Command Palette

Search for a command to run...

UnylyUnyly
Весь каталог

Va Pentest

БесплатноНе проверен

A Model Context Protocol server for automated security vulnerability assessment, combining OWASP Dependency-Check dependency scanning with custom code vulnerabi

GitHubEmbed

Описание

A Model Context Protocol server for automated security vulnerability assessment, combining OWASP Dependency-Check dependency scanning with custom code vulnerability detection, and generating detailed HTML and JSON reports.

README

🔒 Model Context Protocol (MCP) Server for Security Vulnerability Assessment and Penetration Testing

A comprehensive Python-based MCP server that provides automated security scanning capabilities for projects. Combines OWASP Dependency-Check for dependency scanning with custom code vulnerability detection.

Features

🔍 Security Scanning

  • Dependency Scanning: Uses OWASP Dependency-Check to identify known vulnerabilities in project dependencies
  • Code Security Scanning: Custom regex-based vulnerability detection for:
    • 🔐 Hardcoded Secrets (API keys, passwords, private keys, JWT tokens, database URLs, AWS credentials)
    • 💉 SQL Injection patterns
    • 🎯 Command Injection vulnerabilities
    • ⚠️ Unsafe Operations (eval, pickle, dangerous imports, file permissions)
    • 🌐 Cross-Site Scripting (XSS) vulnerabilities
    • 🚶 Path Traversal vulnerabilities

📊 Report Generation

  • HTML Reports: Beautiful, interactive HTML reports with vulnerability details and recommendations
  • JSON Reports: Machine-readable JSON format for integration with other systems
  • Comprehensive Summary: Risk assessment and vulnerability statistics

🛠️ MCP Protocol Support

  • Full Model Context Protocol implementation
  • Tool registration and management
  • Resource handling
  • Standardized request/response format

Installation

Prerequisites

  • Python 3.8 or higher
  • pip (Python package manager)
  • OWASP Dependency-Check (optional - will attempt auto-install)

Setup

  1. Clone the repository
git clone https://github.com/banhongit7/va-pentest-mcp.git
cd va-pentest-mcp
  1. Create virtual environment
python -m venv venv

# On Windows
venv\Scripts\activate

# On macOS/Linux
source venv/bin/activate
  1. Install dependencies
pip install -r requirements.txt
  1. Install package
pip install -e .

Configuration

Environment Variables

Create a .env file in the project root:

# MCP Server Configuration
LOG_LEVEL=INFO
LOG_FILE=./logs/va-pentest-mcp.log

# Dependency Check Configuration
DEPENDENCY_CHECK_ENABLED=true
DEPENDENCY_CHECK_PATH=/path/to/dependency-check/bin/dependency-check
DEPENDENCY_CHECK_DB_DIR=./tools/dependency-check-db

# Code Scanner Configuration
CODE_SCANNER_ENABLED=true
SCAN_FOR_SECRETS=true
SCAN_FOR_SQL_INJECTION=true
SCAN_FOR_COMMAND_INJECTION=true
SCAN_FOR_UNSAFE_OPERATIONS=true

# Report Generation
GENERATE_HTML_REPORT=true
GENERATE_JSON_REPORT=true

# Python Path (for Windows)
PYTHONPATH=D:\mcp\va-pentest-mcp\src

MCP Configuration (config.json)

For OpenCode AI integration:

{
  "$schema": "https://opencode.ai/config.json",
  "mcp": {
    "va-pentest-mcp": {
      "type": "local",
      "command": ["python", "-m", "va_pentest_mcp.server"],
      "enabled": true,
      "env": {
        "PYTHONPATH": "D:\\mcp\\va-pentest-mcp\\src",
        "PATH": "D:\\mcp\\va-pentest-mcp\\tools;{env:PATH}"
      }
    }
  }
}

Usage

Starting the Server

python -m va_pentest_mcp.server

Or using the console script:

va-pentest-mcp

Available Tools

1. scan_dependencies

Scans project dependencies for known vulnerabilities using OWASP Dependency-Check.

{
  "project_path": "/path/to/project"
}

2. scan_code

Scans source code for security vulnerabilities.

{
  "project_path": "/path/to/project",
  "file_extensions": [".py", ".js", ".java"]  # Optional
}

3. scan_full

Runs complete security scan and generates reports.

{
  "project_path": "/path/to/project",
  "generate_reports": true
}

Project Structure

va-pentest-mcp/
├── src/
│   └── va_pentest_mcp/
│       ├── __init__.py                 # Package initialization
│       ├── server.py                   # Main MCP Server
│       ├── mcp_protocol.py             # MCP Protocol Handler
│       ├── dependency_scanner.py       # OWASP Dependency-Check Integration
│       ├── code_scanner.py             # Custom Security Vulnerability Detection
│       ├── report_generator.py         # HTML & JSON Report Generation
│       ├── config.py                   # Configuration Management
│       └── utils.py                    # Utility Functions
├── tools/                              # External tools directory
│   ├── dependency-check/               # OWASP Dependency-Check binary
│   └── dependency-check-db/            # Vulnerability database
├── reports/                            # Generated reports
│   ├── scan_report_YYYYMMDD_HHMMSS.html
│   └── scan_report_YYYYMMDD_HHMMSS.json
├── logs/                               # Application logs
├── requirements.txt                    # Python dependencies
├── setup.py                            # Package setup script
├── README.md                           # This file
└── .gitignore                          # Git ignore rules

Vulnerability Detection

Hardcoded Secrets Detection

Detects:

  • API Keys
  • Passwords
  • Private Keys (RSA, OPENSSH, DSA, EC)
  • AWS Access Keys (AKIA...)
  • JWT Tokens
  • Database Connection Strings

Code Injection Detection

  • SQL Injection via string concatenation, format strings, and direct queries
  • Command Injection via os.system, subprocess, shell commands

Unsafe Operations

  • eval() usage
  • pickle/marshal usage
  • Dangerous imports
  • Insecure file permissions

Web Vulnerabilities

  • XSS via innerHTML, dangerouslySetInnerHTML
  • Path Traversal patterns

Report Output

HTML Report Features

  • Executive Summary with Risk Assessment
  • Vulnerability Statistics by Severity
  • Detailed Vulnerability Listing
  • Code Snippets with Line Numbers
  • Remediation Recommendations
  • Professional Styling

JSON Report Structure

{
  "scan_info": {
    "timestamp": "2024-01-01T12:00:00",
    "project_path": "/path/to/project",
    "scan_type": "Combined VA Scan"
  },
  "code_scan": {
    "total_vulnerabilities": 5,
    "vulnerabilities": [
      {
        "type": "Hardcoded Secret",
        "severity": "CRITICAL",
        "file": "config.py",
        "line": 42,
        "description": "Hardcoded API Key detected",
        "recommendation": "Use environment variables instead"
      }
    ]
  },
  "summary": {
    "overall_risk": "HIGH",
    "critical": 2,
    "high": 3
  }
}

Advanced Configuration

Custom File Extensions

file_extensions = ['.py', '.js', '.ts', '.java', '.go', '.rb', '.php', '.cs']

Severity Levels

  • CRITICAL: Immediate action required
  • HIGH: Significant security risk
  • MEDIUM: Moderate risk, should be addressed
  • LOW: Low risk, consider fixing
  • INFO: Informational findings

Troubleshooting

dependency-check Not Found

# Try installing via pip
pip install dependency-check

# Or via npm
npm install -g dependency-check

# Or via homebrew (macOS)
brew install dependency-check

Permission Issues

# Make dependency-check executable
chmod +x /path/to/dependency-check

Windows Python Path

Ensure PYTHONPATH is correctly set in config.json:

"PYTHONPATH": "C:\\Users\\username\\va-pentest-mcp\\src"

Contributing

Contributions are welcome! Please feel free to submit a Pull Request.

License

MIT License - See LICENSE file for details

Security Note

This tool is designed for authorized security testing only. Always get proper authorization before testing security vulnerabilities in any system.

Support

For issues, questions, or suggestions:


VA Pentest MCP - Making security assessment automated and accessible 🚀

from github.com/banhongit7/va-pentest-mcp

Установка Va Pentest

У этого сервера нет опубликованного пакета — он собирается из исходников. Открой репозиторий и следуй инструкции в README.

▸ github.com/banhongit7/va-pentest-mcp

FAQ

Va Pentest MCP бесплатный?

Да, Va Pentest MCP бесплатный — установка в пару кликов через Unyly без оплаты.

Нужен ли API-ключ для Va Pentest?

Нет, Va Pentest работает без API-ключей и переменных окружения.

Va Pentest — hosted или self-hosted?

Self-hosted: сервер запускается локально на твоей машине командой из раздела установки.

Как установить Va Pentest в Claude Desktop, Claude Code или Cursor?

Открой Va Pentest на unyly.org, выбери вкладку своего клиента (Claude Desktop, Claude Code, Cursor) и нажми Install — конфиг сгенерируется автоматически, без правки JSON.

Похожие MCP

Compare Va Pentest with

Не уверен что выбрать?

Найди свой стек за 60 секунд

Автор?

Embed-бейдж для README

Похожее

Все в категории development