https://github.com/Flux159/mcp-server-kubernetes ·
lang: typescript ·
LOC: ·
source: user_submitted
| Rule | Severity | Count |
|---|---|---|
| AIC003 Duplicated implementation block across source files | low | 10 |
| MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) | high | 8 |
| AGT012 Agent control bridge may listen on a network interface without visible auth | medium | 6 |
| MINED044 Js Console Log Prod | info | 4 |
| MINED052 Ts Any Typed | info | 4 |
| DKR011 Dockerfile installs recommended OS packages | low | 3 |
| MINED043 Http Not Https | info | 2 |
| AUC009 Sensitive function route lacks elevated authorization evidence | medium | 2 |
| DKR010 Dockerfile leaves apt package indexes in the image layer | low | 1 |
| MINED113 Express POST/PUT/DELETE/PATCH route without auth | high | 1 |
MINED113
Express POST/PUT/DELETE/PATCH route without auth
CWE-306CWE-862
tests/sse.test.ts:26
· conf 0.80
[MINED113] Express POST /messages has no auth: Express route POST /messages declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated ro…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/cd.yml:17
· conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/cd.yml:21
· conf 0.90
[MINED115] Action `oven-sh/setup-bun` pinned to mutable ref `@v2`: `uses: oven-sh/setup-bun@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/cd.yml:30
· conf 0.90
[MINED115] Action `azure/setup-helm` pinned to mutable ref `@v4.3.0`: `uses: azure/[email protected]` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made …
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/cd.yml:76
· conf 0.90
[MINED115] Action `reecetech/version-increment` pinned to mutable ref `@2024.10.1`: `uses: reecetech/[email protected]` resolves at workflow-run time. Tags and branches can be re-pushed by …
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/cd.yml:109
· conf 0.90
[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/ci.yml:13
· conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/ci.yml:14
· conf 0.90
[MINED115] Action `oven-sh/setup-bun` pinned to mutable ref `@v2`: `uses: oven-sh/setup-bun@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/ci.yml:56
· conf 0.90
[MINED115] Action `dorny/test-reporter` pinned to mutable ref `@v2`: `uses: dorny/test-reporter@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made th…
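The eight MINED115 findings above share one fix: replace the tag with the commit SHA it currently resolves to and keep the tag as a trailing comment so Dependabot or Renovate can still tell which release the SHA means. The checker below is an added example written for this page, not code from mcp-server-kubernetes or from the scanner; the workflow text inside it is constructed, and the 40-hex SHAs in the "after" variant are placeholders, not real commits.

```typescript
// Added example for this page, not code from mcp-server-kubernetes or the
// scanner. Classifies every `uses:` reference in a GitHub Actions workflow
// as SHA-pinned (immutable) or mutable (tag or branch, re-resolved each run).

interface UsesRef {
  line: number;          // 1-based line number in the workflow text
  action: string;        // e.g. "actions/checkout"
  ref: string;           // text after "@": "v4", "main", or a 40-hex SHA
  pinned: boolean;       // true only for a full 40-hex commit SHA
  versionHint?: string;  // trailing "# v4.2.2" comment, if any
}

const SHA40 = /^[0-9a-f]{40}$/i;
// "uses: owner/repo[/path]@ref" with optional quotes and a trailing comment.
const USES_LINE = /^\s*-?\s*uses:\s*["']?([^\s"'@]+)@([^\s"'#]+)["']?\s*(?:#\s*(.*))?$/;

function findActionRefs(workflow: string): UsesRef[] {
  const out: UsesRef[] = [];
  workflow.split(/\r?\n/).forEach((text, i) => {
    const m = USES_LINE.exec(text);
    if (!m) return;
    const [, action = "", ref = "", comment] = m;
    // docker:// references are pinned by image digest, not by git ref.
    if (action.startsWith("docker://")) return;
    out.push({
      line: i + 1,
      action,
      ref,
      pinned: SHA40.test(ref),
      versionHint: comment ? comment.trim() : undefined,
    });
  });
  return out;
}

// The list a reviewer acts on: every reference that can move underneath them.
function mutableRefs(workflow: string): UsesRef[] {
  return findActionRefs(workflow).filter((r) => !r.pinned);
}

// Constructed sample workflow (not the repository's cd.yml or ci.yml).
const BEFORE = `
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: "oven-sh/setup-bun@v2"
      - uses: ./.github/actions/local-step
`;

// Same steps pinned by commit. The SHAs are placeholders, not real commits;
// the tag stays in a comment so a bot can tell which release the SHA means.
const AFTER = `
jobs:
  build:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.2.2
      - uses: "oven-sh/setup-bun@fedcba9876543210fedcba9876543210fedcba98" # v2.0.2
      - uses: ./.github/actions/local-step
`;
```

To find the SHA for a tag, `git ls-remote --tags https://github.com/actions/checkout v4.2.2` lists the tag and, for an annotated tag, its peeled `^{}` commit; pin the commit. A SHA pin stops the tag from being moved later; it does not vouch for the commit itself, so review the pinned commit once when you adopt it.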
MINED118
Dockerfile FROM not pinned by sha256 digest
CWE-829
Dockerfile:1
· conf 0.90
[MINED118] Dockerfile FROM `node:24.2.0-slim` not pinned by digest: `FROM node:24.2.0-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build…
AGT012
Agent control bridge may listen on a network interface without visible auth
helm-chart/examples/custom-kubeconfig.yaml:7
· conf 0.72
AGT012
Agent control bridge may listen on a network interface without visible auth
helm-chart/examples/generic-kubeconfig.yaml:134
· conf 0.72
AGT012
Agent control bridge may listen on a network interface without visible auth
helm-chart/examples/secure-networkpolicy.yaml:84
· conf 0.72
AGT012
Agent control bridge may listen on a network interface without visible auth
helm-chart/templates/deployment.yaml:95
· conf 0.72
AGT012
Agent control bridge may listen on a network interface without visible auth
helm-chart/templates/networkpolicy-tests.yaml:23
· conf 0.72
AGT012
Agent control bridge may listen on a network interface without visible auth
helm-chart/templates/networkpolicy.yaml:38
· conf 0.72
AUC001
[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
· conf 0.92
AUC002
[AUC002] Low visible authorization coverage in route inventory: Only 0.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence.
· conf 0.74
[AUC002] Low visible authorization coverage in route inventory: Only 44.4% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence.
AUC009
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /items/{item_id}.
src/utils/sse.ts:16
· conf 0.68
AUC009
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /items/{item_id}.
src/utils/streamable-http.ts:120
· conf 0.68
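Both AUC009 entries and the MINED113 entry point at the same gap: the Express handlers that receive MCP traffic have no authentication middleware in their chain. Two caveats before acting on them: the MINED113 location is a test file, so the route to check is the one it exercises in src/utils/sse.ts rather than the test itself, and the `DELETE /items/{item_id}` endpoint quoted in the AUC009 text reads like rule template text rather than a route from these files, so verify against the actual routes at the cited lines. Below is an added example of the missing check, written for this page and not taken from the project or the MCP SDK: a bearer-token middleware with an Express-shaped (req, res, next) signature, plus a minimal chain runner so it can be exercised without Express. The token value, realm and route name are assumptions.

```typescript
// Added example for this page, not code from mcp-server-kubernetes or the
// MCP SDK. A bearer-token check with an Express-shaped (req, res, next)
// signature, so it can sit in front of the MCP routes, e.g.
//   app.post("/messages", requireAuth, messagesHandler)
// Request/response are modelled with local types so the example runs
// without Express; the token, realm and route below are assumptions.

interface Req {
  method: string;
  path: string;
  headers: Record<string, string | undefined>; // Express lower-cases names
}
interface Res {
  statusCode: number;
  headers: Record<string, string>;
  body?: string;
  setHeader(name: string, value: string): void;
  status(code: number): Res;
  send(body: string): Res;
}
type Next = () => void;
type Middleware = (req: Req, res: Res, next: Next) => void;

// Compares two strings without short-circuiting on the first differing
// character. In Node use crypto.timingSafeEqual on equal-length Buffers;
// this dependency-free version is here so the example runs stand-alone.
function timingSafeEqualStr(a: string, b: string): boolean {
  let diff = a.length ^ b.length;
  const n = Math.max(a.length, b.length, 1);
  for (let i = 0; i < n; i++) {
    diff |= (a.charCodeAt(i % a.length) || 0) ^ (b.charCodeAt(i % b.length) || 0);
  }
  return diff === 0;
}

function makeRequireAuth(expectedToken: string): Middleware {
  return (req, res, next) => {
    const header = req.headers["authorization"] ?? "";
    const m = /^Bearer\s+(\S+)$/i.exec(header);
    if (!m || !timingSafeEqualStr(m[1], expectedToken)) {
      // RFC 6750: an unauthenticated request gets 401 plus a challenge.
      res.setHeader("WWW-Authenticate", 'Bearer realm="mcp"');
      res.status(401).send("unauthorized");
      return; // next() is not called, so the handler never runs
    }
    next();
  };
}

// Placeholder for the transport handler that would receive the MCP message.
const messagesHandler: Middleware = (_req, res) => {
  res.status(202).send("accepted");
};

// Runs a chain the way Express does: each middleware either responds or
// calls next(); the first one that responds ends the request.
function dispatch(chain: Middleware[], req: Req): Res {
  const res: Res = {
    statusCode: 200,
    headers: {},
    setHeader(name, value) { this.headers[name] = value; },
    status(code) { this.statusCode = code; return this; },
    send(body) { this.body = body; return this; },
  };
  let i = 0;
  const next: Next = () => {
    const fn = chain[i++];
    if (fn) fn(req, res, next);
  };
  next();
  return res;
}

function post(path: string, authorization?: string): Req {
  return { method: "POST", path, headers: { authorization } };
}

// Assumption: in practice the token comes from configuration, never source.
const TOKEN = "example-token-not-a-real-secret";
const messagesRoute: Middleware[] = [makeRequireAuth(TOKEN), messagesHandler];
```

The same middleware belongs on every method the MCP transports expose (the GET that opens an SSE stream and the DELETE that ends a session, not only POST), since the scanner rules above only look at the mutating methods.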
DKR007
Docker build context has no .dockerignore
.dockerignore
· conf 0.90
DKR009
Dockerfile separates apt update from install
Dockerfile:16
· conf 0.86
SEC091
Go: net/http server without timeouts
src/utils/streamable-http.ts:38
· conf 1.00
[SEC091] Go: net/http server without timeouts: HTTP server without ReadHeaderTimeout/ReadTimeout/WriteTimeout is vulnerable to Slowloris. Ported from gosec G112 + G114 (Apache-2.0). Caveat: this is a port of a Go check and it fired on a TypeScript file; the Go field names do not exist in Node. The equivalent review for the `http.Server` returned by Express's `app.listen()` is whether `server.headersTimeout`, `server.requestTimeout` and `server.keepAliveTimeout` are set deliberately (Node applies defaults for the first two; `server.timeout` for idle sockets defaults to 0, i.e. disabled), and whether long-lived streaming responses are exempted on purpose rather than by accident.
WEB003
Public web service has no security.txt
.well-known/security.txt
· conf 0.78
AIC003
Duplicated implementation block across source files
src/tools/kubectl-create.ts:321
· conf 0.86
AIC003
Duplicated implementation block across source files
src/tools/kubectl-delete.ts:131
· conf 0.86
AIC003
Duplicated implementation block across source files
src/tools/kubectl-describe.ts:88
· conf 0.86
AIC003
Duplicated implementation block across source files
src/tools/kubectl-generic.ts:109
· conf 0.86
AIC003
Duplicated implementation block across source files
src/tools/kubectl-get.ts:217
· conf 0.86
AIC003
Duplicated implementation block across source files
src/tools/kubectl-logs.ts:73
· conf 0.86
AIC003
Duplicated implementation block across source files
src/tools/kubectl-patch.ts:110
· conf 0.86
AIC003
Duplicated implementation block across source files
src/tools/kubectl-rollout.ts:114
· conf 0.86
AIC003
Duplicated implementation block across source files
src/tools/kubectl-scale.ts:57
· conf 0.86
AIC003
Duplicated implementation block across source files
src/utils/streamable-http.ts:101
· conf 0.86
DKR010
Dockerfile leaves apt package indexes in the image layer
Dockerfile:6
· conf 0.74
DKR011
Dockerfile installs recommended OS packages
Dockerfile:6
· conf 0.72
DKR011
Dockerfile installs recommended OS packages
Dockerfile:7
· conf 0.72
DKR011
Dockerfile installs recommended OS packages
Dockerfile:17
· conf 0.72
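The MINED118, DKR009, DKR010 and DKR011 findings all land in the same handful of Dockerfile lines, so one before/after fragment covers them. This is an added example for this page, not the repository's Dockerfile: the package name is a placeholder and the digest must be replaced with the real one for the tag being built.

```dockerfile
# Added example for this page, not the repository's Dockerfile.
# The package name is a placeholder; the digest must come from the registry.

# ---- before: the patterns behind MINED118, DKR009, DKR010, DKR011 ----
FROM node:24.2.0-slim
RUN apt-get update
RUN apt-get install -y curl

# ---- after ----
# MINED118: pin by digest so a re-pushed tag cannot change what gets built.
# Get the digest with:  docker buildx imagetools inspect node:24.2.0-slim
FROM node:24.2.0-slim@sha256:<digest-from-imagetools-inspect>
# DKR009: update and install in one RUN, so a cached "update" layer is never
#         paired with a newer install line and stale indexes.
# DKR011: --no-install-recommends keeps unrequested packages out of the image.
# DKR010: deleting /var/lib/apt/lists/* in the same layer drops the indexes
#         from the image instead of hiding them under a later layer.
RUN apt-get update \
 && apt-get install -y --no-install-recommends curl \
 && rm -rf /var/lib/apt/lists/*
```

Keeping the tag in front of the digest is deliberate: the digest is what the build resolves, the tag is the human-readable hint a bot uses when proposing an update.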
MINED043
Http Not Https
CWE-319
src/utils/sse.ts:70
· conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
MINED043
Http Not Https
CWE-319
src/utils/streamable-http.ts:158
· conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
MINED044
Js Console Log Prod
CWE-532
· conf 0.20
[MINED044] Js Console Log Prod (and 8 more): Same pattern found in 8 additional files. Review if needed. For an MCP server this is more than hygiene: when the server is run over the stdio transport, stdout carries the JSON-RPC stream, so a console.log that reaches stdout on a request path corrupts the protocol. Route logs to stderr (console.error or a logger bound to stderr), and keep kubeconfig contents, tokens and pod exec output out of them (CWE-532). A build script such as scripts/update-version.js is not affected.
MINED044
Js Console Log Prod
CWE-532
scripts/update-version.js:8
· conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
MINED044
Js Console Log Prod
CWE-532
src/config/telemetry-config.ts:118
· conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
MINED044
Js Console Log Prod
CWE-532
src/tools/kubectl-apply.ts:112
· conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
MINED045
Ts Non Null Assertion
CWE-476
src/utils/kubernetes-manager.ts:121
· conf 1.00
[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
MINED052
Ts Any Typed
CWE-704
· conf 0.20
[MINED052] Ts Any Typed (and 11 more): Same pattern found in 11 additional files. Review if needed.
MINED052
Ts Any Typed
CWE-704
src/middleware/telemetry-middleware.ts:17
· conf 1.00
[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.
MINED052
Ts Any Typed
CWE-704
src/tools/exec_in_pod.ts:134
· conf 1.00
[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.
MINED052
Ts Any Typed
CWE-704
src/tools/kubectl-apply.ts:124
· conf 1.00
[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.
MINED054
Ts As Any
CWE-704
src/config/telemetry-config.ts:39
· conf 1.00
[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.