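#!/bin/bash
# Katamari MCP Release Security Scan Script
# This script performs comprehensive secret scanning before releases
#
# Usage: release-security-scan.sh [OPTIONS] [TARGET]   (see show_usage below)
#
# Environment overrides (command-line flags take precedence over these):
#   GITLEAKS_PATH   path to the gitleaks binary   [default: ./.local/bin/gitleaks]
#   CONFIG_FILE     gitleaks rules file           [default: ./.gitleaks.toml]
#   REPORT_FORMAT   gitleaks report format        [default: json]
#
# Reports are written into the current directory and list every finding, so
# keep them out of version control and out of shared build artifacts.

# -e: stop at the first failing command; -u: treat unset variables as errors;
# -o pipefail: a failing stage anywhere in a pipeline fails the pipeline, so a
# broken jq/sort stage in the report summary cannot be masked by a later stage.
set -euo pipefail

# Colors for output (ANSI escapes, emitted through `echo -e`)
readonly RED='\033[0;31m'
readonly GREEN='\033[0;32m'
readonly YELLOW='\033[1;33m'
readonly BLUE='\033[0;34m'
readonly NC='\033[0m' # No Color

# Configuration
GITLEAKS_PATH="${GITLEAKS_PATH:-./.local/bin/gitleaks}"
CONFIG_FILE="${CONFIG_FILE:-./.gitleaks.toml}"
REPORT_FORMAT="${REPORT_FORMAT:-json}"
# Timestamped so repeated runs never overwrite an earlier report
REPORT_FILE="gitleaks-release-report-$(date +%Y%m%d-%H%M%S).${REPORT_FORMAT}"

echo -e "${BLUE}๐ Katamari MCP Release Security Scan${NC}"
echo "======================================"
echo "Timestamp: $(date)"
echo "Report Format: ${REPORT_FORMAT}"
echo "Report File: ${REPORT_FILE}"
echo ""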
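# Function to check if Gitleaks is available
#
# Globals:  GITLEAKS_PATH (read) - path to, or command name of, the binary
#           RED, GREEN, NC (read)
# Outputs:  the resolved location and `gitleaks version` on stdout
# Returns:  0 when the binary is usable; exits 1 otherwise
check_gitleaks() {
  # `command -v` accepts both a path (./.local/bin/gitleaks) and a bare
  # command name on PATH, and unlike `-f` it also requires execute permission,
  # so a present-but-unexecutable file is reported here instead of failing
  # with a confusing error on the `version` call below.
  if ! command -v "$GITLEAKS_PATH" >/dev/null 2>&1; then
    echo -e "${RED}โ Gitleaks not found at $GITLEAKS_PATH${NC}"
    echo "Please install Gitleaks or set GITLEAKS_PATH environment variable"
    exit 1
  fi
  echo -e "${GREEN}โ
Gitleaks found at $GITLEAKS_PATH${NC}"
  # Quoted so a path containing spaces is passed as a single word
  "$GITLEAKS_PATH" version
  echo ""
}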
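# Function to validate configuration
#
# Globals:  CONFIG_FILE (read) - gitleaks rules file
#           RED, GREEN, NC (read)
# Outputs:  confirmation on stdout
# Returns:  0 when the file exists and is readable; exits 1 otherwise
check_config() {
  if [ ! -f "$CONFIG_FILE" ]; then
    echo -e "${RED}โ Gitleaks config not found at $CONFIG_FILE${NC}"
    exit 1
  fi
  # A file that exists but cannot be read would make every later gitleaks
  # invocation fail with a less specific error, so reject it up front.
  if [ ! -r "$CONFIG_FILE" ]; then
    echo -e "${RED}โ Gitleaks config is not readable: $CONFIG_FILE${NC}"
    exit 1
  fi
  echo -e "${GREEN}โ
Configuration file found: $CONFIG_FILE${NC}"
  echo ""
}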
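# Function to scan current working directory
#
# When `git status` reports uncommitted changes, runs gitleaks in --no-git
# mode over the working tree. Note that --no-git scans every file on disk
# (committed or not), which is a superset of the uncommitted changes.
# Globals:  GITLEAKS_PATH, CONFIG_FILE, REPORT_FORMAT, REPORT_FILE (read)
#           RED, GREEN, YELLOW, BLUE, NC (read)
# Outputs:  progress on stdout; report written to uncommitted-$REPORT_FILE
# Returns:  0 when nothing was found (or there was nothing to scan), 1 when
#           gitleaks reported findings or the directory is not a git work tree
scan_current_changes() {
  echo -e "${BLUE}๐ Scanning current working directory...${NC}"
  # Fail loudly outside a repository: an empty `git status` would otherwise be
  # indistinguishable from "no uncommitted changes" and silently skip the scan.
  if ! git rev-parse --is-inside-work-tree >/dev/null 2>&1; then
    echo -e "${RED}โ Not inside a git work tree; cannot determine uncommitted changes${NC}"
    return 1
  fi
  local status
  status=$(git status --porcelain)
  if [ -n "$status" ]; then
    echo -e "${YELLOW}โ ๏ธ Uncommitted changes detected, scanning them...${NC}"
    local report="uncommitted-$REPORT_FILE"
    local -a args=(detect --source . --config "$CONFIG_FILE" --no-git --verbose
                   --report-format "$REPORT_FORMAT" --report-path "$report")
    # Any non-zero status is treated as "findings" (conservative for a
    # release gate); the report path is printed so the cause can be checked.
    if ! "$GITLEAKS_PATH" "${args[@]}"; then
      echo -e "${RED}โ Secrets found in uncommitted changes!${NC}"
      echo "Report saved to: $report"
      return 1
    fi
    echo -e "${GREEN}โ
No secrets in uncommitted changes${NC}"
  else
    echo -e "${GREEN}โ
No uncommitted changes to scan${NC}"
  fi
  echo ""
}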
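# Function to scan entire repository history
#
# Globals:  GITLEAKS_PATH, CONFIG_FILE, REPORT_FORMAT, REPORT_FILE (read)
#           RED, GREEN, YELLOW, BLUE, NC (read)
# Outputs:  progress on stdout; report written to $REPORT_FILE; on findings
#           with a JSON report and jq installed, a per-rule summary
# Returns:  0 when gitleaks found nothing, 1 otherwise
scan_full_history() {
  echo -e "${BLUE}๐ Scanning entire repository history...${NC}"
  local -a args=(detect --source . --config "$CONFIG_FILE" --verbose
                 --report-format "$REPORT_FORMAT" --report-path "$REPORT_FILE")
  if "$GITLEAKS_PATH" "${args[@]}"; then
    echo -e "${GREEN}โ
No secrets found in repository history${NC}"
    echo ""
    return 0
  fi
  echo -e "${RED}โ Secrets found in repository history!${NC}"
  echo "Report saved to: $REPORT_FILE"
  echo ""
  echo -e "${YELLOW}๐ Summary of findings:${NC}"
  # Extract summary from JSON report if available. The `detect` subcommand
  # is gitleaks v8, whose JSON report is a top-level array of findings keyed
  # RuleID / File / StartLine (the old `.findings[] | .ruleId` filter matched
  # nothing). Only location fields are printed, never the matched value, so
  # this summary is safe to leave in a build log.
  if [ "$REPORT_FORMAT" = "json" ] && [ -f "$REPORT_FILE" ]; then
    if command -v jq >/dev/null 2>&1; then
      echo "Secrets found by rule:"
      jq -r '.[] | "\(.RuleID): \(.StartLine) in \(.File)"' "$REPORT_FILE" \
        | sort | uniq -c | sort -nr \
        || echo "(could not summarise $REPORT_FILE; open it directly)"
    else
      echo "(jq not installed; see $REPORT_FILE for details)"
    fi
  fi
  return 1
}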
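# Function to scan specific branch or tag
#
# The target is checked out into a temporary detached worktree and scanned
# there, so the caller's working tree, index and current branch are never
# touched. (Running `git checkout` in place, as before, fails or disturbs
# state when there are uncommitted changes and cannot return to a detached
# HEAD, because `rev-parse --abbrev-ref HEAD` then yields the literal "HEAD".)
# Arguments: $1 - branch, tag or commit to scan; empty means "nothing to do"
# Globals:   GITLEAKS_PATH, CONFIG_FILE, REPORT_FORMAT, REPORT_FILE (read)
#            RED, GREEN, BLUE, NC (read)
# Outputs:   progress on stdout; report written to target-<target>-$REPORT_FILE,
#            with "/" in the target replaced by "_" so it stays a single file name
# Returns:   0 when nothing was found (or no target given); 1 on findings, an
#            unresolvable target, or a worktree failure
scan_target() {
  local target="$1"
  if [ -z "$target" ]; then
    return 0
  fi
  echo -e "${BLUE}๐ Scanning specific target: $target${NC}"
  # Resolve the ref first so a typo is reported before anything is created
  if ! git rev-parse --verify --quiet "${target}^{commit}" >/dev/null; then
    echo -e "${RED}โ Failed to checkout $target${NC}"
    return 1
  fi
  local worktree
  worktree=$(mktemp -d) || return 1
  # --detach: no branch is created or switched; the caller's HEAD is untouched
  if ! git worktree add --detach "$worktree" "$target" >/dev/null 2>&1; then
    echo -e "${RED}โ Failed to checkout $target${NC}"
    rm -rf -- "$worktree"
    return 1
  fi
  local safe_target="${target//\//_}"
  local report="target-$safe_target-$REPORT_FILE"
  local rc=0
  # gitleaks runs from the original directory (CONFIG_FILE and the report
  # path stay relative to it) and is pointed at the worktree via --source
  "$GITLEAKS_PATH" detect --source "$worktree" --config "$CONFIG_FILE" --verbose \
    --report-format "$REPORT_FORMAT" --report-path "$report" || rc=$?
  # Always clean up, whatever gitleaks returned; prune covers the case where
  # `worktree remove` is unavailable and the directory had to be deleted by hand
  git worktree remove --force "$worktree" >/dev/null 2>&1 \
    || { rm -rf -- "$worktree"; git worktree prune >/dev/null 2>&1 || true; }
  if [ "$rc" -ne 0 ]; then
    echo -e "${RED}โ Secrets found in target $target!${NC}"
    echo "Report saved to: $report"
    return 1
  fi
  echo -e "${GREEN}โ
No secrets found in target $target${NC}"
  echo ""
}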
# Function to show usage
#
# Prints the option summary and examples to stdout; $0 is expanded into
# the text so the help reflects how the script was invoked.
show_usage() {
  cat <<EOF
Usage: $0 [OPTIONS] [TARGET]

Options:
 -h, --help Show this help message
 -f, --format FORMAT Report format (json, csv, sarif) [default: json]
 -c, --config FILE Gitleaks config file [default: ./.gitleaks.toml]
 -g, --gitleaks PATH Path to gitleaks binary [default: ./.local/bin/gitleaks]
 --current-only Only scan current changes, not full history
 --no-history Skip full repository history scan

Examples:
 $0 # Full scan of current repository
 $0 v1.0.0 # Scan specific tag
 $0 main # Scan specific branch
 $0 --current-only # Only scan uncommitted changes
 $0 -f sarif v1.0.0 # Scan tag with SARIF output

EOF
}
# Parse command line arguments
CURRENT_ONLY=false
NO_HISTORY=false
TARGET=""
while [[ $# -gt 0 ]]; do
case $1 in
-h|--help)
show_usage
exit 0
;;
-f|--format)
REPORT_FORMAT="$2"
REPORT_FILE="gitleaks-release-report-$(date +%Y%m%d-%H%M%S).${REPORT_FORMAT}"
shift 2
;;
-c|--config)
CONFIG_FILE="$2"
shift 2
;;
-g|--gitleaks)
GITLEAKS_PATH="$2"
shift 2
;;
--current-only)
CURRENT_ONLY=true
shift
;;
--no-history)
NO_HISTORY=true
shift
;;
-*)
echo -e "${RED}โ Unknown option: $1${NC}"
show_usage
exit 1
;;
*)
TARGET="$1"
shift
;;
esac
done
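# Main execution
#
# Runs the pre-flight checks, then either scans the requested TARGET or the
# working tree plus (unless disabled) the full history.
# Globals:  TARGET, NO_HISTORY, CURRENT_ONLY, REPORT_FILE (read)
#           GREEN, BLUE, NC (read)
# Outputs:  progress on stdout
# Returns:  0 when every scan passed; exits 1 on the first failing scan
main() {
  echo -e "${BLUE}๐ Starting Katamari MCP security scan...${NC}"
  echo ""
  # Pre-flight checks (each exits on failure)
  check_gitleaks
  check_config
  # Explicit exits so a finding stops the script even if `set -e` is ever
  # relaxed; the success banner below must never print after a failed scan.
  if [ -n "$TARGET" ]; then
    # Scan specific target if provided
    scan_target "$TARGET" || exit 1
  else
    # Scan current changes
    scan_current_changes || exit 1
    # Scan full history unless skipped
    if [ "$NO_HISTORY" = false ] && [ "$CURRENT_ONLY" = false ]; then
      scan_full_history || exit 1
    fi
  fi
  echo -e "${GREEN}๐ Security scan completed successfully!${NC}"
  echo -e "${GREEN}โ
No secrets detected${NC}"
  # Only the full-history scan writes to $REPORT_FILE itself; the other
  # scans prefix the name (uncommitted-/target-), so this may be absent.
  if [ -f "$REPORT_FILE" ]; then
    echo "๐ Detailed report saved to: $REPORT_FILE"
  fi
  echo ""
  echo -e "${BLUE}๐ Your Katamari MCP release is ready for deployment!${NC}"
}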
# Run main function (arguments were already consumed by the option loop
# above, so main takes none)
main