tzervas · tzervas · Jul 9, 2025 · Jul 10, 2025 · sourcery-ai · Jul 10, 2025
diff --git a/.github/workflows/code-scanning.yml b/.github/workflows/code-scanning.yml
@@ -1,6 +1,13 @@
-name: "CodeQL"
+name: "Security Scanning"
 run-name: ${{ github.event.inputs.code_scanning_run_name }}
-on: [push, pull_request, workflow_dispatch]
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
+  schedule:
+    - cron: '0 0 * * *'  # Run daily at midnight UTC
+  workflow_dispatch:
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -12,6 +19,74 @@ env:
   CODE_SCANNING_IS_ANALYZING_DEFAULT_BRANCH: ${{ github.event.inputs.code_scanning_is_analyzing_default_branch }}
 
 jobs:
+  security-scan:
+    name: Security Scan
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+      actions: read
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      # Container Scanning
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs,config'
+          scan-ref: '.'
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          severity: 'CRITICAL,HIGH'
+
+      - name: Upload Trivy scan results
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: 'trivy-results.sarif'
+          category: 'trivy'
+
+      # Dependency Scanning
+      - name: Verify dependencies
+        run: |
+          go mod verify
+          go mod download
+
+      - name: Run govulncheck
+        run: |
+          go install golang.org/x/vuln/cmd/govulncheck@latest
+          govulncheck ./...
+
+      # SAST Scanning
+      - name: Run gosec
+        uses: securego/gosec@master
+        with:
+          args: '-no-fail -fmt sarif -out gosec-results.sarif ./...'
+
-      - name: Run gosec
-        uses: securego/gosec@master
-        with:
-          args: '-no-fail -fmt sarif -out gosec-results.sarif ./...'
+      - name: Run gosec
+        uses: securego/gosec@v2.19.0
+        with:
+          args: '-no-fail -fmt sarif -out gosec-results.sarif ./...'
-      - name: Run gosec
-        uses: securego/gosec@master
-        with:
-          args: '-no-fail -fmt sarif -out gosec-results.sarif ./...'
+      - name: Run gosec
+        uses: securego/gosec@v2.19.0
+        with:
+          args: '-no-fail -fmt sarif -out gosec-results.sarif ./...'
+      - name: Upload gosec scan results
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: gosec-results.sarif
+          category: gosec
+
+      # Secrets Scanning
+      - name: Run gitleaks
+        uses: gitleaks/gitleaks-action@v2
+        with:
+          config-path: .gitleaks.toml
+          format: sarif
+          report-path: gitleaks-report.sarif
+
-      - name: Run gitleaks
-        uses: gitleaks/gitleaks-action@v2
-        with:
-          config-path: .gitleaks.toml
-          format: sarif
-          report-path: gitleaks-report.sarif
+      - name: Run gitleaks
+        uses: gitleaks/gitleaks-action@v2.19.0
+        with:
+          config-path: .gitleaks.toml
+          format: sarif
+          report-path: gitleaks-report.sarif
-      - name: Run gitleaks
-        uses: gitleaks/gitleaks-action@v2
-        with:
-          config-path: .gitleaks.toml
-          format: sarif
-          report-path: gitleaks-report.sarif
+      - name: Run gitleaks
+        uses: gitleaks/gitleaks-action@v2.19.0
+        with:
+          config-path: .gitleaks.toml
+          format: sarif
+          report-path: gitleaks-report.sarif
+      - name: Upload gitleaks scan results
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: gitleaks-report.sarif
+          category: gitleaks
+
   analyze:
     name: Analyze (${{ matrix.language }})
     runs-on: ${{ fromJSON(matrix.runner) }}

diff --git a/.gitleaks.toml b/.gitleaks.toml
@@ -0,0 +1,59 @@
+# Gitleaks configuration file
+
+title = "Gitleaks Rules"
+
+# Add custom rules for secret detection
+[[rules]]
+id = "github-token"
+description = "GitHub Token"
+regex = '''(?i)(?:github(?:_| |\.|-)token|gh(?:_| |\.|-)token|gh(?:_| |\.|-)pat|github(?:_| |\.|-)pat)(?:[ |=|:])[ |"|']*([a-zA-Z0-9]{35,41})'''
+secret-group = 1
+entropy = 4.5
+keywords = [
+    "github[_|-]token",
+    "gh[_|-]token",
+    "gh[_|-]pat",
+    "github[_|-]pat"
+]
+
+[[rules]]
+id = "github-oauth"
+description = "GitHub OAuth Access Token"
+regex = '''(?i)(?:github(?:_| |\.|-)oauth|gh(?:_| |\.|-)oauth)(?:[ |=|:])[ |"|']*([a-zA-Z0-9]{35,41})'''
+secret-group = 1
+entropy = 4.5
+keywords = [
+    "github[_|-]oauth",
+    "gh[_|-]oauth"
+]
+
+[[rules]]
+id = "aws-access-token"
+description = "AWS Access Token"
+regex = '''(?i)(?:aws_access_key_id|aws_secret_access_key)(?:[ |=|:])[ |"|']*([a-zA-Z0-9/+]{40})'''
+secret-group = 1
+keywords = [
+    "aws_access_key_id",
+    "aws_secret_access_key"
+]
+
+[[rules]]
+id = "private-key"
+description = "Private Key"
+regex = '''(?i)-----BEGIN[ A-Z0-9_-]*PRIVATE KEY-----'''
+keywords = [
+    "BEGIN PRIVATE KEY",
+    "BEGIN RSA PRIVATE KEY",
+    "BEGIN DSA PRIVATE KEY",
+    "BEGIN EC PRIVATE KEY",
+    "BEGIN PGP PRIVATE KEY BLOCK"
+]
+
+# Allow list specific files/paths
+[allowlist]
+paths = [
+    '''(.*?)(test)''',         # Test files
+    '''(.*?)(mock)''',         # Mock files
+    '''(.*?)(\\.example)''',   # Example files
+    '''(.*?)(\\.sample)'''     # Sample files
+]
diff --git a/Dockerfile b/Dockerfile
@@ -20,6 +20,8 @@ RUN --mount=type=cache,target=/go/pkg/mod \
 FROM gcr.io/distroless/base-debian12
 # Set the working directory
 WORKDIR /server
+# Set default toolset permissions
+ENV GITHUB_TOOLSET_PERMISSIONS='{"issues":{"level":"read","scopes":["repo"]},"pullrequests":{"level":"write","scopes":["repo"]},"discussions":{"level":"read","scopes":["repo"]},"actions":{"level":"admin","scopes":["repo","workflow"]},"dependabot":{"level":"write","scopes":["repo","security_events"]},"code_scanning":{"level":"read","scopes":["repo","security_events"]},"secret_scanning":{"level":"admin","scopes":["repo","security_events"]}}'
 # Copy the binary from the build stage
 COPY --from=build /bin/github-mcp-server .
 # Set the entrypoint to the server binary

diff --git a/pkg/security/security_test.go b/pkg/security/security_test.go
@@ -0,0 +1,171 @@
+package security
+
+import (
+	"context"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+	"time"
+
+	"github.com/sirupsen/logrus"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestSecurityConfig(t *testing.T) {
+	t.Run("DefaultConfig", func(t *testing.T) {
+		cfg := DefaultConfig()
+		assert.True(t, cfg.ReadOnly, "Default config should be read-only")
+		assert.True(t, cfg.DynamicToolsets, "Dynamic toolsets should be enabled by default")
+		assert.True(t, cfg.RateLimit.Enabled, "Rate limiting should be enabled by default")
+		assert.Equal(t, float64(10), cfg.RateLimit.RequestsPerSecond, "Default RPS should be 10")
+	})
+}
-func TestSecurityConfig(t *testing.T) {
-	t.Run("DefaultConfig", func(t *testing.T) {
-		cfg := DefaultConfig()
-		assert.True(t, cfg.ReadOnly, "Default config should be read-only")
-		assert.True(t, cfg.DynamicToolsets, "Dynamic toolsets should be enabled by default")
-		assert.True(t, cfg.RateLimit.Enabled, "Rate limiting should be enabled by default")
-		assert.Equal(t, float64(10), cfg.RateLimit.RequestsPerSecond, "Default RPS should be 10")
-	})
-}
+func TestSecurityConfig(t *testing.T) {
+	t.Run("DefaultConfig", func(t *testing.T) {
+		cfg := DefaultConfig()
+		assert.True(t, cfg.ReadOnly, "Default config should be read-only")
+		assert.True(t, cfg.DynamicToolsets, "Dynamic toolsets should be enabled by default")
+		assert.True(t, cfg.RateLimit.Enabled, "Rate limiting should be enabled by default")
+		assert.Equal(t, float64(10), cfg.RateLimit.RequestsPerSecond, "Default RPS should be 10")
+	})
+
+	t.Run("NonDefaultConfig", func(t *testing.T) {
+		cfg := DefaultConfig()
+		cfg.ReadOnly = false
+		cfg.DynamicToolsets = false
+		cfg.RateLimit.Enabled = false
+		cfg.RateLimit.RequestsPerSecond = 42
+
+		assert.False(t, cfg.ReadOnly, "ReadOnly should be false when set")
+		assert.False(t, cfg.DynamicToolsets, "DynamicToolsets should be false when set")
+		assert.False(t, cfg.RateLimit.Enabled, "Rate limiting should be disabled when set")
+		assert.Equal(t, float64(42), cfg.RateLimit.RequestsPerSecond, "RPS should reflect non-default value")
+	})
+}
-func TestSecurityConfig(t *testing.T) {
-	t.Run("DefaultConfig", func(t *testing.T) {
-		cfg := DefaultConfig()
-		assert.True(t, cfg.ReadOnly, "Default config should be read-only")
-		assert.True(t, cfg.DynamicToolsets, "Dynamic toolsets should be enabled by default")
-		assert.True(t, cfg.RateLimit.Enabled, "Rate limiting should be enabled by default")
-		assert.Equal(t, float64(10), cfg.RateLimit.RequestsPerSecond, "Default RPS should be 10")
-	})
-}
+func TestSecurityConfig(t *testing.T) {
+	t.Run("DefaultConfig", func(t *testing.T) {
+		cfg := DefaultConfig()
+		assert.True(t, cfg.ReadOnly, "Default config should be read-only")
+		assert.True(t, cfg.DynamicToolsets, "Dynamic toolsets should be enabled by default")
+		assert.True(t, cfg.RateLimit.Enabled, "Rate limiting should be enabled by default")
+		assert.Equal(t, float64(10), cfg.RateLimit.RequestsPerSecond, "Default RPS should be 10")
+	})
+
+	t.Run("NonDefaultConfig", func(t *testing.T) {
+		cfg := DefaultConfig()
+		cfg.ReadOnly = false
+		cfg.DynamicToolsets = false
+		cfg.RateLimit.Enabled = false
+		cfg.RateLimit.RequestsPerSecond = 42
+
+		assert.False(t, cfg.ReadOnly, "ReadOnly should be false when set")
+		assert.False(t, cfg.DynamicToolsets, "DynamicToolsets should be false when set")
+		assert.False(t, cfg.RateLimit.Enabled, "Rate limiting should be disabled when set")
+		assert.Equal(t, float64(42), cfg.RateLimit.RequestsPerSecond, "RPS should reflect non-default value")
+	})
+}
+
+func TestSecurityHeaders(t *testing.T) {
+	logger := logrus.New()
+	cfg := DefaultConfig()
+	middleware := NewSecurityMiddleware(cfg, logger)
+
+	handler := middleware.SecurityHeaders(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+	}))
+
+	req := httptest.NewRequest("GET", "/", nil)
+	rec := httptest.NewRecorder()
+	handler.ServeHTTP(rec, req)
+
+	expectedHeaders := map[string]string{
+		"Content-Security-Policy":     "default-src 'self'",
+		"X-Content-Type-Options":      "nosniff",
+		"X-Frame-Options":            "DENY",
+		"X-XSS-Protection":           "1; mode=block",
+		"Strict-Transport-Security":   "max-age=31536000; includeSubDomains",
+	}
+
+	for header, expected := range expectedHeaders {
+		assert.Equal(t, expected, rec.Header().Get(header), "Security header %s not set correctly", header)
+	}
+}
+
+func TestRateLimiting(t *testing.T) {
+	logger := logrus.New()
+	cfg := DefaultConfig()
+	cfg.RateLimit.RequestsPerSecond = 2
+	cfg.RateLimit.Burst = 1
+	middleware := NewSecurityMiddleware(cfg, logger)
+
+	handler := middleware.RateLimiting(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+	}))
+
+	t.Run("Within Limits", func(t *testing.T) {
+		req := httptest.NewRequest("GET", "/", nil)
+		rec := httptest.NewRecorder()
+		handler.ServeHTTP(rec, req)
+		assert.Equal(t, http.StatusOK, rec.Code)
+	})
+
+	t.Run("Exceeds Limits", func(t *testing.T) {
+		// Make multiple requests quickly
+		for i := 0; i < 5; i++ {
+			req := httptest.NewRequest("GET", "/", nil)
+			rec := httptest.NewRecorder()
+			handler.ServeHTTP(rec, req)
+			if i >= 3 {
+				assert.Equal(t, http.StatusTooManyRequests, rec.Code)
+			}
+		}
+	})
+}
+
+func TestToolsetIsolation(t *testing.T) {
+	logger := logrus.New()
+	cfg := DefaultConfig()
+	middleware := NewSecurityMiddleware(cfg, logger)
+
+	t.Run("Context Creation", func(t *testing.T) {
+		ctx1 := middleware.CreateToolsetContext("toolset1")
+		ctx2 := middleware.CreateToolsetContext("toolset2")
+
+		assert.NotEqual(t, ctx1.ID, ctx2.ID)
+		assert.NotNil(t, ctx1.Logger)
+		assert.NotNil(t, ctx2.Logger)
+	})
+
+	t.Run("Resource Limits", func(t *testing.T) {
+		ctx := middleware.CreateToolsetContext("test-toolset")
+		assert.Equal(t, int64(512*1024*1024), ctx.ResourceLimits.MaxMemory)
+		assert.Equal(t, float64(1.0), ctx.ResourceLimits.MaxCPU)
+		assert.Equal(t, 1000, ctx.ResourceLimits.MaxRequests)
+	})
+}
+
+func TestRequestValidation(t *testing.T) {
+	logger := logrus.New()
+	cfg := DefaultConfig()
+	middleware := NewSecurityMiddleware(cfg, logger)
+
+	handler := middleware.RequestValidation(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+	}))
+
+	t.Run("Valid Request", func(t *testing.T) {
+		req := httptest.NewRequest("POST", "/", nil)
+		req.Header.Set("Content-Type", "application/json")
+		req.Header.Set("Authorization", "Bearer token")
+		rec := httptest.NewRecorder()
+		handler.ServeHTTP(rec, req)
+		assert.Equal(t, http.StatusOK, rec.Code)
+	})
+
+	t.Run("Invalid Content Type", func(t *testing.T) {
+		req := httptest.NewRequest("POST", "/", nil)
+		req.Header.Set("Content-Type", "text/plain")
+		req.Header.Set("Authorization", "Bearer token")
+		rec := httptest.NewRecorder()
+		handler.ServeHTTP(rec, req)
+		assert.Equal(t, http.StatusUnsupportedMediaType, rec.Code)
+	})
+
+	t.Run("Missing Authorization", func(t *testing.T) {
+		req := httptest.NewRequest("POST", "/", nil)
+		req.Header.Set("Content-Type", "application/json")
+		rec := httptest.NewRecorder()
+		handler.ServeHTTP(rec, req)
+		assert.Equal(t, http.StatusUnauthorized, rec.Code)
+	})
+}
+
+func TestAuditLogging(t *testing.T) {
+	logger := logrus.New()
+	cfg := DefaultConfig()
+	middleware := NewSecurityMiddleware(cfg, logger)
+
+	// Create a test buffer for logging
+	buf := &logBuffer{}
+	logger.SetOutput(buf)
+
+	ctx := context.Background()
+	toolsetID := "test-toolset"
+	operation := "test-operation"
+
+	middleware.AuditLog(ctx, toolsetID, operation)
+
+	logs := buf.String()
+	assert.Contains(t, logs, toolsetID)
+	assert.Contains(t, logs, operation)
+}
+
+// Helper type for capturing logs
+type logBuffer struct {
+	logs []string
+}
+
+func (b *logBuffer) Write(p []byte) (n int, err error) {
+	b.logs = append(b.logs, string(p))
+	return len(p), nil
+}
+
+func (b *logBuffer) String() string {
+	return string(b.logs[len(b.logs)-1])
+}