security-mcp 1.3.1 → 1.3.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (131) hide show
  1. package/README.md +286 -887
  2. package/defaults/cloud-controls/aws.json +10712 -0
  3. package/defaults/cloud-controls/azure.json +7201 -0
  4. package/defaults/cloud-controls/gcp.json +4061 -0
  5. package/defaults/control-catalog.json +24 -0
  6. package/dist/ci/pr-gate.js +22 -5
  7. package/dist/cli/index.js +73 -2
  8. package/dist/cli/install.js +4 -55
  9. package/dist/cli/onboarding.js +18 -10
  10. package/dist/gate/checks/agentic-instructions.js +515 -0
  11. package/dist/gate/checks/ai-governance.js +132 -0
  12. package/dist/gate/checks/ai.js +1 -1
  13. package/dist/gate/checks/cloud-controls.js +69 -0
  14. package/dist/gate/checks/crypto.js +1 -1
  15. package/dist/gate/checks/data-platform.js +954 -0
  16. package/dist/gate/checks/dependencies.js +14 -3
  17. package/dist/gate/checks/docker-deep.js +1236 -0
  18. package/dist/gate/checks/gitops.js +724 -0
  19. package/dist/gate/checks/iac.js +1230 -0
  20. package/dist/gate/checks/k8s.js +841 -1
  21. package/dist/gate/checks/secrets.js +49 -37
  22. package/dist/gate/cloud-controls/apply.js +115 -0
  23. package/dist/gate/cloud-controls/bicep.js +36 -0
  24. package/dist/gate/cloud-controls/cfn.js +125 -0
  25. package/dist/gate/cloud-controls/detect.js +104 -0
  26. package/dist/gate/cloud-controls/hcl.js +140 -0
  27. package/dist/gate/cloud-controls/types.js +87 -0
  28. package/dist/gate/exceptions.js +78 -7
  29. package/dist/gate/findings.js +15 -2
  30. package/dist/gate/policy.js +40 -3
  31. package/dist/gate/threat-intel.js +6 -0
  32. package/dist/mcp/audit-chain.js +9 -0
  33. package/dist/mcp/model-router.js +3 -3
  34. package/dist/mcp/orchestration.js +194 -41
  35. package/dist/mcp/server.js +124 -17
  36. package/dist/mcp/tool-audit.js +193 -0
  37. package/dist/repo/fs.js +14 -1
  38. package/dist/review/store.js +4 -2
  39. package/dist/tests/run.js +124 -1
  40. package/package.json +6 -4
  41. package/skills/advanced-dos-tester/SKILL.md +9 -0
  42. package/skills/agentic-instruction-auditor/SKILL.md +111 -0
  43. package/skills/agentic-loop-exploiter/SKILL.md +9 -0
  44. package/skills/ai-llm-redteam/SKILL.md +9 -0
  45. package/skills/ai-model-supply-chain-agent/SKILL.md +9 -0
  46. package/skills/algorithm-implementation-reviewer/SKILL.md +9 -0
  47. package/skills/android-penetration-tester/SKILL.md +9 -0
  48. package/skills/anti-replay-tester/SKILL.md +9 -0
  49. package/skills/appsec-code-auditor/SKILL.md +9 -0
  50. package/skills/artifact-integrity-analyst/SKILL.md +9 -0
  51. package/skills/attack-navigator/SKILL.md +9 -0
  52. package/skills/auth-session-hacker/SKILL.md +9 -0
  53. package/skills/aws-penetration-tester/SKILL.md +54 -0
  54. package/skills/azure-penetration-tester/SKILL.md +52 -0
  55. package/skills/binary-auth-validator/SKILL.md +9 -0
  56. package/skills/bot-detection-specialist/SKILL.md +9 -0
  57. package/skills/business-logic-attacker/SKILL.md +9 -0
  58. package/skills/capec-code-mapper/SKILL.md +9 -0
  59. package/skills/cert-pin-rotation-specialist/SKILL.md +9 -0
  60. package/skills/cicd-pipeline-hijacker/SKILL.md +9 -0
  61. package/skills/ciso-orchestrator/SKILL.md +11 -0
  62. package/skills/cloud-infra-specialist/SKILL.md +9 -0
  63. package/skills/compliance-gap-analyst/SKILL.md +9 -0
  64. package/skills/compliance-grc/SKILL.md +9 -0
  65. package/skills/compliance-lifecycle-tracker/SKILL.md +9 -0
  66. package/skills/container-hardening-auditor/SKILL.md +125 -0
  67. package/skills/credential-stuffing-specialist/SKILL.md +9 -0
  68. package/skills/crypto-pki-specialist/SKILL.md +9 -0
  69. package/skills/csa-ccm-mapper/SKILL.md +9 -0
  70. package/skills/csf2-governance-mapper/SKILL.md +9 -0
  71. package/skills/data-platform-auditor/SKILL.md +125 -0
  72. package/skills/deep-link-fuzzer/SKILL.md +9 -0
  73. package/skills/dependency-confusion-attacker/SKILL.md +9 -0
  74. package/skills/device-integrity-aggregator/SKILL.md +9 -0
  75. package/skills/dos-resilience-tester/SKILL.md +9 -0
  76. package/skills/dread-scorer/SKILL.md +9 -0
  77. package/skills/egress-policy-enforcer/SKILL.md +9 -0
  78. package/skills/evidence-collector/SKILL.md +9 -0
  79. package/skills/file-upload-attacker/SKILL.md +9 -0
  80. package/skills/gcp-penetration-tester/SKILL.md +51 -0
  81. package/skills/git-history-secret-scanner/SKILL.md +9 -0
  82. package/skills/gitops-delivery-auditor/SKILL.md +120 -0
  83. package/skills/iac-security-auditor/SKILL.md +125 -0
  84. package/skills/iam-privesc-graph-builder/SKILL.md +9 -0
  85. package/skills/incident-responder/SKILL.md +9 -0
  86. package/skills/injection-specialist/SKILL.md +9 -0
  87. package/skills/ios-security-auditor/SKILL.md +9 -0
  88. package/skills/json-ambiguity-tester/SKILL.md +0 -0
  89. package/skills/k8s-container-escaper/SKILL.md +22 -0
  90. package/skills/key-management-lifecycle-analyst/SKILL.md +9 -0
  91. package/skills/kill-switch-engineer/SKILL.md +9 -0
  92. package/skills/linddun-privacy-analyst/SKILL.md +9 -0
  93. package/skills/logic-race-fuzzer/SKILL.md +9 -0
  94. package/skills/mobile-api-network-attacker/SKILL.md +9 -0
  95. package/skills/mobile-binary-hardener/SKILL.md +9 -0
  96. package/skills/mobile-security-specialist/SKILL.md +9 -0
  97. package/skills/mobile-webview-auditor/SKILL.md +9 -0
  98. package/skills/model-extraction-attacker/SKILL.md +9 -0
  99. package/skills/multipart-abuse-tester/SKILL.md +9 -0
  100. package/skills/oauth-pkce-specialist/SKILL.md +9 -0
  101. package/skills/parser-exhaustion-tester/SKILL.md +9 -0
  102. package/skills/pentest-infra/SKILL.md +9 -0
  103. package/skills/pentest-social/SKILL.md +9 -0
  104. package/skills/pentest-team/SKILL.md +9 -0
  105. package/skills/pentest-web-api/SKILL.md +9 -0
  106. package/skills/privacy-flow-analyst/SKILL.md +9 -0
  107. package/skills/prompt-injection-specialist/SKILL.md +9 -0
  108. package/skills/quantum-migration-planner/SKILL.md +9 -0
  109. package/skills/rag-poisoning-specialist/SKILL.md +9 -0
  110. package/skills/registry-mirror-enforcer/SKILL.md +9 -0
  111. package/skills/rotation-validation-agent/SKILL.md +9 -0
  112. package/skills/samm-assessor/SKILL.md +9 -0
  113. package/skills/secrets-mask-bypass-tester/SKILL.md +9 -0
  114. package/skills/senior-security-engineer/SKILL.md +11 -0
  115. package/skills/serialization-memory-attacker/SKILL.md +9 -0
  116. package/skills/session-timeout-tester/SKILL.md +9 -0
  117. package/skills/slsa-level3-enforcer/SKILL.md +9 -0
  118. package/skills/slsa-provenance-enforcer/SKILL.md +9 -0
  119. package/skills/ssrf-detection-validator/SKILL.md +9 -0
  120. package/skills/step-up-auth-enforcer/SKILL.md +9 -0
  121. package/skills/stride-pasta-analyst/SKILL.md +9 -0
  122. package/skills/supply-chain-devsecops/SKILL.md +9 -0
  123. package/skills/threat-infrastructure-analyst/SKILL.md +9 -0
  124. package/skills/threat-modeler/SKILL.md +9 -0
  125. package/skills/tls-certificate-auditor/SKILL.md +9 -0
  126. package/skills/token-reuse-detector/SKILL.md +9 -0
  127. package/skills/trike-risk-modeler/SKILL.md +9 -0
  128. package/skills/unicode-homograph-tester/SKILL.md +9 -0
  129. package/skills/waf-rule-lifecycle-agent/SKILL.md +9 -0
  130. package/skills/webhook-security-tester/SKILL.md +9 -0
  131. package/skills/zero-trust-architect/SKILL.md +9 -0
package/README.md CHANGED
@@ -1,260 +1,216 @@
1
- # security-mcp - AI Security Engineer for Claude Code, Cursor, Copilot & Codex
1
+ # security-mcp
2
2
 
3
3
  [![npm version](https://img.shields.io/npm/v/security-mcp.svg)](https://www.npmjs.com/package/security-mcp)
4
4
  [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](LICENSE)
5
5
  [![Node.js](https://img.shields.io/badge/node-%3E%3D20-brightgreen.svg)](https://nodejs.org)
6
6
  [![CI](https://github.com/AbrahamOO/security-mcp/actions/workflows/security-gate.yml/badge.svg)](https://github.com/AbrahamOO/security-mcp/actions)
7
7
 
8
- **Stop shipping vulnerable code.**
8
+ An autonomous application-security engineering layer for AI-assisted development.
9
9
 
10
- **security-mcp** is a [Model Context Protocol (MCP)](https://modelcontextprotocol.io) server that gives your AI coding assistant the knowledge and tooling of a senior security engineer. Instead of just warning you about vulnerabilities, it **writes the secure code** - inline, immediately, every time.
10
+ security-mcp is a [Model Context Protocol](https://modelcontextprotocol.io) server that turns your AI coding assistant into a security engineer that does the work, not a linter that files tickets. It reads code the way an attacker does, writes the secure fix inline, and enforces a gate in CI so insecure code cannot merge. The operating mandate across the product is the same one a strong security hire would hold: roughly 90% fixing, 10% advisory.
11
11
 
12
- Works with **Claude Code, GitHub Copilot, Cursor, Codex, Replit**, and any MCP-compatible editor.
12
+ Platform and security teams can standardize their entire AppSec program on it. A solo founder can install it in a minute and ship safer code on day one. No security background is required to benefit, but nothing is dumbed down for the people who have one.
13
13
 
14
- > **One command to install. Zero security background required.**
14
+ Works with Claude Code, Cursor, VS Code / GitHub Copilot, Windsurf, Codex, Replit, and any MCP-compatible editor.
15
+
16
+ ```bash
17
+ npx -y security-mcp@latest install
18
+ ```
15
19
 
16
20
  ---
17
21
 
18
22
  ## Table of Contents
19
23
 
20
- - [What's New in v1.3.0](#whats-new-in-v130)
21
- - [What Problem Does This Solve?](#what-problem-does-this-solve)
22
- - [Who Is This For?](#who-is-this-for)
23
- - [Two Modes - Pick Your Depth](#two-modes---pick-your-depth)
24
- - [Quick Start - Install in 60 Seconds](#quick-start---install-in-60-seconds)
25
- - [Installation](#installation)
26
- - [Verify Your Installation](#verify-your-installation)
27
- - [How to Run Your First Security Review](#how-to-run-your-first-security-review)
28
- - [CI/CD Security Gate](#cicd-security-gate)
29
- - [What Gets Fixed Automatically](#what-gets-fixed-automatically)
30
- - [Architecture](#architecture)
31
- - [MCP Tools Reference](#mcp-tools-reference)
32
- - [Security Frameworks Applied](#security-frameworks-applied)
33
- - [Configuration](#configuration)
34
- - [Environment Variables](#environment-variables)
35
- - [The 10 Rules That Are Never Broken](#the-10-rules-that-are-never-broken)
36
- - [Troubleshooting](#troubleshooting)
37
- - [FAQ](#faq)
24
+ - [Why this exists](#why-this-exists)
25
+ - [What's new in 1.3.3](#whats-new-in-133)
26
+ - [System overview](#system-overview)
27
+ - [The two entry points](#the-two-entry-points)
28
+ - [/senior-security-engineer](#senior-security-engineer)
29
+ - [/ciso-orchestrator](#ciso-orchestrator)
30
+ - [The gate engine](#the-gate-engine)
31
+ - [Cloud security controls engine](#cloud-security-controls-engine)
32
+ - [Install](#install)
33
+ - [CI/CD gate](#cicd-gate)
34
+ - [Built for teams](#built-for-teams)
35
+ - [Self-protection and supply-chain posture](#self-protection-and-supply-chain-posture)
36
+ - [MCP tools](#mcp-tools)
37
+ - [Frameworks](#frameworks)
38
+ - [Policy and exceptions](#policy-and-exceptions)
39
+ - [Environment variables](#environment-variables)
40
+ - [The 10 non-negotiable rules](#the-10-non-negotiable-rules)
41
+ - [CLI reference](#cli-reference)
42
+ - [Documentation and disclosure](#documentation-and-disclosure)
43
+ - [License](#license)
38
44
 
39
45
  ---
40
46
 
41
- ## What's New in v1.3.0
47
+ ## Why this exists
42
48
 
43
- v1.3.0 delivers **104 new blindspot detection checks** across 7 threat domains, discovered by running a full 8-agent CISO Orchestrator pass followed by an adversarial pentest verification round. It also closes 5 critical security vulnerabilities in the gate engine itself.
49
+ Most security tooling stops at detection. It produces a list, hands it to a human, and waits. That model breaks down when AI assistants are writing the majority of the code, because the volume of change outpaces anyone's ability to triage a backlog by hand.
44
50
 
45
- ### 42 Deep Injection Patterns (was 15)
51
+ security-mcp inverts the default. When it finds a vulnerability it writes the production-ready fix into your working tree, re-runs the check to confirm the issue cleared, and only then moves on. The same engine runs as a deterministic gate in CI, so the contract is simple: HIGH and CRITICAL findings do not merge.
46
52
 
47
- `checkInjectionDeep` now covers 42 detection patterns:
53
+ You get three things from one install:
48
54
 
49
- | Added in v1.3.0 | ATT&CK | What It Catches |
50
- | --- | --- | --- |
51
- | **SSTI (Java/PHP)** | T1059 | FreeMarker, Thymeleaf, Velocity, Twig, Smarty template injection |
52
- | **SpEL / OGNL injection** | T1059 | Spring Expression Language and OGNL via user-controlled string eval |
53
- | **Pickle / Java deserialization** | T1059.001 | Unsafe `pickle.loads`, `ObjectInputStream`, `readObject` on untrusted data |
54
- | **Second-order injection** | T1059 | Data stored to DB then later executed — two-pass file-correlation check |
55
- | **CSS injection** | T1059 | User content reflected inside `<style>` or `style=` without sanitization |
56
- | **Elasticsearch injection** | T1059 | Dynamic query construction in Elasticsearch DSL with user input |
57
- | **WebSocket injection** | T1059 | User-controlled data in `ws.send()` without validation |
58
- | **SSE-CRLF** | T1059 | CRLF in Server-Sent Events `data:` field hijacking the SSE stream |
59
- | **PDF / document injection** | T1059 | User input in PDF field generation without escaping |
60
- | **HTTP response splitting** | T1059 | CRLF in HTTP header values |
61
- | **Bracket-notation prototype pollution** | T1203 | `obj[key] = value` with user-controlled keys |
55
+ - An interactive security engineer that fixes code inside your editor.
56
+ - A multi-agent security program that runs a full audit on demand.
57
+ - A standalone CI gate that needs no AI session to enforce the line.
62
58
 
63
- Plus all original patterns: XXE, SSTI multiline, LDAP, XPath, JNDI/Log4Shell, MongoDB `$where`, prototype pollution, CRLF, unsafe YAML, deserialization, path traversal, log injection, SSRF, command injection, ReDoS, SQL/ORM (Prisma, Sequelize, Knex, TypeORM), Redis `EVAL`, HTTP header injection.
59
+ ---
64
60
 
65
- ### 43 Deep Auth Patterns (was 16)
61
+ ## What's new in 1.3.3
66
62
 
67
- `checkAuthDeep` now covers 43 detection patterns:
63
+ **Inter-agent payload integrity.** `orchestration.merge_agent_findings` is the single trust sink for a whole agent run, so it now validates every agent's findings against a strict schema and verifies each file's hash against that agent's signed attestation before the findings reach the gate. With an attestation chain present it runs **enforced**: unattested or tampered agent files are rejected, and a hash mismatch or failed chain forces the gate to FAIL even with zero findings. Set `SECURITY_REQUIRE_AGENT_ATTESTATION` to fail closed unless the run is HMAC-signed, enforced, and chain-valid.
68
64
 
69
- | Added in v1.3.0 | CWE | What It Catches |
70
- | --- | --- | --- |
71
- | **JWT `kid` injection** | CWE-20 | `kid` header used as file path or SQL expression for key material |
72
- | **JWKS URI override** | CWE-20 | Attacker-controlled `jku` / `x5u` headers pointing to external key stores |
73
- | **OAuth client secret in repo** | CWE-798 | `client_secret` literals or env defaults checked into source |
74
- | **Session token in URL** | CWE-598 | Session IDs in query parameters — logged by every proxy |
75
- | **Low-entropy token** | CWE-330 | Token / secret generated with `Math.random()` or timestamp-seeded RNG |
76
- | **Remember-me no rotation** | CWE-613 | Persistent login tokens never rotated on use |
77
- | **Password reset single-use** | CWE-640 | Reset tokens reusable after initial redemption |
78
- | **Account enumeration** | CWE-204 | Different error messages for valid vs. invalid usernames |
79
- | **Bcrypt cost factor** | CWE-916 | `bcrypt.hash(pw, N)` where N < 12 |
80
-
81
- Plus all original patterns: JWT alg:none/HS-RS confusion, session fixation, OAuth state/redirect_uri/PKCE, hardcoded JWT secret, rate limit on auth, plaintext password compare, SAML signature bypass, insecure cookie flags, refresh token rotation, API key in URL, reset token expiry, admin route without authz, timing oracle.
82
-
83
- ### 31 Business Logic Patterns (was 8)
84
-
85
- `checkBusinessLogic` now catches 31 patterns including 13 new e-commerce and payment abuse vectors:
86
-
87
- - **Currency confusion** — mixed-currency arithmetic without normalization
88
- - **Discount stacking** — coupon codes combined with promotions without stack limits
89
- - **Order fulfillment bypass** — status transitions that skip required payment/verification steps
90
- - **Webhook timestamp** — missing replay-window check on webhook signature verification
91
- - **Tax / shipping parameter tamper** — client-supplied tax and shipping totals accepted server-side
92
- - **Client-side total** — final order amount derived from a browser-supplied value
93
- - **Referral abuse** — self-referral detection absent from referral credit logic
94
- - **Email normalization** — `user+tag@domain.com` not normalized when enforcing unique accounts
95
- - **Feature flag bypass** — feature flags controllable via client-supplied headers or query params
96
- - **API version bypass** — security controls on v2 routes not enforced on legacy v1 endpoints
97
- - **Double-spend payment** — concurrent payment requests without idempotency key enforcement
98
- - **Free trial abuse** — trial period enforced only by client-supplied start date
99
- - **Pagination abuse** — unlimited page size parameter enabling full-table data dump
100
-
101
- ### 32 Supply Chain Deep Patterns (was 16)
102
-
103
- `checkSupplyChainDeep` now covers 32 patterns. New additions detect obfuscated payloads, malicious package scripts, and exfiltration channels that bypass standard SAST tools — including keyloggers, reverse shells, cryptomining signatures, DNS exfiltration, clipboard monitoring, and more.
104
-
105
- ### Critical Security Fixes
106
-
107
- | ID | Severity | Fix |
108
- | --- | --- | --- |
109
- | **VULN-001** | CRITICAL | Dead multiline regex in `checkSecondOrderInjection` silently nulled the entire injection-deep module — replaced with two-pass file-correlation |
110
- | **VULN-002** | HIGH | Symlink traversal in `policy.ts` glob calls — `followSymbolicLinks: false` enforced |
111
- | **VULN-003** | HIGH | Evidence previews leaked secret values — `redactSecrets()` added to `search.ts` |
112
- | **AUTH-OBO-01** | HIGH | Lockout off-by-one in `auth.ts` allowed 4 attempts instead of 3 |
113
- | **META-01/03/04** | MEDIUM | Prompt injection vectors in MCP server — `_notice` framing and `sanitizePromptParam()` added |
65
+ **Per-tool-call audit log.** Every MCP tool invocation emits one structured JSONL record with the eight mandatory fields — timestamp, agent id, tool, input parameters (secrets redacted), output (outcome + size + truncated preview), credentials used (session id, never the secret), user context, and outcome status — to `.mcp/audit/tool-calls.jsonl` (`0o600`). Point `SECURITY_TOOL_AUDIT_LOG` at an append-only sink for tamper-proof retention. Logging never interrupts tool execution.
114
66
 
115
- ### Also in v1.2.1
67
+ Both close gaps from an agentic-AI threat model of security-mcp's own multi-agent system and were hardened through a three-agent adversarial review (highest-severity-wins dedupe, secret/PII value scrubbing in the audit preview, honest unsigned-chain reporting). See the [CHANGELOG](CHANGELOG.md) for the full list and accepted residual risk.
116
68
 
117
- - OWASP Top 10 now **10/10 covered** A09 (Security Logging and Monitoring Failures) fully completed
118
- - NIST AU-11 / PCI Req 10 log retention detection added to `checkAuthDeep`
119
- - ISO 42001 §9.1 routing decision audit log added to model router
120
- - `runScanners` (gitleaks / semgrep / trivy / checkov / osv-scanner) wired into the gate — was implemented but never called since v1.0; now active check 27
69
+ **1.3.2 — cloud security controls engine.** A registry-driven engine that scans infrastructure-as-code against 998 rules mapped to AWS FSBP, CIS Benchmarks (AWS / GCP / Azure), and the Microsoft Cloud Security Benchmark, across Terraform, CloudFormation, and Bicep. Terraform violations can be auto-remediated with `security-mcp autoharden` ([dedicated section](#cloud-security-controls-engine)). It also added the `security-mcp ci:pr-gate` and `sign-policy` CLI commands, and hardened the tool against itself (unsigned policies and exceptions can no longer relax the gate; data at rest is written `0o600`) — see [self-protection and supply-chain posture](#self-protection-and-supply-chain-posture).
121
70
 
122
- ### Also in v1.2.0
71
+ Earlier releases expanded the deep-analysis pattern libraries (injection, authentication, supply chain, business logic), brought OWASP Top 10 to full coverage, and wired the industry scanners into the gate.
123
72
 
124
- - **Secrets** — dotfiles glob, base64/hex decode pre-pass, 10 new token formats (Vercel, PlanetScale, Databricks, Linear, Railway, npmrc, HuggingFace, ARM, Twilio), gitleaks history scan, split-string heuristic
125
- - **Injection** — SQL/ORM detection (Prisma `$queryRaw`, Sequelize, Knex, TypeORM), JNDI/Log4Shell, LDAP, XPath, Redis `EVAL`, ReDoS static catastrophic-backtracking patterns
126
- - **Cryptography** — AES-CBC-without-HMAC (+ split-string evasion fix), GCM nonce reuse and timestamp IV, RSA PKCS#1v1.5, SHA-256-as-password-hash, hardcoded PBKDF2 salt, `rejectUnauthorized: false`, weak TLS min version
127
- - **Checklists** — all 6 surface checklists updated with `automated: true` entries for every new check ID
73
+ ---
128
74
 
129
- ### MCP Caller Authentication
75
+ ## System overview
130
76
 
131
- Protect the MCP server channel against rogue processes that obtain stdio access:
77
+ <p align="center">
78
+ <img src="https://raw.githubusercontent.com/AbrahamOO/security-mcp/main/assets/diagrams/system-overview.svg" alt="System overview: editor skills and CI both call the same MCP server, which drives the gate engine, orchestration, cloud controls, and platform subsystems into a shared attestation." width="820">
79
+ </p>
132
80
 
133
- ```bash
134
- export SECURITY_MCP_SHARED_SECRET="$(openssl rand -hex 32)"
135
- ```
81
+ The MCP server is the trust root. Both entry-point skills, the standalone CI gate, and every supporting subsystem call into the same engine, so an interactive fix and a CI verdict are produced by identical logic.
136
82
 
137
- When set, every tool call is blocked until the AI agent calls `security.authenticate` with the matching token. Uses constant-time HMAC comparison (CWE-208), 3-strike lockout, and minimum 16-byte secret enforcement. Backwards-compatible — when unset, all tools are immediately available.
83
+ ---
138
84
 
139
- ### Policy HMAC Integrity Signing
85
+ ## The two entry points
140
86
 
141
- Prevent tampered policy files from silently disabling severity blocking:
87
+ You drive security-mcp through two skills. One is your daily security engineer. The other is a full security program you run when the stakes are high.
142
88
 
143
- ```bash
144
- export SECURITY_POLICY_HMAC_KEY="$(openssl rand -hex 32)"
145
- npx security-mcp sign-policy
146
- ```
89
+ | | `/senior-security-engineer` | `/ciso-orchestrator` |
90
+ | --- | --- | --- |
91
+ | Shape | One elite engineer agent | 39 named agents, 40+ at runtime |
92
+ | Best for | Every PR, targeted hardening | Pre-release audits, compliance prep |
93
+ | Scope | You pick: diff, full codebase, or specific paths | Full: every surface, every framework |
94
+ | Speed | Seconds to minutes | Minutes to hours |
95
+ | Output | Inline fixes + SHA-256 attested report | Merged findings, compliance mapping, signed attestation |
96
+ | Network | Not required | Optional live threat intel |
147
97
 
148
- When set, the gate rejects any policy file whose HMAC sidecar (`.hmac`) does not match making it impossible to quietly change `severity_block: ["HIGH","CRITICAL"]` to `[]` without detection.
98
+ Rule of thumb: run `/senior-security-engineer` on every PR, and `/ciso-orchestrator` before a release or an audit.
149
99
 
150
- ---
100
+ ### /senior-security-engineer
151
101
 
152
- ## What Problem Does This Solve?
102
+ A single elite security-engineer agent. It operates 90% fixing, 10% advisory: it writes the secure code rather than handing you a report to act on. You pick the scope at the start (recent changes via git diff, the full codebase, or specific files and folders), and it runs a strategy pass, then the gate, then inline fixes, and finishes with a SHA-256 attested report you can keep as an audit artifact.
153
103
 
154
- When you use an AI coding assistant to build features fast, security is easy to skip - not because you don't care, but because:
104
+ This is the daily driver. Use it on every PR.
155
105
 
156
- - Security is deep expertise that takes years to develop
157
- - Most AI assistants write working code but don't enforce secure code
158
- - Static analysis tools flag problems but don't fix them
159
- - Hiring a security team or running a pentest is expensive and slow
106
+ <p align="center">
107
+ <img src="https://raw.githubusercontent.com/AbrahamOO/security-mcp/main/assets/diagrams/senior-security-engineer.svg" alt="senior-security-engineer flow: pick scope, build strategy, run gate, write inline fixes, re-run until clean, then emit a SHA-256 attested report." width="720">
108
+ </p>
160
109
 
161
- **security-mcp closes that gap.** It integrates a security enforcement layer directly into your AI assistant. Every code change, every PR, every new feature gets reviewed against OWASP, MITRE ATT&CK, NIST, PCI DSS, and 16 other frameworks - and the AI writes the fix immediately.
110
+ ### /ciso-orchestrator
162
111
 
163
- **The result:** You ship faster AND more securely. No security background required.
112
+ A full security program in one command, held to the same 90% fixing, 10% advisory mandate as the single agent: every specialist writes the fix rather than filing a finding. Nine specialist lead agents command 30 sub-agents, for 39 named agents in the static spawn tree. At runtime the orchestrator dynamically spawns additional ghost and coverage agents based on cross-domain findings, so a real run typically fields 40 or more. It draws on a registry of 91 specialist skills (registry version 1.6.0), loaded on demand based on your detected stack, and covers PCI DSS 4.0, SOC 2, ISO 27001, NIST 800-53, HIPAA, and GDPR mapping.
164
113
 
165
- ---
114
+ It runs in three phases:
115
+
116
+ 1. **Discovery (parallel).** Seven leads run at once: threat modeling, AppSec code audit, cloud and infrastructure, supply chain, AI/LLM red team, mobile, and crypto/PKI.
117
+ 2. **Adversarial and compliance (parallel).** A penetration-test team reads Phase 1's threat model as its attack brief, while a compliance/GRC synthesizer maps findings to controls.
118
+ 3. **Synthesis.** Each agent's findings file is schema-validated and verified against that agent's signed attestation before it is trusted, then findings are merged and deduplicated, SKILL.md section coverage (§0 through §24) is verified, and a signed attestation is written. A tampered attestation chain or a findings-hash mismatch forces the gate to FAIL.
166
119
 
167
- ## Who Is This For?
120
+ <p align="center">
121
+ <img src="https://raw.githubusercontent.com/AbrahamOO/security-mcp/main/assets/diagrams/ciso-orchestrator.svg" alt="ciso-orchestrator spawn tree: Phase 1 discovery leads and sub-agents in parallel, Phase 2 pentest and compliance teams, Phase 3 attestation verification, merge, coverage check, and signed attestation." width="940">
122
+ </p>
168
123
 
169
- - **Vibe coders and solo founders** building fast who need security to just work without slowing them down
170
- - **Full-stack developers** who know their code works but aren't sure if it's safe
171
- - **Startups and small teams** shipping web apps, mobile apps, APIs, and SaaS products
172
- - **AI-assisted developers** using Claude Code, Copilot, Cursor, or Codex to write most of their code
173
- - **Teams preparing for SOC 2, PCI DSS, or ISO 27001 audits** who need evidence and gap analysis
174
- - **Security-conscious engineers** who want systematic coverage, not ad-hoc reviews
175
- - **Anyone who's shipped code and thought "wait, is this actually secure?"**
124
+ Cloud, AI/LLM, and mobile sub-agents are conditional: they activate only when the relevant stack is detected, and report N/A otherwise.
176
125
 
177
126
  ---
178
127
 
179
- ## Two Modes - Pick Your Depth
128
+ ## The gate engine
180
129
 
181
- ### `/senior-security-engineer` - Your Daily Security Expert
130
+ The gate is the deterministic core. On every run it executes 35 security checks in parallel (33 distinct check modules plus 2 precomputed coverage feeds). It is surface-aware: it first detects which surfaces a change touches (web, API, infrastructure, iOS, Android, AI/LLM, agentic) and runs the relevant checks against them.
182
131
 
183
- A single elite security engineer agent that reviews your code, finds vulnerabilities, and writes the fix immediately. You choose the scope: just your recent changes, your whole codebase, or specific files and folders. It covers secrets, dependencies, cryptography, injection, authentication, web headers, cloud config, AI/LLM safety, mobile, and more - all in parallel. Every finding gets an inline code fix, not a suggestion. Finishes with a SHA-256 attested report you can keep as an audit trail.
132
+ <p align="center">
133
+ <img src="https://raw.githubusercontent.com/AbrahamOO/security-mcp/main/assets/diagrams/gate-engine.svg" alt="Gate engine pipeline: load HMAC-verified policy, resolve scope, classify change, detect surfaces, run 35 checks in parallel, assign SLAs, build coverage manifest, apply exceptions, score confidence, diff against baseline, and produce a verdict." width="760">
134
+ </p>
135
+
136
+ A crashed check module never disappears quietly. It becomes a HIGH coverage-gap finding, so the absence of a result is itself a result. A control that regresses from satisfied to missing against the saved baseline also becomes a HIGH finding.
137
+
138
+ ### Deep-analysis modules
139
+
140
+ | Module | Patterns | What it targets |
141
+ | --- | --- | --- |
142
+ | Deep injection | 42 | SQL/NoSQL, SSTI, SpEL/OGNL, deserialization, CRLF, SSRF, and more |
143
+ | Deep authentication | 43 | JWT confusion, session and OAuth flaws, weak hashing, token entropy |
144
+ | Deep supply chain | 32 | Obfuscated payloads, malicious scripts, exfiltration channels |
145
+ | Business logic | 31 | IDOR, race conditions, payment and e-commerce abuse |
146
+ | Data platform | 47 | Databricks and Snowflake misconfiguration |
147
+ | Deep Docker | 49 | Container build and runtime hardening |
148
+ | GitOps | 41 | ArgoCD and Flux pipeline integrity |
149
+ | Agentic-instruction integrity | 11 | Poisoned AI agent instruction files |
150
+ | AI governance | 3 | Shadow-AI and data-to-LLM exfiltration |
184
151
 
185
- **Use this on every PR. Use it before you push. Use it when something feels off.**
152
+ Alongside these, the gate runs Kubernetes (70 checks), IaC (56), and dedicated modules for secrets, dependencies, crypto, web/Next.js, API, mobile (iOS and Android), GraphQL, database, DLP, SBOM, an incident-response playbook, runtime/DAST, CI pipeline hardening, and a Nuclei DAST integration.
186
153
 
187
- ### `/ciso-orchestrator` - A Full Security Program in One Command
154
+ ### Scanner orchestration and threat intel
188
155
 
189
- 39 specialist agents across 3 phases. Phase 1: 7 lead agents run in parallel, each commanding its own team of sub-agents — threat modeling, deep code analysis, cloud infrastructure, supply chain, AI/LLM red team, mobile, and cryptography. Phase 2: adversarial penetration testing and compliance synthesis run in parallel after Phase 1 completes. Phase 3: findings are merged, deduplicated, and attested. Every domain has a dedicated specialist — an injection attacker, a JWT/OAuth hacker, a cloud privilege escalation analyst, a prompt injection specialist, a TLS auditor, a pentest team that reads the threat model as its attack brief, and a compliance analyst mapping every finding to PCI DSS 4.0, SOC 2, ISO 27001, NIST 800-53, HIPAA, and GDPR. Agents learn from each run and improve over time. 86 specialist skills registered in the registry — loaded on demand based on detected stack. Optionally fetches live CVE, CISA KEV, and ATT&CK data. Produces a merged findings report with full compliance mapping and a signed attestation.
156
+ When they are present on the host, the gate orchestrates industry scanners: gitleaks, semgrep, trivy, osv-scanner, checkov, conftest, and zaproxy. Their results fold into the same findings model.
190
157
 
191
- **Use this before major releases, compliance audits, or security reviews. -> [See the full 39-agent architecture](#ciso-orchestrator-flow-39-agents)**
158
+ Live threat intelligence (cached for 24 hours) enriches the verdict: CISA KEV, EPSS (a score above 0.5 escalates severity), OpenSSF Scorecard, and the npm registry. Set `SECURITY_OFFLINE=1` to disable all third-party egress. Private and internal scoped package names are never sent to public endpoints, online or off.
192
159
 
193
160
  ---
194
161
 
195
- | | `/senior-security-engineer` | `/ciso-orchestrator` |
196
- | --- | --- | --- |
197
- | **What it is** | Single expert agent | 39-agent multi-phase security program |
198
- | **Best for** | Daily development, PR reviews, targeted hardening | Pre-launch audits, compliance prep, incident response |
199
- | **Speed** | Seconds to minutes | Minutes to hours |
200
- | **Scope** | You choose: recent changes, full codebase, or specific files | Always full - every surface, every framework |
201
- | **Agents** | 1 | 39 (9 leads + 30 sub-agents) |
202
- | **Output** | Inline code fixes + SHA-256 attestation | Full domain reports + merged findings + attestation |
203
- | **API cost** | Low | High |
204
- | **Internet** | Not required | Optional (enriches findings with live CVEs, CISA KEV, MITRE ATT&CK) |
162
+ ## Cloud security controls engine
205
163
 
206
- **Rule of thumb:** Use `/senior-security-engineer` on every PR. Use `/ciso-orchestrator` before major releases or compliance deadlines.
164
+ A registry-driven engine scans infrastructure-as-code against 998 rules mapped to AWS Foundational Security Best Practices (FSBP), CIS Benchmarks for AWS, GCP, and Azure, and the Microsoft Cloud Security Benchmark.
165
+
166
+ | Coverage | Rules |
167
+ | --- | --- |
168
+ | AWS | 483 |
169
+ | Azure | 320 |
170
+ | GCP | 195 |
171
+ | Terraform / HCL | 774 |
172
+ | CloudFormation | 128 |
173
+ | Bicep | 96 |
174
+
175
+ <p align="center">
176
+ <img src="https://raw.githubusercontent.com/AbrahamOO/security-mcp/main/assets/diagrams/cloud-controls.svg" alt="Cloud controls flow: detect IaC against the 998-rule registry, surface violations, auto-fix safe Terraform cases then re-detect to confirm, revert if not cleared, and report anything unsafe as a manual action with a snippet." width="720">
177
+ </p>
178
+
179
+ Terraform supports auto-remediation through `security-mcp autoharden` (use `--dry-run` to preview). The engine applies a fix, re-detects to confirm the violation actually cleared, and only then keeps the change. Anything it cannot safely auto-fix is reported as a manual action with a code snippet.
207
180
 
208
181
  ---
209
182
 
210
- ## Quick Start - Install in 60 Seconds
183
+ ## Install
184
+
185
+ Prerequisite: Node.js 20 or higher (`node --version`).
211
186
 
212
187
  ```bash
213
188
  npx -y security-mcp@latest install
214
189
  ```
215
190
 
216
- Restart your editor. Then in Claude Code:
191
+ The installer auto-detects Claude Code, Cursor, VS Code, and Windsurf, and writes the config to the right place. Restart your editor, then run a review:
217
192
 
218
193
  ```text
219
194
  /senior-security-engineer
220
195
  ```
221
196
 
222
- That's it. The engineer will ask how you want to scope the review, then find and fix security issues in your code.
223
-
224
- For a full 39-agent deep audit:
197
+ For a full audit:
225
198
 
226
199
  ```text
227
200
  /ciso-orchestrator
228
201
  ```
229
202
 
230
- ---
231
-
232
- ## Installation
233
-
234
- > **Prerequisite:** Node.js 20+. Check with `node --version`.
235
-
236
- ### One Command — Auto-detects Your Editor
203
+ Confirm the install is healthy at any time:
237
204
 
238
205
  ```bash
239
- npx -y security-mcp@latest install
240
- ```
241
-
242
- The installer detects Claude Code, Cursor, VS Code, and Windsurf automatically and writes the config to the correct location. Restart your editor when it finishes, then type `/senior-security-engineer`.
243
-
244
- ### Install for a Specific Editor
245
-
246
- ```bash
247
- npx -y security-mcp@latest install --claude-code # ~/.claude/settings.json
248
- npx -y security-mcp@latest install --cursor # ~/.cursor/mcp.json
249
- npx -y security-mcp@latest install --vscode # VS Code user settings.json
250
- npx -y security-mcp@latest install --windsurf # ~/.windsurf/mcp.json
206
+ npx -y security-mcp@latest doctor
251
207
  ```
252
208
 
253
- ### Manual Config (Any MCP-Compatible Editor)
209
+ ### Manual config
254
210
 
255
- Add this to your editor's MCP server config and restart:
211
+ Add the server to your editor's MCP config and restart.
256
212
 
257
- **Claude Code** (`~/.claude/settings.json`) · **Cursor** (`~/.cursor/mcp.json`) · **Windsurf** (`~/.windsurf/mcp.json`):
213
+ Claude Code (`~/.claude/settings.json`), Cursor (`~/.cursor/mcp.json`), Windsurf (`~/.windsurf/mcp.json`):
258
214
 
259
215
  ```json
260
216
  {
@@ -267,7 +223,7 @@ Add this to your editor's MCP server config and restart:
267
223
  }
268
224
  ```
269
225
 
270
- **VS Code / GitHub Copilot** (user `settings.json`):
226
+ VS Code / GitHub Copilot (user `settings.json`):
271
227
 
272
228
  ```json
273
229
  {
@@ -282,118 +238,17 @@ Add this to your editor's MCP server config and restart:
282
238
 
283
239
  ---
284
240
 
285
- ## Verify Your Installation
241
+ ## CI/CD gate
286
242
 
287
- After installing, confirm everything is wired up correctly:
243
+ The gate runs as plain Node.js with no AI session involved, so it belongs in your pipeline as a required check.
288
244
 
289
245
  ```bash
290
- npx -y security-mcp@latest doctor
291
- ```
292
-
293
- This checks your Node.js version, editor config files, and installed skills — and prints `[PASS]` or `[FAIL]` per check with a fix command if anything is missing.
294
-
295
- Example output:
296
-
297
- ```text
298
- [PASS] Node.js 22.x
299
- [PASS] Claude Code config (~/.claude/settings.json)
300
- [PASS] senior-security-engineer skill (~/.claude/skills/senior-security-engineer/SKILL.md)
301
-
302
- All checks passed. Restart your editor, then type /senior-security-engineer.
303
- ```
304
-
305
- ---
306
-
307
- ## How to Run Your First Security Review
308
-
309
- ### Daily Workflow: `/senior-security-engineer`
310
-
311
- **Step 1 - Open your project in your editor.**
312
-
313
- **Step 2 - Invoke the skill:**
314
-
315
- ```text
316
- /senior-security-engineer
317
- ```
318
-
319
- **Step 3 - Choose your scan scope when prompted:**
320
-
321
- - **Recent changes** - scans only files modified since your last commit. Use this on every PR.
322
- - **Full codebase** - scans all source files. Use when onboarding a new project.
323
- - **Specific folders** - you name the folders. Use when you know the blast radius.
324
-
325
- **Step 4 - Watch it work.** The agent will:
326
-
327
- 1. Call `security.start_review` to create a tracked run
328
- 2. Build a scan plan covering all relevant OWASP/NIST/ATT&CK controls
329
- 3. Run 20 security checks in parallel across secrets, dependencies, crypto, auth, injection, cloud config, AI/LLM, mobile, and more
330
- 4. Write fixes directly into your code for every finding it can remediate
331
- 5. Generate a SHA-256 attested report at `.mcp/reports/{runId}.attestation.json`
332
-
333
- **Step 5 - Review the output.** Each finding shows:
334
-
335
- - What the vulnerability is and why it matters
336
- - Which attack it enables (mapped to MITRE ATT&CK and CWE)
337
- - The exact fix that was applied to your code
338
-
339
- **Step 6 - Commit with confidence.** The attestation file is your audit trail.
340
-
341
- ---
342
-
343
- ### Deep Audit: `/ciso-orchestrator`
344
-
345
- Use this before a major release, compliance deadline, or security review.
346
-
347
- **Step 1 - Invoke:**
348
-
349
- ```text
350
- /ciso-orchestrator
246
+ npx -y security-mcp@latest ci:pr-gate
351
247
  ```
352
248
 
353
- **Step 2 - Answer the internet permission prompt.**
354
-
355
- The orchestrator will ask:
356
-
357
- > "I can fetch live CVE data, CISA KEV, and MITRE ATT&CK updates to improve this analysis. Allow internet access for this run? (yes/no)"
358
-
359
- - **Yes** - agents enrich findings with live threat intelligence. More accurate, more current.
360
- - **No** - agents use cached intel. Still comprehensive, no external calls made.
361
-
362
- **Step 3 - Wait for Phase 1 (7 lead agents running in parallel, each commanding their domain-specific sub-agents — 25 sub-agents total across Phase 1).**
363
-
364
- Each agent writes findings to `.mcp/agent-runs/{agentRunId}/`.
365
-
366
- **Step 4 - Wait for Phase 2 (pentest team + compliance synthesizer).**
367
-
368
- The pentest team reads Phase 1's threat model as its attack brief. The compliance agent maps every finding to PCI DSS 4.0, SOC 2, ISO 27001, NIST 800-53, HIPAA, and GDPR controls.
369
-
370
- **Step 5 - Review the merged report.**
371
-
372
- The orchestrator presents:
373
-
374
- ```text
375
- Agents: 9 leads completed (+ sub-agents)
376
- Findings: X CRITICAL / X HIGH / X MEDIUM / X LOW
377
- Remediated inline: X
378
- Open (need your decision): X
379
- SKILL.md coverage: XX% (§1-§24)
380
- Release blocked: yes / no
381
- Attestation: .mcp/reports/{runId}.attestation.json
382
- ```
383
-
384
- **Step 6 - For any open findings**, follow the required actions in the report. The agent will help you implement each fix.
385
-
386
- ---
387
-
388
- ## CI/CD Security Gate
389
-
390
- Block insecure code from merging on every pull request - no Claude session required, pure Node.js execution:
391
-
392
- ```bash
393
- npx -y security-mcp ci:pr-gate
394
- ```
249
+ It exits non-zero on HIGH or CRITICAL findings.
395
250
 
396
- ### Add to GitHub Actions
251
+ ### GitHub Actions
397
252
 
398
253
  Create `.github/workflows/security-gate.yml`:
399
254
 
@@ -402,7 +257,7 @@ name: Security Gate
402
257
 
403
258
  on:
404
259
  pull_request:
405
- branches: [main, master]
260
+ branches: [main]
406
261
 
407
262
  jobs:
408
263
  security-gate:
@@ -410,533 +265,121 @@ jobs:
410
265
  steps:
411
266
  - uses: actions/checkout@v4
412
267
  with:
413
- fetch-depth: 0 # required for git diff to work
268
+ fetch-depth: 0 # required for git diff
414
269
 
415
270
  - uses: actions/setup-node@v4
416
271
  with:
417
272
  node-version: '20'
418
273
 
419
274
  - name: Block insecure code from merging
420
- run: npx -y security-mcp ci:pr-gate
275
+ run: npx -y security-mcp@latest ci:pr-gate
421
276
  env:
422
277
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
423
278
  ```
424
279
 
425
- ### What the CI Gate Checks
426
-
427
- The gate runs **24 check modules in parallel** against your diff:
428
-
429
- | Category | What It Catches |
430
- | --- | --- |
431
- | **Secrets** | Hardcoded API keys, tokens, passwords, private keys (via Gitleaks patterns) |
432
- | **Dependencies** | CRITICAL/HIGH CVEs in npm/pip/go/maven packages; CISA KEV cross-check and EPSS >50% auto-escalation via live threat-intel (24h cached) |
433
- | **Cryptography** | MD5, SHA-1, DES, RC4, ECB mode, `Math.random()` for tokens, short JWT secrets |
434
- | **Authentication** | Missing rate limiting, no account lockout, JWT `alg:none`, weak session config |
435
- | **Injection** | SQL, NoSQL, command injection, path traversal, SSRF, prototype pollution |
436
- | **Web headers** | Missing CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy |
437
- | **IaC** | `0.0.0.0/0` firewall rules, public storage buckets, wildcard IAM permissions |
438
- | **AI/LLM** | `eval()` on model output, unvalidated model responses, prompt injection patterns |
439
- | **Database** | TLS disabled on connections, raw query concatenation, missing connection encryption |
440
- | **Mobile** | `android:debuggable=true`, cleartext traffic, insecure ATS config |
441
- | **GraphQL** | Introspection in production, no depth/complexity limits, batching abuse |
442
- | **Kubernetes** | Privileged containers, missing security context, hostPath mounts |
443
- | **DLP** | PII in logs, stack traces in API responses, sensitive data in error messages |
444
- | **Supply chain** | Missing lockfiles, floating version ranges (`^`, `~`), abandoned packages |
445
- | **SBOM** | Generates CycloneDX SBOM for the scanned surface |
446
- | **Runtime** | HTTP security headers and TLS config on live staging URL (if configured) |
447
- | **AI red-team** | Static + optional dynamic probes against AI endpoints |
448
- | **Exceptions** | Validates any active security exceptions are non-expired and properly approved |
449
- | **Baseline regression** | Detects when previously-satisfied controls go missing (BASELINE_REGRESSION HIGH finding injected on regression) |
450
- | **Deep injection** | 42 patterns — XXE, SSTI (Java/PHP), SpEL/OGNL, prototype pollution, second-order injection, NoSQL/MongoDB/Redis/LDAP/XPath injection, JNDI/Log4Shell, CRLF, WebSocket injection, CSS injection, SSE-CRLF, PDF injection, HTTP response splitting, unsafe YAML, deserialization (pickle/Java), path traversal, log injection, SSRF, command injection, ReDoS, SQL/ORM (Prisma/Sequelize/Knex/TypeORM), and more |
451
- | **Deep auth** | 43 patterns — JWT alg confusion/kid injection/JWKS override, session fixation, OAuth state/redirect_uri/PKCE/client secret, hardcoded JWT secret, rate limit, plaintext compare, SAML signature, cookie flags, token rotation, HS/RS confusion, API key in URL, reset expiry/single-use, admin route without authz, timing oracle, account enumeration, session token in URL, low-entropy token, bcrypt cost factor, and more |
452
- | **Supply chain deep** | 32 patterns — keyloggers, reverse shells, destructive commands, credential exfiltration, env variable theft, malicious postinstall scripts, dynamic require(), base64-obfuscated exec, cryptomining, sensitive file reads, unpinned dependencies, hidden file writes, DNS exfiltration, clipboard monitoring, obfuscated DOM injection, and more |
453
- | **Business logic** | 31 patterns — IDOR without ownership check, mass assignment, race conditions, integer overflow, currency confusion, discount stacking, order fulfillment bypass, webhook replay, tax/shipping tamper, client-side total, referral abuse, email normalization, feature flag bypass, API version bypass, double-spend, free trial abuse, pagination abuse, and more |
454
-
455
- ### Customize the Gate Policy
456
-
457
- Copy the default policy into your project and edit:
458
-
459
- ```bash
460
- mkdir -p .mcp/policies
461
- cp node_modules/security-mcp/defaults/security-policy.json .mcp/policies/security-policy.json
462
- ```
463
-
464
- Or generate one tailored to your stack:
465
-
466
- ```text
467
- Ask your AI: "Run security.generate_policy with surfaces=[web, api, ai] and cloud=aws"
468
- ```
469
-
470
- ### Add Exceptions for Known Accepted Risks
280
+ ### Optional HMAC integrity
471
281
 
472
- Copy and edit the exceptions file:
282
+ To make the policy tamper-evident, add a repository secret named `SECURITY_POLICY_HMAC_KEY` that is at least 32 bytes, then sign and commit:
473
283
 
474
284
  ```bash
475
- mkdir -p .mcp/exceptions
476
- cp node_modules/security-mcp/defaults/security-exceptions.json .mcp/exceptions/security-exceptions.json
285
+ security-mcp sign-policy
477
286
  ```
478
287
 
479
- Format:
480
-
481
- ```json
482
- {
483
- "version": "1.0.0",
484
- "exceptions": [
485
- {
486
- "id": "EX-001",
487
- "finding_ids": ["CRYPTO_WEAK_HASH"],
488
- "justification": "Legacy hash used only for non-security cache keys",
489
- "ticket": "JIRA-1234",
490
- "owner": "alice@example.com",
491
- "approver": "bob@example.com",
492
- "approval_role": "SecurityLead",
493
- "expires_on": "2025-12-31"
494
- }
495
- ]
496
- }
497
- ```
498
-
499
- Expired exceptions automatically become CRITICAL findings that block the gate.
288
+ Commit the policy file together with its generated `.hmac` sidecar. Once a key is set, the gate requires a valid signature on the policy, and a missing sidecar is rejected by design, so the key and the signature must land in the same change.
500
289
 
501
290
  ---
502
291
 
503
- ## What Gets Fixed Automatically
504
-
505
- When your AI has security-mcp active, it **writes the production-ready fix** - not a suggestion, not a warning comment:
506
-
507
- ### Secrets and Credentials
508
-
509
- | Insecure | Fixed to |
510
- | --- | --- |
511
- | `const KEY = "sk-abc123"` | `const KEY = process.env["API_KEY"]` + vault reference |
512
- | `password: "hardcoded"` in config | Environment variable + secret manager setup |
513
- | JWT signed with `"secret"` | RS256 with generated key pair, proper validation |
514
- | Bcrypt with cost factor 4 | Argon2id with `memory: 65536, iterations: 3, parallelism: 4` |
515
-
516
- ### Authentication and Authorization
517
-
518
- - Rate limiting middleware added to all auth endpoints (configurable thresholds)
519
- - Account lockout after N failed attempts with progressive delays
520
- - Session absolute timeout (8h) and idle timeout (30 min)
521
- - FIDO2/WebAuthn requirement flagged for admin interfaces
522
- - IDOR protection: tenant/user IDs read from JWT claims, never from request params
523
-
524
- ### Injection and Input Validation
525
-
526
- - Zod/Yup schema validation added to every API route handler
527
- - SQL: string concatenation -> parameterized queries or tagged template literals
528
- - Command execution: `exec(userInput)` -> `spawnSync` with arg array, no shell
529
- - Path traversal: user-controlled paths validated against project boundary
530
- - SSRF: server-side HTTP clients get RFC-1918 CIDR block lists + DNS validation
531
-
532
- ### Web Security Headers
533
-
534
- Before:
535
-
536
- ```javascript
537
- app.get("/", (req, res) => res.send(html));
538
- ```
539
-
540
- After:
541
-
542
- ```javascript
543
- app.use(helmet({
544
- contentSecurityPolicy: {
545
- directives: {
546
- defaultSrc: ["'self'"],
547
- scriptSrc: ["'self'", (req, res) => `'nonce-${res.locals.nonce}'`],
548
- }
549
- },
550
- hsts: { maxAge: 63072000, includeSubDomains: true, preload: true },
551
- frameguard: { action: "deny" },
552
- noSniff: true,
553
- referrerPolicy: { policy: "strict-origin-when-cross-origin" }
554
- }));
555
- ```
556
-
557
- ### Cloud Infrastructure
292
+ ## Built for teams
558
293
 
559
- - `cidr_blocks = ["0.0.0.0/0"]` -> source-restricted CIDR with comment explaining rationale
560
- - `acl = "public-read"` S3 -> Block Public Access enabled at bucket and account level
561
- - Wildcard IAM `"Action": "*"` -> least-privilege policy with specific actions
562
- - Long-lived static credentials -> IAM roles / Workload Identity / OIDC federation
294
+ Four platform subsystems let a security team operate security-mcp at scale, not just run it ad hoc.
563
295
 
564
- ### Cryptography
296
+ **Multi-provider model router.** Cost-aware routing across model providers, with circuit breakers and a spend budget so a single provider outage or a runaway run cannot stall or overspend the program.
565
297
 
566
- - `crypto.createHash('md5')` -> `crypto.createHash('sha256')`
567
- - `Math.random()` for tokens -> `crypto.randomBytes(32).toString('hex')`
568
- - AES-CBC -> AES-256-GCM with per-message nonce
569
- - RSA PKCS#1 v1.5 -> RSA-OAEP or ECDH P-256
298
+ **Learning engine.** Remembers confirmed patterns and false positives per project, with rate-limited false-positive suppression so noise drops over time. Routing decisions are written to an ISO 42001 audit log.
570
299
 
571
- ### AI / LLM Security
300
+ **Tamper-evident attestation hash chain.** Each agent attestation is chained (`init_chain`, `attest_agent`, `verify_chain`, `get_chain`), so the audit trail cannot be silently rewritten after the fact.
572
301
 
573
- - String-concatenated system prompts -> structured `messages` array with role separation
574
- - `eval(modelOutput)` -> `JSON.parse()` + Zod schema validation
575
- - RAG retrieval without auth check -> authorization check before and after retrieval
576
- - Unvalidated tool calls -> allowlist router that blocks unlisted tool names
302
+ **MCP caller authentication.** An optional shared-secret gate on the MCP channel uses constant-time HMAC comparison, a 3-strike lockout, and a session TTL (8 hours by default, capped at 24). When unset, the channel stays open for frictionless local use.
577
303
 
578
304
  ---
579
305
 
580
- ## Architecture
581
-
582
- ### System Overview
583
-
584
- ```text
585
- ┌───────────────────────────────────────────────────────────────┐
586
- │ Your Editor (Claude Code) │
587
- │ │
588
- │ /senior-security-engineer /ciso-orchestrator │
589
- │ (single expert agent) (39-agent security program) │
590
- │ │ │ │
591
- └──────────┼────────────────────────────────┼───────────────────┘
592
- │ │
593
- └──────────────┬─────────────────┘
594
- │ MCP protocol (stdio)
595
-
596
- ┌──────────────────────────────────────────────────────────────┐
597
- │ MCP Server (src/mcp/server.ts) │
598
- │ │
599
- │ security.* tools orchestration.* tools │
600
- │ ───────────────── ────────────────────── │
601
- │ start_review create_agent_run │
602
- │ run_pr_gate update_agent_status │
603
- │ threat_model merge_agent_findings │
604
- │ checklist ensure_skill │
605
- │ attest_review read/write_agent_memory │
606
- │ get_system_prompt check_updates / apply_updates │
607
- │ scan_strategy verify_skill_coverage │
608
- │ generate_policy │
609
- │ terraform_blueprint repo.* tools │
610
- │ generate_opa_rego ───────────── │
611
- │ generate_compliance_report read_file / search │
612
- │ notify_webhooks │
613
- │ generate_remediations │
614
- └──────────────────────────────────────────────────────────────┘
615
-
616
-
617
- ┌──────────────────────────────────────────────────────────────┐
618
- │ Policy Gate Engine (src/gate/policy.ts) │
619
- │ │
620
- │ 28 checks run in parallel: │
621
- │ checkSecrets checkDependencies checkApi checkInfra │
622
- │ checkCrypto checkMobileIos checkMobileAndroid │
623
- │ checkAi checkGraphQL checkKubernetes │
624
- │ checkDatabase checkDlp checkWebNextjs │
625
- │ runSbomChecks runAiRedteamChecks runRuntimeChecks │
626
- │ runCiPipelineChecks runDockerChecks runScanners │
627
- │ checkInjectionDeep (42 patterns) checkAuthDeep (43 patterns)│
628
- │ checkSupplyChainDeep (32) checkBusinessLogic (31) │
629
- │ │
630
- │ Surface detection -> Control catalog -> Exception handling -> │
631
- │ Coverage manifest -> Taint map -> Confidence scoring -> PASS / FAIL │
632
- └──────────────────────────────────────────────────────────────┘
633
- ```
634
-
635
- ### `/senior-security-engineer` Flow
636
-
637
- ```text
638
- User: /senior-security-engineer
639
-
640
-
641
- Claude reads SKILL.md + asks scope choice:
642
- A) Recent changes (git diff)
643
- B) Full codebase
644
- C) Specific files/folders
645
-
646
- ▼ user picks scope
647
- security.start_review(mode)
648
- └── creates .mcp/reviews/{runId}.json
649
-
650
-
651
- security.threat_model(runId, feature)
652
- └── STRIDE + PASTA + ATT&CK template for changed surface
653
-
654
-
655
- §0 Coverage Completeness Protocol (runs first)
656
- ├── enumerate ALL source files → coverage-manifest.json
657
- ├── taint-trace every user-controlled input → taint-map.json
658
- ├── negative assertion per attack class: "FILES: N/N | RESULT: CLEAN"
659
- └── fix verification loop: re-run check after every fix, confirm CLEAN
660
-
661
-
662
- security.run_pr_gate(runId, mode, targets)
663
- ├── git diff / glob targets -> changed files list
664
- ├── detectSurfaces() -> web? api? infra? mobile? ai?
665
- ├── 28 checks in parallel (incl. deep injection + deep auth)
666
- ├── apply exceptions from .mcp/exceptions/
667
- ├── compute confidence score
668
- └── returns PASS/FAIL + findings[]
669
-
670
-
671
- Claude writes inline fixes for every finding
672
- (production-ready secure code, not suggestions)
673
- Every HIGH/CRITICAL: FIXED with verified-clean re-run,
674
- OR formally blocked with risk-acceptance record
675
-
676
-
677
- security.attest_review(runId)
678
- └── .mcp/reports/{runId}.attestation.json
679
- └── SHA-256 integrity hash
680
- ```
681
-
682
- ### `/ciso-orchestrator` Flow (39 Agents)
683
-
684
- ```text
685
- User: /ciso-orchestrator
686
-
687
-
688
- CISO Orchestrator
689
- ├── orchestration.check_updates() -> prompt if new version available
690
- ├── ask internet permission -> stored for all child agents
691
- ├── scan project for stack context
692
- │ (package.json, go.mod, terraform/, .github/workflows/, Dockerfile)
693
- │ -> stackContext: { languages, frameworks, cloudProvider, hasAI, hasMobile, ... }
694
- ├── security.start_review() -> runId
695
- ├── orchestration.create_agent_run() -> agentRunId + manifest.json
696
- └── orchestration.ensure_skill(×N) -> download stack-relevant skills from 86-skill registry
697
-
698
-
699
- ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
700
- PHASE 1 - 7 leads + sub-agents (all parallel)
701
- ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
702
-
703
- Agent 1: threat-modeler
704
- ├── stride-pasta-analyst -> STRIDE matrix, PASTA 7 stages, LINDDUN, DREAD
705
- ├── attack-navigator -> ATT&CK Navigator layer + D3FEND countermeasures
706
- ├── business-logic-attacker -> attack trees per route/flow found in codebase
707
- └── privacy-flow-analyst -> GDPR/HIPAA data flows, DPIA trigger check
708
- Output: .mcp/agent-runs/{id}/threat-model.json
709
-
710
- Agent 2: appsec-code-auditor
711
- ├── injection-specialist -> SQL/NoSQL/SSTI/OS cmd/CRLF/log injection
712
- ├── auth-session-hacker -> JWT algo confusion, SAML wrap, OAuth confusion
713
- ├── logic-race-fuzzer -> race conditions, integer overflow, mass assignment
714
- └── serialization-memory-attacker -> prototype pollution, ReDoS, zip slip, sandbox escape
715
- Output: .mcp/agent-runs/{id}/appsec-findings.json
716
-
717
- Agent 3: cloud-infra-specialist
718
- ├── aws-penetration-tester -> IAM escalation, S3, Lambda, EKS (if AWS)
719
- ├── gcp-penetration-tester -> SA abuse, GCS, Cloud Run, GKE (if GCP)
720
- ├── azure-penetration-tester -> Managed Identity, AKS, Key Vault (if Azure)
721
- └── k8s-container-escaper -> privileged pods, RBAC escape, hostPath (if K8s)
722
- Output: .mcp/agent-runs/{id}/infra-findings.json
723
-
724
- Agent 4: supply-chain-devsecops
725
- ├── dependency-confusion-attacker -> CVEs, CISA KEV, typosquatting, SBOM
726
- ├── cicd-pipeline-hijacker -> pull_request_target, mutable Actions, injection
727
- └── artifact-integrity-analyst -> SLSA L3, Cosign signatures, provenance
728
- Output: .mcp/agent-runs/{id}/supply-chain-findings.json
729
-
730
- Agent 5: ai-llm-redteam (skipped if no AI stack detected)
731
- ├── prompt-injection-specialist -> direct + indirect injection, PoC payloads
732
- ├── model-extraction-attacker -> API abuse, cost amplification, rate limiting
733
- ├── rag-poisoning-specialist -> vector store isolation, metadata filter injection
734
- └── agentic-loop-exploiter -> tool blast radius, loop hijacking, allowlist gaps
735
- Output: .mcp/agent-runs/{id}/ai-findings.json
736
-
737
- Agent 6: mobile-security-specialist (skipped if no mobile detected)
738
- ├── ios-security-auditor -> Keychain, ATS, Secure Enclave, Universal Links
739
- ├── android-penetration-tester -> manifest hardening, NSC, exported components
740
- └── mobile-api-network-attacker -> cert pinning, API key extraction, token storage
741
- Output: .mcp/agent-runs/{id}/mobile-findings.json
742
-
743
- Agent 7: crypto-pki-specialist
744
- ├── tls-certificate-auditor -> TLS 1.3, AEAD ciphers, HSTS preload, OCSP, mTLS
745
- ├── algorithm-implementation-reviewer -> banned algos, Argon2id params, nonce reuse
746
- └── key-management-lifecycle-analyst -> hardcoded keys, rotation, CMEK, post-quantum
747
- Output: .mcp/agent-runs/{id}/crypto-findings.json
748
-
749
- ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
750
- Wait for all Phase 1 agents to complete
751
- ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
752
-
753
- PHASE 2 - adversarial + compliance (both parallel)
754
- ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
755
-
756
- Agent 8: pentest-team (reads threat-model.json as attack brief)
757
- ├── pentest-web-api -> OWASP Testing Guide on every route found in codebase
758
- ├── pentest-infra -> privilege escalation graph, Terraform state, cloud posture
759
- └── pentest-social -> OSINT on org, spear-phishing scenarios, insider threat model
760
- Output: .mcp/agent-runs/{id}/pentest-report.json
761
-
762
- Agent 9: compliance-grc (reads all Phase 1 findings)
763
- ├── evidence-collector -> logging schema verification, SIEM rules, audit trail
764
- └── compliance-gap-analyst -> PCI DSS 4.0, SOC 2, ISO 27001, NIST 800-53, HIPAA, GDPR
765
- Output: .mcp/agent-runs/{id}/compliance-report.json
766
-
767
- ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
768
- Wait for Phase 2 agents to complete
769
- ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
770
-
771
- PHASE 3 - synthesis (sequential)
772
- ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
773
-
774
- orchestration.merge_agent_findings() -> deduplicate + sort CRITICAL->LOW
775
- orchestration.verify_skill_coverage() -> check §1-§24 SKILL.md section coverage
776
- security.attest_review() -> SHA-256 attestation written
777
-
778
- Final report:
779
- ├── X CRITICAL / X HIGH / X MEDIUM / X LOW
780
- ├── Remediated inline: X Open: X
781
- ├── SKILL.md section coverage: XX%
782
- ├── Release blocked: yes / no
783
- └── .mcp/reports/{runId}.attestation.json
784
- ```
785
-
786
- ### Agent Memory System
787
-
788
- Every agent persists what it learns so each subsequent run is smarter:
306
+ ## Self-protection and supply-chain posture
789
307
 
790
- ```text
791
- ~/.security-mcp/agent-memory/{agentName}/
792
- ├── patterns.json ← confirmed attack patterns for this tech stack
793
- ├── false-positives.json ← findings to deprioritize on next run
794
- ├── remediations.json ← what fixes worked for this project
795
- ├── intel.json ← cached threat intel (refreshed every 24h)
796
- └── errors.json ← tool failure log (used for self-healing)
797
- ```
308
+ A security tool is part of your supply chain, so security-mcp is built to resist the same attacks it looks for. This matters most when the threat is a malicious repository or a compromised dependency trying to neutralize the gate.
798
309
 
799
- ### Data Written to Your Project
800
-
801
- ```text
802
- .mcp/
803
- ├── reviews/{runId}.json ← review run state + step tracking
804
- ├── reports/{runId}.attestation.json ← SHA-256 auditable attestation
805
- ├── agent-runs/{agentRunId}/
806
- │ ├── manifest.json ← all agent statuses + current phase
807
- │ ├── threat-model.json
808
- │ ├── appsec-findings.json
809
- │ ├── infra-findings.json
810
- │ ├── supply-chain-findings.json
811
- │ ├── ai-findings.json
812
- │ ├── mobile-findings.json
813
- │ ├── crypto-findings.json
814
- │ ├── pentest-report.json
815
- │ ├── compliance-report.json
816
- │ ├── sbom.cyclonedx.json
817
- │ └── merged-findings.json ← Phase 3 deduplicated, sorted output
818
- ├── policies/security-policy.json
819
- └── exceptions/security-exceptions.json
820
- ```
310
+ - **Signed policy, exceptions, and baseline.** These files are HMAC-signed. When the policy is not signed, the gate floors `severity_block` to HIGH/CRITICAL, so an unsigned edit cannot relax the gate to PASS.
311
+ - **Exceptions cannot quietly suppress.** By default an unsigned exceptions file may not suppress HIGH/CRITICAL findings. A break-glass env var exists for scanning intentionally-vulnerable fixtures.
312
+ - **Honest attestation.** Attestation refuses to sign unless the latest gate result is PASS with all required steps complete. There are no forged green attestations.
313
+ - **Verified inter-agent payloads.** The merge step that aggregates every agent's findings is the trust sink for a whole run, so it schema-validates each agent's findings file and checks its hash against that agent's signed attestation before trusting it. Findings dedupe keeps the highest severity per id, so a same-id low-severity entry cannot shadow a real CRITICAL. A tampered chain or a findings-hash mismatch forces FAIL. Set `SECURITY_REQUIRE_AGENT_ATTESTATION=1` to fail closed unless the run is HMAC-signed, fully attested, and clean — note that an *unsigned* attestation chain is only tamper-evident, not tamper-proof, against an attacker who can write the run directory, so the HMAC key is the real boundary.
314
+ - **Per-tool-call audit trail.** Every MCP tool call is logged as one structured JSONL record (timestamp, agent id, tool, inputs, output summary, session credential, outcome) to `.mcp/audit/tool-calls.jsonl`. Secret-bearing keys and secret-shaped values (in inputs and in the output preview) are scrubbed; failed auth attempts are recorded as such, not as successes; the log rotates at 50 MB and writing never interrupts a tool call. Set `SECURITY_TOOL_AUDIT_LOG` to forward to an append-only sink.
315
+ - **Locked-down data at rest.** Findings, agent memory, and signatures are written with `0o600` file permissions.
316
+ - **Prompt-injection defense.** Tool outputs that originate from the repo are sanitized before they reach an LLM.
317
+ - **Verified installer.** Downloaded scanner binaries are verified by SHA-256, unchecksummed binaries are refused, and there is no `curl | sh` install path.
318
+ - **Air-gap mode.** `SECURITY_OFFLINE=1` produces a fully offline run with no third-party egress.
821
319
 
822
320
  ---
823
321
 
824
- ## MCP Tools Reference
322
+ ## MCP tools
825
323
 
826
- Your AI uses these automatically. You don't call them directly, but understanding what they do helps you know what's happening during a review.
324
+ Your AI calls these automatically; you rarely invoke them by hand. There are around 40, grouped into three namespaces plus two MCP prompts.
827
325
 
828
- ### Core Security Tools
326
+ ### Most useful tools
829
327
 
830
- | Tool | What It Does |
831
- | --- | --- |
832
- | `security.start_review` | Starts a stateful review run; returns `runId` used to track all subsequent steps and produce the final attestation |
833
- | `security.run_pr_gate` | Runs 20 security checks in parallel; returns PASS/FAIL, findings with severity, and required actions |
834
- | `security.threat_model` | Generates a STRIDE + PASTA + ATT&CK threat model template for a specific feature or surface |
835
- | `security.checklist` | Returns the pre-release security checklist, optionally filtered by surface (web / api / mobile / ai / infra / payments) |
836
- | `security.scan_strategy` | Builds an exhaustive scan plan mapping every check to OWASP, NIST, ATT&CK, and compliance controls |
837
- | `security.get_system_prompt` | Returns the full security engineering directive, optionally scoped to your stack and cloud provider |
838
- | `security.generate_policy` | Generates a `security-policy.json` tailored to your active surfaces and cloud provider |
839
- | `security.terraform_hardening_blueprint` | Terraform hardening baseline with module layout, guardrails, and control mappings |
840
- | `security.generate_opa_rego` | OPA/Rego policy code for Terraform plans, CI pipelines, and Kubernetes admission |
841
- | `security.generate_compliance_report` | Maps gate findings to SOC 2, PCI-DSS, ISO 27001, NIST 800-53, HIPAA, or GDPR controls |
842
- | `security.generate_remediations` | Maps each finding ID to a concrete code-level fix template |
843
- | `security.notify_webhooks` | Sends findings to Slack, Jira, PagerDuty, or any webhook URL |
844
- | `security.self_heal_loop` | Proposes adaptive policy improvements based on recurring findings (requires explicit human approval) |
845
- | `security.attest_review` | Writes a SHA-256 integrity-hashed attestation file at `.mcp/reports/{runId}.attestation.json` |
846
- | `repo.read_file` | Reads a project file for analysis (path-traversal guarded) |
847
- | `repo.search` | Searches the codebase for patterns or regex (ReDoS guarded, max 500 matches) |
848
-
849
- ### Orchestration Tools (`/ciso-orchestrator` only)
850
-
851
- | Tool | What It Does |
328
+ | Tool | Purpose |
852
329
  | --- | --- |
853
- | `orchestration.create_agent_run` | Initialises the 39-agent manifest and `.mcp/agent-runs/{id}/` directory |
854
- | `orchestration.update_agent_status` | Agents report start/completion; automatically advances phase when all phase agents finish |
855
- | `orchestration.merge_agent_findings` | Deduplicates findings from all agents, sorts by severity, writes `merged-findings.json` |
856
- | `orchestration.ensure_skill` | Downloads a skill from the GitHub registry if not cached locally (`~/.claude/skills/`) |
857
- | `orchestration.read_agent_memory` | Loads an agent's prior patterns, false-positives, remediations, and cached intel |
858
- | `orchestration.write_agent_memory` | Persists newly learned patterns and remediations after a run |
859
- | `orchestration.check_updates` | Checks npm and the skills manifest for newer versions of security-mcp or installed skills |
860
- | `orchestration.apply_updates` | Returns update commands (manual) or instructions for the agent to run them (auto) |
861
- | `orchestration.verify_skill_coverage` | Reports which SKILL.md sections §1-§24 had zero coverage findings in this run |
330
+ | `security.start_review` | Open a stateful review run and get a `runId` |
331
+ | `security.run_pr_gate` | Run the gate, return PASS/FAIL with findings |
332
+ | `security.attest_review` | Write a SHA-256 attestation (PASS-gated) |
333
+ | `security.threat_model` | STRIDE + PASTA + ATT&CK model for a surface |
334
+ | `security.scan_strategy` | Map every check to OWASP/NIST/ATT&CK controls |
335
+ | `security.generate_policy` | Generate a policy tailored to your stack |
336
+ | `security.terraform_hardening_blueprint` | Terraform hardening baseline + mappings |
337
+ | `security.generate_opa_rego` | OPA/Rego for plans, pipelines, admission |
338
+ | `security.generate_compliance_report` | Map findings to SOC 2, PCI, ISO, NIST, HIPAA, GDPR |
339
+ | `security.generate_remediations` | Concrete fix template per finding |
340
+ | `repo.read_file` / `repo.search` | Read or search the codebase (guarded) |
341
+ | `orchestration.create_agent_run` | Stand up the multi-agent run + manifest |
342
+ | `orchestration.merge_agent_findings` | Dedupe and sort findings across agents |
343
+ | `orchestration.verify_skill_coverage` | Check §0-§24 SKILL.md coverage |
344
+
345
+ ### Operational families
346
+
347
+ Beyond the tools above, the rest of the surface clusters into four families:
348
+
349
+ - **Model routing and budget.** `get_routing`, `get_model_for_task`, `track_usage`, `model_budget_status`, `get_provider_health`, `record_provider_failure`, `reset_provider_circuit`.
350
+ - **Learning and pattern memory.** `record_outcome`, `pattern_report`, `self_heal_loop`, plus `orchestration.read_agent_memory` / `write_agent_memory`.
351
+ - **Attestation hash chain.** `init_chain`, `attest_agent`, `verify_chain`, `get_chain`.
352
+ - **Caller auth and lifecycle.** `authenticate`, `logout`, plus update tools `orchestration.check_updates` / `apply_updates` and skill loading `orchestration.ensure_skill`.
353
+
354
+ Namespace counts: `security.*` (29 tools), `repo.*` (2), `orchestration.*` (9), and 2 MCP prompts.
862
355
 
863
356
  ---
864
357
 
865
- ## Security Frameworks Applied
358
+ ## Frameworks
866
359
 
867
- All of the following frameworks are applied automatically. You don't need to know them - they're the standards used by the world's top security teams, and security-mcp maps every finding and fix to them:
360
+ Every finding and fix maps to recognized standards. You do not need to know them to benefit; they are there so your evidence stands up to an auditor.
868
361
 
869
- | Framework | What It Covers |
362
+ | Domain | Standards |
870
363
  | --- | --- |
871
- | **OWASP Top 10** (Web + API) | The 10 most critical web and API vulnerability classes |
872
- | **OWASP ASVS Level 2/3** | Application security verification standard - L3 for auth, payments, PII |
873
- | **OWASP MASVS** | Mobile application security verification standard |
874
- | **OWASP Top 10 for LLMs** | AI-specific vulnerabilities: prompt injection, training data poisoning, etc. |
875
- | **OWASP Testing Guide** | Methodology used by pentest sub-agents for endpoint-level testing |
876
- | **MITRE ATT&CK Enterprise + Cloud + Mobile** | Real attacker playbooks - every finding maps to a technique ID |
877
- | **MITRE D3FEND** | Defensive countermeasure mapped to every ATT&CK technique in scope |
878
- | **MITRE ATLAS** | Adversarial ML/AI attack techniques |
879
- | **MITRE CAPEC** | Attack patterns used at design-time threat modeling |
880
- | **NIST 800-53 Rev 5** | Full US government security control catalog |
881
- | **NIST CSF 2.0** | Govern / Identify / Protect / Detect / Respond / Recover |
882
- | **NIST 800-207** | Zero Trust Architecture - every request authenticated and authorized |
883
- | **NIST 800-218 (SSDF)** | Secure Software Development Framework |
884
- | **NIST AI RMF** | AI risk management: Map, Measure, Manage, Govern |
885
- | **PCI DSS 4.0** | Payment card industry data security standard |
886
- | **SOC 2 Type II** | Trust Services Criteria (Security, Availability, Confidentiality, PI) |
887
- | **ISO 27001:2022 + 27002** | International information security management system |
888
- | **ISO 42001:2023** | AI management system - applied to all LLM/AI components |
889
- | **GDPR / CCPA / HIPAA** | Data privacy: consent, retention, breach notification, minimum necessary |
890
- | **SLSA Level 3** | Software supply chain security - hermetic builds, signed provenance |
891
- | **CIS Benchmarks Level 2** | Hardened cloud, OS, and container configurations |
892
- | **CVSS v4.0 + EPSS** | Vulnerability scoring and exploit probability - EPSS > 0.5 fixed within 48h |
364
+ | OWASP | Top 10 (Web + API), ASVS L2/L3, MASVS, Top 10 for LLMs, Testing Guide |
365
+ | MITRE | ATT&CK (Enterprise + Cloud + Mobile), D3FEND, ATLAS, CAPEC |
366
+ | NIST | 800-53 Rev 5, CSF 2.0, 800-207 Zero Trust, 800-218 SSDF, AI RMF, 800-131A |
367
+ | Compliance | PCI DSS 4.0, SOC 2 Type II, ISO 27001:2022 + 27002, ISO 42001:2023, GDPR / CCPA / HIPAA |
368
+ | Supply chain and cloud | SLSA Level 3, CIS Benchmarks L2, AWS FSBP, Microsoft Cloud Security Benchmark |
369
+ | Scoring | CVSS v4.0 + EPSS |
893
370
 
894
371
  ---
895
372
 
896
- ## Configuration
373
+ ## Policy and exceptions
897
374
 
898
- ### Customize the Security Policy
899
-
900
- The policy file controls what the gate blocks, what evidence it requires, and how exceptions are handled. Copy the default and edit:
375
+ The policy lives at `.mcp/policies/security-policy.json`. Copy the default to start:
901
376
 
902
377
  ```bash
903
378
  mkdir -p .mcp/policies
904
379
  cp node_modules/security-mcp/defaults/security-policy.json .mcp/policies/security-policy.json
905
380
  ```
906
381
 
907
- Key sections:
908
-
909
- ```json
910
- {
911
- "required_checks": {
912
- "secrets_scan": { "severity_block": ["HIGH", "CRITICAL"] },
913
- "dependency_scan": { "severity_block": ["CRITICAL"] },
914
- "sast": { "severity_block": ["CRITICAL"] },
915
- "iac_scan": { "severity_block": ["HIGH", "CRITICAL"] }
916
- },
917
- "vulnerability_slas": {
918
- "CRITICAL": "24h",
919
- "HIGH": "7d",
920
- "MEDIUM": "30d",
921
- "CISA_KEV": "24h"
922
- },
923
- "exceptions": {
924
- "require_ticket": true,
925
- "approval_roles": ["SecurityLead", "GRC", "CTO"]
926
- }
927
- }
928
- ```
929
-
930
- ### Add a Security Exception
931
-
932
- When you have a finding you've consciously accepted (e.g., a CVE in a library you're actively replacing):
933
-
934
- ```bash
935
- mkdir -p .mcp/exceptions
936
- cp node_modules/security-mcp/defaults/security-exceptions.json .mcp/exceptions/security-exceptions.json
937
- ```
938
-
939
- Edit `.mcp/exceptions/security-exceptions.json`:
382
+ Exceptions live at `.mcp/exceptions/security-exceptions.json`. Each entry needs `id`, `finding_ids`, `justification`, `ticket`, `owner`, `approver` (the owner cannot be the approver), `approval_role`, and `expires_on` (within 365 days):
940
383
 
941
384
  ```json
942
385
  {
@@ -945,181 +388,137 @@ Edit `.mcp/exceptions/security-exceptions.json`:
945
388
  {
946
389
  "id": "EX-001",
947
390
  "finding_ids": ["DEP_CVE_CVE-2024-12345"],
948
- "justification": "Library being replaced in sprint 42; no public exploit yet",
391
+ "justification": "Library being replaced next sprint; no public exploit",
949
392
  "ticket": "JIRA-9999",
950
- "owner": "your-email@company.com",
951
- "approver": "security-lead@company.com",
393
+ "owner": "alice@example.com",
394
+ "approver": "bob@example.com",
952
395
  "approval_role": "SecurityLead",
953
- "expires_on": "2025-06-30"
396
+ "expires_on": "2026-12-31"
954
397
  }
955
398
  ]
956
399
  }
957
400
  ```
958
401
 
959
- **Expired exceptions automatically become `SECURITY_EXCEPTION_EXPIRED` CRITICAL findings** that block the gate until renewed or resolved.
402
+ Expired exceptions automatically become blocking findings until they are renewed or resolved.
960
403
 
961
404
  ---
962
405
 
963
- ## Environment Variables
406
+ ## Environment variables
964
407
 
965
- ### CI / Gate
408
+ ### Gate and scope
966
409
 
967
410
  | Variable | Default | Purpose |
968
411
  | --- | --- | --- |
969
- | `GITHUB_TOKEN` | set by Actions | Authenticates git operations in CI |
412
+ | `SECURITY_GATE_POLICY` | `.mcp/policies/security-policy.json` | Policy file path |
413
+ | `SECURITY_GATE_MODE` | `recent_changes` | Scan mode |
414
+ | `SECURITY_GATE_TARGETS` | (changed files) | Comma-separated paths to restrict the scan |
970
415
  | `SECURITY_GATE_BASE_REF` | `origin/main` | Branch to diff against |
971
416
  | `SECURITY_GATE_HEAD_REF` | `HEAD` | Branch being scanned |
972
- | `SECURITY_GATE_POLICY` | `.mcp/policies/security-policy.json` | Path to policy file |
973
- | `SECURITY_GATE_SCANNERS` | built-in | Path to custom scanner config (must be within project directory) |
974
- | `SECURITY_GATE_EXCEPTIONS` | `.mcp/exceptions/security-exceptions.json` | Path to exceptions file (must be within project directory) |
975
- | `SECURITY_GATE_MODE` | `full` | Set to `file_by_file` for scoped per-file scanning |
976
- | `SECURITY_GATE_TARGETS` | (all changed files) | Comma-separated file paths to restrict the scan surface |
977
- | `SECURITY_MCP_SHARED_SECRET` | (none) | Authenticates MCP tool callers via constant-time HMAC; enables 3-strike lockout. Generate with `openssl rand -hex 32` |
978
- | `SECURITY_POLICY_HMAC_KEY` | (none) | Signs the policy file so any tampering is detected at gate startup. Generate with `openssl rand -hex 32` |
417
+ | `SECURITY_GATE_EXCEPTIONS` | (default path) | Exceptions file path |
418
+ | `SECURITY_GATE_SCANNERS` | built-in | Custom scanner config path |
419
+ | `SECURITY_GATE_EVIDENCE_MAP` | (none) | Evidence-coverage map path |
420
+ | `SECURITY_GATE_CONTROL_CATALOG` | (none) | Control-catalog path |
979
421
 
980
- ### Integrations (all optional)
422
+ ### Integrity and signing
981
423
 
982
424
  | Variable | Purpose |
983
425
  | --- | --- |
984
- | `SECURITY_SLACK_WEBHOOK` | Sends gate results to a Slack channel |
985
- | `SECURITY_JIRA_URL` | Creates Jira tickets for gate failures |
986
- | `SECURITY_JIRA_TOKEN` | Jira API token (never logged) |
987
- | `SECURITY_JIRA_PROJECT` | Jira project key (default: `SECURITY`) |
988
- | `SECURITY_PAGERDUTY_KEY` | Pages on-call when CRITICAL findings are found |
989
- | `SECURITY_WEBHOOK_URL` | POST gate results as JSON to any URL |
426
+ | `SECURITY_POLICY_HMAC_KEY` | Signs policy / exceptions / baseline (>=32 bytes) |
427
+ | `SECURITY_REQUIRE_SIGNED_EXCEPTIONS` | Fail closed on any unsigned exceptions file |
428
+ | `SECURITY_REQUIRE_AGENT_ATTESTATION` | Fail closed unless the agent run is signed + enforced + clean (see below) |
429
+ | `SECURITY_ALLOW_UNSIGNED_HIGH_SUPPRESSION` | Break-glass: allow unsigned HIGH/CRITICAL suppression |
430
+ | `SECURITY_ATTEST_ALLOW_INCOMPLETE` | Break-glass: attest without a complete PASS |
431
+ | `SECURITY_ATTEST_KEY` | Signs attestation files |
432
+ | `SECURITY_AUDIT_HMAC_KEY` | Signs the routing audit log and the per-agent attestation chain |
990
433
 
991
- ### Live Scanning (optional)
992
-
993
- | Variable | Purpose |
994
- | --- | --- |
995
- | `SECURITY_STAGING_URL` | Enables live HTTP header and TLS checks against your staging environment |
996
- | `SECURITY_AI_ENDPOINT` | Enables live jailbreak, injection, PII, and rate-limit probes against your AI endpoint |
997
- | `SECURITY_AUTO_SBOM` | Set `true` to auto-generate a CycloneDX SBOM on each gate run |
434
+ ### Observability
998
435
 
999
- ---
1000
-
1001
- ## The 10 Rules That Are Never Broken
1002
-
1003
- No matter what your AI is asked to build, these are enforced without exception:
1004
-
1005
- 1. **No `0.0.0.0/0` firewall rules** - ingress and egress must be source-restricted
1006
- 2. **All internal services over private VPC only** - no public IPs for databases, queues, or internal APIs
1007
- 3. **Secrets in a secret manager only** - never in code, `.env` files, CI logs, or container images
1008
- 4. **TLS 1.3 for everything in transit** - TLS 1.0 and 1.1 are explicitly blocked
1009
- 5. **Passwords hashed with Argon2id or bcrypt (cost ≥ 14)** - MD5 and SHA-1 are forbidden
1010
- 6. **Every API input validated server-side with a schema** - no passing raw request data to business logic
1011
- 7. **No inline JavaScript** - Content Security Policy is nonce-based only; no `unsafe-inline` or `unsafe-eval`
1012
- 8. **Admin interfaces require FIDO2/WebAuthn passkey** - TOTP is not acceptable for admin access
1013
- 9. **Threat model before any auth, payment, or AI feature** - no design-free implementation
1014
- 10. **Zero Trust: every request authenticated and authorized regardless of origin** - no implicit network trust
1015
-
1016
- ---
1017
-
1018
- ## Troubleshooting
1019
-
1020
- ### The `/senior-security-engineer` command isn't available in my editor
1021
-
1022
- **Cause:** The skill was not installed to `~/.claude/skills/`.
1023
-
1024
- **Fix:** Re-run the installer:
1025
-
1026
- ```bash
1027
- npx -y security-mcp@latest install
1028
- ```
1029
-
1030
- Then verify the skill exists:
1031
-
1032
- ```bash
1033
- ls ~/.claude/skills/senior-security-engineer/SKILL.md
1034
- ```
1035
-
1036
- ### The MCP server doesn't appear as connected
1037
-
1038
- **Cause:** Config file was not written, or the editor wasn't restarted after config was written.
1039
-
1040
- **Fix:**
1041
-
1042
- 1. Check the config file was written (see editor-specific paths in [Installation](#installation))
1043
- 2. Fully restart the editor (quit and reopen, not just reload window)
1044
- 3. Check Node.js version: `node --version` - must be 20 or higher
1045
-
1046
- ### The CI gate fails with "cannot find module"
1047
-
1048
- **Cause:** The dist files weren't included in the npm package, or you're referencing a path that doesn't exist.
436
+ | Variable | Default | Purpose |
437
+ | --- | --- | --- |
438
+ | `SECURITY_TOOL_AUDIT_LOG` | `.mcp/audit/tool-calls.jsonl` | Path for the per-tool-call structured audit log; point at an append-only / write-once sink for tamper-proof retention |
1049
439
 
1050
- **Fix:** Use `npx -y security-mcp@latest ci:pr-gate` which always pulls the latest published version, rather than referencing a local path.
440
+ ### Privacy and air-gap
1051
441
 
1052
- ### A finding is a false positive
442
+ | Variable | Purpose |
443
+ | --- | --- |
444
+ | `SECURITY_OFFLINE` | Disable all third-party network egress |
1053
445
 
1054
- **Fix:** Add it to `.mcp/exceptions/security-exceptions.json` with a justification, ticket, owner, and expiry date. See [Add a Security Exception](#add-a-security-exception).
446
+ ### MCP channel
1055
447
 
1056
- ### The gate is too strict for my current project stage
448
+ | Variable | Default | Purpose |
449
+ | --- | --- | --- |
450
+ | `SECURITY_MCP_SHARED_SECRET` | (none) | Require caller auth on the MCP channel |
451
+ | `SECURITY_SESSION_TTL_MS` | 8h | Session lifetime, capped at 24h |
1057
452
 
1058
- **Fix:** Edit `.mcp/policies/security-policy.json` to lower severity thresholds for your current environment. For example, set `dev` environment to only block on `CRITICAL`:
453
+ ### Remediation
1059
454
 
1060
- ```json
1061
- "environments": {
1062
- "dev": {
1063
- "severity_block": ["CRITICAL"],
1064
- "required_checks": ["secrets_scan"]
1065
- }
1066
- }
1067
- ```
455
+ | Variable | Purpose |
456
+ | --- | --- |
457
+ | `SECURITY_AGENTIC_QUARANTINE` | Handling for poisoned agent files: `strip`, `sanitize`, `quarantine`, or `off` |
1068
458
 
1069
- ### I want to update to the latest version
459
+ ### Integrations
1070
460
 
1071
- ```bash
1072
- npx -y security-mcp@latest install
1073
- ```
461
+ | Variable | Purpose |
462
+ | --- | --- |
463
+ | `SECURITY_SLACK_WEBHOOK` | Post gate results to Slack |
464
+ | `SECURITY_JIRA_URL` | Create Jira tickets for failures |
465
+ | `SECURITY_JIRA_TOKEN` | Jira API token (never logged) |
466
+ | `SECURITY_JIRA_PROJECT` | Jira project key (default `SECURITY`) |
467
+ | `SECURITY_PAGERDUTY_KEY` | Page on-call for CRITICAL findings |
468
+ | `SECURITY_WEBHOOK_URL` | POST gate results as JSON to any URL |
1074
469
 
1075
- This always pulls the latest published version. If you have it globally installed:
470
+ ### Live scanning
1076
471
 
1077
- ```bash
1078
- npm install -g security-mcp@latest
1079
- ```
472
+ | Variable | Purpose |
473
+ | --- | --- |
474
+ | `SECURITY_STAGING_URL` | Enable runtime + Nuclei DAST against staging |
475
+ | `SECURITY_AI_ENDPOINT` | Enable live AI red-team probes |
476
+ | `SECURITY_AUTO_SBOM` | Auto-generate a CycloneDX SBOM each run |
1080
477
 
1081
478
  ---
1082
479
 
1083
- ## FAQ
1084
-
1085
- **Q: Does this send my code to any external service?**
1086
-
1087
- No. The MCP server runs locally as a Node.js process. Your code never leaves your machine. The only external calls made are to the npm registry (to check for updates) and optionally to GitHub (to download skill files) - both only if explicitly permitted. Live CVE/CISA KEV fetches during `/ciso-orchestrator` require your explicit internet permission at runtime.
1088
-
1089
- **Q: Do I need to know security to use this?**
1090
-
1091
- No. The tool is designed so that you don't need to understand what OWASP or ATT&CK mean. You describe what you're building, and the security engineer handles the rest.
1092
-
1093
- **Q: Will it slow down my development?**
480
+ ## The 10 non-negotiable rules
1094
481
 
1095
- For daily use with `/senior-security-engineer` on recent changes, a typical review takes seconds to a few minutes. The fix is inline - you don't need to context-switch to a separate tool.
482
+ No matter what the AI is asked to build, these hold:
1096
483
 
1097
- **Q: What if it fixes something I don't want changed?**
484
+ 1. No `0.0.0.0/0` firewall rules. Ingress and egress are source-restricted.
485
+ 2. Internal services live on a private VPC only, never on public IPs.
486
+ 3. Secrets live in a secret manager only, never in code, `.env`, CI logs, or images.
487
+ 4. TLS 1.3 for everything in transit. TLS 1.0 and 1.1 are blocked.
488
+ 5. Passwords hashed with Argon2id, or bcrypt at cost 14 or higher.
489
+ 6. Every API input validated server-side with a schema.
490
+ 7. No inline JavaScript. Content Security Policy is nonce-based only.
491
+ 8. Admin interfaces require FIDO2/WebAuthn.
492
+ 9. Threat-model before any auth, payment, or AI feature.
493
+ 10. Zero Trust: every request authenticated and authorized regardless of origin.
1098
494
 
1099
- Everything is in your git working tree. Review the diff with `git diff`, revert anything you disagree with (`git checkout -- <file>`), and add a security exception if the finding is a false positive or accepted risk.
1100
-
1101
- **Q: Can I use this on an existing codebase with lots of issues?**
1102
-
1103
- Yes. Use `security.generate_policy` to set appropriate thresholds for your current state, add exceptions for known-accepted technical debt, and use the gate's MEDIUM/LOW findings as a backlog rather than blockers.
495
+ ---
1104
496
 
1105
- **Q: Is this a replacement for a real pentest?**
497
+ ## CLI reference
1106
498
 
1107
- No - but it covers the same ground and more, continuously, on every change. Use `/ciso-orchestrator` before major releases to get the depth of a structured security review. For compliance purposes (SOC 2, PCI DSS), the attestation files and compliance reports generated are audit-trail artifacts.
499
+ The `security-mcp` binary exposes:
1108
500
 
1109
- **Q: What AI models does this work with?**
501
+ | Command | Purpose |
502
+ | --- | --- |
503
+ | `serve` | Run the MCP server |
504
+ | `install` | Install for auto-detected editors |
505
+ | `install-global` | Install globally |
506
+ | `config` | Manage configuration |
507
+ | `doctor` (alias `verify`) | Health check |
508
+ | `autoharden` | Auto-remediate Terraform (`--dry-run` to preview) |
509
+ | `ci:pr-gate` | Run the gate in CI (non-zero exit on HIGH/CRITICAL) |
510
+ | `sign-policy` | HMAC-sign the active policy |
1110
511
 
1111
- security-mcp is model-agnostic - it's an MCP server, not a model. It works with any AI assistant that supports the MCP protocol: Claude (all models), GitHub Copilot, Cursor, Codex, and others.
512
+ ---
1112
513
 
1113
- **Q: How do I report a vulnerability in security-mcp itself?**
514
+ ## Documentation and disclosure
1114
515
 
1115
- See [SECURITY.md](SECURITY.md) for the responsible disclosure policy.
516
+ - **Deep-dive docs:** the [GitHub Wiki](https://github.com/AbrahamOO/security-mcp/wiki).
517
+ - **Contributing:** [CONTRIBUTING.md](CONTRIBUTING.md).
518
+ - **Reporting a vulnerability in security-mcp itself:** see [SECURITY.md](SECURITY.md), which uses GitHub private security advisories for responsible disclosure.
1116
519
 
1117
520
  ---
1118
521
 
1119
- ## Contributing
1120
-
1121
- See [CONTRIBUTING.md](CONTRIBUTING.md).
1122
-
1123
522
  ## License
1124
523
 
1125
- [MIT](LICENSE) - security-mcp contributors
524
+ [MIT](LICENSE)