From 9fa89d611102234105b4302ed45d38aff6e28f07 Mon Sep 17 00:00:00 2001 From: Kjell Tore Guttormsen Date: Fri, 10 Apr 2026 14:03:10 +0200 Subject: [PATCH] =?UTF-8?q?chore(release):=20bump=20to=20v6.0.0=20?= =?UTF-8?q?=E2=80=94=20CAISS-readiness=20release=20with=20compliance,=20go?= =?UTF-8?q?vernance,=20CLI?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-Authored-By: Claude Opus 4.6 --- .claude-plugin/plugin.json | 2 +- CHANGELOG.md | 20 ++++++++++++++++++ CLAUDE.md | 23 +++++++++++++++----- README.md | 35 +++++++++++++++++++++++++++---- scanners/dashboard-aggregator.mjs | 2 +- 5 files changed, 71 insertions(+), 11 deletions(-) diff --git a/.claude-plugin/plugin.json b/.claude-plugin/plugin.json index 3cb251c..54ad24f 100644 --- a/.claude-plugin/plugin.json +++ b/.claude-plugin/plugin.json @@ -1,5 +1,5 @@ { "name": "llm-security", "description": "Security scanning, auditing, and threat modeling for Claude Code projects. Detects secrets, validates MCP servers, assesses security posture, and generates threat models aligned with OWASP LLM Top 10.", - "version": "5.1.0" + "version": "6.0.0" } diff --git a/CHANGELOG.md b/CHANGELOG.md index ecec23e..26b3de8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,26 @@ All notable changes to the LLM Security Plugin are documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/). +## [6.0.0] - 2026-04-10 + +### Added +- **Compliance mapping** — `knowledge/compliance-mapping.md` maps plugin capabilities to EU AI Act (Art. 9, 15, 17), NIST AI RMF (Map, Measure, Manage, Govern), ISO 42001 (Annex A), and MITRE ATLAS techniques (AML.T IDs) +- **Norwegian regulatory context** — `knowledge/norwegian-context.md` covers Datatilsynet (DPIA for AI), NSM (basic security principles), and Digitaliseringsdirektoratet guidance +- **SARIF 2.1.0 output** — `scanners/lib/sarif-formatter.mjs` converts scan output to OASIS SARIF standard format. Use `--format sarif` with scan/deep-scan commands +- **Structured audit trail** — `scanners/lib/audit-trail.mjs` writes JSONL audit events with ISO 8601 timestamps, OWASP category tags, and SIEM-ready schema. Configurable via `LLM_SECURITY_AUDIT_*` env vars +- **AI-BOM generator** — `scanners/ai-bom-generator.mjs` + `scanners/lib/bom-builder.mjs` produce CycloneDX 1.6 Bills of Materials for AI components (models, MCP servers, plugins, knowledge, hooks) +- **Policy-as-code** — `scanners/lib/policy-loader.mjs` reads `.llm-security/policy.json` for distributable hook configuration. Integrated into all 8 hooks. Env vars always take precedence +- **Standalone CLI** — `bin/llm-security.mjs` provides `npx llm-security` entry point. Subcommands: `scan`, `deep-scan`, `posture`, `audit-bom`, `benchmark` +- **Posture compliance categories** — 3 new posture categories (14: EU AI Act, 15: NIST AI RMF, 16: ISO 42001). Advisory only — do not affect Grade A threshold +- **Attack simulator benchmark mode** — `--benchmark` flag outputs structured pass/fail metrics for CI integration + +### Changed +- Version bump: 5.1.0 → 6.0.0 across all files +- Knowledge base expanded from 13 to 15 files +- Scanner count: 15 → 16 (AI-BOM generator added) +- Posture scanner: 13 → 16 categories +- All hooks now read policy from `.llm-security/policy.json` (backward-compatible — defaults match hardcoded values) + ## [5.1.0] - 2026-04-07 ### Added diff --git a/CLAUDE.md b/CLAUDE.md index 59f56f1..c48f62e 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -1,6 +1,6 @@ -# LLM Security Plugin (v5.1.0) +# LLM Security Plugin (v6.0.0) -Security scanning, auditing, and threat modeling for Claude Code projects. 5 frameworks: OWASP LLM Top 10, Agentic AI Top 10 (ASI), Skills Top 10 (AST), MCP Top 10, AI Agent Traps (DeepMind). 1147 tests. +Security scanning, auditing, and threat modeling for Claude Code projects. 5 frameworks: OWASP LLM Top 10, Agentic AI Top 10 (ASI), Skills Top 10 (AST), MCP Top 10, AI Agent Traps (DeepMind). 1242+ tests. ## Commands @@ -77,7 +77,11 @@ Memory-poisoning (MEM) detects cognitive state poisoning in CLAUDE.md, memory fi Toxic-flow (TFA) is a post-processing correlator that runs LAST — detects "lethal trifecta" (untrusted input + sensitive data access + exfiltration sink) by correlating output from prior scanners. Utility: `node scanners/lib/fs-utils.mjs [args]`. -**Standalone (5):** `posture-scanner.mjs` — deterministic posture assessment, 13 categories, <50ms. NOT in scan-orchestrator (meta-level, not code-level). +Lib: `sarif-formatter.mjs` — converts scan output to OASIS SARIF 2.1.0 format. Used by `--format sarif` flag. +Lib: `audit-trail.mjs` — writes structured JSONL audit events (ISO 8601, OWASP tags, SIEM-ready). Env: `LLM_SECURITY_AUDIT_*`. +Lib: `policy-loader.mjs` — reads `.llm-security/policy.json` for distributable hook configuration. Defaults match hardcoded values. + +**Standalone (7):** `posture-scanner.mjs` — deterministic posture assessment, 16 categories (incl. EU AI Act, NIST AI RMF, ISO 42001), <50ms. NOT in scan-orchestrator (meta-level, not code-level). Run: `node scanners/posture-scanner.mjs [path]` → JSON stdout. Scanner prefix: PST. Used by `/security posture` and `/security audit`. `mcp-live-inspect.mjs` — NOT in scan-orchestrator. MCP servers are running processes, not files. Run: `node scanners/mcp-live-inspect.mjs [target] [--timeout 10000] [--skip-global]` @@ -86,7 +90,8 @@ Scanner prefix: MCI. OWASP: MCP03, MCP06, MCP09. Invoked by `mcp-inspect` and `m `reference-config-generator.mjs` — generates Grade A reference config based on posture gaps. Detects project type (plugin/monorepo/standalone). Templates in `templates/reference-config/`. Run: `node scanners/reference-config-generator.mjs [path] [--apply]` `dashboard-aggregator.mjs` — cross-project security dashboard. Discovers Claude Code projects under ~/ (depth 3) and ~/.claude/plugins/, runs posture-scanner on each, aggregates to machine-grade (weakest link). Cache in `~/.cache/llm-security/dashboard-latest.json` (24h staleness). Run: `node scanners/dashboard-aggregator.mjs [--no-cache] [--max-depth N]` -`attack-simulator.mjs` — red-team harness. Data-driven: 64 scenarios in 12 categories from `knowledge/attack-scenarios.json`. Payloads constructed at runtime (fragment assembly to avoid triggering hooks on source). Uses `runHook()` from test helper. Adaptive mode (`--adaptive`): 5 mutation rounds per passing scenario (homoglyph, encoding, zero-width, case alternation, synonym). Mutation rules in `knowledge/attack-mutations.json`. Run: `node scanners/attack-simulator.mjs [--category ] [--json] [--verbose] [--adaptive]` +`attack-simulator.mjs` — red-team harness. Data-driven: 64 scenarios in 12 categories from `knowledge/attack-scenarios.json`. Payloads constructed at runtime (fragment assembly to avoid triggering hooks on source). Uses `runHook()` from test helper. Adaptive mode (`--adaptive`): 5 mutation rounds per passing scenario (homoglyph, encoding, zero-width, case alternation, synonym). Mutation rules in `knowledge/attack-mutations.json`. Benchmark mode (`--benchmark`): outputs structured pass/fail metrics. Run: `node scanners/attack-simulator.mjs [--category ] [--json] [--verbose] [--adaptive] [--benchmark]` +`ai-bom-generator.mjs` — AI Bill of Materials generator. Discovers AI components (models, MCP servers, plugins, knowledge, hooks) and outputs CycloneDX 1.6 JSON. Scanner prefix: BOM. Run: `node scanners/ai-bom-generator.mjs [--output-file ]` ## Token Budget (ENFORCED) @@ -99,7 +104,13 @@ All commands total ~600 lines. All commands use registered subagent types. - Agents run sequentially to avoid burst rate limits - `pre-install-supply-chain.mjs` queries OSV.dev for CVEs on every package install -## Knowledge Files (13) +## CLI + +`bin/llm-security.mjs` — standalone CLI entry point. Works without Claude Code via `npx llm-security` or `node bin/llm-security.mjs`. +Subcommands: `scan`, `deep-scan`, `posture`, `audit-bom`, `benchmark`. Dispatches to scanner scripts via `child_process.spawn`. +`package.json` `bin` field: `"llm-security": "./bin/llm-security.mjs"`. + +## Knowledge Files (15) | File | Content | |------|---------| @@ -116,6 +127,8 @@ All commands total ~600 lines. All commands use registered subagent types. | `deepmind-agent-traps.md` | DeepMind AI Agent Traps — 6 categories, 43 techniques, coverage matrix | | `attack-scenarios.json` | 64 red-team scenarios across 12 categories for attack simulation | | `attack-mutations.json` | Synonym tables and mutation rules for adaptive red-team testing | +| `compliance-mapping.md` | EU AI Act, NIST AI RMF, ISO 42001, MITRE ATLAS mappings to plugin capabilities | +| `norwegian-context.md` | Norwegian regulatory landscape — Datatilsynet, NSM, Digitaliseringsdirektoratet | ## Reports diff --git a/README.md b/README.md index 3c61117..efdf0c2 100644 --- a/README.md +++ b/README.md @@ -4,12 +4,12 @@ *Built for my own Claude Code workflow and shared openly for anyone who finds it useful. This is a solo project — bug reports and feature requests are welcome, but pull requests are not accepted.* -![Version](https://img.shields.io/badge/version-5.1.0-blue) +![Version](https://img.shields.io/badge/version-6.0.0-blue) ![Platform](https://img.shields.io/badge/platform-Claude_Code_Plugin-purple) ![Agents](https://img.shields.io/badge/agents-6-orange) -![Scanners](https://img.shields.io/badge/scanners-15-cyan) +![Scanners](https://img.shields.io/badge/scanners-16-cyan) ![Hooks](https://img.shields.io/badge/hooks-8-red) -![Knowledge](https://img.shields.io/badge/knowledge_docs-13-green) +![Knowledge](https://img.shields.io/badge/knowledge_docs-15-green) ![License](https://img.shields.io/badge/license-MIT-lightgrey) A Claude Code plugin that provides security scanning, auditing, and threat modeling for agentic AI projects. Built on [OWASP LLM Top 10 (2025)](https://genai.owasp.org/llm-top-10/), [OWASP Agentic AI Top 10](https://genai.owasp.org/agentic-ai/), and the [AI Agent Traps](https://papers.ssrn.com/sol3/papers.cfm?abstract_id=6372438) taxonomy (Google DeepMind, 2025), with threat intelligence from ToxicSkills, ClawHavoc, MCPTox, Pillar Security, Invariant Labs, and Operant AI research. @@ -404,7 +404,7 @@ All hooks are Node.js (`.mjs`) for cross-platform compatibility (macOS, Linux, W ## Knowledge Base -9 research-backed reference files grounding all analysis in published threat intelligence: +15 research-backed reference files grounding all analysis in published threat intelligence: | File | Scope | |------|-------| @@ -417,12 +417,38 @@ All hooks are Node.js (`.mjs`) for cross-platform compatibility (macOS, Linux, W | `mitigation-matrix.md` | OWASP LLM Top 10 → Claude Code control mapping with verification checks and coverage scores | | `top-packages.json` | Top 200 npm + top 100 PyPI package names for typosquatting detection (Levenshtein baseline) | | `skill-registry.json` | Seed data for skill signature registry — known fingerprints and risk profiles | +| `compliance-mapping.md` | EU AI Act, NIST AI RMF, ISO 42001, MITRE ATLAS — article/control mappings to plugin capabilities | +| `norwegian-context.md` | Norwegian regulatory landscape — Datatilsynet, NSM, Digitaliseringsdirektoratet guidance for AI security | +| `prompt-injection-research-2025-2026.md` | 7 research papers (2025-2026) with implications for hook defenses | +| `deepmind-agent-traps.md` | DeepMind AI Agent Traps — 6 categories, 43 techniques, coverage matrix | +| `attack-scenarios.json` | 64 red-team scenarios across 12 categories for attack simulation | +| `attack-mutations.json` | Synonym tables and mutation rules for adaptive red-team testing | > [!NOTE] > All knowledge base content is derived from published OWASP standards and peer-reviewed security research. The knowledge files provide grounding for agent analysis — agents read relevant sections before producing findings. --- +## Compliance & Governance + +v6.0.0 adds an enterprise governance layer for standards-aware security operations: + +| Capability | Description | +|------------|-------------| +| **Compliance Mapping** | Maps plugin capabilities to EU AI Act (Art. 9, 15, 17), NIST AI RMF (Map, Measure, Manage, Govern), ISO 42001 (Annex A), and MITRE ATLAS techniques. Posture categories 14-16 assess compliance readiness. | +| **Norwegian Context** | Regulatory guidance from Datatilsynet (DPIA for AI), NSM (basic security principles), and Digitaliseringsdirektoratet. Relevant for Norwegian public sector AI deployments. | +| **SARIF 2.1.0 Output** | `--format sarif` flag on scan/deep-scan produces OASIS SARIF standard output for CI/CD integration (GitHub Advanced Security, Azure DevOps, SonarQube). | +| **Structured Audit Trail** | JSONL audit events (`audit-trail.mjs`) with ISO 8601 timestamps, OWASP category tags, and SIEM-ready schema. Configurable via `LLM_SECURITY_AUDIT_*` env vars. | +| **AI-BOM** | CycloneDX 1.6 Bill of Materials for AI components — models, MCP servers, plugins, knowledge files, hooks. `llm-security audit-bom `. | +| **Policy-as-Code** | `.llm-security/policy.json` for distributable hook configuration. Teams can enforce consistent security thresholds without per-developer env var setup. | +| **Standalone CLI** | `npx llm-security scan ` — runs scanners without Claude Code. Subcommands: `scan`, `posture`, `audit-bom`, `benchmark`. | + +### Benchmarks + +The attack simulator (`llm-security benchmark`) tests hook defenses with 64 crafted scenarios across 12 categories. Adaptive mode (`--adaptive`) applies 5 mutation rounds per passing scenario (homoglyph substitution, encoding variations, zero-width injection, case alternation, synonym replacement). + +--- + ## OWASP Coverage | Category | Automated (Hooks) | Deterministic (Scanners) | Advisory (Commands) | Coverage | @@ -730,6 +756,7 @@ This plugin provides full-stack security hardening (static analysis + supply cha | Version | Date | Highlights | |---------|------|------------| +| **6.0.0** | 2026-04-10 | **CAISS-readiness release.** Enterprise compliance and governance layer: compliance mapping (EU AI Act, NIST AI RMF, ISO 42001, MITRE ATLAS), Norwegian regulatory context (Datatilsynet, NSM, Digitaliseringsdirektoratet), SARIF 2.1.0 output format (`--format sarif`), structured JSONL audit trail (`audit-trail.mjs`), AI-BOM generator (CycloneDX 1.6), policy-as-code (`.llm-security/policy.json`), standalone CLI (`bin/llm-security.mjs` — `npx llm-security scan`). Posture scanner expanded to 16 categories (+EU AI Act, NIST AI RMF, ISO 42001). Attack simulator benchmark mode (`--benchmark`). 15 knowledge docs, 16 scanners, 1242+ tests. | | **5.1.0** | 2026-04-07 | **Sandboxed remote cloning.** Defense-in-depth for `git clone` attack surface: (1) 8 git config flags disable hooks, symlinks, filter/smudge drivers, fsmonitor, local file protocol; 4 env vars isolate from system/user config. (2) OS sandbox: macOS `sandbox-exec` + Linux `bubblewrap` restrict file writes to only the clone temp dir. Graceful fallback on Windows (git config only). Post-clone size check (100MB max). UUID-unique evidence filenames prevent race conditions. Cleanup guarantee in scan/plugin-audit commands. 1147 tests (was 1115). | | **5.0.0** | 2026-04-06 | **Prompt Injection Hardening (v5.0).** 8-session defense-in-depth overhaul driven by 7 research papers (2025-2026). MEDIUM advisory for obfuscation signals (leetspeak, homoglyphs, zero-width, multi-language). Unicode Tag steganography detection (U+E0000-E007F). Bash expansion normalization (`bash-normalize.mjs`). Rule of Two enforcement (configurable `LLM_SECURITY_TRIFECTA_MODE=block\|warn\|off`). 100-call long-horizon monitoring window with slow-burn trifecta detection. Behavioral drift via Jensen-Shannon divergence. HITL trap detection (approval urgency, summary suppression, scope minimization). Sub-agent delegation tracking (escalation-after-input advisory). NL indirection patterns. Hybrid attacks (P2SQL, recursive injection, XSS-in-agent). CaMeL-inspired data flow tagging (SHA-256 provenance, output-to-input linking). Adaptive red-team (5 mutation rounds per scenario: homoglyph, encoding, zero-width, case alternation, synonym). Knowledge base expanded: `prompt-injection-research-2025-2026.md`, `deepmind-agent-traps.md`, `attack-mutations.json`. Posture scanner expanded to 13 categories (+Prompt Injection Hardening, Rule of Two, Long-Horizon Monitoring). Defense Philosophy section documenting honest limitations. 1115 tests. | | **4.5.1** | 2026-04-04 | **Cross-platform support.** Windows/Linux compatibility: `fileURLToPath()`, `path.dirname()`, native `fetch()` replaces `curl` subprocess, fixed tilde expansion regex. 11 files, 782 tests pass. | diff --git a/scanners/dashboard-aggregator.mjs b/scanners/dashboard-aggregator.mjs index 1e122e9..f466810 100644 --- a/scanners/dashboard-aggregator.mjs +++ b/scanners/dashboard-aggregator.mjs @@ -19,7 +19,7 @@ import { scan } from './posture-scanner.mjs'; // Constants // --------------------------------------------------------------------------- -const VERSION = '5.1.0'; +const VERSION = '6.0.0'; /** Cache location */ const CACHE_DIR = join(homedir(), '.cache', 'llm-security');