security-mcp 1.3.1 → 1.3.3
- package/README.md +356 -885
- package/defaults/cloud-controls/aws.json +10712 -0
- package/defaults/cloud-controls/azure.json +7201 -0
- package/defaults/cloud-controls/gcp.json +4061 -0
- package/defaults/control-catalog.json +24 -0
- package/dist/ci/pr-gate.js +22 -5
- package/dist/cli/index.js +73 -2
- package/dist/cli/install.js +4 -55
- package/dist/cli/onboarding.js +18 -10
- package/dist/gate/checks/agentic-instructions.js +515 -0
- package/dist/gate/checks/ai-governance.js +132 -0
- package/dist/gate/checks/ai.js +1 -1
- package/dist/gate/checks/cloud-controls.js +69 -0
- package/dist/gate/checks/crypto.js +1 -1
- package/dist/gate/checks/data-platform.js +954 -0
- package/dist/gate/checks/dependencies.js +14 -3
- package/dist/gate/checks/docker-deep.js +1236 -0
- package/dist/gate/checks/gitops.js +724 -0
- package/dist/gate/checks/iac.js +1230 -0
- package/dist/gate/checks/k8s.js +841 -1
- package/dist/gate/checks/secrets.js +49 -37
- package/dist/gate/cloud-controls/apply.js +115 -0
- package/dist/gate/cloud-controls/bicep.js +36 -0
- package/dist/gate/cloud-controls/cfn.js +125 -0
- package/dist/gate/cloud-controls/detect.js +104 -0
- package/dist/gate/cloud-controls/hcl.js +140 -0
- package/dist/gate/cloud-controls/types.js +87 -0
- package/dist/gate/exceptions.js +78 -7
- package/dist/gate/findings.js +15 -2
- package/dist/gate/policy.js +40 -3
- package/dist/gate/threat-intel.js +6 -0
- package/dist/mcp/audit-chain.js +9 -0
- package/dist/mcp/model-router.js +3 -3
- package/dist/mcp/orchestration.js +194 -41
- package/dist/mcp/server.js +124 -17
- package/dist/mcp/tool-audit.js +193 -0
- package/dist/repo/fs.js +14 -1
- package/dist/review/store.js +4 -2
- package/dist/tests/run.js +124 -1
- package/package.json +3 -3
- package/skills/advanced-dos-tester/SKILL.md +9 -0
- package/skills/agentic-instruction-auditor/SKILL.md +111 -0
- package/skills/agentic-loop-exploiter/SKILL.md +9 -0
- package/skills/ai-llm-redteam/SKILL.md +9 -0
- package/skills/ai-model-supply-chain-agent/SKILL.md +9 -0
- package/skills/algorithm-implementation-reviewer/SKILL.md +9 -0
- package/skills/android-penetration-tester/SKILL.md +9 -0
- package/skills/anti-replay-tester/SKILL.md +9 -0
- package/skills/appsec-code-auditor/SKILL.md +9 -0
- package/skills/artifact-integrity-analyst/SKILL.md +9 -0
- package/skills/attack-navigator/SKILL.md +9 -0
- package/skills/auth-session-hacker/SKILL.md +9 -0
- package/skills/aws-penetration-tester/SKILL.md +54 -0
- package/skills/azure-penetration-tester/SKILL.md +52 -0
- package/skills/binary-auth-validator/SKILL.md +9 -0
- package/skills/bot-detection-specialist/SKILL.md +9 -0
- package/skills/business-logic-attacker/SKILL.md +9 -0
- package/skills/capec-code-mapper/SKILL.md +9 -0
- package/skills/cert-pin-rotation-specialist/SKILL.md +9 -0
- package/skills/cicd-pipeline-hijacker/SKILL.md +9 -0
- package/skills/ciso-orchestrator/SKILL.md +11 -0
- package/skills/cloud-infra-specialist/SKILL.md +9 -0
- package/skills/compliance-gap-analyst/SKILL.md +9 -0
- package/skills/compliance-grc/SKILL.md +9 -0
- package/skills/compliance-lifecycle-tracker/SKILL.md +9 -0
- package/skills/container-hardening-auditor/SKILL.md +125 -0
- package/skills/credential-stuffing-specialist/SKILL.md +9 -0
- package/skills/crypto-pki-specialist/SKILL.md +9 -0
- package/skills/csa-ccm-mapper/SKILL.md +9 -0
- package/skills/csf2-governance-mapper/SKILL.md +9 -0
- package/skills/data-platform-auditor/SKILL.md +125 -0
- package/skills/deep-link-fuzzer/SKILL.md +9 -0
- package/skills/dependency-confusion-attacker/SKILL.md +9 -0
- package/skills/device-integrity-aggregator/SKILL.md +9 -0
- package/skills/dos-resilience-tester/SKILL.md +9 -0
- package/skills/dread-scorer/SKILL.md +9 -0
- package/skills/egress-policy-enforcer/SKILL.md +9 -0
- package/skills/evidence-collector/SKILL.md +9 -0
- package/skills/file-upload-attacker/SKILL.md +9 -0
- package/skills/gcp-penetration-tester/SKILL.md +51 -0
- package/skills/git-history-secret-scanner/SKILL.md +9 -0
- package/skills/gitops-delivery-auditor/SKILL.md +120 -0
- package/skills/iac-security-auditor/SKILL.md +125 -0
- package/skills/iam-privesc-graph-builder/SKILL.md +9 -0
- package/skills/incident-responder/SKILL.md +9 -0
- package/skills/injection-specialist/SKILL.md +9 -0
- package/skills/ios-security-auditor/SKILL.md +9 -0
- package/skills/json-ambiguity-tester/SKILL.md +0 -0
- package/skills/k8s-container-escaper/SKILL.md +22 -0
- package/skills/key-management-lifecycle-analyst/SKILL.md +9 -0
- package/skills/kill-switch-engineer/SKILL.md +9 -0
- package/skills/linddun-privacy-analyst/SKILL.md +9 -0
- package/skills/logic-race-fuzzer/SKILL.md +9 -0
- package/skills/mobile-api-network-attacker/SKILL.md +9 -0
- package/skills/mobile-binary-hardener/SKILL.md +9 -0
- package/skills/mobile-security-specialist/SKILL.md +9 -0
- package/skills/mobile-webview-auditor/SKILL.md +9 -0
- package/skills/model-extraction-attacker/SKILL.md +9 -0
- package/skills/multipart-abuse-tester/SKILL.md +9 -0
- package/skills/oauth-pkce-specialist/SKILL.md +9 -0
- package/skills/parser-exhaustion-tester/SKILL.md +9 -0
- package/skills/pentest-infra/SKILL.md +9 -0
- package/skills/pentest-social/SKILL.md +9 -0
- package/skills/pentest-team/SKILL.md +9 -0
- package/skills/pentest-web-api/SKILL.md +9 -0
- package/skills/privacy-flow-analyst/SKILL.md +9 -0
- package/skills/prompt-injection-specialist/SKILL.md +9 -0
- package/skills/quantum-migration-planner/SKILL.md +9 -0
- package/skills/rag-poisoning-specialist/SKILL.md +9 -0
- package/skills/registry-mirror-enforcer/SKILL.md +9 -0
- package/skills/rotation-validation-agent/SKILL.md +9 -0
- package/skills/samm-assessor/SKILL.md +9 -0
- package/skills/secrets-mask-bypass-tester/SKILL.md +9 -0
- package/skills/senior-security-engineer/SKILL.md +11 -0
- package/skills/serialization-memory-attacker/SKILL.md +9 -0
- package/skills/session-timeout-tester/SKILL.md +9 -0
- package/skills/slsa-level3-enforcer/SKILL.md +9 -0
- package/skills/slsa-provenance-enforcer/SKILL.md +9 -0
- package/skills/ssrf-detection-validator/SKILL.md +9 -0
- package/skills/step-up-auth-enforcer/SKILL.md +9 -0
- package/skills/stride-pasta-analyst/SKILL.md +9 -0
- package/skills/supply-chain-devsecops/SKILL.md +9 -0
- package/skills/threat-infrastructure-analyst/SKILL.md +9 -0
- package/skills/threat-modeler/SKILL.md +9 -0
- package/skills/tls-certificate-auditor/SKILL.md +9 -0
- package/skills/token-reuse-detector/SKILL.md +9 -0
- package/skills/trike-risk-modeler/SKILL.md +9 -0
- package/skills/unicode-homograph-tester/SKILL.md +9 -0
- package/skills/waf-rule-lifecycle-agent/SKILL.md +9 -0
- package/skills/webhook-security-tester/SKILL.md +9 -0
- package/skills/zero-trust-architect/SKILL.md +9 -0
|
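--- a/package/dist/gate/checks/cloud-controls.js
+++ b/package/dist/gate/checks/cloud-controls.js
@@ -0,0 +1,69 @@
+import fg from "fast-glob";
+import { readFileSafe } from "../../repo/fs.js";
+import { detectBicep, detectCloudFormation, detectTerraform } from "../cloud-controls/detect.js";
+import { loadCloudRules } from "../cloud-controls/types.js";
+// .tf = Terraform (HCL); .bicep = Bicep; json/yaml/template are CloudFormation/SAM
+// candidates (gated by a content check so arbitrary JSON/YAML is skipped cheaply).
+const GLOBS = ["**/*.tf", "**/*.bicep", "**/*.json", "**/*.yaml", "**/*.yml", "**/*.template"];
+const IGNORE = [
+"**/node_modules/**",
+"**/.git/**",
+"**/dist/**",
+"**/.claude/**",
+"src/gate/**"
+];
+function detectForFile(file, text, rules) {
+if (file.endsWith(".tf"))
+return detectTerraform(file, text, rules);
+if (file.endsWith(".bicep"))
+return detectBicep(file, text, rules);
+return detectCloudFormation(file, text, rules);
+}
+const MAX_EVIDENCE = 20;
+function toFinding(ruleId, rule, violations) {
+const files = Array.from(new Set(violations.map((v) => v.file)));
+return {
+id: ruleId,
+title: `${rule.title} — ${rule.threat}`,
+severity: rule.severity,
+evidence: violations
+.slice(0, MAX_EVIDENCE)
+.map((v) => `${v.file}:${v.line}: ${rule.detect.resourceType} — ${v.reason}`),
+files,
+requiredActions: rule.requiredActions
+};
+}
+/**
+* Threat-detection pass over the FSBP/CIS cloud-control ruleset. Pure — emits
+* Findings, never mutates files. Auto-remediation lives in cloud-controls/apply.ts
+* and is invoked explicitly (CLI `autoharden`), not during the read-only gate.
+*/
+export async function checkCloudControls(opts) {
+void opts; // matching scans the whole working tree, consistent with checkIac
+const rules = await loadCloudRules();
+if (rules.length === 0)
+return [];
+const files = await fg(GLOBS, { dot: true, followSymbolicLinks: false, ignore: IGNORE });
+const byRule = new Map();
+for (const file of files) {
+let text = "";
+try {
+text = await readFileSafe(file);
+}
+catch {
+continue;
+}
+for (const v of detectForFile(file, text, rules)) {
+const list = byRule.get(v.rule.ruleId);
+if (list)
+list.push(v);
+else
+byRule.set(v.rule.ruleId, [v]);
+}
+}
+const findings = [];
+for (const [ruleId, violations] of byRule) {
+findings.push(toFinding(ruleId, violations[0].rule, violations));
+}
+return findings;
+}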
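Review bot: The `catch { continue; }` around `readFileSafe(file)` in `checkCloudControls` makes the gate fail open: a template that cannot be read produces no finding and no record that it was skipped, so a partial scan looks the same as a clean one (what `readFileSafe` rejects is not visible here, presumably size or path limits). Collect the skipped paths, e.g. `catch { skipped.push(file); continue; }`, and surface them in the returned findings or a log line so reviewers can see that coverage was incomplete. The `IGNORE` list narrows coverage the same way for whole directories: `"**/dist/**"` and `"src/gate/**"` apply to every scanned working tree, not only this package's own layout, so IaC kept under those paths is never evaluated; a comment stating that intent, or making the list configurable, would help. In `toFinding`, evidence is capped by `.slice(0, MAX_EVIDENCE)` with no marker that entries were dropped, so a line such as `// evidence is truncated to MAX_EVIDENCE; files still lists every affected file` would make the cap visible.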
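--- a/package/dist/gate/checks/crypto.js
+++ b/package/dist/gate/checks/crypto.js
@@ -186,7 +186,7 @@ async function checkRsaPaddingScheme() {
 }
 return findings;
 }
-async function checkShaUsedForPassword(
+async function checkShaUsedForPassword(_weakHashHits) {
 const findings = [];
 // Detect SHA-256/384/512 used in password context
 const shaPasswordHits = await searchRepo({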
|