-
Notifications
You must be signed in to change notification settings - Fork 0
The Gate Engine
The gate engine is the deterministic heart of security-mcp. It takes a change (or a whole codebase), runs a wide battery of analysis in parallel, reconciles the results against your policy, exceptions, and a baseline, and returns a single defensible verdict. Agents call it, CI calls it, and you can call it directly. Same engine, same rules, every time.
flowchart TD
A[Load policy] --> B[Scope: recent_changes / full / targets]
B --> C[Classify change]
C --> D[Detect surfaces<br/>web, api, infra, iOS, Android, AI, agentic]
D --> E[Build control catalog]
E --> F[Scanner readiness check]
F --> G[Collect evidence map]
G --> H[35 checks in parallel]
H --> I[Apply vulnerability SLAs]
I --> J[Build coverage manifest]
J --> K[Apply exceptions]
K --> L[Confidence score]
L --> M[Baseline regression diff]
M --> N{Verdict: PASS / FAIL}
N --> O[Persist baseline]
Step by step:
- Load policy. Read the active policy file, verify its signature if integrity is enabled, and resolve the target environment (dev/staging/prod) and its severity-block thresholds.
-
Scope the change. Default mode is
recent_changes(diff between base and head refs). Other modes scan the full codebase or a specific set of targets. - Classify the change. Determine languages, frameworks, and the nature of the diff.
- Detect surfaces. Identify which attack surfaces are present so checks run surface-aware: web, API, infrastructure, iOS, Android, AI/LLM, and agentic tool-use.
- Build the control catalog. Resolve which controls apply to the detected surfaces and policy.
- Scanner readiness. Probe which external scanners are installed and available; missing scanners are recorded, not silently skipped.
- Collect evidence. Gather the evidence map that ties findings and controls to concrete locations.
- Run 35 checks in parallel. See the module list below.
- Apply vulnerability SLAs. Age findings against the policy SLAs and escalate breaches.
- Build the coverage manifest. Record what ran, what was skipped, and why, so coverage is auditable.
- Apply exceptions. Suppress findings covered by valid, approved, unexpired exceptions.
-
Score confidence.
confidence = 0.7 * automated-coverage + 0.3 * scanner-score. - Baseline regression diff. Compare against the persisted baseline; any new HIGH or CRITICAL relative to baseline is a regression.
- Verdict. Combine policy thresholds, SLA breaches, regressions, and coverage gaps into PASS or FAIL.
- Persist baseline. Write the accepted state forward for next time.
A check module that crashes does not get to lower the score quietly. A crashed module produces a HIGH severity "coverage gap" finding, so a broken analyzer is loud, not invisible. A baseline regression is treated as HIGH. Confidence blends how much of the catalog the automated checks covered with how the orchestrated scanners scored, weighted 70/30.
35 checks run in parallel: 33 distinct analysis modules plus 2 precomputed coverage feeds. Several are deep modules with large curated pattern sets.
| Module | Patterns | What it finds |
|---|---|---|
| docker-deep | 49 | Dockerfile and container build misconfigurations and escapes |
| data-platform | 47 | Data store, warehouse, and pipeline exposure and access flaws |
| auth | 43 | Authentication and session weaknesses: tokens, lockout, OAuth, JWT |
| injection | 42 | SQL, NoSQL, command, SSTI, path traversal, and related injection classes |
| gitops | 41 | GitOps and deployment-config drift and secret exposure |
| supply-chain | 32 | Dependency confusion, typosquatting, and provenance gaps |
| business-logic | 31 | Multi-step flow abuse, mass assignment, and money arithmetic flaws |
| agentic-instructions | 11 | Tool-use and agent instruction-handling risks |
| ai-governance | 3 | AI bounded-output and governance controls |
Two more high-coverage modules sit alongside these: k8s (70 patterns) for Kubernetes manifest and RBAC issues, and iac (56 patterns) for general infrastructure-as-code misconfiguration.
One line each:
- secrets: hardcoded credentials, keys, and tokens.
- dependencies: known-vulnerable packages and SCA.
- crypto: weak algorithms, bad modes, and timing-unsafe comparisons.
- web / Next.js: web framework misconfig, CSP, CSRF, and SSRF surfaces.
- api: API authz, rate limiting, and exposure issues.
- mobile-ios: iOS platform security and data protection.
- mobile-android: Android platform security and permissions.
- graphql: GraphQL introspection, depth, and authz abuse.
- database: database access and configuration risks.
- dlp: data-loss-prevention and PII handling.
- sbom: software bill of materials completeness.
- playbook (IR): incident-response readiness.
- runtime / DAST: live runtime checks against a staging target.
- ci-pipeline: CI/CD pipeline injection and trust issues.
- nuclei (DAST): templated dynamic scanning against a staging target.
- required-artifacts: presence of policy-mandated artifacts.
- scanners: orchestration and result merging of external scanners.
The two precomputed coverage feeds round out the 35 and supply the coverage manifest with what ran versus what applied.
The gate orchestrates best-in-class open scanners and merges their findings into the unified result:
| Scanner | Role |
|---|---|
| gitleaks | Secret detection |
| semgrep | Static analysis (SAST) |
| trivy | Vulnerability and config scanning |
| osv-scanner | Dependency vulnerability lookup |
| checkov | IaC misconfiguration |
| conftest | Policy-as-code (OPA/Rego) |
| zaproxy | Dynamic application security testing |
Scanner readiness is reported up front, so a missing scanner shows as reduced coverage rather than a false all-clear.
The gate enriches findings with live intelligence, cached for 24 hours so repeated runs stay fast and offline-tolerant.
| Source | Effect |
|---|---|
| CISA KEV | Known-exploited vulnerabilities flagged and SLA-escalated |
| EPSS | Exploit probability; a score above 0.5 escalates the finding |
| OpenSSF Scorecard | Dependency project health signal |
| npm registry | Package metadata for supply-chain checks |
SECURITY_OFFLINE disables all egress. The gate then runs entirely from local analysis and any cached intel, with no outbound calls. Private, scoped package names are never sent to public endpoints even when online. See Environment Variables and Security and Hardening.
Start here
Engines
Agents
Reference
Operate