security-mcp 1.3.1 → 1.3.4
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +286 -887
- package/defaults/cloud-controls/aws.json +10712 -0
- package/defaults/cloud-controls/azure.json +7201 -0
- package/defaults/cloud-controls/gcp.json +4061 -0
- package/defaults/control-catalog.json +24 -0
- package/dist/ci/pr-gate.js +22 -5
- package/dist/cli/index.js +73 -2
- package/dist/cli/install.js +4 -55
- package/dist/cli/onboarding.js +18 -10
- package/dist/gate/checks/agentic-instructions.js +515 -0
- package/dist/gate/checks/ai-governance.js +132 -0
- package/dist/gate/checks/ai.js +1 -1
- package/dist/gate/checks/cloud-controls.js +69 -0
- package/dist/gate/checks/crypto.js +1 -1
- package/dist/gate/checks/data-platform.js +954 -0
- package/dist/gate/checks/dependencies.js +14 -3
- package/dist/gate/checks/docker-deep.js +1236 -0
- package/dist/gate/checks/gitops.js +724 -0
- package/dist/gate/checks/iac.js +1230 -0
- package/dist/gate/checks/k8s.js +841 -1
- package/dist/gate/checks/secrets.js +49 -37
- package/dist/gate/cloud-controls/apply.js +115 -0
- package/dist/gate/cloud-controls/bicep.js +36 -0
- package/dist/gate/cloud-controls/cfn.js +125 -0
- package/dist/gate/cloud-controls/detect.js +104 -0
- package/dist/gate/cloud-controls/hcl.js +140 -0
- package/dist/gate/cloud-controls/types.js +87 -0
- package/dist/gate/exceptions.js +78 -7
- package/dist/gate/findings.js +15 -2
- package/dist/gate/policy.js +40 -3
- package/dist/gate/threat-intel.js +6 -0
- package/dist/mcp/audit-chain.js +9 -0
- package/dist/mcp/model-router.js +3 -3
- package/dist/mcp/orchestration.js +194 -41
- package/dist/mcp/server.js +124 -17
- package/dist/mcp/tool-audit.js +193 -0
- package/dist/repo/fs.js +14 -1
- package/dist/review/store.js +4 -2
- package/dist/tests/run.js +124 -1
- package/package.json +6 -4
- package/skills/advanced-dos-tester/SKILL.md +9 -0
- package/skills/agentic-instruction-auditor/SKILL.md +111 -0
- package/skills/agentic-loop-exploiter/SKILL.md +9 -0
- package/skills/ai-llm-redteam/SKILL.md +9 -0
- package/skills/ai-model-supply-chain-agent/SKILL.md +9 -0
- package/skills/algorithm-implementation-reviewer/SKILL.md +9 -0
- package/skills/android-penetration-tester/SKILL.md +9 -0
- package/skills/anti-replay-tester/SKILL.md +9 -0
- package/skills/appsec-code-auditor/SKILL.md +9 -0
- package/skills/artifact-integrity-analyst/SKILL.md +9 -0
- package/skills/attack-navigator/SKILL.md +9 -0
- package/skills/auth-session-hacker/SKILL.md +9 -0
- package/skills/aws-penetration-tester/SKILL.md +54 -0
- package/skills/azure-penetration-tester/SKILL.md +52 -0
- package/skills/binary-auth-validator/SKILL.md +9 -0
- package/skills/bot-detection-specialist/SKILL.md +9 -0
- package/skills/business-logic-attacker/SKILL.md +9 -0
- package/skills/capec-code-mapper/SKILL.md +9 -0
- package/skills/cert-pin-rotation-specialist/SKILL.md +9 -0
- package/skills/cicd-pipeline-hijacker/SKILL.md +9 -0
- package/skills/ciso-orchestrator/SKILL.md +11 -0
- package/skills/cloud-infra-specialist/SKILL.md +9 -0
- package/skills/compliance-gap-analyst/SKILL.md +9 -0
- package/skills/compliance-grc/SKILL.md +9 -0
- package/skills/compliance-lifecycle-tracker/SKILL.md +9 -0
- package/skills/container-hardening-auditor/SKILL.md +125 -0
- package/skills/credential-stuffing-specialist/SKILL.md +9 -0
- package/skills/crypto-pki-specialist/SKILL.md +9 -0
- package/skills/csa-ccm-mapper/SKILL.md +9 -0
- package/skills/csf2-governance-mapper/SKILL.md +9 -0
- package/skills/data-platform-auditor/SKILL.md +125 -0
- package/skills/deep-link-fuzzer/SKILL.md +9 -0
- package/skills/dependency-confusion-attacker/SKILL.md +9 -0
- package/skills/device-integrity-aggregator/SKILL.md +9 -0
- package/skills/dos-resilience-tester/SKILL.md +9 -0
- package/skills/dread-scorer/SKILL.md +9 -0
- package/skills/egress-policy-enforcer/SKILL.md +9 -0
- package/skills/evidence-collector/SKILL.md +9 -0
- package/skills/file-upload-attacker/SKILL.md +9 -0
- package/skills/gcp-penetration-tester/SKILL.md +51 -0
- package/skills/git-history-secret-scanner/SKILL.md +9 -0
- package/skills/gitops-delivery-auditor/SKILL.md +120 -0
- package/skills/iac-security-auditor/SKILL.md +125 -0
- package/skills/iam-privesc-graph-builder/SKILL.md +9 -0
- package/skills/incident-responder/SKILL.md +9 -0
- package/skills/injection-specialist/SKILL.md +9 -0
- package/skills/ios-security-auditor/SKILL.md +9 -0
- package/skills/json-ambiguity-tester/SKILL.md +0 -0
- package/skills/k8s-container-escaper/SKILL.md +22 -0
- package/skills/key-management-lifecycle-analyst/SKILL.md +9 -0
- package/skills/kill-switch-engineer/SKILL.md +9 -0
- package/skills/linddun-privacy-analyst/SKILL.md +9 -0
- package/skills/logic-race-fuzzer/SKILL.md +9 -0
- package/skills/mobile-api-network-attacker/SKILL.md +9 -0
- package/skills/mobile-binary-hardener/SKILL.md +9 -0
- package/skills/mobile-security-specialist/SKILL.md +9 -0
- package/skills/mobile-webview-auditor/SKILL.md +9 -0
- package/skills/model-extraction-attacker/SKILL.md +9 -0
- package/skills/multipart-abuse-tester/SKILL.md +9 -0
- package/skills/oauth-pkce-specialist/SKILL.md +9 -0
- package/skills/parser-exhaustion-tester/SKILL.md +9 -0
- package/skills/pentest-infra/SKILL.md +9 -0
- package/skills/pentest-social/SKILL.md +9 -0
- package/skills/pentest-team/SKILL.md +9 -0
- package/skills/pentest-web-api/SKILL.md +9 -0
- package/skills/privacy-flow-analyst/SKILL.md +9 -0
- package/skills/prompt-injection-specialist/SKILL.md +9 -0
- package/skills/quantum-migration-planner/SKILL.md +9 -0
- package/skills/rag-poisoning-specialist/SKILL.md +9 -0
- package/skills/registry-mirror-enforcer/SKILL.md +9 -0
- package/skills/rotation-validation-agent/SKILL.md +9 -0
- package/skills/samm-assessor/SKILL.md +9 -0
- package/skills/secrets-mask-bypass-tester/SKILL.md +9 -0
- package/skills/senior-security-engineer/SKILL.md +11 -0
- package/skills/serialization-memory-attacker/SKILL.md +9 -0
- package/skills/session-timeout-tester/SKILL.md +9 -0
- package/skills/slsa-level3-enforcer/SKILL.md +9 -0
- package/skills/slsa-provenance-enforcer/SKILL.md +9 -0
- package/skills/ssrf-detection-validator/SKILL.md +9 -0
- package/skills/step-up-auth-enforcer/SKILL.md +9 -0
- package/skills/stride-pasta-analyst/SKILL.md +9 -0
- package/skills/supply-chain-devsecops/SKILL.md +9 -0
- package/skills/threat-infrastructure-analyst/SKILL.md +9 -0
- package/skills/threat-modeler/SKILL.md +9 -0
- package/skills/tls-certificate-auditor/SKILL.md +9 -0
- package/skills/token-reuse-detector/SKILL.md +9 -0
- package/skills/trike-risk-modeler/SKILL.md +9 -0
- package/skills/unicode-homograph-tester/SKILL.md +9 -0
- package/skills/waf-rule-lifecycle-agent/SKILL.md +9 -0
- package/skills/webhook-security-tester/SKILL.md +9 -0
- package/skills/zero-trust-architect/SKILL.md +9 -0
package/README.md
CHANGED
|
@@ -1,260 +1,216 @@
|
|
|
1
|
-
# security-mcp
|
|
1
|
+
# security-mcp
|
|
2
2
|
|
|
3
3
|
[](https://www.npmjs.com/package/security-mcp)
|
|
4
4
|
[](LICENSE)
|
|
5
5
|
[](https://nodejs.org)
|
|
6
6
|
[](https://github.com/AbrahamOO/security-mcp/actions)
|
|
7
7
|
|
|
8
|
-
|
|
8
|
+
An autonomous application-security engineering layer for AI-assisted development.
|
|
9
9
|
|
|
10
|
-
|
|
10
|
+
security-mcp is a [Model Context Protocol](https://modelcontextprotocol.io) server that turns your AI coding assistant into a security engineer that does the work, not a linter that files tickets. It reads code the way an attacker does, writes the secure fix inline, and enforces a gate in CI so insecure code cannot merge. The operating mandate across the product is the same one a strong security hire would hold: roughly 90% fixing, 10% advisory.
|
|
11
11
|
|
|
12
|
-
|
|
12
|
+
Platform and security teams can standardize their entire AppSec program on it. A solo founder can install it in a minute and ship safer code on day one. No security background is required to benefit, but nothing is dumbed down for the people who have one.
|
|
13
13
|
|
|
14
|
-
|
|
14
|
+
Works with Claude Code, Cursor, VS Code / GitHub Copilot, Windsurf, Codex, Replit, and any MCP-compatible editor.
|
|
15
|
+
|
|
16
|
+
```bash
|
|
17
|
+
npx -y security-mcp@latest install
|
|
18
|
+
```
|
|
15
19
|
|
|
16
20
|
---
|
|
17
21
|
|
|
18
22
|
## Table of Contents
|
|
19
23
|
|
|
20
|
-
- [
|
|
21
|
-
- [What
|
|
22
|
-
- [
|
|
23
|
-
- [
|
|
24
|
-
- [
|
|
25
|
-
- [
|
|
26
|
-
- [
|
|
27
|
-
- [
|
|
28
|
-
- [
|
|
29
|
-
- [
|
|
30
|
-
- [
|
|
31
|
-
- [
|
|
32
|
-
- [
|
|
33
|
-
- [
|
|
34
|
-
- [
|
|
35
|
-
- [
|
|
36
|
-
- [
|
|
37
|
-
- [
|
|
24
|
+
- [Why this exists](#why-this-exists)
|
|
25
|
+
- [What's new in 1.3.3](#whats-new-in-133)
|
|
26
|
+
- [System overview](#system-overview)
|
|
27
|
+
- [The two entry points](#the-two-entry-points)
|
|
28
|
+
- [/senior-security-engineer](#senior-security-engineer)
|
|
29
|
+
- [/ciso-orchestrator](#ciso-orchestrator)
|
|
30
|
+
- [The gate engine](#the-gate-engine)
|
|
31
|
+
- [Cloud security controls engine](#cloud-security-controls-engine)
|
|
32
|
+
- [Install](#install)
|
|
33
|
+
- [CI/CD gate](#cicd-gate)
|
|
34
|
+
- [Built for teams](#built-for-teams)
|
|
35
|
+
- [Self-protection and supply-chain posture](#self-protection-and-supply-chain-posture)
|
|
36
|
+
- [MCP tools](#mcp-tools)
|
|
37
|
+
- [Frameworks](#frameworks)
|
|
38
|
+
- [Policy and exceptions](#policy-and-exceptions)
|
|
39
|
+
- [Environment variables](#environment-variables)
|
|
40
|
+
- [The 10 non-negotiable rules](#the-10-non-negotiable-rules)
|
|
41
|
+
- [CLI reference](#cli-reference)
|
|
42
|
+
- [Documentation and disclosure](#documentation-and-disclosure)
|
|
43
|
+
- [License](#license)
|
|
38
44
|
|
|
39
45
|
---
|
|
40
46
|
|
|
41
|
-
##
|
|
47
|
+
## Why this exists
|
|
42
48
|
|
|
43
|
-
|
|
49
|
+
Most security tooling stops at detection. It produces a list, hands it to a human, and waits. That model breaks down when AI assistants are writing the majority of the code, because the volume of change outpaces anyone's ability to triage a backlog by hand.
|
|
44
50
|
|
|
45
|
-
|
|
51
|
+
security-mcp inverts the default. When it finds a vulnerability it writes the production-ready fix into your working tree, re-runs the check to confirm the issue cleared, and only then moves on. The same engine runs as a deterministic gate in CI, so the contract is simple: HIGH and CRITICAL findings do not merge.
|
|
46
52
|
|
|
47
|
-
|
|
53
|
+
You get three things from one install:
|
|
48
54
|
|
|
49
|
-
|
|
50
|
-
|
|
51
|
-
|
|
52
|
-
| **SpEL / OGNL injection** | T1059 | Spring Expression Language and OGNL via user-controlled string eval |
|
|
53
|
-
| **Pickle / Java deserialization** | T1059.001 | Unsafe `pickle.loads`, `ObjectInputStream`, `readObject` on untrusted data |
|
|
54
|
-
| **Second-order injection** | T1059 | Data stored to DB then later executed — two-pass file-correlation check |
|
|
55
|
-
| **CSS injection** | T1059 | User content reflected inside `<style>` or `style=` without sanitization |
|
|
56
|
-
| **Elasticsearch injection** | T1059 | Dynamic query construction in Elasticsearch DSL with user input |
|
|
57
|
-
| **WebSocket injection** | T1059 | User-controlled data in `ws.send()` without validation |
|
|
58
|
-
| **SSE-CRLF** | T1059 | CRLF in Server-Sent Events `data:` field hijacking the SSE stream |
|
|
59
|
-
| **PDF / document injection** | T1059 | User input in PDF field generation without escaping |
|
|
60
|
-
| **HTTP response splitting** | T1059 | CRLF in HTTP header values |
|
|
61
|
-
| **Bracket-notation prototype pollution** | T1203 | `obj[key] = value` with user-controlled keys |
|
|
55
|
+
- An interactive security engineer that fixes code inside your editor.
|
|
56
|
+
- A multi-agent security program that runs a full audit on demand.
|
|
57
|
+
- A standalone CI gate that needs no AI session to enforce the line.
|
|
62
58
|
|
|
63
|
-
|
|
59
|
+
---
|
|
64
60
|
|
|
65
|
-
|
|
61
|
+
## What's new in 1.3.3
|
|
66
62
|
|
|
67
|
-
`
|
|
63
|
+
**Inter-agent payload integrity.** `orchestration.merge_agent_findings` is the single trust sink for a whole agent run, so it now validates every agent's findings against a strict schema and verifies each file's hash against that agent's signed attestation before the findings reach the gate. With an attestation chain present it runs **enforced**: unattested or tampered agent files are rejected, and a hash mismatch or failed chain forces the gate to FAIL even with zero findings. Set `SECURITY_REQUIRE_AGENT_ATTESTATION` to fail closed unless the run is HMAC-signed, enforced, and chain-valid.
|
|
68
64
|
|
|
69
|
-
|
|
70
|
-
| --- | --- | --- |
|
|
71
|
-
| **JWT `kid` injection** | CWE-20 | `kid` header used as file path or SQL expression for key material |
|
|
72
|
-
| **JWKS URI override** | CWE-20 | Attacker-controlled `jku` / `x5u` headers pointing to external key stores |
|
|
73
|
-
| **OAuth client secret in repo** | CWE-798 | `client_secret` literals or env defaults checked into source |
|
|
74
|
-
| **Session token in URL** | CWE-598 | Session IDs in query parameters — logged by every proxy |
|
|
75
|
-
| **Low-entropy token** | CWE-330 | Token / secret generated with `Math.random()` or timestamp-seeded RNG |
|
|
76
|
-
| **Remember-me no rotation** | CWE-613 | Persistent login tokens never rotated on use |
|
|
77
|
-
| **Password reset single-use** | CWE-640 | Reset tokens reusable after initial redemption |
|
|
78
|
-
| **Account enumeration** | CWE-204 | Different error messages for valid vs. invalid usernames |
|
|
79
|
-
| **Bcrypt cost factor** | CWE-916 | `bcrypt.hash(pw, N)` where N < 12 |
|
|
80
|
-
|
|
81
|
-
Plus all original patterns: JWT alg:none/HS-RS confusion, session fixation, OAuth state/redirect_uri/PKCE, hardcoded JWT secret, rate limit on auth, plaintext password compare, SAML signature bypass, insecure cookie flags, refresh token rotation, API key in URL, reset token expiry, admin route without authz, timing oracle.
|
|
82
|
-
|
|
83
|
-
### 31 Business Logic Patterns (was 8)
|
|
84
|
-
|
|
85
|
-
`checkBusinessLogic` now catches 31 patterns including 13 new e-commerce and payment abuse vectors:
|
|
86
|
-
|
|
87
|
-
- **Currency confusion** — mixed-currency arithmetic without normalization
|
|
88
|
-
- **Discount stacking** — coupon codes combined with promotions without stack limits
|
|
89
|
-
- **Order fulfillment bypass** — status transitions that skip required payment/verification steps
|
|
90
|
-
- **Webhook timestamp** — missing replay-window check on webhook signature verification
|
|
91
|
-
- **Tax / shipping parameter tamper** — client-supplied tax and shipping totals accepted server-side
|
|
92
|
-
- **Client-side total** — final order amount derived from a browser-supplied value
|
|
93
|
-
- **Referral abuse** — self-referral detection absent from referral credit logic
|
|
94
|
-
- **Email normalization** — `user+tag@domain.com` not normalized when enforcing unique accounts
|
|
95
|
-
- **Feature flag bypass** — feature flags controllable via client-supplied headers or query params
|
|
96
|
-
- **API version bypass** — security controls on v2 routes not enforced on legacy v1 endpoints
|
|
97
|
-
- **Double-spend payment** — concurrent payment requests without idempotency key enforcement
|
|
98
|
-
- **Free trial abuse** — trial period enforced only by client-supplied start date
|
|
99
|
-
- **Pagination abuse** — unlimited page size parameter enabling full-table data dump
|
|
100
|
-
|
|
101
|
-
### 32 Supply Chain Deep Patterns (was 16)
|
|
102
|
-
|
|
103
|
-
`checkSupplyChainDeep` now covers 32 patterns. New additions detect obfuscated payloads, malicious package scripts, and exfiltration channels that bypass standard SAST tools — including keyloggers, reverse shells, cryptomining signatures, DNS exfiltration, clipboard monitoring, and more.
|
|
104
|
-
|
|
105
|
-
### Critical Security Fixes
|
|
106
|
-
|
|
107
|
-
| ID | Severity | Fix |
|
|
108
|
-
| --- | --- | --- |
|
|
109
|
-
| **VULN-001** | CRITICAL | Dead multiline regex in `checkSecondOrderInjection` silently nulled the entire injection-deep module — replaced with two-pass file-correlation |
|
|
110
|
-
| **VULN-002** | HIGH | Symlink traversal in `policy.ts` glob calls — `followSymbolicLinks: false` enforced |
|
|
111
|
-
| **VULN-003** | HIGH | Evidence previews leaked secret values — `redactSecrets()` added to `search.ts` |
|
|
112
|
-
| **AUTH-OBO-01** | HIGH | Lockout off-by-one in `auth.ts` allowed 4 attempts instead of 3 |
|
|
113
|
-
| **META-01/03/04** | MEDIUM | Prompt injection vectors in MCP server — `_notice` framing and `sanitizePromptParam()` added |
|
|
65
|
+
**Per-tool-call audit log.** Every MCP tool invocation emits one structured JSONL record with the eight mandatory fields — timestamp, agent id, tool, input parameters (secrets redacted), output (outcome + size + truncated preview), credentials used (session id, never the secret), user context, and outcome status — to `.mcp/audit/tool-calls.jsonl` (`0o600`). Point `SECURITY_TOOL_AUDIT_LOG` at an append-only sink for tamper-proof retention. Logging never interrupts tool execution.
|
|
114
66
|
|
|
115
|
-
|
|
67
|
+
Both close gaps from an agentic-AI threat model of security-mcp's own multi-agent system and were hardened through a three-agent adversarial review (highest-severity-wins dedupe, secret/PII value scrubbing in the audit preview, honest unsigned-chain reporting). See the [CHANGELOG](CHANGELOG.md) for the full list and accepted residual risk.
|
|
116
68
|
|
|
117
|
-
-
|
|
118
|
-
- NIST AU-11 / PCI Req 10 log retention detection added to `checkAuthDeep`
|
|
119
|
-
- ISO 42001 §9.1 routing decision audit log added to model router
|
|
120
|
-
- `runScanners` (gitleaks / semgrep / trivy / checkov / osv-scanner) wired into the gate — was implemented but never called since v1.0; now active check 27
|
|
69
|
+
**1.3.2 — cloud security controls engine.** A registry-driven engine that scans infrastructure-as-code against 998 rules mapped to AWS FSBP, CIS Benchmarks (AWS / GCP / Azure), and the Microsoft Cloud Security Benchmark, across Terraform, CloudFormation, and Bicep. Terraform violations can be auto-remediated with `security-mcp autoharden` ([dedicated section](#cloud-security-controls-engine)). It also added the `security-mcp ci:pr-gate` and `sign-policy` CLI commands, and hardened the tool against itself (unsigned policies and exceptions can no longer relax the gate; data at rest is written `0o600`) — see [self-protection and supply-chain posture](#self-protection-and-supply-chain-posture).
|
|
121
70
|
|
|
122
|
-
|
|
71
|
+
Earlier releases expanded the deep-analysis pattern libraries (injection, authentication, supply chain, business logic), brought OWASP Top 10 to full coverage, and wired the industry scanners into the gate.
|
|
123
72
|
|
|
124
|
-
|
|
125
|
-
- **Injection** — SQL/ORM detection (Prisma `$queryRaw`, Sequelize, Knex, TypeORM), JNDI/Log4Shell, LDAP, XPath, Redis `EVAL`, ReDoS static catastrophic-backtracking patterns
|
|
126
|
-
- **Cryptography** — AES-CBC-without-HMAC (+ split-string evasion fix), GCM nonce reuse and timestamp IV, RSA PKCS#1v1.5, SHA-256-as-password-hash, hardcoded PBKDF2 salt, `rejectUnauthorized: false`, weak TLS min version
|
|
127
|
-
- **Checklists** — all 6 surface checklists updated with `automated: true` entries for every new check ID
|
|
73
|
+
---
|
|
128
74
|
|
|
129
|
-
|
|
75
|
+
## System overview
|
|
130
76
|
|
|
131
|
-
|
|
77
|
+
<p align="center">
|
|
78
|
+
<img src="https://raw.githubusercontent.com/AbrahamOO/security-mcp/main/assets/diagrams/system-overview.svg" alt="System overview: editor skills and CI both call the same MCP server, which drives the gate engine, orchestration, cloud controls, and platform subsystems into a shared attestation." width="820">
|
|
79
|
+
</p>
|
|
132
80
|
|
|
133
|
-
|
|
134
|
-
export SECURITY_MCP_SHARED_SECRET="$(openssl rand -hex 32)"
|
|
135
|
-
```
|
|
81
|
+
The MCP server is the trust root. Both entry-point skills, the standalone CI gate, and every supporting subsystem call into the same engine, so an interactive fix and a CI verdict are produced by identical logic.
|
|
136
82
|
|
|
137
|
-
|
|
83
|
+
---
|
|
138
84
|
|
|
139
|
-
|
|
85
|
+
## The two entry points
|
|
140
86
|
|
|
141
|
-
|
|
87
|
+
You drive security-mcp through two skills. One is your daily security engineer. The other is a full security program you run when the stakes are high.
|
|
142
88
|
|
|
143
|
-
|
|
144
|
-
|
|
145
|
-
|
|
146
|
-
|
|
89
|
+
| | `/senior-security-engineer` | `/ciso-orchestrator` |
|
|
90
|
+
| --- | --- | --- |
|
|
91
|
+
| Shape | One elite engineer agent | 39 named agents, 40+ at runtime |
|
|
92
|
+
| Best for | Every PR, targeted hardening | Pre-release audits, compliance prep |
|
|
93
|
+
| Scope | You pick: diff, full codebase, or specific paths | Full: every surface, every framework |
|
|
94
|
+
| Speed | Seconds to minutes | Minutes to hours |
|
|
95
|
+
| Output | Inline fixes + SHA-256 attested report | Merged findings, compliance mapping, signed attestation |
|
|
96
|
+
| Network | Not required | Optional live threat intel |
|
|
147
97
|
|
|
148
|
-
|
|
98
|
+
Rule of thumb: run `/senior-security-engineer` on every PR, and `/ciso-orchestrator` before a release or an audit.
|
|
149
99
|
|
|
150
|
-
|
|
100
|
+
### /senior-security-engineer
|
|
151
101
|
|
|
152
|
-
|
|
102
|
+
A single elite security-engineer agent. It operates 90% fixing, 10% advisory: it writes the secure code rather than handing you a report to act on. You pick the scope at the start (recent changes via git diff, the full codebase, or specific files and folders), and it runs a strategy pass, then the gate, then inline fixes, and finishes with a SHA-256 attested report you can keep as an audit artifact.
|
|
153
103
|
|
|
154
|
-
|
|
104
|
+
This is the daily driver. Use it on every PR.
|
|
155
105
|
|
|
156
|
-
|
|
157
|
-
-
|
|
158
|
-
|
|
159
|
-
- Hiring a security team or running a pentest is expensive and slow
|
|
106
|
+
<p align="center">
|
|
107
|
+
<img src="https://raw.githubusercontent.com/AbrahamOO/security-mcp/main/assets/diagrams/senior-security-engineer.svg" alt="senior-security-engineer flow: pick scope, build strategy, run gate, write inline fixes, re-run until clean, then emit a SHA-256 attested report." width="720">
|
|
108
|
+
</p>
|
|
160
109
|
|
|
161
|
-
|
|
110
|
+
### /ciso-orchestrator
|
|
162
111
|
|
|
163
|
-
|
|
112
|
+
A full security program in one command, held to the same 90% fixing, 10% advisory mandate as the single agent: every specialist writes the fix rather than filing a finding. Nine specialist lead agents command 30 sub-agents, for 39 named agents in the static spawn tree. At runtime the orchestrator dynamically spawns additional ghost and coverage agents based on cross-domain findings, so a real run typically fields 40 or more. It draws on a registry of 91 specialist skills (registry version 1.6.0), loaded on demand based on your detected stack, and covers PCI DSS 4.0, SOC 2, ISO 27001, NIST 800-53, HIPAA, and GDPR mapping.
|
|
164
113
|
|
|
165
|
-
|
|
114
|
+
It runs in three phases:
|
|
115
|
+
|
|
116
|
+
1. **Discovery (parallel).** Seven leads run at once: threat modeling, AppSec code audit, cloud and infrastructure, supply chain, AI/LLM red team, mobile, and crypto/PKI.
|
|
117
|
+
2. **Adversarial and compliance (parallel).** A penetration-test team reads Phase 1's threat model as its attack brief, while a compliance/GRC synthesizer maps findings to controls.
|
|
118
|
+
3. **Synthesis.** Each agent's findings file is schema-validated and verified against that agent's signed attestation before it is trusted, then findings are merged and deduplicated, SKILL.md section coverage (§0 through §24) is verified, and a signed attestation is written. A tampered attestation chain or a findings-hash mismatch forces the gate to FAIL.
|
|
166
119
|
|
|
167
|
-
|
|
120
|
+
<p align="center">
|
|
121
|
+
<img src="https://raw.githubusercontent.com/AbrahamOO/security-mcp/main/assets/diagrams/ciso-orchestrator.svg" alt="ciso-orchestrator spawn tree: Phase 1 discovery leads and sub-agents in parallel, Phase 2 pentest and compliance teams, Phase 3 attestation verification, merge, coverage check, and signed attestation." width="940">
|
|
122
|
+
</p>
|
|
168
123
|
|
|
169
|
-
|
|
170
|
-
- **Full-stack developers** who know their code works but aren't sure if it's safe
|
|
171
|
-
- **Startups and small teams** shipping web apps, mobile apps, APIs, and SaaS products
|
|
172
|
-
- **AI-assisted developers** using Claude Code, Copilot, Cursor, or Codex to write most of their code
|
|
173
|
-
- **Teams preparing for SOC 2, PCI DSS, or ISO 27001 audits** who need evidence and gap analysis
|
|
174
|
-
- **Security-conscious engineers** who want systematic coverage, not ad-hoc reviews
|
|
175
|
-
- **Anyone who's shipped code and thought "wait, is this actually secure?"**
|
|
124
|
+
Cloud, AI/LLM, and mobile sub-agents are conditional: they activate only when the relevant stack is detected, and report N/A otherwise.
|
|
176
125
|
|
|
177
126
|
---
|
|
178
127
|
|
|
179
|
-
##
|
|
128
|
+
## The gate engine
|
|
180
129
|
|
|
181
|
-
|
|
130
|
+
The gate is the deterministic core. On every run it executes 35 security checks in parallel (33 distinct check modules plus 2 precomputed coverage feeds). It is surface-aware: it first detects which surfaces a change touches (web, API, infrastructure, iOS, Android, AI/LLM, agentic) and runs the relevant checks against them.
|
|
182
131
|
|
|
183
|
-
|
|
132
|
+
<p align="center">
|
|
133
|
+
<img src="https://raw.githubusercontent.com/AbrahamOO/security-mcp/main/assets/diagrams/gate-engine.svg" alt="Gate engine pipeline: load HMAC-verified policy, resolve scope, classify change, detect surfaces, run 35 checks in parallel, assign SLAs, build coverage manifest, apply exceptions, score confidence, diff against baseline, and produce a verdict." width="760">
|
|
134
|
+
</p>
|
|
135
|
+
|
|
136
|
+
A crashed check module never disappears quietly. It becomes a HIGH coverage-gap finding, so the absence of a result is itself a result. A control that regresses from satisfied to missing against the saved baseline also becomes a HIGH finding.
|
|
137
|
+
|
|
138
|
+
### Deep-analysis modules
|
|
139
|
+
|
|
140
|
+
| Module | Patterns | What it targets |
|
|
141
|
+
| --- | --- | --- |
|
|
142
|
+
| Deep injection | 42 | SQL/NoSQL, SSTI, SpEL/OGNL, deserialization, CRLF, SSRF, and more |
|
|
143
|
+
| Deep authentication | 43 | JWT confusion, session and OAuth flaws, weak hashing, token entropy |
|
|
144
|
+
| Deep supply chain | 32 | Obfuscated payloads, malicious scripts, exfiltration channels |
|
|
145
|
+
| Business logic | 31 | IDOR, race conditions, payment and e-commerce abuse |
|
|
146
|
+
| Data platform | 47 | Databricks and Snowflake misconfiguration |
|
|
147
|
+
| Deep Docker | 49 | Container build and runtime hardening |
|
|
148
|
+
| GitOps | 41 | ArgoCD and Flux pipeline integrity |
|
|
149
|
+
| Agentic-instruction integrity | 11 | Poisoned AI agent instruction files |
|
|
150
|
+
| AI governance | 3 | Shadow-AI and data-to-LLM exfiltration |
|
|
184
151
|
|
|
185
|
-
|
|
152
|
+
Alongside these, the gate runs Kubernetes (70 checks), IaC (56), and dedicated modules for secrets, dependencies, crypto, web/Next.js, API, mobile (iOS and Android), GraphQL, database, DLP, SBOM, an incident-response playbook, runtime/DAST, CI pipeline hardening, and a Nuclei DAST integration.
|
|
186
153
|
|
|
187
|
-
###
|
|
154
|
+
### Scanner orchestration and threat intel
|
|
188
155
|
|
|
189
|
-
|
|
156
|
+
When they are present on the host, the gate orchestrates industry scanners: gitleaks, semgrep, trivy, osv-scanner, checkov, conftest, and zaproxy. Their results fold into the same findings model.
|
|
190
157
|
|
|
191
|
-
|
|
158
|
+
Live threat intelligence (cached for 24 hours) enriches the verdict: CISA KEV, EPSS (a score above 0.5 escalates severity), OpenSSF Scorecard, and the npm registry. Set `SECURITY_OFFLINE=1` to disable all third-party egress. Private and internal scoped package names are never sent to public endpoints, online or off.
|
|
192
159
|
|
|
193
160
|
---
|
|
194
161
|
|
|
195
|
-
|
|
196
|
-
| --- | --- | --- |
|
|
197
|
-
| **What it is** | Single expert agent | 39-agent multi-phase security program |
|
|
198
|
-
| **Best for** | Daily development, PR reviews, targeted hardening | Pre-launch audits, compliance prep, incident response |
|
|
199
|
-
| **Speed** | Seconds to minutes | Minutes to hours |
|
|
200
|
-
| **Scope** | You choose: recent changes, full codebase, or specific files | Always full - every surface, every framework |
|
|
201
|
-
| **Agents** | 1 | 39 (9 leads + 30 sub-agents) |
|
|
202
|
-
| **Output** | Inline code fixes + SHA-256 attestation | Full domain reports + merged findings + attestation |
|
|
203
|
-
| **API cost** | Low | High |
|
|
204
|
-
| **Internet** | Not required | Optional (enriches findings with live CVEs, CISA KEV, MITRE ATT&CK) |
|
|
162
|
+
## Cloud security controls engine
|
|
205
163
|
|
|
206
|
-
|
|
164
|
+
A registry-driven engine scans infrastructure-as-code against 998 rules mapped to AWS Foundational Security Best Practices (FSBP), CIS Benchmarks for AWS, GCP, and Azure, and the Microsoft Cloud Security Benchmark.
|
|
165
|
+
|
|
166
|
+
| Coverage | Rules |
|
|
167
|
+
| --- | --- |
|
|
168
|
+
| AWS | 483 |
|
|
169
|
+
| Azure | 320 |
|
|
170
|
+
| GCP | 195 |
|
|
171
|
+
| Terraform / HCL | 774 |
|
|
172
|
+
| CloudFormation | 128 |
|
|
173
|
+
| Bicep | 96 |
|
|
174
|
+
|
|
175
|
+
<p align="center">
|
|
176
|
+
<img src="https://raw.githubusercontent.com/AbrahamOO/security-mcp/main/assets/diagrams/cloud-controls.svg" alt="Cloud controls flow: detect IaC against the 998-rule registry, surface violations, auto-fix safe Terraform cases then re-detect to confirm, revert if not cleared, and report anything unsafe as a manual action with a snippet." width="720">
|
|
177
|
+
</p>
|
|
178
|
+
|
|
179
|
+
Terraform supports auto-remediation through `security-mcp autoharden` (use `--dry-run` to preview). The engine applies a fix, re-detects to confirm the violation actually cleared, and only then keeps the change. Anything it cannot safely auto-fix is reported as a manual action with a code snippet.
|
|
207
180
|
|
|
208
181
|
---
|
|
209
182
|
|
|
210
|
-
##
|
|
183
|
+
## Install
|
|
184
|
+
|
|
185
|
+
Prerequisite: Node.js 20 or higher (`node --version`).
|
|
211
186
|
|
|
212
187
|
```bash
|
|
213
188
|
npx -y security-mcp@latest install
|
|
214
189
|
```
|
|
215
190
|
|
|
216
|
-
Restart your editor
|
|
191
|
+
The installer auto-detects Claude Code, Cursor, VS Code, and Windsurf, and writes the config to the right place. Restart your editor, then run a review:
|
|
217
192
|
|
|
218
193
|
```text
|
|
219
194
|
/senior-security-engineer
|
|
220
195
|
```
|
|
221
196
|
|
|
222
|
-
|
|
223
|
-
|
|
224
|
-
For a full 39-agent deep audit:
|
|
197
|
+
For a full audit:
|
|
225
198
|
|
|
226
199
|
```text
|
|
227
200
|
/ciso-orchestrator
|
|
228
201
|
```
|
|
229
202
|
|
|
230
|
-
|
|
231
|
-
|
|
232
|
-
## Installation
|
|
233
|
-
|
|
234
|
-
> **Prerequisite:** Node.js 20+. Check with `node --version`.
|
|
235
|
-
|
|
236
|
-
### One Command — Auto-detects Your Editor
|
|
203
|
+
Confirm the install is healthy at any time:
|
|
237
204
|
|
|
238
205
|
```bash
|
|
239
|
-
npx -y security-mcp@latest
|
|
240
|
-
```
|
|
241
|
-
|
|
242
|
-
The installer detects Claude Code, Cursor, VS Code, and Windsurf automatically and writes the config to the correct location. Restart your editor when it finishes, then type `/senior-security-engineer`.
|
|
243
|
-
|
|
244
|
-
### Install for a Specific Editor
|
|
245
|
-
|
|
246
|
-
```bash
|
|
247
|
-
npx -y security-mcp@latest install --claude-code # ~/.claude/settings.json
|
|
248
|
-
npx -y security-mcp@latest install --cursor # ~/.cursor/mcp.json
|
|
249
|
-
npx -y security-mcp@latest install --vscode # VS Code user settings.json
|
|
250
|
-
npx -y security-mcp@latest install --windsurf # ~/.windsurf/mcp.json
|
|
206
|
+
npx -y security-mcp@latest doctor
|
|
251
207
|
```
|
|
252
208
|
|
|
253
|
-
### Manual
|
|
209
|
+
### Manual config
|
|
254
210
|
|
|
255
|
-
Add
|
|
211
|
+
Add the server to your editor's MCP config and restart.
|
|
256
212
|
|
|
257
|
-
|
|
213
|
+
Claude Code (`~/.claude/settings.json`), Cursor (`~/.cursor/mcp.json`), Windsurf (`~/.windsurf/mcp.json`):
|
|
258
214
|
|
|
259
215
|
```json
|
|
260
216
|
{
|
|
@@ -267,7 +223,7 @@ Add this to your editor's MCP server config and restart:
|
|
|
267
223
|
}
|
|
268
224
|
```
|
|
269
225
|
|
|
270
|
-
|
|
226
|
+
VS Code / GitHub Copilot (user `settings.json`):
|
|
271
227
|
|
|
272
228
|
```json
|
|
273
229
|
{
|
|
@@ -282,118 +238,17 @@ Add this to your editor's MCP server config and restart:
|
|
|
282
238
|
|
|
283
239
|
---
|
|
284
240
|
|
|
285
|
-
##
|
|
241
|
+
## CI/CD gate
|
|
286
242
|
|
|
287
|
-
|
|
243
|
+
The gate runs as plain Node.js with no AI session involved, so it belongs in your pipeline as a required check.
|
|
288
244
|
|
|
289
245
|
```bash
|
|
290
|
-
npx -y security-mcp@latest
|
|
291
|
-
```
|
|
292
|
-
|
|
293
|
-
This checks your Node.js version, editor config files, and installed skills — and prints `[PASS]` or `[FAIL]` per check with a fix command if anything is missing.
|
|
294
|
-
|
|
295
|
-
Example output:
|
|
296
|
-
|
|
297
|
-
```text
|
|
298
|
-
[PASS] Node.js 22.x
|
|
299
|
-
[PASS] Claude Code config (~/.claude/settings.json)
|
|
300
|
-
[PASS] senior-security-engineer skill (~/.claude/skills/senior-security-engineer/SKILL.md)
|
|
301
|
-
|
|
302
|
-
All checks passed. Restart your editor, then type /senior-security-engineer.
|
|
303
|
-
```
|
|
304
|
-
|
|
305
|
-
---
|
|
306
|
-
|
|
307
|
-
## How to Run Your First Security Review
|
|
308
|
-
|
|
309
|
-
### Daily Workflow: `/senior-security-engineer`
|
|
310
|
-
|
|
311
|
-
**Step 1 - Open your project in your editor.**
|
|
312
|
-
|
|
313
|
-
**Step 2 - Invoke the skill:**
|
|
314
|
-
|
|
315
|
-
```text
|
|
316
|
-
/senior-security-engineer
|
|
317
|
-
```
|
|
318
|
-
|
|
319
|
-
**Step 3 - Choose your scan scope when prompted:**
|
|
320
|
-
|
|
321
|
-
- **Recent changes** - scans only files modified since your last commit. Use this on every PR.
|
|
322
|
-
- **Full codebase** - scans all source files. Use when onboarding a new project.
|
|
323
|
-
- **Specific folders** - you name the folders. Use when you know the blast radius.
|
|
324
|
-
|
|
325
|
-
**Step 4 - Watch it work.** The agent will:
|
|
326
|
-
|
|
327
|
-
1. Call `security.start_review` to create a tracked run
|
|
328
|
-
2. Build a scan plan covering all relevant OWASP/NIST/ATT&CK controls
|
|
329
|
-
3. Run 20 security checks in parallel across secrets, dependencies, crypto, auth, injection, cloud config, AI/LLM, mobile, and more
|
|
330
|
-
4. Write fixes directly into your code for every finding it can remediate
|
|
331
|
-
5. Generate a SHA-256 attested report at `.mcp/reports/{runId}.attestation.json`
|
|
332
|
-
|
|
333
|
-
**Step 5 - Review the output.** Each finding shows:
|
|
334
|
-
|
|
335
|
-
- What the vulnerability is and why it matters
|
|
336
|
-
- Which attack it enables (mapped to MITRE ATT&CK and CWE)
|
|
337
|
-
- The exact fix that was applied to your code
|
|
338
|
-
|
|
339
|
-
**Step 6 - Commit with confidence.** The attestation file is your audit trail.
|
|
340
|
-
|
|
341
|
-
---
|
|
342
|
-
|
|
343
|
-
### Deep Audit: `/ciso-orchestrator`
|
|
344
|
-
|
|
345
|
-
Use this before a major release, compliance deadline, or security review.
|
|
346
|
-
|
|
347
|
-
**Step 1 - Invoke:**
|
|
348
|
-
|
|
349
|
-
```text
|
|
350
|
-
/ciso-orchestrator
|
|
246
|
+
npx -y security-mcp@latest ci:pr-gate
|
|
351
247
|
```
|
|
352
248
|
|
|
353
|
-
|
|
354
|
-
|
|
355
|
-
The orchestrator will ask:
|
|
356
|
-
|
|
357
|
-
> "I can fetch live CVE data, CISA KEV, and MITRE ATT&CK updates to improve this analysis. Allow internet access for this run? (yes/no)"
|
|
358
|
-
|
|
359
|
-
- **Yes** - agents enrich findings with live threat intelligence. More accurate, more current.
|
|
360
|
-
- **No** - agents use cached intel. Still comprehensive, no external calls made.
|
|
361
|
-
|
|
362
|
-
**Step 3 - Wait for Phase 1 (7 lead agents running in parallel, each commanding their domain-specific sub-agents — 25 sub-agents total across Phase 1).**
|
|
363
|
-
|
|
364
|
-
Each agent writes findings to `.mcp/agent-runs/{agentRunId}/`.
|
|
365
|
-
|
|
366
|
-
**Step 4 - Wait for Phase 2 (pentest team + compliance synthesizer).**
|
|
367
|
-
|
|
368
|
-
The pentest team reads Phase 1's threat model as its attack brief. The compliance agent maps every finding to PCI DSS 4.0, SOC 2, ISO 27001, NIST 800-53, HIPAA, and GDPR controls.
|
|
369
|
-
|
|
370
|
-
**Step 5 - Review the merged report.**
|
|
371
|
-
|
|
372
|
-
The orchestrator presents:
|
|
373
|
-
|
|
374
|
-
```text
|
|
375
|
-
Agents: 9 leads completed (+ sub-agents)
|
|
376
|
-
Findings: X CRITICAL / X HIGH / X MEDIUM / X LOW
|
|
377
|
-
Remediated inline: X
|
|
378
|
-
Open (need your decision): X
|
|
379
|
-
SKILL.md coverage: XX% (§1-§24)
|
|
380
|
-
Release blocked: yes / no
|
|
381
|
-
Attestation: .mcp/reports/{runId}.attestation.json
|
|
382
|
-
```
|
|
383
|
-
|
|
384
|
-
**Step 6 - For any open findings**, follow the required actions in the report. The agent will help you implement each fix.
|
|
385
|
-
|
|
386
|
-
---
|
|
387
|
-
|
|
388
|
-
## CI/CD Security Gate
|
|
389
|
-
|
|
390
|
-
Block insecure code from merging on every pull request - no Claude session required, pure Node.js execution:
|
|
391
|
-
|
|
392
|
-
```bash
|
|
393
|
-
npx -y security-mcp ci:pr-gate
|
|
394
|
-
```
|
|
249
|
+
It exits non-zero on HIGH or CRITICAL findings.
|
|
395
250
|
|
|
396
|
-
###
|
|
251
|
+
### GitHub Actions
|
|
397
252
|
|
|
398
253
|
Create `.github/workflows/security-gate.yml`:
|
|
399
254
|
|
|
@@ -402,7 +257,7 @@ name: Security Gate
|
|
|
402
257
|
|
|
403
258
|
on:
|
|
404
259
|
pull_request:
|
|
405
|
-
branches: [main
|
|
260
|
+
branches: [main]
|
|
406
261
|
|
|
407
262
|
jobs:
|
|
408
263
|
security-gate:
|
|
@@ -410,533 +265,121 @@ jobs:
|
|
|
410
265
|
steps:
|
|
411
266
|
- uses: actions/checkout@v4
|
|
412
267
|
with:
|
|
413
|
-
fetch-depth: 0
|
|
268
|
+
fetch-depth: 0 # required for git diff
|
|
414
269
|
|
|
415
270
|
- uses: actions/setup-node@v4
|
|
416
271
|
with:
|
|
417
272
|
node-version: '20'
|
|
418
273
|
|
|
419
274
|
- name: Block insecure code from merging
|
|
420
|
-
run: npx -y security-mcp ci:pr-gate
|
|
275
|
+
run: npx -y security-mcp@latest ci:pr-gate
|
|
421
276
|
env:
|
|
422
277
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
423
278
|
```
|
|
424
279
|
|
|
425
|
-
###
|
|
426
|
-
|
|
427
|
-
The gate runs **24 check modules in parallel** against your diff:
|
|
428
|
-
|
|
429
|
-
| Category | What It Catches |
|
|
430
|
-
| --- | --- |
|
|
431
|
-
| **Secrets** | Hardcoded API keys, tokens, passwords, private keys (via Gitleaks patterns) |
|
|
432
|
-
| **Dependencies** | CRITICAL/HIGH CVEs in npm/pip/go/maven packages; CISA KEV cross-check and EPSS >50% auto-escalation via live threat-intel (24h cached) |
|
|
433
|
-
| **Cryptography** | MD5, SHA-1, DES, RC4, ECB mode, `Math.random()` for tokens, short JWT secrets |
|
|
434
|
-
| **Authentication** | Missing rate limiting, no account lockout, JWT `alg:none`, weak session config |
|
|
435
|
-
| **Injection** | SQL, NoSQL, command injection, path traversal, SSRF, prototype pollution |
|
|
436
|
-
| **Web headers** | Missing CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy |
|
|
437
|
-
| **IaC** | `0.0.0.0/0` firewall rules, public storage buckets, wildcard IAM permissions |
|
|
438
|
-
| **AI/LLM** | `eval()` on model output, unvalidated model responses, prompt injection patterns |
|
|
439
|
-
| **Database** | TLS disabled on connections, raw query concatenation, missing connection encryption |
|
|
440
|
-
| **Mobile** | `android:debuggable=true`, cleartext traffic, insecure ATS config |
|
|
441
|
-
| **GraphQL** | Introspection in production, no depth/complexity limits, batching abuse |
|
|
442
|
-
| **Kubernetes** | Privileged containers, missing security context, hostPath mounts |
|
|
443
|
-
| **DLP** | PII in logs, stack traces in API responses, sensitive data in error messages |
|
|
444
|
-
| **Supply chain** | Missing lockfiles, floating version ranges (`^`, `~`), abandoned packages |
|
|
445
|
-
| **SBOM** | Generates CycloneDX SBOM for the scanned surface |
|
|
446
|
-
| **Runtime** | HTTP security headers and TLS config on live staging URL (if configured) |
|
|
447
|
-
| **AI red-team** | Static + optional dynamic probes against AI endpoints |
|
|
448
|
-
| **Exceptions** | Validates any active security exceptions are non-expired and properly approved |
|
|
449
|
-
| **Baseline regression** | Detects when previously-satisfied controls go missing (BASELINE_REGRESSION HIGH finding injected on regression) |
|
|
450
|
-
| **Deep injection** | 42 patterns — XXE, SSTI (Java/PHP), SpEL/OGNL, prototype pollution, second-order injection, NoSQL/MongoDB/Redis/LDAP/XPath injection, JNDI/Log4Shell, CRLF, WebSocket injection, CSS injection, SSE-CRLF, PDF injection, HTTP response splitting, unsafe YAML, deserialization (pickle/Java), path traversal, log injection, SSRF, command injection, ReDoS, SQL/ORM (Prisma/Sequelize/Knex/TypeORM), and more |
|
|
451
|
-
| **Deep auth** | 43 patterns — JWT alg confusion/kid injection/JWKS override, session fixation, OAuth state/redirect_uri/PKCE/client secret, hardcoded JWT secret, rate limit, plaintext compare, SAML signature, cookie flags, token rotation, HS/RS confusion, API key in URL, reset expiry/single-use, admin route without authz, timing oracle, account enumeration, session token in URL, low-entropy token, bcrypt cost factor, and more |
|
|
452
|
-
| **Supply chain deep** | 32 patterns — keyloggers, reverse shells, destructive commands, credential exfiltration, env variable theft, malicious postinstall scripts, dynamic require(), base64-obfuscated exec, cryptomining, sensitive file reads, unpinned dependencies, hidden file writes, DNS exfiltration, clipboard monitoring, obfuscated DOM injection, and more |
|
|
453
|
-
| **Business logic** | 31 patterns — IDOR without ownership check, mass assignment, race conditions, integer overflow, currency confusion, discount stacking, order fulfillment bypass, webhook replay, tax/shipping tamper, client-side total, referral abuse, email normalization, feature flag bypass, API version bypass, double-spend, free trial abuse, pagination abuse, and more |
|
|
454
|
-
|
|
455
|
-
### Customize the Gate Policy
|
|
456
|
-
|
|
457
|
-
Copy the default policy into your project and edit:
|
|
458
|
-
|
|
459
|
-
```bash
|
|
460
|
-
mkdir -p .mcp/policies
|
|
461
|
-
cp node_modules/security-mcp/defaults/security-policy.json .mcp/policies/security-policy.json
|
|
462
|
-
```
|
|
463
|
-
|
|
464
|
-
Or generate one tailored to your stack:
|
|
465
|
-
|
|
466
|
-
```text
|
|
467
|
-
Ask your AI: "Run security.generate_policy with surfaces=[web, api, ai] and cloud=aws"
|
|
468
|
-
```
|
|
469
|
-
|
|
470
|
-
### Add Exceptions for Known Accepted Risks
|
|
280
|
+
### Optional HMAC integrity
|
|
471
281
|
|
|
472
|
-
|
|
282
|
+
To make the policy tamper-evident, add a repository secret named `SECURITY_POLICY_HMAC_KEY` that is at least 32 bytes, then sign and commit:
|
|
473
283
|
|
|
474
284
|
```bash
|
|
475
|
-
|
|
476
|
-
cp node_modules/security-mcp/defaults/security-exceptions.json .mcp/exceptions/security-exceptions.json
|
|
285
|
+
security-mcp sign-policy
|
|
477
286
|
```
|
|
478
287
|
|
|
479
|
-
|
|
480
|
-
|
|
481
|
-
```json
|
|
482
|
-
{
|
|
483
|
-
"version": "1.0.0",
|
|
484
|
-
"exceptions": [
|
|
485
|
-
{
|
|
486
|
-
"id": "EX-001",
|
|
487
|
-
"finding_ids": ["CRYPTO_WEAK_HASH"],
|
|
488
|
-
"justification": "Legacy hash used only for non-security cache keys",
|
|
489
|
-
"ticket": "JIRA-1234",
|
|
490
|
-
"owner": "alice@example.com",
|
|
491
|
-
"approver": "bob@example.com",
|
|
492
|
-
"approval_role": "SecurityLead",
|
|
493
|
-
"expires_on": "2025-12-31"
|
|
494
|
-
}
|
|
495
|
-
]
|
|
496
|
-
}
|
|
497
|
-
```
|
|
498
|
-
|
|
499
|
-
Expired exceptions automatically become CRITICAL findings that block the gate.
|
|
288
|
+
Commit the policy file together with its generated `.hmac` sidecar. Once a key is set, the gate requires a valid signature on the policy, and a missing sidecar is rejected by design, so the key and the signature must land in the same change.
|
|
500
289
|
|
|
501
290
|
---
|
|
502
291
|
|
|
503
|
-
##
|
|
504
|
-
|
|
505
|
-
When your AI has security-mcp active, it **writes the production-ready fix** - not a suggestion, not a warning comment:
|
|
506
|
-
|
|
507
|
-
### Secrets and Credentials
|
|
508
|
-
|
|
509
|
-
| Insecure | Fixed to |
|
|
510
|
-
| --- | --- |
|
|
511
|
-
| `const KEY = "sk-abc123"` | `const KEY = process.env["API_KEY"]` + vault reference |
|
|
512
|
-
| `password: "hardcoded"` in config | Environment variable + secret manager setup |
|
|
513
|
-
| JWT signed with `"secret"` | RS256 with generated key pair, proper validation |
|
|
514
|
-
| Bcrypt with cost factor 4 | Argon2id with `memory: 65536, iterations: 3, parallelism: 4` |
|
|
515
|
-
|
|
516
|
-
### Authentication and Authorization
|
|
517
|
-
|
|
518
|
-
- Rate limiting middleware added to all auth endpoints (configurable thresholds)
|
|
519
|
-
- Account lockout after N failed attempts with progressive delays
|
|
520
|
-
- Session absolute timeout (8h) and idle timeout (30 min)
|
|
521
|
-
- FIDO2/WebAuthn requirement flagged for admin interfaces
|
|
522
|
-
- IDOR protection: tenant/user IDs read from JWT claims, never from request params
|
|
523
|
-
|
|
524
|
-
### Injection and Input Validation
|
|
525
|
-
|
|
526
|
-
- Zod/Yup schema validation added to every API route handler
|
|
527
|
-
- SQL: string concatenation -> parameterized queries or tagged template literals
|
|
528
|
-
- Command execution: `exec(userInput)` -> `spawnSync` with arg array, no shell
|
|
529
|
-
- Path traversal: user-controlled paths validated against project boundary
|
|
530
|
-
- SSRF: server-side HTTP clients get RFC-1918 CIDR block lists + DNS validation
|
|
531
|
-
|
|
532
|
-
### Web Security Headers
|
|
533
|
-
|
|
534
|
-
Before:
|
|
535
|
-
|
|
536
|
-
```javascript
|
|
537
|
-
app.get("/", (req, res) => res.send(html));
|
|
538
|
-
```
|
|
539
|
-
|
|
540
|
-
After:
|
|
541
|
-
|
|
542
|
-
```javascript
|
|
543
|
-
app.use(helmet({
|
|
544
|
-
contentSecurityPolicy: {
|
|
545
|
-
directives: {
|
|
546
|
-
defaultSrc: ["'self'"],
|
|
547
|
-
scriptSrc: ["'self'", (req, res) => `'nonce-${res.locals.nonce}'`],
|
|
548
|
-
}
|
|
549
|
-
},
|
|
550
|
-
hsts: { maxAge: 63072000, includeSubDomains: true, preload: true },
|
|
551
|
-
frameguard: { action: "deny" },
|
|
552
|
-
noSniff: true,
|
|
553
|
-
referrerPolicy: { policy: "strict-origin-when-cross-origin" }
|
|
554
|
-
}));
|
|
555
|
-
```
|
|
556
|
-
|
|
557
|
-
### Cloud Infrastructure
|
|
292
|
+
## Built for teams
|
|
558
293
|
|
|
559
|
-
|
|
560
|
-
- `acl = "public-read"` S3 -> Block Public Access enabled at bucket and account level
|
|
561
|
-
- Wildcard IAM `"Action": "*"` -> least-privilege policy with specific actions
|
|
562
|
-
- Long-lived static credentials -> IAM roles / Workload Identity / OIDC federation
|
|
294
|
+
Four platform subsystems let a security team operate security-mcp at scale, not just run it ad hoc.
|
|
563
295
|
|
|
564
|
-
|
|
296
|
+
**Multi-provider model router.** Cost-aware routing across model providers, with circuit breakers and a spend budget so a single provider outage or a runaway run cannot stall or overspend the program.
|
|
565
297
|
|
|
566
|
-
-
|
|
567
|
-
- `Math.random()` for tokens -> `crypto.randomBytes(32).toString('hex')`
|
|
568
|
-
- AES-CBC -> AES-256-GCM with per-message nonce
|
|
569
|
-
- RSA PKCS#1 v1.5 -> RSA-OAEP or ECDH P-256
|
|
298
|
+
**Learning engine.** Remembers confirmed patterns and false positives per project, with rate-limited false-positive suppression so noise drops over time. Routing decisions are written to an ISO 42001 audit log.
|
|
570
299
|
|
|
571
|
-
|
|
300
|
+
**Tamper-evident attestation hash chain.** Each agent attestation is chained (`init_chain`, `attest_agent`, `verify_chain`, `get_chain`), so the audit trail cannot be silently rewritten after the fact.
|
|
572
301
|
|
|
573
|
-
-
|
|
574
|
-
- `eval(modelOutput)` -> `JSON.parse()` + Zod schema validation
|
|
575
|
-
- RAG retrieval without auth check -> authorization check before and after retrieval
|
|
576
|
-
- Unvalidated tool calls -> allowlist router that blocks unlisted tool names
|
|
302
|
+
**MCP caller authentication.** An optional shared-secret gate on the MCP channel uses constant-time HMAC comparison, a 3-strike lockout, and a session TTL (8 hours by default, capped at 24). When unset, the channel stays open for frictionless local use.
|
|
577
303
|
|
|
578
304
|
---
|
|
579
305
|
|
|
580
|
-
##
|
|
581
|
-
|
|
582
|
-
### System Overview
|
|
583
|
-
|
|
584
|
-
```text
|
|
585
|
-
┌───────────────────────────────────────────────────────────────┐
|
|
586
|
-
│ Your Editor (Claude Code) │
|
|
587
|
-
│ │
|
|
588
|
-
│ /senior-security-engineer /ciso-orchestrator │
|
|
589
|
-
│ (single expert agent) (39-agent security program) │
|
|
590
|
-
│ │ │ │
|
|
591
|
-
└──────────┼────────────────────────────────┼───────────────────┘
|
|
592
|
-
│ │
|
|
593
|
-
└──────────────┬─────────────────┘
|
|
594
|
-
│ MCP protocol (stdio)
|
|
595
|
-
▼
|
|
596
|
-
┌──────────────────────────────────────────────────────────────┐
|
|
597
|
-
│ MCP Server (src/mcp/server.ts) │
|
|
598
|
-
│ │
|
|
599
|
-
│ security.* tools orchestration.* tools │
|
|
600
|
-
│ ───────────────── ────────────────────── │
|
|
601
|
-
│ start_review create_agent_run │
|
|
602
|
-
│ run_pr_gate update_agent_status │
|
|
603
|
-
│ threat_model merge_agent_findings │
|
|
604
|
-
│ checklist ensure_skill │
|
|
605
|
-
│ attest_review read/write_agent_memory │
|
|
606
|
-
│ get_system_prompt check_updates / apply_updates │
|
|
607
|
-
│ scan_strategy verify_skill_coverage │
|
|
608
|
-
│ generate_policy │
|
|
609
|
-
│ terraform_blueprint repo.* tools │
|
|
610
|
-
│ generate_opa_rego ───────────── │
|
|
611
|
-
│ generate_compliance_report read_file / search │
|
|
612
|
-
│ notify_webhooks │
|
|
613
|
-
│ generate_remediations │
|
|
614
|
-
└──────────────────────────────────────────────────────────────┘
|
|
615
|
-
│
|
|
616
|
-
▼
|
|
617
|
-
┌──────────────────────────────────────────────────────────────┐
|
|
618
|
-
│ Policy Gate Engine (src/gate/policy.ts) │
|
|
619
|
-
│ │
|
|
620
|
-
│ 28 checks run in parallel: │
|
|
621
|
-
│ checkSecrets checkDependencies checkApi checkInfra │
|
|
622
|
-
│ checkCrypto checkMobileIos checkMobileAndroid │
|
|
623
|
-
│ checkAi checkGraphQL checkKubernetes │
|
|
624
|
-
│ checkDatabase checkDlp checkWebNextjs │
|
|
625
|
-
│ runSbomChecks runAiRedteamChecks runRuntimeChecks │
|
|
626
|
-
│ runCiPipelineChecks runDockerChecks runScanners │
|
|
627
|
-
│ checkInjectionDeep (42 patterns) checkAuthDeep (43 patterns)│
|
|
628
|
-
│ checkSupplyChainDeep (32) checkBusinessLogic (31) │
|
|
629
|
-
│ │
|
|
630
|
-
│ Surface detection -> Control catalog -> Exception handling -> │
|
|
631
|
-
│ Coverage manifest -> Taint map -> Confidence scoring -> PASS / FAIL │
|
|
632
|
-
└──────────────────────────────────────────────────────────────┘
|
|
633
|
-
```
|
|
634
|
-
|
|
635
|
-
### `/senior-security-engineer` Flow
|
|
636
|
-
|
|
637
|
-
```text
|
|
638
|
-
User: /senior-security-engineer
|
|
639
|
-
│
|
|
640
|
-
▼
|
|
641
|
-
Claude reads SKILL.md + asks scope choice:
|
|
642
|
-
A) Recent changes (git diff)
|
|
643
|
-
B) Full codebase
|
|
644
|
-
C) Specific files/folders
|
|
645
|
-
│
|
|
646
|
-
▼ user picks scope
|
|
647
|
-
security.start_review(mode)
|
|
648
|
-
└── creates .mcp/reviews/{runId}.json
|
|
649
|
-
│
|
|
650
|
-
▼
|
|
651
|
-
security.threat_model(runId, feature)
|
|
652
|
-
└── STRIDE + PASTA + ATT&CK template for changed surface
|
|
653
|
-
│
|
|
654
|
-
▼
|
|
655
|
-
§0 Coverage Completeness Protocol (runs first)
|
|
656
|
-
├── enumerate ALL source files → coverage-manifest.json
|
|
657
|
-
├── taint-trace every user-controlled input → taint-map.json
|
|
658
|
-
├── negative assertion per attack class: "FILES: N/N | RESULT: CLEAN"
|
|
659
|
-
└── fix verification loop: re-run check after every fix, confirm CLEAN
|
|
660
|
-
│
|
|
661
|
-
▼
|
|
662
|
-
security.run_pr_gate(runId, mode, targets)
|
|
663
|
-
├── git diff / glob targets -> changed files list
|
|
664
|
-
├── detectSurfaces() -> web? api? infra? mobile? ai?
|
|
665
|
-
├── 28 checks in parallel (incl. deep injection + deep auth)
|
|
666
|
-
├── apply exceptions from .mcp/exceptions/
|
|
667
|
-
├── compute confidence score
|
|
668
|
-
└── returns PASS/FAIL + findings[]
|
|
669
|
-
│
|
|
670
|
-
▼
|
|
671
|
-
Claude writes inline fixes for every finding
|
|
672
|
-
(production-ready secure code, not suggestions)
|
|
673
|
-
Every HIGH/CRITICAL: FIXED with verified-clean re-run,
|
|
674
|
-
OR formally blocked with risk-acceptance record
|
|
675
|
-
│
|
|
676
|
-
▼
|
|
677
|
-
security.attest_review(runId)
|
|
678
|
-
└── .mcp/reports/{runId}.attestation.json
|
|
679
|
-
└── SHA-256 integrity hash
|
|
680
|
-
```
|
|
681
|
-
|
|
682
|
-
### `/ciso-orchestrator` Flow (39 Agents)
|
|
683
|
-
|
|
684
|
-
```text
|
|
685
|
-
User: /ciso-orchestrator
|
|
686
|
-
│
|
|
687
|
-
▼
|
|
688
|
-
CISO Orchestrator
|
|
689
|
-
├── orchestration.check_updates() -> prompt if new version available
|
|
690
|
-
├── ask internet permission -> stored for all child agents
|
|
691
|
-
├── scan project for stack context
|
|
692
|
-
│ (package.json, go.mod, terraform/, .github/workflows/, Dockerfile)
|
|
693
|
-
│ -> stackContext: { languages, frameworks, cloudProvider, hasAI, hasMobile, ... }
|
|
694
|
-
├── security.start_review() -> runId
|
|
695
|
-
├── orchestration.create_agent_run() -> agentRunId + manifest.json
|
|
696
|
-
└── orchestration.ensure_skill(×N) -> download stack-relevant skills from 86-skill registry
|
|
697
|
-
│
|
|
698
|
-
▼
|
|
699
|
-
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
|
|
700
|
-
PHASE 1 - 7 leads + sub-agents (all parallel)
|
|
701
|
-
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
|
|
702
|
-
|
|
703
|
-
Agent 1: threat-modeler
|
|
704
|
-
├── stride-pasta-analyst -> STRIDE matrix, PASTA 7 stages, LINDDUN, DREAD
|
|
705
|
-
├── attack-navigator -> ATT&CK Navigator layer + D3FEND countermeasures
|
|
706
|
-
├── business-logic-attacker -> attack trees per route/flow found in codebase
|
|
707
|
-
└── privacy-flow-analyst -> GDPR/HIPAA data flows, DPIA trigger check
|
|
708
|
-
Output: .mcp/agent-runs/{id}/threat-model.json
|
|
709
|
-
|
|
710
|
-
Agent 2: appsec-code-auditor
|
|
711
|
-
├── injection-specialist -> SQL/NoSQL/SSTI/OS cmd/CRLF/log injection
|
|
712
|
-
├── auth-session-hacker -> JWT algo confusion, SAML wrap, OAuth confusion
|
|
713
|
-
├── logic-race-fuzzer -> race conditions, integer overflow, mass assignment
|
|
714
|
-
└── serialization-memory-attacker -> prototype pollution, ReDoS, zip slip, sandbox escape
|
|
715
|
-
Output: .mcp/agent-runs/{id}/appsec-findings.json
|
|
716
|
-
|
|
717
|
-
Agent 3: cloud-infra-specialist
|
|
718
|
-
├── aws-penetration-tester -> IAM escalation, S3, Lambda, EKS (if AWS)
|
|
719
|
-
├── gcp-penetration-tester -> SA abuse, GCS, Cloud Run, GKE (if GCP)
|
|
720
|
-
├── azure-penetration-tester -> Managed Identity, AKS, Key Vault (if Azure)
|
|
721
|
-
└── k8s-container-escaper -> privileged pods, RBAC escape, hostPath (if K8s)
|
|
722
|
-
Output: .mcp/agent-runs/{id}/infra-findings.json
|
|
723
|
-
|
|
724
|
-
Agent 4: supply-chain-devsecops
|
|
725
|
-
├── dependency-confusion-attacker -> CVEs, CISA KEV, typosquatting, SBOM
|
|
726
|
-
├── cicd-pipeline-hijacker -> pull_request_target, mutable Actions, injection
|
|
727
|
-
└── artifact-integrity-analyst -> SLSA L3, Cosign signatures, provenance
|
|
728
|
-
Output: .mcp/agent-runs/{id}/supply-chain-findings.json
|
|
729
|
-
|
|
730
|
-
Agent 5: ai-llm-redteam (skipped if no AI stack detected)
|
|
731
|
-
├── prompt-injection-specialist -> direct + indirect injection, PoC payloads
|
|
732
|
-
├── model-extraction-attacker -> API abuse, cost amplification, rate limiting
|
|
733
|
-
├── rag-poisoning-specialist -> vector store isolation, metadata filter injection
|
|
734
|
-
└── agentic-loop-exploiter -> tool blast radius, loop hijacking, allowlist gaps
|
|
735
|
-
Output: .mcp/agent-runs/{id}/ai-findings.json
|
|
736
|
-
|
|
737
|
-
Agent 6: mobile-security-specialist (skipped if no mobile detected)
|
|
738
|
-
├── ios-security-auditor -> Keychain, ATS, Secure Enclave, Universal Links
|
|
739
|
-
├── android-penetration-tester -> manifest hardening, NSC, exported components
|
|
740
|
-
└── mobile-api-network-attacker -> cert pinning, API key extraction, token storage
|
|
741
|
-
Output: .mcp/agent-runs/{id}/mobile-findings.json
|
|
742
|
-
|
|
743
|
-
Agent 7: crypto-pki-specialist
|
|
744
|
-
├── tls-certificate-auditor -> TLS 1.3, AEAD ciphers, HSTS preload, OCSP, mTLS
|
|
745
|
-
├── algorithm-implementation-reviewer -> banned algos, Argon2id params, nonce reuse
|
|
746
|
-
└── key-management-lifecycle-analyst -> hardcoded keys, rotation, CMEK, post-quantum
|
|
747
|
-
Output: .mcp/agent-runs/{id}/crypto-findings.json
|
|
748
|
-
|
|
749
|
-
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
|
|
750
|
-
Wait for all Phase 1 agents to complete
|
|
751
|
-
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
|
|
752
|
-
|
|
753
|
-
PHASE 2 - adversarial + compliance (both parallel)
|
|
754
|
-
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
|
|
755
|
-
|
|
756
|
-
Agent 8: pentest-team (reads threat-model.json as attack brief)
|
|
757
|
-
├── pentest-web-api -> OWASP Testing Guide on every route found in codebase
|
|
758
|
-
├── pentest-infra -> privilege escalation graph, Terraform state, cloud posture
|
|
759
|
-
└── pentest-social -> OSINT on org, spear-phishing scenarios, insider threat model
|
|
760
|
-
Output: .mcp/agent-runs/{id}/pentest-report.json
|
|
761
|
-
|
|
762
|
-
Agent 9: compliance-grc (reads all Phase 1 findings)
|
|
763
|
-
├── evidence-collector -> logging schema verification, SIEM rules, audit trail
|
|
764
|
-
└── compliance-gap-analyst -> PCI DSS 4.0, SOC 2, ISO 27001, NIST 800-53, HIPAA, GDPR
|
|
765
|
-
Output: .mcp/agent-runs/{id}/compliance-report.json
|
|
766
|
-
|
|
767
|
-
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
|
|
768
|
-
Wait for Phase 2 agents to complete
|
|
769
|
-
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
|
|
770
|
-
|
|
771
|
-
PHASE 3 - synthesis (sequential)
|
|
772
|
-
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
|
|
773
|
-
|
|
774
|
-
orchestration.merge_agent_findings() -> deduplicate + sort CRITICAL->LOW
|
|
775
|
-
orchestration.verify_skill_coverage() -> check §1-§24 SKILL.md section coverage
|
|
776
|
-
security.attest_review() -> SHA-256 attestation written
|
|
777
|
-
|
|
778
|
-
Final report:
|
|
779
|
-
├── X CRITICAL / X HIGH / X MEDIUM / X LOW
|
|
780
|
-
├── Remediated inline: X Open: X
|
|
781
|
-
├── SKILL.md section coverage: XX%
|
|
782
|
-
├── Release blocked: yes / no
|
|
783
|
-
└── .mcp/reports/{runId}.attestation.json
|
|
784
|
-
```
|
|
785
|
-
|
|
786
|
-
### Agent Memory System
|
|
787
|
-
|
|
788
|
-
Every agent persists what it learns so each subsequent run is smarter:
|
|
306
|
+
## Self-protection and supply-chain posture
|
|
789
307
|
|
|
790
|
-
|
|
791
|
-
~/.security-mcp/agent-memory/{agentName}/
|
|
792
|
-
├── patterns.json ← confirmed attack patterns for this tech stack
|
|
793
|
-
├── false-positives.json ← findings to deprioritize on next run
|
|
794
|
-
├── remediations.json ← what fixes worked for this project
|
|
795
|
-
├── intel.json ← cached threat intel (refreshed every 24h)
|
|
796
|
-
└── errors.json ← tool failure log (used for self-healing)
|
|
797
|
-
```
|
|
308
|
+
A security tool is part of your supply chain, so security-mcp is built to resist the same attacks it looks for. This matters most when the threat is a malicious repository or a compromised dependency trying to neutralize the gate.
|
|
798
309
|
|
|
799
|
-
|
|
800
|
-
|
|
801
|
-
|
|
802
|
-
.
|
|
803
|
-
|
|
804
|
-
|
|
805
|
-
|
|
806
|
-
|
|
807
|
-
|
|
808
|
-
│ ├── appsec-findings.json
|
|
809
|
-
│ ├── infra-findings.json
|
|
810
|
-
│ ├── supply-chain-findings.json
|
|
811
|
-
│ ├── ai-findings.json
|
|
812
|
-
│ ├── mobile-findings.json
|
|
813
|
-
│ ├── crypto-findings.json
|
|
814
|
-
│ ├── pentest-report.json
|
|
815
|
-
│ ├── compliance-report.json
|
|
816
|
-
│ ├── sbom.cyclonedx.json
|
|
817
|
-
│ └── merged-findings.json ← Phase 3 deduplicated, sorted output
|
|
818
|
-
├── policies/security-policy.json
|
|
819
|
-
└── exceptions/security-exceptions.json
|
|
820
|
-
```
|
|
310
|
+
- **Signed policy, exceptions, and baseline.** These files are HMAC-signed. When the policy is not signed, the gate floors `severity_block` to HIGH/CRITICAL, so an unsigned edit cannot relax the gate to PASS.
|
|
311
|
+
- **Exceptions cannot quietly suppress.** By default an unsigned exceptions file may not suppress HIGH/CRITICAL findings. A break-glass env var exists for scanning intentionally-vulnerable fixtures.
|
|
312
|
+
- **Honest attestation.** Attestation refuses to sign unless the latest gate result is PASS with all required steps complete. There are no forged green attestations.
|
|
313
|
+
- **Verified inter-agent payloads.** The merge step that aggregates every agent's findings is the trust sink for a whole run, so it schema-validates each agent's findings file and checks its hash against that agent's signed attestation before trusting it. Findings dedupe keeps the highest severity per id, so a same-id low-severity entry cannot shadow a real CRITICAL. A tampered chain or a findings-hash mismatch forces FAIL. Set `SECURITY_REQUIRE_AGENT_ATTESTATION=1` to fail closed unless the run is HMAC-signed, fully attested, and clean — note that an *unsigned* attestation chain is only tamper-evident, not tamper-proof, against an attacker who can write the run directory, so the HMAC key is the real boundary.
|
|
314
|
+
- **Per-tool-call audit trail.** Every MCP tool call is logged as one structured JSONL record (timestamp, agent id, tool, inputs, output summary, session credential, outcome) to `.mcp/audit/tool-calls.jsonl`. Secret-bearing keys and secret-shaped values (in inputs and in the output preview) are scrubbed; failed auth attempts are recorded as such, not as successes; the log rotates at 50 MB and writing never interrupts a tool call. Set `SECURITY_TOOL_AUDIT_LOG` to forward to an append-only sink.
|
|
315
|
+
- **Locked-down data at rest.** Findings, agent memory, and signatures are written with `0o600` file permissions.
|
|
316
|
+
- **Prompt-injection defense.** Tool outputs that originate from the repo are sanitized before they reach an LLM.
|
|
317
|
+
- **Verified installer.** Downloaded scanner binaries are verified by SHA-256, unchecksummed binaries are refused, and there is no `curl | sh` install path.
|
|
318
|
+
- **Air-gap mode.** `SECURITY_OFFLINE=1` produces a fully offline run with no third-party egress.
|
|
821
319
|
|
|
822
320
|
---
|
|
823
321
|
|
|
824
|
-
## MCP
|
|
322
|
+
## MCP tools
|
|
825
323
|
|
|
826
|
-
Your AI
|
|
324
|
+
Your AI calls these automatically; you rarely invoke them by hand. There are around 40, grouped into three namespaces plus two MCP prompts.
|
|
827
325
|
|
|
828
|
-
###
|
|
326
|
+
### Most useful tools
|
|
829
327
|
|
|
830
|
-
| Tool |
|
|
831
|
-
| --- | --- |
|
|
832
|
-
| `security.start_review` | Starts a stateful review run; returns `runId` used to track all subsequent steps and produce the final attestation |
|
|
833
|
-
| `security.run_pr_gate` | Runs 20 security checks in parallel; returns PASS/FAIL, findings with severity, and required actions |
|
|
834
|
-
| `security.threat_model` | Generates a STRIDE + PASTA + ATT&CK threat model template for a specific feature or surface |
|
|
835
|
-
| `security.checklist` | Returns the pre-release security checklist, optionally filtered by surface (web / api / mobile / ai / infra / payments) |
|
|
836
|
-
| `security.scan_strategy` | Builds an exhaustive scan plan mapping every check to OWASP, NIST, ATT&CK, and compliance controls |
|
|
837
|
-
| `security.get_system_prompt` | Returns the full security engineering directive, optionally scoped to your stack and cloud provider |
|
|
838
|
-
| `security.generate_policy` | Generates a `security-policy.json` tailored to your active surfaces and cloud provider |
|
|
839
|
-
| `security.terraform_hardening_blueprint` | Terraform hardening baseline with module layout, guardrails, and control mappings |
|
|
840
|
-
| `security.generate_opa_rego` | OPA/Rego policy code for Terraform plans, CI pipelines, and Kubernetes admission |
|
|
841
|
-
| `security.generate_compliance_report` | Maps gate findings to SOC 2, PCI-DSS, ISO 27001, NIST 800-53, HIPAA, or GDPR controls |
|
|
842
|
-
| `security.generate_remediations` | Maps each finding ID to a concrete code-level fix template |
|
|
843
|
-
| `security.notify_webhooks` | Sends findings to Slack, Jira, PagerDuty, or any webhook URL |
|
|
844
|
-
| `security.self_heal_loop` | Proposes adaptive policy improvements based on recurring findings (requires explicit human approval) |
|
|
845
|
-
| `security.attest_review` | Writes a SHA-256 integrity-hashed attestation file at `.mcp/reports/{runId}.attestation.json` |
|
|
846
|
-
| `repo.read_file` | Reads a project file for analysis (path-traversal guarded) |
|
|
847
|
-
| `repo.search` | Searches the codebase for patterns or regex (ReDoS guarded, max 500 matches) |
|
|
848
|
-
|
|
849
|
-
### Orchestration Tools (`/ciso-orchestrator` only)
|
|
850
|
-
|
|
851
|
-
| Tool | What It Does |
|
|
328
|
+
| Tool | Purpose |
|
|
852
329
|
| --- | --- |
|
|
853
|
-
| `
|
|
854
|
-
| `
|
|
855
|
-
| `
|
|
856
|
-
| `
|
|
857
|
-
| `
|
|
858
|
-
| `
|
|
859
|
-
| `
|
|
860
|
-
| `
|
|
861
|
-
| `
|
|
330
|
+
| `security.start_review` | Open a stateful review run and get a `runId` |
|
|
331
|
+
| `security.run_pr_gate` | Run the gate, return PASS/FAIL with findings |
|
|
332
|
+
| `security.attest_review` | Write a SHA-256 attestation (PASS-gated) |
|
|
333
|
+
| `security.threat_model` | STRIDE + PASTA + ATT&CK model for a surface |
|
|
334
|
+
| `security.scan_strategy` | Map every check to OWASP/NIST/ATT&CK controls |
|
|
335
|
+
| `security.generate_policy` | Generate a policy tailored to your stack |
|
|
336
|
+
| `security.terraform_hardening_blueprint` | Terraform hardening baseline + mappings |
|
|
337
|
+
| `security.generate_opa_rego` | OPA/Rego for plans, pipelines, admission |
|
|
338
|
+
| `security.generate_compliance_report` | Map findings to SOC 2, PCI, ISO, NIST, HIPAA, GDPR |
|
|
339
|
+
| `security.generate_remediations` | Concrete fix template per finding |
|
|
340
|
+
| `repo.read_file` / `repo.search` | Read or search the codebase (guarded) |
|
|
341
|
+
| `orchestration.create_agent_run` | Stand up the multi-agent run + manifest |
|
|
342
|
+
| `orchestration.merge_agent_findings` | Dedupe and sort findings across agents |
|
|
343
|
+
| `orchestration.verify_skill_coverage` | Check §0-§24 SKILL.md coverage |
|
|
344
|
+
|
|
345
|
+
### Operational families
|
|
346
|
+
|
|
347
|
+
Beyond the tools above, the rest of the surface clusters into four families:
|
|
348
|
+
|
|
349
|
+
- **Model routing and budget.** `get_routing`, `get_model_for_task`, `track_usage`, `model_budget_status`, `get_provider_health`, `record_provider_failure`, `reset_provider_circuit`.
|
|
350
|
+
- **Learning and pattern memory.** `record_outcome`, `pattern_report`, `self_heal_loop`, plus `orchestration.read_agent_memory` / `write_agent_memory`.
|
|
351
|
+
- **Attestation hash chain.** `init_chain`, `attest_agent`, `verify_chain`, `get_chain`.
|
|
352
|
+
- **Caller auth and lifecycle.** `authenticate`, `logout`, plus update tools `orchestration.check_updates` / `apply_updates` and skill loading `orchestration.ensure_skill`.
|
|
353
|
+
|
|
354
|
+
Namespace counts: `security.*` (29 tools), `repo.*` (2), `orchestration.*` (9), and 2 MCP prompts.
|
|
862
355
|
|
|
863
356
|
---
|
|
864
357
|
|
|
865
|
-
##
|
|
358
|
+
## Frameworks
|
|
866
359
|
|
|
867
|
-
|
|
360
|
+
Every finding and fix maps to recognized standards. You do not need to know them to benefit; they are there so your evidence stands up to an auditor.
|
|
868
361
|
|
|
869
|
-
|
|
|
362
|
+
| Domain | Standards |
|
|
870
363
|
| --- | --- |
|
|
871
|
-
|
|
|
872
|
-
|
|
|
873
|
-
|
|
|
874
|
-
|
|
|
875
|
-
|
|
|
876
|
-
|
|
|
877
|
-
| **MITRE D3FEND** | Defensive countermeasure mapped to every ATT&CK technique in scope |
|
|
878
|
-
| **MITRE ATLAS** | Adversarial ML/AI attack techniques |
|
|
879
|
-
| **MITRE CAPEC** | Attack patterns used at design-time threat modeling |
|
|
880
|
-
| **NIST 800-53 Rev 5** | Full US government security control catalog |
|
|
881
|
-
| **NIST CSF 2.0** | Govern / Identify / Protect / Detect / Respond / Recover |
|
|
882
|
-
| **NIST 800-207** | Zero Trust Architecture - every request authenticated and authorized |
|
|
883
|
-
| **NIST 800-218 (SSDF)** | Secure Software Development Framework |
|
|
884
|
-
| **NIST AI RMF** | AI risk management: Map, Measure, Manage, Govern |
|
|
885
|
-
| **PCI DSS 4.0** | Payment card industry data security standard |
|
|
886
|
-
| **SOC 2 Type II** | Trust Services Criteria (Security, Availability, Confidentiality, PI) |
|
|
887
|
-
| **ISO 27001:2022 + 27002** | International information security management system |
|
|
888
|
-
| **ISO 42001:2023** | AI management system - applied to all LLM/AI components |
|
|
889
|
-
| **GDPR / CCPA / HIPAA** | Data privacy: consent, retention, breach notification, minimum necessary |
|
|
890
|
-
| **SLSA Level 3** | Software supply chain security - hermetic builds, signed provenance |
|
|
891
|
-
| **CIS Benchmarks Level 2** | Hardened cloud, OS, and container configurations |
|
|
892
|
-
| **CVSS v4.0 + EPSS** | Vulnerability scoring and exploit probability - EPSS > 0.5 fixed within 48h |
|
|
364
|
+
| OWASP | Top 10 (Web + API), ASVS L2/L3, MASVS, Top 10 for LLMs, Testing Guide |
|
|
365
|
+
| MITRE | ATT&CK (Enterprise + Cloud + Mobile), D3FEND, ATLAS, CAPEC |
|
|
366
|
+
| NIST | 800-53 Rev 5, CSF 2.0, 800-207 Zero Trust, 800-218 SSDF, AI RMF, 800-131A |
|
|
367
|
+
| Compliance | PCI DSS 4.0, SOC 2 Type II, ISO 27001:2022 + 27002, ISO 42001:2023, GDPR / CCPA / HIPAA |
|
|
368
|
+
| Supply chain and cloud | SLSA Level 3, CIS Benchmarks L2, AWS FSBP, Microsoft Cloud Security Benchmark |
|
|
369
|
+
| Scoring | CVSS v4.0 + EPSS |
|
|
893
370
|
|
|
894
371
|
---
|
|
895
372
|
|
|
896
|
-
##
|
|
373
|
+
## Policy and exceptions
|
|
897
374
|
|
|
898
|
-
|
|
899
|
-
|
|
900
|
-
The policy file controls what the gate blocks, what evidence it requires, and how exceptions are handled. Copy the default and edit:
|
|
375
|
+
The policy lives at `.mcp/policies/security-policy.json`. Copy the default to start:
|
|
901
376
|
|
|
902
377
|
```bash
|
|
903
378
|
mkdir -p .mcp/policies
|
|
904
379
|
cp node_modules/security-mcp/defaults/security-policy.json .mcp/policies/security-policy.json
|
|
905
380
|
```
|
|
906
381
|
|
|
907
|
-
|
|
908
|
-
|
|
909
|
-
```json
|
|
910
|
-
{
|
|
911
|
-
"required_checks": {
|
|
912
|
-
"secrets_scan": { "severity_block": ["HIGH", "CRITICAL"] },
|
|
913
|
-
"dependency_scan": { "severity_block": ["CRITICAL"] },
|
|
914
|
-
"sast": { "severity_block": ["CRITICAL"] },
|
|
915
|
-
"iac_scan": { "severity_block": ["HIGH", "CRITICAL"] }
|
|
916
|
-
},
|
|
917
|
-
"vulnerability_slas": {
|
|
918
|
-
"CRITICAL": "24h",
|
|
919
|
-
"HIGH": "7d",
|
|
920
|
-
"MEDIUM": "30d",
|
|
921
|
-
"CISA_KEV": "24h"
|
|
922
|
-
},
|
|
923
|
-
"exceptions": {
|
|
924
|
-
"require_ticket": true,
|
|
925
|
-
"approval_roles": ["SecurityLead", "GRC", "CTO"]
|
|
926
|
-
}
|
|
927
|
-
}
|
|
928
|
-
```
|
|
929
|
-
|
|
930
|
-
### Add a Security Exception
|
|
931
|
-
|
|
932
|
-
When you have a finding you've consciously accepted (e.g., a CVE in a library you're actively replacing):
|
|
933
|
-
|
|
934
|
-
```bash
|
|
935
|
-
mkdir -p .mcp/exceptions
|
|
936
|
-
cp node_modules/security-mcp/defaults/security-exceptions.json .mcp/exceptions/security-exceptions.json
|
|
937
|
-
```
|
|
938
|
-
|
|
939
|
-
Edit `.mcp/exceptions/security-exceptions.json`:
|
|
382
|
+
Exceptions live at `.mcp/exceptions/security-exceptions.json`. Each entry needs `id`, `finding_ids`, `justification`, `ticket`, `owner`, `approver` (the owner cannot be the approver), `approval_role`, and `expires_on` (within 365 days):
|
|
940
383
|
|
|
941
384
|
```json
|
|
942
385
|
{
|
|
@@ -945,181 +388,137 @@ Edit `.mcp/exceptions/security-exceptions.json`:
|
|
|
945
388
|
{
|
|
946
389
|
"id": "EX-001",
|
|
947
390
|
"finding_ids": ["DEP_CVE_CVE-2024-12345"],
|
|
948
|
-
"justification": "Library being replaced
|
|
391
|
+
"justification": "Library being replaced next sprint; no public exploit",
|
|
949
392
|
"ticket": "JIRA-9999",
|
|
950
|
-
"owner": "
|
|
951
|
-
"approver": "
|
|
393
|
+
"owner": "alice@example.com",
|
|
394
|
+
"approver": "bob@example.com",
|
|
952
395
|
"approval_role": "SecurityLead",
|
|
953
|
-
"expires_on": "
|
|
396
|
+
"expires_on": "2026-12-31"
|
|
954
397
|
}
|
|
955
398
|
]
|
|
956
399
|
}
|
|
957
400
|
```
|
|
958
401
|
|
|
959
|
-
|
|
402
|
+
Expired exceptions automatically become blocking findings until they are renewed or resolved.
|
|
960
403
|
|
|
961
404
|
---
|
|
962
405
|
|
|
963
|
-
## Environment
|
|
406
|
+
## Environment variables
|
|
964
407
|
|
|
965
|
-
###
|
|
408
|
+
### Gate and scope
|
|
966
409
|
|
|
967
410
|
| Variable | Default | Purpose |
|
|
968
411
|
| --- | --- | --- |
|
|
969
|
-
| `
|
|
412
|
+
| `SECURITY_GATE_POLICY` | `.mcp/policies/security-policy.json` | Policy file path |
|
|
413
|
+
| `SECURITY_GATE_MODE` | `recent_changes` | Scan mode |
|
|
414
|
+
| `SECURITY_GATE_TARGETS` | (changed files) | Comma-separated paths to restrict the scan |
|
|
970
415
|
| `SECURITY_GATE_BASE_REF` | `origin/main` | Branch to diff against |
|
|
971
416
|
| `SECURITY_GATE_HEAD_REF` | `HEAD` | Branch being scanned |
|
|
972
|
-
| `
|
|
973
|
-
| `SECURITY_GATE_SCANNERS` | built-in |
|
|
974
|
-
| `
|
|
975
|
-
| `
|
|
976
|
-
| `SECURITY_GATE_TARGETS` | (all changed files) | Comma-separated file paths to restrict the scan surface |
|
|
977
|
-
| `SECURITY_MCP_SHARED_SECRET` | (none) | Authenticates MCP tool callers via constant-time HMAC; enables 3-strike lockout. Generate with `openssl rand -hex 32` |
|
|
978
|
-
| `SECURITY_POLICY_HMAC_KEY` | (none) | Signs the policy file so any tampering is detected at gate startup. Generate with `openssl rand -hex 32` |
|
|
417
|
+
| `SECURITY_GATE_EXCEPTIONS` | (default path) | Exceptions file path |
|
|
418
|
+
| `SECURITY_GATE_SCANNERS` | built-in | Custom scanner config path |
|
|
419
|
+
| `SECURITY_GATE_EVIDENCE_MAP` | (none) | Evidence-coverage map path |
|
|
420
|
+
| `SECURITY_GATE_CONTROL_CATALOG` | (none) | Control-catalog path |
|
|
979
421
|
|
|
980
|
-
###
|
|
422
|
+
### Integrity and signing
|
|
981
423
|
|
|
982
424
|
| Variable | Purpose |
|
|
983
425
|
| --- | --- |
|
|
984
|
-
| `
|
|
985
|
-
| `
|
|
986
|
-
| `
|
|
987
|
-
| `
|
|
988
|
-
| `
|
|
989
|
-
| `
|
|
426
|
+
| `SECURITY_POLICY_HMAC_KEY` | Signs policy / exceptions / baseline (>=32 bytes) |
|
|
427
|
+
| `SECURITY_REQUIRE_SIGNED_EXCEPTIONS` | Fail closed on any unsigned exceptions file |
|
|
428
|
+
| `SECURITY_REQUIRE_AGENT_ATTESTATION` | Fail closed unless the agent run is signed + enforced + clean (see below) |
|
|
429
|
+
| `SECURITY_ALLOW_UNSIGNED_HIGH_SUPPRESSION` | Break-glass: allow unsigned HIGH/CRITICAL suppression |
|
|
430
|
+
| `SECURITY_ATTEST_ALLOW_INCOMPLETE` | Break-glass: attest without a complete PASS |
|
|
431
|
+
| `SECURITY_ATTEST_KEY` | Signs attestation files |
|
|
432
|
+
| `SECURITY_AUDIT_HMAC_KEY` | Signs the routing audit log and the per-agent attestation chain |
|
|
990
433
|
|
|
991
|
-
###
|
|
992
|
-
|
|
993
|
-
| Variable | Purpose |
|
|
994
|
-
| --- | --- |
|
|
995
|
-
| `SECURITY_STAGING_URL` | Enables live HTTP header and TLS checks against your staging environment |
|
|
996
|
-
| `SECURITY_AI_ENDPOINT` | Enables live jailbreak, injection, PII, and rate-limit probes against your AI endpoint |
|
|
997
|
-
| `SECURITY_AUTO_SBOM` | Set `true` to auto-generate a CycloneDX SBOM on each gate run |
|
|
434
|
+
### Observability
|
|
998
435
|
|
|
999
|
-
|
|
1000
|
-
|
|
1001
|
-
|
|
1002
|
-
|
|
1003
|
-
No matter what your AI is asked to build, these are enforced without exception:
|
|
1004
|
-
|
|
1005
|
-
1. **No `0.0.0.0/0` firewall rules** - ingress and egress must be source-restricted
|
|
1006
|
-
2. **All internal services over private VPC only** - no public IPs for databases, queues, or internal APIs
|
|
1007
|
-
3. **Secrets in a secret manager only** - never in code, `.env` files, CI logs, or container images
|
|
1008
|
-
4. **TLS 1.3 for everything in transit** - TLS 1.0 and 1.1 are explicitly blocked
|
|
1009
|
-
5. **Passwords hashed with Argon2id or bcrypt (cost ≥ 14)** - MD5 and SHA-1 are forbidden
|
|
1010
|
-
6. **Every API input validated server-side with a schema** - no passing raw request data to business logic
|
|
1011
|
-
7. **No inline JavaScript** - Content Security Policy is nonce-based only; no `unsafe-inline` or `unsafe-eval`
|
|
1012
|
-
8. **Admin interfaces require FIDO2/WebAuthn passkey** - TOTP is not acceptable for admin access
|
|
1013
|
-
9. **Threat model before any auth, payment, or AI feature** - no design-free implementation
|
|
1014
|
-
10. **Zero Trust: every request authenticated and authorized regardless of origin** - no implicit network trust
|
|
1015
|
-
|
|
1016
|
-
---
|
|
1017
|
-
|
|
1018
|
-
## Troubleshooting
|
|
1019
|
-
|
|
1020
|
-
### The `/senior-security-engineer` command isn't available in my editor
|
|
1021
|
-
|
|
1022
|
-
**Cause:** The skill was not installed to `~/.claude/skills/`.
|
|
1023
|
-
|
|
1024
|
-
**Fix:** Re-run the installer:
|
|
1025
|
-
|
|
1026
|
-
```bash
|
|
1027
|
-
npx -y security-mcp@latest install
|
|
1028
|
-
```
|
|
1029
|
-
|
|
1030
|
-
Then verify the skill exists:
|
|
1031
|
-
|
|
1032
|
-
```bash
|
|
1033
|
-
ls ~/.claude/skills/senior-security-engineer/SKILL.md
|
|
1034
|
-
```
|
|
1035
|
-
|
|
1036
|
-
### The MCP server doesn't appear as connected
|
|
1037
|
-
|
|
1038
|
-
**Cause:** Config file was not written, or the editor wasn't restarted after config was written.
|
|
1039
|
-
|
|
1040
|
-
**Fix:**
|
|
1041
|
-
|
|
1042
|
-
1. Check the config file was written (see editor-specific paths in [Installation](#installation))
|
|
1043
|
-
2. Fully restart the editor (quit and reopen, not just reload window)
|
|
1044
|
-
3. Check Node.js version: `node --version` - must be 20 or higher
|
|
1045
|
-
|
|
1046
|
-
### The CI gate fails with "cannot find module"
|
|
1047
|
-
|
|
1048
|
-
**Cause:** The dist files weren't included in the npm package, or you're referencing a path that doesn't exist.
|
|
436
|
+
| Variable | Default | Purpose |
|
|
437
|
+
| --- | --- | --- |
|
|
438
|
+
| `SECURITY_TOOL_AUDIT_LOG` | `.mcp/audit/tool-calls.jsonl` | Path for the per-tool-call structured audit log; point at an append-only / write-once sink for tamper-proof retention |
|
|
1049
439
|
|
|
1050
|
-
|
|
440
|
+
### Privacy and air-gap
|
|
1051
441
|
|
|
1052
|
-
|
|
442
|
+
| Variable | Purpose |
|
|
443
|
+
| --- | --- |
|
|
444
|
+
| `SECURITY_OFFLINE` | Disable all third-party network egress |
|
|
1053
445
|
|
|
1054
|
-
|
|
446
|
+
### MCP channel
|
|
1055
447
|
|
|
1056
|
-
|
|
448
|
+
| Variable | Default | Purpose |
|
|
449
|
+
| --- | --- | --- |
|
|
450
|
+
| `SECURITY_MCP_SHARED_SECRET` | (none) | Require caller auth on the MCP channel |
|
|
451
|
+
| `SECURITY_SESSION_TTL_MS` | 8h | Session lifetime, capped at 24h |
|
|
1057
452
|
|
|
1058
|
-
|
|
453
|
+
### Remediation
|
|
1059
454
|
|
|
1060
|
-
|
|
1061
|
-
|
|
1062
|
-
|
|
1063
|
-
"severity_block": ["CRITICAL"],
|
|
1064
|
-
"required_checks": ["secrets_scan"]
|
|
1065
|
-
}
|
|
1066
|
-
}
|
|
1067
|
-
```
|
|
455
|
+
| Variable | Purpose |
|
|
456
|
+
| --- | --- |
|
|
457
|
+
| `SECURITY_AGENTIC_QUARANTINE` | Handling for poisoned agent files: `strip`, `sanitize`, `quarantine`, or `off` |
|
|
1068
458
|
|
|
1069
|
-
###
|
|
459
|
+
### Integrations
|
|
1070
460
|
|
|
1071
|
-
|
|
1072
|
-
|
|
1073
|
-
|
|
461
|
+
| Variable | Purpose |
|
|
462
|
+
| --- | --- |
|
|
463
|
+
| `SECURITY_SLACK_WEBHOOK` | Post gate results to Slack |
|
|
464
|
+
| `SECURITY_JIRA_URL` | Create Jira tickets for failures |
|
|
465
|
+
| `SECURITY_JIRA_TOKEN` | Jira API token (never logged) |
|
|
466
|
+
| `SECURITY_JIRA_PROJECT` | Jira project key (default `SECURITY`) |
|
|
467
|
+
| `SECURITY_PAGERDUTY_KEY` | Page on-call for CRITICAL findings |
|
|
468
|
+
| `SECURITY_WEBHOOK_URL` | POST gate results as JSON to any URL |
|
|
1074
469
|
|
|
1075
|
-
|
|
470
|
+
### Live scanning
|
|
1076
471
|
|
|
1077
|
-
|
|
1078
|
-
|
|
1079
|
-
|
|
472
|
+
| Variable | Purpose |
|
|
473
|
+
| --- | --- |
|
|
474
|
+
| `SECURITY_STAGING_URL` | Enable runtime + Nuclei DAST against staging |
|
|
475
|
+
| `SECURITY_AI_ENDPOINT` | Enable live AI red-team probes |
|
|
476
|
+
| `SECURITY_AUTO_SBOM` | Auto-generate a CycloneDX SBOM each run |
|
|
1080
477
|
|
|
1081
478
|
---
|
|
1082
479
|
|
|
1083
|
-
##
|
|
1084
|
-
|
|
1085
|
-
**Q: Does this send my code to any external service?**
|
|
1086
|
-
|
|
1087
|
-
No. The MCP server runs locally as a Node.js process. Your code never leaves your machine. The only external calls made are to the npm registry (to check for updates) and optionally to GitHub (to download skill files) - both only if explicitly permitted. Live CVE/CISA KEV fetches during `/ciso-orchestrator` require your explicit internet permission at runtime.
|
|
1088
|
-
|
|
1089
|
-
**Q: Do I need to know security to use this?**
|
|
1090
|
-
|
|
1091
|
-
No. The tool is designed so that you don't need to understand what OWASP or ATT&CK mean. You describe what you're building, and the security engineer handles the rest.
|
|
1092
|
-
|
|
1093
|
-
**Q: Will it slow down my development?**
|
|
480
|
+
## The 10 non-negotiable rules
|
|
1094
481
|
|
|
1095
|
-
|
|
482
|
+
No matter what the AI is asked to build, these hold:
|
|
1096
483
|
|
|
1097
|
-
|
|
484
|
+
1. No `0.0.0.0/0` firewall rules. Ingress and egress are source-restricted.
|
|
485
|
+
2. Internal services live on a private VPC only, never on public IPs.
|
|
486
|
+
3. Secrets live in a secret manager only, never in code, `.env`, CI logs, or images.
|
|
487
|
+
4. TLS 1.3 for everything in transit. TLS 1.0 and 1.1 are blocked.
|
|
488
|
+
5. Passwords hashed with Argon2id, or bcrypt at cost 14 or higher.
|
|
489
|
+
6. Every API input validated server-side with a schema.
|
|
490
|
+
7. No inline JavaScript. Content Security Policy is nonce-based only.
|
|
491
|
+
8. Admin interfaces require FIDO2/WebAuthn.
|
|
492
|
+
9. Threat-model before any auth, payment, or AI feature.
|
|
493
|
+
10. Zero Trust: every request authenticated and authorized regardless of origin.
|
|
1098
494
|
|
|
1099
|
-
|
|
1100
|
-
|
|
1101
|
-
**Q: Can I use this on an existing codebase with lots of issues?**
|
|
1102
|
-
|
|
1103
|
-
Yes. Use `security.generate_policy` to set appropriate thresholds for your current state, add exceptions for known-accepted technical debt, and use the gate's MEDIUM/LOW findings as a backlog rather than blockers.
|
|
495
|
+
---
|
|
1104
496
|
|
|
1105
|
-
|
|
497
|
+
## CLI reference
|
|
1106
498
|
|
|
1107
|
-
|
|
499
|
+
The `security-mcp` binary exposes:
|
|
1108
500
|
|
|
1109
|
-
|
|
501
|
+
| Command | Purpose |
|
|
502
|
+
| --- | --- |
|
|
503
|
+
| `serve` | Run the MCP server |
|
|
504
|
+
| `install` | Install for auto-detected editors |
|
|
505
|
+
| `install-global` | Install globally |
|
|
506
|
+
| `config` | Manage configuration |
|
|
507
|
+
| `doctor` (alias `verify`) | Health check |
|
|
508
|
+
| `autoharden` | Auto-remediate Terraform (`--dry-run` to preview) |
|
|
509
|
+
| `ci:pr-gate` | Run the gate in CI (non-zero exit on HIGH/CRITICAL) |
|
|
510
|
+
| `sign-policy` | HMAC-sign the active policy |
|
|
1110
511
|
|
|
1111
|
-
|
|
512
|
+
---
|
|
1112
513
|
|
|
1113
|
-
|
|
514
|
+
## Documentation and disclosure
|
|
1114
515
|
|
|
1115
|
-
|
|
516
|
+
- **Deep-dive docs:** the [GitHub Wiki](https://github.com/AbrahamOO/security-mcp/wiki).
|
|
517
|
+
- **Contributing:** [CONTRIBUTING.md](CONTRIBUTING.md).
|
|
518
|
+
- **Reporting a vulnerability in security-mcp itself:** see [SECURITY.md](SECURITY.md), which uses GitHub private security advisories for responsible disclosure.
|
|
1116
519
|
|
|
1117
520
|
---
|
|
1118
521
|
|
|
1119
|
-
## Contributing
|
|
1120
|
-
|
|
1121
|
-
See [CONTRIBUTING.md](CONTRIBUTING.md).
|
|
1122
|
-
|
|
1123
522
|
## License
|
|
1124
523
|
|
|
1125
|
-
[MIT](LICENSE)
|
|
524
|
+
[MIT](LICENSE)
|