import type { Tool } from '@modelcontextprotocol/sdk/types.js';
import type { CloudProvider, SecurityFinding, ComplianceCheck } from '../types/index.js';
import { Formatters } from '../utils/formatters.js';
/**
 * JSON-schema fragment for the `provider` argument, which every tool in
 * this module requires. Spread into each schema so the tools stay
 * independent objects.
 */
const providerProperty = {
  type: 'string',
  enum: ['aws', 'azure', 'gcp'],
  description: 'Cloud provider',
};

/**
 * MCP tool definitions exposed by the security module.
 *
 * Each entry declares the tool name, a human-readable description and the
 * JSON schema of the arguments it accepts. Dispatch for these names lives
 * in `handleSecurityTool`.
 */
export const securityTools: Tool[] = [
  {
    name: 'scan_security_issues',
    description: 'Scan cloud resources for security issues',
    inputSchema: {
      type: 'object',
      properties: {
        provider: { ...providerProperty },
        resourceId: {
          type: 'string',
          description: 'Specific resource ID to scan (optional)',
        },
      },
      required: ['provider'],
    },
  },
  {
    name: 'check_compliance',
    description: 'Check compliance with security standards (CIS, SOC2, etc.)',
    inputSchema: {
      type: 'object',
      properties: {
        provider: { ...providerProperty },
        standard: {
          type: 'string',
          enum: ['cis', 'soc2', 'pci-dss', 'hipaa', 'general'],
          description: 'Compliance standard',
          default: 'general',
        },
      },
      required: ['provider'],
    },
  },
  {
    name: 'analyze_permissions',
    description: 'Analyze IAM permissions and access policies',
    inputSchema: {
      type: 'object',
      properties: {
        provider: { ...providerProperty },
      },
      required: ['provider'],
    },
  },
  {
    name: 'check_encryption',
    description: 'Check encryption status of cloud resources',
    inputSchema: {
      type: 'object',
      properties: {
        provider: { ...providerProperty },
        resourceId: {
          type: 'string',
          description: 'Resource ID to check',
        },
        resourceType: {
          type: 'string',
          enum: ['storage', 'database', 'instance'],
          description: 'Resource type',
        },
      },
      // The only tool whose every argument is mandatory.
      required: ['provider', 'resourceId', 'resourceType'],
    },
  },
];
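/** Providers accepted by every tool; mirrors the schema `enum` in `securityTools`. */
const CLOUD_PROVIDERS = ['aws', 'azure', 'gcp'] as const;

/** Standards accepted by `check_compliance`; mirrors its schema `enum`. */
const COMPLIANCE_STANDARDS = ['cis', 'soc2', 'pci-dss', 'hipaa', 'general'] as const;

/** Resource types accepted by `check_encryption`; mirrors its schema `enum`. */
const ENCRYPTION_RESOURCE_TYPES = ['storage', 'database', 'instance'] as const;

/**
 * Narrow raw tool arguments to a plain object.
 *
 * Arguments arrive from the MCP client and are otherwise unvalidated, so a
 * missing or non-object payload is rejected here instead of surfacing later
 * as a property access on `undefined`.
 *
 * @throws Error if `args` is not a non-null, non-array object.
 */
function toParams(args: unknown): Record<string, unknown> {
  if (typeof args !== 'object' || args === null || Array.isArray(args)) {
    throw new Error('Tool arguments must be an object');
  }
  return args as Record<string, unknown>;
}

/**
 * Read a string argument, treating absent, `null` and empty values as
 * "not supplied". Non-string values are rejected rather than coerced.
 *
 * @throws Error if the value is present but not a string.
 */
function optionalString(params: Record<string, unknown>, key: string): string | undefined {
  const value = params[key];
  if (value === undefined || value === null || value === '') {
    return undefined;
  }
  if (typeof value !== 'string') {
    throw new Error(`Argument '${key}' must be a string`);
  }
  return value;
}

/**
 * Read a string argument that must be present and non-empty.
 *
 * @throws Error if the value is absent, empty, or not a string.
 */
function requiredString(params: Record<string, unknown>, key: string): string {
  const value = optionalString(params, key);
  if (value === undefined) {
    throw new Error(`Missing required argument '${key}'`);
  }
  return value;
}

/**
 * Read a string argument and check it against the allowed set declared in
 * the tool schema.
 *
 * @param allowed - the schema `enum` values for this argument.
 * @param fallback - used when the argument is absent; when omitted the
 *   argument is required.
 * @throws Error if the value is missing (and no fallback), not a string,
 *   or not in `allowed`.
 */
function enumArg<T extends string>(
  params: Record<string, unknown>,
  key: string,
  allowed: readonly T[],
  fallback?: T,
): T {
  const value = optionalString(params, key) ?? fallback;
  if (value === undefined) {
    throw new Error(`Missing required argument '${key}'`);
  }
  if (!(allowed as readonly string[]).includes(value)) {
    throw new Error(`Argument '${key}' must be one of: ${allowed.join(', ')}`);
  }
  return value as T;
}

/**
 * Read and validate the mandatory `provider` argument.
 *
 * Return type is inferred from the cast so the project's `CloudProvider`
 * type is named in exactly one place.
 */
function requireProvider(params: Record<string, unknown>) {
  return enumArg(params, 'provider', CLOUD_PROVIDERS) as CloudProvider;
}

/**
 * Dispatch an MCP security tool call by name.
 *
 * Every tool requires a valid `provider`; each case additionally validates
 * the arguments its schema declares, so malformed or out-of-enum input is
 * rejected with an `Error` rather than being passed through unchecked.
 *
 * Note that the current implementations return fixed placeholder data: the
 * findings, compliance score and encryption status below are hard-coded and
 * do not query any provider API, so callers must not treat them as a real
 * assessment of the named resources.
 *
 * @param name - one of the `name` values in `securityTools`.
 * @param args - raw tool arguments as supplied by the MCP client.
 * @returns the formatted result for the tool; its shape depends on `name`.
 * @throws Error if `name` is not a known tool or the arguments fail validation.
 */
export async function handleSecurityTool(name: string, args: unknown): Promise<unknown> {
  const params = toParams(args);
  switch (name) {
    case 'scan_security_issues': {
      const provider = requireProvider(params);
      const resourceId = optionalString(params, 'resourceId') ?? 'all';
      // One timestamp so both findings report the same scan time.
      const detectedAt = new Date();
      // Placeholder findings: no provider API is queried yet, so the same
      // two findings are returned for every request.
      const findings: SecurityFinding[] = [
        {
          id: '1',
          severity: 'medium',
          title: 'Public S3 Bucket Detected',
          description: 'Some S3 buckets may be publicly accessible',
          resourceId,
          resourceType: 'storage',
          provider,
          recommendation: 'Review bucket policies and ensure proper access controls',
          detectedAt,
          category: 'access-control',
        },
        {
          id: '2',
          severity: 'high',
          title: 'Unencrypted Storage',
          description: 'Storage resources without encryption detected',
          resourceId,
          resourceType: 'storage',
          provider,
          recommendation: 'Enable encryption at rest for all storage resources',
          detectedAt,
          category: 'encryption',
        },
      ];
      return Formatters.formatSecurityFindings(findings);
    }
    case 'check_compliance': {
      const provider = requireProvider(params);
      // Schema declares a default of 'general'; an unknown standard is an error.
      const standard = enumArg(params, 'standard', COMPLIANCE_STANDARDS, 'general');
      // Placeholder result: the findings and score are fixed values.
      const complianceCheck: ComplianceCheck = {
        provider,
        standard,
        compliant: false,
        findings: [
          {
            rule: 'Encryption at rest enabled',
            status: 'fail',
            description: 'Some resources do not have encryption enabled',
          },
          {
            rule: 'Public access restricted',
            status: 'warning',
            description: 'Some resources may have public access',
          },
          {
            rule: 'MFA enabled',
            status: 'pass',
            description: 'Multi-factor authentication is configured',
          },
        ],
        score: 65,
      };
      return Formatters.formatComplianceCheck(complianceCheck);
    }
    case 'analyze_permissions': {
      const provider = requireProvider(params);
      return {
        provider,
        message: 'Permission analysis not yet fully implemented',
        recommendations: [
          'Review IAM policies regularly',
          'Follow principle of least privilege',
          'Enable MFA for all users',
          'Audit permissions quarterly',
        ],
      };
    }
    case 'check_encryption': {
      const provider = requireProvider(params);
      // Both are required by the schema; resourceType must also be in its enum.
      const resourceId = requiredString(params, 'resourceId');
      const resourceType = enumArg(params, 'resourceType', ENCRYPTION_RESOURCE_TYPES);
      // Placeholder result: encryption status is not actually queried.
      return {
        provider,
        resourceId,
        resourceType,
        encrypted: false,
        encryptionType: 'none',
        recommendation: 'Enable encryption for this resource',
      };
    }
    default:
      throw new Error(`Unknown security tool: ${name}`);
  }
}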