feat(mcp-rules): add 4 new MCP security detection rules#456
Conversation
Add the following MCP server security detection rules to expand the MCP scanning coverage from 4 to 8 rules: - mcp_ssrf: Detect SSRF via unvalidated URL/hostname arguments reaching network clients without private-address-range checks - mcp_path_traversal: Detect path traversal via unsanitized file path arguments reaching filesystem APIs without canonicalization or directory-boundary checks - mcp_insecure_deserialization: Detect RCE via caller-supplied data deserialized with unsafe serializers (pickle, marshal, yaml.load, unserialize, ObjectInputStream) - mcp_hardcoded_secrets: Detect hardcoded API keys, tokens, private keys, and passwords embedded in MCP server source code Each rule follows the existing ATR (Agent Threat Rules) format with detection criteria, strict judgment standards, and output requirements.
Code Review: feat(mcp-rules): add 4 new MCP security detection rulesOverall quality is good — well-structured prompt templates with clear vulnerability definitions and detection criteria. ✅ Strengths
|
|
Thanks for the review! Addressed the minor suggestions:
Ready for merge. |
Add the following MCP server security detection rules to expand the MCP scanning coverage from 4 to 8 rules:
Each rule follows the existing format with detection criteria, strict judgment standards, and output requirements.