Add better concistency to the MCP rule

thomas-bartlett · thomas-bartlett · commit dcd21e47281b · 2026-01-27T14:51:10.000-05:00
diff --git a/skills/software-security/SKILL.md b/skills/software-security/SKILL.md
@@ -1,7 +1,7 @@
 ---
 name: software-security
 description: A software security skill that integrates with Project CodeGuard to help AI coding agents write secure code and prevent common vulnerabilities. Use this skill when writing, reviewing, or modifying code to ensure secure-by-default practices are followed.
-codeguard-version: "1.0.1"
+codeguard-version: "1.1.0"
 framework: "Project CodeGuard"
 purpose: "Embed secure-by-default practices into AI coding workflows"
 ---
@@ -34,21 +34,22 @@ When writing or reviewing code:
 | cpp | codeguard-0-safe-c-functions.md |
 | d | codeguard-0-iac-security.md |
 | docker | codeguard-0-devops-ci-cd-containers.md, codeguard-0-supply-chain-security.md |
-| go | codeguard-0-additional-cryptography.md, codeguard-0-api-web-services.md, codeguard-0-authentication-mfa.md, codeguard-0-authorization-access-control.md, codeguard-0-file-handling-and-uploads.md, codeguard-0-input-validation-injection.md, codeguard-0-session-management-and-cookies.md, codeguard-0-xml-and-serialization.md |
+| go | codeguard-0-additional-cryptography.md, codeguard-0-api-web-services.md, codeguard-0-authentication-mfa.md, codeguard-0-authorization-access-control.md, codeguard-0-file-handling-and-uploads.md, codeguard-0-input-validation-injection.md, codeguard-0-mcp-security.md, codeguard-0-session-management-and-cookies.md, codeguard-0-xml-and-serialization.md |
 | html | codeguard-0-client-side-web-security.md, codeguard-0-input-validation-injection.md, codeguard-0-session-management-and-cookies.md |
-| java | codeguard-0-additional-cryptography.md, codeguard-0-api-web-services.md, codeguard-0-authentication-mfa.md, codeguard-0-authorization-access-control.md, codeguard-0-file-handling-and-uploads.md, codeguard-0-framework-and-languages.md, codeguard-0-input-validation-injection.md, codeguard-0-mobile-apps.md, codeguard-0-session-management-and-cookies.md, codeguard-0-xml-and-serialization.md |
-| javascript | codeguard-0-additional-cryptography.md, codeguard-0-api-web-services.md, codeguard-0-authentication-mfa.md, codeguard-0-authorization-access-control.md, codeguard-0-client-side-web-security.md, codeguard-0-cloud-orchestration-kubernetes.md, codeguard-0-data-storage.md, codeguard-0-devops-ci-cd-containers.md, codeguard-0-file-handling-and-uploads.md, codeguard-0-framework-and-languages.md, codeguard-0-iac-security.md, codeguard-0-input-validation-injection.md, codeguard-0-logging.md, codeguard-0-mobile-apps.md, codeguard-0-privacy-data-protection.md, codeguard-0-session-management-and-cookies.md, codeguard-0-supply-chain-security.md |
+| java | codeguard-0-additional-cryptography.md, codeguard-0-api-web-services.md, codeguard-0-authentication-mfa.md, codeguard-0-authorization-access-control.md, codeguard-0-file-handling-and-uploads.md, codeguard-0-framework-and-languages.md, codeguard-0-input-validation-injection.md, codeguard-0-mcp-security.md, codeguard-0-mobile-apps.md, codeguard-0-session-management-and-cookies.md, codeguard-0-xml-and-serialization.md |
+| javascript | codeguard-0-additional-cryptography.md, codeguard-0-api-web-services.md, codeguard-0-authentication-mfa.md, codeguard-0-authorization-access-control.md, codeguard-0-client-side-web-security.md, codeguard-0-cloud-orchestration-kubernetes.md, codeguard-0-data-storage.md, codeguard-0-devops-ci-cd-containers.md, codeguard-0-file-handling-and-uploads.md, codeguard-0-framework-and-languages.md, codeguard-0-iac-security.md, codeguard-0-input-validation-injection.md, codeguard-0-logging.md, codeguard-0-mcp-security.md, codeguard-0-mobile-apps.md, codeguard-0-privacy-data-protection.md, codeguard-0-session-management-and-cookies.md, codeguard-0-supply-chain-security.md |
 | kotlin | codeguard-0-additional-cryptography.md, codeguard-0-authentication-mfa.md, codeguard-0-framework-and-languages.md, codeguard-0-mobile-apps.md |
 | matlab | codeguard-0-additional-cryptography.md, codeguard-0-authentication-mfa.md, codeguard-0-mobile-apps.md, codeguard-0-privacy-data-protection.md |
 | perl | codeguard-0-mobile-apps.md |
 | php | codeguard-0-additional-cryptography.md, codeguard-0-api-web-services.md, codeguard-0-authentication-mfa.md, codeguard-0-authorization-access-control.md, codeguard-0-client-side-web-security.md, codeguard-0-file-handling-and-uploads.md, codeguard-0-framework-and-languages.md, codeguard-0-input-validation-injection.md, codeguard-0-session-management-and-cookies.md, codeguard-0-xml-and-serialization.md |
 | powershell | codeguard-0-devops-ci-cd-containers.md, codeguard-0-iac-security.md, codeguard-0-input-validation-injection.md |
-| python | codeguard-0-additional-cryptography.md, codeguard-0-api-web-services.md, codeguard-0-authentication-mfa.md, codeguard-0-authorization-access-control.md, codeguard-0-file-handling-and-uploads.md, codeguard-0-framework-and-languages.md, codeguard-0-input-validation-injection.md, codeguard-0-session-management-and-cookies.md, codeguard-0-xml-and-serialization.md |
+| python | codeguard-0-additional-cryptography.md, codeguard-0-api-web-services.md, codeguard-0-authentication-mfa.md, codeguard-0-authorization-access-control.md, codeguard-0-file-handling-and-uploads.md, codeguard-0-framework-and-languages.md, codeguard-0-input-validation-injection.md, codeguard-0-mcp-security.md, codeguard-0-session-management-and-cookies.md, codeguard-0-xml-and-serialization.md |
 | ruby | codeguard-0-additional-cryptography.md, codeguard-0-api-web-services.md, codeguard-0-authentication-mfa.md, codeguard-0-authorization-access-control.md, codeguard-0-file-handling-and-uploads.md, codeguard-0-framework-and-languages.md, codeguard-0-iac-security.md, codeguard-0-input-validation-injection.md, codeguard-0-session-management-and-cookies.md, codeguard-0-xml-and-serialization.md |
+| rust | codeguard-0-mcp-security.md |
 | shell | codeguard-0-devops-ci-cd-containers.md, codeguard-0-iac-security.md, codeguard-0-input-validation-injection.md |
 | sql | codeguard-0-data-storage.md, codeguard-0-input-validation-injection.md |
 | swift | codeguard-0-additional-cryptography.md, codeguard-0-authentication-mfa.md, codeguard-0-mobile-apps.md |
-| typescript | codeguard-0-additional-cryptography.md, codeguard-0-api-web-services.md, codeguard-0-authentication-mfa.md, codeguard-0-authorization-access-control.md, codeguard-0-client-side-web-security.md, codeguard-0-file-handling-and-uploads.md, codeguard-0-framework-and-languages.md, codeguard-0-input-validation-injection.md, codeguard-0-session-management-and-cookies.md |
+| typescript | codeguard-0-additional-cryptography.md, codeguard-0-api-web-services.md, codeguard-0-authentication-mfa.md, codeguard-0-authorization-access-control.md, codeguard-0-client-side-web-security.md, codeguard-0-file-handling-and-uploads.md, codeguard-0-framework-and-languages.md, codeguard-0-input-validation-injection.md, codeguard-0-mcp-security.md, codeguard-0-session-management-and-cookies.md |
 | vlang | codeguard-0-client-side-web-security.md |
 | xml | codeguard-0-additional-cryptography.md, codeguard-0-api-web-services.md, codeguard-0-devops-ci-cd-containers.md, codeguard-0-framework-and-languages.md, codeguard-0-mobile-apps.md, codeguard-0-xml-and-serialization.md |
 | yaml | codeguard-0-additional-cryptography.md, codeguard-0-api-web-services.md, codeguard-0-authorization-access-control.md, codeguard-0-cloud-orchestration-kubernetes.md, codeguard-0-data-storage.md, codeguard-0-devops-ci-cd-containers.md, codeguard-0-framework-and-languages.md, codeguard-0-iac-security.md, codeguard-0-logging.md, codeguard-0-privacy-data-protection.md, codeguard-0-supply-chain-security.md |
diff --git a/skills/software-security/rules/codeguard-0-mcp-security.md b/skills/software-security/rules/codeguard-0-mcp-security.md
@@ -0,0 +1,94 @@
+---
+description: MCP (Model Context Protocol) Security based on CoSAI MCP Security guidelines
+languages:
+- python
+- javascript
+- typescript
+- go
+- rust
+- java
+alwaysApply: false
+---
+
+rule_id: codeguard-0-mcp-security
+
+# MCP (Model Context Protocol) Security Guidelines
+
+NEVER deploy MCP servers or clients without implementing proper security controls.
+
+### Workload Identity and Authentication
+- Use SPIFFE/SPIRE for cryptographic workload identities
+  - SPIFFE (Secure Production Identity Framework For Everyone) provides a standard for service identity
+  - SPIRE (SPIFFE Runtime Environment) issues and rotates short-lived cryptographic identities (SVIDs)
+
+### Input and Data Sanitization
+- Validate ALL inputs using allowlists at every trust boundary
+- Sanitize file paths through canonicalization
+- Use parameterized queries for database operations
+- Apply context-aware output encoding (SQL, shell, HTML)
+- Treat ALL AI-generated content as untrusted input
+- Deploy prompt injection detection systems
+- Use strict JSON schemas to maintain boundaries between instructions and data
+
+### Sandboxing and Isolation
+- Design MCP servers to execute with least privilege
+- MCP servers interacting with host environment (files, commands, network) MUST implement sandboxing controls
+- LLM-generated code MUST NOT run with full user privileges
+- Implement additional sandboxing layers: gVisor, Kata Containers, SELinux sandboxes
+
+### Cryptographic Verification of Resources
+- Provide cryptographic signatures and SBOMs for all server code
+- Implement signature verification in your MCP client before loading servers
+- Use TLS for ALL data in transit
+- Implement remote attestation capabilities to verify servers are running expected code
+
+### Transport Layer Security
+
+#### stdio Transport (Local Servers)
+- STRONGLY RECOMMENDED for local MCP to eliminate DNS rebinding risks
+- Direct pipe-based stream communication
+- Implement sandbox to prevent privilege escalation
+
+#### HTTP Streaming Transport (Remote Servers)
+Required security controls to implement:
+- Payload Limits (prevent large payload and recursive payload DoS)
+- Client-Server Authentication/Authorization
+- Mutual TLS Authentication
+- TLS Encryption
+- CORS Protection
+- CSRF Protection
+- Integrity Checks (prevent replay, spoofing, poisoned responses)
+
+### Human-in-the-Loop
+- Implement confirmation prompts for risky operations in your MCP server
+- Use elicitation on MCP server side to request user confirmation of risky actions
+- Security-relevant messages MUST clearly indicate implications
+- Do NOT rely solely on human approval (users can become fatigued)
+
+### Logging and Observability
+- Implement logging in your MCP servers and clients
+- Log: tools that were used, parameters, originating prompt
+- Use OpenTelemetry for end-to-end linkability of actions
+- Maintain immutable records of actions and authorizations
+
+---
+
+## Deployment Pattern Security
+
+### All-Local (stdio or http)
+- Security depends entirely on host system posture
+- Use `stdio` transport to avoid DNS rebinding risks
+- Use sandboxing to limit privilege escalation attacks
+- Appropriate for development and personal use
+
+### Single-Tenant Remote (http)
+- Authentication between client and server is REQUIRED
+- Use secure credential storage (OS keychains, secret managers)
+- Communication MUST be authenticated and encrypted
+- Enterprise clients should enforce authenticated server discovery with explicit allowlists
+
+### Multi-Tenant Remote (http)
+- Require robust tenant isolation, identity, and access control
+- Implement strong multi-tenancy controls (per-tenant encryption, role-based access control)
+- Prefer MCP servers hosted directly by service provider
+- Provide remote attestation when possible
diff --git a/sources/core/codeguard-0-mcp-security.md b/sources/core/codeguard-0-mcp-security.md
@@ -6,22 +6,19 @@ languages:
 - typescript
 - go
 - rust
+- java
 alwaysApply: false
 ---
 
-rule_id: codeguard-0-mcp-security
-
 # MCP (Model Context Protocol) Security Guidelines
 
 NEVER deploy MCP servers or clients without implementing proper security controls.
 
-
 ### Workload Identity and Authentication
 - Use SPIFFE/SPIRE for cryptographic workload identities
   - SPIFFE (Secure Production Identity Framework For Everyone) provides a standard for service identity
   - SPIRE (SPIFFE Runtime Environment) issues and rotates short-lived cryptographic identities (SVIDs)
 
-
 ### Input and Data Sanitization
 - Validate ALL inputs using allowlists at every trust boundary
 - Sanitize file paths through canonicalization
@@ -93,5 +90,3 @@ Required security controls to implement:
 - Implement strong multi-tenancy controls (per-tenant encryption, role-based access control)
 - Prefer MCP servers hosted directly by service provider
 - Provide remote attestation when possible
-
-You must always explain how this rule was applied and why it was applied.
diff --git a/uv.lock b/uv.lock
