +93 -0
  138. package/skills/rotation-validation-agent/SKILL.md +121 -0
  139. package/skills/samm-assessor/SKILL.md +94 -0
  140. package/skills/secrets-mask-bypass-tester/SKILL.md +109 -0
  141. package/skills/senior-security-engineer/SKILL.md +178 -0
  142. package/skills/serialization-memory-attacker/SKILL.md +341 -0
  143. package/skills/session-timeout-tester/SKILL.md +170 -0
  144. package/skills/slsa-level3-enforcer/SKILL.md +121 -0
  145. package/skills/slsa-provenance-enforcer/SKILL.md +111 -0
  146. package/skills/ssrf-detection-validator/SKILL.md +117 -0
  147. package/skills/step-up-auth-enforcer/SKILL.md +93 -0
  148. package/skills/stride-pasta-analyst/SKILL.md +429 -0
  149. package/skills/supply-chain-devsecops/SKILL.md +107 -0
  150. package/skills/threat-infrastructure-analyst/SKILL.md +93 -0
  151. package/skills/threat-modeler/SKILL.md +94 -0
  152. package/skills/tls-certificate-auditor/SKILL.md +582 -18
  153. package/skills/token-reuse-detector/SKILL.md +104 -0
  154. package/skills/trike-risk-modeler/SKILL.md +93 -0
  155. package/skills/unicode-homograph-tester/SKILL.md +93 -0
  156. package/skills/waf-rule-lifecycle-agent/SKILL.md +106 -0
  157. package/skills/webhook-security-tester/SKILL.md +111 -0
  158. package/skills/zero-trust-architect/SKILL.md +118 -0
package/README.md CHANGED
@@ -1,381 +1,288 @@
1
- # security-mcp - AI Security Engineer for Claude Code, Cursor, Copilot & Codex
1
+ # security-mcp
2
2
 
3
3
  [![npm version](https://img.shields.io/npm/v/security-mcp.svg)](https://www.npmjs.com/package/security-mcp)
4
4
  [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](LICENSE)
5
5
  [![Node.js](https://img.shields.io/badge/node-%3E%3D20-brightgreen.svg)](https://nodejs.org)
6
6
  [![CI](https://github.com/AbrahamOO/security-mcp/actions/workflows/security-gate.yml/badge.svg)](https://github.com/AbrahamOO/security-mcp/actions)
7
7
 
8
- **Stop shipping vulnerable code.**
8
+ An autonomous application-security engineering layer for AI-assisted development.
9
9
 
10
- **security-mcp** is a [Model Context Protocol (MCP)](https://modelcontextprotocol.io) server that gives your AI coding assistant the knowledge and tooling of a senior security engineer. Instead of just warning you about vulnerabilities, it **writes the secure code** - inline, immediately, every time.
10
+ security-mcp is a [Model Context Protocol](https://modelcontextprotocol.io) server that turns your AI coding assistant into a security engineer that does the work, not a linter that files tickets. It reads code the way an attacker does, writes the secure fix inline, and enforces a gate in CI so insecure code cannot merge. The operating mandate across the product is the same one a strong security hire would hold: roughly 90% fixing, 10% advisory.
11
11
 
12
- Works with **Claude Code, GitHub Copilot, Cursor, Codex, Replit**, and any MCP-compatible editor.
12
+ Platform and security teams can standardize their entire AppSec program on it. A solo founder can install it in a minute and ship safer code on day one. No security background is required to benefit, but nothing is dumbed down for the people who have one.
13
13
 
14
- > **One command to install. Zero security background required.**
15
-
16
- ---
17
-
18
- ## Table of Contents
19
-
20
- - [What's New in 1.1.4](#whats-new-in-114)
21
- - [What Problem Does This Solve?](#what-problem-does-this-solve)
22
- - [Who Is This For?](#who-is-this-for)
23
- - [Two Modes - Pick Your Depth](#two-modes---pick-your-depth)
24
- - [Quick Start - Install in 60 Seconds](#quick-start---install-in-60-seconds)
25
- - [Step-by-Step Installation Guide](#step-by-step-installation-guide)
26
- - [Claude Code](#step-by-step-claude-code)
27
- - [Cursor](#step-by-step-cursor)
28
- - [VS Code / GitHub Copilot](#step-by-step-vs-code--github-copilot)
29
- - [Windsurf](#step-by-step-windsurf)
30
- - [Manual Configuration](#manual-configuration-any-mcp-editor)
31
- - [Verify Your Installation](#verify-your-installation)
32
- - [How to Run Your First Security Review](#how-to-run-your-first-security-review)
33
- - [CI/CD Security Gate](#cicd-security-gate)
34
- - [What Gets Fixed Automatically](#what-gets-fixed-automatically)
35
- - [Architecture](#architecture)
36
- - [MCP Tools Reference](#mcp-tools-reference)
37
- - [Security Frameworks Applied](#security-frameworks-applied)
38
- - [Configuration](#configuration)
39
- - [Environment Variables](#environment-variables)
40
- - [The 10 Rules That Are Never Broken](#the-10-rules-that-are-never-broken)
41
- - [Troubleshooting](#troubleshooting)
42
- - [FAQ](#faq)
43
-
44
- ---
45
-
46
- ## What's New in 1.1.4
47
-
48
- ### 20 Checks (up from 18) - Deep Injection + Deep Auth Modules
49
-
50
- Two new deep-check modules run automatically for web and API surfaces:
51
-
52
- **`checkInjectionDeep`** — 11 new patterns: XXE (CWE-611), SSTI (CWE-94), prototype pollution (CWE-1321), open redirect (CWE-601), NoSQL operator injection (CWE-943), CRLF injection (CWE-113), unsafe YAML load (CWE-502), unsafe deserialization, path traversal (CWE-22), log injection (CWE-117), SSRF (CWE-918).
53
-
54
- **`checkAuthDeep`** — 12 new patterns: JWT algorithm confusion / `alg:none` (CWE-327), session fixation (CWE-384), OAuth missing state parameter (CWE-352), OAuth `redirect_uri` open redirect (CWE-601), PKCE not enforced (RFC 7636), hardcoded JWT secret (CWE-798), missing rate limit on auth endpoints (CWE-307), plaintext password comparison (CWE-256), SAML signature validation disabled (CWE-347), insecure cookie flags (CWE-1004/614), refresh token not rotated (CWE-613), JWT HS/RS confusion (CVE-2015-9235 pattern).
55
-
56
- ### Coverage Completeness Protocol (§0)
57
-
58
- Every security review now runs a mandatory 5-step protocol before reporting any result:
59
-
60
- 1. **Complete file inventory** — enumerate all source files into `coverage-manifest.json`; no attack class can be called CLEAN without checking every file.
61
- 2. **Taint tracking** — trace every user-controlled input (`req.body`, `req.query`, WebSocket, env, file uploads, external API responses) to all downstream sinks, classifying each SAFE / UNSAFE / UNRESOLVED.
62
- 3. **Negative assertions** — after each attack class: `ATTACK CLASS: {name} | FILES: N/N | PATTERNS: {list} | RESULT: CLEAN`.
63
- 4. **Fix verification loop** — after every fix, re-run the triggering check and confirm it no longer fires before advancing.
64
- 5. **All-or-nothing mandate** — every HIGH/CRITICAL finding is either FIXED (verified clean) or BLOCKED (risk-accepted, gate failing, remediation plan written to `deferred-fixes.json`).
65
-
66
- ### Enhanced Threat Model Template
67
-
68
- The `security.threat_model` tool now generates a more complete template including LINDDUN privacy threat analysis (Linking, Identifying, Non-repudiation, Detecting, Data Disclosure, Unawareness, Non-compliance), TRIKE risk matrix (actor-action-asset-risk), DREAD scoring, attack trees for the top 3 critical paths, adversary profiles mapped to ATT&CK techniques, and supply chain threat enumeration.
69
-
70
- ### Expanded Release Checklists
71
-
72
- All domain-specific release checklists now include:
73
-
74
- - **OAuth/OIDC** — PKCE with S256, state/nonce verification, exact-match `redirect_uri`, code reuse prevention, audience validation
75
- - **Business Logic** — idempotency keys on payment mutations, negative input validation, race condition testing for balance/quota/inventory
76
- - **Serialization/Injection** — XXE, SSTI, unsafe YAML, deserialization, prototype pollution, open redirect, CRLF in every checklist
77
- - **AI/LLM** — system prompt extraction resistance, multi-turn attack chains, multimodal injection, agentic tool allowlist, AML.T0054/T0057 mitigations
78
- - **Payments (PCI DSS 4.0)** — PAN masking, DOM mutation monitoring, EMV 3DS 2.2+, Magecart prevention (SRI on checkout pages)
79
- - **Observability Gate** (new) — anomaly detection baselines, SLO definitions for security events, alert fatigue review, runbook coverage
80
-
81
- ### Windsurf Support
82
-
83
- The installer now detects and configures Windsurf (`~/.windsurf/mcp.json`) automatically alongside Claude Code, Cursor, and VS Code.
84
-
85
- ### `doctor` Command
86
-
87
- Verify your installation health at any time:
14
+ Works with Claude Code, Cursor, VS Code / GitHub Copilot, Windsurf, Codex, Replit, and any MCP-compatible editor.
88
15
 
89
16
  ```bash
90
- npx -y security-mcp@latest doctor
17
+ npx -y security-mcp@latest install
91
18
  ```
92
19
 
93
- Checks Node.js version, editor configs, and skill files — prints PASS/FAIL per check with actionable fix commands.
94
-
95
20
  ---
96
21
 
97
- ## What Problem Does This Solve?
22
+ ## Table of Contents
98
23
 
99
- When you use an AI coding assistant to build features fast, security is easy to skip - not because you don't care, but because:
24
+ - [Why this exists](#why-this-exists)
25
+ - [What's new in 1.3.2](#whats-new-in-132)
26
+ - [System overview](#system-overview)
27
+ - [The two entry points](#the-two-entry-points)
28
+ - [/senior-security-engineer](#senior-security-engineer)
29
+ - [/ciso-orchestrator](#ciso-orchestrator)
30
+ - [The gate engine](#the-gate-engine)
31
+ - [Cloud security controls engine](#cloud-security-controls-engine)
32
+ - [Install](#install)
33
+ - [CI/CD gate](#cicd-gate)
34
+ - [Built for teams](#built-for-teams)
35
+ - [Self-protection and supply-chain posture](#self-protection-and-supply-chain-posture)
36
+ - [MCP tools](#mcp-tools)
37
+ - [Frameworks](#frameworks)
38
+ - [Policy and exceptions](#policy-and-exceptions)
39
+ - [Environment variables](#environment-variables)
40
+ - [The 10 non-negotiable rules](#the-10-non-negotiable-rules)
41
+ - [CLI reference](#cli-reference)
42
+ - [Documentation and disclosure](#documentation-and-disclosure)
43
+ - [License](#license)
100
44
 
101
- - Security is deep expertise that takes years to develop
102
- - Most AI assistants write working code but don't enforce secure code
103
- - Static analysis tools flag problems but don't fix them
104
- - Hiring a security team or running a pentest is expensive and slow
45
+ ---
105
46
 
106
- **security-mcp closes that gap.** It integrates a security enforcement layer directly into your AI assistant. Every code change, every PR, every new feature gets reviewed against OWASP, MITRE ATT&CK, NIST, PCI DSS, and 16 other frameworks - and the AI writes the fix immediately.
47
+ ## Why this exists
107
48
 
108
- **The result:** You ship faster AND more securely. No security background required.
49
+ Most security tooling stops at detection. It produces a list, hands it to a human, and waits. That model breaks down when AI assistants are writing the majority of the code, because the volume of change outpaces anyone's ability to triage a backlog by hand.
109
50
 
110
- ---
51
+ security-mcp inverts the default. When it finds a vulnerability it writes the production-ready fix into your working tree, re-runs the check to confirm the issue cleared, and only then moves on. The same engine runs as a deterministic gate in CI, so the contract is simple: HIGH and CRITICAL findings do not merge.
111
52
 
112
- ## Who Is This For?
53
+ You get three things from one install:
113
54
 
114
- - **Vibe coders and solo founders** building fast who need security to just work without slowing them down
115
- - **Full-stack developers** who know their code works but aren't sure if it's safe
116
- - **Startups and small teams** shipping web apps, mobile apps, APIs, and SaaS products
117
- - **AI-assisted developers** using Claude Code, Copilot, Cursor, or Codex to write most of their code
118
- - **Teams preparing for SOC 2, PCI DSS, or ISO 27001 audits** who need evidence and gap analysis
119
- - **Security-conscious engineers** who want systematic coverage, not ad-hoc reviews
120
- - **Anyone who's shipped code and thought "wait, is this actually secure?"**
55
+ - An interactive security engineer that fixes code inside your editor.
56
+ - A multi-agent security program that runs a full audit on demand.
57
+ - A standalone CI gate that needs no AI session to enforce the line.
121
58
 
122
59
  ---
123
60
 
124
- ## Two Modes - Pick Your Depth
125
-
126
- ### `/senior-security-engineer` - Your Daily Security Expert
127
-
128
- A single elite security engineer agent that reviews your code, finds vulnerabilities, and writes the fix immediately. You choose the scope: just your recent changes, your whole codebase, or specific files and folders. It covers secrets, dependencies, cryptography, injection, authentication, web headers, cloud config, AI/LLM safety, mobile, and more - all in parallel. Every finding gets an inline code fix, not a suggestion. Finishes with a SHA-256 attested report you can keep as an audit trail.
61
+ ## What's new in 1.3.2
129
62
 
130
- **Use this on every PR. Use it before you push. Use it when something feels off.**
63
+ **Cloud security controls engine.** A registry-driven engine that scans infrastructure-as-code against 998 rules mapped to AWS FSBP, CIS Benchmarks (AWS / GCP / Azure), and the Microsoft Cloud Security Benchmark, across Terraform, CloudFormation, and Bicep. Terraform violations can be auto-remediated with `security-mcp autoharden`. See [the dedicated section](#cloud-security-controls-engine).
131
64
 
132
- ### `/ciso-orchestrator` - A Full Security Program in One Command
65
+ **Two new CLI commands.** `security-mcp ci:pr-gate` runs the gate directly from `npx` and exits non-zero on HIGH/CRITICAL. `security-mcp sign-policy` HMAC-signs the active policy so tampering is detected at gate startup.
133
66
 
134
- 39 specialist agents across 3 phases. Phase 1: 7 lead agents run in parallel, each commanding its own team of sub-agents — threat modeling, deep code analysis, cloud infrastructure, supply chain, AI/LLM red team, mobile, and cryptography. Phase 2: adversarial penetration testing and compliance synthesis run in parallel after Phase 1 completes. Phase 3: findings are merged, deduplicated, and attested. Every domain has a dedicated specialist an injection attacker, a JWT/OAuth hacker, a cloud privilege escalation analyst, a prompt injection specialist, a TLS auditor, a pentest team that reads the threat model as its attack brief, and a compliance analyst mapping every finding to PCI DSS 4.0, SOC 2, ISO 27001, NIST 800-53, HIPAA, and GDPR. Agents learn from each run and improve over time. 86 specialist skills registered in the registry — loaded on demand based on detected stack. Optionally fetches live CVE, CISA KEV, and ATT&CK data. Produces a merged findings report with full compliance mapping and a signed attestation.
67
+ **The tool hardened itself.** An unsigned policy can no longer relax the gate to PASS (severity_block is floored to HIGH/CRITICAL). An unsigned exceptions file can no longer suppress HIGH/CRITICAL by default. Attestation refuses to sign anything that is not a clean PASS. There is a fully offline mode, a checksum-verified installer with no `curl | sh` path, and data at rest is written with `0o600` permissions. Details in [self-protection and supply-chain posture](#self-protection-and-supply-chain-posture).
135
68
 
136
- **Use this before major releases, compliance audits, or security reviews. -> [See the full 39-agent architecture](#ciso-orchestrator-flow-39-agents)**
69
+ Earlier releases expanded the deep-analysis pattern libraries (injection, authentication, supply chain, business logic), brought OWASP Top 10 to full coverage, and wired the industry scanners into the gate.
137
70
 
138
71
  ---
139
72
 
140
- | | `/senior-security-engineer` | `/ciso-orchestrator` |
141
- | --- | --- | --- |
142
- | **What it is** | Single expert agent | 39-agent multi-phase security program |
143
- | **Best for** | Daily development, PR reviews, targeted hardening | Pre-launch audits, compliance prep, incident response |
144
- | **Speed** | Seconds to minutes | Minutes to hours |
145
- | **Scope** | You choose: recent changes, full codebase, or specific files | Always full - every surface, every framework |
146
- | **Agents** | 1 | 39 (9 leads + 30 sub-agents) |
147
- | **Output** | Inline code fixes + SHA-256 attestation | Full domain reports + merged findings + attestation |
148
- | **API cost** | Low | High |
149
- | **Internet** | Not required | Optional (enriches findings with live CVEs, CISA KEV, MITRE ATT&CK) |
150
-
151
- **Rule of thumb:** Use `/senior-security-engineer` on every PR. Use `/ciso-orchestrator` before major releases or compliance deadlines.
73
+ ## System overview
152
74
 
153
- ---
75
+ ```mermaid
76
+ graph TD
77
+ subgraph Editor["Your editor (Claude Code, Cursor, VS Code, ...)"]
78
+ A["/senior-security-engineer"]
79
+ B["/ciso-orchestrator"]
80
+ end
154
81
 
155
- ## Quick Start - Install in 60 Seconds
82
+ A -->|MCP stdio| S["MCP server"]
83
+ B -->|MCP stdio| S
156
84
 
157
- ```bash
158
- npx -y security-mcp@latest install
159
- ```
85
+ S --> G["Gate engine (35 checks)"]
86
+ S --> O["Orchestration (39+ agents)"]
87
+ S --> C["Cloud controls (998 rules)"]
88
+ S --> P["Platform subsystems"]
160
89
 
161
- Restart your editor. Then in Claude Code:
90
+ G --> AT["SHA-256 attestation"]
91
+ O --> AT
92
+ P --> R["Model router / learning / hash chain / auth"]
162
93
 
163
- ```text
164
- /senior-security-engineer
94
+ CI["CI: security-mcp ci:pr-gate"] --> G
165
95
  ```
166
96
 
167
- That's it. The engineer will ask how you want to scope the review, then find and fix security issues in your code.
168
-
169
- For a full 39-agent deep audit:
170
-
171
- ```text
172
- /ciso-orchestrator
173
- ```
97
+ The MCP server is the trust root. Both entry-point skills, the standalone CI gate, and every supporting subsystem call into the same engine, so an interactive fix and a CI verdict are produced by identical logic.
174
98
 
175
99
  ---
176
100
 
177
- ## Step-by-Step Installation Guide
101
+ ## The two entry points
178
102
 
179
- ### Step-by-Step: Claude Code
103
+ You drive security-mcp through two skills. One is your daily security engineer. The other is a full security program you run when the stakes are high.
180
104
 
181
- **Prerequisite:** Node.js 20+ installed. Check with `node --version`.
105
+ | | `/senior-security-engineer` | `/ciso-orchestrator` |
106
+ | --- | --- | --- |
107
+ | Shape | One elite engineer agent | 39 named agents, 40+ at runtime |
108
+ | Best for | Every PR, targeted hardening | Pre-release audits, compliance prep |
109
+ | Scope | You pick: diff, full codebase, or specific paths | Full: every surface, every framework |
110
+ | Speed | Seconds to minutes | Minutes to hours |
111
+ | Output | Inline fixes + SHA-256 attested report | Merged findings, compliance mapping, signed attestation |
112
+ | Network | Not required | Optional live threat intel |
182
113
 
183
- **Step 1 - Run the installer:**
114
+ Rule of thumb: run `/senior-security-engineer` on every PR, and `/ciso-orchestrator` before a release or an audit.
184
115
 
185
- ```bash
186
- npx -y security-mcp@latest install --claude-code
187
- ```
116
+ ### /senior-security-engineer
188
117
 
189
- This writes the MCP server config to `~/.claude/settings.json`.
118
+ A single elite security-engineer agent. It operates 90% fixing, 10% advisory: it writes the secure code rather than handing you a report to act on. You pick the scope at the start (recent changes via git diff, the full codebase, or specific files and folders), and it runs a strategy pass, then the gate, then inline fixes, and finishes with a SHA-256 attested report you can keep as an audit artifact.
190
119
 
191
- **Step 2 - Verify the config was written:**
120
+ This is the daily driver. Use it on every PR.
192
121
 
193
- ```bash
194
- cat ~/.claude/settings.json
122
+ ```mermaid
123
+ graph TD
124
+ U["Invoke /senior-security-engineer"] --> SC{"Pick scope"}
125
+ SC -->|A| D["Recent changes / git diff"]
126
+ SC -->|B| F["Full codebase"]
127
+ SC -->|C| P["Specific files / folders"]
128
+ D --> ST["Build strategy"]
129
+ F --> ST
130
+ P --> ST
131
+ ST --> GT["Run gate"]
132
+ GT --> FX["Write inline fixes"]
133
+ FX --> RV["Re-run check, confirm clean"]
134
+ RV -->|remaining| FX
135
+ RV -->|clean| AT["SHA-256 attested report"]
195
136
  ```
196
137
 
197
- You should see:
138
+ ### /ciso-orchestrator
198
139
 
199
- ```json
200
- {
201
- "mcpServers": {
202
- "security-mcp": {
203
- "command": "npx",
204
- "args": ["-y", "security-mcp@latest", "serve"]
205
- }
206
- }
207
- }
208
- ```
140
+ A full security program in one command, held to the same 90% fixing, 10% advisory mandate as the single agent: every specialist writes the fix rather than filing a finding. Nine specialist lead agents command 30 sub-agents, for 39 named agents in the static spawn tree. At runtime the orchestrator dynamically spawns additional ghost and coverage agents based on cross-domain findings, so a real run typically fields 40 or more. It draws on a registry of 91 specialist skills (registry version 1.6.0), loaded on demand based on your detected stack, and covers PCI DSS 4.0, SOC 2, ISO 27001, NIST 800-53, HIPAA, and GDPR mapping.
209
141
 
210
- **Step 3 - Restart Claude Code** to pick up the new MCP server.
142
+ It runs in three phases:
211
143
 
212
- **Step 4 - Verify the tools loaded.** In Claude Code, run:
144
+ 1. **Discovery (parallel).** Seven leads run at once: threat modeling, AppSec code audit, cloud and infrastructure, supply chain, AI/LLM red team, mobile, and crypto/PKI.
145
+ 2. **Adversarial and compliance (parallel).** A penetration-test team reads Phase 1's threat model as its attack brief, while a compliance/GRC synthesizer maps findings to controls.
146
+ 3. **Synthesis.** Each agent's findings file is schema-validated and verified against that agent's signed attestation before it is trusted, then findings are merged and deduplicated, SKILL.md section coverage (§0 through §24) is verified, and a signed attestation is written. A tampered attestation chain or a findings-hash mismatch forces the gate to FAIL.
213
147
 
214
- ```text
215
- /mcp
216
- ```
148
+ ```mermaid
149
+ graph TD
150
+ ORCH["CISO orchestrator"] --> P1
151
+ ORCH --> P2
152
+ ORCH --> P3
217
153
 
218
- You should see `security-mcp` listed as a connected server with `security.*`, `orchestration.*`, and `repo.*` tools available.
154
+ subgraph P1["Phase 1: discovery (parallel)"]
155
+ TM["threat-modeler"] --> TM1["stride-pasta-analyst"] & TM2["attack-navigator"] & TM3["business-logic-attacker"] & TM4["privacy-flow-analyst"]
156
+ AC["appsec-code-auditor"] --> AC1["injection-specialist"] & AC2["auth-session-hacker"] & AC3["logic-race-fuzzer"] & AC4["serialization-memory-attacker"]
157
+ CI["cloud-infra-specialist"] --> CI1["aws/gcp/azure-pentester"] & CI2["k8s-container-escaper"]
158
+ SD["supply-chain-devsecops"] --> SD1["dependency-confusion-attacker"] & SD2["cicd-pipeline-hijacker"] & SD3["artifact-integrity-analyst"]
159
+ AI["ai-llm-redteam"] --> AI1["prompt-injection-specialist"] & AI2["model-extraction-attacker"] & AI3["rag-poisoning-specialist"] & AI4["agentic-loop-exploiter"]
160
+ MB["mobile-security-specialist"] --> MB1["ios-security-auditor"] & MB2["android-penetration-tester"] & MB3["mobile-api-network-attacker"]
161
+ CR["crypto-pki-specialist"] --> CR1["tls-certificate-auditor"] & CR2["algorithm-implementation-reviewer"] & CR3["key-management-lifecycle-analyst"]
162
+ end
219
163
 
220
- **Step 5 - Run your first security review:**
164
+ subgraph P2["Phase 2: adversarial + compliance (parallel)"]
165
+ PT["pentest-team"] --> PT1["pentest-web-api"] & PT2["pentest-infra"] & PT3["pentest-social"]
166
+ GRC["compliance-grc"] --> GRC1["evidence-collector"] & GRC2["compliance-gap-analyst"]
167
+ end
221
168
 
222
- ```text
223
- /senior-security-engineer
169
+ subgraph P3["Phase 3: synthesis"]
170
+ M["Verify attestations + merge + dedupe"] --> V["Verify §0-§24 coverage"] --> A["Signed attestation"]
171
+ end
224
172
  ```
225
173
 
226
- The agent will ask:
227
-
228
- - **A) Recent changes** - scans only what changed since your last commit (fastest, use daily)
229
- - **B) Full codebase** - scans everything (use for new projects or after major changes)
230
- - **C) Specific files or folders** - scans exactly what you specify
231
-
232
- Pick one and let it run.
174
+ Cloud, AI/LLM, and mobile sub-agents are conditional: they activate only when the relevant stack is detected, and report N/A otherwise.
233
175
 
234
176
  ---
235
177
 
236
- ### Step-by-Step: Cursor
178
+ ## The gate engine
237
179
 
238
- **Step 1 - Run the installer:**
180
+ The gate is the deterministic core. On every run it executes 35 security checks in parallel (33 distinct check modules plus 2 precomputed coverage feeds). It is surface-aware: it first detects which surfaces a change touches (web, API, infrastructure, iOS, Android, AI/LLM, agentic) and runs the relevant checks against them.
239
181
 
240
- ```bash
241
- npx -y security-mcp@latest install --cursor
182
+ ```mermaid
183
+ graph TD
184
+ PL["Load policy (HMAC-verified)"] --> SC["Resolve scope"]
185
+ SC --> CT["Classify change type"]
186
+ CT -->|docs-only| SS["Secrets scan only"]
187
+ CT -->|code| DS["Detect surfaces"]
188
+ DS --> CAT["Load catalog + scanner readiness + evidence coverage"]
189
+ CAT --> RUN["Run 35 checks in parallel"]
190
+ RUN --> SLA["Assign risk SLAs"]
191
+ SLA --> CM["Build coverage manifest"]
192
+ CM --> EX["Apply exceptions"]
193
+ EX --> CONF["Confidence score (70% coverage + 30% scanner)"]
194
+ CONF --> BL["Diff against baseline"]
195
+ BL --> VR{"Verdict by severity_block"}
196
+ VR --> PB["Persist new baseline"]
197
+ SS --> VR
242
198
  ```
243
199
 
244
- This writes to `~/.cursor/mcp.json`.
200
+ A crashed check module never disappears quietly. It becomes a HIGH coverage-gap finding, so the absence of a result is itself a result. A control that regresses from satisfied to missing against the saved baseline also becomes a HIGH finding.
245
201
 
246
- **Step 2 - Verify:**
202
+ ### Deep-analysis modules
247
203
 
248
- ```bash
249
- cat ~/.cursor/mcp.json
250
- ```
251
-
252
- Expected output:
253
-
254
- ```json
255
- {
256
- "mcpServers": {
257
- "security-mcp": {
258
- "command": "npx",
259
- "args": ["-y", "security-mcp@latest", "serve"]
260
- }
261
- }
262
- }
263
- ```
204
+ | Module | Patterns | What it targets |
205
+ | --- | --- | --- |
206
+ | Deep injection | 42 | SQL/NoSQL, SSTI, SpEL/OGNL, deserialization, CRLF, SSRF, and more |
207
+ | Deep authentication | 43 | JWT confusion, session and OAuth flaws, weak hashing, token entropy |
208
+ | Deep supply chain | 32 | Obfuscated payloads, malicious scripts, exfiltration channels |
209
+ | Business logic | 31 | IDOR, race conditions, payment and e-commerce abuse |
210
+ | Data platform | 47 | Databricks and Snowflake misconfiguration |
211
+ | Deep Docker | 49 | Container build and runtime hardening |
212
+ | GitOps | 41 | ArgoCD and Flux pipeline integrity |
213
+ | Agentic-instruction integrity | 11 | Poisoned AI agent instruction files |
214
+ | AI governance | 3 | Shadow-AI and data-to-LLM exfiltration |
264
215
 
265
- **Step 3 - Restart Cursor.**
216
+ Alongside these, the gate runs Kubernetes (70 checks), IaC (56), and dedicated modules for secrets, dependencies, crypto, web/Next.js, API, mobile (iOS and Android), GraphQL, database, DLP, SBOM, an incident-response playbook, runtime/DAST, CI pipeline hardening, and a Nuclei DAST integration.
266
217
 
267
- **Step 4 - Open Cursor's MCP panel** (Settings -> MCP) and confirm `security-mcp` shows as connected.
218
+ ### Scanner orchestration and threat intel
268
219
 
269
- **Step 5 - In the Cursor AI chat, type:**
220
+ When they are present on the host, the gate orchestrates industry scanners: gitleaks, semgrep, trivy, osv-scanner, checkov, conftest, and zaproxy. Their results fold into the same findings model.
270
221
 
271
- ```text
272
- Use /senior-security-engineer to review my recent changes
273
- ```
222
+ Live threat intelligence (cached for 24 hours) enriches the verdict: CISA KEV, EPSS (a score above 0.5 escalates severity), OpenSSF Scorecard, and the npm registry. Set `SECURITY_OFFLINE=1` to disable all third-party egress. Private and internal scoped package names are never sent to public endpoints, online or off.
274
223
 
275
224
  ---
276
225
 
277
- ### Step-by-Step: VS Code / GitHub Copilot
278
-
279
- **Step 1 - Run the installer:**
280
-
281
- ```bash
282
- npx -y security-mcp@latest install --vscode
283
- ```
284
-
285
- This writes to your VS Code user `settings.json`.
226
+ ## Cloud security controls engine
286
227
 
287
- **Step 2 - Verify in VS Code:**
228
+ A registry-driven engine scans infrastructure-as-code against 998 rules mapped to AWS Foundational Security Best Practices (FSBP), CIS Benchmarks for AWS, GCP, and Azure, and the Microsoft Cloud Security Benchmark.
288
229
 
289
- Open Command Palette (`Cmd+Shift+P` / `Ctrl+Shift+P`) -> `Preferences: Open User Settings (JSON)`.
290
-
291
- You should see:
292
-
293
- ```json
294
- {
295
- "mcp.servers": {
296
- "security-mcp": {
297
- "command": "npx",
298
- "args": ["-y", "security-mcp@latest", "serve"]
299
- }
300
- }
301
- }
302
- ```
303
-
304
- **Step 3 - Restart VS Code.**
305
-
306
- **Step 4 - In GitHub Copilot Chat, type:**
307
-
308
- ```text
309
- @security-mcp run /senior-security-engineer on recent changes
310
- ```
230
+ | Coverage | Rules |
231
+ | --- | --- |
232
+ | AWS | 483 |
233
+ | Azure | 320 |
234
+ | GCP | 195 |
235
+ | Terraform / HCL | 774 |
236
+ | CloudFormation | 128 |
237
+ | Bicep | 96 |
238
+
239
+ ```mermaid
240
+ graph TD
241
+ IAC["IaC files (TF / CFN / Bicep)"] --> DET["Detect against 998-rule registry"]
242
+ DET --> V["Violations"]
243
+ V --> AF{"Safe to auto-fix?"}
244
+ AF -->|yes, Terraform| FIX["Apply fix"]
245
+ FIX --> RD["Re-detect"]
246
+ RD -->|cleared| KEEP["Keep change"]
247
+ RD -->|not cleared| REV["Revert, report manual"]
248
+ AF -->|no| MAN["Manual action + snippet"]
249
+ ```
250
+
251
+ Terraform supports auto-remediation through `security-mcp autoharden` (use `--dry-run` to preview). The engine applies a fix, re-detects to confirm the violation actually cleared, and only then keeps the change. Anything it cannot safely auto-fix is reported as a manual action with a code snippet.
311
252
 
312
253
  ---
313
254
 
314
- ### Step-by-Step: Windsurf
255
+ ## Install
315
256
 
316
- **Step 1 - Run the installer:**
257
+ Prerequisite: Node.js 20 or higher (`node --version`).
317
258
 
318
259
  ```bash
319
260
  npx -y security-mcp@latest install
320
261
  ```
321
262
 
322
- This auto-detects Windsurf and writes to `~/.windsurf/mcp.json`.
323
-
324
- **Step 2 - Verify:**
325
-
326
- ```bash
327
- cat ~/.windsurf/mcp.json
328
- ```
329
-
330
- Expected output:
263
+ The installer auto-detects Claude Code, Cursor, VS Code, and Windsurf, and writes the config to the right place. Restart your editor, then run a review:
331
264
 
332
- ```json
333
- {
334
- "mcpServers": {
335
- "security-mcp": {
336
- "command": "npx",
337
- "args": ["-y", "security-mcp@latest", "serve"]
338
- }
339
- }
340
- }
265
+ ```text
266
+ /senior-security-engineer
341
267
  ```
342
268
 
343
- **Step 3 - Restart Windsurf.**
344
-
345
- **Step 4 - In the Windsurf AI chat, type:**
269
+ For a full audit:
346
270
 
347
271
  ```text
348
- Use /senior-security-engineer to review my recent changes
272
+ /ciso-orchestrator
349
273
  ```
350
274
 
351
- ---
352
-
353
- ### Manual Configuration (Any MCP Editor)
354
-
355
- If the installer doesn't detect your editor, or you prefer to configure manually:
356
-
357
- **Step 1 - Print the config snippet:**
275
+ Confirm the install is healthy at any time:
358
276
 
359
277
  ```bash
360
- npx -y security-mcp@latest config
278
+ npx -y security-mcp@latest doctor
361
279
  ```
362
280
 
363
- **Step 2 - Copy the output** and paste it into your editor's MCP configuration file.
364
-
365
- **Claude Code** (`~/.claude/settings.json`):
281
+ ### Manual config
366
282
 
367
- ```json
368
- {
369
- "mcpServers": {
370
- "security-mcp": {
371
- "command": "npx",
372
- "args": ["-y", "security-mcp@latest", "serve"]
373
- }
374
- }
375
- }
376
- ```
283
+ Add the server to your editor's MCP config and restart.
377
284
 
378
- **Cursor** (`~/.cursor/mcp.json`):
285
+ Claude Code (`~/.claude/settings.json`), Cursor (`~/.cursor/mcp.json`), Windsurf (`~/.windsurf/mcp.json`):
379
286
 
380
287
  ```json
381
288
  {
@@ -388,7 +295,7 @@ npx -y security-mcp@latest config
388
295
  }
389
296
  ```
390
297
 
391
- **VS Code / GitHub Copilot** (`settings.json`):
298
+ VS Code / GitHub Copilot (user `settings.json`):
392
299
 
393
300
  ```json
394
301
  {
@@ -401,153 +308,19 @@ npx -y security-mcp@latest config
401
308
  }
402
309
  ```
403
310
 
404
- **Windsurf / Codex / Replit** - use the same `command`/`args` format your editor supports for MCP servers.
405
-
406
- **Step 3 - Restart your editor** after saving the config.
407
-
408
311
  ---
409
312
 
410
- ### Global Install (Optional)
313
+ ## CI/CD gate
411
314
 
412
- If you want the `security-mcp` binary available system-wide without `npx`:
315
+ The gate runs as plain Node.js with no AI session involved, so it belongs in your pipeline as a required check.
413
316
 
414
317
  ```bash
415
- npm install -g security-mcp@latest
416
- security-mcp install-global
318
+ npx -y security-mcp@latest ci:pr-gate
417
319
  ```
418
320
 
419
- Then you can use:
420
-
421
- ```bash
422
- security-mcp install-global --claude-code
423
- security-mcp install-global --cursor
424
- security-mcp install-global --vscode
425
- ```
426
-
427
- ---
428
-
429
- ### Preview Without Writing Anything
430
-
431
- To see what the installer would do without making any changes:
432
-
433
- ```bash
434
- npx -y security-mcp@latest install --dry-run
435
- ```
436
-
437
- ---
438
-
439
- ## Verify Your Installation
440
-
441
- After installing, confirm everything is wired up correctly:
442
-
443
- ```bash
444
- npx -y security-mcp@latest doctor
445
- ```
446
-
447
- This checks your Node.js version, editor config files, and installed skills — and prints `[PASS]` or `[FAIL]` per check with a fix command if anything is missing.
448
-
449
- Example output:
450
-
451
- ```text
452
- [PASS] Node.js 22.x
453
- [PASS] Claude Code config (~/.claude/settings.json)
454
- [PASS] senior-security-engineer skill (~/.claude/skills/senior-security-engineer/SKILL.md)
455
-
456
- All checks passed. Restart your editor, then type /senior-security-engineer.
457
- ```
458
-
459
- ---
460
-
461
- ## How to Run Your First Security Review
462
-
463
- ### Daily Workflow: `/senior-security-engineer`
464
-
465
- **Step 1 - Open your project in your editor.**
466
-
467
- **Step 2 - Invoke the skill:**
468
-
469
- ```text
470
- /senior-security-engineer
471
- ```
472
-
473
- **Step 3 - Choose your scan scope when prompted:**
474
-
475
- - **Recent changes** - scans only files modified since your last commit. Use this on every PR.
476
- - **Full codebase** - scans all source files. Use when onboarding a new project.
477
- - **Specific folders** - you name the folders. Use when you know the blast radius.
321
+ It exits non-zero on HIGH or CRITICAL findings.
478
322
 
479
- **Step 4 - Watch it work.** The agent will:
480
-
481
- 1. Call `security.start_review` to create a tracked run
482
- 2. Build a scan plan covering all relevant OWASP/NIST/ATT&CK controls
483
- 3. Run 20 security checks in parallel across secrets, dependencies, crypto, auth, injection, cloud config, AI/LLM, mobile, and more
484
- 4. Write fixes directly into your code for every finding it can remediate
485
- 5. Generate a SHA-256 attested report at `.mcp/reports/{runId}.attestation.json`
486
-
487
- **Step 5 - Review the output.** Each finding shows:
488
-
489
- - What the vulnerability is and why it matters
490
- - Which attack it enables (mapped to MITRE ATT&CK and CWE)
491
- - The exact fix that was applied to your code
492
-
493
- **Step 6 - Commit with confidence.** The attestation file is your audit trail.
494
-
495
- ---
496
-
497
- ### Deep Audit: `/ciso-orchestrator`
498
-
499
- Use this before a major release, compliance deadline, or security review.
500
-
501
- **Step 1 - Invoke:**
502
-
503
- ```text
504
- /ciso-orchestrator
505
- ```
506
-
507
- **Step 2 - Answer the internet permission prompt.**
508
-
509
- The orchestrator will ask:
510
-
511
- > "I can fetch live CVE data, CISA KEV, and MITRE ATT&CK updates to improve this analysis. Allow internet access for this run? (yes/no)"
512
-
513
- - **Yes** - agents enrich findings with live threat intelligence. More accurate, more current.
514
- - **No** - agents use cached intel. Still comprehensive, no external calls made.
515
-
516
- **Step 3 - Wait for Phase 1 (7 lead agents running in parallel, each commanding their domain-specific sub-agents — 25 sub-agents total across Phase 1).**
517
-
518
- Each agent writes findings to `.mcp/agent-runs/{agentRunId}/`.
519
-
520
- **Step 4 - Wait for Phase 2 (pentest team + compliance synthesizer).**
521
-
522
- The pentest team reads Phase 1's threat model as its attack brief. The compliance agent maps every finding to PCI DSS 4.0, SOC 2, ISO 27001, NIST 800-53, HIPAA, and GDPR controls.
523
-
524
- **Step 5 - Review the merged report.**
525
-
526
- The orchestrator presents:
527
-
528
- ```text
529
- Agents: 9 leads completed (+ sub-agents)
530
- Findings: X CRITICAL / X HIGH / X MEDIUM / X LOW
531
- Remediated inline: X
532
- Open (need your decision): X
533
- SKILL.md coverage: XX% (§1-§24)
534
- Release blocked: yes / no
535
- Attestation: .mcp/reports/{runId}.attestation.json
536
- ```
537
-
538
- **Step 6 - For any open findings**, follow the required actions in the report. The agent will help you implement each fix.
539
-
540
- ---
541
-
542
- ## CI/CD Security Gate
543
-
544
- Block insecure code from merging on every pull request - no Claude session required, pure Node.js execution:
545
-
546
- ```bash
547
- npx -y security-mcp ci:pr-gate
548
- ```
549
-
550
- ### Add to GitHub Actions
323
+ ### GitHub Actions
551
324
 
552
325
  Create `.github/workflows/security-gate.yml`:
553
326
 
@@ -556,7 +329,7 @@ name: Security Gate
556
329
 
557
330
  on:
558
331
  pull_request:
559
- branches: [main, master]
332
+ branches: [main]
560
333
 
561
334
  jobs:
562
335
  security-gate:
@@ -564,529 +337,121 @@ jobs:
564
337
  steps:
565
338
  - uses: actions/checkout@v4
566
339
  with:
567
- fetch-depth: 0 # required for git diff to work
340
+ fetch-depth: 0 # required for git diff
568
341
 
569
342
  - uses: actions/setup-node@v4
570
343
  with:
571
344
  node-version: '20'
572
345
 
573
346
  - name: Block insecure code from merging
574
- run: npx -y security-mcp ci:pr-gate
347
+ run: npx -y security-mcp@latest ci:pr-gate
575
348
  env:
576
349
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
577
350
  ```
578
351
 
579
- ### What the CI Gate Checks
580
-
581
- The gate runs **20 checks in parallel** against your diff:
582
-
583
- | Category | What It Catches |
584
- | --- | --- |
585
- | **Secrets** | Hardcoded API keys, tokens, passwords, private keys (via Gitleaks patterns) |
586
- | **Dependencies** | CRITICAL/HIGH CVEs in npm/pip/go/maven packages; CISA KEV cross-check and EPSS >50% auto-escalation via live threat-intel (24h cached) |
587
- | **Cryptography** | MD5, SHA-1, DES, RC4, ECB mode, `Math.random()` for tokens, short JWT secrets |
588
- | **Authentication** | Missing rate limiting, no account lockout, JWT `alg:none`, weak session config |
589
- | **Injection** | SQL, NoSQL, command injection, path traversal, SSRF, prototype pollution |
590
- | **Web headers** | Missing CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy |
591
- | **IaC** | `0.0.0.0/0` firewall rules, public storage buckets, wildcard IAM permissions |
592
- | **AI/LLM** | `eval()` on model output, unvalidated model responses, prompt injection patterns |
593
- | **Database** | TLS disabled on connections, raw query concatenation, missing connection encryption |
594
- | **Mobile** | `android:debuggable=true`, cleartext traffic, insecure ATS config |
595
- | **GraphQL** | Introspection in production, no depth/complexity limits, batching abuse |
596
- | **Kubernetes** | Privileged containers, missing security context, hostPath mounts |
597
- | **DLP** | PII in logs, stack traces in API responses, sensitive data in error messages |
598
- | **Supply chain** | Missing lockfiles, floating version ranges (`^`, `~`), abandoned packages |
599
- | **SBOM** | Generates CycloneDX SBOM for the scanned surface |
600
- | **Runtime** | HTTP security headers and TLS config on live staging URL (if configured) |
601
- | **AI red-team** | Static + optional dynamic probes against AI endpoints |
602
- | **Exceptions** | Validates any active security exceptions are non-expired and properly approved |
603
- | **Baseline regression** | Detects when previously-satisfied controls go missing (BASELINE_REGRESSION HIGH finding injected on regression) |
604
- | **Deep injection** | XXE, SSTI, prototype pollution, open redirect, NoSQL operator injection, CRLF, unsafe YAML load, deserialization, path traversal, log injection, SSRF (11 new patterns) |
605
- | **Deep auth** | JWT algorithm confusion, session fixation, OAuth missing state, OAuth open redirect_uri, PKCE not enforced, hardcoded JWT secret, missing rate limit on auth endpoints, plaintext password compare, SAML signature disabled, insecure cookie flags, refresh token not rotated, JWT HS/RS confusion (12 new patterns) |
606
-
607
- ### Customize the Gate Policy
608
-
609
- Copy the default policy into your project and edit:
610
-
611
- ```bash
612
- mkdir -p .mcp/policies
613
- cp node_modules/security-mcp/defaults/security-policy.json .mcp/policies/security-policy.json
614
- ```
615
-
616
- Or generate one tailored to your stack:
617
-
618
- ```text
619
- Ask your AI: "Run security.generate_policy with surfaces=[web, api, ai] and cloud=aws"
620
- ```
621
-
622
- ### Add Exceptions for Known Accepted Risks
352
+ ### Optional HMAC integrity
623
353
 
624
- Copy and edit the exceptions file:
354
+ To make the policy tamper-evident, add a repository secret named `SECURITY_POLICY_HMAC_KEY` that is at least 32 bytes, then sign and commit:
625
355
 
626
356
  ```bash
627
- mkdir -p .mcp/exceptions
628
- cp node_modules/security-mcp/defaults/security-exceptions.json .mcp/exceptions/security-exceptions.json
357
+ security-mcp sign-policy
629
358
  ```
630
359
 
631
- Format:
632
-
633
- ```json
634
- {
635
- "version": "1.0.0",
636
- "exceptions": [
637
- {
638
- "id": "EX-001",
639
- "finding_ids": ["CRYPTO_WEAK_HASH"],
640
- "justification": "Legacy hash used only for non-security cache keys",
641
- "ticket": "JIRA-1234",
642
- "owner": "alice@example.com",
643
- "approver": "bob@example.com",
644
- "approval_role": "SecurityLead",
645
- "expires_on": "2025-12-31"
646
- }
647
- ]
648
- }
649
- ```
650
-
651
- Expired exceptions automatically become CRITICAL findings that block the gate.
360
+ Commit the policy file together with its generated `.hmac` sidecar. Once a key is set, the gate requires a valid signature on the policy, and a missing sidecar is rejected by design, so the key and the signature must land in the same change.
652
361
 
653
362
  ---
654
363
 
655
- ## What Gets Fixed Automatically
656
-
657
- When your AI has security-mcp active, it **writes the production-ready fix** - not a suggestion, not a warning comment:
658
-
659
- ### Secrets and Credentials
660
-
661
- | Insecure | Fixed to |
662
- | --- | --- |
663
- | `const KEY = "sk-abc123"` | `const KEY = process.env["API_KEY"]` + vault reference |
664
- | `password: "hardcoded"` in config | Environment variable + secret manager setup |
665
- | JWT signed with `"secret"` | RS256 with generated key pair, proper validation |
666
- | Bcrypt with cost factor 4 | Argon2id with `memory: 65536, iterations: 3, parallelism: 4` |
667
-
668
- ### Authentication and Authorization
364
+ ## Built for teams
669
365
 
670
- - Rate limiting middleware added to all auth endpoints (configurable thresholds)
671
- - Account lockout after N failed attempts with progressive delays
672
- - Session absolute timeout (8h) and idle timeout (30 min)
673
- - FIDO2/WebAuthn requirement flagged for admin interfaces
674
- - IDOR protection: tenant/user IDs read from JWT claims, never from request params
366
+ Four platform subsystems let a security team operate security-mcp at scale, not just run it ad hoc.
675
367
 
676
- ### Injection and Input Validation
368
+ **Multi-provider model router.** Cost-aware routing across model providers, with circuit breakers and a spend budget so a single provider outage or a runaway run cannot stall or overspend the program.
677
369
 
678
- - Zod/Yup schema validation added to every API route handler
679
- - SQL: string concatenation -> parameterized queries or tagged template literals
680
- - Command execution: `exec(userInput)` -> `spawnSync` with arg array, no shell
681
- - Path traversal: user-controlled paths validated against project boundary
682
- - SSRF: server-side HTTP clients get RFC-1918 CIDR block lists + DNS validation
370
+ **Learning engine.** Remembers confirmed patterns and false positives per project, with rate-limited false-positive suppression so noise drops over time. Routing decisions are written to an ISO 42001 audit log.
683
371
 
684
- ### Web Security Headers
372
+ **Tamper-evident attestation hash chain.** Each agent attestation is chained (`init_chain`, `attest_agent`, `verify_chain`, `get_chain`), so the audit trail cannot be silently rewritten after the fact.
685
373
 
686
- Before:
687
-
688
- ```javascript
689
- app.get("/", (req, res) => res.send(html));
690
- ```
691
-
692
- After:
693
-
694
- ```javascript
695
- app.use(helmet({
696
- contentSecurityPolicy: {
697
- directives: {
698
- defaultSrc: ["'self'"],
699
- scriptSrc: ["'self'", (req, res) => `'nonce-${res.locals.nonce}'`],
700
- }
701
- },
702
- hsts: { maxAge: 63072000, includeSubDomains: true, preload: true },
703
- frameguard: { action: "deny" },
704
- noSniff: true,
705
- referrerPolicy: { policy: "strict-origin-when-cross-origin" }
706
- }));
707
- ```
708
-
709
- ### Cloud Infrastructure
710
-
711
- - `cidr_blocks = ["0.0.0.0/0"]` -> source-restricted CIDR with comment explaining rationale
712
- - `acl = "public-read"` S3 -> Block Public Access enabled at bucket and account level
713
- - Wildcard IAM `"Action": "*"` -> least-privilege policy with specific actions
714
- - Long-lived static credentials -> IAM roles / Workload Identity / OIDC federation
715
-
716
- ### Cryptography
717
-
718
- - `crypto.createHash('md5')` -> `crypto.createHash('sha256')`
719
- - `Math.random()` for tokens -> `crypto.randomBytes(32).toString('hex')`
720
- - AES-CBC -> AES-256-GCM with per-message nonce
721
- - RSA PKCS#1 v1.5 -> RSA-OAEP or ECDH P-256
722
-
723
- ### AI / LLM Security
724
-
725
- - String-concatenated system prompts -> structured `messages` array with role separation
726
- - `eval(modelOutput)` -> `JSON.parse()` + Zod schema validation
727
- - RAG retrieval without auth check -> authorization check before and after retrieval
728
- - Unvalidated tool calls -> allowlist router that blocks unlisted tool names
374
+ **MCP caller authentication.** An optional shared-secret gate on the MCP channel uses constant-time HMAC comparison, a 3-strike lockout, and a session TTL (8 hours by default, capped at 24). When unset, the channel stays open for frictionless local use.
729
375
 
730
376
  ---
731
377
 
732
- ## Architecture
733
-
734
- ### System Overview
735
-
736
- ```text
737
- ┌───────────────────────────────────────────────────────────────┐
738
- │ Your Editor (Claude Code) │
739
- │ │
740
- │ /senior-security-engineer /ciso-orchestrator │
741
- │ (single expert agent) (39-agent security program) │
742
- │ │ │ │
743
- └──────────┼────────────────────────────────┼───────────────────┘
744
- │ │
745
- └──────────────┬─────────────────┘
746
- │ MCP protocol (stdio)
747
-
748
- ┌──────────────────────────────────────────────────────────────┐
749
- │ MCP Server (src/mcp/server.ts) │
750
- │ │
751
- │ security.* tools orchestration.* tools │
752
- │ ───────────────── ────────────────────── │
753
- │ start_review create_agent_run │
754
- │ run_pr_gate update_agent_status │
755
- │ threat_model merge_agent_findings │
756
- │ checklist ensure_skill │
757
- │ attest_review read/write_agent_memory │
758
- │ get_system_prompt check_updates / apply_updates │
759
- │ scan_strategy verify_skill_coverage │
760
- │ generate_policy │
761
- │ terraform_blueprint repo.* tools │
762
- │ generate_opa_rego ───────────── │
763
- │ generate_compliance_report read_file / search │
764
- │ notify_webhooks │
765
- │ generate_remediations │
766
- └──────────────────────────────────────────────────────────────┘
767
-
768
-
769
- ┌──────────────────────────────────────────────────────────────┐
770
- │ Policy Gate Engine (src/gate/policy.ts) │
771
- │ │
772
- │ 20 checks run in parallel: │
773
- │ checkSecrets checkDependencies checkApi checkInfra │
774
- │ checkCrypto checkMobileIos checkMobileAndroid │
775
- │ checkAi checkGraphQL checkKubernetes │
776
- │ checkDatabase checkDlp checkWebNextjs │
777
- │ runSbomChecks runAiRedteamChecks runRuntimeChecks │
778
- │ checkInjectionDeep (11 patterns) checkAuthDeep (12 patterns)│
779
- │ │
780
- │ Surface detection -> Control catalog -> Exception handling -> │
781
- │ Coverage manifest -> Taint map -> Confidence scoring -> PASS / FAIL │
782
- └──────────────────────────────────────────────────────────────┘
783
- ```
378
+ ## Self-protection and supply-chain posture
784
379
 
785
- ### `/senior-security-engineer` Flow
380
+ A security tool is part of your supply chain, so security-mcp is built to resist the same attacks it looks for. This matters most when the threat is a malicious repository or a compromised dependency trying to neutralize the gate.
786
381
 
787
- ```text
788
- User: /senior-security-engineer
789
-
790
-
791
- Claude reads SKILL.md + asks scope choice:
792
- A) Recent changes (git diff)
793
- B) Full codebase
794
- C) Specific files/folders
795
-
796
- ▼ user picks scope
797
- security.start_review(mode)
798
- └── creates .mcp/reviews/{runId}.json
799
-
800
-
801
- security.threat_model(runId, feature)
802
- └── STRIDE + PASTA + ATT&CK template for changed surface
803
-
804
-
805
- §0 Coverage Completeness Protocol (runs first)
806
- ├── enumerate ALL source files → coverage-manifest.json
807
- ├── taint-trace every user-controlled input → taint-map.json
808
- ├── negative assertion per attack class: "FILES: N/N | RESULT: CLEAN"
809
- └── fix verification loop: re-run check after every fix, confirm CLEAN
810
-
811
-
812
- security.run_pr_gate(runId, mode, targets)
813
- ├── git diff / glob targets -> changed files list
814
- ├── detectSurfaces() -> web? api? infra? mobile? ai?
815
- ├── 20 checks in parallel (incl. deep injection + deep auth)
816
- ├── apply exceptions from .mcp/exceptions/
817
- ├── compute confidence score
818
- └── returns PASS/FAIL + findings[]
819
-
820
-
821
- Claude writes inline fixes for every finding
822
- (production-ready secure code, not suggestions)
823
- Every HIGH/CRITICAL: FIXED with verified-clean re-run,
824
- OR formally blocked with risk-acceptance record
825
-
826
-
827
- security.attest_review(runId)
828
- └── .mcp/reports/{runId}.attestation.json
829
- └── SHA-256 integrity hash
830
- ```
831
-
832
- ### `/ciso-orchestrator` Flow (39 Agents)
833
-
834
- ```text
835
- User: /ciso-orchestrator
836
-
837
-
838
- CISO Orchestrator
839
- ├── orchestration.check_updates() -> prompt if new version available
840
- ├── ask internet permission -> stored for all child agents
841
- ├── scan project for stack context
842
- │ (package.json, go.mod, terraform/, .github/workflows/, Dockerfile)
843
- │ -> stackContext: { languages, frameworks, cloudProvider, hasAI, hasMobile, ... }
844
- ├── security.start_review() -> runId
845
- ├── orchestration.create_agent_run() -> agentRunId + manifest.json
846
- └── orchestration.ensure_skill(×N) -> download stack-relevant skills from 86-skill registry
847
-
848
-
849
- ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
850
- PHASE 1 - 7 leads + sub-agents (all parallel)
851
- ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
852
-
853
- Agent 1: threat-modeler
854
- ├── stride-pasta-analyst -> STRIDE matrix, PASTA 7 stages, LINDDUN, DREAD
855
- ├── attack-navigator -> ATT&CK Navigator layer + D3FEND countermeasures
856
- ├── business-logic-attacker -> attack trees per route/flow found in codebase
857
- └── privacy-flow-analyst -> GDPR/HIPAA data flows, DPIA trigger check
858
- Output: .mcp/agent-runs/{id}/threat-model.json
859
-
860
- Agent 2: appsec-code-auditor
861
- ├── injection-specialist -> SQL/NoSQL/SSTI/OS cmd/CRLF/log injection
862
- ├── auth-session-hacker -> JWT algo confusion, SAML wrap, OAuth confusion
863
- ├── logic-race-fuzzer -> race conditions, integer overflow, mass assignment
864
- └── serialization-memory-attacker -> prototype pollution, ReDoS, zip slip, sandbox escape
865
- Output: .mcp/agent-runs/{id}/appsec-findings.json
866
-
867
- Agent 3: cloud-infra-specialist
868
- ├── aws-penetration-tester -> IAM escalation, S3, Lambda, EKS (if AWS)
869
- ├── gcp-penetration-tester -> SA abuse, GCS, Cloud Run, GKE (if GCP)
870
- ├── azure-penetration-tester -> Managed Identity, AKS, Key Vault (if Azure)
871
- └── k8s-container-escaper -> privileged pods, RBAC escape, hostPath (if K8s)
872
- Output: .mcp/agent-runs/{id}/infra-findings.json
873
-
874
- Agent 4: supply-chain-devsecops
875
- ├── dependency-confusion-attacker -> CVEs, CISA KEV, typosquatting, SBOM
876
- ├── cicd-pipeline-hijacker -> pull_request_target, mutable Actions, injection
877
- └── artifact-integrity-analyst -> SLSA L3, Cosign signatures, provenance
878
- Output: .mcp/agent-runs/{id}/supply-chain-findings.json
879
-
880
- Agent 5: ai-llm-redteam (skipped if no AI stack detected)
881
- ├── prompt-injection-specialist -> direct + indirect injection, PoC payloads
882
- ├── model-extraction-attacker -> API abuse, cost amplification, rate limiting
883
- ├── rag-poisoning-specialist -> vector store isolation, metadata filter injection
884
- └── agentic-loop-exploiter -> tool blast radius, loop hijacking, allowlist gaps
885
- Output: .mcp/agent-runs/{id}/ai-findings.json
886
-
887
- Agent 6: mobile-security-specialist (skipped if no mobile detected)
888
- ├── ios-security-auditor -> Keychain, ATS, Secure Enclave, Universal Links
889
- ├── android-penetration-tester -> manifest hardening, NSC, exported components
890
- └── mobile-api-network-attacker -> cert pinning, API key extraction, token storage
891
- Output: .mcp/agent-runs/{id}/mobile-findings.json
892
-
893
- Agent 7: crypto-pki-specialist
894
- ├── tls-certificate-auditor -> TLS 1.3, AEAD ciphers, HSTS preload, OCSP, mTLS
895
- ├── algorithm-implementation-reviewer -> banned algos, Argon2id params, nonce reuse
896
- └── key-management-lifecycle-analyst -> hardcoded keys, rotation, CMEK, post-quantum
897
- Output: .mcp/agent-runs/{id}/crypto-findings.json
898
-
899
- ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
900
- Wait for all Phase 1 agents to complete
901
- ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
902
-
903
- PHASE 2 - adversarial + compliance (both parallel)
904
- ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
905
-
906
- Agent 8: pentest-team (reads threat-model.json as attack brief)
907
- ├── pentest-web-api -> OWASP Testing Guide on every route found in codebase
908
- ├── pentest-infra -> privilege escalation graph, Terraform state, cloud posture
909
- └── pentest-social -> OSINT on org, spear-phishing scenarios, insider threat model
910
- Output: .mcp/agent-runs/{id}/pentest-report.json
911
-
912
- Agent 9: compliance-grc (reads all Phase 1 findings)
913
- ├── evidence-collector -> logging schema verification, SIEM rules, audit trail
914
- └── compliance-gap-analyst -> PCI DSS 4.0, SOC 2, ISO 27001, NIST 800-53, HIPAA, GDPR
915
- Output: .mcp/agent-runs/{id}/compliance-report.json
916
-
917
- ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
918
- Wait for Phase 2 agents to complete
919
- ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
920
-
921
- PHASE 3 - synthesis (sequential)
922
- ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
923
-
924
- orchestration.merge_agent_findings() -> deduplicate + sort CRITICAL->LOW
925
- orchestration.verify_skill_coverage() -> check §1-§24 SKILL.md section coverage
926
- security.attest_review() -> SHA-256 attestation written
927
-
928
- Final report:
929
- ├── X CRITICAL / X HIGH / X MEDIUM / X LOW
930
- ├── Remediated inline: X Open: X
931
- ├── SKILL.md section coverage: XX%
932
- ├── Release blocked: yes / no
933
- └── .mcp/reports/{runId}.attestation.json
934
- ```
935
-
936
- ### Agent Memory System
937
-
938
- Every agent persists what it learns so each subsequent run is smarter:
939
-
940
- ```text
941
- ~/.security-mcp/agent-memory/{agentName}/
942
- ├── patterns.json ← confirmed attack patterns for this tech stack
943
- ├── false-positives.json ← findings to deprioritize on next run
944
- ├── remediations.json ← what fixes worked for this project
945
- ├── intel.json ← cached threat intel (refreshed every 24h)
946
- └── errors.json ← tool failure log (used for self-healing)
947
- ```
948
-
949
- ### Data Written to Your Project
950
-
951
- ```text
952
- .mcp/
953
- ├── reviews/{runId}.json ← review run state + step tracking
954
- ├── reports/{runId}.attestation.json ← SHA-256 auditable attestation
955
- ├── agent-runs/{agentRunId}/
956
- │ ├── manifest.json ← all agent statuses + current phase
957
- │ ├── threat-model.json
958
- │ ├── appsec-findings.json
959
- │ ├── infra-findings.json
960
- │ ├── supply-chain-findings.json
961
- │ ├── ai-findings.json
962
- │ ├── mobile-findings.json
963
- │ ├── crypto-findings.json
964
- │ ├── pentest-report.json
965
- │ ├── compliance-report.json
966
- │ ├── sbom.cyclonedx.json
967
- │ └── merged-findings.json ← Phase 3 deduplicated, sorted output
968
- ├── policies/security-policy.json
969
- └── exceptions/security-exceptions.json
970
- ```
382
+ - **Signed policy, exceptions, and baseline.** These files are HMAC-signed. When the policy is not signed, the gate floors `severity_block` to HIGH/CRITICAL, so an unsigned edit cannot relax the gate to PASS.
383
+ - **Exceptions cannot quietly suppress.** By default an unsigned exceptions file may not suppress HIGH/CRITICAL findings. A break-glass env var exists for scanning intentionally-vulnerable fixtures.
384
+ - **Honest attestation.** Attestation refuses to sign unless the latest gate result is PASS with all required steps complete. There are no forged green attestations.
385
+ - **Verified inter-agent payloads.** The merge step that aggregates every agent's findings is the trust sink for a whole run, so it schema-validates each agent's findings file and checks its hash against that agent's signed attestation before trusting it. Findings dedupe keeps the highest severity per id, so a same-id low-severity entry cannot shadow a real CRITICAL. A tampered chain or a findings-hash mismatch forces FAIL. Set `SECURITY_REQUIRE_AGENT_ATTESTATION=1` to fail closed unless the run is HMAC-signed, fully attested, and clean — note that an *unsigned* attestation chain is only tamper-evident, not tamper-proof, against an attacker who can write the run directory, so the HMAC key is the real boundary.
386
+ - **Per-tool-call audit trail.** Every MCP tool call is logged as one structured JSONL record (timestamp, agent id, tool, inputs, output summary, session credential, outcome) to `.mcp/audit/tool-calls.jsonl`. Secret-bearing keys and secret-shaped values (in inputs and in the output preview) are scrubbed; failed auth attempts are recorded as such, not as successes; the log rotates at 50 MB and writing never interrupts a tool call. Set `SECURITY_TOOL_AUDIT_LOG` to forward to an append-only sink.
387
+ - **Locked-down data at rest.** Findings, agent memory, and signatures are written with `0o600` file permissions.
388
+ - **Prompt-injection defense.** Tool outputs that originate from the repo are sanitized before they reach an LLM.
389
+ - **Verified installer.** Downloaded scanner binaries are verified by SHA-256, unchecksummed binaries are refused, and there is no `curl | sh` install path.
390
+ - **Air-gap mode.** `SECURITY_OFFLINE=1` produces a fully offline run with no third-party egress.
971
391
 
972
392
  ---
973
393
 
974
- ## MCP Tools Reference
394
+ ## MCP tools
975
395
 
976
- Your AI uses these automatically. You don't call them directly, but understanding what they do helps you know what's happening during a review.
396
+ Your AI calls these automatically; you rarely invoke them by hand. There are around 40, grouped into three namespaces plus two MCP prompts.
977
397
 
978
- ### Core Security Tools
398
+ ### Most useful tools
979
399
 
980
- | Tool | What It Does |
400
+ | Tool | Purpose |
981
401
  | --- | --- |
982
- | `security.start_review` | Starts a stateful review run; returns `runId` used to track all subsequent steps and produce the final attestation |
983
- | `security.run_pr_gate` | Runs 20 security checks in parallel; returns PASS/FAIL, findings with severity, and required actions |
984
- | `security.threat_model` | Generates a STRIDE + PASTA + ATT&CK threat model template for a specific feature or surface |
985
- | `security.checklist` | Returns the pre-release security checklist, optionally filtered by surface (web / api / mobile / ai / infra / payments) |
986
- | `security.scan_strategy` | Builds an exhaustive scan plan mapping every check to OWASP, NIST, ATT&CK, and compliance controls |
987
- | `security.get_system_prompt` | Returns the full security engineering directive, optionally scoped to your stack and cloud provider |
988
- | `security.generate_policy` | Generates a `security-policy.json` tailored to your active surfaces and cloud provider |
989
- | `security.terraform_hardening_blueprint` | Terraform hardening baseline with module layout, guardrails, and control mappings |
990
- | `security.generate_opa_rego` | OPA/Rego policy code for Terraform plans, CI pipelines, and Kubernetes admission |
991
- | `security.generate_compliance_report` | Maps gate findings to SOC 2, PCI-DSS, ISO 27001, NIST 800-53, HIPAA, or GDPR controls |
992
- | `security.generate_remediations` | Maps each finding ID to a concrete code-level fix template |
993
- | `security.notify_webhooks` | Sends findings to Slack, Jira, PagerDuty, or any webhook URL |
994
- | `security.self_heal_loop` | Proposes adaptive policy improvements based on recurring findings (requires explicit human approval) |
995
- | `security.attest_review` | Writes a SHA-256 integrity-hashed attestation file at `.mcp/reports/{runId}.attestation.json` |
996
- | `repo.read_file` | Reads a project file for analysis (path-traversal guarded) |
997
- | `repo.search` | Searches the codebase for patterns or regex (ReDoS guarded, max 500 matches) |
998
-
999
- ### Orchestration Tools (`/ciso-orchestrator` only)
1000
-
1001
- | Tool | What It Does |
1002
- | --- | --- |
1003
- | `orchestration.create_agent_run` | Initialises the 39-agent manifest and `.mcp/agent-runs/{id}/` directory |
1004
- | `orchestration.update_agent_status` | Agents report start/completion; automatically advances phase when all phase agents finish |
1005
- | `orchestration.merge_agent_findings` | Deduplicates findings from all agents, sorts by severity, writes `merged-findings.json` |
1006
- | `orchestration.ensure_skill` | Downloads a skill from the GitHub registry if not cached locally (`~/.claude/skills/`) |
1007
- | `orchestration.read_agent_memory` | Loads an agent's prior patterns, false-positives, remediations, and cached intel |
1008
- | `orchestration.write_agent_memory` | Persists newly learned patterns and remediations after a run |
1009
- | `orchestration.check_updates` | Checks npm and the skills manifest for newer versions of security-mcp or installed skills |
1010
- | `orchestration.apply_updates` | Returns update commands (manual) or instructions for the agent to run them (auto) |
1011
- | `orchestration.verify_skill_coverage` | Reports which SKILL.md sections §1-§24 had zero coverage findings in this run |
402
+ | `security.start_review` | Open a stateful review run and get a `runId` |
403
+ | `security.run_pr_gate` | Run the gate, return PASS/FAIL with findings |
404
+ | `security.attest_review` | Write a SHA-256 attestation (PASS-gated) |
405
+ | `security.threat_model` | STRIDE + PASTA + ATT&CK model for a surface |
406
+ | `security.scan_strategy` | Map every check to OWASP/NIST/ATT&CK controls |
407
+ | `security.generate_policy` | Generate a policy tailored to your stack |
408
+ | `security.terraform_hardening_blueprint` | Terraform hardening baseline + mappings |
409
+ | `security.generate_opa_rego` | OPA/Rego for plans, pipelines, admission |
410
+ | `security.generate_compliance_report` | Map findings to SOC 2, PCI, ISO, NIST, HIPAA, GDPR |
411
+ | `security.generate_remediations` | Concrete fix template per finding |
412
+ | `repo.read_file` / `repo.search` | Read or search the codebase (guarded) |
413
+ | `orchestration.create_agent_run` | Stand up the multi-agent run + manifest |
414
+ | `orchestration.merge_agent_findings` | Dedupe and sort findings across agents |
415
+ | `orchestration.verify_skill_coverage` | Check §0-§24 SKILL.md coverage |
416
+
417
+ ### Operational families
418
+
419
+ Beyond the tools above, the rest of the surface clusters into four families:
420
+
421
+ - **Model routing and budget.** `get_routing`, `get_model_for_task`, `track_usage`, `model_budget_status`, `get_provider_health`, `record_provider_failure`, `reset_provider_circuit`.
422
+ - **Learning and pattern memory.** `record_outcome`, `pattern_report`, `self_heal_loop`, plus `orchestration.read_agent_memory` / `write_agent_memory`.
423
+ - **Attestation hash chain.** `init_chain`, `attest_agent`, `verify_chain`, `get_chain`.
424
+ - **Caller auth and lifecycle.** `authenticate`, `logout`, plus update tools `orchestration.check_updates` / `apply_updates` and skill loading `orchestration.ensure_skill`.
425
+
426
+ Namespace counts: `security.*` (29 tools), `repo.*` (2), `orchestration.*` (9), and 2 MCP prompts.
1012
427
 
1013
428
  ---
1014
429
 
1015
- ## Security Frameworks Applied
430
+ ## Frameworks
1016
431
 
1017
- All of the following frameworks are applied automatically. You don't need to know them - they're the standards used by the world's top security teams, and security-mcp maps every finding and fix to them:
432
+ Every finding and fix maps to recognized standards. You do not need to know them to benefit; they are there so your evidence stands up to an auditor.
1018
433
 
1019
- | Framework | What It Covers |
434
+ | Domain | Standards |
1020
435
  | --- | --- |
1021
- | **OWASP Top 10** (Web + API) | The 10 most critical web and API vulnerability classes |
1022
- | **OWASP ASVS Level 2/3** | Application security verification standard - L3 for auth, payments, PII |
1023
- | **OWASP MASVS** | Mobile application security verification standard |
1024
- | **OWASP Top 10 for LLMs** | AI-specific vulnerabilities: prompt injection, training data poisoning, etc. |
1025
- | **OWASP Testing Guide** | Methodology used by pentest sub-agents for endpoint-level testing |
1026
- | **MITRE ATT&CK Enterprise + Cloud + Mobile** | Real attacker playbooks - every finding maps to a technique ID |
1027
- | **MITRE D3FEND** | Defensive countermeasure mapped to every ATT&CK technique in scope |
1028
- | **MITRE ATLAS** | Adversarial ML/AI attack techniques |
1029
- | **MITRE CAPEC** | Attack patterns used at design-time threat modeling |
1030
- | **NIST 800-53 Rev 5** | Full US government security control catalog |
1031
- | **NIST CSF 2.0** | Govern / Identify / Protect / Detect / Respond / Recover |
1032
- | **NIST 800-207** | Zero Trust Architecture - every request authenticated and authorized |
1033
- | **NIST 800-218 (SSDF)** | Secure Software Development Framework |
1034
- | **NIST AI RMF** | AI risk management: Map, Measure, Manage, Govern |
1035
- | **PCI DSS 4.0** | Payment card industry data security standard |
1036
- | **SOC 2 Type II** | Trust Services Criteria (Security, Availability, Confidentiality, PI) |
1037
- | **ISO 27001:2022 + 27002** | International information security management system |
1038
- | **ISO 42001:2023** | AI management system - applied to all LLM/AI components |
1039
- | **GDPR / CCPA / HIPAA** | Data privacy: consent, retention, breach notification, minimum necessary |
1040
- | **SLSA Level 3** | Software supply chain security - hermetic builds, signed provenance |
1041
- | **CIS Benchmarks Level 2** | Hardened cloud, OS, and container configurations |
1042
- | **CVSS v4.0 + EPSS** | Vulnerability scoring and exploit probability - EPSS > 0.5 fixed within 48h |
436
+ | OWASP | Top 10 (Web + API), ASVS L2/L3, MASVS, Top 10 for LLMs, Testing Guide |
437
+ | MITRE | ATT&CK (Enterprise + Cloud + Mobile), D3FEND, ATLAS, CAPEC |
438
+ | NIST | 800-53 Rev 5, CSF 2.0, 800-207 Zero Trust, 800-218 SSDF, AI RMF, 800-131A |
439
+ | Compliance | PCI DSS 4.0, SOC 2 Type II, ISO 27001:2022 + 27002, ISO 42001:2023, GDPR / CCPA / HIPAA |
440
+ | Supply chain and cloud | SLSA Level 3, CIS Benchmarks L2, AWS FSBP, Microsoft Cloud Security Benchmark |
441
+ | Scoring | CVSS v4.0 + EPSS |
1043
442
 
1044
443
  ---
1045
444
 
1046
- ## Configuration
1047
-
1048
- ### Customize the Security Policy
445
+ ## Policy and exceptions
1049
446
 
1050
- The policy file controls what the gate blocks, what evidence it requires, and how exceptions are handled. Copy the default and edit:
447
+ The policy lives at `.mcp/policies/security-policy.json`. Copy the default to start:
1051
448
 
1052
449
  ```bash
1053
450
  mkdir -p .mcp/policies
1054
451
  cp node_modules/security-mcp/defaults/security-policy.json .mcp/policies/security-policy.json
1055
452
  ```
1056
453
 
1057
- Key sections:
1058
-
1059
- ```json
1060
- {
1061
- "required_checks": {
1062
- "secrets_scan": { "severity_block": ["HIGH", "CRITICAL"] },
1063
- "dependency_scan": { "severity_block": ["CRITICAL"] },
1064
- "sast": { "severity_block": ["CRITICAL"] },
1065
- "iac_scan": { "severity_block": ["HIGH", "CRITICAL"] }
1066
- },
1067
- "vulnerability_slas": {
1068
- "CRITICAL": "24h",
1069
- "HIGH": "7d",
1070
- "MEDIUM": "30d",
1071
- "CISA_KEV": "24h"
1072
- },
1073
- "exceptions": {
1074
- "require_ticket": true,
1075
- "approval_roles": ["SecurityLead", "GRC", "CTO"]
1076
- }
1077
- }
1078
- ```
1079
-
1080
- ### Add a Security Exception
1081
-
1082
- When you have a finding you've consciously accepted (e.g., a CVE in a library you're actively replacing):
1083
-
1084
- ```bash
1085
- mkdir -p .mcp/exceptions
1086
- cp node_modules/security-mcp/defaults/security-exceptions.json .mcp/exceptions/security-exceptions.json
1087
- ```
1088
-
1089
- Edit `.mcp/exceptions/security-exceptions.json`:
454
+ Exceptions live at `.mcp/exceptions/security-exceptions.json`. Each entry needs `id`, `finding_ids`, `justification`, `ticket`, `owner`, `approver` (the owner cannot be the approver), `approval_role`, and `expires_on` (within 365 days):
1090
455
 
1091
456
  ```json
1092
457
  {
@@ -1095,179 +460,137 @@ Edit `.mcp/exceptions/security-exceptions.json`:
1095
460
  {
1096
461
  "id": "EX-001",
1097
462
  "finding_ids": ["DEP_CVE_CVE-2024-12345"],
1098
- "justification": "Library being replaced in sprint 42; no public exploit yet",
463
+ "justification": "Library being replaced next sprint; no public exploit",
1099
464
  "ticket": "JIRA-9999",
1100
- "owner": "your-email@company.com",
1101
- "approver": "security-lead@company.com",
465
+ "owner": "alice@example.com",
466
+ "approver": "bob@example.com",
1102
467
  "approval_role": "SecurityLead",
1103
- "expires_on": "2025-06-30"
468
+ "expires_on": "2026-12-31"
1104
469
  }
1105
470
  ]
1106
471
  }
1107
472
  ```
1108
473
 
1109
- **Expired exceptions automatically become `SECURITY_EXCEPTION_EXPIRED` CRITICAL findings** that block the gate until renewed or resolved.
474
+ Expired exceptions automatically become blocking findings until they are renewed or resolved.
1110
475
 
1111
476
  ---
1112
477
 
1113
- ## Environment Variables
478
+ ## Environment variables
1114
479
 
1115
- ### CI / Gate
480
+ ### Gate and scope
1116
481
 
1117
482
  | Variable | Default | Purpose |
1118
483
  | --- | --- | --- |
1119
- | `GITHUB_TOKEN` | set by Actions | Authenticates git operations in CI |
484
+ | `SECURITY_GATE_POLICY` | `.mcp/policies/security-policy.json` | Policy file path |
485
+ | `SECURITY_GATE_MODE` | `recent_changes` | Scan mode |
486
+ | `SECURITY_GATE_TARGETS` | (changed files) | Comma-separated paths to restrict the scan |
1120
487
  | `SECURITY_GATE_BASE_REF` | `origin/main` | Branch to diff against |
1121
488
  | `SECURITY_GATE_HEAD_REF` | `HEAD` | Branch being scanned |
1122
- | `SECURITY_GATE_POLICY` | `.mcp/policies/security-policy.json` | Path to policy file |
1123
- | `SECURITY_GATE_SCANNERS` | built-in | Path to custom scanner config (must be within project directory) |
1124
- | `SECURITY_GATE_EXCEPTIONS` | `.mcp/exceptions/security-exceptions.json` | Path to exceptions file (must be within project directory) |
1125
- | `SECURITY_GATE_MODE` | `full` | Set to `file_by_file` for scoped per-file scanning |
1126
- | `SECURITY_GATE_TARGETS` | (all changed files) | Comma-separated file paths to restrict the scan surface |
489
+ | `SECURITY_GATE_EXCEPTIONS` | (default path) | Exceptions file path |
490
+ | `SECURITY_GATE_SCANNERS` | built-in | Custom scanner config path |
491
+ | `SECURITY_GATE_EVIDENCE_MAP` | (none) | Evidence-coverage map path |
492
+ | `SECURITY_GATE_CONTROL_CATALOG` | (none) | Control-catalog path |
1127
493
 
1128
- ### Integrations (all optional)
494
+ ### Integrity and signing
1129
495
 
1130
496
  | Variable | Purpose |
1131
497
  | --- | --- |
1132
- | `SECURITY_SLACK_WEBHOOK` | Sends gate results to a Slack channel |
1133
- | `SECURITY_JIRA_URL` | Creates Jira tickets for gate failures |
1134
- | `SECURITY_JIRA_TOKEN` | Jira API token (never logged) |
1135
- | `SECURITY_JIRA_PROJECT` | Jira project key (default: `SECURITY`) |
1136
- | `SECURITY_PAGERDUTY_KEY` | Pages on-call when CRITICAL findings are found |
1137
- | `SECURITY_WEBHOOK_URL` | POST gate results as JSON to any URL |
1138
-
1139
- ### Live Scanning (optional)
1140
-
1141
- | Variable | Purpose |
1142
- | --- | --- |
1143
- | `SECURITY_STAGING_URL` | Enables live HTTP header and TLS checks against your staging environment |
1144
- | `SECURITY_AI_ENDPOINT` | Enables live jailbreak, injection, PII, and rate-limit probes against your AI endpoint |
1145
- | `SECURITY_AUTO_SBOM` | Set `true` to auto-generate a CycloneDX SBOM on each gate run |
1146
-
1147
- ---
1148
-
1149
- ## The 10 Rules That Are Never Broken
498
+ | `SECURITY_POLICY_HMAC_KEY` | Signs policy / exceptions / baseline (>=32 bytes) |
499
+ | `SECURITY_REQUIRE_SIGNED_EXCEPTIONS` | Fail closed on any unsigned exceptions file |
500
+ | `SECURITY_REQUIRE_AGENT_ATTESTATION` | Fail closed unless the agent run is signed + enforced + clean (see below) |
501
+ | `SECURITY_ALLOW_UNSIGNED_HIGH_SUPPRESSION` | Break-glass: allow unsigned HIGH/CRITICAL suppression |
502
+ | `SECURITY_ATTEST_ALLOW_INCOMPLETE` | Break-glass: attest without a complete PASS |
503
+ | `SECURITY_ATTEST_KEY` | Signs attestation files |
504
+ | `SECURITY_AUDIT_HMAC_KEY` | Signs the routing audit log and the per-agent attestation chain |
1150
505
 
1151
- No matter what your AI is asked to build, these are enforced without exception:
1152
-
1153
- 1. **No `0.0.0.0/0` firewall rules** - ingress and egress must be source-restricted
1154
- 2. **All internal services over private VPC only** - no public IPs for databases, queues, or internal APIs
1155
- 3. **Secrets in a secret manager only** - never in code, `.env` files, CI logs, or container images
1156
- 4. **TLS 1.3 for everything in transit** - TLS 1.0 and 1.1 are explicitly blocked
1157
- 5. **Passwords hashed with Argon2id or bcrypt (cost ≥ 14)** - MD5 and SHA-1 are forbidden
1158
- 6. **Every API input validated server-side with a schema** - no passing raw request data to business logic
1159
- 7. **No inline JavaScript** - Content Security Policy is nonce-based only; no `unsafe-inline` or `unsafe-eval`
1160
- 8. **Admin interfaces require FIDO2/WebAuthn passkey** - TOTP is not acceptable for admin access
1161
- 9. **Threat model before any auth, payment, or AI feature** - no design-free implementation
1162
- 10. **Zero Trust: every request authenticated and authorized regardless of origin** - no implicit network trust
1163
-
1164
- ---
1165
-
1166
- ## Troubleshooting
1167
-
1168
- ### The `/senior-security-engineer` command isn't available in my editor
1169
-
1170
- **Cause:** The skill was not installed to `~/.claude/skills/`.
1171
-
1172
- **Fix:** Re-run the installer:
1173
-
1174
- ```bash
1175
- npx -y security-mcp@latest install
1176
- ```
506
+ ### Observability
1177
507
 
1178
- Then verify the skill exists:
1179
-
1180
- ```bash
1181
- ls ~/.claude/skills/senior-security-engineer/SKILL.md
1182
- ```
1183
-
1184
- ### The MCP server doesn't appear as connected
1185
-
1186
- **Cause:** Config file was not written, or the editor wasn't restarted after config was written.
1187
-
1188
- **Fix:**
1189
-
1190
- 1. Check the config file was written (see editor-specific paths in [Manual Configuration](#manual-configuration-any-mcp-editor))
1191
- 2. Fully restart the editor (quit and reopen, not just reload window)
1192
- 3. Check Node.js version: `node --version` - must be 20 or higher
1193
-
1194
- ### The CI gate fails with "cannot find module"
1195
-
1196
- **Cause:** The dist files weren't included in the npm package, or you're referencing a path that doesn't exist.
508
+ | Variable | Default | Purpose |
509
+ | --- | --- | --- |
510
+ | `SECURITY_TOOL_AUDIT_LOG` | `.mcp/audit/tool-calls.jsonl` | Path for the per-tool-call structured audit log; point at an append-only / write-once sink for tamper-proof retention |
1197
511
 
1198
- **Fix:** Use `npx -y security-mcp@latest ci:pr-gate` which always pulls the latest published version, rather than referencing a local path.
512
+ ### Privacy and air-gap
1199
513
 
1200
- ### A finding is a false positive
514
+ | Variable | Purpose |
515
+ | --- | --- |
516
+ | `SECURITY_OFFLINE` | Disable all third-party network egress |
1201
517
 
1202
- **Fix:** Add it to `.mcp/exceptions/security-exceptions.json` with a justification, ticket, owner, and expiry date. See [Add a Security Exception](#add-a-security-exception).
518
+ ### MCP channel
1203
519
 
1204
- ### The gate is too strict for my current project stage
520
+ | Variable | Default | Purpose |
521
+ | --- | --- | --- |
522
+ | `SECURITY_MCP_SHARED_SECRET` | (none) | Require caller auth on the MCP channel |
523
+ | `SECURITY_SESSION_TTL_MS` | 8h | Session lifetime, capped at 24h |
1205
524
 
1206
- **Fix:** Edit `.mcp/policies/security-policy.json` to lower severity thresholds for your current environment. For example, set `dev` environment to only block on `CRITICAL`:
525
+ ### Remediation
1207
526
 
1208
- ```json
1209
- "environments": {
1210
- "dev": {
1211
- "severity_block": ["CRITICAL"],
1212
- "required_checks": ["secrets_scan"]
1213
- }
1214
- }
1215
- ```
527
+ | Variable | Purpose |
528
+ | --- | --- |
529
+ | `SECURITY_AGENTIC_QUARANTINE` | Handling for poisoned agent files: `strip`, `sanitize`, `quarantine`, or `off` |
1216
530
 
1217
- ### I want to update to the latest version
531
+ ### Integrations
1218
532
 
1219
- ```bash
1220
- npx -y security-mcp@latest install
1221
- ```
533
+ | Variable | Purpose |
534
+ | --- | --- |
535
+ | `SECURITY_SLACK_WEBHOOK` | Post gate results to Slack |
536
+ | `SECURITY_JIRA_URL` | Create Jira tickets for failures |
537
+ | `SECURITY_JIRA_TOKEN` | Jira API token (never logged) |
538
+ | `SECURITY_JIRA_PROJECT` | Jira project key (default `SECURITY`) |
539
+ | `SECURITY_PAGERDUTY_KEY` | Page on-call for CRITICAL findings |
540
+ | `SECURITY_WEBHOOK_URL` | POST gate results as JSON to any URL |
1222
541
 
1223
- This always pulls the latest published version. If you have it globally installed:
542
+ ### Live scanning
1224
543
 
1225
- ```bash
1226
- npm install -g security-mcp@latest
1227
- ```
544
+ | Variable | Purpose |
545
+ | --- | --- |
546
+ | `SECURITY_STAGING_URL` | Enable runtime + Nuclei DAST against staging |
547
+ | `SECURITY_AI_ENDPOINT` | Enable live AI red-team probes |
548
+ | `SECURITY_AUTO_SBOM` | Auto-generate a CycloneDX SBOM each run |
1228
549
 
1229
550
  ---
1230
551
 
1231
- ## FAQ
1232
-
1233
- **Q: Does this send my code to any external service?**
552
+ ## The 10 non-negotiable rules
1234
553
 
1235
- No. The MCP server runs locally as a Node.js process. Your code never leaves your machine. The only external calls made are to the npm registry (to check for updates) and optionally to GitHub (to download skill files) - both only if explicitly permitted. Live CVE/CISA KEV fetches during `/ciso-orchestrator` require your explicit internet permission at runtime.
554
+ No matter what the AI is asked to build, these hold:
1236
555
 
1237
- **Q: Do I need to know security to use this?**
556
+ 1. No `0.0.0.0/0` firewall rules. Ingress and egress are source-restricted.
557
+ 2. Internal services live on a private VPC only, never on public IPs.
558
+ 3. Secrets live in a secret manager only, never in code, `.env`, CI logs, or images.
559
+ 4. TLS 1.3 for everything in transit. TLS 1.0 and 1.1 are blocked.
560
+ 5. Passwords hashed with Argon2id, or bcrypt at cost 14 or higher.
561
+ 6. Every API input validated server-side with a schema.
562
+ 7. No inline JavaScript. Content Security Policy is nonce-based only.
563
+ 8. Admin interfaces require FIDO2/WebAuthn.
564
+ 9. Threat-model before any auth, payment, or AI feature.
565
+ 10. Zero Trust: every request authenticated and authorized regardless of origin.
1238
566
 
1239
- No. The tool is designed so that you don't need to understand what OWASP or ATT&CK mean. You describe what you're building, and the security engineer handles the rest.
1240
-
1241
- **Q: Will it slow down my development?**
1242
-
1243
- For daily use with `/senior-security-engineer` on recent changes, a typical review takes seconds to a few minutes. The fix is inline - you don't need to context-switch to a separate tool.
1244
-
1245
- **Q: What if it fixes something I don't want changed?**
1246
-
1247
- Everything is in your git working tree. Review the diff with `git diff`, revert anything you disagree with (`git checkout -- <file>`), and add a security exception if the finding is a false positive or accepted risk.
1248
-
1249
- **Q: Can I use this on an existing codebase with lots of issues?**
1250
-
1251
- Yes. Use `security.generate_policy` to set appropriate thresholds for your current state, add exceptions for known-accepted technical debt, and use the gate's MEDIUM/LOW findings as a backlog rather than blockers.
567
+ ---
1252
568
 
1253
- **Q: Is this a replacement for a real pentest?**
569
+ ## CLI reference
1254
570
 
1255
- No - but it covers the same ground and more, continuously, on every change. Use `/ciso-orchestrator` before major releases to get the depth of a structured security review. For compliance purposes (SOC 2, PCI DSS), the attestation files and compliance reports generated are audit-trail artifacts.
571
+ The `security-mcp` binary exposes:
1256
572
 
1257
- **Q: What AI models does this work with?**
573
+ | Command | Purpose |
574
+ | --- | --- |
575
+ | `serve` | Run the MCP server |
576
+ | `install` | Install for auto-detected editors |
577
+ | `install-global` | Install globally |
578
+ | `config` | Manage configuration |
579
+ | `doctor` (alias `verify`) | Health check |
580
+ | `autoharden` | Auto-remediate Terraform (`--dry-run` to preview) |
581
+ | `ci:pr-gate` | Run the gate in CI (non-zero exit on HIGH/CRITICAL) |
582
+ | `sign-policy` | HMAC-sign the active policy |
1258
583
 
1259
- security-mcp is model-agnostic - it's an MCP server, not a model. It works with any AI assistant that supports the MCP protocol: Claude (all models), GitHub Copilot, Cursor, Codex, and others.
584
+ ---
1260
585
 
1261
- **Q: How do I report a vulnerability in security-mcp itself?**
586
+ ## Documentation and disclosure
1262
587
 
1263
- See [SECURITY.md](SECURITY.md) for the responsible disclosure policy.
588
+ - **Deep-dive docs:** the [GitHub Wiki](https://github.com/AbrahamOO/security-mcp/wiki).
589
+ - **Contributing:** [CONTRIBUTING.md](CONTRIBUTING.md).
590
+ - **Reporting a vulnerability in security-mcp itself:** see [SECURITY.md](SECURITY.md), which uses GitHub private security advisories for responsible disclosure.
1264
591
 
1265
592
  ---
1266
593
 
1267
- ## Contributing
1268
-
1269
- See [CONTRIBUTING.md](CONTRIBUTING.md).
1270
-
1271
594
  ## License
1272
595
 
1273
- [MIT](LICENSE) - security-mcp contributors
596
+ [MIT](LICENSE)