security-mcp 1.3.1 → 1.3.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +356 -885
- package/defaults/cloud-controls/aws.json +10712 -0
- package/defaults/cloud-controls/azure.json +7201 -0
- package/defaults/cloud-controls/gcp.json +4061 -0
- package/defaults/control-catalog.json +24 -0
- package/dist/ci/pr-gate.js +22 -5
- package/dist/cli/index.js +73 -2
- package/dist/cli/install.js +4 -55
- package/dist/cli/onboarding.js +18 -10
- package/dist/gate/checks/agentic-instructions.js +515 -0
- package/dist/gate/checks/ai-governance.js +132 -0
- package/dist/gate/checks/ai.js +1 -1
- package/dist/gate/checks/cloud-controls.js +69 -0
- package/dist/gate/checks/crypto.js +1 -1
- package/dist/gate/checks/data-platform.js +954 -0
- package/dist/gate/checks/dependencies.js +14 -3
- package/dist/gate/checks/docker-deep.js +1236 -0
- package/dist/gate/checks/gitops.js +724 -0
- package/dist/gate/checks/iac.js +1230 -0
- package/dist/gate/checks/k8s.js +841 -1
- package/dist/gate/checks/secrets.js +49 -37
- package/dist/gate/cloud-controls/apply.js +115 -0
- package/dist/gate/cloud-controls/bicep.js +36 -0
- package/dist/gate/cloud-controls/cfn.js +125 -0
- package/dist/gate/cloud-controls/detect.js +104 -0
- package/dist/gate/cloud-controls/hcl.js +140 -0
- package/dist/gate/cloud-controls/types.js +87 -0
- package/dist/gate/exceptions.js +78 -7
- package/dist/gate/findings.js +15 -2
- package/dist/gate/policy.js +40 -3
- package/dist/gate/threat-intel.js +6 -0
- package/dist/mcp/audit-chain.js +9 -0
- package/dist/mcp/model-router.js +3 -3
- package/dist/mcp/orchestration.js +194 -41
- package/dist/mcp/server.js +124 -17
- package/dist/mcp/tool-audit.js +193 -0
- package/dist/repo/fs.js +14 -1
- package/dist/review/store.js +4 -2
- package/dist/tests/run.js +124 -1
- package/package.json +3 -3
- package/skills/advanced-dos-tester/SKILL.md +9 -0
- package/skills/agentic-instruction-auditor/SKILL.md +111 -0
- package/skills/agentic-loop-exploiter/SKILL.md +9 -0
- package/skills/ai-llm-redteam/SKILL.md +9 -0
- package/skills/ai-model-supply-chain-agent/SKILL.md +9 -0
- package/skills/algorithm-implementation-reviewer/SKILL.md +9 -0
- package/skills/android-penetration-tester/SKILL.md +9 -0
- package/skills/anti-replay-tester/SKILL.md +9 -0
- package/skills/appsec-code-auditor/SKILL.md +9 -0
- package/skills/artifact-integrity-analyst/SKILL.md +9 -0
- package/skills/attack-navigator/SKILL.md +9 -0
- package/skills/auth-session-hacker/SKILL.md +9 -0
- package/skills/aws-penetration-tester/SKILL.md +54 -0
- package/skills/azure-penetration-tester/SKILL.md +52 -0
- package/skills/binary-auth-validator/SKILL.md +9 -0
- package/skills/bot-detection-specialist/SKILL.md +9 -0
- package/skills/business-logic-attacker/SKILL.md +9 -0
- package/skills/capec-code-mapper/SKILL.md +9 -0
- package/skills/cert-pin-rotation-specialist/SKILL.md +9 -0
- package/skills/cicd-pipeline-hijacker/SKILL.md +9 -0
- package/skills/ciso-orchestrator/SKILL.md +11 -0
- package/skills/cloud-infra-specialist/SKILL.md +9 -0
- package/skills/compliance-gap-analyst/SKILL.md +9 -0
- package/skills/compliance-grc/SKILL.md +9 -0
- package/skills/compliance-lifecycle-tracker/SKILL.md +9 -0
- package/skills/container-hardening-auditor/SKILL.md +125 -0
- package/skills/credential-stuffing-specialist/SKILL.md +9 -0
- package/skills/crypto-pki-specialist/SKILL.md +9 -0
- package/skills/csa-ccm-mapper/SKILL.md +9 -0
- package/skills/csf2-governance-mapper/SKILL.md +9 -0
- package/skills/data-platform-auditor/SKILL.md +125 -0
- package/skills/deep-link-fuzzer/SKILL.md +9 -0
- package/skills/dependency-confusion-attacker/SKILL.md +9 -0
- package/skills/device-integrity-aggregator/SKILL.md +9 -0
- package/skills/dos-resilience-tester/SKILL.md +9 -0
- package/skills/dread-scorer/SKILL.md +9 -0
- package/skills/egress-policy-enforcer/SKILL.md +9 -0
- package/skills/evidence-collector/SKILL.md +9 -0
- package/skills/file-upload-attacker/SKILL.md +9 -0
- package/skills/gcp-penetration-tester/SKILL.md +51 -0
- package/skills/git-history-secret-scanner/SKILL.md +9 -0
- package/skills/gitops-delivery-auditor/SKILL.md +120 -0
- package/skills/iac-security-auditor/SKILL.md +125 -0
- package/skills/iam-privesc-graph-builder/SKILL.md +9 -0
- package/skills/incident-responder/SKILL.md +9 -0
- package/skills/injection-specialist/SKILL.md +9 -0
- package/skills/ios-security-auditor/SKILL.md +9 -0
- package/skills/json-ambiguity-tester/SKILL.md +0 -0
- package/skills/k8s-container-escaper/SKILL.md +22 -0
- package/skills/key-management-lifecycle-analyst/SKILL.md +9 -0
- package/skills/kill-switch-engineer/SKILL.md +9 -0
- package/skills/linddun-privacy-analyst/SKILL.md +9 -0
- package/skills/logic-race-fuzzer/SKILL.md +9 -0
- package/skills/mobile-api-network-attacker/SKILL.md +9 -0
- package/skills/mobile-binary-hardener/SKILL.md +9 -0
- package/skills/mobile-security-specialist/SKILL.md +9 -0
- package/skills/mobile-webview-auditor/SKILL.md +9 -0
- package/skills/model-extraction-attacker/SKILL.md +9 -0
- package/skills/multipart-abuse-tester/SKILL.md +9 -0
- package/skills/oauth-pkce-specialist/SKILL.md +9 -0
- package/skills/parser-exhaustion-tester/SKILL.md +9 -0
- package/skills/pentest-infra/SKILL.md +9 -0
- package/skills/pentest-social/SKILL.md +9 -0
- package/skills/pentest-team/SKILL.md +9 -0
- package/skills/pentest-web-api/SKILL.md +9 -0
- package/skills/privacy-flow-analyst/SKILL.md +9 -0
- package/skills/prompt-injection-specialist/SKILL.md +9 -0
- package/skills/quantum-migration-planner/SKILL.md +9 -0
- package/skills/rag-poisoning-specialist/SKILL.md +9 -0
- package/skills/registry-mirror-enforcer/SKILL.md +9 -0
- package/skills/rotation-validation-agent/SKILL.md +9 -0
- package/skills/samm-assessor/SKILL.md +9 -0
- package/skills/secrets-mask-bypass-tester/SKILL.md +9 -0
- package/skills/senior-security-engineer/SKILL.md +11 -0
- package/skills/serialization-memory-attacker/SKILL.md +9 -0
- package/skills/session-timeout-tester/SKILL.md +9 -0
- package/skills/slsa-level3-enforcer/SKILL.md +9 -0
- package/skills/slsa-provenance-enforcer/SKILL.md +9 -0
- package/skills/ssrf-detection-validator/SKILL.md +9 -0
- package/skills/step-up-auth-enforcer/SKILL.md +9 -0
- package/skills/stride-pasta-analyst/SKILL.md +9 -0
- package/skills/supply-chain-devsecops/SKILL.md +9 -0
- package/skills/threat-infrastructure-analyst/SKILL.md +9 -0
- package/skills/threat-modeler/SKILL.md +9 -0
- package/skills/tls-certificate-auditor/SKILL.md +9 -0
- package/skills/token-reuse-detector/SKILL.md +9 -0
- package/skills/trike-risk-modeler/SKILL.md +9 -0
- package/skills/unicode-homograph-tester/SKILL.md +9 -0
- package/skills/waf-rule-lifecycle-agent/SKILL.md +9 -0
- package/skills/webhook-security-tester/SKILL.md +9 -0
- package/skills/zero-trust-architect/SKILL.md +9 -0
package/README.md
CHANGED
|
@@ -1,260 +1,288 @@
|
|
|
1
|
-
# security-mcp
|
|
1
|
+
# security-mcp
|
|
2
2
|
|
|
3
3
|
[](https://www.npmjs.com/package/security-mcp)
|
|
4
4
|
[](LICENSE)
|
|
5
5
|
[](https://nodejs.org)
|
|
6
6
|
[](https://github.com/AbrahamOO/security-mcp/actions)
|
|
7
7
|
|
|
8
|
-
|
|
8
|
+
An autonomous application-security engineering layer for AI-assisted development.
|
|
9
9
|
|
|
10
|
-
|
|
10
|
+
security-mcp is a [Model Context Protocol](https://modelcontextprotocol.io) server that turns your AI coding assistant into a security engineer that does the work, not a linter that files tickets. It reads code the way an attacker does, writes the secure fix inline, and enforces a gate in CI so insecure code cannot merge. The operating mandate across the product is the same one a strong security hire would hold: roughly 90% fixing, 10% advisory.
|
|
11
11
|
|
|
12
|
-
|
|
12
|
+
Platform and security teams can standardize their entire AppSec program on it. A solo founder can install it in a minute and ship safer code on day one. No security background is required to benefit, but nothing is dumbed down for the people who have one.
|
|
13
13
|
|
|
14
|
-
|
|
14
|
+
Works with Claude Code, Cursor, VS Code / GitHub Copilot, Windsurf, Codex, Replit, and any MCP-compatible editor.
|
|
15
|
+
|
|
16
|
+
```bash
|
|
17
|
+
npx -y security-mcp@latest install
|
|
18
|
+
```
|
|
15
19
|
|
|
16
20
|
---
|
|
17
21
|
|
|
18
22
|
## Table of Contents
|
|
19
23
|
|
|
20
|
-
- [
|
|
21
|
-
- [What
|
|
22
|
-
- [
|
|
23
|
-
- [
|
|
24
|
-
- [
|
|
25
|
-
- [
|
|
26
|
-
- [
|
|
27
|
-
- [
|
|
28
|
-
- [
|
|
29
|
-
- [
|
|
30
|
-
- [
|
|
31
|
-
- [
|
|
32
|
-
- [
|
|
33
|
-
- [
|
|
34
|
-
- [
|
|
35
|
-
- [
|
|
36
|
-
- [
|
|
37
|
-
- [
|
|
24
|
+
- [Why this exists](#why-this-exists)
|
|
25
|
+
- [What's new in 1.3.2](#whats-new-in-132)
|
|
26
|
+
- [System overview](#system-overview)
|
|
27
|
+
- [The two entry points](#the-two-entry-points)
|
|
28
|
+
- [/senior-security-engineer](#senior-security-engineer)
|
|
29
|
+
- [/ciso-orchestrator](#ciso-orchestrator)
|
|
30
|
+
- [The gate engine](#the-gate-engine)
|
|
31
|
+
- [Cloud security controls engine](#cloud-security-controls-engine)
|
|
32
|
+
- [Install](#install)
|
|
33
|
+
- [CI/CD gate](#cicd-gate)
|
|
34
|
+
- [Built for teams](#built-for-teams)
|
|
35
|
+
- [Self-protection and supply-chain posture](#self-protection-and-supply-chain-posture)
|
|
36
|
+
- [MCP tools](#mcp-tools)
|
|
37
|
+
- [Frameworks](#frameworks)
|
|
38
|
+
- [Policy and exceptions](#policy-and-exceptions)
|
|
39
|
+
- [Environment variables](#environment-variables)
|
|
40
|
+
- [The 10 non-negotiable rules](#the-10-non-negotiable-rules)
|
|
41
|
+
- [CLI reference](#cli-reference)
|
|
42
|
+
- [Documentation and disclosure](#documentation-and-disclosure)
|
|
43
|
+
- [License](#license)
|
|
38
44
|
|
|
39
45
|
---
|
|
40
46
|
|
|
41
|
-
##
|
|
47
|
+
## Why this exists
|
|
42
48
|
|
|
43
|
-
|
|
49
|
+
Most security tooling stops at detection. It produces a list, hands it to a human, and waits. That model breaks down when AI assistants are writing the majority of the code, because the volume of change outpaces anyone's ability to triage a backlog by hand.
|
|
44
50
|
|
|
45
|
-
|
|
51
|
+
security-mcp inverts the default. When it finds a vulnerability it writes the production-ready fix into your working tree, re-runs the check to confirm the issue cleared, and only then moves on. The same engine runs as a deterministic gate in CI, so the contract is simple: HIGH and CRITICAL findings do not merge.
|
|
46
52
|
|
|
47
|
-
|
|
53
|
+
You get three things from one install:
|
|
48
54
|
|
|
49
|
-
|
|
50
|
-
|
|
51
|
-
|
|
52
|
-
| **SpEL / OGNL injection** | T1059 | Spring Expression Language and OGNL via user-controlled string eval |
|
|
53
|
-
| **Pickle / Java deserialization** | T1059.001 | Unsafe `pickle.loads`, `ObjectInputStream`, `readObject` on untrusted data |
|
|
54
|
-
| **Second-order injection** | T1059 | Data stored to DB then later executed — two-pass file-correlation check |
|
|
55
|
-
| **CSS injection** | T1059 | User content reflected inside `<style>` or `style=` without sanitization |
|
|
56
|
-
| **Elasticsearch injection** | T1059 | Dynamic query construction in Elasticsearch DSL with user input |
|
|
57
|
-
| **WebSocket injection** | T1059 | User-controlled data in `ws.send()` without validation |
|
|
58
|
-
| **SSE-CRLF** | T1059 | CRLF in Server-Sent Events `data:` field hijacking the SSE stream |
|
|
59
|
-
| **PDF / document injection** | T1059 | User input in PDF field generation without escaping |
|
|
60
|
-
| **HTTP response splitting** | T1059 | CRLF in HTTP header values |
|
|
61
|
-
| **Bracket-notation prototype pollution** | T1203 | `obj[key] = value` with user-controlled keys |
|
|
55
|
+
- An interactive security engineer that fixes code inside your editor.
|
|
56
|
+
- A multi-agent security program that runs a full audit on demand.
|
|
57
|
+
- A standalone CI gate that needs no AI session to enforce the line.
|
|
62
58
|
|
|
63
|
-
|
|
59
|
+
---
|
|
64
60
|
|
|
65
|
-
|
|
61
|
+
## What's new in 1.3.2
|
|
66
62
|
|
|
67
|
-
`
|
|
63
|
+
**Cloud security controls engine.** A registry-driven engine that scans infrastructure-as-code against 998 rules mapped to AWS FSBP, CIS Benchmarks (AWS / GCP / Azure), and the Microsoft Cloud Security Benchmark, across Terraform, CloudFormation, and Bicep. Terraform violations can be auto-remediated with `security-mcp autoharden`. See [the dedicated section](#cloud-security-controls-engine).
|
|
68
64
|
|
|
69
|
-
|
|
70
|
-
| --- | --- | --- |
|
|
71
|
-
| **JWT `kid` injection** | CWE-20 | `kid` header used as file path or SQL expression for key material |
|
|
72
|
-
| **JWKS URI override** | CWE-20 | Attacker-controlled `jku` / `x5u` headers pointing to external key stores |
|
|
73
|
-
| **OAuth client secret in repo** | CWE-798 | `client_secret` literals or env defaults checked into source |
|
|
74
|
-
| **Session token in URL** | CWE-598 | Session IDs in query parameters — logged by every proxy |
|
|
75
|
-
| **Low-entropy token** | CWE-330 | Token / secret generated with `Math.random()` or timestamp-seeded RNG |
|
|
76
|
-
| **Remember-me no rotation** | CWE-613 | Persistent login tokens never rotated on use |
|
|
77
|
-
| **Password reset single-use** | CWE-640 | Reset tokens reusable after initial redemption |
|
|
78
|
-
| **Account enumeration** | CWE-204 | Different error messages for valid vs. invalid usernames |
|
|
79
|
-
| **Bcrypt cost factor** | CWE-916 | `bcrypt.hash(pw, N)` where N < 12 |
|
|
80
|
-
|
|
81
|
-
Plus all original patterns: JWT alg:none/HS-RS confusion, session fixation, OAuth state/redirect_uri/PKCE, hardcoded JWT secret, rate limit on auth, plaintext password compare, SAML signature bypass, insecure cookie flags, refresh token rotation, API key in URL, reset token expiry, admin route without authz, timing oracle.
|
|
82
|
-
|
|
83
|
-
### 31 Business Logic Patterns (was 8)
|
|
84
|
-
|
|
85
|
-
`checkBusinessLogic` now catches 31 patterns including 13 new e-commerce and payment abuse vectors:
|
|
86
|
-
|
|
87
|
-
- **Currency confusion** — mixed-currency arithmetic without normalization
|
|
88
|
-
- **Discount stacking** — coupon codes combined with promotions without stack limits
|
|
89
|
-
- **Order fulfillment bypass** — status transitions that skip required payment/verification steps
|
|
90
|
-
- **Webhook timestamp** — missing replay-window check on webhook signature verification
|
|
91
|
-
- **Tax / shipping parameter tamper** — client-supplied tax and shipping totals accepted server-side
|
|
92
|
-
- **Client-side total** — final order amount derived from a browser-supplied value
|
|
93
|
-
- **Referral abuse** — self-referral detection absent from referral credit logic
|
|
94
|
-
- **Email normalization** — `user+tag@domain.com` not normalized when enforcing unique accounts
|
|
95
|
-
- **Feature flag bypass** — feature flags controllable via client-supplied headers or query params
|
|
96
|
-
- **API version bypass** — security controls on v2 routes not enforced on legacy v1 endpoints
|
|
97
|
-
- **Double-spend payment** — concurrent payment requests without idempotency key enforcement
|
|
98
|
-
- **Free trial abuse** — trial period enforced only by client-supplied start date
|
|
99
|
-
- **Pagination abuse** — unlimited page size parameter enabling full-table data dump
|
|
100
|
-
|
|
101
|
-
### 32 Supply Chain Deep Patterns (was 16)
|
|
102
|
-
|
|
103
|
-
`checkSupplyChainDeep` now covers 32 patterns. New additions detect obfuscated payloads, malicious package scripts, and exfiltration channels that bypass standard SAST tools — including keyloggers, reverse shells, cryptomining signatures, DNS exfiltration, clipboard monitoring, and more.
|
|
104
|
-
|
|
105
|
-
### Critical Security Fixes
|
|
106
|
-
|
|
107
|
-
| ID | Severity | Fix |
|
|
108
|
-
| --- | --- | --- |
|
|
109
|
-
| **VULN-001** | CRITICAL | Dead multiline regex in `checkSecondOrderInjection` silently nulled the entire injection-deep module — replaced with two-pass file-correlation |
|
|
110
|
-
| **VULN-002** | HIGH | Symlink traversal in `policy.ts` glob calls — `followSymbolicLinks: false` enforced |
|
|
111
|
-
| **VULN-003** | HIGH | Evidence previews leaked secret values — `redactSecrets()` added to `search.ts` |
|
|
112
|
-
| **AUTH-OBO-01** | HIGH | Lockout off-by-one in `auth.ts` allowed 4 attempts instead of 3 |
|
|
113
|
-
| **META-01/03/04** | MEDIUM | Prompt injection vectors in MCP server — `_notice` framing and `sanitizePromptParam()` added |
|
|
65
|
+
**Two new CLI commands.** `security-mcp ci:pr-gate` runs the gate directly from `npx` and exits non-zero on HIGH/CRITICAL. `security-mcp sign-policy` HMAC-signs the active policy so tampering is detected at gate startup.
|
|
114
66
|
|
|
115
|
-
|
|
67
|
+
**The tool hardened itself.** An unsigned policy can no longer relax the gate to PASS (severity_block is floored to HIGH/CRITICAL). An unsigned exceptions file can no longer suppress HIGH/CRITICAL by default. Attestation refuses to sign anything that is not a clean PASS. There is a fully offline mode, a checksum-verified installer with no `curl | sh` path, and data at rest is written with `0o600` permissions. Details in [self-protection and supply-chain posture](#self-protection-and-supply-chain-posture).
|
|
116
68
|
|
|
117
|
-
- OWASP Top 10
|
|
118
|
-
- NIST AU-11 / PCI Req 10 log retention detection added to `checkAuthDeep`
|
|
119
|
-
- ISO 42001 §9.1 routing decision audit log added to model router
|
|
120
|
-
- `runScanners` (gitleaks / semgrep / trivy / checkov / osv-scanner) wired into the gate — was implemented but never called since v1.0; now active check 27
|
|
69
|
+
Earlier releases expanded the deep-analysis pattern libraries (injection, authentication, supply chain, business logic), brought OWASP Top 10 to full coverage, and wired the industry scanners into the gate.
|
|
121
70
|
|
|
122
|
-
|
|
71
|
+
---
|
|
123
72
|
|
|
124
|
-
|
|
125
|
-
- **Injection** — SQL/ORM detection (Prisma `$queryRaw`, Sequelize, Knex, TypeORM), JNDI/Log4Shell, LDAP, XPath, Redis `EVAL`, ReDoS static catastrophic-backtracking patterns
|
|
126
|
-
- **Cryptography** — AES-CBC-without-HMAC (+ split-string evasion fix), GCM nonce reuse and timestamp IV, RSA PKCS#1v1.5, SHA-256-as-password-hash, hardcoded PBKDF2 salt, `rejectUnauthorized: false`, weak TLS min version
|
|
127
|
-
- **Checklists** — all 6 surface checklists updated with `automated: true` entries for every new check ID
|
|
73
|
+
## System overview
|
|
128
74
|
|
|
129
|
-
|
|
75
|
+
```mermaid
|
|
76
|
+
graph TD
|
|
77
|
+
subgraph Editor["Your editor (Claude Code, Cursor, VS Code, ...)"]
|
|
78
|
+
A["/senior-security-engineer"]
|
|
79
|
+
B["/ciso-orchestrator"]
|
|
80
|
+
end
|
|
130
81
|
|
|
131
|
-
|
|
82
|
+
A -->|MCP stdio| S["MCP server"]
|
|
83
|
+
B -->|MCP stdio| S
|
|
132
84
|
|
|
133
|
-
|
|
134
|
-
|
|
85
|
+
S --> G["Gate engine (35 checks)"]
|
|
86
|
+
S --> O["Orchestration (39+ agents)"]
|
|
87
|
+
S --> C["Cloud controls (998 rules)"]
|
|
88
|
+
S --> P["Platform subsystems"]
|
|
89
|
+
|
|
90
|
+
G --> AT["SHA-256 attestation"]
|
|
91
|
+
O --> AT
|
|
92
|
+
P --> R["Model router / learning / hash chain / auth"]
|
|
93
|
+
|
|
94
|
+
CI["CI: security-mcp ci:pr-gate"] --> G
|
|
135
95
|
```
|
|
136
96
|
|
|
137
|
-
|
|
97
|
+
The MCP server is the trust root. Both entry-point skills, the standalone CI gate, and every supporting subsystem call into the same engine, so an interactive fix and a CI verdict are produced by identical logic.
|
|
138
98
|
|
|
139
|
-
|
|
99
|
+
---
|
|
140
100
|
|
|
141
|
-
|
|
101
|
+
## The two entry points
|
|
142
102
|
|
|
143
|
-
|
|
144
|
-
|
|
145
|
-
|
|
103
|
+
You drive security-mcp through two skills. One is your daily security engineer. The other is a full security program you run when the stakes are high.
|
|
104
|
+
|
|
105
|
+
| | `/senior-security-engineer` | `/ciso-orchestrator` |
|
|
106
|
+
| --- | --- | --- |
|
|
107
|
+
| Shape | One elite engineer agent | 39 named agents, 40+ at runtime |
|
|
108
|
+
| Best for | Every PR, targeted hardening | Pre-release audits, compliance prep |
|
|
109
|
+
| Scope | You pick: diff, full codebase, or specific paths | Full: every surface, every framework |
|
|
110
|
+
| Speed | Seconds to minutes | Minutes to hours |
|
|
111
|
+
| Output | Inline fixes + SHA-256 attested report | Merged findings, compliance mapping, signed attestation |
|
|
112
|
+
| Network | Not required | Optional live threat intel |
|
|
113
|
+
|
|
114
|
+
Rule of thumb: run `/senior-security-engineer` on every PR, and `/ciso-orchestrator` before a release or an audit.
|
|
115
|
+
|
|
116
|
+
### /senior-security-engineer
|
|
117
|
+
|
|
118
|
+
A single elite security-engineer agent. It operates 90% fixing, 10% advisory: it writes the secure code rather than handing you a report to act on. You pick the scope at the start (recent changes via git diff, the full codebase, or specific files and folders), and it runs a strategy pass, then the gate, then inline fixes, and finishes with a SHA-256 attested report you can keep as an audit artifact.
|
|
119
|
+
|
|
120
|
+
This is the daily driver. Use it on every PR.
|
|
121
|
+
|
|
122
|
+
```mermaid
|
|
123
|
+
graph TD
|
|
124
|
+
U["Invoke /senior-security-engineer"] --> SC{"Pick scope"}
|
|
125
|
+
SC -->|A| D["Recent changes / git diff"]
|
|
126
|
+
SC -->|B| F["Full codebase"]
|
|
127
|
+
SC -->|C| P["Specific files / folders"]
|
|
128
|
+
D --> ST["Build strategy"]
|
|
129
|
+
F --> ST
|
|
130
|
+
P --> ST
|
|
131
|
+
ST --> GT["Run gate"]
|
|
132
|
+
GT --> FX["Write inline fixes"]
|
|
133
|
+
FX --> RV["Re-run check, confirm clean"]
|
|
134
|
+
RV -->|remaining| FX
|
|
135
|
+
RV -->|clean| AT["SHA-256 attested report"]
|
|
146
136
|
```
|
|
147
137
|
|
|
148
|
-
|
|
138
|
+
### /ciso-orchestrator
|
|
149
139
|
|
|
150
|
-
|
|
140
|
+
A full security program in one command, held to the same 90% fixing, 10% advisory mandate as the single agent: every specialist writes the fix rather than filing a finding. Nine specialist lead agents command 30 sub-agents, for 39 named agents in the static spawn tree. At runtime the orchestrator dynamically spawns additional ghost and coverage agents based on cross-domain findings, so a real run typically fields 40 or more. It draws on a registry of 91 specialist skills (registry version 1.6.0), loaded on demand based on your detected stack, and covers PCI DSS 4.0, SOC 2, ISO 27001, NIST 800-53, HIPAA, and GDPR mapping.
|
|
151
141
|
|
|
152
|
-
|
|
142
|
+
It runs in three phases:
|
|
153
143
|
|
|
154
|
-
|
|
144
|
+
1. **Discovery (parallel).** Seven leads run at once: threat modeling, AppSec code audit, cloud and infrastructure, supply chain, AI/LLM red team, mobile, and crypto/PKI.
|
|
145
|
+
2. **Adversarial and compliance (parallel).** A penetration-test team reads Phase 1's threat model as its attack brief, while a compliance/GRC synthesizer maps findings to controls.
|
|
146
|
+
3. **Synthesis.** Each agent's findings file is schema-validated and verified against that agent's signed attestation before it is trusted, then findings are merged and deduplicated, SKILL.md section coverage (§0 through §24) is verified, and a signed attestation is written. A tampered attestation chain or a findings-hash mismatch forces the gate to FAIL.
|
|
155
147
|
|
|
156
|
-
|
|
157
|
-
|
|
158
|
-
|
|
159
|
-
|
|
148
|
+
```mermaid
|
|
149
|
+
graph TD
|
|
150
|
+
ORCH["CISO orchestrator"] --> P1
|
|
151
|
+
ORCH --> P2
|
|
152
|
+
ORCH --> P3
|
|
160
153
|
|
|
161
|
-
|
|
154
|
+
subgraph P1["Phase 1: discovery (parallel)"]
|
|
155
|
+
TM["threat-modeler"] --> TM1["stride-pasta-analyst"] & TM2["attack-navigator"] & TM3["business-logic-attacker"] & TM4["privacy-flow-analyst"]
|
|
156
|
+
AC["appsec-code-auditor"] --> AC1["injection-specialist"] & AC2["auth-session-hacker"] & AC3["logic-race-fuzzer"] & AC4["serialization-memory-attacker"]
|
|
157
|
+
CI["cloud-infra-specialist"] --> CI1["aws/gcp/azure-pentester"] & CI2["k8s-container-escaper"]
|
|
158
|
+
SD["supply-chain-devsecops"] --> SD1["dependency-confusion-attacker"] & SD2["cicd-pipeline-hijacker"] & SD3["artifact-integrity-analyst"]
|
|
159
|
+
AI["ai-llm-redteam"] --> AI1["prompt-injection-specialist"] & AI2["model-extraction-attacker"] & AI3["rag-poisoning-specialist"] & AI4["agentic-loop-exploiter"]
|
|
160
|
+
MB["mobile-security-specialist"] --> MB1["ios-security-auditor"] & MB2["android-penetration-tester"] & MB3["mobile-api-network-attacker"]
|
|
161
|
+
CR["crypto-pki-specialist"] --> CR1["tls-certificate-auditor"] & CR2["algorithm-implementation-reviewer"] & CR3["key-management-lifecycle-analyst"]
|
|
162
|
+
end
|
|
162
163
|
|
|
163
|
-
|
|
164
|
+
subgraph P2["Phase 2: adversarial + compliance (parallel)"]
|
|
165
|
+
PT["pentest-team"] --> PT1["pentest-web-api"] & PT2["pentest-infra"] & PT3["pentest-social"]
|
|
166
|
+
GRC["compliance-grc"] --> GRC1["evidence-collector"] & GRC2["compliance-gap-analyst"]
|
|
167
|
+
end
|
|
168
|
+
|
|
169
|
+
subgraph P3["Phase 3: synthesis"]
|
|
170
|
+
M["Verify attestations + merge + dedupe"] --> V["Verify §0-§24 coverage"] --> A["Signed attestation"]
|
|
171
|
+
end
|
|
172
|
+
```
|
|
173
|
+
|
|
174
|
+
Cloud, AI/LLM, and mobile sub-agents are conditional: they activate only when the relevant stack is detected, and report N/A otherwise.
|
|
164
175
|
|
|
165
176
|
---
|
|
166
177
|
|
|
167
|
-
##
|
|
178
|
+
## The gate engine
|
|
168
179
|
|
|
169
|
-
|
|
170
|
-
- **Full-stack developers** who know their code works but aren't sure if it's safe
|
|
171
|
-
- **Startups and small teams** shipping web apps, mobile apps, APIs, and SaaS products
|
|
172
|
-
- **AI-assisted developers** using Claude Code, Copilot, Cursor, or Codex to write most of their code
|
|
173
|
-
- **Teams preparing for SOC 2, PCI DSS, or ISO 27001 audits** who need evidence and gap analysis
|
|
174
|
-
- **Security-conscious engineers** who want systematic coverage, not ad-hoc reviews
|
|
175
|
-
- **Anyone who's shipped code and thought "wait, is this actually secure?"**
|
|
180
|
+
The gate is the deterministic core. On every run it executes 35 security checks in parallel (33 distinct check modules plus 2 precomputed coverage feeds). It is surface-aware: it first detects which surfaces a change touches (web, API, infrastructure, iOS, Android, AI/LLM, agentic) and runs the relevant checks against them.
|
|
176
181
|
|
|
177
|
-
|
|
182
|
+
```mermaid
|
|
183
|
+
graph TD
|
|
184
|
+
PL["Load policy (HMAC-verified)"] --> SC["Resolve scope"]
|
|
185
|
+
SC --> CT["Classify change type"]
|
|
186
|
+
CT -->|docs-only| SS["Secrets scan only"]
|
|
187
|
+
CT -->|code| DS["Detect surfaces"]
|
|
188
|
+
DS --> CAT["Load catalog + scanner readiness + evidence coverage"]
|
|
189
|
+
CAT --> RUN["Run 35 checks in parallel"]
|
|
190
|
+
RUN --> SLA["Assign risk SLAs"]
|
|
191
|
+
SLA --> CM["Build coverage manifest"]
|
|
192
|
+
CM --> EX["Apply exceptions"]
|
|
193
|
+
EX --> CONF["Confidence score (70% coverage + 30% scanner)"]
|
|
194
|
+
CONF --> BL["Diff against baseline"]
|
|
195
|
+
BL --> VR{"Verdict by severity_block"}
|
|
196
|
+
VR --> PB["Persist new baseline"]
|
|
197
|
+
SS --> VR
|
|
198
|
+
```
|
|
178
199
|
|
|
179
|
-
|
|
200
|
+
A crashed check module never disappears quietly. It becomes a HIGH coverage-gap finding, so the absence of a result is itself a result. A control that regresses from satisfied to missing against the saved baseline also becomes a HIGH finding.
|
|
180
201
|
|
|
181
|
-
###
|
|
202
|
+
### Deep-analysis modules
|
|
182
203
|
|
|
183
|
-
|
|
204
|
+
| Module | Patterns | What it targets |
|
|
205
|
+
| --- | --- | --- |
|
|
206
|
+
| Deep injection | 42 | SQL/NoSQL, SSTI, SpEL/OGNL, deserialization, CRLF, SSRF, and more |
|
|
207
|
+
| Deep authentication | 43 | JWT confusion, session and OAuth flaws, weak hashing, token entropy |
|
|
208
|
+
| Deep supply chain | 32 | Obfuscated payloads, malicious scripts, exfiltration channels |
|
|
209
|
+
| Business logic | 31 | IDOR, race conditions, payment and e-commerce abuse |
|
|
210
|
+
| Data platform | 47 | Databricks and Snowflake misconfiguration |
|
|
211
|
+
| Deep Docker | 49 | Container build and runtime hardening |
|
|
212
|
+
| GitOps | 41 | ArgoCD and Flux pipeline integrity |
|
|
213
|
+
| Agentic-instruction integrity | 11 | Poisoned AI agent instruction files |
|
|
214
|
+
| AI governance | 3 | Shadow-AI and data-to-LLM exfiltration |
|
|
184
215
|
|
|
185
|
-
|
|
216
|
+
Alongside these, the gate runs Kubernetes (70 checks), IaC (56), and dedicated modules for secrets, dependencies, crypto, web/Next.js, API, mobile (iOS and Android), GraphQL, database, DLP, SBOM, an incident-response playbook, runtime/DAST, CI pipeline hardening, and a Nuclei DAST integration.
|
|
186
217
|
|
|
187
|
-
###
|
|
218
|
+
### Scanner orchestration and threat intel
|
|
188
219
|
|
|
189
|
-
|
|
220
|
+
When they are present on the host, the gate orchestrates industry scanners: gitleaks, semgrep, trivy, osv-scanner, checkov, conftest, and zaproxy. Their results fold into the same findings model.
|
|
190
221
|
|
|
191
|
-
|
|
222
|
+
Live threat intelligence (cached for 24 hours) enriches the verdict: CISA KEV, EPSS (a score above 0.5 escalates severity), OpenSSF Scorecard, and the npm registry. Set `SECURITY_OFFLINE=1` to disable all third-party egress. Private and internal scoped package names are never sent to public endpoints, online or off.
|
|
192
223
|
|
|
193
224
|
---
|
|
194
225
|
|
|
195
|
-
|
|
196
|
-
| --- | --- | --- |
|
|
197
|
-
| **What it is** | Single expert agent | 39-agent multi-phase security program |
|
|
198
|
-
| **Best for** | Daily development, PR reviews, targeted hardening | Pre-launch audits, compliance prep, incident response |
|
|
199
|
-
| **Speed** | Seconds to minutes | Minutes to hours |
|
|
200
|
-
| **Scope** | You choose: recent changes, full codebase, or specific files | Always full - every surface, every framework |
|
|
201
|
-
| **Agents** | 1 | 39 (9 leads + 30 sub-agents) |
|
|
202
|
-
| **Output** | Inline code fixes + SHA-256 attestation | Full domain reports + merged findings + attestation |
|
|
203
|
-
| **API cost** | Low | High |
|
|
204
|
-
| **Internet** | Not required | Optional (enriches findings with live CVEs, CISA KEV, MITRE ATT&CK) |
|
|
226
|
+
## Cloud security controls engine
|
|
205
227
|
|
|
206
|
-
|
|
228
|
+
A registry-driven engine scans infrastructure-as-code against 998 rules mapped to AWS Foundational Security Best Practices (FSBP), CIS Benchmarks for AWS, GCP, and Azure, and the Microsoft Cloud Security Benchmark.
|
|
229
|
+
|
|
230
|
+
| Coverage | Rules |
|
|
231
|
+
| --- | --- |
|
|
232
|
+
| AWS | 483 |
|
|
233
|
+
| Azure | 320 |
|
|
234
|
+
| GCP | 195 |
|
|
235
|
+
| Terraform / HCL | 774 |
|
|
236
|
+
| CloudFormation | 128 |
|
|
237
|
+
| Bicep | 96 |
|
|
238
|
+
|
|
239
|
+
```mermaid
|
|
240
|
+
graph TD
|
|
241
|
+
IAC["IaC files (TF / CFN / Bicep)"] --> DET["Detect against 998-rule registry"]
|
|
242
|
+
DET --> V["Violations"]
|
|
243
|
+
V --> AF{"Safe to auto-fix?"}
|
|
244
|
+
AF -->|yes, Terraform| FIX["Apply fix"]
|
|
245
|
+
FIX --> RD["Re-detect"]
|
|
246
|
+
RD -->|cleared| KEEP["Keep change"]
|
|
247
|
+
RD -->|not cleared| REV["Revert, report manual"]
|
|
248
|
+
AF -->|no| MAN["Manual action + snippet"]
|
|
249
|
+
```
|
|
250
|
+
|
|
251
|
+
Terraform supports auto-remediation through `security-mcp autoharden` (use `--dry-run` to preview). The engine applies a fix, re-detects to confirm the violation actually cleared, and only then keeps the change. Anything it cannot safely auto-fix is reported as a manual action with a code snippet.
|
|
207
252
|
|
|
208
253
|
---
|
|
209
254
|
|
|
210
|
-
##
|
|
255
|
+
## Install
|
|
256
|
+
|
|
257
|
+
Prerequisite: Node.js 20 or higher (`node --version`).
|
|
211
258
|
|
|
212
259
|
```bash
|
|
213
260
|
npx -y security-mcp@latest install
|
|
214
261
|
```
|
|
215
262
|
|
|
216
|
-
Restart your editor
|
|
263
|
+
The installer auto-detects Claude Code, Cursor, VS Code, and Windsurf, and writes the config to the right place. Restart your editor, then run a review:
|
|
217
264
|
|
|
218
265
|
```text
|
|
219
266
|
/senior-security-engineer
|
|
220
267
|
```
|
|
221
268
|
|
|
222
|
-
|
|
223
|
-
|
|
224
|
-
For a full 39-agent deep audit:
|
|
269
|
+
For a full audit:
|
|
225
270
|
|
|
226
271
|
```text
|
|
227
272
|
/ciso-orchestrator
|
|
228
273
|
```
|
|
229
274
|
|
|
230
|
-
|
|
231
|
-
|
|
232
|
-
## Installation
|
|
233
|
-
|
|
234
|
-
> **Prerequisite:** Node.js 20+. Check with `node --version`.
|
|
235
|
-
|
|
236
|
-
### One Command — Auto-detects Your Editor
|
|
275
|
+
Confirm the install is healthy at any time:
|
|
237
276
|
|
|
238
277
|
```bash
|
|
239
|
-
npx -y security-mcp@latest
|
|
240
|
-
```
|
|
241
|
-
|
|
242
|
-
The installer detects Claude Code, Cursor, VS Code, and Windsurf automatically and writes the config to the correct location. Restart your editor when it finishes, then type `/senior-security-engineer`.
|
|
243
|
-
|
|
244
|
-
### Install for a Specific Editor
|
|
245
|
-
|
|
246
|
-
```bash
|
|
247
|
-
npx -y security-mcp@latest install --claude-code # ~/.claude/settings.json
|
|
248
|
-
npx -y security-mcp@latest install --cursor # ~/.cursor/mcp.json
|
|
249
|
-
npx -y security-mcp@latest install --vscode # VS Code user settings.json
|
|
250
|
-
npx -y security-mcp@latest install --windsurf # ~/.windsurf/mcp.json
|
|
278
|
+
npx -y security-mcp@latest doctor
|
|
251
279
|
```
|
|
252
280
|
|
|
253
|
-
### Manual
|
|
281
|
+
### Manual config
|
|
254
282
|
|
|
255
|
-
Add
|
|
283
|
+
Add the server to your editor's MCP config and restart.
|
|
256
284
|
|
|
257
|
-
|
|
285
|
+
Claude Code (`~/.claude/settings.json`), Cursor (`~/.cursor/mcp.json`), Windsurf (`~/.windsurf/mcp.json`):
|
|
258
286
|
|
|
259
287
|
```json
|
|
260
288
|
{
|
|
@@ -267,7 +295,7 @@ Add this to your editor's MCP server config and restart:
|
|
|
267
295
|
}
|
|
268
296
|
```
|
|
269
297
|
|
|
270
|
-
|
|
298
|
+
VS Code / GitHub Copilot (user `settings.json`):
|
|
271
299
|
|
|
272
300
|
```json
|
|
273
301
|
{
|
|
@@ -282,118 +310,17 @@ Add this to your editor's MCP server config and restart:
|
|
|
282
310
|
|
|
283
311
|
---
|
|
284
312
|
|
|
285
|
-
##
|
|
313
|
+
## CI/CD gate
|
|
286
314
|
|
|
287
|
-
|
|
315
|
+
The gate runs as plain Node.js with no AI session involved, so it belongs in your pipeline as a required check.
|
|
288
316
|
|
|
289
317
|
```bash
|
|
290
|
-
npx -y security-mcp@latest
|
|
291
|
-
```
|
|
292
|
-
|
|
293
|
-
This checks your Node.js version, editor config files, and installed skills — and prints `[PASS]` or `[FAIL]` per check with a fix command if anything is missing.
|
|
294
|
-
|
|
295
|
-
Example output:
|
|
296
|
-
|
|
297
|
-
```text
|
|
298
|
-
[PASS] Node.js 22.x
|
|
299
|
-
[PASS] Claude Code config (~/.claude/settings.json)
|
|
300
|
-
[PASS] senior-security-engineer skill (~/.claude/skills/senior-security-engineer/SKILL.md)
|
|
301
|
-
|
|
302
|
-
All checks passed. Restart your editor, then type /senior-security-engineer.
|
|
303
|
-
```
|
|
304
|
-
|
|
305
|
-
---
|
|
306
|
-
|
|
307
|
-
## How to Run Your First Security Review
|
|
308
|
-
|
|
309
|
-
### Daily Workflow: `/senior-security-engineer`
|
|
310
|
-
|
|
311
|
-
**Step 1 - Open your project in your editor.**
|
|
312
|
-
|
|
313
|
-
**Step 2 - Invoke the skill:**
|
|
314
|
-
|
|
315
|
-
```text
|
|
316
|
-
/senior-security-engineer
|
|
318
|
+
npx -y security-mcp@latest ci:pr-gate
|
|
317
319
|
```
|
|
318
320
|
|
|
319
|
-
|
|
320
|
-
|
|
321
|
-
- **Recent changes** - scans only files modified since your last commit. Use this on every PR.
|
|
322
|
-
- **Full codebase** - scans all source files. Use when onboarding a new project.
|
|
323
|
-
- **Specific folders** - you name the folders. Use when you know the blast radius.
|
|
324
|
-
|
|
325
|
-
**Step 4 - Watch it work.** The agent will:
|
|
326
|
-
|
|
327
|
-
1. Call `security.start_review` to create a tracked run
|
|
328
|
-
2. Build a scan plan covering all relevant OWASP/NIST/ATT&CK controls
|
|
329
|
-
3. Run 20 security checks in parallel across secrets, dependencies, crypto, auth, injection, cloud config, AI/LLM, mobile, and more
|
|
330
|
-
4. Write fixes directly into your code for every finding it can remediate
|
|
331
|
-
5. Generate a SHA-256 attested report at `.mcp/reports/{runId}.attestation.json`
|
|
332
|
-
|
|
333
|
-
**Step 5 - Review the output.** Each finding shows:
|
|
334
|
-
|
|
335
|
-
- What the vulnerability is and why it matters
|
|
336
|
-
- Which attack it enables (mapped to MITRE ATT&CK and CWE)
|
|
337
|
-
- The exact fix that was applied to your code
|
|
338
|
-
|
|
339
|
-
**Step 6 - Commit with confidence.** The attestation file is your audit trail.
|
|
321
|
+
It exits non-zero on HIGH or CRITICAL findings.
|
|
340
322
|
|
|
341
|
-
|
|
342
|
-
|
|
343
|
-
### Deep Audit: `/ciso-orchestrator`
|
|
344
|
-
|
|
345
|
-
Use this before a major release, compliance deadline, or security review.
|
|
346
|
-
|
|
347
|
-
**Step 1 - Invoke:**
|
|
348
|
-
|
|
349
|
-
```text
|
|
350
|
-
/ciso-orchestrator
|
|
351
|
-
```
|
|
352
|
-
|
|
353
|
-
**Step 2 - Answer the internet permission prompt.**
|
|
354
|
-
|
|
355
|
-
The orchestrator will ask:
|
|
356
|
-
|
|
357
|
-
> "I can fetch live CVE data, CISA KEV, and MITRE ATT&CK updates to improve this analysis. Allow internet access for this run? (yes/no)"
|
|
358
|
-
|
|
359
|
-
- **Yes** - agents enrich findings with live threat intelligence. More accurate, more current.
|
|
360
|
-
- **No** - agents use cached intel. Still comprehensive, no external calls made.
|
|
361
|
-
|
|
362
|
-
**Step 3 - Wait for Phase 1 (7 lead agents running in parallel, each commanding their domain-specific sub-agents — 25 sub-agents total across Phase 1).**
|
|
363
|
-
|
|
364
|
-
Each agent writes findings to `.mcp/agent-runs/{agentRunId}/`.
|
|
365
|
-
|
|
366
|
-
**Step 4 - Wait for Phase 2 (pentest team + compliance synthesizer).**
|
|
367
|
-
|
|
368
|
-
The pentest team reads Phase 1's threat model as its attack brief. The compliance agent maps every finding to PCI DSS 4.0, SOC 2, ISO 27001, NIST 800-53, HIPAA, and GDPR controls.
|
|
369
|
-
|
|
370
|
-
**Step 5 - Review the merged report.**
|
|
371
|
-
|
|
372
|
-
The orchestrator presents:
|
|
373
|
-
|
|
374
|
-
```text
|
|
375
|
-
Agents: 9 leads completed (+ sub-agents)
|
|
376
|
-
Findings: X CRITICAL / X HIGH / X MEDIUM / X LOW
|
|
377
|
-
Remediated inline: X
|
|
378
|
-
Open (need your decision): X
|
|
379
|
-
SKILL.md coverage: XX% (§1-§24)
|
|
380
|
-
Release blocked: yes / no
|
|
381
|
-
Attestation: .mcp/reports/{runId}.attestation.json
|
|
382
|
-
```
|
|
383
|
-
|
|
384
|
-
**Step 6 - For any open findings**, follow the required actions in the report. The agent will help you implement each fix.
|
|
385
|
-
|
|
386
|
-
---
|
|
387
|
-
|
|
388
|
-
## CI/CD Security Gate
|
|
389
|
-
|
|
390
|
-
Block insecure code from merging on every pull request - no Claude session required, pure Node.js execution:
|
|
391
|
-
|
|
392
|
-
```bash
|
|
393
|
-
npx -y security-mcp ci:pr-gate
|
|
394
|
-
```
|
|
395
|
-
|
|
396
|
-
### Add to GitHub Actions
|
|
323
|
+
### GitHub Actions
|
|
397
324
|
|
|
398
325
|
Create `.github/workflows/security-gate.yml`:
|
|
399
326
|
|
|
@@ -402,7 +329,7 @@ name: Security Gate
|
|
|
402
329
|
|
|
403
330
|
on:
|
|
404
331
|
pull_request:
|
|
405
|
-
branches: [main
|
|
332
|
+
branches: [main]
|
|
406
333
|
|
|
407
334
|
jobs:
|
|
408
335
|
security-gate:
|
|
@@ -410,533 +337,121 @@ jobs:
|
|
|
410
337
|
steps:
|
|
411
338
|
- uses: actions/checkout@v4
|
|
412
339
|
with:
|
|
413
|
-
fetch-depth: 0
|
|
340
|
+
fetch-depth: 0 # required for git diff
|
|
414
341
|
|
|
415
342
|
- uses: actions/setup-node@v4
|
|
416
343
|
with:
|
|
417
344
|
node-version: '20'
|
|
418
345
|
|
|
419
346
|
- name: Block insecure code from merging
|
|
420
|
-
run: npx -y security-mcp ci:pr-gate
|
|
347
|
+
run: npx -y security-mcp@latest ci:pr-gate
|
|
421
348
|
env:
|
|
422
349
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
423
350
|
```
|
|
424
351
|
|
|
425
|
-
###
|
|
426
|
-
|
|
427
|
-
The gate runs **24 check modules in parallel** against your diff:
|
|
428
|
-
|
|
429
|
-
| Category | What It Catches |
|
|
430
|
-
| --- | --- |
|
|
431
|
-
| **Secrets** | Hardcoded API keys, tokens, passwords, private keys (via Gitleaks patterns) |
|
|
432
|
-
| **Dependencies** | CRITICAL/HIGH CVEs in npm/pip/go/maven packages; CISA KEV cross-check and EPSS >50% auto-escalation via live threat-intel (24h cached) |
|
|
433
|
-
| **Cryptography** | MD5, SHA-1, DES, RC4, ECB mode, `Math.random()` for tokens, short JWT secrets |
|
|
434
|
-
| **Authentication** | Missing rate limiting, no account lockout, JWT `alg:none`, weak session config |
|
|
435
|
-
| **Injection** | SQL, NoSQL, command injection, path traversal, SSRF, prototype pollution |
|
|
436
|
-
| **Web headers** | Missing CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy |
|
|
437
|
-
| **IaC** | `0.0.0.0/0` firewall rules, public storage buckets, wildcard IAM permissions |
|
|
438
|
-
| **AI/LLM** | `eval()` on model output, unvalidated model responses, prompt injection patterns |
|
|
439
|
-
| **Database** | TLS disabled on connections, raw query concatenation, missing connection encryption |
|
|
440
|
-
| **Mobile** | `android:debuggable=true`, cleartext traffic, insecure ATS config |
|
|
441
|
-
| **GraphQL** | Introspection in production, no depth/complexity limits, batching abuse |
|
|
442
|
-
| **Kubernetes** | Privileged containers, missing security context, hostPath mounts |
|
|
443
|
-
| **DLP** | PII in logs, stack traces in API responses, sensitive data in error messages |
|
|
444
|
-
| **Supply chain** | Missing lockfiles, floating version ranges (`^`, `~`), abandoned packages |
|
|
445
|
-
| **SBOM** | Generates CycloneDX SBOM for the scanned surface |
|
|
446
|
-
| **Runtime** | HTTP security headers and TLS config on live staging URL (if configured) |
|
|
447
|
-
| **AI red-team** | Static + optional dynamic probes against AI endpoints |
|
|
448
|
-
| **Exceptions** | Validates any active security exceptions are non-expired and properly approved |
|
|
449
|
-
| **Baseline regression** | Detects when previously-satisfied controls go missing (BASELINE_REGRESSION HIGH finding injected on regression) |
|
|
450
|
-
| **Deep injection** | 42 patterns — XXE, SSTI (Java/PHP), SpEL/OGNL, prototype pollution, second-order injection, NoSQL/MongoDB/Redis/LDAP/XPath injection, JNDI/Log4Shell, CRLF, WebSocket injection, CSS injection, SSE-CRLF, PDF injection, HTTP response splitting, unsafe YAML, deserialization (pickle/Java), path traversal, log injection, SSRF, command injection, ReDoS, SQL/ORM (Prisma/Sequelize/Knex/TypeORM), and more |
|
|
451
|
-
| **Deep auth** | 43 patterns — JWT alg confusion/kid injection/JWKS override, session fixation, OAuth state/redirect_uri/PKCE/client secret, hardcoded JWT secret, rate limit, plaintext compare, SAML signature, cookie flags, token rotation, HS/RS confusion, API key in URL, reset expiry/single-use, admin route without authz, timing oracle, account enumeration, session token in URL, low-entropy token, bcrypt cost factor, and more |
|
|
452
|
-
| **Supply chain deep** | 32 patterns — keyloggers, reverse shells, destructive commands, credential exfiltration, env variable theft, malicious postinstall scripts, dynamic require(), base64-obfuscated exec, cryptomining, sensitive file reads, unpinned dependencies, hidden file writes, DNS exfiltration, clipboard monitoring, obfuscated DOM injection, and more |
|
|
453
|
-
| **Business logic** | 31 patterns — IDOR without ownership check, mass assignment, race conditions, integer overflow, currency confusion, discount stacking, order fulfillment bypass, webhook replay, tax/shipping tamper, client-side total, referral abuse, email normalization, feature flag bypass, API version bypass, double-spend, free trial abuse, pagination abuse, and more |
|
|
454
|
-
|
|
455
|
-
### Customize the Gate Policy
|
|
456
|
-
|
|
457
|
-
Copy the default policy into your project and edit:
|
|
458
|
-
|
|
459
|
-
```bash
|
|
460
|
-
mkdir -p .mcp/policies
|
|
461
|
-
cp node_modules/security-mcp/defaults/security-policy.json .mcp/policies/security-policy.json
|
|
462
|
-
```
|
|
463
|
-
|
|
464
|
-
Or generate one tailored to your stack:
|
|
465
|
-
|
|
466
|
-
```text
|
|
467
|
-
Ask your AI: "Run security.generate_policy with surfaces=[web, api, ai] and cloud=aws"
|
|
468
|
-
```
|
|
469
|
-
|
|
470
|
-
### Add Exceptions for Known Accepted Risks
|
|
352
|
+
### Optional HMAC integrity
|
|
471
353
|
|
|
472
|
-
|
|
354
|
+
To make the policy tamper-evident, add a repository secret named `SECURITY_POLICY_HMAC_KEY` that is at least 32 bytes, then sign and commit:
|
|
473
355
|
|
|
474
356
|
```bash
|
|
475
|
-
|
|
476
|
-
cp node_modules/security-mcp/defaults/security-exceptions.json .mcp/exceptions/security-exceptions.json
|
|
357
|
+
security-mcp sign-policy
|
|
477
358
|
```
|
|
478
359
|
|
|
479
|
-
|
|
480
|
-
|
|
481
|
-
```json
|
|
482
|
-
{
|
|
483
|
-
"version": "1.0.0",
|
|
484
|
-
"exceptions": [
|
|
485
|
-
{
|
|
486
|
-
"id": "EX-001",
|
|
487
|
-
"finding_ids": ["CRYPTO_WEAK_HASH"],
|
|
488
|
-
"justification": "Legacy hash used only for non-security cache keys",
|
|
489
|
-
"ticket": "JIRA-1234",
|
|
490
|
-
"owner": "alice@example.com",
|
|
491
|
-
"approver": "bob@example.com",
|
|
492
|
-
"approval_role": "SecurityLead",
|
|
493
|
-
"expires_on": "2025-12-31"
|
|
494
|
-
}
|
|
495
|
-
]
|
|
496
|
-
}
|
|
497
|
-
```
|
|
498
|
-
|
|
499
|
-
Expired exceptions automatically become CRITICAL findings that block the gate.
|
|
360
|
+
Commit the policy file together with its generated `.hmac` sidecar. Once a key is set, the gate requires a valid signature on the policy, and a missing sidecar is rejected by design, so the key and the signature must land in the same change.
|
|
500
361
|
|
|
501
362
|
---
|
|
502
363
|
|
|
503
|
-
##
|
|
504
|
-
|
|
505
|
-
When your AI has security-mcp active, it **writes the production-ready fix** - not a suggestion, not a warning comment:
|
|
506
|
-
|
|
507
|
-
### Secrets and Credentials
|
|
508
|
-
|
|
509
|
-
| Insecure | Fixed to |
|
|
510
|
-
| --- | --- |
|
|
511
|
-
| `const KEY = "sk-abc123"` | `const KEY = process.env["API_KEY"]` + vault reference |
|
|
512
|
-
| `password: "hardcoded"` in config | Environment variable + secret manager setup |
|
|
513
|
-
| JWT signed with `"secret"` | RS256 with generated key pair, proper validation |
|
|
514
|
-
| Bcrypt with cost factor 4 | Argon2id with `memory: 65536, iterations: 3, parallelism: 4` |
|
|
515
|
-
|
|
516
|
-
### Authentication and Authorization
|
|
517
|
-
|
|
518
|
-
- Rate limiting middleware added to all auth endpoints (configurable thresholds)
|
|
519
|
-
- Account lockout after N failed attempts with progressive delays
|
|
520
|
-
- Session absolute timeout (8h) and idle timeout (30 min)
|
|
521
|
-
- FIDO2/WebAuthn requirement flagged for admin interfaces
|
|
522
|
-
- IDOR protection: tenant/user IDs read from JWT claims, never from request params
|
|
523
|
-
|
|
524
|
-
### Injection and Input Validation
|
|
364
|
+
## Built for teams
|
|
525
365
|
|
|
526
|
-
-
|
|
527
|
-
- SQL: string concatenation -> parameterized queries or tagged template literals
|
|
528
|
-
- Command execution: `exec(userInput)` -> `spawnSync` with arg array, no shell
|
|
529
|
-
- Path traversal: user-controlled paths validated against project boundary
|
|
530
|
-
- SSRF: server-side HTTP clients get RFC-1918 CIDR block lists + DNS validation
|
|
366
|
+
Four platform subsystems let a security team operate security-mcp at scale, not just run it ad hoc.
|
|
531
367
|
|
|
532
|
-
|
|
368
|
+
**Multi-provider model router.** Cost-aware routing across model providers, with circuit breakers and a spend budget so a single provider outage or a runaway run cannot stall or overspend the program.
|
|
533
369
|
|
|
534
|
-
|
|
370
|
+
**Learning engine.** Remembers confirmed patterns and false positives per project, with rate-limited false-positive suppression so noise drops over time. Routing decisions are written to an ISO 42001 audit log.
|
|
535
371
|
|
|
536
|
-
|
|
537
|
-
app.get("/", (req, res) => res.send(html));
|
|
538
|
-
```
|
|
539
|
-
|
|
540
|
-
After:
|
|
372
|
+
**Tamper-evident attestation hash chain.** Each agent attestation is chained (`init_chain`, `attest_agent`, `verify_chain`, `get_chain`), so the audit trail cannot be silently rewritten after the fact.
|
|
541
373
|
|
|
542
|
-
|
|
543
|
-
app.use(helmet({
|
|
544
|
-
contentSecurityPolicy: {
|
|
545
|
-
directives: {
|
|
546
|
-
defaultSrc: ["'self'"],
|
|
547
|
-
scriptSrc: ["'self'", (req, res) => `'nonce-${res.locals.nonce}'`],
|
|
548
|
-
}
|
|
549
|
-
},
|
|
550
|
-
hsts: { maxAge: 63072000, includeSubDomains: true, preload: true },
|
|
551
|
-
frameguard: { action: "deny" },
|
|
552
|
-
noSniff: true,
|
|
553
|
-
referrerPolicy: { policy: "strict-origin-when-cross-origin" }
|
|
554
|
-
}));
|
|
555
|
-
```
|
|
556
|
-
|
|
557
|
-
### Cloud Infrastructure
|
|
558
|
-
|
|
559
|
-
- `cidr_blocks = ["0.0.0.0/0"]` -> source-restricted CIDR with comment explaining rationale
|
|
560
|
-
- `acl = "public-read"` S3 -> Block Public Access enabled at bucket and account level
|
|
561
|
-
- Wildcard IAM `"Action": "*"` -> least-privilege policy with specific actions
|
|
562
|
-
- Long-lived static credentials -> IAM roles / Workload Identity / OIDC federation
|
|
563
|
-
|
|
564
|
-
### Cryptography
|
|
565
|
-
|
|
566
|
-
- `crypto.createHash('md5')` -> `crypto.createHash('sha256')`
|
|
567
|
-
- `Math.random()` for tokens -> `crypto.randomBytes(32).toString('hex')`
|
|
568
|
-
- AES-CBC -> AES-256-GCM with per-message nonce
|
|
569
|
-
- RSA PKCS#1 v1.5 -> RSA-OAEP or ECDH P-256
|
|
570
|
-
|
|
571
|
-
### AI / LLM Security
|
|
572
|
-
|
|
573
|
-
- String-concatenated system prompts -> structured `messages` array with role separation
|
|
574
|
-
- `eval(modelOutput)` -> `JSON.parse()` + Zod schema validation
|
|
575
|
-
- RAG retrieval without auth check -> authorization check before and after retrieval
|
|
576
|
-
- Unvalidated tool calls -> allowlist router that blocks unlisted tool names
|
|
374
|
+
**MCP caller authentication.** An optional shared-secret gate on the MCP channel uses constant-time HMAC comparison, a 3-strike lockout, and a session TTL (8 hours by default, capped at 24). When unset, the channel stays open for frictionless local use.
|
|
577
375
|
|
|
578
376
|
---
|
|
579
377
|
|
|
580
|
-
##
|
|
378
|
+
## Self-protection and supply-chain posture
|
|
581
379
|
|
|
582
|
-
|
|
380
|
+
A security tool is part of your supply chain, so security-mcp is built to resist the same attacks it looks for. This matters most when the threat is a malicious repository or a compromised dependency trying to neutralize the gate.
|
|
583
381
|
|
|
584
|
-
|
|
585
|
-
|
|
586
|
-
|
|
587
|
-
|
|
588
|
-
|
|
589
|
-
|
|
590
|
-
|
|
591
|
-
|
|
592
|
-
|
|
593
|
-
└──────────────┬─────────────────┘
|
|
594
|
-
│ MCP protocol (stdio)
|
|
595
|
-
▼
|
|
596
|
-
┌──────────────────────────────────────────────────────────────┐
|
|
597
|
-
│ MCP Server (src/mcp/server.ts) │
|
|
598
|
-
│ │
|
|
599
|
-
│ security.* tools orchestration.* tools │
|
|
600
|
-
│ ───────────────── ────────────────────── │
|
|
601
|
-
│ start_review create_agent_run │
|
|
602
|
-
│ run_pr_gate update_agent_status │
|
|
603
|
-
│ threat_model merge_agent_findings │
|
|
604
|
-
│ checklist ensure_skill │
|
|
605
|
-
│ attest_review read/write_agent_memory │
|
|
606
|
-
│ get_system_prompt check_updates / apply_updates │
|
|
607
|
-
│ scan_strategy verify_skill_coverage │
|
|
608
|
-
│ generate_policy │
|
|
609
|
-
│ terraform_blueprint repo.* tools │
|
|
610
|
-
│ generate_opa_rego ───────────── │
|
|
611
|
-
│ generate_compliance_report read_file / search │
|
|
612
|
-
│ notify_webhooks │
|
|
613
|
-
│ generate_remediations │
|
|
614
|
-
└──────────────────────────────────────────────────────────────┘
|
|
615
|
-
│
|
|
616
|
-
▼
|
|
617
|
-
┌──────────────────────────────────────────────────────────────┐
|
|
618
|
-
│ Policy Gate Engine (src/gate/policy.ts) │
|
|
619
|
-
│ │
|
|
620
|
-
│ 28 checks run in parallel: │
|
|
621
|
-
│ checkSecrets checkDependencies checkApi checkInfra │
|
|
622
|
-
│ checkCrypto checkMobileIos checkMobileAndroid │
|
|
623
|
-
│ checkAi checkGraphQL checkKubernetes │
|
|
624
|
-
│ checkDatabase checkDlp checkWebNextjs │
|
|
625
|
-
│ runSbomChecks runAiRedteamChecks runRuntimeChecks │
|
|
626
|
-
│ runCiPipelineChecks runDockerChecks runScanners │
|
|
627
|
-
│ checkInjectionDeep (42 patterns) checkAuthDeep (43 patterns)│
|
|
628
|
-
│ checkSupplyChainDeep (32) checkBusinessLogic (31) │
|
|
629
|
-
│ │
|
|
630
|
-
│ Surface detection -> Control catalog -> Exception handling -> │
|
|
631
|
-
│ Coverage manifest -> Taint map -> Confidence scoring -> PASS / FAIL │
|
|
632
|
-
└──────────────────────────────────────────────────────────────┘
|
|
633
|
-
```
|
|
634
|
-
|
|
635
|
-
### `/senior-security-engineer` Flow
|
|
636
|
-
|
|
637
|
-
```text
|
|
638
|
-
User: /senior-security-engineer
|
|
639
|
-
│
|
|
640
|
-
▼
|
|
641
|
-
Claude reads SKILL.md + asks scope choice:
|
|
642
|
-
A) Recent changes (git diff)
|
|
643
|
-
B) Full codebase
|
|
644
|
-
C) Specific files/folders
|
|
645
|
-
│
|
|
646
|
-
▼ user picks scope
|
|
647
|
-
security.start_review(mode)
|
|
648
|
-
└── creates .mcp/reviews/{runId}.json
|
|
649
|
-
│
|
|
650
|
-
▼
|
|
651
|
-
security.threat_model(runId, feature)
|
|
652
|
-
└── STRIDE + PASTA + ATT&CK template for changed surface
|
|
653
|
-
│
|
|
654
|
-
▼
|
|
655
|
-
§0 Coverage Completeness Protocol (runs first)
|
|
656
|
-
├── enumerate ALL source files → coverage-manifest.json
|
|
657
|
-
├── taint-trace every user-controlled input → taint-map.json
|
|
658
|
-
├── negative assertion per attack class: "FILES: N/N | RESULT: CLEAN"
|
|
659
|
-
└── fix verification loop: re-run check after every fix, confirm CLEAN
|
|
660
|
-
│
|
|
661
|
-
▼
|
|
662
|
-
security.run_pr_gate(runId, mode, targets)
|
|
663
|
-
├── git diff / glob targets -> changed files list
|
|
664
|
-
├── detectSurfaces() -> web? api? infra? mobile? ai?
|
|
665
|
-
├── 28 checks in parallel (incl. deep injection + deep auth)
|
|
666
|
-
├── apply exceptions from .mcp/exceptions/
|
|
667
|
-
├── compute confidence score
|
|
668
|
-
└── returns PASS/FAIL + findings[]
|
|
669
|
-
│
|
|
670
|
-
▼
|
|
671
|
-
Claude writes inline fixes for every finding
|
|
672
|
-
(production-ready secure code, not suggestions)
|
|
673
|
-
Every HIGH/CRITICAL: FIXED with verified-clean re-run,
|
|
674
|
-
OR formally blocked with risk-acceptance record
|
|
675
|
-
│
|
|
676
|
-
▼
|
|
677
|
-
security.attest_review(runId)
|
|
678
|
-
└── .mcp/reports/{runId}.attestation.json
|
|
679
|
-
└── SHA-256 integrity hash
|
|
680
|
-
```
|
|
681
|
-
|
|
682
|
-
### `/ciso-orchestrator` Flow (39 Agents)
|
|
683
|
-
|
|
684
|
-
```text
|
|
685
|
-
User: /ciso-orchestrator
|
|
686
|
-
│
|
|
687
|
-
▼
|
|
688
|
-
CISO Orchestrator
|
|
689
|
-
├── orchestration.check_updates() -> prompt if new version available
|
|
690
|
-
├── ask internet permission -> stored for all child agents
|
|
691
|
-
├── scan project for stack context
|
|
692
|
-
│ (package.json, go.mod, terraform/, .github/workflows/, Dockerfile)
|
|
693
|
-
│ -> stackContext: { languages, frameworks, cloudProvider, hasAI, hasMobile, ... }
|
|
694
|
-
├── security.start_review() -> runId
|
|
695
|
-
├── orchestration.create_agent_run() -> agentRunId + manifest.json
|
|
696
|
-
└── orchestration.ensure_skill(×N) -> download stack-relevant skills from 86-skill registry
|
|
697
|
-
│
|
|
698
|
-
▼
|
|
699
|
-
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
|
|
700
|
-
PHASE 1 - 7 leads + sub-agents (all parallel)
|
|
701
|
-
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
|
|
702
|
-
|
|
703
|
-
Agent 1: threat-modeler
|
|
704
|
-
├── stride-pasta-analyst -> STRIDE matrix, PASTA 7 stages, LINDDUN, DREAD
|
|
705
|
-
├── attack-navigator -> ATT&CK Navigator layer + D3FEND countermeasures
|
|
706
|
-
├── business-logic-attacker -> attack trees per route/flow found in codebase
|
|
707
|
-
└── privacy-flow-analyst -> GDPR/HIPAA data flows, DPIA trigger check
|
|
708
|
-
Output: .mcp/agent-runs/{id}/threat-model.json
|
|
709
|
-
|
|
710
|
-
Agent 2: appsec-code-auditor
|
|
711
|
-
├── injection-specialist -> SQL/NoSQL/SSTI/OS cmd/CRLF/log injection
|
|
712
|
-
├── auth-session-hacker -> JWT algo confusion, SAML wrap, OAuth confusion
|
|
713
|
-
├── logic-race-fuzzer -> race conditions, integer overflow, mass assignment
|
|
714
|
-
└── serialization-memory-attacker -> prototype pollution, ReDoS, zip slip, sandbox escape
|
|
715
|
-
Output: .mcp/agent-runs/{id}/appsec-findings.json
|
|
716
|
-
|
|
717
|
-
Agent 3: cloud-infra-specialist
|
|
718
|
-
├── aws-penetration-tester -> IAM escalation, S3, Lambda, EKS (if AWS)
|
|
719
|
-
├── gcp-penetration-tester -> SA abuse, GCS, Cloud Run, GKE (if GCP)
|
|
720
|
-
├── azure-penetration-tester -> Managed Identity, AKS, Key Vault (if Azure)
|
|
721
|
-
└── k8s-container-escaper -> privileged pods, RBAC escape, hostPath (if K8s)
|
|
722
|
-
Output: .mcp/agent-runs/{id}/infra-findings.json
|
|
723
|
-
|
|
724
|
-
Agent 4: supply-chain-devsecops
|
|
725
|
-
├── dependency-confusion-attacker -> CVEs, CISA KEV, typosquatting, SBOM
|
|
726
|
-
├── cicd-pipeline-hijacker -> pull_request_target, mutable Actions, injection
|
|
727
|
-
└── artifact-integrity-analyst -> SLSA L3, Cosign signatures, provenance
|
|
728
|
-
Output: .mcp/agent-runs/{id}/supply-chain-findings.json
|
|
729
|
-
|
|
730
|
-
Agent 5: ai-llm-redteam (skipped if no AI stack detected)
|
|
731
|
-
├── prompt-injection-specialist -> direct + indirect injection, PoC payloads
|
|
732
|
-
├── model-extraction-attacker -> API abuse, cost amplification, rate limiting
|
|
733
|
-
├── rag-poisoning-specialist -> vector store isolation, metadata filter injection
|
|
734
|
-
└── agentic-loop-exploiter -> tool blast radius, loop hijacking, allowlist gaps
|
|
735
|
-
Output: .mcp/agent-runs/{id}/ai-findings.json
|
|
736
|
-
|
|
737
|
-
Agent 6: mobile-security-specialist (skipped if no mobile detected)
|
|
738
|
-
├── ios-security-auditor -> Keychain, ATS, Secure Enclave, Universal Links
|
|
739
|
-
├── android-penetration-tester -> manifest hardening, NSC, exported components
|
|
740
|
-
└── mobile-api-network-attacker -> cert pinning, API key extraction, token storage
|
|
741
|
-
Output: .mcp/agent-runs/{id}/mobile-findings.json
|
|
742
|
-
|
|
743
|
-
Agent 7: crypto-pki-specialist
|
|
744
|
-
├── tls-certificate-auditor -> TLS 1.3, AEAD ciphers, HSTS preload, OCSP, mTLS
|
|
745
|
-
├── algorithm-implementation-reviewer -> banned algos, Argon2id params, nonce reuse
|
|
746
|
-
└── key-management-lifecycle-analyst -> hardcoded keys, rotation, CMEK, post-quantum
|
|
747
|
-
Output: .mcp/agent-runs/{id}/crypto-findings.json
|
|
748
|
-
|
|
749
|
-
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
|
|
750
|
-
Wait for all Phase 1 agents to complete
|
|
751
|
-
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
|
|
752
|
-
|
|
753
|
-
PHASE 2 - adversarial + compliance (both parallel)
|
|
754
|
-
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
|
|
755
|
-
|
|
756
|
-
Agent 8: pentest-team (reads threat-model.json as attack brief)
|
|
757
|
-
├── pentest-web-api -> OWASP Testing Guide on every route found in codebase
|
|
758
|
-
├── pentest-infra -> privilege escalation graph, Terraform state, cloud posture
|
|
759
|
-
└── pentest-social -> OSINT on org, spear-phishing scenarios, insider threat model
|
|
760
|
-
Output: .mcp/agent-runs/{id}/pentest-report.json
|
|
761
|
-
|
|
762
|
-
Agent 9: compliance-grc (reads all Phase 1 findings)
|
|
763
|
-
├── evidence-collector -> logging schema verification, SIEM rules, audit trail
|
|
764
|
-
└── compliance-gap-analyst -> PCI DSS 4.0, SOC 2, ISO 27001, NIST 800-53, HIPAA, GDPR
|
|
765
|
-
Output: .mcp/agent-runs/{id}/compliance-report.json
|
|
766
|
-
|
|
767
|
-
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
|
|
768
|
-
Wait for Phase 2 agents to complete
|
|
769
|
-
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
|
|
770
|
-
|
|
771
|
-
PHASE 3 - synthesis (sequential)
|
|
772
|
-
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
|
|
773
|
-
|
|
774
|
-
orchestration.merge_agent_findings() -> deduplicate + sort CRITICAL->LOW
|
|
775
|
-
orchestration.verify_skill_coverage() -> check §1-§24 SKILL.md section coverage
|
|
776
|
-
security.attest_review() -> SHA-256 attestation written
|
|
777
|
-
|
|
778
|
-
Final report:
|
|
779
|
-
├── X CRITICAL / X HIGH / X MEDIUM / X LOW
|
|
780
|
-
├── Remediated inline: X Open: X
|
|
781
|
-
├── SKILL.md section coverage: XX%
|
|
782
|
-
├── Release blocked: yes / no
|
|
783
|
-
└── .mcp/reports/{runId}.attestation.json
|
|
784
|
-
```
|
|
785
|
-
|
|
786
|
-
### Agent Memory System
|
|
787
|
-
|
|
788
|
-
Every agent persists what it learns so each subsequent run is smarter:
|
|
789
|
-
|
|
790
|
-
```text
|
|
791
|
-
~/.security-mcp/agent-memory/{agentName}/
|
|
792
|
-
├── patterns.json ← confirmed attack patterns for this tech stack
|
|
793
|
-
├── false-positives.json ← findings to deprioritize on next run
|
|
794
|
-
├── remediations.json ← what fixes worked for this project
|
|
795
|
-
├── intel.json ← cached threat intel (refreshed every 24h)
|
|
796
|
-
└── errors.json ← tool failure log (used for self-healing)
|
|
797
|
-
```
|
|
798
|
-
|
|
799
|
-
### Data Written to Your Project
|
|
800
|
-
|
|
801
|
-
```text
|
|
802
|
-
.mcp/
|
|
803
|
-
├── reviews/{runId}.json ← review run state + step tracking
|
|
804
|
-
├── reports/{runId}.attestation.json ← SHA-256 auditable attestation
|
|
805
|
-
├── agent-runs/{agentRunId}/
|
|
806
|
-
│ ├── manifest.json ← all agent statuses + current phase
|
|
807
|
-
│ ├── threat-model.json
|
|
808
|
-
│ ├── appsec-findings.json
|
|
809
|
-
│ ├── infra-findings.json
|
|
810
|
-
│ ├── supply-chain-findings.json
|
|
811
|
-
│ ├── ai-findings.json
|
|
812
|
-
│ ├── mobile-findings.json
|
|
813
|
-
│ ├── crypto-findings.json
|
|
814
|
-
│ ├── pentest-report.json
|
|
815
|
-
│ ├── compliance-report.json
|
|
816
|
-
│ ├── sbom.cyclonedx.json
|
|
817
|
-
│ └── merged-findings.json ← Phase 3 deduplicated, sorted output
|
|
818
|
-
├── policies/security-policy.json
|
|
819
|
-
└── exceptions/security-exceptions.json
|
|
820
|
-
```
|
|
382
|
+
- **Signed policy, exceptions, and baseline.** These files are HMAC-signed. When the policy is not signed, the gate floors `severity_block` to HIGH/CRITICAL, so an unsigned edit cannot relax the gate to PASS.
|
|
383
|
+
- **Exceptions cannot quietly suppress.** By default an unsigned exceptions file may not suppress HIGH/CRITICAL findings. A break-glass env var exists for scanning intentionally-vulnerable fixtures.
|
|
384
|
+
- **Honest attestation.** Attestation refuses to sign unless the latest gate result is PASS with all required steps complete. There are no forged green attestations.
|
|
385
|
+
- **Verified inter-agent payloads.** The merge step that aggregates every agent's findings is the trust sink for a whole run, so it schema-validates each agent's findings file and checks its hash against that agent's signed attestation before trusting it. Findings dedupe keeps the highest severity per id, so a same-id low-severity entry cannot shadow a real CRITICAL. A tampered chain or a findings-hash mismatch forces FAIL. Set `SECURITY_REQUIRE_AGENT_ATTESTATION=1` to fail closed unless the run is HMAC-signed, fully attested, and clean — note that an *unsigned* attestation chain is only tamper-evident, not tamper-proof, against an attacker who can write the run directory, so the HMAC key is the real boundary.
|
|
386
|
+
- **Per-tool-call audit trail.** Every MCP tool call is logged as one structured JSONL record (timestamp, agent id, tool, inputs, output summary, session credential, outcome) to `.mcp/audit/tool-calls.jsonl`. Secret-bearing keys and secret-shaped values (in inputs and in the output preview) are scrubbed; failed auth attempts are recorded as such, not as successes; the log rotates at 50 MB and writing never interrupts a tool call. Set `SECURITY_TOOL_AUDIT_LOG` to forward to an append-only sink.
|
|
387
|
+
- **Locked-down data at rest.** Findings, agent memory, and signatures are written with `0o600` file permissions.
|
|
388
|
+
- **Prompt-injection defense.** Tool outputs that originate from the repo are sanitized before they reach an LLM.
|
|
389
|
+
- **Verified installer.** Downloaded scanner binaries are verified by SHA-256, unchecksummed binaries are refused, and there is no `curl | sh` install path.
|
|
390
|
+
- **Air-gap mode.** `SECURITY_OFFLINE=1` produces a fully offline run with no third-party egress.
|
|
821
391
|
|
|
822
392
|
---
|
|
823
393
|
|
|
824
|
-
## MCP
|
|
394
|
+
## MCP tools
|
|
825
395
|
|
|
826
|
-
Your AI
|
|
396
|
+
Your AI calls these automatically; you rarely invoke them by hand. There are around 40, grouped into three namespaces plus two MCP prompts.
|
|
827
397
|
|
|
828
|
-
###
|
|
398
|
+
### Most useful tools
|
|
829
399
|
|
|
830
|
-
| Tool |
|
|
400
|
+
| Tool | Purpose |
|
|
831
401
|
| --- | --- |
|
|
832
|
-
| `security.start_review` |
|
|
833
|
-
| `security.run_pr_gate` |
|
|
834
|
-
| `security.
|
|
835
|
-
| `security.
|
|
836
|
-
| `security.scan_strategy` |
|
|
837
|
-
| `security.
|
|
838
|
-
| `security.
|
|
839
|
-
| `security.
|
|
840
|
-
| `security.
|
|
841
|
-
| `security.
|
|
842
|
-
| `
|
|
843
|
-
| `
|
|
844
|
-
| `
|
|
845
|
-
| `
|
|
846
|
-
|
|
847
|
-
|
|
848
|
-
|
|
849
|
-
|
|
850
|
-
|
|
851
|
-
|
|
852
|
-
|
|
853
|
-
|
|
854
|
-
|
|
855
|
-
|
|
856
|
-
|
|
857
|
-
| `orchestration.read_agent_memory` | Loads an agent's prior patterns, false-positives, remediations, and cached intel |
|
|
858
|
-
| `orchestration.write_agent_memory` | Persists newly learned patterns and remediations after a run |
|
|
859
|
-
| `orchestration.check_updates` | Checks npm and the skills manifest for newer versions of security-mcp or installed skills |
|
|
860
|
-
| `orchestration.apply_updates` | Returns update commands (manual) or instructions for the agent to run them (auto) |
|
|
861
|
-
| `orchestration.verify_skill_coverage` | Reports which SKILL.md sections §1-§24 had zero coverage findings in this run |
|
|
402
|
+
| `security.start_review` | Open a stateful review run and get a `runId` |
|
|
403
|
+
| `security.run_pr_gate` | Run the gate, return PASS/FAIL with findings |
|
|
404
|
+
| `security.attest_review` | Write a SHA-256 attestation (PASS-gated) |
|
|
405
|
+
| `security.threat_model` | STRIDE + PASTA + ATT&CK model for a surface |
|
|
406
|
+
| `security.scan_strategy` | Map every check to OWASP/NIST/ATT&CK controls |
|
|
407
|
+
| `security.generate_policy` | Generate a policy tailored to your stack |
|
|
408
|
+
| `security.terraform_hardening_blueprint` | Terraform hardening baseline + mappings |
|
|
409
|
+
| `security.generate_opa_rego` | OPA/Rego for plans, pipelines, admission |
|
|
410
|
+
| `security.generate_compliance_report` | Map findings to SOC 2, PCI, ISO, NIST, HIPAA, GDPR |
|
|
411
|
+
| `security.generate_remediations` | Concrete fix template per finding |
|
|
412
|
+
| `repo.read_file` / `repo.search` | Read or search the codebase (guarded) |
|
|
413
|
+
| `orchestration.create_agent_run` | Stand up the multi-agent run + manifest |
|
|
414
|
+
| `orchestration.merge_agent_findings` | Dedupe and sort findings across agents |
|
|
415
|
+
| `orchestration.verify_skill_coverage` | Check §0-§24 SKILL.md coverage |
|
|
416
|
+
|
|
417
|
+
### Operational families
|
|
418
|
+
|
|
419
|
+
Beyond the tools above, the rest of the surface clusters into four families:
|
|
420
|
+
|
|
421
|
+
- **Model routing and budget.** `get_routing`, `get_model_for_task`, `track_usage`, `model_budget_status`, `get_provider_health`, `record_provider_failure`, `reset_provider_circuit`.
|
|
422
|
+
- **Learning and pattern memory.** `record_outcome`, `pattern_report`, `self_heal_loop`, plus `orchestration.read_agent_memory` / `write_agent_memory`.
|
|
423
|
+
- **Attestation hash chain.** `init_chain`, `attest_agent`, `verify_chain`, `get_chain`.
|
|
424
|
+
- **Caller auth and lifecycle.** `authenticate`, `logout`, plus update tools `orchestration.check_updates` / `apply_updates` and skill loading `orchestration.ensure_skill`.
|
|
425
|
+
|
|
426
|
+
Namespace counts: `security.*` (29 tools), `repo.*` (2), `orchestration.*` (9), and 2 MCP prompts.
|
|
862
427
|
|
|
863
428
|
---
|
|
864
429
|
|
|
865
|
-
##
|
|
430
|
+
## Frameworks
|
|
866
431
|
|
|
867
|
-
|
|
432
|
+
Every finding and fix maps to recognized standards. You do not need to know them to benefit; they are there so your evidence stands up to an auditor.
|
|
868
433
|
|
|
869
|
-
|
|
|
434
|
+
| Domain | Standards |
|
|
870
435
|
| --- | --- |
|
|
871
|
-
|
|
|
872
|
-
|
|
|
873
|
-
|
|
|
874
|
-
|
|
|
875
|
-
|
|
|
876
|
-
|
|
|
877
|
-
| **MITRE D3FEND** | Defensive countermeasure mapped to every ATT&CK technique in scope |
|
|
878
|
-
| **MITRE ATLAS** | Adversarial ML/AI attack techniques |
|
|
879
|
-
| **MITRE CAPEC** | Attack patterns used at design-time threat modeling |
|
|
880
|
-
| **NIST 800-53 Rev 5** | Full US government security control catalog |
|
|
881
|
-
| **NIST CSF 2.0** | Govern / Identify / Protect / Detect / Respond / Recover |
|
|
882
|
-
| **NIST 800-207** | Zero Trust Architecture - every request authenticated and authorized |
|
|
883
|
-
| **NIST 800-218 (SSDF)** | Secure Software Development Framework |
|
|
884
|
-
| **NIST AI RMF** | AI risk management: Map, Measure, Manage, Govern |
|
|
885
|
-
| **PCI DSS 4.0** | Payment card industry data security standard |
|
|
886
|
-
| **SOC 2 Type II** | Trust Services Criteria (Security, Availability, Confidentiality, PI) |
|
|
887
|
-
| **ISO 27001:2022 + 27002** | International information security management system |
|
|
888
|
-
| **ISO 42001:2023** | AI management system - applied to all LLM/AI components |
|
|
889
|
-
| **GDPR / CCPA / HIPAA** | Data privacy: consent, retention, breach notification, minimum necessary |
|
|
890
|
-
| **SLSA Level 3** | Software supply chain security - hermetic builds, signed provenance |
|
|
891
|
-
| **CIS Benchmarks Level 2** | Hardened cloud, OS, and container configurations |
|
|
892
|
-
| **CVSS v4.0 + EPSS** | Vulnerability scoring and exploit probability - EPSS > 0.5 fixed within 48h |
|
|
436
|
+
| OWASP | Top 10 (Web + API), ASVS L2/L3, MASVS, Top 10 for LLMs, Testing Guide |
|
|
437
|
+
| MITRE | ATT&CK (Enterprise + Cloud + Mobile), D3FEND, ATLAS, CAPEC |
|
|
438
|
+
| NIST | 800-53 Rev 5, CSF 2.0, 800-207 Zero Trust, 800-218 SSDF, AI RMF, 800-131A |
|
|
439
|
+
| Compliance | PCI DSS 4.0, SOC 2 Type II, ISO 27001:2022 + 27002, ISO 42001:2023, GDPR / CCPA / HIPAA |
|
|
440
|
+
| Supply chain and cloud | SLSA Level 3, CIS Benchmarks L2, AWS FSBP, Microsoft Cloud Security Benchmark |
|
|
441
|
+
| Scoring | CVSS v4.0 + EPSS |
|
|
893
442
|
|
|
894
443
|
---
|
|
895
444
|
|
|
896
|
-
##
|
|
897
|
-
|
|
898
|
-
### Customize the Security Policy
|
|
445
|
+
## Policy and exceptions
|
|
899
446
|
|
|
900
|
-
The policy
|
|
447
|
+
The policy lives at `.mcp/policies/security-policy.json`. Copy the default to start:
|
|
901
448
|
|
|
902
449
|
```bash
|
|
903
450
|
mkdir -p .mcp/policies
|
|
904
451
|
cp node_modules/security-mcp/defaults/security-policy.json .mcp/policies/security-policy.json
|
|
905
452
|
```
|
|
906
453
|
|
|
907
|
-
|
|
908
|
-
|
|
909
|
-
```json
|
|
910
|
-
{
|
|
911
|
-
"required_checks": {
|
|
912
|
-
"secrets_scan": { "severity_block": ["HIGH", "CRITICAL"] },
|
|
913
|
-
"dependency_scan": { "severity_block": ["CRITICAL"] },
|
|
914
|
-
"sast": { "severity_block": ["CRITICAL"] },
|
|
915
|
-
"iac_scan": { "severity_block": ["HIGH", "CRITICAL"] }
|
|
916
|
-
},
|
|
917
|
-
"vulnerability_slas": {
|
|
918
|
-
"CRITICAL": "24h",
|
|
919
|
-
"HIGH": "7d",
|
|
920
|
-
"MEDIUM": "30d",
|
|
921
|
-
"CISA_KEV": "24h"
|
|
922
|
-
},
|
|
923
|
-
"exceptions": {
|
|
924
|
-
"require_ticket": true,
|
|
925
|
-
"approval_roles": ["SecurityLead", "GRC", "CTO"]
|
|
926
|
-
}
|
|
927
|
-
}
|
|
928
|
-
```
|
|
929
|
-
|
|
930
|
-
### Add a Security Exception
|
|
931
|
-
|
|
932
|
-
When you have a finding you've consciously accepted (e.g., a CVE in a library you're actively replacing):
|
|
933
|
-
|
|
934
|
-
```bash
|
|
935
|
-
mkdir -p .mcp/exceptions
|
|
936
|
-
cp node_modules/security-mcp/defaults/security-exceptions.json .mcp/exceptions/security-exceptions.json
|
|
937
|
-
```
|
|
938
|
-
|
|
939
|
-
Edit `.mcp/exceptions/security-exceptions.json`:
|
|
454
|
+
Exceptions live at `.mcp/exceptions/security-exceptions.json`. Each entry needs `id`, `finding_ids`, `justification`, `ticket`, `owner`, `approver` (the owner cannot be the approver), `approval_role`, and `expires_on` (within 365 days):
|
|
940
455
|
|
|
941
456
|
```json
|
|
942
457
|
{
|
|
@@ -945,181 +460,137 @@ Edit `.mcp/exceptions/security-exceptions.json`:
|
|
|
945
460
|
{
|
|
946
461
|
"id": "EX-001",
|
|
947
462
|
"finding_ids": ["DEP_CVE_CVE-2024-12345"],
|
|
948
|
-
"justification": "Library being replaced
|
|
463
|
+
"justification": "Library being replaced next sprint; no public exploit",
|
|
949
464
|
"ticket": "JIRA-9999",
|
|
950
|
-
"owner": "
|
|
951
|
-
"approver": "
|
|
465
|
+
"owner": "alice@example.com",
|
|
466
|
+
"approver": "bob@example.com",
|
|
952
467
|
"approval_role": "SecurityLead",
|
|
953
|
-
"expires_on": "
|
|
468
|
+
"expires_on": "2026-12-31"
|
|
954
469
|
}
|
|
955
470
|
]
|
|
956
471
|
}
|
|
957
472
|
```
|
|
958
473
|
|
|
959
|
-
|
|
474
|
+
Expired exceptions automatically become blocking findings until they are renewed or resolved.
|
|
960
475
|
|
|
961
476
|
---
|
|
962
477
|
|
|
963
|
-
## Environment
|
|
478
|
+
## Environment variables
|
|
964
479
|
|
|
965
|
-
###
|
|
480
|
+
### Gate and scope
|
|
966
481
|
|
|
967
482
|
| Variable | Default | Purpose |
|
|
968
483
|
| --- | --- | --- |
|
|
969
|
-
| `
|
|
484
|
+
| `SECURITY_GATE_POLICY` | `.mcp/policies/security-policy.json` | Policy file path |
|
|
485
|
+
| `SECURITY_GATE_MODE` | `recent_changes` | Scan mode |
|
|
486
|
+
| `SECURITY_GATE_TARGETS` | (changed files) | Comma-separated paths to restrict the scan |
|
|
970
487
|
| `SECURITY_GATE_BASE_REF` | `origin/main` | Branch to diff against |
|
|
971
488
|
| `SECURITY_GATE_HEAD_REF` | `HEAD` | Branch being scanned |
|
|
972
|
-
| `
|
|
973
|
-
| `SECURITY_GATE_SCANNERS` | built-in |
|
|
974
|
-
| `
|
|
975
|
-
| `
|
|
976
|
-
| `SECURITY_GATE_TARGETS` | (all changed files) | Comma-separated file paths to restrict the scan surface |
|
|
977
|
-
| `SECURITY_MCP_SHARED_SECRET` | (none) | Authenticates MCP tool callers via constant-time HMAC; enables 3-strike lockout. Generate with `openssl rand -hex 32` |
|
|
978
|
-
| `SECURITY_POLICY_HMAC_KEY` | (none) | Signs the policy file so any tampering is detected at gate startup. Generate with `openssl rand -hex 32` |
|
|
489
|
+
| `SECURITY_GATE_EXCEPTIONS` | (default path) | Exceptions file path |
|
|
490
|
+
| `SECURITY_GATE_SCANNERS` | built-in | Custom scanner config path |
|
|
491
|
+
| `SECURITY_GATE_EVIDENCE_MAP` | (none) | Evidence-coverage map path |
|
|
492
|
+
| `SECURITY_GATE_CONTROL_CATALOG` | (none) | Control-catalog path |
|
|
979
493
|
|
|
980
|
-
###
|
|
494
|
+
### Integrity and signing
|
|
981
495
|
|
|
982
496
|
| Variable | Purpose |
|
|
983
497
|
| --- | --- |
|
|
984
|
-
| `
|
|
985
|
-
| `
|
|
986
|
-
| `
|
|
987
|
-
| `
|
|
988
|
-
| `
|
|
989
|
-
| `
|
|
498
|
+
| `SECURITY_POLICY_HMAC_KEY` | Signs policy / exceptions / baseline (>=32 bytes) |
|
|
499
|
+
| `SECURITY_REQUIRE_SIGNED_EXCEPTIONS` | Fail closed on any unsigned exceptions file |
|
|
500
|
+
| `SECURITY_REQUIRE_AGENT_ATTESTATION` | Fail closed unless the agent run is signed + enforced + clean (see below) |
|
|
501
|
+
| `SECURITY_ALLOW_UNSIGNED_HIGH_SUPPRESSION` | Break-glass: allow unsigned HIGH/CRITICAL suppression |
|
|
502
|
+
| `SECURITY_ATTEST_ALLOW_INCOMPLETE` | Break-glass: attest without a complete PASS |
|
|
503
|
+
| `SECURITY_ATTEST_KEY` | Signs attestation files |
|
|
504
|
+
| `SECURITY_AUDIT_HMAC_KEY` | Signs the routing audit log and the per-agent attestation chain |
|
|
990
505
|
|
|
991
|
-
###
|
|
506
|
+
### Observability
|
|
992
507
|
|
|
993
|
-
| Variable | Purpose |
|
|
994
|
-
| --- | --- |
|
|
995
|
-
| `
|
|
996
|
-
| `SECURITY_AI_ENDPOINT` | Enables live jailbreak, injection, PII, and rate-limit probes against your AI endpoint |
|
|
997
|
-
| `SECURITY_AUTO_SBOM` | Set `true` to auto-generate a CycloneDX SBOM on each gate run |
|
|
998
|
-
|
|
999
|
-
---
|
|
1000
|
-
|
|
1001
|
-
## The 10 Rules That Are Never Broken
|
|
1002
|
-
|
|
1003
|
-
No matter what your AI is asked to build, these are enforced without exception:
|
|
1004
|
-
|
|
1005
|
-
1. **No `0.0.0.0/0` firewall rules** - ingress and egress must be source-restricted
|
|
1006
|
-
2. **All internal services over private VPC only** - no public IPs for databases, queues, or internal APIs
|
|
1007
|
-
3. **Secrets in a secret manager only** - never in code, `.env` files, CI logs, or container images
|
|
1008
|
-
4. **TLS 1.3 for everything in transit** - TLS 1.0 and 1.1 are explicitly blocked
|
|
1009
|
-
5. **Passwords hashed with Argon2id or bcrypt (cost ≥ 14)** - MD5 and SHA-1 are forbidden
|
|
1010
|
-
6. **Every API input validated server-side with a schema** - no passing raw request data to business logic
|
|
1011
|
-
7. **No inline JavaScript** - Content Security Policy is nonce-based only; no `unsafe-inline` or `unsafe-eval`
|
|
1012
|
-
8. **Admin interfaces require FIDO2/WebAuthn passkey** - TOTP is not acceptable for admin access
|
|
1013
|
-
9. **Threat model before any auth, payment, or AI feature** - no design-free implementation
|
|
1014
|
-
10. **Zero Trust: every request authenticated and authorized regardless of origin** - no implicit network trust
|
|
1015
|
-
|
|
1016
|
-
---
|
|
1017
|
-
|
|
1018
|
-
## Troubleshooting
|
|
1019
|
-
|
|
1020
|
-
### The `/senior-security-engineer` command isn't available in my editor
|
|
1021
|
-
|
|
1022
|
-
**Cause:** The skill was not installed to `~/.claude/skills/`.
|
|
1023
|
-
|
|
1024
|
-
**Fix:** Re-run the installer:
|
|
1025
|
-
|
|
1026
|
-
```bash
|
|
1027
|
-
npx -y security-mcp@latest install
|
|
1028
|
-
```
|
|
1029
|
-
|
|
1030
|
-
Then verify the skill exists:
|
|
1031
|
-
|
|
1032
|
-
```bash
|
|
1033
|
-
ls ~/.claude/skills/senior-security-engineer/SKILL.md
|
|
1034
|
-
```
|
|
1035
|
-
|
|
1036
|
-
### The MCP server doesn't appear as connected
|
|
1037
|
-
|
|
1038
|
-
**Cause:** Config file was not written, or the editor wasn't restarted after config was written.
|
|
1039
|
-
|
|
1040
|
-
**Fix:**
|
|
1041
|
-
|
|
1042
|
-
1. Check the config file was written (see editor-specific paths in [Installation](#installation))
|
|
1043
|
-
2. Fully restart the editor (quit and reopen, not just reload window)
|
|
1044
|
-
3. Check Node.js version: `node --version` - must be 20 or higher
|
|
1045
|
-
|
|
1046
|
-
### The CI gate fails with "cannot find module"
|
|
1047
|
-
|
|
1048
|
-
**Cause:** The dist files weren't included in the npm package, or you're referencing a path that doesn't exist.
|
|
508
|
+
| Variable | Default | Purpose |
|
|
509
|
+
| --- | --- | --- |
|
|
510
|
+
| `SECURITY_TOOL_AUDIT_LOG` | `.mcp/audit/tool-calls.jsonl` | Path for the per-tool-call structured audit log; point at an append-only / write-once sink for tamper-proof retention |
|
|
1049
511
|
|
|
1050
|
-
|
|
512
|
+
### Privacy and air-gap
|
|
1051
513
|
|
|
1052
|
-
|
|
514
|
+
| Variable | Purpose |
|
|
515
|
+
| --- | --- |
|
|
516
|
+
| `SECURITY_OFFLINE` | Disable all third-party network egress |
|
|
1053
517
|
|
|
1054
|
-
|
|
518
|
+
### MCP channel
|
|
1055
519
|
|
|
1056
|
-
|
|
520
|
+
| Variable | Default | Purpose |
|
|
521
|
+
| --- | --- | --- |
|
|
522
|
+
| `SECURITY_MCP_SHARED_SECRET` | (none) | Require caller auth on the MCP channel |
|
|
523
|
+
| `SECURITY_SESSION_TTL_MS` | 8h | Session lifetime, capped at 24h |
|
|
1057
524
|
|
|
1058
|
-
|
|
525
|
+
### Remediation
|
|
1059
526
|
|
|
1060
|
-
|
|
1061
|
-
|
|
1062
|
-
|
|
1063
|
-
"severity_block": ["CRITICAL"],
|
|
1064
|
-
"required_checks": ["secrets_scan"]
|
|
1065
|
-
}
|
|
1066
|
-
}
|
|
1067
|
-
```
|
|
527
|
+
| Variable | Purpose |
|
|
528
|
+
| --- | --- |
|
|
529
|
+
| `SECURITY_AGENTIC_QUARANTINE` | Handling for poisoned agent files: `strip`, `sanitize`, `quarantine`, or `off` |
|
|
1068
530
|
|
|
1069
|
-
###
|
|
531
|
+
### Integrations
|
|
1070
532
|
|
|
1071
|
-
|
|
1072
|
-
|
|
1073
|
-
|
|
533
|
+
| Variable | Purpose |
|
|
534
|
+
| --- | --- |
|
|
535
|
+
| `SECURITY_SLACK_WEBHOOK` | Post gate results to Slack |
|
|
536
|
+
| `SECURITY_JIRA_URL` | Create Jira tickets for failures |
|
|
537
|
+
| `SECURITY_JIRA_TOKEN` | Jira API token (never logged) |
|
|
538
|
+
| `SECURITY_JIRA_PROJECT` | Jira project key (default `SECURITY`) |
|
|
539
|
+
| `SECURITY_PAGERDUTY_KEY` | Page on-call for CRITICAL findings |
|
|
540
|
+
| `SECURITY_WEBHOOK_URL` | POST gate results as JSON to any URL |
|
|
1074
541
|
|
|
1075
|
-
|
|
542
|
+
### Live scanning
|
|
1076
543
|
|
|
1077
|
-
|
|
1078
|
-
|
|
1079
|
-
|
|
544
|
+
| Variable | Purpose |
|
|
545
|
+
| --- | --- |
|
|
546
|
+
| `SECURITY_STAGING_URL` | Enable runtime + Nuclei DAST against staging |
|
|
547
|
+
| `SECURITY_AI_ENDPOINT` | Enable live AI red-team probes |
|
|
548
|
+
| `SECURITY_AUTO_SBOM` | Auto-generate a CycloneDX SBOM each run |
|
|
1080
549
|
|
|
1081
550
|
---
|
|
1082
551
|
|
|
1083
|
-
##
|
|
1084
|
-
|
|
1085
|
-
**Q: Does this send my code to any external service?**
|
|
1086
|
-
|
|
1087
|
-
No. The MCP server runs locally as a Node.js process. Your code never leaves your machine. The only external calls made are to the npm registry (to check for updates) and optionally to GitHub (to download skill files) - both only if explicitly permitted. Live CVE/CISA KEV fetches during `/ciso-orchestrator` require your explicit internet permission at runtime.
|
|
1088
|
-
|
|
1089
|
-
**Q: Do I need to know security to use this?**
|
|
1090
|
-
|
|
1091
|
-
No. The tool is designed so that you don't need to understand what OWASP or ATT&CK mean. You describe what you're building, and the security engineer handles the rest.
|
|
1092
|
-
|
|
1093
|
-
**Q: Will it slow down my development?**
|
|
552
|
+
## The 10 non-negotiable rules
|
|
1094
553
|
|
|
1095
|
-
|
|
554
|
+
No matter what the AI is asked to build, these hold:
|
|
1096
555
|
|
|
1097
|
-
|
|
556
|
+
1. No `0.0.0.0/0` firewall rules. Ingress and egress are source-restricted.
|
|
557
|
+
2. Internal services live on a private VPC only, never on public IPs.
|
|
558
|
+
3. Secrets live in a secret manager only, never in code, `.env`, CI logs, or images.
|
|
559
|
+
4. TLS 1.3 for everything in transit. TLS 1.0 and 1.1 are blocked.
|
|
560
|
+
5. Passwords hashed with Argon2id, or bcrypt at cost 14 or higher.
|
|
561
|
+
6. Every API input validated server-side with a schema.
|
|
562
|
+
7. No inline JavaScript. Content Security Policy is nonce-based only.
|
|
563
|
+
8. Admin interfaces require FIDO2/WebAuthn.
|
|
564
|
+
9. Threat-model before any auth, payment, or AI feature.
|
|
565
|
+
10. Zero Trust: every request authenticated and authorized regardless of origin.
|
|
1098
566
|
|
|
1099
|
-
|
|
1100
|
-
|
|
1101
|
-
**Q: Can I use this on an existing codebase with lots of issues?**
|
|
1102
|
-
|
|
1103
|
-
Yes. Use `security.generate_policy` to set appropriate thresholds for your current state, add exceptions for known-accepted technical debt, and use the gate's MEDIUM/LOW findings as a backlog rather than blockers.
|
|
567
|
+
---
|
|
1104
568
|
|
|
1105
|
-
|
|
569
|
+
## CLI reference
|
|
1106
570
|
|
|
1107
|
-
|
|
571
|
+
The `security-mcp` binary exposes:
|
|
1108
572
|
|
|
1109
|
-
|
|
573
|
+
| Command | Purpose |
|
|
574
|
+
| --- | --- |
|
|
575
|
+
| `serve` | Run the MCP server |
|
|
576
|
+
| `install` | Install for auto-detected editors |
|
|
577
|
+
| `install-global` | Install globally |
|
|
578
|
+
| `config` | Manage configuration |
|
|
579
|
+
| `doctor` (alias `verify`) | Health check |
|
|
580
|
+
| `autoharden` | Auto-remediate Terraform (`--dry-run` to preview) |
|
|
581
|
+
| `ci:pr-gate` | Run the gate in CI (non-zero exit on HIGH/CRITICAL) |
|
|
582
|
+
| `sign-policy` | HMAC-sign the active policy |
|
|
1110
583
|
|
|
1111
|
-
|
|
584
|
+
---
|
|
1112
585
|
|
|
1113
|
-
|
|
586
|
+
## Documentation and disclosure
|
|
1114
587
|
|
|
1115
|
-
|
|
588
|
+
- **Deep-dive docs:** the [GitHub Wiki](https://github.com/AbrahamOO/security-mcp/wiki).
|
|
589
|
+
- **Contributing:** [CONTRIBUTING.md](CONTRIBUTING.md).
|
|
590
|
+
- **Reporting a vulnerability in security-mcp itself:** see [SECURITY.md](SECURITY.md), which uses GitHub private security advisories for responsible disclosure.
|
|
1116
591
|
|
|
1117
592
|
---
|
|
1118
593
|
|
|
1119
|
-
## Contributing
|
|
1120
|
-
|
|
1121
|
-
See [CONTRIBUTING.md](CONTRIBUTING.md).
|
|
1122
|
-
|
|
1123
594
|
## License
|
|
1124
595
|
|
|
1125
|
-
[MIT](LICENSE)
|
|
596
|
+
[MIT](LICENSE)
|