Planned integration for automated security scanning in CI/CD pipelines
Performs security vulnerability scanning of npm dependencies through package.json analysis
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@Security Scanner MCPscan this code for security issues"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
π Security Scanner MCP
AIκ° μμ±ν μ½λμ 보μ μ·¨μ½μ μ μλμΌλ‘ κ²μΆνκ³ , μμ κΉμ§ μ μνλ μ§λ₯ν 보μ ννΈλ MCP μλ²μ λλ€.
νκ΅μ΄ | English | π Documentation
Demo
μ νμνκ°μ?
AIκ° μμ±ν μ½λμλ 보μ μ·¨μ½μ μ΄ 322% λ λ§λ€λ μ°κ΅¬ κ²°κ³Όκ° μμ΅λλ€.
μ΄ MCPλ λ¨μ κ²μ¬λ₯Ό λμ΄μ:
π‘ μλμΌλ‘ μμ μ½λλ₯Ό μ μνκ³
ποΈ IaC (Dockerfile, Kubernetes, Terraform)κΉμ§ κ²μ¬νλ©°
π Mermaid λ€μ΄μ΄κ·Έλ¨κ³Ό SARIF 리ν¬νΈλ₯Ό μμ±νκ³
π³ Docker μλλ°μ€μμ μμ νκ² μ€νν μ μμ΅λλ€.
μ½λλ₯Ό 컀λ°νκΈ° μ , ν΄λΌμ°λμ λ°°ν¬νκΈ° μ , ν λ²λ§ κ²μ¬νλ©΄ λ©λλ€.
β¨ μ£Όμ κΈ°λ₯
π― μ½λ 보μ μ€μΊ
Tool | μ€λͺ |
| μ’ ν© λ³΄μ μ€μΊ - λͺ¨λ κ²μ¬λ₯Ό νλ²μ μν |
| νλμ½λ©λ API ν€, λΉλ°λ²νΈ, ν ν° κ²μΆ |
| SQL/NoSQL/Command Injection μ·¨μ½μ κ²μ¬ |
| Cross-Site Scripting μ·¨μ½μ κ²μ¬ |
| μνΈν μ·¨μ½μ (μ½ν ν΄μ, λΆμμ ν λλ€ λ±) |
| μΈμ¦/μΈμ μ·¨μ½μ (JWT, μΏ ν€, CORS λ±) |
| νμΌ/κ²½λ‘ μ·¨μ½μ (Path Traversal, μ λ‘λ λ±) |
| package.json λ±μμ μ·¨μ½ν μμ‘΄μ± κ²μ¬ |
ποΈ Infrastructure as Code (IaC) μ€μΊ
Tool | μ€λͺ |
| Dockerfile, Kubernetes, Terraform 보μ κ²μ¬ |
Dockerfile: CIS Docker Benchmark κΈ°λ° 15κ° κ·μΉ
Kubernetes: Pod Security Standards (PSS) κΈ°λ° 13κ° κ·μΉ
Terraform: AWS/GCP/Azure 보μ μ€μ 15κ° κ·μΉ
π οΈ μλ μμ & κ³ κΈ κΈ°λ₯
Tool | μ€λͺ |
| μ·¨μ½μ μ λν μμ λ μ½λ μλ μμ± |
| Mermaid λ€μ΄μ΄κ·Έλ¨ + SARIF + CVE μ 보 μ’ ν© λ¦¬ν¬νΈ |
| Docker 격리 νκ²½μμ μμ νκ² μ€μΊ μ€ν |
μ€μΉ
npmμμ μ€μΉ (κΆμ₯)
npm install -g security-scanner-mcpλλ μμ€μμ λΉλ
git clone https://github.com/ongjin/security-scanner-mcp.git
cd security-scanner-mcp
npm install && npm run buildClaude Codeμ λ±λ‘
# npm μ μ μ€μΉ ν
claude mcp add --scope project security-scanner -- security-scanner-mcp
# λλ μμ€μμ λΉλν κ²½μ°
claude mcp add --scope project security-scanner -- node /path/to/security-scanner-mcp/dist/index.jsλΉ λ₯Έ μ€μ (λꡬ μλ νμ©)
λ§€λ² λꡬ μ¬μ© μΉμΈμ λλ₯΄λ κ²μ΄ λ²κ±°λ‘λ€λ©΄, μλ λ°©λ²μΌλ‘ μλ νμ©μ μ€μ νμΈμ.
π₯οΈ Claude Desktop App μ¬μ©μ
Claude μ±μ μ¬μμν©λλ€.
security-scannerλꡬλ₯Ό μ¬μ©νλ 첫 λ²μ§Έ μ§λ¬Έμ λμ§λλ€.μλ¦Όμ°½μ΄ λ¨λ©΄ "Always allow requests from this server" 체ν¬λ°μ€λ₯Ό ν΄λ¦νκ³ Allowλ₯Ό λλ₯΄μΈμ. (μ΄νμλ λ¬»μ§ μκ³ μ€νλ©λλ€.)
β¨οΈ Claude Code (CLI) μ¬μ©μ
ν°λ―Έλ νκ²½(claude λͺ
λ Ήμ΄)μ μ¬μ© μ€μ΄λΌλ©΄ κΆν κ΄λ¦¬ λͺ
λ Ήμ΄λ₯Ό μ¬μ©νμΈμ.
ν°λ―Έλμμ
claudeλ₯Ό μ€νν©λλ€.ν둬ννΈ μ λ ₯μ°½μ
/permissionsλ₯Ό μ λ ₯νκ³ μν°λ₯Ό μΉ©λλ€.Global Permissions (λλ Project Permissions) > Allowed Toolsλ₯Ό μ νν©λλ€.
mcp__security-scanner__scan-securityλ§ μ λ ₯νκ±°λ, λͺ¨λ λꡬλ₯Ό νμ©νλ €λ©΄mcp__security-scanner__*λ₯Ό μ λ ₯ν©λλ€.
π‘ Tip: λλΆλΆμ κ²½μ°
scan-securityνλλ§ νμ©ν΄λ μΆ©λΆν©λλ€. μ΄ λκ΅¬κ° λͺ¨λ 보μ κ²μ¬λ₯Ό ν΅ν©ν΄μ μννκΈ° λλ¬Έμ λλ€.
μ¬μ© μμ
π κΈ°λ³Έ μ½λ μ€μΊ
λ: μ΄ μ½λ 보μ κ²μ¬ν΄μ€
const apiKey = "AIzaSyC1234567890abcdef";
const query = `SELECT * FROM users WHERE id = ${userId}`;
element.innerHTML = userInput;
Claude: [scan-security νΈμΆ]
## β οΈ λ³΄μ μ·¨μ½μ λ°κ²¬!
### π΄ Critical (1κ°)
- **Google API Key** (λΌμΈ 1)
- Google API Keyκ° μ½λμ νλμ½λ©λμ΄ μμ΅λλ€
- π‘ ν΄κ²°μ±
: νκ²½λ³μλ‘ κ΄λ¦¬νκ³ , API ν€ μ ν μ€μ νκΈ°
### π High (2κ°)
- **Template Literal SQL** (λΌμΈ 2)
- ν
νλ¦Ώ 리ν°λ΄λ‘ SQL 쿼리μ λ³μλ₯Ό μ½μ
νκ³ μμ΅λλ€
- π‘ ν΄κ²°μ±
: Prepared Statementλ₯Ό μ¬μ©νμΈμ
- **innerHTML Assignment** (λΌμΈ 3)
- innerHTMLμ λμ κ°μ ν λΉνκ³ μμ΅λλ€
- π‘ ν΄κ²°μ±
: textContentλ₯Ό μ¬μ©νκ±°λ DOMPurifyλ‘ sanitizeνμΈμπ οΈ μλ μμ λ°κΈ°
λ: innerHTML μ·¨μ½μ μμ μ½λ 보μ¬μ€
Claude: [get-fix-suggestion νΈμΆ]
## β
μμ λ μ½λ
// β Before (μ·¨μ½)
element.innerHTML = userInput;
// β
After (μμ )
element.textContent = userInput;
// λλ HTMLμ΄ νμν κ²½μ°:
import DOMPurify from 'dompurify';
element.innerHTML = DOMPurify.sanitize(userInput);ποΈ IaC νμΌ κ²μ¬
λ: Dockerfile 보μ κ²μ¬ν΄μ€
Claude: [scan-iac νΈμΆ]
## π³ Dockerfile 보μ μ·¨μ½μ λ°κ²¬!
### π΄ Critical (2κ°)
- **DOC001**: root μ¬μ©μλ‘ μ€ν
- π‘ ν΄κ²°μ±
: USER λͺ
λ ΉμΌλ‘ non-root μ¬μ©μ μ€μ
- **DOC005**: νλμ½λ©λ μν¬λ¦Ώ
- π‘ ν΄κ²°μ±
: ARGμ λΉλ μν¬λ¦Ώ μ¬μ©
### π High (3κ°)
- **DOC002**: latest νκ·Έ μ¬μ©
- π‘ ν΄κ²°μ±
: λͺ
μμ λ²μ νκ·Έ μ¬μ© (μ: node:20-alpine)
...π μ’ ν© λ¦¬ν¬νΈ μμ±
λ: μ 체 보μ 리ν¬νΈλ₯Ό Mermaid λ€μ΄μ΄κ·Έλ¨μΌλ‘ 보μ¬μ€
Claude: [generate-security-report νΈμΆ]
# π‘οΈ λ³΄μ μ€μΊ λμ보λ
## π μ 체 μμ½
μ΄ **8κ°**μ μ·¨μ½μ μ΄ λ°κ²¬λμμ΅λλ€.
## π― μ¬κ°λλ³ λΆν¬
```mermaid
pie title μ¬κ°λλ³ μ·¨μ½μ λΆν¬
"π΄ Critical" : 2
"π High" : 3
"π‘ Medium" : 2
"π’ Low" : 1
\```
## βοΈ κ°λ₯ν 곡격 μλ리μ€
```mermaid
flowchart TD
Start([곡격μ]) --> Recon[μ μ°°]
Recon --> Secrets[νλμ½λ©λ<br/>μν¬λ¦Ώ λ°κ²¬]
Secrets --> Access[μΈμ¦ μ°ν]
...
\```
+ SARIF 리ν¬νΈ (GitHub Code Scanning νΈν)
+ CVE/OWASP μμΈ μ 보π³ μλλ°μ€μμ μμ νκ² μ€ν
λ: μ΄ μ½λλ₯Ό μλλ°μ€μμ μμ νκ² κ²μ¬ν΄μ€
Claude: [scan-in-sandbox νΈμΆ]
## π³ μλλ°μ€ μ€μΊ κ²°κ³Ό
β
**μ€μΊ μλ£**
### π μλλ°μ€ μ€μ
- **λ©λͺ¨λ¦¬ μ ν**: 512MB
- **CPU μ ν**: 0.5 μ½μ΄
- **νμμμ**: 30000ms
- **λ€νΈμν¬**: λΉνμ±ν
- **κΆν**: μ΅μ κΆνκ²μΆνλ μ·¨μ½μ
π νλμ½λ©λ μν¬λ¦Ώ
AWS Access Key / Secret Key
Google API Key / OAuth Secret
GitHub Token / Slack Token
Database Connection String
Private Key (RSA, EC λ±)
JWT Token
Kakao / Naver API Key
Stripe / Twilio API Key
π Injection
SQL Injection (λ¬Έμμ΄ μ°κ²°, ν νλ¦Ώ 리ν°λ΄)
NoSQL Injection (MongoDB)
Command Injection (exec, spawn)
LDAP Injection
π XSS
dangerouslySetInnerHTML (React)
innerHTML / outerHTML
jQuery .html() / Vue v-html
eval() / new Function()
document.write()
π μνΈν
μ½ν ν΄μ (MD5, SHA1)
μμ νμ§ μμ λλ€ (Math.random)
νλμ½λ©λ μνΈν ν€/IV
SSL μΈμ¦μ κ²μ¦ λΉνμ±ν
μ·¨μ½ν TLS λ²μ (1.0, 1.1)
π μΈμ¦/μΈμ
JWT μ€μ μ€λ₯ (none μκ³ λ¦¬μ¦, λ§λ£ μμ)
μμ νμ§ μμ μΏ ν€ μ€μ
CORS μμΌλμΉ΄λ
μ½ν λΉλ°λ²νΈ μ μ±
π νμΌ/κ²½λ‘
Path Traversal
μνν νμΌ μμ
μμ νμ§ μμ νμΌ μ λ‘λ
Zip Slip (Java)
Pickle μμ§λ ¬ν (Python)
ποΈ Infrastructure as Code
Dockerfile (CIS Docker Benchmark):
root μ¬μ©μλ‘ μ€ν
νλμ½λ©λ μν¬λ¦Ώ
latest νκ·Έ μ¬μ©
λΆνμν ν¬νΈ λ ΈμΆ
ν¬μ€μ²΄ν¬ λλ½
Kubernetes (Pod Security Standards):
Privileged 컨ν μ΄λ
Root μ€ν
Host λ€νΈμν¬/PID/IPC μ¬μ©
μνν Capability μΆκ°
Resource limit λ―Έμ€μ
Terraform (Multi-Cloud):
κ³΅κ° IP ν λΉ
μνΈν λ―Έμ€μ
λ°©νλ²½ μ 체 μ€ν (0.0.0.0/0)
Public μ κ·Ό κ°λ₯ 리μμ€
π¦ μ·¨μ½ν μμ‘΄μ±
npm audit μ°λ
Python requirements.txt κ²μ¬
Go go.mod κ²μ¬
μ§μ μΈμ΄
β JavaScript / TypeScript
β Python
β Java
β Go
β Dockerfile
β Kubernetes YAML
β Terraform HCL
π¨ 리ν¬νΈ ν¬λ§·
Markdown: μ½κΈ° μ¬μ΄ ν μ€νΈ 리ν¬νΈ
Mermaid: μκ°ν λ€μ΄μ΄κ·Έλ¨ (Pie, Bar, Flowchart)
SARIF: GitHub Code Scanning / VS Code νΈν ν¬λ§·
CVE Enrichment: NVD λ°μ΄ν°λ² μ΄μ€ μ°λ
OWASP Mapping: OWASP Top 10:2021 + CWE 맀ν
π³ Docker μλλ°μ€
μ μμ μΈ μ½λλ‘λΆν° νΈμ€νΈλ₯Ό 보νΈνκΈ° μν΄ Docker 격리 νκ²½μμ μ€μΊμ μ€νν μ μμ΅λλ€.
Docker μ΄λ―Έμ§ μ€λΉ
Docker Hubμμ pull (κΆμ₯)
# 미리 λΉλλ μ΄λ―Έμ§ λ€μ΄λ‘λ (Trivy, GitLeaks, Checkov ν¬ν¨)
docker pull ongjin/security-scanner-mcp:latest
docker tag ongjin/security-scanner-mcp:latest security-scanner-mcp:latestν¬ν¨λ μΈλΆ 보μ λꡬ:
Trivy v0.50.4 - 컨ν μ΄λ/IaC μ·¨μ½μ μ€μΊλ
GitLeaks v8.18.4 - μν¬λ¦Ώ νμ§
Checkov - Infrastructure as Code 보μ μ€μΊλ
μμ€μμ μ§μ λΉλ (μ νμ¬ν)
npm run docker:buildμ°Έκ³ : λΉλμλ 5-10λΆ μ λ μμλλ©°, μ΄λ―Έμ§ ν¬κΈ°λ μ½ 500MBμ λλ€.
μλλ°μ€μμ μ€μΊ μ€ν
Claude Codeμμ:
scan-in-sandbox νΈμΆλ³΄μ μ€μ :
λ©λͺ¨λ¦¬ μ ν: 128MB ~ 2GB
CPU μ ν: 0.1 ~ 2.0 μ½μ΄
νμμμ: 5μ΄ ~ 5λΆ
λ€νΈμν¬: κΈ°λ³Έ λΉνμ±ν
νμΌμμ€ν : μ½κΈ° μ μ©
κΆν: μ΅μ κΆν (no-new-privileges, drop all capabilities)
λ°λͺ¨
# λ°λͺ¨ μ€ν
npm run demoμν€ν μ²
src/
βββ index.ts # MCP μλ² (12κ° λꡬ)
βββ scanners/ # μ½λ μ€μΊλ (8κ°)
β βββ secrets.ts
β βββ injection.ts
β βββ xss.ts
β βββ ...
βββ iac-scanners/ # IaC μ€μΊλ (3κ°)
β βββ dockerfile.ts # 15κ° κ·μΉ
β βββ kubernetes.ts # 13κ° κ·μΉ
β βββ terraform.ts # 15κ° κ·μΉ
βββ remediation/ # μλ μμ
β βββ code-fixer.ts # AST κΈ°λ° μ½λ λ³ν
β βββ templates/ # μμ ν
νλ¦Ώ
βββ reporting/ # 리ν¬ν
β βββ mermaid-generator.ts # λ€μ΄μ΄κ·Έλ¨ μμ±
β βββ sarif-generator.ts # SARIF ν¬λ§·
β βββ markdown-formatter.ts
βββ external/ # μΈλΆ API
β βββ cve-lookup.ts # NVD API μ°λ
β βββ owasp-database.ts # OWASP Top 10 DB
βββ sandbox/ # μλλ°μ€
βββ docker-manager.ts # Docker μ€ν κ΄λ¦¬π₯οΈ CLI λͺ¨λ (CI/CD ν΅ν©)
Claude μμ΄ λ 립μ μΌλ‘ μ€νν μ μλ CLI λͺ¨λλ₯Ό μ 곡ν©λλ€. Jenkins, GitHub Actions, GitLab CI λ± μ΄λμλ μ¬μ© κ°λ₯ν©λλ€.
κΈ°λ³Έ μ¬μ©λ²
# νμΌ μ€μΊ
npx security-scanner-mcp scan ./src/app.js
# λλ ν 리 μ€μΊ
npx security-scanner-mcp scan ./src
# κ²°κ³Όλ₯Ό νμΌλ‘ μ μ₯
npx security-scanner-mcp scan ./src --output report.txtμΆλ ₯ ν¬λ§·
# JSON ν¬λ§· (νμ±μ©)
npx security-scanner-mcp scan ./src --format json
# SARIF ν¬λ§· (GitHub Code Scanning νΈν)
npx security-scanner-mcp scan ./src --format sarif --output report.sarifCI/CD μ΅μ
# Critical μ·¨μ½μ λ°κ²¬ μ λΉλ μ€ν¨ (exit code 1)
npx security-scanner-mcp scan ./src --fail-on critical
# High μ΄μ μ·¨μ½μ λ°κ²¬ μ λΉλ μ€ν¨
npx security-scanner-mcp scan ./src --fail-on high
# νΉμ νμΌλ§ ν¬ν¨
npx security-scanner-mcp scan ./src --include "*.ts,*.js"
# νΉμ ν΄λ μ μΈ
npx security-scanner-mcp scan ./src --exclude "node_modules,dist,test"Jenkins μμ
pipeline {
agent any
stages {
stage('Security Scan') {
steps {
sh 'npx security-scanner-mcp scan ./src --format json --output security-report.json --fail-on high'
}
}
}
post {
always {
archiveArtifacts artifacts: 'security-report.json', fingerprint: true
}
}
}GitHub Actions μμ
name: Security Scan
on: [push, pull_request]
jobs:
security:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Run Security Scan
run: npx security-scanner-mcp scan ./src --format sarif --output results.sarif --fail-on critical
- name: Upload SARIF to GitHub
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: results.sarifGitLab CI μμ
security_scan:
stage: test
script:
- npx security-scanner-mcp scan ./src --format json --output gl-security-report.json --fail-on high
artifacts:
reports:
security: gl-security-report.jsonλ‘λ맡
OWASP Top 10 κΈ°λ° κ²μ¬
λ€μ€ μΈμ΄ μ§μ (JS/TS/Python/Java/Go)
IaC μ€μΊ (Dockerfile, Kubernetes, Terraform)
μλ μμ μ μ κΈ°λ₯ (AST κΈ°λ°)
κ³ κΈ λ¦¬ν¬ν (Mermaid, SARIF)
μΈλΆ μ·¨μ½μ DB μ°λ (NVD, OWASP)
Docker μλλ°μ€ μ€ν
CLI λͺ¨λ (CI/CD νμ΄νλΌμΈ ν΅ν©)
GitHub Actions Marketplace λ±λ‘
VS Code νμ₯
κΈ°μ¬νκΈ°
PR νμν©λλ€! νΉν λ€μ κΈ°μ¬λ₯Ό κΈ°λ€λ¦½λλ€:
μλ‘μ΄ λ³΄μ ν¨ν΄ μΆκ°
λ€λ₯Έ μΈμ΄ μ§μ (Rust, C#, PHP λ±)
IaC κ·μΉ νμ₯ (Ansible, CloudFormation λ±)
λ¬Έμ κ°μ
λΌμ΄μ μ€
MIT
Made with β€οΈ by zerry
λ¨μ μ€μΊλλ₯Ό λμ΄, μ§λ₯ν 보μ ννΈλλ‘.