Terry-Form MCP

Overview Schema Related Servers Score Discussions

security.html•71.3 KiB

<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1">  <title>Security Guide | Terry-Form MCP</title> <meta name="generator" content="Jekyll v3.9.5" /> <meta property="og:title" content="Security Guide" /> <meta name="author" content="AJ Geddes" /> <meta property="og:locale" content="en_US" /> <meta name="description" content="Comprehensive security guide for Terry-Form MCP" /> <meta property="og:description" content="Comprehensive security guide for Terry-Form MCP" /> <link rel="canonical" href="http://localhost:4000/terry-form-mcp/guides/security" /> <meta property="og:url" content="http://localhost:4000/terry-form-mcp/guides/security" /> <meta property="og:site_name" content="Terry-Form MCP" /> <meta property="og:type" content="article" /> <meta property="article:published_time" content="2025-10-06T05:22:44-05:00" /> <meta name="twitter:card" content="summary" /> <meta property="twitter:title" content="Security Guide" /> <meta name="twitter:site" content="@terryform" /> <meta name="twitter:creator" content="@AJ Geddes" /> <script type="application/ld+json"> {"@context":"https://schema.org","@type":"BlogPosting","author":{"@type":"Person","name":"AJ Geddes"},"dateModified":"2025-07-25T14:38:37-05:00","datePublished":"2025-10-06T05:22:44-05:00","description":"Comprehensive security guide for Terry-Form MCP","headline":"Security Guide","mainEntityOfPage":{"@type":"WebPage","@id":"http://localhost:4000/terry-form-mcp/guides/security"},"publisher":{"@type":"Organization","logo":{"@type":"ImageObject","url":"http://localhost:4000/terry-form-mcp/assets/images/terry-form-logo.png"},"name":"AJ Geddes"},"url":"http://localhost:4000/terry-form-mcp/guides/security"}</script>  <link rel="stylesheet" href="/terry-form-mcp/assets/css/style.css"> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.0.0/css/all.min.css"> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/prism/1.29.0/themes/prism-tomorrow.min.css"> <link type="application/atom+xml" rel="alternate" href="http://localhost:4000/terry-form-mcp/feed.xml" title="Terry-Form MCP" />  <script src="https://cdn.jsdelivr.net/npm/mermaid@10/dist/mermaid.min.js"></script> <script> // Convert code.language-mermaid blocks to div.mermaid for rendering document.addEventListener('DOMContentLoaded', function() { document.querySelectorAll('code.language-mermaid').forEach(function(block) { const pre = block.parentElement; const div = document.createElement('div'); div.className = 'mermaid'; div.textContent = block.textContent; pre.parentElement.replaceChild(div, pre); }); mermaid.initialize({ startOnLoad: true, theme: window.matchMedia('(prefers-color-scheme: dark)').matches ? 'dark' : 'default' }); mermaid.init(undefined, document.querySelectorAll('.mermaid')); }); </script> </head> <body> <nav class="main-nav"> <div class="nav-container"> <a href="/terry-form-mcp/" class="nav-logo"> <img src="/terry-form-mcp/assets/images/terry-form-logo.png" alt="Terry-Form MCP"> Terry-Form MCP </a> <button class="nav-toggle" aria-label="Toggle navigation"> </button> <div class="nav-menu"> <a href="/terry-form-mcp/" class="nav-link " > Home </a> <a href="/terry-form-mcp/getting-started" class="nav-link " > Getting Started </a> <a href="/terry-form-mcp/guides/" class="nav-link " > Guides </a> <a href="/terry-form-mcp/api/" class="nav-link " > API Reference </a> <a href="/terry-form-mcp/architecture/" class="nav-link " > Architecture </a> <a href="/terry-form-mcp/tutorials/" class="nav-link " > Tutorials </a> <a href="https://github.com/aj-geddes/terry-form-mcp" class="nav-link " target="_blank" rel="noopener"> GitHub </a> </div> </div> </nav> <main class="main-content"> <div class="guide-container"> <aside class="guide-sidebar"> <h4>Guides</h4> <nav class="guide-nav"> <a href="/terry-form-mcp/guides/index" class="guide-nav-item "> Guides </a> <a href="/terry-form-mcp/guides/security" class="guide-nav-item active"> Security Guide </a> </nav> </aside> <article class="guide-content"> <header class="guide-header"> <h1>Security Guide</h1> Comprehensive security guide for Terry-Form MCP <div class="guide-meta"> 📖 <h1 id="security-guide">Security Guide</h1> Terry-Form MCP is built with security as a core principle. This guide covers security features, best practices, and configuration options. <h2 id="security-architecture">Security Architecture</h2> <pre><code class="language-mermaid">graph TB subgraph "Security Layers" A[Input Validation Layer] B[Authentication Layer] C[Authorization Layer] D[Execution Sandbox] E[Audit Layer] end subgraph "Protection Mechanisms" F[Path Traversal Protection] G[Command Injection Prevention] H[Resource Isolation] I[Rate Limiting] J[Encryption] end A --> F B --> G C --> H D --> I E --> J </code></pre> <h2 id="built-in-security-features">Built-in Security Features</h2> <h3 id="1-input-validation">1. Input Validation</h3> All inputs are validated using strict schemas: <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code># Example validation schema { "path": { "type": "string", "pattern": "^[a-zA-Z0-9/_-]+$", "maxLength": 255 }, "actions": { "type": "array", "items": { "enum": ["init", "validate", "plan", "fmt"] } } } </code></pre></div></div> <h3 id="2-path-traversal-protection">2. Path Traversal Protection</h3> Terry-Form prevents access outside the designated workspace: <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code>def validate_path(path: str) -> bool: # Resolve to absolute path abs_path = Path(workspace_root) / path real_path = abs_path.resolve() # Ensure path is within workspace try: real_path.relative_to(workspace_root) return True except ValueError: return False </code></pre></div></div> <h3 id="3-command-injection-prevention">3. Command Injection Prevention</h3> All subprocess executions use secure patterns: <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code># Secure command execution subprocess.run( ["terraform", action, *args], shell=False, # Never use shell=True cwd=workspace_path, capture_output=True ) # Variable escaping import shlex safe_value = shlex.quote(str(value)) </code></pre></div></div> <h3 id="4-action-whitelisting">4. Action Whitelisting</h3> Only safe Terraform actions are allowed by default: <div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code>allowed_actions: - init - validate - plan - fmt - show - graph - providers - version blocked_actions: - apply # Requires explicit override - destroy # Requires explicit override - import # Can modify state - taint # Can modify state </code></pre></div></div> <h2 id="authentication--authorization">Authentication & Authorization</h2> <h3 id="github-app-authentication">GitHub App Authentication</h3> <pre><code class="language-mermaid">sequenceDiagram participant Client participant TerryForm participant GitHub Client->>TerryForm: Request with App ID TerryForm->>TerryForm: Generate JWT TerryForm->>GitHub: Exchange JWT for Token GitHub-->>TerryForm: Installation Token TerryForm->>GitHub: API Request GitHub-->>TerryForm: Response TerryForm-->>Client: Result </code></pre> Configuration: <div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code>github: app_id: ${GITHUB_APP_ID} private_key_path: /secrets/github-app.pem webhook_secret: ${GITHUB_WEBHOOK_SECRET} permissions: contents: read metadata: read pull_requests: write </code></pre></div></div> <h3 id="api-key-authentication">API Key Authentication</h3> For web endpoints: <div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code>// API key validation const apiKey = request.headers['x-api-key']; if (!apiKey || !isValidApiKey(apiKey)) { return response.status(401).json({ error: 'Unauthorized' }); } </code></pre></div></div> <h2 id="secure-configuration">Secure Configuration</h2> <h3 id="environment-variables">Environment Variables</h3> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code># Required security environment variables export WORKSPACE_ROOT="/mnt/workspace" export ALLOWED_WORKSPACE_PATHS="/mnt/workspace" export MAX_OPERATION_TIMEOUT=300 export ENABLE_APPLY=false export ENABLE_DESTROY=false # Secrets (use secret management) export TERRAFORM_CLOUD_TOKEN="${SECRET_TF_TOKEN}" export GITHUB_APP_PRIVATE_KEY="${SECRET_GH_KEY}" export API_ENCRYPTION_KEY="${SECRET_API_KEY}" </code></pre></div></div> <h3 id="docker-security">Docker Security</h3> <div class="language-dockerfile highlighter-rouge"><div class="highlight"><pre class="highlight"><code># Run as non-root user USER terraform:terraform # Drop capabilities RUN setcap -r /usr/bin/terraform # Read-only root filesystem VOLUME ["/mnt/workspace"] </code></pre></div></div> Docker run options: <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>docker run \ --security-opt=no-new-privileges \ --cap-drop=ALL \ --read-only \ --tmpfs /tmp \ -v workspace:/mnt/workspace:rw \ terry-form-mcp </code></pre></div></div> <h3 id="kubernetes-security">Kubernetes Security</h3> <div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code>apiVersion: v1 kind: Pod spec: securityContext: runAsNonRoot: true runAsUser: 1000 fsGroup: 1000 seccompProfile: type: RuntimeDefault containers: - name: terry-form securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true capabilities: drop: - ALL resources: limits: cpu: "2" memory: "2Gi" requests: cpu: "500m" memory: "512Mi" </code></pre></div></div> <h2 id="network-security">Network Security</h2> <h3 id="tls-configuration">TLS Configuration</h3> <div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code>tls: enabled: true min_version: "1.2" ciphers: - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 cert_file: /certs/tls.crt key_file: /certs/tls.key </code></pre></div></div> <h3 id="network-policies">Network Policies</h3> <div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code>apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: terry-form-network-policy spec: podSelector: matchLabels: app: terry-form policyTypes: - Ingress - Egress ingress: - from: - podSelector: matchLabels: role: api-gateway ports: - protocol: TCP port: 3000 egress: - to: - namespaceSelector: matchLabels: name: kube-system ports: - protocol: TCP port: 53 # DNS - to: - podSelector: {} ports: - protocol: TCP port: 443 # HTTPS </code></pre></div></div> <h2 id="secret-management">Secret Management</h2> <h3 id="using-hashicorp-vault">Using HashiCorp Vault</h3> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code>import hvac client = hvac.Client(url='https://vault.example.com') client.token = os.environ['VAULT_TOKEN'] # Read secrets secrets = client.read('secret/terry-form') terraform_token = secrets['data']['terraform_cloud_token'] github_key = secrets['data']['github_app_key'] </code></pre></div></div> <h3 id="using-kubernetes-secrets">Using Kubernetes Secrets</h3> <div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code>apiVersion: v1 kind: Secret metadata: name: terry-form-secrets type: Opaque data: terraform-cloud-token: <base64-encoded-token> github-app-key: <base64-encoded-key> --- apiVersion: v1 kind: Pod spec: containers: - name: terry-form env: - name: TERRAFORM_CLOUD_TOKEN valueFrom: secretKeyRef: name: terry-form-secrets key: terraform-cloud-token </code></pre></div></div> <h2 id="audit-logging">Audit Logging</h2> <h3 id="structured-logging">Structured Logging</h3> <div class="language-json highlighter-rouge"><div class="highlight"><pre class="highlight"><code>{ "timestamp": "2024-01-15T10:30:45Z", "level": "INFO", "event": "terraform_operation", "user": "ai-assistant-1", "action": "plan", "workspace": "production", "source_ip": "10.0.0.100", "duration": 12.5, "success": true, "resources_affected": 5 } </code></pre></div></div> <h3 id="audit-trail-configuration">Audit Trail Configuration</h3> <div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code>audit: enabled: true destinations: - type: file path: /var/log/terry-form/audit.log rotation: daily retention: 90 - type: syslog host: syslog.example.com port: 514 protocol: tcp - type: elasticsearch url: https://elastic.example.com index: terry-form-audit </code></pre></div></div> <h2 id="security-scanning">Security Scanning</h2> <h3 id="container-scanning">Container Scanning</h3> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code># Scan Docker image trivy image aj-geddes/terry-form-mcp:latest # Scan running container docker run --rm \ -v /var/run/docker.sock:/var/run/docker.sock \ aquasec/trivy container terry-form </code></pre></div></div> <h3 id="code-security-analysis">Code Security Analysis</h3> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code># Python security scan bandit -r . -ll # Dependency scanning safety check # SAST scanning semgrep --config=auto . </code></pre></div></div> <h2 id="incident-response">Incident Response</h2> <h3 id="security-incident-procedure">Security Incident Procedure</h3> <ol> <li>Detection: Monitor logs and alerts</li> <li>Containment: Isolate affected components</li> <li>Investigation: Analyze audit logs</li> <li>Remediation: Apply fixes</li> <li>Recovery: Restore normal operations</li> <li>Post-mortem: Document and improve</li> </ol> <h3 id="emergency-shutdown">Emergency Shutdown</h3> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code># Immediate shutdown kubectl delete deployment terry-form-mcp --grace-period=0 # Revoke all tokens terry-form-cli security revoke-all-tokens # Block network access iptables -A INPUT -p tcp --dport 3000 -j DROP </code></pre></div></div> <h2 id="security-checklist">Security Checklist</h2> <ul class="task-list"> <li class="task-list-item"><input type="checkbox" class="task-list-item-checkbox" disabled="disabled" />Enable TLS for all communications</li> <li class="task-list-item"><input type="checkbox" class="task-list-item-checkbox" disabled="disabled" />Configure authentication (API keys/OAuth)</li> <li class="task-list-item"><input type="checkbox" class="task-list-item-checkbox" disabled="disabled" />Set up proper RBAC policies</li> <li class="task-list-item"><input type="checkbox" class="task-list-item-checkbox" disabled="disabled" />Enable audit logging</li> <li class="task-list-item"><input type="checkbox" class="task-list-item-checkbox" disabled="disabled" />Configure secret management</li> <li class="task-list-item"><input type="checkbox" class="task-list-item-checkbox" disabled="disabled" />Implement rate limiting</li> <li class="task-list-item"><input type="checkbox" class="task-list-item-checkbox" disabled="disabled" />Set resource limits</li> <li class="task-list-item"><input type="checkbox" class="task-list-item-checkbox" disabled="disabled" />Enable security scanning</li> <li class="task-list-item"><input type="checkbox" class="task-list-item-checkbox" disabled="disabled" />Configure network policies</li> <li class="task-list-item"><input type="checkbox" class="task-list-item-checkbox" disabled="disabled" />Set up monitoring and alerting</li> <li class="task-list-item"><input type="checkbox" class="task-list-item-checkbox" disabled="disabled" />Document incident response procedures</li> <li class="task-list-item"><input type="checkbox" class="task-list-item-checkbox" disabled="disabled" />Regular security updates</li> <li class="task-list-item"><input type="checkbox" class="task-list-item-checkbox" disabled="disabled" />Vulnerability scanning</li> <li class="task-list-item"><input type="checkbox" class="task-list-item-checkbox" disabled="disabled" />Penetration testing</li> <li class="task-list-item"><input type="checkbox" class="task-list-item-checkbox" disabled="disabled" />Security training</li> </ul> <h2 id="compliance">Compliance</h2> <h3 id="soc-2-compliance">SOC 2 Compliance</h3> Terry-Form MCP supports SOC 2 compliance: <ul> <li>Security: Encryption, access controls, monitoring</li> <li>Availability: HA deployment, backup procedures</li> <li>Processing Integrity: Input validation, audit trails</li> <li>Confidentiality: Secret management, data isolation</li> <li>Privacy: Data minimization, retention policies</li> </ul> <h3 id="gdpr-compliance">GDPR Compliance</h3> <ul> <li>No personal data collection by default</li> <li>Audit logs can be configured to exclude PII</li> <li>Data retention policies configurable</li> <li>Right to erasure supported</li> </ul> <h2 id="security-resources">Security Resources</h2> <ul> <li><a href="https://owasp.org/www-project-top-ten/">OWASP Top 10</a></li> <li><a href="https://www.cisecurity.org/cis-benchmarks/">CIS Benchmarks</a></li> <li><a href="https://www.nist.gov/cyberframework">NIST Cybersecurity Framework</a></li> </ul> <hr /> <div class="alert alert-info"> Security Contact For security issues, please open an issue on <a href="https://github.com/aj-geddes/terry-form-mcp/issues/new">GitHub</a> </div> Updated: July 25, 2025 </div> </header> <div class="toc"></div> <div class="guide-body"> <h1 id="security-guide">Security Guide</h1> Terry-Form MCP is built with security as a core principle. This guide covers security features, best practices, and configuration options. <h2 id="security-architecture">Security Architecture</h2> <pre><code class="language-mermaid">graph TB subgraph "Security Layers" A[Input Validation Layer] B[Authentication Layer] C[Authorization Layer] D[Execution Sandbox] E[Audit Layer] end subgraph "Protection Mechanisms" F[Path Traversal Protection] G[Command Injection Prevention] H[Resource Isolation] I[Rate Limiting] J[Encryption] end A --> F B --> G C --> H D --> I E --> J </code></pre> <h2 id="built-in-security-features">Built-in Security Features</h2> <h3 id="1-input-validation">1. Input Validation</h3> All inputs are validated using strict schemas: <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code># Example validation schema { "path": { "type": "string", "pattern": "^[a-zA-Z0-9/_-]+$", "maxLength": 255 }, "actions": { "type": "array", "items": { "enum": ["init", "validate", "plan", "fmt"] } } } </code></pre></div></div> <h3 id="2-path-traversal-protection">2. Path Traversal Protection</h3> Terry-Form prevents access outside the designated workspace: <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code>def validate_path(path: str) -> bool: # Resolve to absolute path abs_path = Path(workspace_root) / path real_path = abs_path.resolve() # Ensure path is within workspace try: real_path.relative_to(workspace_root) return True except ValueError: return False </code></pre></div></div> <h3 id="3-command-injection-prevention">3. Command Injection Prevention</h3> All subprocess executions use secure patterns: <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code># Secure command execution subprocess.run( ["terraform", action, *args], shell=False, # Never use shell=True cwd=workspace_path, capture_output=True ) # Variable escaping import shlex safe_value = shlex.quote(str(value)) </code></pre></div></div> <h3 id="4-action-whitelisting">4. Action Whitelisting</h3> Only safe Terraform actions are allowed by default: <div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code>allowed_actions: - init - validate - plan - fmt - show - graph - providers - version blocked_actions: - apply # Requires explicit override - destroy # Requires explicit override - import # Can modify state - taint # Can modify state </code></pre></div></div> <h2 id="authentication--authorization">Authentication & Authorization</h2> <h3 id="github-app-authentication">GitHub App Authentication</h3> <pre><code class="language-mermaid">sequenceDiagram participant Client participant TerryForm participant GitHub Client->>TerryForm: Request with App ID TerryForm->>TerryForm: Generate JWT TerryForm->>GitHub: Exchange JWT for Token GitHub-->>TerryForm: Installation Token TerryForm->>GitHub: API Request GitHub-->>TerryForm: Response TerryForm-->>Client: Result </code></pre> Configuration: <div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code>github: app_id: ${GITHUB_APP_ID} private_key_path: /secrets/github-app.pem webhook_secret: ${GITHUB_WEBHOOK_SECRET} permissions: contents: read metadata: read pull_requests: write </code></pre></div></div> <h3 id="api-key-authentication">API Key Authentication</h3> For web endpoints: <div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code>// API key validation const apiKey = request.headers['x-api-key']; if (!apiKey || !isValidApiKey(apiKey)) { return response.status(401).json({ error: 'Unauthorized' }); } </code></pre></div></div> <h2 id="secure-configuration">Secure Configuration</h2> <h3 id="environment-variables">Environment Variables</h3> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code># Required security environment variables export WORKSPACE_ROOT="/mnt/workspace" export ALLOWED_WORKSPACE_PATHS="/mnt/workspace" export MAX_OPERATION_TIMEOUT=300 export ENABLE_APPLY=false export ENABLE_DESTROY=false # Secrets (use secret management) export TERRAFORM_CLOUD_TOKEN="${SECRET_TF_TOKEN}" export GITHUB_APP_PRIVATE_KEY="${SECRET_GH_KEY}" export API_ENCRYPTION_KEY="${SECRET_API_KEY}" </code></pre></div></div> <h3 id="docker-security">Docker Security</h3> <div class="language-dockerfile highlighter-rouge"><div class="highlight"><pre class="highlight"><code># Run as non-root user USER terraform:terraform # Drop capabilities RUN setcap -r /usr/bin/terraform # Read-only root filesystem VOLUME ["/mnt/workspace"] </code></pre></div></div> Docker run options: <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>docker run \ --security-opt=no-new-privileges \ --cap-drop=ALL \ --read-only \ --tmpfs /tmp \ -v workspace:/mnt/workspace:rw \ terry-form-mcp </code></pre></div></div> <h3 id="kubernetes-security">Kubernetes Security</h3> <div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code>apiVersion: v1 kind: Pod spec: securityContext: runAsNonRoot: true runAsUser: 1000 fsGroup: 1000 seccompProfile: type: RuntimeDefault containers: - name: terry-form securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true capabilities: drop: - ALL resources: limits: cpu: "2" memory: "2Gi" requests: cpu: "500m" memory: "512Mi" </code></pre></div></div> <h2 id="network-security">Network Security</h2> <h3 id="tls-configuration">TLS Configuration</h3> <div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code>tls: enabled: true min_version: "1.2" ciphers: - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 cert_file: /certs/tls.crt key_file: /certs/tls.key </code></pre></div></div> <h3 id="network-policies">Network Policies</h3> <div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code>apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: terry-form-network-policy spec: podSelector: matchLabels: app: terry-form policyTypes: - Ingress - Egress ingress: - from: - podSelector: matchLabels: role: api-gateway ports: - protocol: TCP port: 3000 egress: - to: - namespaceSelector: matchLabels: name: kube-system ports: - protocol: TCP port: 53 # DNS - to: - podSelector: {} ports: - protocol: TCP port: 443 # HTTPS </code></pre></div></div> <h2 id="secret-management">Secret Management</h2> <h3 id="using-hashicorp-vault">Using HashiCorp Vault</h3> <div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code>import hvac client = hvac.Client(url='https://vault.example.com') client.token = os.environ['VAULT_TOKEN'] # Read secrets secrets = client.read('secret/terry-form') terraform_token = secrets['data']['terraform_cloud_token'] github_key = secrets['data']['github_app_key'] </code></pre></div></div> <h3 id="using-kubernetes-secrets">Using Kubernetes Secrets</h3> <div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code>apiVersion: v1 kind: Secret metadata: name: terry-form-secrets type: Opaque data: terraform-cloud-token: <base64-encoded-token> github-app-key: <base64-encoded-key> --- apiVersion: v1 kind: Pod spec: containers: - name: terry-form env: - name: TERRAFORM_CLOUD_TOKEN valueFrom: secretKeyRef: name: terry-form-secrets key: terraform-cloud-token </code></pre></div></div> <h2 id="audit-logging">Audit Logging</h2> <h3 id="structured-logging">Structured Logging</h3> <div class="language-json highlighter-rouge"><div class="highlight"><pre class="highlight"><code>{ "timestamp": "2024-01-15T10:30:45Z", "level": "INFO", "event": "terraform_operation", "user": "ai-assistant-1", "action": "plan", "workspace": "production", "source_ip": "10.0.0.100", "duration": 12.5, "success": true, "resources_affected": 5 } </code></pre></div></div> <h3 id="audit-trail-configuration">Audit Trail Configuration</h3> <div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code>audit: enabled: true destinations: - type: file path: /var/log/terry-form/audit.log rotation: daily retention: 90 - type: syslog host: syslog.example.com port: 514 protocol: tcp - type: elasticsearch url: https://elastic.example.com index: terry-form-audit </code></pre></div></div> <h2 id="security-scanning">Security Scanning</h2> <h3 id="container-scanning">Container Scanning</h3> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code># Scan Docker image trivy image aj-geddes/terry-form-mcp:latest # Scan running container docker run --rm \ -v /var/run/docker.sock:/var/run/docker.sock \ aquasec/trivy container terry-form </code></pre></div></div> <h3 id="code-security-analysis">Code Security Analysis</h3> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code># Python security scan bandit -r . -ll # Dependency scanning safety check # SAST scanning semgrep --config=auto . </code></pre></div></div> <h2 id="incident-response">Incident Response</h2> <h3 id="security-incident-procedure">Security Incident Procedure</h3> <ol> <li>Detection: Monitor logs and alerts</li> <li>Containment: Isolate affected components</li> <li>Investigation: Analyze audit logs</li> <li>Remediation: Apply fixes</li> <li>Recovery: Restore normal operations</li> <li>Post-mortem: Document and improve</li> </ol> <h3 id="emergency-shutdown">Emergency Shutdown</h3> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code># Immediate shutdown kubectl delete deployment terry-form-mcp --grace-period=0 # Revoke all tokens terry-form-cli security revoke-all-tokens # Block network access iptables -A INPUT -p tcp --dport 3000 -j DROP </code></pre></div></div> <h2 id="security-checklist">Security Checklist</h2> <ul class="task-list"> <li class="task-list-item"><input type="checkbox" class="task-list-item-checkbox" disabled="disabled" />Enable TLS for all communications</li> <li class="task-list-item"><input type="checkbox" class="task-list-item-checkbox" disabled="disabled" />Configure authentication (API keys/OAuth)</li> <li class="task-list-item"><input type="checkbox" class="task-list-item-checkbox" disabled="disabled" />Set up proper RBAC policies</li> <li class="task-list-item"><input type="checkbox" class="task-list-item-checkbox" disabled="disabled" />Enable audit logging</li> <li class="task-list-item"><input type="checkbox" class="task-list-item-checkbox" disabled="disabled" />Configure secret management</li> <li class="task-list-item"><input type="checkbox" class="task-list-item-checkbox" disabled="disabled" />Implement rate limiting</li> <li class="task-list-item"><input type="checkbox" class="task-list-item-checkbox" disabled="disabled" />Set resource limits</li> <li class="task-list-item"><input type="checkbox" class="task-list-item-checkbox" disabled="disabled" />Enable security scanning</li> <li class="task-list-item"><input type="checkbox" class="task-list-item-checkbox" disabled="disabled" />Configure network policies</li> <li class="task-list-item"><input type="checkbox" class="task-list-item-checkbox" disabled="disabled" />Set up monitoring and alerting</li> <li class="task-list-item"><input type="checkbox" class="task-list-item-checkbox" disabled="disabled" />Document incident response procedures</li> <li class="task-list-item"><input type="checkbox" class="task-list-item-checkbox" disabled="disabled" />Regular security updates</li> <li class="task-list-item"><input type="checkbox" class="task-list-item-checkbox" disabled="disabled" />Vulnerability scanning</li> <li class="task-list-item"><input type="checkbox" class="task-list-item-checkbox" disabled="disabled" />Penetration testing</li> <li class="task-list-item"><input type="checkbox" class="task-list-item-checkbox" disabled="disabled" />Security training</li> </ul> <h2 id="compliance">Compliance</h2> <h3 id="soc-2-compliance">SOC 2 Compliance</h3> Terry-Form MCP supports SOC 2 compliance: <ul> <li>Security: Encryption, access controls, monitoring</li> <li>Availability: HA deployment, backup procedures</li> <li>Processing Integrity: Input validation, audit trails</li> <li>Confidentiality: Secret management, data isolation</li> <li>Privacy: Data minimization, retention policies</li> </ul> <h3 id="gdpr-compliance">GDPR Compliance</h3> <ul> <li>No personal data collection by default</li> <li>Audit logs can be configured to exclude PII</li> <li>Data retention policies configurable</li> <li>Right to erasure supported</li> </ul> <h2 id="security-resources">Security Resources</h2> <ul> <li><a href="https://owasp.org/www-project-top-ten/">OWASP Top 10</a></li> <li><a href="https://www.cisecurity.org/cis-benchmarks/">CIS Benchmarks</a></li> <li><a href="https://www.nist.gov/cyberframework">NIST Cybersecurity Framework</a></li> </ul> <hr /> <div class="alert alert-info"> Security Contact For security issues, please open an issue on <a href="https://github.com/aj-geddes/terry-form-mcp/issues/new">GitHub</a> </div> </div> <footer class="guide-footer"> <div class="guide-navigation"> </div> <div class="guide-feedback"> <h4>Was this guide helpful?</h4> <a href="https://github.com/aj-geddes/terry-form-mcp/issues/new?title=Guide%20Feedback:%20Security+Guide" class="feedback-link"> Provide feedback </a> </div> </footer> </article> </div> <style> .guide-container { display: grid; grid-template-columns: 250px 1fr; gap: 3rem; margin-top: 2rem; } .guide-sidebar { position: sticky; top: 80px; height: fit-content; max-height: calc(100vh - 100px); overflow-y: auto; } .guide-nav { display: flex; flex-direction: column; } .guide-nav-item { padding: 0.5rem 1rem; color: #666; text-decoration: none; border-left: 3px solid transparent; transition: all 0.2s; } .guide-nav-item:hover { color: #2196F3; background: #f8f9fa; } .guide-nav-item.active { color: #2196F3; background: #e3f2fd; border-left-color: #2196F3; font-weight: 500; } .guide-content { max-width: 800px; } .guide-header { margin-bottom: 2rem; padding-bottom: 1rem; border-bottom: 1px solid #e0e0e0; } .guide-header h1 { margin-bottom: 0.5rem; } .guide-description { font-size: 1.25rem; color: #666; margin: 0.5rem 0; } .guide-meta { display: flex; gap: 2rem; margin-top: 1rem; font-size: 0.875rem; color: #999; } .guide-body { line-height: 1.8; } .guide-body h2 { margin-top: 3rem; margin-bottom: 1rem; padding-bottom: 0.5rem; border-bottom: 1px solid #e0e0e0; } .guide-body h3 { margin-top: 2rem; } .guide-footer { margin-top: 4rem; padding-top: 2rem; border-top: 1px solid #e0e0e0; } .guide-navigation { display: flex; justify-content: space-between; margin-bottom: 3rem; } .prev-guide, .next-guide { display: inline-block; padding: 0.75rem 1.5rem; background: #f8f9fa; border-radius: 0.5rem; text-decoration: none; color: #333; transition: all 0.2s; } .prev-guide:hover, .next-guide:hover { background: #e3f2fd; color: #2196F3; } .guide-feedback { text-align: center; padding: 2rem; background: #f8f9fa; border-radius: 0.5rem; } .feedback-link { display: inline-block; padding: 0.5rem 1rem; background: #2196F3; color: white; border-radius: 0.25rem; text-decoration: none; } .feedback-link:hover { background: #1976D2; } @media (max-width: 768px) { .guide-container { grid-template-columns: 1fr; } .guide-sidebar { position: static; margin-bottom: 2rem; border-bottom: 1px solid #e0e0e0; padding-bottom: 1rem; } .guide-navigation { flex-direction: column; gap: 1rem; } } @media (prefers-color-scheme: dark) { .guide-nav-item { color: #ccc; } .guide-nav-item:hover { background: #333; } .guide-nav-item.active { background: #1e3a5f; } .guide-header { border-bottom-color: #444; } .guide-description { color: #999; } .guide-body h2 { border-bottom-color: #444; } .guide-footer { border-top-color: #444; } .prev-guide, .next-guide { background: #2a2a2a; color: #e0e0e0; } .prev-guide:hover, .next-guide:hover { background: #1e3a5f; } .guide-feedback { background: #2a2a2a; } } </style> </main> <footer class="site-footer"> <div class="footer-container"> <div class="footer-section"> <h4>Terry-Form MCP</h4> Enterprise-grade Terraform automation through Model Context Protocol <div class="social-links"> <a href="https://github.com/aj-geddes/terry-form-mcp" aria-label="GitHub"> </a> <a href="https://twitter.com/terryform" aria-label="Twitter"> </a> </div> </div> <div class="footer-section"> <h4>Documentation</h4> <ul> <li><a href="/terry-form-mcp/getting-started">Getting Started</a></li> <li><a href="/terry-form-mcp/guides/">Guides</a></li> <li><a href="/terry-form-mcp/api/">API Reference</a></li> <li><a href="/terry-form-mcp/tutorials/">Tutorials</a></li> </ul> </div> <div class="footer-section"> <h4>Community</h4> <ul> <li><a href="https://github.com/aj-geddes/terry-form-mcp/discussions">Discussions</a></li> <li><a href="https://github.com/aj-geddes/terry-form-mcp/issues">Issues</a></li> </ul> </div> <div class="footer-section"> <h4>Resources</h4> <ul> <li><a href="/terry-form-mcp/architecture/">Architecture</a></li> <li><a href="/terry-form-mcp/guides/security">Security</a></li> </ul> </div> </div> <div class="footer-bottom"> © 2025 Terry-Form MCP. Built with ❤️ by <a href="https://github.com/aj-geddes">AJ Geddes</a> </div> </footer> <script src="/terry-form-mcp/assets/js/main.js"></script> <script src="https://cdnjs.cloudflare.com/ajax/libs/prism/1.29.0/prism.min.js"></script> <script src="https://cdnjs.cloudflare.com/ajax/libs/prism/1.29.0/components/prism-bash.min.js"></script> <script src="https://cdnjs.cloudflare.com/ajax/libs/prism/1.29.0/components/prism-json.min.js"></script> <script src="https://cdnjs.cloudflare.com/ajax/libs/prism/1.29.0/components/prism-yaml.min.js"></script> <script src="https://cdnjs.cloudflare.com/ajax/libs/prism/1.29.0/components/prism-python.min.js"></script> <script src="https://cdnjs.cloudflare.com/ajax/libs/prism/1.29.0/components/prism-hcl.min.js"></script> <script src="https://cdnjs.cloudflare.com/ajax/libs/prism/1.29.0/plugins/normalize-whitespace/prism-normalize-whitespace.min.js"></script> </body> </html>

Loading blob content...

Latest Blog Posts

Redis vs ioredis vs valkey-glide
By punkpeye on January 26, 2026.
benchmark
Redis
valkey
Quickstart: Publish an MCP Server to the MCP Registry
By punkpeye on January 24, 2026.
mcp
official reference mirror
Official MCP Registry Server.json Requirements
By punkpeye on January 24, 2026.
mcp
official reference mirror

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/aj-geddes/terry-form-mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server

security.html•71.3 KiB