Merge pull request #97 from project-codeguard/feature/add-mcp-security-rule

santosomar · web-flow · commit 7298d2ea9b0a · 2026-01-27T16:23:03.000-05:00
Add MCP (Model Context Protocol) security rule
diff --git a/.claude-plugin/plugin.json b/.claude-plugin/plugin.json
@@ -1,7 +1,7 @@
 {
   "name": "codeguard-security",
   "description": "Security code review skill based on Project CodeGuard's comprehensive security rules. Helps AI coding agents write secure code and prevent common vulnerabilities.",
-  "version": "1.1.0",
+  "version": "1.2.0",
   "author": {
     "name": "Project CodeGuard",
     "url": "https://project-codeguard.org"
diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "project-codeguard"
-version = "1.1.0"
+version = "1.2.0"
 description = "AI Coding Rules for Security and Best Practices"
 requires-python = ">=3.11"
 dependencies = [
diff --git a/skills/software-security/SKILL.md b/skills/software-security/SKILL.md
@@ -1,7 +1,7 @@
 ---
 name: software-security
 description: A software security skill that integrates with Project CodeGuard to help AI coding agents write secure code and prevent common vulnerabilities. Use this skill when writing, reviewing, or modifying code to ensure secure-by-default practices are followed.
-codeguard-version: "1.0.1"
+codeguard-version: "1.1.0"
 framework: "Project CodeGuard"
 purpose: "Embed secure-by-default practices into AI coding workflows"
 ---
@@ -34,21 +34,22 @@ When writing or reviewing code:
 | cpp | codeguard-0-safe-c-functions.md |
 | d | codeguard-0-iac-security.md |
 | docker | codeguard-0-devops-ci-cd-containers.md, codeguard-0-supply-chain-security.md |
-| go | codeguard-0-additional-cryptography.md, codeguard-0-api-web-services.md, codeguard-0-authentication-mfa.md, codeguard-0-authorization-access-control.md, codeguard-0-file-handling-and-uploads.md, codeguard-0-input-validation-injection.md, codeguard-0-session-management-and-cookies.md, codeguard-0-xml-and-serialization.md |
+| go | codeguard-0-additional-cryptography.md, codeguard-0-api-web-services.md, codeguard-0-authentication-mfa.md, codeguard-0-authorization-access-control.md, codeguard-0-file-handling-and-uploads.md, codeguard-0-input-validation-injection.md, codeguard-0-mcp-security.md, codeguard-0-session-management-and-cookies.md, codeguard-0-xml-and-serialization.md |
 | html | codeguard-0-client-side-web-security.md, codeguard-0-input-validation-injection.md, codeguard-0-session-management-and-cookies.md |
-| java | codeguard-0-additional-cryptography.md, codeguard-0-api-web-services.md, codeguard-0-authentication-mfa.md, codeguard-0-authorization-access-control.md, codeguard-0-file-handling-and-uploads.md, codeguard-0-framework-and-languages.md, codeguard-0-input-validation-injection.md, codeguard-0-mobile-apps.md, codeguard-0-session-management-and-cookies.md, codeguard-0-xml-and-serialization.md |
-| javascript | codeguard-0-additional-cryptography.md, codeguard-0-api-web-services.md, codeguard-0-authentication-mfa.md, codeguard-0-authorization-access-control.md, codeguard-0-client-side-web-security.md, codeguard-0-cloud-orchestration-kubernetes.md, codeguard-0-data-storage.md, codeguard-0-devops-ci-cd-containers.md, codeguard-0-file-handling-and-uploads.md, codeguard-0-framework-and-languages.md, codeguard-0-iac-security.md, codeguard-0-input-validation-injection.md, codeguard-0-logging.md, codeguard-0-mobile-apps.md, codeguard-0-privacy-data-protection.md, codeguard-0-session-management-and-cookies.md, codeguard-0-supply-chain-security.md |
+| java | codeguard-0-additional-cryptography.md, codeguard-0-api-web-services.md, codeguard-0-authentication-mfa.md, codeguard-0-authorization-access-control.md, codeguard-0-file-handling-and-uploads.md, codeguard-0-framework-and-languages.md, codeguard-0-input-validation-injection.md, codeguard-0-mcp-security.md, codeguard-0-mobile-apps.md, codeguard-0-session-management-and-cookies.md, codeguard-0-xml-and-serialization.md |
+| javascript | codeguard-0-additional-cryptography.md, codeguard-0-api-web-services.md, codeguard-0-authentication-mfa.md, codeguard-0-authorization-access-control.md, codeguard-0-client-side-web-security.md, codeguard-0-cloud-orchestration-kubernetes.md, codeguard-0-data-storage.md, codeguard-0-devops-ci-cd-containers.md, codeguard-0-file-handling-and-uploads.md, codeguard-0-framework-and-languages.md, codeguard-0-iac-security.md, codeguard-0-input-validation-injection.md, codeguard-0-logging.md, codeguard-0-mcp-security.md, codeguard-0-mobile-apps.md, codeguard-0-privacy-data-protection.md, codeguard-0-session-management-and-cookies.md, codeguard-0-supply-chain-security.md |
 | kotlin | codeguard-0-additional-cryptography.md, codeguard-0-authentication-mfa.md, codeguard-0-framework-and-languages.md, codeguard-0-mobile-apps.md |
 | matlab | codeguard-0-additional-cryptography.md, codeguard-0-authentication-mfa.md, codeguard-0-mobile-apps.md, codeguard-0-privacy-data-protection.md |
 | perl | codeguard-0-mobile-apps.md |
 | php | codeguard-0-additional-cryptography.md, codeguard-0-api-web-services.md, codeguard-0-authentication-mfa.md, codeguard-0-authorization-access-control.md, codeguard-0-client-side-web-security.md, codeguard-0-file-handling-and-uploads.md, codeguard-0-framework-and-languages.md, codeguard-0-input-validation-injection.md, codeguard-0-session-management-and-cookies.md, codeguard-0-xml-and-serialization.md |
 | powershell | codeguard-0-devops-ci-cd-containers.md, codeguard-0-iac-security.md, codeguard-0-input-validation-injection.md |
-| python | codeguard-0-additional-cryptography.md, codeguard-0-api-web-services.md, codeguard-0-authentication-mfa.md, codeguard-0-authorization-access-control.md, codeguard-0-file-handling-and-uploads.md, codeguard-0-framework-and-languages.md, codeguard-0-input-validation-injection.md, codeguard-0-session-management-and-cookies.md, codeguard-0-xml-and-serialization.md |
+| python | codeguard-0-additional-cryptography.md, codeguard-0-api-web-services.md, codeguard-0-authentication-mfa.md, codeguard-0-authorization-access-control.md, codeguard-0-file-handling-and-uploads.md, codeguard-0-framework-and-languages.md, codeguard-0-input-validation-injection.md, codeguard-0-mcp-security.md, codeguard-0-session-management-and-cookies.md, codeguard-0-xml-and-serialization.md |
 | ruby | codeguard-0-additional-cryptography.md, codeguard-0-api-web-services.md, codeguard-0-authentication-mfa.md, codeguard-0-authorization-access-control.md, codeguard-0-file-handling-and-uploads.md, codeguard-0-framework-and-languages.md, codeguard-0-iac-security.md, codeguard-0-input-validation-injection.md, codeguard-0-session-management-and-cookies.md, codeguard-0-xml-and-serialization.md |
+| rust | codeguard-0-mcp-security.md |
 | shell | codeguard-0-devops-ci-cd-containers.md, codeguard-0-iac-security.md, codeguard-0-input-validation-injection.md |
 | sql | codeguard-0-data-storage.md, codeguard-0-input-validation-injection.md |
 | swift | codeguard-0-additional-cryptography.md, codeguard-0-authentication-mfa.md, codeguard-0-mobile-apps.md |
-| typescript | codeguard-0-additional-cryptography.md, codeguard-0-api-web-services.md, codeguard-0-authentication-mfa.md, codeguard-0-authorization-access-control.md, codeguard-0-client-side-web-security.md, codeguard-0-file-handling-and-uploads.md, codeguard-0-framework-and-languages.md, codeguard-0-input-validation-injection.md, codeguard-0-session-management-and-cookies.md |
+| typescript | codeguard-0-additional-cryptography.md, codeguard-0-api-web-services.md, codeguard-0-authentication-mfa.md, codeguard-0-authorization-access-control.md, codeguard-0-client-side-web-security.md, codeguard-0-file-handling-and-uploads.md, codeguard-0-framework-and-languages.md, codeguard-0-input-validation-injection.md, codeguard-0-mcp-security.md, codeguard-0-session-management-and-cookies.md |
 | vlang | codeguard-0-client-side-web-security.md |
 | xml | codeguard-0-additional-cryptography.md, codeguard-0-api-web-services.md, codeguard-0-devops-ci-cd-containers.md, codeguard-0-framework-and-languages.md, codeguard-0-mobile-apps.md, codeguard-0-xml-and-serialization.md |
 | yaml | codeguard-0-additional-cryptography.md, codeguard-0-api-web-services.md, codeguard-0-authorization-access-control.md, codeguard-0-cloud-orchestration-kubernetes.md, codeguard-0-data-storage.md, codeguard-0-devops-ci-cd-containers.md, codeguard-0-framework-and-languages.md, codeguard-0-iac-security.md, codeguard-0-logging.md, codeguard-0-privacy-data-protection.md, codeguard-0-supply-chain-security.md |
diff --git a/skills/software-security/rules/codeguard-0-mcp-security.md b/skills/software-security/rules/codeguard-0-mcp-security.md
@@ -0,0 +1,102 @@
+---
+description: MCP (Model Context Protocol) Security based on CoSAI MCP Security guidelines
+languages:
+- python
+- javascript
+- typescript
+- go
+- rust
+- java
+alwaysApply: false
+---
+
+rule_id: codeguard-0-mcp-security
+
+# MCP (Model Context Protocol) Security Guidelines
+
+NEVER deploy MCP servers or clients without implementing proper security controls.
+
+### Workload Identity and Authentication
+- Use SPIFFE/SPIRE for cryptographic workload identities
+  - SPIFFE (Secure Production Identity Framework For Everyone) provides a standard for service identity
+  - SPIRE (SPIFFE Runtime Environment) issues and rotates short-lived cryptographic identities (SVIDs)
+
+### Input and Data Sanitization
+- Validate ALL inputs using allowlists at every trust boundary
+- Sanitize file paths through canonicalization
+- Use parameterized queries for database operations
+- Apply context-aware output encoding (SQL, shell, HTML)
+- Sanitize tool outputs: return only minimum fields, redact all PII and sensitive data
+- Treat ALL inputs, tool schemas, metadata, prompts, and resource content as untrusted input
+- Deploy prompt injection detection systems
+- Use strict JSON schemas to maintain boundaries between instructions and data
+
+### Sandboxing and Isolation
+- Design MCP servers to execute with least privilege
+- MCP servers interacting with host environment (files, commands, network) MUST implement sandboxing controls
+- LLM-generated code MUST NOT run with full user privileges
+- Implement additional sandboxing layers: gVisor, Kata Containers, SELinux sandboxes
+
+### Cryptographic Verification of Resources
+- Provide cryptographic signatures and SBOMs for all server code
+- Implement signature verification in your MCP client before loading servers
+- Use TLS for ALL data in transit
+- Implement remote attestation capabilities to verify servers are running expected code
+
+### Transport Layer Security
+
+#### stdio Transport (Local Servers)
+- STRONGLY RECOMMENDED for local MCP to eliminate DNS rebinding risks
+- Direct pipe-based stream communication
+- Implement sandbox to prevent privilege escalation
+
+#### HTTP Streaming Transport (Remote Servers)
+Required security controls to implement:
+- Payload Limits (prevent large payload and recursive payload DoS)
+- Rate limiting for tool calls and transport requests
+- Client-Server Authentication/Authorization
+- Mutual TLS Authentication
+- TLS Encryption
+- CORS Protection
+- CSRF Protection
+- Integrity Checks (prevent replay, spoofing, poisoned responses)
+
+### Secure Tool and UX Design
+- Create single-purpose tools with explicit boundaries; avoid "do anything" tools
+- Do not rely on the LLM for validation or authorization decisions
+- Use two-stage commit for high-impact actions: draft/preview first, explicit commit with confirmation second
+- Provide rollback/undo paths (draft IDs, snapshots, reversible actions) and time-bound commits when possible
+
+### Human-in-the-Loop
+- Implement confirmation prompts for risky operations in your MCP server
+- Use elicitation on MCP server side to request user confirmation of risky actions
+- Security-relevant messages MUST clearly indicate implications
+- Do NOT rely solely on human approval (users can become fatigued)
+
+### Logging and Observability
+- Implement logging in your MCP servers and clients
+- Log: tools that were used, parameters, originating prompt
+- Use OpenTelemetry for end-to-end linkability of actions
+- Maintain immutable records of actions and authorizations
+
+---
+
+## Deployment Pattern Security
+
+### All-Local (stdio or http)
+- Security depends entirely on host system posture
+- Use `stdio` transport to avoid DNS rebinding risks
+- Use sandboxing to limit privilege escalation attacks
+- Appropriate for development and personal use
+
+### Single-Tenant Remote (http)
+- Authentication between client and server is REQUIRED
+- Use secure credential storage (OS keychains, secret managers)
+- Communication MUST be authenticated and encrypted
+- Enterprise clients should enforce authenticated server discovery with explicit allowlists
+
+### Multi-Tenant Remote (http)
+- Require robust tenant isolation, identity, and access control
+- Implement strong multi-tenancy controls (per-tenant encryption, role-based access control)
+- Prefer MCP servers hosted directly by service provider
+- Provide remote attestation when possible
diff --git a/sources/core/codeguard-0-mcp-security.md b/sources/core/codeguard-0-mcp-security.md
@@ -0,0 +1,100 @@
+---
+description: MCP (Model Context Protocol) Security based on CoSAI MCP Security guidelines
+languages:
+- python
+- javascript
+- typescript
+- go
+- rust
+- java
+alwaysApply: false
+---
+
+# MCP (Model Context Protocol) Security Guidelines
+
+NEVER deploy MCP servers or clients without implementing proper security controls.
+
+### Workload Identity and Authentication
+- Use SPIFFE/SPIRE for cryptographic workload identities
+  - SPIFFE (Secure Production Identity Framework For Everyone) provides a standard for service identity
+  - SPIRE (SPIFFE Runtime Environment) issues and rotates short-lived cryptographic identities (SVIDs)
+
+### Input and Data Sanitization
+- Validate ALL inputs using allowlists at every trust boundary
+- Sanitize file paths through canonicalization
+- Use parameterized queries for database operations
+- Apply context-aware output encoding (SQL, shell, HTML)
+- Sanitize tool outputs: return only minimum fields, redact all PII and sensitive data
+- Treat ALL inputs, tool schemas, metadata, prompts, and resource content as untrusted input
+- Deploy prompt injection detection systems
+- Use strict JSON schemas to maintain boundaries between instructions and data
+
+### Sandboxing and Isolation
+- Design MCP servers to execute with least privilege
+- MCP servers interacting with host environment (files, commands, network) MUST implement sandboxing controls
+- LLM-generated code MUST NOT run with full user privileges
+- Implement additional sandboxing layers: gVisor, Kata Containers, SELinux sandboxes
+
+### Cryptographic Verification of Resources
+- Provide cryptographic signatures and SBOMs for all server code
+- Implement signature verification in your MCP client before loading servers
+- Use TLS for ALL data in transit
+- Implement remote attestation capabilities to verify servers are running expected code
+
+### Transport Layer Security
+
+#### stdio Transport (Local Servers)
+- STRONGLY RECOMMENDED for local MCP to eliminate DNS rebinding risks
+- Direct pipe-based stream communication
+- Implement sandbox to prevent privilege escalation
+
+#### HTTP Streaming Transport (Remote Servers)
+Required security controls to implement:
+- Payload Limits (prevent large payload and recursive payload DoS)
+- Rate limiting for tool calls and transport requests
+- Client-Server Authentication/Authorization
+- Mutual TLS Authentication
+- TLS Encryption
+- CORS Protection
+- CSRF Protection
+- Integrity Checks (prevent replay, spoofing, poisoned responses)
+
+### Secure Tool and UX Design
+- Create single-purpose tools with explicit boundaries; avoid "do anything" tools
+- Do not rely on the LLM for validation or authorization decisions
+- Use two-stage commit for high-impact actions: draft/preview first, explicit commit with confirmation second
+- Provide rollback/undo paths (draft IDs, snapshots, reversible actions) and time-bound commits when possible
+
+### Human-in-the-Loop
+- Implement confirmation prompts for risky operations in your MCP server
+- Use elicitation on MCP server side to request user confirmation of risky actions
+- Security-relevant messages MUST clearly indicate implications
+- Do NOT rely solely on human approval (users can become fatigued)
+
+### Logging and Observability
+- Implement logging in your MCP servers and clients
+- Log: tools that were used, parameters, originating prompt
+- Use OpenTelemetry for end-to-end linkability of actions
+- Maintain immutable records of actions and authorizations
+
+---
+
+## Deployment Pattern Security
+
+### All-Local (stdio or http)
+- Security depends entirely on host system posture
+- Use `stdio` transport to avoid DNS rebinding risks
+- Use sandboxing to limit privilege escalation attacks
+- Appropriate for development and personal use
+
+### Single-Tenant Remote (http)
+- Authentication between client and server is REQUIRED
+- Use secure credential storage (OS keychains, secret managers)
+- Communication MUST be authenticated and encrypted
+- Enterprise clients should enforce authenticated server discovery with explicit allowlists
+
+### Multi-Tenant Remote (http)
+- Require robust tenant isolation, identity, and access control
+- Implement strong multi-tenancy controls (per-tenant encryption, role-based access control)
+- Prefer MCP servers hosted directly by service provider
+- Provide remote attestation when possible
diff --git a/uv.lock b/uv.lock

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "codeguard-security",`
`3`	`3`	`"description": "Security code review skill based on Project CodeGuard's comprehensive security rules. Helps AI coding agents write secure code and prevent common vulnerabilities.",`
`4`		`- "version": "1.1.0",`
	`4`	`+ "version": "1.2.0",`
`5`	`5`	`"author": {`
`6`	`6`	`"name": "Project CodeGuard",`
`7`	`7`	`"url": "https://project-codeguard.org"`