security-mcp 1.3.3 → 1.3.4
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +22 -94
- package/package.json +4 -2
package/README.md
CHANGED
|
@@ -22,7 +22,7 @@ npx -y security-mcp@latest install
|
|
|
22
22
|
## Table of Contents
|
|
23
23
|
|
|
24
24
|
- [Why this exists](#why-this-exists)
|
|
25
|
-
- [What's new in 1.3.
|
|
25
|
+
- [What's new in 1.3.3](#whats-new-in-133)
|
|
26
26
|
- [System overview](#system-overview)
|
|
27
27
|
- [The two entry points](#the-two-entry-points)
|
|
28
28
|
- [/senior-security-engineer](#senior-security-engineer)
|
|
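Review bot: the table-of-contents entry in this hunk still links to `#whats-new-in-133` while package.json in the same release moves `"version"` to 1.3.4, so the published README advertises the previous release's changes as the newest. Either add a `What's new in 1.3.4` heading and link (even if it only records the diagram and scripts changes) or make the heading version-agnostic so it cannot drift from package.json on every patch release.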
@@ -58,13 +58,15 @@ You get three things from one install:
|
|
|
58
58
|
|
|
59
59
|
---
|
|
60
60
|
|
|
61
|
-
## What's new in 1.3.
|
|
61
|
+
## What's new in 1.3.3
|
|
62
62
|
|
|
63
|
-
**
|
|
63
|
+
**Inter-agent payload integrity.** `orchestration.merge_agent_findings` is the single trust sink for a whole agent run, so it now validates every agent's findings against a strict schema and verifies each file's hash against that agent's signed attestation before the findings reach the gate. With an attestation chain present it runs **enforced**: unattested or tampered agent files are rejected, and a hash mismatch or failed chain forces the gate to FAIL even with zero findings. Set `SECURITY_REQUIRE_AGENT_ATTESTATION` to fail closed unless the run is HMAC-signed, enforced, and chain-valid.
|
|
64
64
|
|
|
65
|
-
**
|
|
65
|
+
**Per-tool-call audit log.** Every MCP tool invocation emits one structured JSONL record with the eight mandatory fields — timestamp, agent id, tool, input parameters (secrets redacted), output (outcome + size + truncated preview), credentials used (session id, never the secret), user context, and outcome status — to `.mcp/audit/tool-calls.jsonl` (`0o600`). Point `SECURITY_TOOL_AUDIT_LOG` at an append-only sink for tamper-proof retention. Logging never interrupts tool execution.
|
|
66
66
|
|
|
67
|
-
|
|
67
|
+
Both close gaps from an agentic-AI threat model of security-mcp's own multi-agent system and were hardened through a three-agent adversarial review (highest-severity-wins dedupe, secret/PII value scrubbing in the audit preview, honest unsigned-chain reporting). See the [CHANGELOG](CHANGELOG.md) for the full list and accepted residual risk.
|
|
68
|
+
|
|
69
|
+
**1.3.2 — cloud security controls engine.** A registry-driven engine that scans infrastructure-as-code against 998 rules mapped to AWS FSBP, CIS Benchmarks (AWS / GCP / Azure), and the Microsoft Cloud Security Benchmark, across Terraform, CloudFormation, and Bicep. Terraform violations can be auto-remediated with `security-mcp autoharden` ([dedicated section](#cloud-security-controls-engine)). It also added the `security-mcp ci:pr-gate` and `sign-policy` CLI commands, and hardened the tool against itself (unsigned policies and exceptions can no longer relax the gate; data at rest is written `0o600`) — see [self-protection and supply-chain posture](#self-protection-and-supply-chain-posture).
|
|
68
70
|
|
|
69
71
|
Earlier releases expanded the deep-analysis pattern libraries (injection, authentication, supply chain, business logic), brought OWASP Top 10 to full coverage, and wired the industry scanners into the gate.
|
|
70
72
|
|
|
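Review bot: `Logging never interrupts tool execution` in the audit-log paragraph describes a fail-open control, and nothing in the hunk says whether a failed write to `.mcp/audit/tool-calls.jsonl` or to the `SECURITY_TOOL_AUDIT_LOG` sink is surfaced anywhere; if the sink is unwritable, every tool call proceeds unlogged and the text gives an operator no way to learn of it. Suggest documenting where audit-write failures are reported (and counted, since dropped records matter most in an integrity log), and softening `tamper-proof retention`: an append-only sink prevents silent edits of past records, while `0o600` only restricts who may read the file. In the payload-integrity paragraph, `SECURITY_REQUIRE_AGENT_ATTESTATION` is described by its effect but not by its accepted value; state what it must be set to. And because the run is `HMAC-signed`, say where the HMAC key is expected to live, since any holder of that key can produce a chain that verifies as valid.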
@@ -72,27 +74,9 @@ Earlier releases expanded the deep-analysis pattern libraries (injection, authen
|
|
|
72
74
|
|
|
73
75
|
## System overview
|
|
74
76
|
|
|
75
|
-
|
|
76
|
-
|
|
77
|
-
|
|
78
|
-
A["/senior-security-engineer"]
|
|
79
|
-
B["/ciso-orchestrator"]
|
|
80
|
-
end
|
|
81
|
-
|
|
82
|
-
A -->|MCP stdio| S["MCP server"]
|
|
83
|
-
B -->|MCP stdio| S
|
|
84
|
-
|
|
85
|
-
S --> G["Gate engine (35 checks)"]
|
|
86
|
-
S --> O["Orchestration (39+ agents)"]
|
|
87
|
-
S --> C["Cloud controls (998 rules)"]
|
|
88
|
-
S --> P["Platform subsystems"]
|
|
89
|
-
|
|
90
|
-
G --> AT["SHA-256 attestation"]
|
|
91
|
-
O --> AT
|
|
92
|
-
P --> R["Model router / learning / hash chain / auth"]
|
|
93
|
-
|
|
94
|
-
CI["CI: security-mcp ci:pr-gate"] --> G
|
|
95
|
-
```
|
|
77
|
+
<p align="center">
|
|
78
|
+
<img src="https://raw.githubusercontent.com/AbrahamOO/security-mcp/main/assets/diagrams/system-overview.svg" alt="System overview: editor skills and CI both call the same MCP server, which drives the gate engine, orchestration, cloud controls, and platform subsystems into a shared attestation." width="820">
|
|
79
|
+
</p>
|
|
96
80
|
|
|
97
81
|
The MCP server is the trust root. Both entry-point skills, the standalone CI gate, and every supporting subsystem call into the same engine, so an interactive fix and a CI verdict are produced by identical logic.
|
|
98
82
|
|
|
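Review bot: the new `<img>` loads `system-overview.svg` from the `main` branch of `raw.githubusercontent.com`, which is mutable: the diagram a reader of this published README sees can change after release, and a reader without network access sees only the alt text. Pin the URL to a tag or commit for this release (or ship the SVG inside the package), and keep the removed Mermaid source alongside the image, because details it carried such as `Gate engine (35 checks)`, `Orchestration (39+ agents)` and `Cloud controls (998 rules)` are not present in the alt text.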
@@ -119,21 +103,9 @@ A single elite security-engineer agent. It operates 90% fixing, 10% advisory: it
|
|
|
119
103
|
|
|
120
104
|
This is the daily driver. Use it on every PR.
|
|
121
105
|
|
|
122
|
-
|
|
123
|
-
|
|
124
|
-
|
|
125
|
-
SC -->|A| D["Recent changes / git diff"]
|
|
126
|
-
SC -->|B| F["Full codebase"]
|
|
127
|
-
SC -->|C| P["Specific files / folders"]
|
|
128
|
-
D --> ST["Build strategy"]
|
|
129
|
-
F --> ST
|
|
130
|
-
P --> ST
|
|
131
|
-
ST --> GT["Run gate"]
|
|
132
|
-
GT --> FX["Write inline fixes"]
|
|
133
|
-
FX --> RV["Re-run check, confirm clean"]
|
|
134
|
-
RV -->|remaining| FX
|
|
135
|
-
RV -->|clean| AT["SHA-256 attested report"]
|
|
136
|
-
```
|
|
106
|
+
<p align="center">
|
|
107
|
+
<img src="https://raw.githubusercontent.com/AbrahamOO/security-mcp/main/assets/diagrams/senior-security-engineer.svg" alt="senior-security-engineer flow: pick scope, build strategy, run gate, write inline fixes, re-run until clean, then emit a SHA-256 attested report." width="720">
|
|
108
|
+
</p>
|
|
137
109
|
|
|
138
110
|
### /ciso-orchestrator
|
|
139
111
|
|
|
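Review bot: the same mutable-`main` URL concern applies to `senior-security-engineer.svg`. In addition, the removed flowchart named the three scope choices (`Recent changes / git diff`, `Full codebase`, `Specific files / folders`) and showed the fix loop explicitly (`RV -->|remaining| FX`), whereas the alt text reduces this to `pick scope` and `re-run until clean`; since the retained line says `Use it on every PR`, the diff-scoped mode is the one most readers will use, so keep the scope list in text so the README remains accurate when the image does not render.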
@@ -145,31 +117,9 @@ It runs in three phases:
|
|
|
145
117
|
2. **Adversarial and compliance (parallel).** A penetration-test team reads Phase 1's threat model as its attack brief, while a compliance/GRC synthesizer maps findings to controls.
|
|
146
118
|
3. **Synthesis.** Each agent's findings file is schema-validated and verified against that agent's signed attestation before it is trusted, then findings are merged and deduplicated, SKILL.md section coverage (§0 through §24) is verified, and a signed attestation is written. A tampered attestation chain or a findings-hash mismatch forces the gate to FAIL.
|
|
147
119
|
|
|
148
|
-
|
|
149
|
-
|
|
150
|
-
|
|
151
|
-
ORCH --> P2
|
|
152
|
-
ORCH --> P3
|
|
153
|
-
|
|
154
|
-
subgraph P1["Phase 1: discovery (parallel)"]
|
|
155
|
-
TM["threat-modeler"] --> TM1["stride-pasta-analyst"] & TM2["attack-navigator"] & TM3["business-logic-attacker"] & TM4["privacy-flow-analyst"]
|
|
156
|
-
AC["appsec-code-auditor"] --> AC1["injection-specialist"] & AC2["auth-session-hacker"] & AC3["logic-race-fuzzer"] & AC4["serialization-memory-attacker"]
|
|
157
|
-
CI["cloud-infra-specialist"] --> CI1["aws/gcp/azure-pentester"] & CI2["k8s-container-escaper"]
|
|
158
|
-
SD["supply-chain-devsecops"] --> SD1["dependency-confusion-attacker"] & SD2["cicd-pipeline-hijacker"] & SD3["artifact-integrity-analyst"]
|
|
159
|
-
AI["ai-llm-redteam"] --> AI1["prompt-injection-specialist"] & AI2["model-extraction-attacker"] & AI3["rag-poisoning-specialist"] & AI4["agentic-loop-exploiter"]
|
|
160
|
-
MB["mobile-security-specialist"] --> MB1["ios-security-auditor"] & MB2["android-penetration-tester"] & MB3["mobile-api-network-attacker"]
|
|
161
|
-
CR["crypto-pki-specialist"] --> CR1["tls-certificate-auditor"] & CR2["algorithm-implementation-reviewer"] & CR3["key-management-lifecycle-analyst"]
|
|
162
|
-
end
|
|
163
|
-
|
|
164
|
-
subgraph P2["Phase 2: adversarial + compliance (parallel)"]
|
|
165
|
-
PT["pentest-team"] --> PT1["pentest-web-api"] & PT2["pentest-infra"] & PT3["pentest-social"]
|
|
166
|
-
GRC["compliance-grc"] --> GRC1["evidence-collector"] & GRC2["compliance-gap-analyst"]
|
|
167
|
-
end
|
|
168
|
-
|
|
169
|
-
subgraph P3["Phase 3: synthesis"]
|
|
170
|
-
M["Verify attestations + merge + dedupe"] --> V["Verify §0-§24 coverage"] --> A["Signed attestation"]
|
|
171
|
-
end
|
|
172
|
-
```
|
|
120
|
+
<p align="center">
|
|
121
|
+
<img src="https://raw.githubusercontent.com/AbrahamOO/security-mcp/main/assets/diagrams/ciso-orchestrator.svg" alt="ciso-orchestrator spawn tree: Phase 1 discovery leads and sub-agents in parallel, Phase 2 pentest and compliance teams, Phase 3 attestation verification, merge, coverage check, and signed attestation." width="940">
|
|
122
|
+
</p>
|
|
173
123
|
|
|
174
124
|
Cloud, AI/LLM, and mobile sub-agents are conditional: they activate only when the relevant stack is detected, and report N/A otherwise.
|
|
175
125
|
|
|
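Review bot: the removed Mermaid spawn tree was the only place this README enumerated the orchestrator's lead agents and sub-agents by name (`threat-modeler`, `injection-specialist`, `prompt-injection-specialist`, `k8s-container-escaper` and the rest); the replacement alt text describes the three phases only. The retained line below the image still says `Cloud, AI/LLM, and mobile sub-agents are conditional`, but readers now have no roster to check that statement against, and the agent names are no longer searchable in the packaged README. Suggest keeping the roster as a text list or table next to the image.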
@@ -179,23 +129,9 @@ Cloud, AI/LLM, and mobile sub-agents are conditional: they activate only when th
|
|
|
179
129
|
|
|
180
130
|
The gate is the deterministic core. On every run it executes 35 security checks in parallel (33 distinct check modules plus 2 precomputed coverage feeds). It is surface-aware: it first detects which surfaces a change touches (web, API, infrastructure, iOS, Android, AI/LLM, agentic) and runs the relevant checks against them.
|
|
181
131
|
|
|
182
|
-
|
|
183
|
-
|
|
184
|
-
|
|
185
|
-
SC --> CT["Classify change type"]
|
|
186
|
-
CT -->|docs-only| SS["Secrets scan only"]
|
|
187
|
-
CT -->|code| DS["Detect surfaces"]
|
|
188
|
-
DS --> CAT["Load catalog + scanner readiness + evidence coverage"]
|
|
189
|
-
CAT --> RUN["Run 35 checks in parallel"]
|
|
190
|
-
RUN --> SLA["Assign risk SLAs"]
|
|
191
|
-
SLA --> CM["Build coverage manifest"]
|
|
192
|
-
CM --> EX["Apply exceptions"]
|
|
193
|
-
EX --> CONF["Confidence score (70% coverage + 30% scanner)"]
|
|
194
|
-
CONF --> BL["Diff against baseline"]
|
|
195
|
-
BL --> VR{"Verdict by severity_block"}
|
|
196
|
-
VR --> PB["Persist new baseline"]
|
|
197
|
-
SS --> VR
|
|
198
|
-
```
|
|
132
|
+
<p align="center">
|
|
133
|
+
<img src="https://raw.githubusercontent.com/AbrahamOO/security-mcp/main/assets/diagrams/gate-engine.svg" alt="Gate engine pipeline: load HMAC-verified policy, resolve scope, classify change, detect surfaces, run 35 checks in parallel, assign SLAs, build coverage manifest, apply exceptions, score confidence, diff against baseline, and produce a verdict." width="760">
|
|
134
|
+
</p>
|
|
199
135
|
|
|
200
136
|
A crashed check module never disappears quietly. It becomes a HIGH coverage-gap finding, so the absence of a result is itself a result. A control that regresses from satisfied to missing against the saved baseline also becomes a HIGH finding.
|
|
201
137
|
|
|
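Review bot: the context line above the image says the gate `executes 35 security checks in parallel (33 distinct check modules plus 2 precomputed coverage feeds)`, so two of the 35 are feeds rather than checks, yet the removed node `Run 35 checks in parallel` and the new alt text both repeat the 35 figure; either count 33 checks or describe the two feeds as inputs. Separately, the alt text opens with `load HMAC-verified policy`, a stage the removed diagram did not show (it began at scope resolution and `Classify change type`); if policy verification really is the first stage, state it in the prose as well, since it is the step that backs the earlier claim that `unsigned policies and exceptions can no longer relax the gate`.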
@@ -236,17 +172,9 @@ A registry-driven engine scans infrastructure-as-code against 998 rules mapped t
|
|
|
236
172
|
| CloudFormation | 128 |
|
|
237
173
|
| Bicep | 96 |
|
|
238
174
|
|
|
239
|
-
|
|
240
|
-
|
|
241
|
-
|
|
242
|
-
DET --> V["Violations"]
|
|
243
|
-
V --> AF{"Safe to auto-fix?"}
|
|
244
|
-
AF -->|yes, Terraform| FIX["Apply fix"]
|
|
245
|
-
FIX --> RD["Re-detect"]
|
|
246
|
-
RD -->|cleared| KEEP["Keep change"]
|
|
247
|
-
RD -->|not cleared| REV["Revert, report manual"]
|
|
248
|
-
AF -->|no| MAN["Manual action + snippet"]
|
|
249
|
-
```
|
|
175
|
+
<p align="center">
|
|
176
|
+
<img src="https://raw.githubusercontent.com/AbrahamOO/security-mcp/main/assets/diagrams/cloud-controls.svg" alt="Cloud controls flow: detect IaC against the 998-rule registry, surface violations, auto-fix safe Terraform cases then re-detect to confirm, revert if not cleared, and report anything unsafe as a manual action with a snippet." width="720">
|
|
177
|
+
</p>
|
|
250
178
|
|
|
251
179
|
Terraform supports auto-remediation through `security-mcp autoharden` (use `--dry-run` to preview). The engine applies a fix, re-detects to confirm the violation actually cleared, and only then keeps the change. Anything it cannot safely auto-fix is reported as a manual action with a code snippet.
|
|
252
180
|
|
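Review bot: neither the alt text's `Safe to auto-fix?` decision nor the retained prose says what makes a Terraform fix safe to apply, so a reader cannot predict which of the 998 rules `security-mcp autoharden` will edit in place and which it will report as manual. Document the safety criteria (for example, whether a fix only adds or tightens attributes and never removes resources), and state that the revert on `not cleared` restores the original file rather than leaving a partially applied change. Since `--dry-run` is already mentioned, recommending it before running against an uncommitted working tree would be a useful one-line addition.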
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "security-mcp",
|
|
3
|
-
"version": "1.3.
|
|
3
|
+
"version": "1.3.4",
|
|
4
4
|
"description": "AI security MCP server and enforcement gate for Claude Code, Cursor, GitHub Copilot, Codex, Replit, and any MCP-compatible editor. Applies OWASP, MITRE ATT&CK, NIST, Zero Trust, PCI DSS, SOC 2, and ISO 27001.",
|
|
5
5
|
"type": "module",
|
|
6
6
|
"license": "MIT",
|
|
@@ -58,6 +58,8 @@
|
|
|
58
58
|
"start": "node dist/cli/index.js serve",
|
|
59
59
|
"mcp:server": "node dist/mcp/server.js",
|
|
60
60
|
"ci:pr-gate": "node dist/ci/pr-gate.js",
|
|
61
|
+
"version:bump": "node scripts/bump-version.mjs",
|
|
62
|
+
"version:check": "node scripts/check-version.mjs",
|
|
61
63
|
"test": "npm run build && node dist/tests/run.js"
|
|
62
64
|
},
|
|
63
65
|
"dependencies": {
|
|
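Review bot: `version:bump` and `version:check` point at `scripts/bump-version.mjs` and `scripts/check-version.mjs`, neither of which appears in this diff (the file list at the top names only README.md and package.json as changed). If `scripts/` is not in the published tarball, `npm run version:check` fails for anyone installing from the registry; if it is, the scripts are part of the shipped supply-chain surface and belong in the changelog. Also, given that this release ships a README whose `What's new` heading still says 1.3.3 beside `"version": "1.3.4"`, the check evidently does not cover the README; extending it there would have caught this diff.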
@@ -69,7 +71,7 @@
|
|
|
69
71
|
},
|
|
70
72
|
"overrides": {
|
|
71
73
|
"express-rate-limit": "8.5.2",
|
|
72
|
-
"hono": "4.12.
|
|
74
|
+
"hono": "4.12.26"
|
|
73
75
|
},
|
|
74
76
|
"devDependencies": {
|
|
75
77
|
"@eslint/js": "^9.22.0",
|
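Review bot: the `overrides` block pins `hono` to the exact version `4.12.26` and `express-rate-limit` to `8.5.2`, which is the right shape for a transitive pin, but npm honours `overrides` only in the root project's package.json; when security-mcp is installed as a dependency, including via the `npx -y security-mcp@latest install` line in the README, these pins are ignored and consumers receive whatever the declared dependency ranges resolve to. If the hono bump closes an advisory, say so in the CHANGELOG with the advisory reference, and rely on the dependency ranges or a shipped lockfile rather than `overrides` to guarantee the version end users actually get.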