ktg-plugin-marketplace/plugins/llm-security/templates/unified-report.md
Kjell Tore Guttormsen 899cb5c121 fix(llm-security): template — v1 → v2 risk constants + narrative_audit block
Updates the HTML-comment risk-formula reference at lines 55-66 from the
stale v1 sum-and-cap formula to the v2 severity-dominated tiers that
have been authoritative in scanners/lib/severity.mjs since v7.0.0. Adds
a Narrative Audit block inside the Executive Summary section surfacing
summary.narrative_audit.suppressed_findings.{count,by_category} from
the agent's trailing JSON. The block is transparency only — it does
NOT affect risk_score, riskBand, or verdict.

Part of v7.1.1 narrative-coherence patch (plan: .claude/plans/ultraplan-2026-04-29-report-coherence.md).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-29 12:45:28 +02:00


<!--
UNIFIED REPORT TEMPLATE — llm-security v1.4.0
This single template replaces 9 separate report templates. Agents and commands
select which sections to include by setting ANALYSIS_TYPE.
SECTION ACTIVATION TABLE
========================
Section | scan | deep-scan | audit | posture | plugin-audit | mcp-audit | threat-model | pre-deploy | clean
========================== | ==== | ========= | ===== | ======= | ============ | ========= | ============ | ========== | =====
Header | Y | Y | Y | Y | Y | Y | Y | Y | Y
Risk Dashboard | Y | Y | Y | Y | Y | Y | - | Y | Y
Executive Summary | Y | Y | Y | - | Y | Y | - | - | -
System Description | - | - | - | - | - | - | Y | - | -
Overall Score | - | - | - | Y | - | - | - | - | -
Remediation Summary | - | - | - | - | - | - | - | - | Y
Findings by Severity | Y | - | Y | - | Y | - | - | - | -
Findings by OWASP | Y | Y | - | - | - | - | - | - | -
Supply Chain Assessment | Y | - | - | - | - | - | - | - | -
Scanner Breakdown | - | Y | - | - | - | - | - | - | -
Scanner Risk Matrix | - | Y | - | - | - | - | - | - | -
Methodology (scanners) | - | Y | - | - | - | - | - | - | -
Category Assessment | - | - | Y | - | - | - | - | - | -
Risk Matrix (L×I) | - | - | Y | - | - | - | - | - | -
Action Plan | - | - | Y | - | - | - | - | - | -
Positive Findings | - | - | Y | - | - | - | - | - | -
Category Scorecard | - | - | - | Y | - | - | - | - | -
Quick Wins | - | - | - | Y | - | - | - | - | -
Baseline Comparison | - | - | - | Y | - | - | - | - | -
Plugin Metadata | - | - | - | - | Y | - | - | - | -
Component Inventory | - | - | - | - | Y | - | - | - | -
Permission Matrix | - | - | - | - | Y | - | - | - | -
Hook Safety | - | - | - | - | Y | - | - | - | -
Trust Verdict | - | - | - | - | Y | - | - | - | -
MCP Landscape | - | - | - | - | - | Y | - | - | -
Per-Server Analysis | - | - | - | - | - | Y | - | - | -
MCP Risk Assessment | - | - | - | - | - | Y | - | - | -
Keep/Review/Remove | - | - | - | - | - | Y | - | - | -
Architecture Overview | - | - | - | - | - | - | Y | - | -
MAESTRO Mapping | - | - | - | - | - | - | Y | - | -
Threat Catalog | - | - | - | - | - | - | Y | - | -
Threat Risk Matrix | - | - | - | - | - | - | Y | - | -
Mitigation Plan | - | - | - | - | - | - | Y | - | -
Residual Risk | - | - | - | - | - | - | Y | - | -
Automated Checks | - | - | - | - | - | - | - | Y | -
Manual Verification | - | - | - | - | - | - | - | Y | -
Deploy Verdict | - | - | - | - | - | - | - | Y | -
Fix Log | - | - | - | - | - | - | - | - | Y
Auto/Semi-Auto/Manual | - | - | - | - | - | - | - | - | Y
Validation | - | - | - | - | - | - | - | - | Y
Rollback | - | - | - | - | - | - | - | - | Y
Recommendations | Y | Y | - | Y | Y | - | - | Y | -
Footer | Y | Y | Y | Y | Y | Y | Y | Y | Y
RISK SCORING (v2 — severity-dominated, log-scaled, v7.0.0+)
See scanners/lib/severity.mjs riskScore(), verdict(), riskBand() —
this comment block is reference only; severity.mjs is authoritative.
Tiers (riskScore):
critical >= 1 → 70-95 (1=80, 2=86, 4=93, 10=95)
high only → 40-65 (1=48, 5=60, 17=65)
medium only → 15-35 (1=20, 5=28, 50=33)
low only → 1-11 (1=4, 10=11)
none → 0
Bands (riskBand): 0-14 Low, 15-39 Medium, 40-64 High, 65-84 Critical, 85-100 Extreme
Verdict: BLOCK if critical>=1 OR score>=65
WARNING if high>=1 OR score>=15
ALLOW otherwise
Grade (gradeFromPassRate, posture/audit only):
A: pass_rate >= 0.89 AND zero FAIL in cat 1,2,5 AND zero Critical
B: pass_rate >= 0.72 AND zero Critical
C: pass_rate >= 0.56
D: pass_rate >= 0.33
F: pass_rate < 0.33 OR 3+ Critical
FINDING CATEGORIES
Secrets, Injection, Permissions, Supply Chain, MCP Trust,
Destructive, Output Handling, Other
SEVERITY CLASSIFICATION
Critical — Active threat, immediate exploitation risk
High — Significant risk, exploitation likely without mitigation
Medium — Meaningful risk, requires attention
Low — Informational or best-practice gap
Info — Observation, no immediate risk
-->
# {{REPORT_TITLE}}
---
## Header
| Field | Value |
|-------|-------|
| **Report type** | {{ANALYSIS_TYPE}} |
| **Target** | {{TARGET}} |
| **Date** | {{DATE}} |
| **Version** | llm-security v{{VERSION}} |
| **Scope** | {{SCOPE}} |
| **Frameworks** | {{FRAMEWORKS}} |
| **Triggered by** | {{TRIGGER_COMMAND}} |
---
<!-- SECTION: Risk Dashboard — all types except threat-model -->
## Risk Dashboard
| Metric | Value |
|--------|-------|
| **Risk Score** | {{RISK_SCORE}}/100 |
| **Risk Band** | {{RISK_BAND}} |
| **Grade** | {{GRADE}} |
| **Verdict** | {{VERDICT}} |

| Severity | Count |
|----------|------:|
| Critical | {{CRITICAL}} |
| High | {{HIGH}} |
| Medium | {{MEDIUM}} |
| Low | {{LOW}} |
| Info | {{INFO}} |
| **Total** | **{{TOTAL_FINDINGS}}** |
**Verdict rationale:** {{VERDICT_RATIONALE}}
---
<!-- SECTION: Executive Summary — scan, deep-scan, audit, plugin-audit, mcp-audit -->
## Executive Summary
{{EXECUTIVE_SUMMARY}}
<!-- SECTION: Narrative Audit — scan, deep-scan, plugin-audit (transparency only — does NOT adjust verdict) -->
### Narrative Audit
**Suppressed signals:** {{SUPPRESSED_FINDINGS_COUNT}} ({{SUPPRESSED_FINDINGS_BREAKDOWN}})
> Per `summary.narrative_audit.suppressed_findings`. Suppressed signals
> are raw extractor matches (entropy, frontmatter, taint) that the agent
> downgraded after context evaluation (e.g., GLSL keywords, framework
> env-var references, animation markup, SVG inline data URIs). They do
> NOT appear in the Findings sections and do NOT affect risk_score or
> verdict. The category breakdown is for reviewer transparency only.
---
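The RISK SCORING comment at the top of this template and the Narrative Audit block above describe two things the agent fills in: the severity-dominated score, band, verdict and grade, and the suppressed-signal counts that must not feed into any of them. The following is an added worked example, not `scanners/lib/severity.mjs` and not code from the llm-security project. Its `riskBand()`, `verdict()` and `gradeFromPassRate()` implement the thresholds quoted in the comment verbatim; its `riskScore()` is an assumed log-scaled interpolation of the comment's anchor points (one finding lands on the documented value, the count then climbs with log2 up to the tier cap), so it reproduces the critical and low anchors exactly but may differ from the authoritative formula by a point elsewhere. `narrativeAuditFields()` and `renderDashboard()` are hypothetical helpers, and `SAMPLE_SUMMARY` is a constructed summary object, not real scanner output.

```javascript
// Added example for the llm-security report template. NOT scanners/lib/severity.mjs:
// band/verdict/grade rules are the ones quoted in the template's RISK SCORING
// comment; riskScore() is an assumed reconstruction from the comment's anchors.

// Tier anchors from the template: [floor, cap, score for exactly one finding].
const TIERS = {
  critical: [70, 95, 80],
  high:     [40, 65, 48],
  medium:   [15, 35, 20],
  low:      [1, 11, 4],
};

const BANDS = [
  [0, 14, 'Low'], [15, 39, 'Medium'], [40, 64, 'High'],
  [65, 84, 'Critical'], [85, 100, 'Extreme'],
];

// Severity-dominated: the highest non-empty severity picks the tier; the count
// inside that tier is log-scaled up to the cap. Assumption (not severity.mjs):
// the per-tier slope is fixed so that n=1 hits the documented value, which may
// put the score a point off the authoritative formula for larger counts.
function riskScore(counts) {
  for (const sev of ['critical', 'high', 'medium', 'low']) {
    const n = counts[sev] || 0;
    if (n < 1) continue;
    const [floor, cap, one] = TIERS[sev];
    const slope = (one - floor) / (cap - floor);        // fraction reached at n=1
    const frac = Math.min(1, slope * Math.log2(n + 1)); // capped at the tier cap
    return Math.round(floor + (cap - floor) * frac);
  }
  return 0; // no Critical/High/Medium/Low findings: Info alone does not score
}

function riskBand(score) {
  const s = Math.max(0, Math.min(100, Math.round(score)));
  return BANDS.find(([lo, hi]) => s >= lo && s <= hi)[2];
}

// Verdict takes only severity counts and the score: suppressed signals from
// narrative_audit are deliberately not an input, matching the template's note.
function verdict(counts, score) {
  if ((counts.critical || 0) >= 1 || score >= 65) return 'BLOCK';
  if ((counts.high || 0) >= 1 || score >= 15) return 'WARNING';
  return 'ALLOW';
}

// posture/audit only. failedCats lists category numbers whose status is FAIL.
function gradeFromPassRate(passRate, criticalCount, failedCats = []) {
  const gateFail = failedCats.some((c) => [1, 2, 5].includes(c));
  if (criticalCount >= 3) return 'F';
  if (passRate >= 0.89 && !gateFail && criticalCount === 0) return 'A';
  if (passRate >= 0.72 && criticalCount === 0) return 'B';
  if (passRate >= 0.56) return 'C';
  if (passRate >= 0.33) return 'D';
  return 'F';
}

// Fills the Narrative Audit placeholders from summary.narrative_audit in the
// agent's trailing JSON. Tolerates a missing block (older agent output) and
// drops zero-count categories from the breakdown.
function narrativeAuditFields(summary) {
  const sup = summary?.narrative_audit?.suppressed_findings;
  const count = sup?.count ?? 0;
  const byCat = sup?.by_category ?? {};
  const breakdown = Object.entries(byCat)
    .filter(([, n]) => n > 0)
    .sort((a, b) => b[1] - a[1] || a[0].localeCompare(b[0]))
    .map(([cat, n]) => `${cat}: ${n}`)
    .join(', ');
  return {
    SUPPRESSED_FINDINGS_COUNT: String(count),
    SUPPRESSED_FINDINGS_BREAKDOWN: breakdown || 'none',
  };
}

// Constructed sample of an agent's trailing JSON summary (not real scanner output).
const SAMPLE_SUMMARY = {
  critical: 0, high: 1, medium: 3, low: 2, info: 4,
  narrative_audit: {
    suppressed_findings: { count: 7, by_category: { Secrets: 5, Injection: 2, Other: 0 } },
  },
};

// Produces the Risk Dashboard and Narrative Audit placeholder values together.
function renderDashboard(summary) {
  const score = riskScore(summary);
  return {
    RISK_SCORE: score,
    RISK_BAND: riskBand(score),
    VERDICT: verdict(summary, score),
    ...narrativeAuditFields(summary),
  };
}

console.log(renderDashboard(SAMPLE_SUMMARY));
```

Running the sample gives a score of 48 (High, WARNING) and a breakdown of `Secrets: 5, Injection: 2`; stripping `narrative_audit` from the sample changes the two `SUPPRESSED_*` fields and nothing else, which is the property the template's transparency note promises.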
<!-- SECTION: System Description — threat-model only -->
## System Description
{{SYSTEM_DESCRIPTION}}
---
<!-- SECTION: Overall Score — posture only -->
## Overall Score
**{{POSTURE_SCORE}} / {{POSTURE_APPLICABLE}} categories covered (Grade {{GRADE}})**
```
{{PROGRESS_BAR}}
```
**Risk Score:** {{RISK_SCORE}}/100 ({{RISK_BAND}})
**Verdict:** {{POSTURE_VERDICT}}
---
<!-- SECTION: Remediation Summary — clean only -->
## Remediation Summary
> [!{{VERDICT_TYPE}}]
> **Pre-clean:** {{PRE_VERDICT}} ({{PRE_RISK_SCORE}}/100, {{PRE_RISK_BAND}}) — {{PRE_TOTAL_FINDINGS}} findings
> **Post-clean:** {{POST_VERDICT}} ({{POST_RISK_SCORE}}/100, {{POST_RISK_BAND}}) — {{POST_TOTAL_FINDINGS}} findings
> **Risk reduction:** {{RISK_REDUCTION}}%
| Metric | Before | After | Delta |
|--------|--------|-------|-------|
| Risk Score | {{PRE_RISK_SCORE}} | {{POST_RISK_SCORE}} | {{RISK_DELTA}} |
| Total Findings | {{PRE_TOTAL_FINDINGS}} | {{POST_TOTAL_FINDINGS}} | {{FINDINGS_DELTA}} |
| Critical | {{PRE_CRITICAL}} | {{POST_CRITICAL}} | {{CRITICAL_DELTA}} |
| High | {{PRE_HIGH}} | {{POST_HIGH}} | {{HIGH_DELTA}} |
| Medium | {{PRE_MEDIUM}} | {{POST_MEDIUM}} | {{MEDIUM_DELTA}} |
| Low | {{PRE_LOW}} | {{POST_LOW}} | {{LOW_DELTA}} |
---
<!-- SECTION: Findings by Severity — scan, audit, plugin-audit -->
## Findings
Findings sorted Critical → High → Medium → Low → Info.
Finding IDs: `SCN-NNN` (LLM agent) or `DS-XXX-NNN` (deterministic scanner).
### Critical
| ID | Category | File | Line | Description | OWASP |
|----|----------|------|------|-------------|-------|
| {{FINDING_ROW}} |
**{{FINDING_ID}} Detail**
- **Severity:** Critical
- **Category:** {{CATEGORY}}
- **File:** {{FILE}}
- **Line(s):** {{LINE}}
- **OWASP:** {{OWASP_REF}}
- **Description:** {{DESCRIPTION}}
- **Evidence:** {{EVIDENCE}}
- **Remediation:** {{REMEDIATION}}
### High
> Omit if empty.
### Medium
> Omit if empty.
### Low / Info
> Omit if empty.
---
<!-- SECTION: Findings by OWASP — scan, deep-scan -->
## OWASP Categorization
| OWASP Category | Findings | Max Severity | Scanners |
|----------------|----------|-------------|----------|
| LLM01 — Prompt Injection | {{LLM01_COUNT}} | {{LLM01_MAX}} | {{LLM01_SCANNERS}} |
| LLM02 — Sensitive Info Disclosure | {{LLM02_COUNT}} | {{LLM02_MAX}} | {{LLM02_SCANNERS}} |
| LLM03 — Supply Chain | {{LLM03_COUNT}} | {{LLM03_MAX}} | {{LLM03_SCANNERS}} |
| LLM06 — Excessive Agency | {{LLM06_COUNT}} | {{LLM06_MAX}} | {{LLM06_SCANNERS}} |
---
<!-- SECTION: Supply Chain Assessment — scan only -->
## Supply Chain Assessment
| Component | Type | Source | Trust Score | Notes |
|-----------|------|--------|-------------|-------|
| {{SUPPLY_CHAIN_ROW}} |
**Source verification:** {{SOURCE_VERIFICATION}}
**Permissions analysis:**
- Requested tools: {{REQUESTED_TOOLS}}
- Minimum necessary: {{MIN_TOOLS}}
- Over-permissioned: {{OVER_PERMISSIONED}}
**Supply chain risk summary:** {{SUPPLY_CHAIN_SUMMARY}}
---
<!-- SECTION: Scanner Breakdown — deep-scan only -->
## Scanner Results
### 1. Unicode Analysis (UNI)
**Status:** {{UNI_STATUS}} | **Files:** {{UNI_FILES}} | **Findings:** {{UNI_FINDINGS}} | **Time:** {{UNI_DURATION}}ms
{{UNI_DETAILS}}
### 2. Entropy Analysis (ENT)
**Status:** {{ENT_STATUS}} | **Files:** {{ENT_FILES}} | **Findings:** {{ENT_FINDINGS}} | **Time:** {{ENT_DURATION}}ms
{{ENT_DETAILS}}
### 3. Permission Mapping (PRM)
**Status:** {{PRM_STATUS}} | **Files:** {{PRM_FILES}} | **Findings:** {{PRM_FINDINGS}} | **Time:** {{PRM_DURATION}}ms
{{PRM_DETAILS}}
### 4. Dependency Audit (DEP)
**Status:** {{DEP_STATUS}} | **Files:** {{DEP_FILES}} | **Findings:** {{DEP_FINDINGS}} | **Time:** {{DEP_DURATION}}ms
{{DEP_DETAILS}}
### 5. Taint Tracing (TNT)
**Status:** {{TNT_STATUS}} | **Files:** {{TNT_FILES}} | **Findings:** {{TNT_FINDINGS}} | **Time:** {{TNT_DURATION}}ms
{{TNT_DETAILS}}
### 6. Git Forensics (GIT)
**Status:** {{GIT_STATUS}} | **Files:** {{GIT_FILES}} | **Findings:** {{GIT_FINDINGS}} | **Time:** {{GIT_DURATION}}ms
{{GIT_DETAILS}}
### 7. Network Mapping (NET)
**Status:** {{NET_STATUS}} | **Files:** {{NET_FILES}} | **Findings:** {{NET_FINDINGS}} | **Time:** {{NET_DURATION}}ms
{{NET_DETAILS}}
---
<!-- SECTION: Scanner Risk Matrix — deep-scan only -->
## Scanner Risk Matrix
| Scanner | CRITICAL | HIGH | MEDIUM | LOW | INFO |
|---------|----------|------|--------|-----|------|
| Unicode (UNI) | {{UNI_C}} | {{UNI_H}} | {{UNI_M}} | {{UNI_L}} | {{UNI_I}} |
| Entropy (ENT) | {{ENT_C}} | {{ENT_H}} | {{ENT_M}} | {{ENT_L}} | {{ENT_I}} |
| Permission (PRM) | {{PRM_C}} | {{PRM_H}} | {{PRM_M}} | {{PRM_L}} | {{PRM_I}} |
| Dependency (DEP) | {{DEP_C}} | {{DEP_H}} | {{DEP_M}} | {{DEP_L}} | {{DEP_I}} |
| Taint (TNT) | {{TNT_C}} | {{TNT_H}} | {{TNT_M}} | {{TNT_L}} | {{TNT_I}} |
| Git (GIT) | {{GIT_C}} | {{GIT_H}} | {{GIT_M}} | {{GIT_L}} | {{GIT_I}} |
| Network (NET) | {{NET_C}} | {{NET_H}} | {{NET_M}} | {{NET_L}} | {{NET_I}} |
| **TOTAL** | **{{CRITICAL}}** | **{{HIGH}}** | **{{MEDIUM}}** | **{{LOW}}** | **{{INFO}}** |
---
<!-- SECTION: Methodology — deep-scan only -->
## Methodology
7 deterministic Node.js scanners (zero external dependencies). Results are factual and reproducible.
| Scanner | Algorithm | Limitations |
|---------|-----------|-------------|
| Unicode | Codepoint iteration, Tag decoding | None — deterministic |
| Entropy | Shannon H per string literal | FP on knowledge files, data URIs |
| Permission | Frontmatter parsing, cross-reference | Claude Code plugins only |
| Dependency | npm/pip audit, Levenshtein | Requires package manager CLI |
| Taint | Regex variable tracking, 3-pass | ~70% recall, no AST, no cross-file |
| Git | History analysis, reflog, diff | Max 500 commits, 15s timeout |
| Network | URL extraction, DNS resolution | Max 50 DNS lookups, 3s timeout |
---
<!-- SECTION: Category Assessment — audit only -->
## Category Assessment
### Category 1 — Deny-First Configuration
| Status | {{CAT1_STATUS}} |
|--------|----------------|
**Evidence:**
{{CAT1_EVIDENCE}}
**Recommendations:**
{{CAT1_RECOMMENDATIONS}}
---
### Category 2 — Secrets Protection
| Status | {{CAT2_STATUS}} |
|--------|----------------|
**Evidence:**
{{CAT2_EVIDENCE}}
**Recommendations:**
{{CAT2_RECOMMENDATIONS}}
---
### Category 3 — Path Guarding
| Status | {{CAT3_STATUS}} |
|--------|----------------|
**Evidence:**
{{CAT3_EVIDENCE}}
**Recommendations:**
{{CAT3_RECOMMENDATIONS}}
---
### Category 4 — MCP Server Trust
| Status | {{CAT4_STATUS}} |
|--------|----------------|
**Evidence:**
{{CAT4_EVIDENCE}}
**Recommendations:**
{{CAT4_RECOMMENDATIONS}}
---
### Category 5 — Destructive Command Blocking
| Status | {{CAT5_STATUS}} |
|--------|----------------|
**Evidence:**
{{CAT5_EVIDENCE}}
**Recommendations:**
{{CAT5_RECOMMENDATIONS}}
---
### Category 6 — Sandbox Configuration
| Status | {{CAT6_STATUS}} |
|--------|----------------|
**Evidence:**
{{CAT6_EVIDENCE}}
**Recommendations:**
{{CAT6_RECOMMENDATIONS}}
---
### Category 7 — Human Review Requirements
| Status | {{CAT7_STATUS}} |
|--------|----------------|
**Evidence:**
{{CAT7_EVIDENCE}}
**Recommendations:**
{{CAT7_RECOMMENDATIONS}}
---
### Category 8 — Skill and Plugin Sources
| Status | {{CAT8_STATUS}} |
|--------|----------------|
**Evidence:**
{{CAT8_EVIDENCE}}
**Recommendations:**
{{CAT8_RECOMMENDATIONS}}
---
### Category 9 — Session Isolation
| Status | {{CAT9_STATUS}} |
|--------|----------------|
**Evidence:**
{{CAT9_EVIDENCE}}
**Recommendations:**
{{CAT9_RECOMMENDATIONS}}
---
<!-- SECTION: Risk Matrix (L×I) — audit only -->
## Risk Matrix
```
                      LIKELIHOOD
               Low          Medium         High
          +------------+------------+------------+
   High   |            |            |            |
IMPACT    +------------+------------+------------+
   Med    |            |            |            |
          +------------+------------+------------+
   Low    |            |            |            |
          +------------+------------+------------+
```
---
<!-- SECTION: Action Plan — audit only -->
## Prioritized Action Plan
| # | Priority | Action | Finding | Effort | Risk if Deferred |
|---|----------|--------|---------|--------|------------------|
| {{ACTION_ROWS}} |
---
<!-- SECTION: Positive Findings — audit only -->
## Positive Findings
- **{{CONTROL_NAME}}** — {{CONTROL_DESCRIPTION}}
---
<!-- SECTION: Category Scorecard — posture only -->
## Category Scorecard
| # | Category | Status | Notes |
|---|----------|--------|-------|
| 1 | Deny-First Configuration | {{CAT1_INDICATOR}} | {{CAT1_NOTES}} |
| 2 | Secrets Protection | {{CAT2_INDICATOR}} | {{CAT2_NOTES}} |
| 3 | Path Guarding | {{CAT3_INDICATOR}} | {{CAT3_NOTES}} |
| 4 | MCP Server Trust | {{CAT4_INDICATOR}} | {{CAT4_NOTES}} |
| 5 | Destructive Command Blocking | {{CAT5_INDICATOR}} | {{CAT5_NOTES}} |
| 6 | Sandbox Configuration | {{CAT6_INDICATOR}} | {{CAT6_NOTES}} |
| 7 | Human Review Requirements | {{CAT7_INDICATOR}} | {{CAT7_NOTES}} |
| 8 | Skill and Plugin Sources | {{CAT8_INDICATOR}} | {{CAT8_NOTES}} |
| 9 | Session Isolation | {{CAT9_INDICATOR}} | {{CAT9_NOTES}} |
Status indicators: COVERED / PARTIAL / GAP / N/A
### Category Detail
{{CATEGORY_DETAIL}}
---
<!-- SECTION: Quick Wins — posture only -->
## Quick Wins
- [ ] {{QUICK_WIN}}
> If none: "No quick wins identified — improvements require architectural changes."
---
<!-- SECTION: Baseline Comparison — posture only -->
## Baseline Comparison
| Category | Fully Secured | This Project |
|----------|--------------|--------------|
| Deny-First Configuration | `defaultPermissionLevel: deny` | {{CAT1_CURRENT}} |
| Secrets Protection | Hook active + .env gitignored + no secrets | {{CAT2_CURRENT}} |
| Path Guarding | `pre-write-pathguard` blocks sensitive paths | {{CAT3_CURRENT}} |
| MCP Server Trust | All verified, minimal scope, auth required | {{CAT4_CURRENT}} |
| Destructive Command Blocking | `pre-bash-destructive` with comprehensive patterns | {{CAT5_CURRENT}} |
| Sandbox Configuration | Network/filesystem scoped to project | {{CAT6_CURRENT}} |
| Human Review Requirements | Confirmation gates on irreversible operations | {{CAT7_CURRENT}} |
| Skill and Plugin Sources | All verified sources, minimal permissions | {{CAT8_CURRENT}} |
| Session Isolation | No cross-session leakage, minimal context | {{CAT9_CURRENT}} |
**Gap summary:** {{GAP_SUMMARY}}
---
<!-- SECTION: Plugin Metadata — plugin-audit only -->
## Plugin Metadata
| Field | Value |
|-------|-------|
| **Plugin** | {{PLUGIN_NAME}} |
| **Version** | {{PLUGIN_VERSION}} |
| **Author** | {{PLUGIN_AUTHOR}} |
| **Path** | {{PLUGIN_PATH}} |
| **Auto-discover** | {{AUTO_DISCOVER}} |
| **Commands** | {{CMD_COUNT}} |
| **Agents** | {{AGENT_COUNT}} |
| **Hook events** | {{HOOK_EVENT_COUNT}} |
| **Skills** | {{SKILL_COUNT}} |
| **Knowledge files** | {{KB_COUNT}} ({{KB_LINES}} lines) |
| **Templates** | {{TEMPLATE_COUNT}} |
| **Total files** | {{TOTAL_FILE_COUNT}} |
---
<!-- SECTION: Component Inventory — plugin-audit only -->
## Component Inventory
### Commands
| Name | Allowed Tools | Model | Flags |
|------|---------------|-------|-------|
| {{CMD_ROWS}} |
### Agents
| Name | Tools | Model | Flags |
|------|-------|-------|-------|
| {{AGENT_ROWS}} |
### Hooks
| Event | Matcher | Script | Behavior | Flags |
|-------|---------|--------|----------|-------|
| {{HOOK_ROWS}} |
### Skills
| Name | Reference Files |
|------|----------------|
| {{SKILL_ROWS}} |
---
<!-- SECTION: Permission Matrix — plugin-audit only -->
## Permission Matrix
| Tool | Granted to | Risk Level | Justification Needed |
|------|-----------|------------|---------------------|
| {{PERMISSION_ROWS}} |
**Permission flags:**
| Flag | Components | Assessment |
|------|-----------|------------|
| {{FLAG_ROWS}} |
---
<!-- SECTION: Hook Safety — plugin-audit only -->
## Hook Safety Analysis
**Events intercepted:** {{HOOK_EVENTS}}
| Category | Count | Assessment |
|----------|-------|------------|
| Block hooks | {{BLOCK_HOOKS}} | {{BLOCK_ASSESSMENT}} |
| Warn hooks | {{WARN_HOOKS}} | {{WARN_ASSESSMENT}} |
| State-modifying | {{STATE_HOOKS}} | {{STATE_ASSESSMENT}} |
| Network-calling | {{NET_HOOKS}} | {{NET_ASSESSMENT}} |
| SessionStart | {{SESSION_HOOKS}} | {{SESSION_ASSESSMENT}} |
**Script analysis:**
{{SCRIPT_ANALYSIS}}
---
<!-- SECTION: Trust Verdict — plugin-audit only -->
## Trust Verdict
**Verdict: {{TRUST_VERDICT}}**
| Criterion | Status |
|-----------|--------|
| Zero Critical findings | {{CRIT_CHECK}} |
| Zero High findings | {{HIGH_CHECK}} |
| All hooks transparent | {{HOOK_CHECK}} |
| No state-modifying hooks | {{STATE_CHECK}} |
| No network-calling hooks | {{NET_CHECK}} |
| Permissions justified | {{PERM_CHECK}} |
| No exfiltration patterns | {{EXFIL_CHECK}} |
| No persistence mechanisms | {{PERSIST_CHECK}} |
| No hidden instructions | {{HIDDEN_CHECK}} |
**Verdict rationale:** {{TRUST_RATIONALE}}
---
<!-- SECTION: MCP Landscape — mcp-audit only -->
## MCP Landscape Summary
| Server | Source | Transport | Trust Rating | Critical | High | Medium | Low |
|--------|--------|-----------|--------------|----------|------|--------|-----|
| {{MCP_LANDSCAPE_ROWS}} |
**Overall MCP Risk:** {{MCP_RISK}}
---
<!-- SECTION: Per-Server Analysis — mcp-audit only -->
## Per-Server Analysis
### Server: `{{SERVER_NAME}}`
| Field | Value |
|-------|-------|
| **Transport** | {{TRANSPORT}} |
| **Command/URL** | {{SERVER_CMD}} |
| **Source** | {{SERVER_SOURCE}} |
| **Trust Rating** | {{TRUST_RATING}} |
**Findings:**
| # | Severity | Category | Description | OWASP |
|---|----------|----------|-------------|-------|
| {{SERVER_FINDING_ROWS}} |
**Evidence:**
```
{{SERVER_EVIDENCE}}
```
**Recommendations:**
{{SERVER_RECOMMENDATIONS}}
---
<!-- SECTION: MCP Risk Assessment — mcp-audit only -->
## Overall MCP Risk Assessment
**Risk Rating: {{MCP_RISK}}**
| Criterion | Description |
|-----------|-------------|
| Low | All servers Trusted/Cautious, no High+ findings |
| Medium | Cautious servers with High findings |
| High | Untrusted servers present |
| Critical | Any Dangerous server |
---
<!-- SECTION: Keep/Review/Remove — mcp-audit only -->
## MCP Recommendations
### Keep
{{MCP_KEEP}}
### Review
{{MCP_REVIEW}}
### Remove
{{MCP_REMOVE}}
---
<!-- SECTION: Architecture Overview — threat-model only -->
## Architecture Overview
{{ARCHITECTURE_DIAGRAM}}
---
<!-- SECTION: MAESTRO Mapping — threat-model only -->
## MAESTRO Layer Mapping
| Layer | Components Present | Attack Surface Rating |
|-------|-------------------|----------------------|
| L1 Foundation Models | {{L1_COMPONENTS}} | {{L1_RATING}} |
| L2 Data and Knowledge | {{L2_COMPONENTS}} | {{L2_RATING}} |
| L3 Agent Frameworks | {{L3_COMPONENTS}} | {{L3_RATING}} |
| L4 Tool Integration | {{L4_COMPONENTS}} | {{L4_RATING}} |
| L5 Agent Capabilities | {{L5_COMPONENTS}} | {{L5_RATING}} |
| L6 Multi-Agent Systems | {{L6_COMPONENTS}} | {{L6_RATING}} |
| L7 Ecosystem | {{L7_COMPONENTS}} | {{L7_RATING}} |
---
<!-- SECTION: Threat Catalog — threat-model only -->
## Threat Catalog
### Layer {{LAYER_NUM}} — {{LAYER_NAME}}
#### Threat {{THREAT_ID}}: {{THREAT_TITLE}}
| Field | Value |
|-------|-------|
| STRIDE | {{STRIDE_CAT}} |
| OWASP | {{THREAT_OWASP}} |
| Likelihood | {{LIKELIHOOD}} — {{LIKELIHOOD_RATIONALE}} |
| Impact | {{IMPACT}} — {{IMPACT_RATIONALE}} |
| Risk Score | {{THREAT_RISK_SCORE}} — {{THREAT_PRIORITY}} |
| Wild Exploitation | {{WILD_STATUS}} |
**Attack scenario:** {{ATTACK_SCENARIO}}
**Current control status:** {{CONTROL_STATUS}}
**Recommendation:** {{THREAT_RECOMMENDATION}}
---
<!-- SECTION: Threat Risk Matrix — threat-model only -->
## Threat Risk Matrix
| Threat | Layer | STRIDE | OWASP | Score | Priority |
|--------|-------|--------|-------|-------|----------|
| {{THREAT_MATRIX_ROWS}} |
---
<!-- SECTION: Mitigation Plan — threat-model only -->
## Mitigation Plan
### Critical and High Priority Actions
| # | Threat | Action | Control Type | Effort |
|---|--------|--------|-------------|--------|
| {{MITIGATION_ROWS}} |
### Already Mitigated
| Threat | Control | Evidence |
|--------|---------|---------|
| {{MITIGATED_ROWS}} |
### Accepted Risks
| Threat | Rationale | Owner |
|--------|-----------|-------|
| {{ACCEPTED_ROWS}} |
---
<!-- SECTION: Residual Risk — threat-model only -->
## Residual Risk Summary
{{RESIDUAL_RISK_SUMMARY}}
**Coverage:** {{THREAT_COUNT}} threats across {{LAYER_COUNT}} MAESTRO layers.
**Critical:** {{THREAT_CRIT}} | **High:** {{THREAT_HIGH}} | **Medium:** {{THREAT_MED}} | **Low:** {{THREAT_LOW}}
---
<!-- SECTION: Automated Checks — pre-deploy only -->
## Automated Checks
**Passed: {{PASS_COUNT}}/10**
```
{{CHECK_PROGRESS_BAR}}
```
| # | Check | Status | Detail |
|---|-------|--------|--------|
| 1 | Deny-first permissions | {{CHK1_STATUS}} | {{CHK1_DETAIL}} |
| 2 | Secrets hook active | {{CHK2_STATUS}} | {{CHK2_DETAIL}} |
| 3 | Path guard active | {{CHK3_STATUS}} | {{CHK3_DETAIL}} |
| 4 | Destructive command guard | {{CHK4_STATUS}} | {{CHK4_DETAIL}} |
| 5 | MCP servers verified | {{CHK5_STATUS}} | {{CHK5_DETAIL}} |
| 6 | No hardcoded secrets | {{CHK6_STATUS}} | {{CHK6_DETAIL}} |
| 7 | .gitignore covers secrets | {{CHK7_STATUS}} | {{CHK7_DETAIL}} |
| 8 | CLAUDE.md security docs | {{CHK8_STATUS}} | {{CHK8_DETAIL}} |
| 9 | Sandbox enabled | {{CHK9_STATUS}} | {{CHK9_DETAIL}} |
| 10 | Audit logging configured | {{CHK10_STATUS}} | {{CHK10_DETAIL}} |
---
<!-- SECTION: Manual Verification — pre-deploy only -->
## Manual Verification
- [ ] **Enterprise plan:** {{ENTERPRISE_ANSWER}}
- [ ] **DPIA completed:** {{DPIA_ANSWER}}
- [ ] **Incident response plan:** {{IRP_ANSWER}}
---
<!-- SECTION: Deploy Verdict — pre-deploy only -->
## Deploy Verdict
**{{DEPLOY_VERDICT}}** ({{DEPLOY_RISK_BAND}})
| Pass Count | Risk Band | Verdict |
|-----------|-----------|---------|
| 10/10 | Low | Ready for deployment |
| 8-9/10 | Medium | Nearly ready |
| 6-7/10 | High | Significant gaps |
| 4-5/10 | Critical | Not ready |
| 0-3/10 | Extreme | Deployment blocked |
---
<!-- SECTION: Fix Log — clean only -->
## Fix Summary
| Category | Count |
|----------|-------|
| Auto-fixes applied | {{AUTO_APPLIED}} |
| Semi-auto approved | {{SEMI_APPROVED}} |
| Semi-auto skipped | {{SEMI_SKIPPED}} |
| LLM auto-fixes | {{LLM_AUTO_APPLIED}} |
| LLM semi-auto approved | {{LLM_SEMI_APPROVED}} |
| Manual (reported only) | {{MANUAL_COUNT}} |
| Skipped (historical) | {{HISTORICAL_COUNT}} |
| Failed | {{FAILED_COUNT}} |
| **Total processed** | **{{TOTAL_PROCESSED}}** |
---
<!-- SECTION: Auto/Semi-Auto/Manual — clean only -->
## Auto-Fixes Applied
| Finding ID | File | Operation | Description |
|------------|------|-----------|-------------|
| {{AUTO_FIXES_ROWS}} |
## Semi-Auto Fixes Applied
| Finding ID | File | Change Description | Rationale |
|------------|------|-------------------|-----------|
| {{SEMI_AUTO_APPLIED_ROWS}} |
## Semi-Auto Fixes Skipped
| Finding ID | Proposed Change | User Decision |
|------------|----------------|---------------|
| {{SEMI_AUTO_SKIPPED_ROWS}} |
## Remaining Manual Findings
| Finding ID | Severity | File | Description | Recommendation |
|------------|----------|------|-------------|----------------|
| {{MANUAL_FINDINGS_ROWS}} |
## Skipped (Historical)
| Finding ID | Severity | Commit | Description |
|------------|----------|--------|-------------|
| {{HISTORICAL_ROWS}} |
---
<!-- SECTION: Validation — clean only -->
## Validation Results
| File | Check | Result | Detail |
|------|-------|--------|--------|
| {{VALIDATION_ROWS}} |
## File Modification Log
| File Path | Operations | Validation |
|-----------|-----------|------------|
| {{FILE_MOD_ROWS}} |
---
<!-- SECTION: Rollback — clean only -->
## Rollback
To restore the original (pre-clean) state:
```bash
rm -rf {{TARGET}}
mv {{BACKUP_PATH}} {{TARGET}}
```
> The backup will be removed when you next run `/security clean` on this target.
---
<!-- SECTION: Recommendations — scan, deep-scan, posture, plugin-audit, pre-deploy -->
## Recommendations
| Priority | Finding ID(s) | Action | Effort |
|----------|---------------|--------|--------|
| {{RECOMMENDATION_ROWS}} |
**Quick wins (< 5 min):** {{QUICK_WINS_LIST}}
---
## Footer
| Field | Value |
|-------|-------|
| llm-security version | {{VERSION}} |
| Assessment engine | {{ENGINE}} |
| OWASP references | LLM Top 10 (2025), Agentic AI Top 10 |
| Report generated | {{TIMESTAMP}} |
---
*Generated by llm-security v{{VERSION}}*