Glama
shyshlakov

pci-dss-mcp

Server Configuration

Describes the environment variables required to run the server.

Name | Required | Description | Default

No arguments

Capabilities

Features and capabilities supported by this server

Capability | Details
tools | {"listChanged": true}
logging | {}

Tools

Functions exposed to the LLM to take actions

Name | Description
audit_log_coverage

Scan Go source files for payment handlers missing structured audit logging (PCI DSS 10.2.1). Detects missing logging and unstructured-only logging (fmt/log), and also reports handlers that already use structured logging. Framework-aware: supports net/http, gin and echo handler signatures. Default: returns response_shape "summary" with by_severity counts, a capped by_rule histogram (top 10 + more_rules) and the top 3 findings per severity, plus a pagination.next_cursor for drill-down. Prefer this for mixed queries; min_severity / rule_filter drop to response_shape "flat" but still carry summary.by_severity + summary.by_rule for full-scan context. Follow the cursor for the full paginated list. Use include_tests / exclude_patterns / min_severity / rule_filter for a filtered flat response.

check_auth_strength

Scan Go source files for weak authentication: hardcoded passwords (PCI DSS 8.3.1), password policies with a minimum length below 12 (PCI DSS 8.3.6), and payment routes missing MFA middleware (PCI DSS 8.4.2). Default: returns response_shape "summary" with by_severity counts, a capped by_rule histogram (top 10 + more_rules) and the top 3 findings per severity, plus a pagination.next_cursor for drill-down. Prefer this for mixed queries; min_severity / rule_filter drop to response_shape "flat" but still carry summary.by_severity + summary.by_rule for full-scan context. Follow the cursor for the full paginated list. Use include_tests / exclude_patterns / min_severity / rule_filter for a filtered flat response. Maps findings to PCI DSS 8.3.1, 8.3.6, 8.4.2.

check_data_retention

Scan Go source and config files for unsafe data retention: Redis/DB storage of CVV/PAN without a TTL (PCI DSS 3.2.1), config files missing a TTL on sensitive keys (PCI DSS 3.3.1), and incorrect timing of memory zeroing after authorization. Scans .go, .yaml, .json and .toml files. Default: returns response_shape "summary" with by_severity counts, a capped by_rule histogram (top 10 + more_rules) and the top 3 findings per severity, plus a pagination.next_cursor for drill-down. Prefer this for mixed queries; min_severity / rule_filter drop to response_shape "flat" but still carry summary.by_severity + summary.by_rule for full-scan context. Follow the cursor for the full paginated list. Use include_tests / exclude_patterns / min_severity / rule_filter for a filtered flat response. Maps findings to PCI DSS 3.2.1, 3.3.1.

check_dependencies

Scan go.mod dependencies for known vulnerabilities (PCI DSS 6.3.3). Bulk-downloads the public OSV Go vulnerability snapshot and intersects it locally against go.mod, matching the govulncheck privacy model: no module names are sent to OSV.dev. Cache TTL: fresh for 24h, revalidated via ETag between 24h and 7d, force-refreshed after 7d. Run update_vulnerability_db first to bootstrap the cache for air-gapped environments. Default: returns response_shape "summary" with by_severity counts, a capped by_rule histogram (top 10 + more_rules) and the top 1 finding per severity, plus a pagination.next_cursor for drill-down. Prefer this for mixed queries; min_severity / rule_filter drop to response_shape "flat" but still carry summary.by_severity + summary.by_rule for full-scan context. Follow the cursor for the full paginated list. Use min_severity / rule_filter / a positive limit for a filtered flat response. Maps findings to PCI DSS 6.3.3.

check_encryption

Scan Go source files for encryption violations: weak hash algorithms (md5/sha1) with context scoring, hardcoded encryption keys/IVs, and plain HTTP URLs. Default: returns response_shape "summary" with by_severity counts, a capped by_rule histogram (top 10 + more_rules) and the top 3 findings per severity, plus a pagination.next_cursor for drill-down. Prefer this for mixed queries; min_severity / rule_filter drop to response_shape "flat" but still carry summary.by_severity + summary.by_rule for full-scan context. Follow the cursor for the full paginated list. Use include_tests / exclude_patterns / min_severity / rule_filter for a filtered flat response. Maps findings to PCI DSS 6.2.4, 4.2.1.

check_error_handling

Scan Go source files for error disclosure in payment handlers: detects err.Error() passed to http.Error, fmt.Fprintf with error variables, w.Write with error bytes, and json.Encode of errors. Default: returns response_shape "summary" with by_severity counts, a capped by_rule histogram (top 10 + more_rules) and the top 3 findings per severity, plus a pagination.next_cursor for drill-down. Prefer this for mixed queries; min_severity / rule_filter drop to response_shape "flat" but still carry summary.by_severity + summary.by_rule for full-scan context. Follow the cursor for the full paginated list. Use include_tests / exclude_patterns / min_severity / rule_filter for a filtered flat response. Maps findings to PCI DSS 6.2.4.

check_payment_page_scripts

Scan Go source files and HTML templates for payment page script security violations (PCI DSS 6.4.3, 11.6.1). Detects missing Content-Security-Policy headers in Go payment handlers, unsafe-inline/unsafe-eval in CSP, external scripts without SRI (an integrity attribute) in HTML templates, and inline scripts without a nonce attribute. Framework-aware: supports net/http, gin and echo handler signatures. Default: returns response_shape "summary" with by_severity counts, a capped by_rule histogram (top 10 + more_rules) and the top 3 findings per severity, plus a pagination.next_cursor for drill-down. Prefer this for mixed queries; min_severity / rule_filter drop to response_shape "flat" but still carry summary.by_severity + summary.by_rule for full-scan context. Follow the cursor for the full paginated list. Use include_tests / exclude_patterns / min_severity / rule_filter for a filtered flat response. Maps findings to PCI DSS 6.4.3, 11.6.1.

check_secrets_in_configs

Scan configuration files (.env, .yaml, .json, .toml) for hardcoded secrets: API keys, passwords, tokens, and connection strings with embedded credentials. Default: returns response_shape "summary" with by_severity counts, a capped by_rule histogram (top 10 + more_rules) and the top 3 findings per severity, plus a pagination.next_cursor for drill-down. Prefer this for mixed queries; min_severity / rule_filter drop to response_shape "flat" but still carry summary.by_severity + summary.by_rule for full-scan context. Follow the cursor for the full paginated list. Use include_tests / exclude_patterns / min_severity / rule_filter for a filtered flat response. Maps findings to PCI DSS 8.6.2.

check_tls_config

Scan Go source files for TLS configuration violations: InsecureSkipVerify, a weak MinVersion (below TLS 1.2), a missing MinVersion, and prohibited cipher suites (RC4, 3DES, NULL). Default: returns response_shape "summary" with by_severity counts, a capped by_rule histogram (top 10 + more_rules) and the top 3 findings per severity, plus a pagination.next_cursor for drill-down. Prefer this for mixed queries; min_severity / rule_filter drop to response_shape "flat" but still carry summary.by_severity + summary.by_rule for full-scan context. Follow the cursor for the full paginated list. Use include_tests / exclude_patterns / min_severity / rule_filter for a filtered flat response. Maps findings to PCI DSS 4.2.1.

explain_requirement

Look up a PCI DSS v4.0.1 requirement by ID. Returns title, description, and testing procedure.

generate_compliance_report

Raw PCI DSS v4.0.1 compliance report without AI triage — intended for CI gates, audit artifacts, and requirement-level pass/fail lists. For interactive "scan this project" prompts, call triage_findings instead. A default unfiltered call returns a compact summary (metadata, totals, requirement_statuses, top 20 findings per severity, and a cursor for follow-up). Supply min_severity / rule_filter / limit to get a paged flat list (60 per page with cursor), or cursor= to resume a prior session (10-minute TTL). min_severity / rule_filter drop the response to shape "flat" but still carry summary.by_severity + summary.by_rule for full-scan context. Taint analysis is ON by default; set include_taint=false for fast dev iteration.

generate_sbom

Generate a CycloneDX v1.6 SBOM for a Go project. Default behavior: writes sbom.json (or sbom.xml when format=xml) next to the scanned go.mod and returns metadata only (output_path, size_bytes, component_count, unknown_licenses). Override the destination with output_path (must be absolute). Pass inline=true to return the serialized SBOM in the MCP response instead (capped at 64 KB; returns SBOM_TOO_LARGE above that). Parses go.mod + go.sum offline against the local GOMODCACHE; modules missing from the cache surface as UNKNOWN-LICENSE. Satisfies PCI DSS 6.3.2 (software inventory, mandatory since March 2025).

scan_pan_data

Default: returns response_shape "summary" with by_severity counts, a capped by_rule histogram (top 10 + more_rules) and the top 3 findings per severity, plus a pagination.next_cursor for drill-down. Prefer this for mixed queries; min_severity / rule_filter drop to response_shape "flat" but still carry summary.by_severity + summary.by_rule for full-scan context. Follow the cursor for the full paginated list. Use include_tests / exclude_patterns for a filtered flat response. Maps findings to PCI DSS 3.3.1, 3.4.1, 3.5.1.

triage_findings

Run all PCI DSS v4.0.1 scanners, AI-assisted prioritization and file:line enrichment on a Go project in a single call. Default: response_shape "summary" with by_severity counts, a capped by_rule histogram (top 10 + more_rules) and the top 1 enriched finding per severity, plus a pagination.next_cursor for drill-down. min_severity / rule_filter drop the response to shape "flat" but still carry summary.by_severity + summary.by_rule for full-scan context. Follow the cursor for the full paginated list.

update_vulnerability_db

Download a fresh OSV Go vulnerability snapshot to the local cache for offline scanning. Downloads from gs://osv-vulnerabilities/Go/all.zip (~7.5MB). This is the ONLY tool that makes network requests. The cache is stored at PCI_MCP_CACHE_DIR, or ~/.pci-dss-mcp/vuln-cache/ by default.

Prompts

Interactive templates invoked by user choice

Name | Description

No prompts

Resources

Contextual data attached and managed by the client

Name | Description

No resources
