Security Rules Reference

Complete documentation of all 36 security rules in MCPSafe

MCPSafe scans MCP server source code for security vulnerabilities using a comprehensive set of detection rules. Each rule targets a specific vulnerability pattern and provides actionable remediation guidance.

Total Rules

Critical Rules

High Rules

Rule Categories

Security rules are organized into categories based on the type of vulnerability they detect.

Command Injection

Vulnerabilities allowing execution of arbitrary system commands

Code Injection

Vulnerabilities allowing execution of arbitrary code

Path Traversal

Vulnerabilities allowing access to files outside intended directories

Network Security

SSRF and other network-related vulnerabilities

Hardcoded Secrets

Credentials and API keys embedded in source code

Authentication

Weak authentication patterns and missing auth checks

SQL Injection

Vulnerabilities allowing SQL query manipulation

Information Disclosure

Exposure of sensitive data through logs or errors

Insecure Deserialization

Unsafe deserialization of untrusted data

Other

Additional security checks and validations

Severity Levels

Each vulnerability is assigned a severity level based on its potential impact and exploitability.

Critical

Immediate exploitation risk, requires urgent fix

High

Significant security impact, fix soon

Medium

Moderate risk, should be addressed

Low

Minor issues, best practices

All Security Rules

Showing 36 of 36 rules

Command Injection

Code Injection

Path Traversal

Network Security

Hardcoded Secrets

Authentication

SQL Injection

Insecure Deserialization

Other

Information Disclosure

Using the Rules API

You can programmatically access all security rules through the MCPSafe API.

GET /api/v1/scanner/rules

Retrieve all available security rules

curl -X GET "https://api.mcpsafe.com/api/v1/scanner/rules"

# Response
{
  "rules": [
    {
      "rule_id": "CMD001",
      "title": "child_process.exec() with User Input",
      "severity": "critical",
      "category": "command_injection",
      "cwe_id": "CWE-78",
      "cvss_score": 9.8,
      "file_patterns": ["*.js", "*.ts"]
    },
    ...
  ],
  "total": 36
}

Ready to scan your MCP server?

Submit your server and get a comprehensive security analysis using all 36 rules.

Getting Started Scan Now

Getting Started API Reference

Security Rules Reference

Rule Categories

Command Injection

Code Injection

Path Traversal

Network Security

Hardcoded Secrets

Authentication

SQL Injection

Information Disclosure

Insecure Deserialization

Other

Severity Levels

All Security Rules

Command Injection

child_process.exec() with User Input

child_process.spawn() with shell: true

os.system() Usage

subprocess with shell=True

Code Injection

eval() with External Input

Function() Constructor Usage

DOM-Based XSS Vulnerability

React dangerouslySetInnerHTML

Prototype Pollution

Recursive Merge Prototype Pollution

Path Traversal

path.join() with User Input

fs Operations with User-Controlled Paths

Directory Traversal Pattern

open() with Unvalidated Path

Network Security

HTTP Request with User-Controlled URL

Python HTTP Request with User-Controlled URL

DNS Rebinding Vulnerability

Internal IP Access Pattern

Insecure Transport

Hardcoded Secrets

Hardcoded Credentials

API Key Exposure

Authentication

Weak Password Hashing

Plaintext Password Comparison

Missing Handler Authentication

SQL Injection

SQL Injection via String Concatenation

Raw SQL Query with User Input

Insecure Deserialization

Node Unserialize Vulnerability

Python Pickle Deserialization

YAML Deserialization

Other

Regular Expression DoS (ReDoS)

User Input in Regular Expression

Unsafe Tool Input

Excessive Permissions

Missing Input Validation

Information Disclosure

Verbose Error Disclosure

Debug Logging of Sensitive Data

Using the Rules API

GET /api/v1/scanner/rules

Ready to scan your MCP server?