You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
A pluggable security scanner system for MCPProxy that runs Docker-based scanners against quarantined MCP servers before approval. The system includes scanner registry management, parallel scan execution with SARIF output normalization, approve/reject/rescan workflow with integrity baselines, and runtime integrity verification.
Files Created (New)
Core Scanner Package (internal/security/scanner/)
File
LOC
Purpose
types.go
~180
Domain types: ScannerPlugin, ScanJob, ScanReport, ScanFinding, IntegrityBaseline, etc.
registry.go
~160
Scanner registry with bundled + user JSON merge, custom scanner registration
Frontend: vue-tsc --noEmit passes, npm run build succeeds
Architecture Decisions
Docker CLI via os/exec (not Docker Go SDK) — consistent with existing codebase, no new heavy dependencies
SARIF as primary output + generic JSON fallback — universal output with backwards compatibility
Volume mount for results — simpler than docker cp TAR extraction
Bundled registry as Go constants — no external file needed for fresh install
SecurityController interface — clean separation between HTTP layer and business logic
Optional integration — securityController is nil-safe; feature disabled without configuration
PR #356 Cleanup
The original PR branch 039-security-scanner-plugins was stale — it deleted working code from main (quarantine invariants, connect feature, multiple specs). A new clean branch feat/039-security-scanner-plugins was created from current main with only the scanner spec + implementation.