SAST MCP Server

# Output File Feature - Implementation Complete ## Summary The `output_file` parameter has been successfully implemented for the MCP-SAST-Server. This feature allows scans to save their full results to a file and return only a summary, avoiding the 25,000 token limit errors. ## Changes Made ### 1. Client Side (`sast_mcp_client.py`) ✅ Added `output_file` parameter to `semgrep_scan()` function ✅ Parameter accepts Windows path format (e.g., `F:/work/Resola/Security-Reports/results.json`) ✅ Updated function documentation ### 2. Server Side (`sast_server.py`) ✅ Created `save_scan_output_to_file()` helper function ✅ Automatic Windows → Linux path resolution (F:/ → /mnt/work) ✅ Automatic directory creation if needed ✅ Smart summary generation (counts findings by severity for Semgrep) ✅ Token-saving response truncation ✅ Updated `/api/sast/semgrep` endpoint to handle `output_file` ## How To Use ### Basic Usage (Without output_file) ```python # Returns full results in response (may hit token limit for large scans) semgrep_scan( target="/f/work/Resola/Deca/deca-tables-api", config="auto" ) ``` ### With output_file (Recommended) ```python # Saves full results to file, returns only summary semgrep_scan( target="/f/work/Resola/Deca/deca-tables-api", config="auto", output_format="json", output_file="F:/work/Resola/Security-Reports/Deca/deca-tables-api/semgrep-results.json" ) ``` ### Example Response With output_file ```json { "success": true, "return_code": 0, "stdout_truncated": true, "stdout": "[Output saved to F:/work/Resola/Security-Reports/Deca/deca-tables-api/semgrep-results.json]\n\nSummary: {\n \"total_findings\": 14,\n \"by_severity\": {\n \"ERROR\": 2,\n \"WARNING\": 4,\n \"INFO\": 8\n }\n}", "output_file_info": { "file_saved": true, "windows_path": "F:/work/Resola/Security-Reports/Deca/deca-tables-api/semgrep-results.json", "linux_path": "/mnt/work/work/Resola/Security-Reports/Deca/deca-tables-api/semgrep-results.json", "file_size_bytes": 470365, "summary": { "total_findings": 14, "by_severity": { "ERROR": 2, "WARNING": 4, "INFO": 8 } } } } ``` ## Benefits ✅ **No More Token Limit Errors**: Response is ~300 tokens instead of 40,000+ ✅ **Full Results Preserved**: Complete scan output saved to file ✅ **Smart Summaries**: Get finding counts and severity breakdown instantly ✅ **Path Auto-Resolution**: Windows paths automatically converted to Linux mount paths ✅ **Directory Auto-Creation**: Output directories created automatically if missing ## Deployment Steps ### On Kali Linux (Server) 1. Copy updated `sast_server.py` to your Kali server 2. Restart the SAST server: ```bash # Kill existing server pkill -f sast_server.py # Start updated server cd /mnt/work/work/Resola/Pentesting/05-Tools/MCP-SAST-Server python3 sast_server.py --port 6000 # Or run in background nohup python3 sast_server.py --port 6000 > sast_server.log 2>&1 & ``` ### On Windows (Client) 1. Updated `sast_mcp_client.py` is already in place 2. Restart Claude Code to reload the MCP client: - Close Claude Code completely - Reopen in your project directory - MCP server will auto-reconnect with new parameters ## Testing Run a test scan with output_file: ```bash # In Claude Code, run: Use semgrep_scan with: - target: "/f/work/Resola/Deca/deca-tables-api" - config: "auto" - output_format: "json" - output_file: "F:/work/Resola/Security-Reports/test-semgrep.json" ``` Verify: 1. Check response includes `output_file_info` with `file_saved: true` 2. Check file exists: `ls -la F:/work/Resola/Security-Reports/test-semgrep.json` 3. Verify response is small (~300 tokens, not 40,000+) ## Next Steps ### To Add output_file to Other Tools Apply the same pattern to other MCP tools: 1. **Client side** (`sast_mcp_client.py`): - Add `output_file: str = ""` parameter - Add to data dict: `"output_file": output_file` - Update docstring 2. **Server side** (`sast_server.py`): - Extract parameter: `output_file = params.get("output_file", "")` - After `execute_command()`, add: ```python if output_file and result.get("stdout"): file_info = save_scan_output_to_file(output_file, result["stdout"], output_format) result["output_file_info"] = file_info if file_info.get("file_saved"): result["stdout_truncated"] = True result["stdout"] = f"[Output saved to {file_info['windows_path']}]\\n\\nSummary: {json.dumps(file_info['summary'], indent=2)}" if "parsed_output" in result: del result["parsed_output"] ``` ### Priority Tools to Update 1. ✅ semgrep_scan - DONE 2. ⏳ npm_audit - High priority 3. ⏳ gitleaks_scan - High priority 4. ⏳ trufflehog_scan - High priority 5. ⏳ bearer_scan - Medium priority 6. ⏳ trivy_scan - Medium priority 7. ⏳ graudit_scan - Low priority (text output, usually small) ## Rollback If issues occur, restore from backups: ```bash cd /f/work/Resola/Pentesting/05-Tools/MCP-SAST-Server cp sast_mcp_client.py.backup sast_mcp_client.py cp sast_server.py.backup sast_server.py ``` Then restart both server (Kali) and Claude Code (Windows). ## Files Modified - `sast_mcp_client.py` - Added output_file to semgrep_scan() - `sast_server.py` - Added save_scan_output_to_file() and updated semgrep endpoint - `sast_mcp_client.py.backup` - Original backup - `sast_server.py.backup` - Original backup Created: 2025-11-14 Status: ✅ Ready for Testing