Skip to content

Latest commit

 

History

History
95 lines (77 loc) · 5.15 KB

File metadata and controls

95 lines (77 loc) · 5.15 KB

Autonomous Summary: Security Scanner Plugin System (Spec 039)

Branch: feat/039-security-scanner-plugins Date: 2026-04-03 Status: Implementation complete, tests passing

What Was Built

A pluggable security scanner system for MCPProxy that runs Docker-based scanners against quarantined MCP servers before approval. The system includes scanner registry management, parallel scan execution with SARIF output normalization, approve/reject/rescan workflow with integrity baselines, and runtime integrity verification.

Files Created (New)

Core Scanner Package (internal/security/scanner/)

File LOC Purpose
types.go ~180 Domain types: ScannerPlugin, ScanJob, ScanReport, ScanFinding, IntegrityBaseline, etc.
registry.go ~160 Scanner registry with bundled + user JSON merge, custom scanner registration
registry_bundled.go ~80 Bundled scanner entries: mcp-scan, cisco-mcp-scanner, semgrep-mcp, trivy-mcp
registry_test.go ~140 Registry tests: list, get, register, unregister, user override, validate
docker.go ~180 Docker CLI operations: pull, run, kill, read report, image digest
docker_test.go ~80 Docker helper tests: container naming, report reading, config validation
sarif.go ~220 SARIF 2.1.0 parser, finding normalization, risk score calculation
sarif_test.go ~250 SARIF tests: parse, normalize, level mapping, risk scores, round-trip
engine.go ~280 Scan orchestration: parallel scanner execution, timeout handling, result aggregation
engine_test.go ~260 Engine tests: resolve scanners, parse results, concurrent scan prevention, cancel
service.go ~340 Business logic: install/remove/configure scanners, start/cancel scans, approve/reject, integrity check, overview
service_test.go ~280 Service tests: list merge, configure, approve/reject workflow, overview

Storage (internal/storage/)

File LOC Purpose
scanner.go ~250 BBolt CRUD for 4 buckets: scanners, jobs, reports, baselines
scanner_test.go ~150 Storage CRUD tests for all 4 entity types

HTTP API (internal/httpapi/)

File LOC Purpose
security_scanner.go ~350 REST API handlers: 13 endpoints for scanner/scan/approve/overview
security_scanner_test.go ~300 HTTP handler tests with mock controller

CLI (cmd/mcpproxy/)

File LOC Purpose
security_cmd.go ~1150 Cobra CLI commands: scanners/install/scan/approve/reject/overview/integrity

Frontend (frontend/src/)

File LOC Purpose
views/Security.vue ~390 Web UI security dashboard with scanner management, scan trigger, report viewer

Documentation

File Purpose
docs/features/security-scanner-plugins.md Feature documentation with quick start, CLI, API reference
specs/039-security-scanner-plugins/spec.md Formal specification (speckit format)
specs/039-security-scanner-plugins/plan.md Implementation plan
specs/039-security-scanner-plugins/checklists/requirements.md Quality checklist

Files Modified

File Changes
internal/storage/models.go +4 bucket constants
internal/storage/bbolt.go +4 buckets in initBuckets()
internal/storage/manager.go +20 delegation methods for scanner CRUD
internal/config/config.go +SecurityConfig struct and field
internal/runtime/events.go +5 security event type constants
internal/runtime/event_bus.go +5 event emission methods
internal/httpapi/server.go +securityController field, +security routes
cmd/mcpproxy/main.go +security command registration
frontend/src/services/api.ts +15 security API methods
frontend/src/router/index.ts +security route
frontend/src/components/SidebarNav.vue +Security sidebar entry

Test Results

  • Scanner package: All tests pass with -race (2.1s)
  • Storage: All tests pass with -race (4.4s)
  • HTTP API: All tests pass with -race (1.7s)
  • Config: All tests pass with -race (2.8s)
  • Build: go build ./... succeeds
  • Frontend: vue-tsc --noEmit passes, npm run build succeeds

Architecture Decisions

  1. Docker CLI via os/exec (not Docker Go SDK) — consistent with existing codebase, no new heavy dependencies
  2. SARIF as primary output + generic JSON fallback — universal output with backwards compatibility
  3. Volume mount for results — simpler than docker cp TAR extraction
  4. Bundled registry as Go constants — no external file needed for fresh install
  5. SecurityController interface — clean separation between HTTP layer and business logic
  6. Optional integrationsecurityController is nil-safe; feature disabled without configuration

PR #356 Cleanup

The original PR branch 039-security-scanner-plugins was stale — it deleted working code from main (quarantine invariants, connect feature, multiple specs). A new clean branch feat/039-security-scanner-plugins was created from current main with only the scanner spec + implementation.