feat(llm-security-copilot): port llm-security v5.1.0 to GitHub Copilot CLI

Full port of llm-security plugin for internal use on Windows with GitHub
Copilot CLI. Protocol translation layer (copilot-hook-runner.mjs)
normalizes Copilot camelCase I/O to Claude Code snake_case format — all
original hook scripts run unmodified.

- 8 hooks with protocol translation (stdin/stdout/exit code)
- 18 SKILL.md skills (Agent Skills Open Standard)
- 6 .agent.md agent definitions
- 20 scanners + 14 scanner lib modules (unchanged)
- 14 knowledge files (unchanged)
- 39 test files including copilot-port-verify.mjs (17 tests)
- Windows-ready: node:path, os.tmpdir(), process.execPath, no bash

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Kjell Tore Guttormsen 2026-04-09 21:56:10 +02:00
commit f418a8fe08
169 changed files with 37631 additions and 0 deletions


@ -0,0 +1,959 @@
<!--
UNIFIED REPORT TEMPLATE — llm-security v1.4.0
This single template replaces 9 separate report templates. Agents and commands
select which sections to include by setting ANALYSIS_TYPE.
SECTION ACTIVATION TABLE
========================
Section | scan | deep-scan | audit | posture | plugin-audit | mcp-audit | threat-model | pre-deploy | clean
========================== | ==== | ========= | ===== | ======= | ============ | ========= | ============ | ========== | =====
Header | Y | Y | Y | Y | Y | Y | Y | Y | Y
Risk Dashboard | Y | Y | Y | Y | Y | Y | - | Y | Y
Executive Summary | Y | Y | Y | - | Y | Y | - | - | -
System Description | - | - | - | - | - | - | Y | - | -
Overall Score | - | - | - | Y | - | - | - | - | -
Remediation Summary | - | - | - | - | - | - | - | - | Y
Findings by Severity | Y | - | Y | - | Y | - | - | - | -
Findings by OWASP | Y | Y | - | - | - | - | - | - | -
Supply Chain Assessment | Y | - | - | - | - | - | - | - | -
Scanner Breakdown | - | Y | - | - | - | - | - | - | -
Scanner Risk Matrix | - | Y | - | - | - | - | - | - | -
Methodology (scanners) | - | Y | - | - | - | - | - | - | -
Category Assessment | - | - | Y | - | - | - | - | - | -
Risk Matrix (L×I) | - | - | Y | - | - | - | - | - | -
Action Plan | - | - | Y | - | - | - | - | - | -
Positive Findings | - | - | Y | - | - | - | - | - | -
Category Scorecard | - | - | - | Y | - | - | - | - | -
Quick Wins | - | - | - | Y | - | - | - | - | -
Baseline Comparison | - | - | - | Y | - | - | - | - | -
Plugin Metadata | - | - | - | - | Y | - | - | - | -
Component Inventory | - | - | - | - | Y | - | - | - | -
Permission Matrix | - | - | - | - | Y | - | - | - | -
Hook Safety | - | - | - | - | Y | - | - | - | -
Trust Verdict | - | - | - | - | Y | - | - | - | -
MCP Landscape | - | - | - | - | - | Y | - | - | -
Per-Server Analysis | - | - | - | - | - | Y | - | - | -
MCP Risk Assessment | - | - | - | - | - | Y | - | - | -
Keep/Review/Remove | - | - | - | - | - | Y | - | - | -
Architecture Overview | - | - | - | - | - | - | Y | - | -
MAESTRO Mapping | - | - | - | - | - | - | Y | - | -
Threat Catalog | - | - | - | - | - | - | Y | - | -
Threat Risk Matrix | - | - | - | - | - | - | Y | - | -
Mitigation Plan | - | - | - | - | - | - | Y | - | -
Residual Risk | - | - | - | - | - | - | Y | - | -
Automated Checks | - | - | - | - | - | - | - | Y | -
Manual Verification | - | - | - | - | - | - | - | Y | -
Deploy Verdict | - | - | - | - | - | - | - | Y | -
Fix Log | - | - | - | - | - | - | - | - | Y
Auto/Semi-Auto/Manual | - | - | - | - | - | - | - | - | Y
Validation | - | - | - | - | - | - | - | - | Y
Rollback | - | - | - | - | - | - | - | - | Y
Recommendations | Y | Y | - | Y | Y | - | - | Y | -
Footer | Y | Y | Y | Y | Y | Y | Y | Y | Y
RISK SCORING (unified — all analysis types)
Formula: score = min((Critical × 25) + (High × 10) + (Medium × 4) + (Low × 1), 100)
Bands: 0-20 Low, 21-40 Medium, 41-60 High, 61-80 Critical, 81-100 Extreme
Verdict: BLOCK if Critical >= 1 OR score >= 61
WARNING if High >= 1 OR score >= 21
ALLOW otherwise
Grade: A: pass_rate >= 0.89 AND zero FAIL in cat 1,2,5 AND zero Critical
B: pass_rate >= 0.72 AND zero Critical
C: pass_rate >= 0.56
D: pass_rate >= 0.33
F: pass_rate < 0.33 OR 3+ Critical
FINDING CATEGORIES
Secrets, Injection, Permissions, Supply Chain, MCP Trust,
Destructive, Output Handling, Other
SEVERITY CLASSIFICATION
Critical — Active threat, immediate exploitation risk
High — Significant risk, exploitation likely without mitigation
Medium — Meaningful risk, requires attention
Low — Informational or best-practice gap
Info — Observation, no immediate risk
-->
# {{REPORT_TITLE}}
---
## Header
| Field | Value |
|-------|-------|
| **Report type** | {{ANALYSIS_TYPE}} |
| **Target** | {{TARGET}} |
| **Date** | {{DATE}} |
| **Version** | llm-security v{{VERSION}} |
| **Scope** | {{SCOPE}} |
| **Frameworks** | {{FRAMEWORKS}} |
| **Triggered by** | {{TRIGGER_COMMAND}} |
---
<!-- SECTION: Risk Dashboard — all types except threat-model -->
## Risk Dashboard
| Metric | Value |
|--------|-------|
| **Risk Score** | {{RISK_SCORE}}/100 |
| **Risk Band** | {{RISK_BAND}} |
| **Grade** | {{GRADE}} |
| **Verdict** | {{VERDICT}} |
| Severity | Count |
|----------|------:|
| Critical | {{CRITICAL}} |
| High | {{HIGH}} |
| Medium | {{MEDIUM}} |
| Low | {{LOW}} |
| Info | {{INFO}} |
| **Total** | **{{TOTAL_FINDINGS}}** |
**Verdict rationale:** {{VERDICT_RATIONALE}}
---
<!-- SECTION: Executive Summary — scan, deep-scan, audit, plugin-audit, mcp-audit -->
## Executive Summary
{{EXECUTIVE_SUMMARY}}
---
<!-- SECTION: System Description — threat-model only -->
## System Description
{{SYSTEM_DESCRIPTION}}
---
<!-- SECTION: Overall Score — posture only -->
## Overall Score
**{{POSTURE_SCORE}} / {{POSTURE_APPLICABLE}} categories covered (Grade {{GRADE}})**
```
{{PROGRESS_BAR}}
```
**Risk Score:** {{RISK_SCORE}}/100 ({{RISK_BAND}})
**Verdict:** {{POSTURE_VERDICT}}
---
<!-- SECTION: Remediation Summary — clean only -->
## Remediation Summary
> [!{{VERDICT_TYPE}}]
> **Pre-clean:** {{PRE_VERDICT}} ({{PRE_RISK_SCORE}}/100, {{PRE_RISK_BAND}}) — {{PRE_TOTAL_FINDINGS}} findings
> **Post-clean:** {{POST_VERDICT}} ({{POST_RISK_SCORE}}/100, {{POST_RISK_BAND}}) — {{POST_TOTAL_FINDINGS}} findings
> **Risk reduction:** {{RISK_REDUCTION}}%
| Metric | Before | After | Delta |
|--------|--------|-------|-------|
| Risk Score | {{PRE_RISK_SCORE}} | {{POST_RISK_SCORE}} | {{RISK_DELTA}} |
| Total Findings | {{PRE_TOTAL_FINDINGS}} | {{POST_TOTAL_FINDINGS}} | {{FINDINGS_DELTA}} |
| Critical | {{PRE_CRITICAL}} | {{POST_CRITICAL}} | {{CRITICAL_DELTA}} |
| High | {{PRE_HIGH}} | {{POST_HIGH}} | {{HIGH_DELTA}} |
| Medium | {{PRE_MEDIUM}} | {{POST_MEDIUM}} | {{MEDIUM_DELTA}} |
| Low | {{PRE_LOW}} | {{POST_LOW}} | {{LOW_DELTA}} |
---
<!-- SECTION: Findings by Severity — scan, audit, plugin-audit -->
## Findings
Findings sorted Critical → High → Medium → Low → Info.
Finding IDs: `SCN-NNN` (LLM agent) or `DS-XXX-NNN` (deterministic scanner).
### Critical
| ID | Category | File | Line | Description | OWASP |
|----|----------|------|------|-------------|-------|
| {{FINDING_ROW}} |
**{{FINDING_ID}} Detail**
- **Severity:** Critical
- **Category:** {{CATEGORY}}
- **File:** {{FILE}}
- **Line(s):** {{LINE}}
- **OWASP:** {{OWASP_REF}}
- **Description:** {{DESCRIPTION}}
- **Evidence:** {{EVIDENCE}}
- **Remediation:** {{REMEDIATION}}
### High
> Omit if empty.
### Medium
> Omit if empty.
### Low / Info
> Omit if empty.
---
<!-- SECTION: Findings by OWASP — scan, deep-scan -->
## OWASP Categorization
| OWASP Category | Findings | Max Severity | Scanners |
|----------------|----------|-------------|----------|
| LLM01 — Prompt Injection | {{LLM01_COUNT}} | {{LLM01_MAX}} | {{LLM01_SCANNERS}} |
| LLM02 — Sensitive Info Disclosure | {{LLM02_COUNT}} | {{LLM02_MAX}} | {{LLM02_SCANNERS}} |
| LLM03 — Supply Chain | {{LLM03_COUNT}} | {{LLM03_MAX}} | {{LLM03_SCANNERS}} |
| LLM06 — Excessive Agency | {{LLM06_COUNT}} | {{LLM06_MAX}} | {{LLM06_SCANNERS}} |
---
<!-- SECTION: Supply Chain Assessment — scan only -->
## Supply Chain Assessment
| Component | Type | Source | Trust Score | Notes |
|-----------|------|--------|-------------|-------|
| {{SUPPLY_CHAIN_ROW}} |
**Source verification:** {{SOURCE_VERIFICATION}}
**Permissions analysis:**
- Requested tools: {{REQUESTED_TOOLS}}
- Minimum necessary: {{MIN_TOOLS}}
- Over-permissioned: {{OVER_PERMISSIONED}}
**Supply chain risk summary:** {{SUPPLY_CHAIN_SUMMARY}}
---
<!-- SECTION: Scanner Breakdown — deep-scan only -->
## Scanner Results
### 1. Unicode Analysis (UNI)
**Status:** {{UNI_STATUS}} | **Files:** {{UNI_FILES}} | **Findings:** {{UNI_FINDINGS}} | **Time:** {{UNI_DURATION}}ms
{{UNI_DETAILS}}
### 2. Entropy Analysis (ENT)
**Status:** {{ENT_STATUS}} | **Files:** {{ENT_FILES}} | **Findings:** {{ENT_FINDINGS}} | **Time:** {{ENT_DURATION}}ms
{{ENT_DETAILS}}
### 3. Permission Mapping (PRM)
**Status:** {{PRM_STATUS}} | **Files:** {{PRM_FILES}} | **Findings:** {{PRM_FINDINGS}} | **Time:** {{PRM_DURATION}}ms
{{PRM_DETAILS}}
### 4. Dependency Audit (DEP)
**Status:** {{DEP_STATUS}} | **Files:** {{DEP_FILES}} | **Findings:** {{DEP_FINDINGS}} | **Time:** {{DEP_DURATION}}ms
{{DEP_DETAILS}}
### 5. Taint Tracing (TNT)
**Status:** {{TNT_STATUS}} | **Files:** {{TNT_FILES}} | **Findings:** {{TNT_FINDINGS}} | **Time:** {{TNT_DURATION}}ms
{{TNT_DETAILS}}
### 6. Git Forensics (GIT)
**Status:** {{GIT_STATUS}} | **Files:** {{GIT_FILES}} | **Findings:** {{GIT_FINDINGS}} | **Time:** {{GIT_DURATION}}ms
{{GIT_DETAILS}}
### 7. Network Mapping (NET)
**Status:** {{NET_STATUS}} | **Files:** {{NET_FILES}} | **Findings:** {{NET_FINDINGS}} | **Time:** {{NET_DURATION}}ms
{{NET_DETAILS}}
---
<!-- SECTION: Scanner Risk Matrix — deep-scan only -->
## Scanner Risk Matrix
| Scanner | CRITICAL | HIGH | MEDIUM | LOW | INFO |
|---------|----------|------|--------|-----|------|
| Unicode (UNI) | {{UNI_C}} | {{UNI_H}} | {{UNI_M}} | {{UNI_L}} | {{UNI_I}} |
| Entropy (ENT) | {{ENT_C}} | {{ENT_H}} | {{ENT_M}} | {{ENT_L}} | {{ENT_I}} |
| Permission (PRM) | {{PRM_C}} | {{PRM_H}} | {{PRM_M}} | {{PRM_L}} | {{PRM_I}} |
| Dependency (DEP) | {{DEP_C}} | {{DEP_H}} | {{DEP_M}} | {{DEP_L}} | {{DEP_I}} |
| Taint (TNT) | {{TNT_C}} | {{TNT_H}} | {{TNT_M}} | {{TNT_L}} | {{TNT_I}} |
| Git (GIT) | {{GIT_C}} | {{GIT_H}} | {{GIT_M}} | {{GIT_L}} | {{GIT_I}} |
| Network (NET) | {{NET_C}} | {{NET_H}} | {{NET_M}} | {{NET_L}} | {{NET_I}} |
| **TOTAL** | **{{CRITICAL}}** | **{{HIGH}}** | **{{MEDIUM}}** | **{{LOW}}** | **{{INFO}}** |
---
<!-- SECTION: Methodology — deep-scan only -->
## Methodology
7 deterministic Node.js scanners (zero external dependencies). Results are factual and reproducible.
| Scanner | Algorithm | Limitations |
|---------|-----------|-------------|
| Unicode | Codepoint iteration, Tag decoding | None — deterministic |
| Entropy | Shannon H per string literal | FP on knowledge files, data URIs |
| Permission | Frontmatter parsing, cross-reference | Claude Code plugins only |
| Dependency | npm/pip audit, Levenshtein | Requires package manager CLI |
| Taint | Regex variable tracking, 3-pass | ~70% recall, no AST, no cross-file |
| Git | History analysis, reflog, diff | Max 500 commits, 15s timeout |
| Network | URL extraction, DNS resolution | Max 50 DNS lookups, 3s timeout |
---
<!-- SECTION: Category Assessment — audit only -->
## Category Assessment
### Category 1 — Deny-First Configuration
| Status | {{CAT1_STATUS}} |
|--------|----------------|
**Evidence:**
{{CAT1_EVIDENCE}}
**Recommendations:**
{{CAT1_RECOMMENDATIONS}}
---
### Category 2 — Secrets Protection
| Status | {{CAT2_STATUS}} |
|--------|----------------|
**Evidence:**
{{CAT2_EVIDENCE}}
**Recommendations:**
{{CAT2_RECOMMENDATIONS}}
---
### Category 3 — Path Guarding
| Status | {{CAT3_STATUS}} |
|--------|----------------|
**Evidence:**
{{CAT3_EVIDENCE}}
**Recommendations:**
{{CAT3_RECOMMENDATIONS}}
---
### Category 4 — MCP Server Trust
| Status | {{CAT4_STATUS}} |
|--------|----------------|
**Evidence:**
{{CAT4_EVIDENCE}}
**Recommendations:**
{{CAT4_RECOMMENDATIONS}}
---
### Category 5 — Destructive Command Blocking
| Status | {{CAT5_STATUS}} |
|--------|----------------|
**Evidence:**
{{CAT5_EVIDENCE}}
**Recommendations:**
{{CAT5_RECOMMENDATIONS}}
---
### Category 6 — Sandbox Configuration
| Status | {{CAT6_STATUS}} |
|--------|----------------|
**Evidence:**
{{CAT6_EVIDENCE}}
**Recommendations:**
{{CAT6_RECOMMENDATIONS}}
---
### Category 7 — Human Review Requirements
| Status | {{CAT7_STATUS}} |
|--------|----------------|
**Evidence:**
{{CAT7_EVIDENCE}}
**Recommendations:**
{{CAT7_RECOMMENDATIONS}}
---
### Category 8 — Skill and Plugin Sources
| Status | {{CAT8_STATUS}} |
|--------|----------------|
**Evidence:**
{{CAT8_EVIDENCE}}
**Recommendations:**
{{CAT8_RECOMMENDATIONS}}
---
### Category 9 — Session Isolation
| Status | {{CAT9_STATUS}} |
|--------|----------------|
**Evidence:**
{{CAT9_EVIDENCE}}
**Recommendations:**
{{CAT9_RECOMMENDATIONS}}
---
<!-- SECTION: Risk Matrix (L×I) — audit only -->
## Risk Matrix
```
LIKELIHOOD
Low Medium High
+------------+------------+------------+
High | | | |
IMPACT +------------+------------+------------+
Med | | | |
+------------+------------+------------+
Low | | | |
+------------+------------+------------+
```
---
<!-- SECTION: Action Plan — audit only -->
## Prioritized Action Plan
| # | Priority | Action | Finding | Effort | Risk if Deferred |
|---|----------|--------|---------|--------|------------------|
| {{ACTION_ROWS}} |
---
<!-- SECTION: Positive Findings — audit only -->
## Positive Findings
- **{{CONTROL_NAME}}** — {{CONTROL_DESCRIPTION}}
---
<!-- SECTION: Category Scorecard — posture only -->
## Category Scorecard
| # | Category | Status | Notes |
|---|----------|--------|-------|
| 1 | Deny-First Configuration | {{CAT1_INDICATOR}} | {{CAT1_NOTES}} |
| 2 | Secrets Protection | {{CAT2_INDICATOR}} | {{CAT2_NOTES}} |
| 3 | Path Guarding | {{CAT3_INDICATOR}} | {{CAT3_NOTES}} |
| 4 | MCP Server Trust | {{CAT4_INDICATOR}} | {{CAT4_NOTES}} |
| 5 | Destructive Command Blocking | {{CAT5_INDICATOR}} | {{CAT5_NOTES}} |
| 6 | Sandbox Configuration | {{CAT6_INDICATOR}} | {{CAT6_NOTES}} |
| 7 | Human Review Requirements | {{CAT7_INDICATOR}} | {{CAT7_NOTES}} |
| 8 | Skill and Plugin Sources | {{CAT8_INDICATOR}} | {{CAT8_NOTES}} |
| 9 | Session Isolation | {{CAT9_INDICATOR}} | {{CAT9_NOTES}} |
Status indicators: COVERED / PARTIAL / GAP / N/A
### Category Detail
{{CATEGORY_DETAIL}}
---
<!-- SECTION: Quick Wins — posture only -->
## Quick Wins
- [ ] {{QUICK_WIN}}
> If none: "No quick wins identified — improvements require architectural changes."
---
<!-- SECTION: Baseline Comparison — posture only -->
## Baseline Comparison
| Category | Fully Secured | This Project |
|----------|--------------|--------------|
| Deny-First Configuration | `defaultPermissionLevel: deny` | {{CAT1_CURRENT}} |
| Secrets Protection | Hook active + .env gitignored + no secrets | {{CAT2_CURRENT}} |
| Path Guarding | `pre-write-pathguard` blocks sensitive paths | {{CAT3_CURRENT}} |
| MCP Server Trust | All verified, minimal scope, auth required | {{CAT4_CURRENT}} |
| Destructive Command Blocking | `pre-bash-destructive` with comprehensive patterns | {{CAT5_CURRENT}} |
| Sandbox Configuration | Network/filesystem scoped to project | {{CAT6_CURRENT}} |
| Human Review Requirements | Confirmation gates on irreversible operations | {{CAT7_CURRENT}} |
| Skill and Plugin Sources | All verified sources, minimal permissions | {{CAT8_CURRENT}} |
| Session Isolation | No cross-session leakage, minimal context | {{CAT9_CURRENT}} |
**Gap summary:** {{GAP_SUMMARY}}
---
<!-- SECTION: Plugin Metadata — plugin-audit only -->
## Plugin Metadata
| Field | Value |
|-------|-------|
| **Plugin** | {{PLUGIN_NAME}} |
| **Version** | {{PLUGIN_VERSION}} |
| **Author** | {{PLUGIN_AUTHOR}} |
| **Path** | {{PLUGIN_PATH}} |
| **Auto-discover** | {{AUTO_DISCOVER}} |
| **Commands** | {{CMD_COUNT}} |
| **Agents** | {{AGENT_COUNT}} |
| **Hook events** | {{HOOK_EVENT_COUNT}} |
| **Skills** | {{SKILL_COUNT}} |
| **Knowledge files** | {{KB_COUNT}} ({{KB_LINES}} lines) |
| **Templates** | {{TEMPLATE_COUNT}} |
| **Total files** | {{TOTAL_FILE_COUNT}} |
---
<!-- SECTION: Component Inventory — plugin-audit only -->
## Component Inventory
### Commands
| Name | Allowed Tools | Model | Flags |
|------|---------------|-------|-------|
| {{CMD_ROWS}} |
### Agents
| Name | Tools | Model | Flags |
|------|-------|-------|-------|
| {{AGENT_ROWS}} |
### Hooks
| Event | Matcher | Script | Behavior | Flags |
|-------|---------|--------|----------|-------|
| {{HOOK_ROWS}} |
### Skills
| Name | Reference Files |
|------|----------------|
| {{SKILL_ROWS}} |
---
<!-- SECTION: Permission Matrix — plugin-audit only -->
## Permission Matrix
| Tool | Granted to | Risk Level | Justification Needed |
|------|-----------|------------|---------------------|
| {{PERMISSION_ROWS}} |
**Permission flags:**
| Flag | Components | Assessment |
|------|-----------|------------|
| {{FLAG_ROWS}} |
---
<!-- SECTION: Hook Safety — plugin-audit only -->
## Hook Safety Analysis
**Events intercepted:** {{HOOK_EVENTS}}
| Category | Count | Assessment |
|----------|-------|------------|
| Block hooks | {{BLOCK_HOOKS}} | {{BLOCK_ASSESSMENT}} |
| Warn hooks | {{WARN_HOOKS}} | {{WARN_ASSESSMENT}} |
| State-modifying | {{STATE_HOOKS}} | {{STATE_ASSESSMENT}} |
| Network-calling | {{NET_HOOKS}} | {{NET_ASSESSMENT}} |
| SessionStart | {{SESSION_HOOKS}} | {{SESSION_ASSESSMENT}} |
**Script analysis:**
{{SCRIPT_ANALYSIS}}
---
<!-- SECTION: Trust Verdict — plugin-audit only -->
## Trust Verdict
**Verdict: {{TRUST_VERDICT}}**
| Criterion | Status |
|-----------|--------|
| Zero Critical findings | {{CRIT_CHECK}} |
| Zero High findings | {{HIGH_CHECK}} |
| All hooks transparent | {{HOOK_CHECK}} |
| No state-modifying hooks | {{STATE_CHECK}} |
| No network-calling hooks | {{NET_CHECK}} |
| Permissions justified | {{PERM_CHECK}} |
| No exfiltration patterns | {{EXFIL_CHECK}} |
| No persistence mechanisms | {{PERSIST_CHECK}} |
| No hidden instructions | {{HIDDEN_CHECK}} |
**Verdict rationale:** {{TRUST_RATIONALE}}
---
<!-- SECTION: MCP Landscape — mcp-audit only -->
## MCP Landscape Summary
| Server | Source | Transport | Trust Rating | Critical | High | Medium | Low |
|--------|--------|-----------|--------------|----------|------|--------|-----|
| {{MCP_LANDSCAPE_ROWS}} |
**Overall MCP Risk:** {{MCP_RISK}}
---
<!-- SECTION: Per-Server Analysis — mcp-audit only -->
## Per-Server Analysis
### Server: `{{SERVER_NAME}}`
| Field | Value |
|-------|-------|
| **Transport** | {{TRANSPORT}} |
| **Command/URL** | {{SERVER_CMD}} |
| **Source** | {{SERVER_SOURCE}} |
| **Trust Rating** | {{TRUST_RATING}} |
**Findings:**
| # | Severity | Category | Description | OWASP |
|---|----------|----------|-------------|-------|
| {{SERVER_FINDING_ROWS}} |
**Evidence:**
```
{{SERVER_EVIDENCE}}
```
**Recommendations:**
{{SERVER_RECOMMENDATIONS}}
---
<!-- SECTION: MCP Risk Assessment — mcp-audit only -->
## Overall MCP Risk Assessment
**Risk Rating: {{MCP_RISK}}**
| Criterion | Description |
|-----------|-------------|
| Low | All servers Trusted/Cautious, no High+ findings |
| Medium | Cautious servers with High findings |
| High | Untrusted servers present |
| Critical | Any Dangerous server |
---
<!-- SECTION: Keep/Review/Remove — mcp-audit only -->
## MCP Recommendations
### Keep
{{MCP_KEEP}}
### Review
{{MCP_REVIEW}}
### Remove
{{MCP_REMOVE}}
---
<!-- SECTION: Architecture Overview — threat-model only -->
## Architecture Overview
{{ARCHITECTURE_DIAGRAM}}
---
<!-- SECTION: MAESTRO Mapping — threat-model only -->
## MAESTRO Layer Mapping
| Layer | Components Present | Attack Surface Rating |
|-------|-------------------|----------------------|
| L1 Foundation Models | {{L1_COMPONENTS}} | {{L1_RATING}} |
| L2 Data and Knowledge | {{L2_COMPONENTS}} | {{L2_RATING}} |
| L3 Agent Frameworks | {{L3_COMPONENTS}} | {{L3_RATING}} |
| L4 Tool Integration | {{L4_COMPONENTS}} | {{L4_RATING}} |
| L5 Agent Capabilities | {{L5_COMPONENTS}} | {{L5_RATING}} |
| L6 Multi-Agent Systems | {{L6_COMPONENTS}} | {{L6_RATING}} |
| L7 Ecosystem | {{L7_COMPONENTS}} | {{L7_RATING}} |
---
<!-- SECTION: Threat Catalog — threat-model only -->
## Threat Catalog
### Layer {{LAYER_NUM}} — {{LAYER_NAME}}
#### Threat {{THREAT_ID}}: {{THREAT_TITLE}}
| Field | Value |
|-------|-------|
| STRIDE | {{STRIDE_CAT}} |
| OWASP | {{THREAT_OWASP}} |
| Likelihood | {{LIKELIHOOD}} — {{LIKELIHOOD_RATIONALE}} |
| Impact | {{IMPACT}} — {{IMPACT_RATIONALE}} |
| Risk Score | {{THREAT_RISK_SCORE}} — {{THREAT_PRIORITY}} |
| Wild Exploitation | {{WILD_STATUS}} |
**Attack scenario:** {{ATTACK_SCENARIO}}
**Current control status:** {{CONTROL_STATUS}}
**Recommendation:** {{THREAT_RECOMMENDATION}}
---
<!-- SECTION: Threat Risk Matrix — threat-model only -->
## Threat Risk Matrix
| Threat | Layer | STRIDE | OWASP | Score | Priority |
|--------|-------|--------|-------|-------|----------|
| {{THREAT_MATRIX_ROWS}} |
---
<!-- SECTION: Mitigation Plan — threat-model only -->
## Mitigation Plan
### Critical and High Priority Actions
| # | Threat | Action | Control Type | Effort |
|---|--------|--------|-------------|--------|
| {{MITIGATION_ROWS}} |
### Already Mitigated
| Threat | Control | Evidence |
|--------|---------|---------|
| {{MITIGATED_ROWS}} |
### Accepted Risks
| Threat | Rationale | Owner |
|--------|-----------|-------|
| {{ACCEPTED_ROWS}} |
---
<!-- SECTION: Residual Risk — threat-model only -->
## Residual Risk Summary
{{RESIDUAL_RISK_SUMMARY}}
**Coverage:** {{THREAT_COUNT}} threats across {{LAYER_COUNT}} MAESTRO layers.
**Critical:** {{THREAT_CRIT}} | **High:** {{THREAT_HIGH}} | **Medium:** {{THREAT_MED}} | **Low:** {{THREAT_LOW}}
---
<!-- SECTION: Automated Checks — pre-deploy only -->
## Automated Checks
**Passed: {{PASS_COUNT}}/10**
```
{{CHECK_PROGRESS_BAR}}
```
| # | Check | Status | Detail |
|---|-------|--------|--------|
| 1 | Deny-first permissions | {{CHK1_STATUS}} | {{CHK1_DETAIL}} |
| 2 | Secrets hook active | {{CHK2_STATUS}} | {{CHK2_DETAIL}} |
| 3 | Path guard active | {{CHK3_STATUS}} | {{CHK3_DETAIL}} |
| 4 | Destructive command guard | {{CHK4_STATUS}} | {{CHK4_DETAIL}} |
| 5 | MCP servers verified | {{CHK5_STATUS}} | {{CHK5_DETAIL}} |
| 6 | No hardcoded secrets | {{CHK6_STATUS}} | {{CHK6_DETAIL}} |
| 7 | .gitignore covers secrets | {{CHK7_STATUS}} | {{CHK7_DETAIL}} |
| 8 | CLAUDE.md security docs | {{CHK8_STATUS}} | {{CHK8_DETAIL}} |
| 9 | Sandbox enabled | {{CHK9_STATUS}} | {{CHK9_DETAIL}} |
| 10 | Audit logging configured | {{CHK10_STATUS}} | {{CHK10_DETAIL}} |
---
<!-- SECTION: Manual Verification — pre-deploy only -->
## Manual Verification
- [ ] **Enterprise plan:** {{ENTERPRISE_ANSWER}}
- [ ] **DPIA completed:** {{DPIA_ANSWER}}
- [ ] **Incident response plan:** {{IRP_ANSWER}}
---
<!-- SECTION: Deploy Verdict — pre-deploy only -->
## Deploy Verdict
**{{DEPLOY_VERDICT}}** ({{DEPLOY_RISK_BAND}})
| Pass Count | Risk Band | Verdict |
|-----------|-----------|---------|
| 10/10 | Low | Ready for deployment |
| 8-9/10 | Medium | Nearly ready |
| 6-7/10 | High | Significant gaps |
| 4-5/10 | Critical | Not ready |
| 0-3/10 | Extreme | Deployment blocked |
---
<!-- SECTION: Fix Log — clean only -->
## Fix Summary
| Category | Count |
|----------|-------|
| Auto-fixes applied | {{AUTO_APPLIED}} |
| Semi-auto approved | {{SEMI_APPROVED}} |
| Semi-auto skipped | {{SEMI_SKIPPED}} |
| LLM auto-fixes | {{LLM_AUTO_APPLIED}} |
| LLM semi-auto approved | {{LLM_SEMI_APPROVED}} |
| Manual (reported only) | {{MANUAL_COUNT}} |
| Skipped (historical) | {{HISTORICAL_COUNT}} |
| Failed | {{FAILED_COUNT}} |
| **Total processed** | **{{TOTAL_PROCESSED}}** |
---
<!-- SECTION: Auto/Semi-Auto/Manual — clean only -->
## Auto-Fixes Applied
| Finding ID | File | Operation | Description |
|------------|------|-----------|-------------|
| {{AUTO_FIXES_ROWS}} |
## Semi-Auto Fixes Applied
| Finding ID | File | Change Description | Rationale |
|------------|------|-------------------|-----------|
| {{SEMI_AUTO_APPLIED_ROWS}} |
## Semi-Auto Fixes Skipped
| Finding ID | Proposed Change | User Decision |
|------------|----------------|---------------|
| {{SEMI_AUTO_SKIPPED_ROWS}} |
## Remaining Manual Findings
| Finding ID | Severity | File | Description | Recommendation |
|------------|----------|------|-------------|----------------|
| {{MANUAL_FINDINGS_ROWS}} |
## Skipped (Historical)
| Finding ID | Severity | Commit | Description |
|------------|----------|--------|-------------|
| {{HISTORICAL_ROWS}} |
---
<!-- SECTION: Validation — clean only -->
## Validation Results
| File | Check | Result | Detail |
|------|-------|--------|--------|
| {{VALIDATION_ROWS}} |
## File Modification Log
| File Path | Operations | Validation |
|-----------|-----------|------------|
| {{FILE_MOD_ROWS}} |
---
<!-- SECTION: Rollback — clean only -->
## Rollback
To restore the original (pre-clean) state:
```bash
rm -rf {{TARGET}}
mv {{BACKUP_PATH}} {{TARGET}}
```
> The backup will be removed when you next run `/security clean` on this target.
---
<!-- SECTION: Recommendations — scan, deep-scan, posture, plugin-audit, pre-deploy -->
## Recommendations
| Priority | Finding ID(s) | Action | Effort |
|----------|---------------|--------|--------|
| {{RECOMMENDATION_ROWS}} |
**Quick wins (< 5 min):** {{QUICK_WINS_LIST}}
---
## Footer
| Field | Value |
|-------|-------|
| llm-security version | {{VERSION}} |
| Assessment engine | {{ENGINE}} |
| OWASP references | LLM Top 10 (2025), Agentic AI Top 10 |
| Report generated | {{TIMESTAMP}} |
---
*Generated by llm-security v{{VERSION}}*
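Review bot: the Rollback section runs `rm -rf {{TARGET}}` before `mv {{BACKUP_PATH}} {{TARGET}}`, so nothing confirms the backup exists before the live copy is destroyed; a wrong or stale {{BACKUP_PATH}} (the note right below says the backup is deleted on the next `/security clean`) leaves the user with neither copy. Guard it (`[ -d "{{BACKUP_PATH}}" ] || exit 1` ahead of the rm, or move the target aside first and remove it only after the mv succeeds) and quote both placeholders so paths with spaces survive. The same section is bash-only, which sits oddly next to the commit message's "Windows-ready: ... no bash" claim; a PowerShell or Node equivalent should accompany it. The Grade rules are order-dependent and the comment does not say which rule wins: a target with pass_rate 0.90 and three Critical findings matches C (pass_rate >= 0.56) and F (3+ Critical) simultaneously, so either state that F is evaluated first or carry the zero-Critical condition from A and B down into C and D. The header still reads llm-security v1.4.0 and Scanner Results, Scanner Risk Matrix and Methodology enumerate seven scanners (UNI, ENT, PRM, DEP, TNT, GIT, NET) while this commit ports v5.1.0 with 20 scanners; unless the remaining 13 are added, the matrix TOTAL row ({{CRITICAL}}, {{HIGH}}, ...) will not equal its column sums. OWASP Categorization has rows only for LLM01, LLM02, LLM03 and LLM06, but the Finding Categories list includes Output Handling, which is LLM05 (Improper Output Handling) in the 2025 list the Footer cites, so those findings have no row to land in. Finally, Methodology calls the results "factual and reproducible" and lists the Unicode scanner's limitations as "None", yet the Network scanner does live DNS resolution and the Dependency scanner shells out to npm/pip audit; both answers change with resolver, network and advisory-database state, so mark those two as non-deterministic or cache their inputs, and state the Unicode scanner's actual coverage (which codepoint classes it flags) rather than "None".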