# Security Policy
## Supported Versions
We release patches for security vulnerabilities. Which versions are eligible for receiving such patches depends on the CVSS v3.0 Rating:
| CVSS v3.0 | Supported Versions |
| --------- | ----------------------------------------- |
| 9.0-10.0 | Releases within the previous three months |
| 4.0-8.9 | Most recent release |
## Reporting a Vulnerability
**Please do not report security vulnerabilities through public GitHub issues.**
Instead, please report them via:
### Security Contact
- **Email**: jayrajiitr.16@gmail.com
- **Subject**: Security Vulnerability in GCP MCP Server
### What to Include
Please include the following information along with your report:
- **Type of issue** (e.g. buffer overflow, SQL injection, cross-site scripting, etc.)
- **Full paths of source file(s)** related to the manifestation of the issue
- **The location of the affected source code** (tag/branch/commit or direct URL)
- **Any special configuration** required to reproduce the issue
- **Step-by-step instructions** to reproduce the issue
- **Proof-of-concept or exploit code** (if possible)
- **Impact of the issue**, including how an attacker might exploit the issue
This information will help us triage your report more quickly.
### Response Timeline
- **Initial Response**: Within 48 hours
- **Status Update**: Within 7 days
- **Resolution Timeline**: Varies based on complexity
## Security Measures
### Code Security
- **Static Analysis**: Automated security scanning with Bandit
- **Dependency Scanning**: Regular dependency vulnerability checks
- **Code Review**: All changes require security-focused review
- **Input Validation**: Comprehensive input sanitization
- **Error Handling**: Secure error messages that don't leak sensitive data
### Credential Security
- **No Hardcoded Secrets**: No credentials stored in source code
- **Secure Defaults**: Secure authentication patterns by default
- **Environment Variables**: Sensitive data only through environment variables
- **Documentation**: Clear security guidelines for users
### Infrastructure Security
- **Container Security**: Secure Docker images with minimal attack surface
- **Dependency Management**: Regular updates and vulnerability patching
- **Access Controls**: Principle of least privilege
- **Monitoring**: Security event logging and monitoring
## Security Best Practices for Users
### Authentication
- **Use Service Accounts**: Prefer service account keys over user credentials
- **Rotate Credentials**: Regularly rotate service account keys
- **Least Privilege**: Grant minimal required permissions
- **Environment Variables**: Store credentials in environment variables, not files
### Network Security
- **TLS Encryption**: Use HTTPS for all GCP API communications
- **Firewall Rules**: Restrict network access to necessary services
- **VPC Networks**: Use private networks where possible
### Monitoring
- **Audit Logs**: Enable and monitor GCP audit logging
- **Anomaly Detection**: Monitor for unusual access patterns
- **Error Monitoring**: Track and investigate authentication failures
### Configuration
```bash
# Point Google client libraries (Application Default Credentials) at the key file
export GOOGLE_APPLICATION_CREDENTIALS="/secure/path/to/service-account.json"
# Restrict the key file to owner read/write only
chmod 600 /secure/path/to/service-account.json
# Authenticate the gcloud CLI as the service account; its IAM roles determine what it can access
gcloud auth activate-service-account --key-file=/secure/path/to/service-account.json
```
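A preflight check for the setup above, added here as an example and not part of this project's code; `check_sa_key` and `file_mode` are hypothetical helper names. It rejects a key file that is a symlink, is owned by another user, is accessible to group or others, or does not look like a service account key.

```bash
#!/usr/bin/env bash
# Added example: verify the key file named by GOOGLE_APPLICATION_CREDENTIALS
# before starting the server. Helper names are hypothetical.

# Print the octal permission bits of a file (GNU stat first, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 only if the key is a regular, non-symlink file owned by the
# current user with no group/other permission bits set (600 or 400).
check_sa_key() {
    local key="${1:-${GOOGLE_APPLICATION_CREDENTIALS:-}}"
    local mode
    if [ -z "$key" ]; then
        echo "GOOGLE_APPLICATION_CREDENTIALS is not set" >&2
        return 2
    fi
    if [ -L "$key" ] || [ ! -f "$key" ]; then
        echo "$key: not a regular file" >&2
        return 3
    fi
    if [ ! -O "$key" ]; then
        echo "$key: not owned by the current user" >&2
        return 4
    fi
    mode="$(file_mode "$key")" || return 5
    case "$mode" in
        600|400) ;;
        *)  echo "$key: mode $mode is too permissive, expected 600" >&2
            return 6 ;;
    esac
    # A service account key is JSON carrying "type": "service_account".
    if ! grep -Eq '"type"[[:space:]]*:[[:space:]]*"service_account"' "$key"; then
        echo "$key: does not look like a service account key" >&2
        return 7
    fi
    return 0
}
```

Call `check_sa_key` with no argument to check the path in `GOOGLE_APPLICATION_CREDENTIALS`, and abort startup on a non-zero return.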
## Security Checklist for Contributors
### Code Changes
- [ ] No hardcoded credentials or API keys
- [ ] Input validation for all user inputs
- [ ] Secure error handling (no sensitive data in errors)
- [ ] Dependencies are up-to-date and secure
- [ ] Security tests added for new functionality
### Testing
- [ ] Security tests pass
- [ ] Bandit security linting passes
- [ ] Dependency vulnerability scan passes
- [ ] Manual security review completed
### Documentation
- [ ] Security implications documented
- [ ] User security guidelines updated
- [ ] Examples follow security best practices
## Known Security Considerations
### GCP API Access
- Requires valid GCP credentials with appropriate IAM permissions
- API calls are made directly to Google Cloud APIs using official client libraries
- No data is stored locally beyond temporary processing
### Log Data Sensitivity
- Log entries may contain sensitive information
- Users should be aware of data sensitivity in their logs
- No persistent storage of log data in the MCP server
### Network Communications
- All communications with GCP APIs use TLS encryption
- MCP protocol communications depend on the client's security configuration
## Security Updates
We will provide security updates through:
- **GitHub Security Advisories**
- **Release Notes**
- **Email notifications** to registered users
- **Package repository updates** (PyPI)
## Acknowledgments
We appreciate the security research community and will acknowledge researchers who report vulnerabilities responsibly.
### Hall of Fame
*Contributors who have helped improve our security will be listed here.*
---
**Remember**: When in doubt about security, please reach out to our security team. We'd rather address a false positive than miss a real security issue.