Skip to content

Security: Ansvar-Systems/german-cybersecurity-mcp

Security

SECURITY.md

Security Policy

Supported Versions

Version Supported
1.x
< 1.0

We support only the latest minor version. Please upgrade to receive security patches.

Security Scanning

This project uses multiple layers of automated security scanning:

Dependency Vulnerabilities

  • Dependabot: Automated dependency updates (weekly)
  • npm audit: Runs on every CI build
  • Socket.dev: Supply chain attack detection

Code Analysis

  • CodeQL: Static analysis for security vulnerabilities (weekly + on PRs)
  • Semgrep: SAST scanning for OWASP top 10, secrets, and TypeScript-specific issues
  • Trivy: Filesystem, dependency, and container image vulnerability scanning
  • Gitleaks: Secret detection across git history

Container Security

  • Docker Security Scan: Daily container image scanning via Trivy
  • SBOM Generation: CycloneDX and SPDX format (365-day retention)
  • OSSF Scorecard: OpenSSF best practices scoring

What We Scan For

  • Known CVEs in dependencies
  • SQL injection vulnerabilities
  • Cross-site scripting (XSS)
  • Regular expression denial of service (ReDoS)
  • Path traversal attacks
  • Supply chain attacks (malicious packages, typosquatting)
  • Hardcoded secrets and credentials

Reporting a Vulnerability

If you discover a security vulnerability:

  1. Do NOT open a public GitHub issue
  2. Email: hello@ansvar.ai
  3. Include:
    • Description of the vulnerability
    • Steps to reproduce
    • Potential impact
    • Suggested fix (if you have one)

We will respond within 48 hours and provide a timeline for a fix.

Security Best Practices

This project follows security best practices:

  • All database queries use prepared statements (no SQL injection)
  • Input validation on all user-provided parameters
  • Read-only database access (no write operations at runtime)
  • No execution of user-provided code
  • Automated security testing in CI/CD
  • Regular dependency updates via Dependabot

Database Security

Regulatory Database (SQLite)

The regulatory database is:

  • Pre-built and version-controlled (tamper evident)
  • Opened in read-only mode at runtime (no write risk)
  • Source data from official regulatory authorities (auditable)
  • Ingestion scripts require manual execution (no auto-download at runtime)

Third-Party Dependencies

We minimize dependencies and regularly audit:

  • Core runtime: Node.js, TypeScript, @ansvar/mcp-sqlite
  • MCP SDK: Official Anthropic package
  • No unnecessary dependencies

All dependencies are tracked via package-lock.json and scanned for vulnerabilities.

Last Updated: 2026-04-03

There aren't any published security advisories