590 devskim (#592)

* Implement devskim

Signed-off-by: Mihai Criveti <[email protected]>

* Implement devskim

Signed-off-by: Mihai Criveti <[email protected]>

---------

Signed-off-by: Mihai Criveti <[email protected]>

Author: crivetimihai

.github/workflows/devskim.yml.inactive

@@ -0,0 +1,29 @@
+name: DevSkim
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
+  schedule:
+    - cron: '31 6 * * 6'
+
+jobs:
+  lint:
+    name: DevSkim
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Run DevSkim scanner
+        uses: microsoft/DevSkim-Action@v1
+
+      - name: Upload DevSkim scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: devskim-results.sarif

.gitignore

@@ -1,3 +1,5 @@
+*.sarif
+devskim-results.sarif
 debug_login_page.png
 docs/pstats.png
 mcp.prof

CHANGELOG.md

@@ -11,12 +11,12 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/)
 ### Security Notice
 
 > **This is a security-focused release. Upgrading is highly recommended.**
-> 
+>
 > This release continues our security-first approach with the Admin UI and Admin API **disabled by default**. To enable these features for local development, update your `.env` file:
 > ```bash
 > # Enable the visual Admin UI (true/false)
 > MCPGATEWAY_UI_ENABLED=true
-> 
+>
 > # Enable the Admin API endpoints (true/false)
 > MCPGATEWAY_ADMIN_API_ENABLED=true
 > ```
@@ -131,7 +131,7 @@ This release represents a major milestone in code quality, security, and reliabi
 
 #### 🏆 Top Contributors in 0.4.0
 - **Mihai Criveti** (@crivetimihai) - Release coordinator, security improvements, and extensive testing infrastructure
-- **Madhav Kandukuri** (@madhav165) - Major input validation framework, security fixes, and test coverage improvements  
+- **Madhav Kandukuri** (@madhav165) - Major input validation framework, security fixes, and test coverage improvements
 - **Keval Mahajan** (@kevalmahajan) - HTTPX retry mechanism implementation and UI improvements
 - **Manav Gupta** (@manavgup) - Comprehensive doctest coverage and Playwright test suite
 

Makefile

@@ -2898,11 +2898,13 @@ test-full: coverage test-ui-report
 # help: pip-audit           - Audit Python dependencies for published CVEs
 # help: gitleaks-install    - Install gitleaks secret scanner
 # help: gitleaks            - Scan git history for secrets
+# help: devskim-install-dotnet - Install .NET SDK and DevSkim CLI (security patterns scanner)
+# help: devskim             - Run DevSkim static analysis for security anti-patterns
 
 # List of security tools to run with security-all
-SECURITY_TOOLS := semgrep dodgy dlint interrogate prospector pip-audit
+SECURITY_TOOLS := semgrep dodgy dlint interrogate prospector pip-audit devskim
 
-.PHONY: security-all security-report security-fix $(SECURITY_TOOLS) gitleaks-install gitleaks pyupgrade
+.PHONY: security-all security-report security-fix $(SECURITY_TOOLS) gitleaks-install gitleaks pyupgrade devskim-install-dotnet devskim
 
 ## --------------------------------------------------------------------------- ##
 ##  Master security target
@@ -3004,6 +3006,63 @@ gitleaks:                           ## 🔍 Scan for secrets in git history
 	@gitleaks detect --source . -v || true
 	@echo "💡 To scan git history: gitleaks detect --source . --log-opts='--all'"
 
+## --------------------------------------------------------------------------- ##
+##  DevSkim (.NET-based security patterns scanner)
+## --------------------------------------------------------------------------- ##
+devskim-install-dotnet:             ## 📦 Install .NET SDK and DevSkim CLI
+	@echo "📦 Installing .NET SDK and DevSkim CLI..."
+	@if [ "$$(uname)" = "Darwin" ]; then \
+		echo "🍏 Installing .NET SDK for macOS..."; \
+		brew install --cask dotnet-sdk || brew upgrade --cask dotnet-sdk; \
+	elif [ "$$(uname)" = "Linux" ]; then \
+		echo "🐧 Installing .NET SDK for Linux..."; \
+		if command -v apt-get >/dev/null 2>&1; then \
+			wget -q https://packages.microsoft.com/config/ubuntu/$$(lsb_release -rs)/packages-microsoft-prod.deb -O /tmp/packages-microsoft-prod.deb 2>/dev/null || \
+			wget -q https://packages.microsoft.com/config/ubuntu/22.04/packages-microsoft-prod.deb -O /tmp/packages-microsoft-prod.deb; \
+			sudo dpkg -i /tmp/packages-microsoft-prod.deb; \
+			sudo apt-get update; \
+			sudo apt-get install -y dotnet-sdk-9.0 || sudo apt-get install -y dotnet-sdk-8.0 || sudo apt-get install -y dotnet-sdk-7.0; \
+			rm -f /tmp/packages-microsoft-prod.deb; \
+		elif command -v dnf >/dev/null 2>&1; then \
+			sudo dnf install -y dotnet-sdk-9.0 || sudo dnf install -y dotnet-sdk-8.0; \
+		else \
+			echo "❌ Unsupported Linux distribution. Please install .NET SDK manually."; \
+			echo "   Visit: https://dotnet.microsoft.com/download"; \
+			exit 1; \
+		fi; \
+	else \
+		echo "❌ Unsupported OS. Please install .NET SDK manually."; \
+		echo "   Visit: https://dotnet.microsoft.com/download"; \
+		exit 1; \
+	fi
+	@echo "🔧 Installing DevSkim CLI tool..."
+	@export PATH="$$PATH:$$HOME/.dotnet/tools" && \
+		dotnet tool install --global Microsoft.CST.DevSkim.CLI || \
+		dotnet tool update --global Microsoft.CST.DevSkim.CLI
+	@echo "✅  DevSkim installed successfully!"
+	@echo "💡  You may need to add ~/.dotnet/tools to your PATH:"
+	@echo "    export PATH=\"\$$PATH:\$$HOME/.dotnet/tools\""
+
+devskim:                            ## 🛡️  Run DevSkim security patterns analysis
+	@echo "🛡️  Running DevSkim static analysis..."
+	@if command -v devskim >/dev/null 2>&1 || [ -f "$$HOME/.dotnet/tools/devskim" ]; then \
+		export PATH="$$PATH:$$HOME/.dotnet/tools" && \
+		echo "📂 Scanning mcpgateway/ for security anti-patterns..." && \
+		devskim analyze --source-code mcpgateway --output-file devskim-results.sarif -f sarif && \
+		echo "" && \
+		echo "📊 Detailed findings:" && \
+		devskim analyze --source-code mcpgateway -f text && \
+		echo "" && \
+		echo "📄 SARIF report saved to: devskim-results.sarif" && \
+		echo "💡 To view just the summary: devskim analyze --source-code mcpgateway -f text | grep -E '(Critical|Important|Moderate|Low)' | sort | uniq -c"; \
+	else \
+		echo "❌ DevSkim not found in PATH or ~/.dotnet/tools/"; \
+		echo "💡 Install with:"; \
+		echo "   • Run 'make devskim-install-dotnet'"; \
+		echo "   • Or install .NET SDK and run: dotnet tool install --global Microsoft.CST.DevSkim.CLI"; \
+		echo "   • Then add to PATH: export PATH=\"\$$PATH:\$$HOME/.dotnet/tools\""; \
+	fi
+
 ## --------------------------------------------------------------------------- ##
 ##  Security reporting and advanced targets
 ## --------------------------------------------------------------------------- ##
@@ -3021,6 +3080,14 @@ security-report:                    ## 📊 Generate comprehensive security repo
 	@/bin/bash -c "source $(VENV_DIR)/bin/activate && \
 		python3 -m pip install -q dodgy && \
 		$(VENV_DIR)/bin/dodgy mcpgateway tests || true" >> $(DOCS_DIR)/docs/security/report.md 2>&1
+	@echo "" >> $(DOCS_DIR)/docs/security/report.md
+	@echo "## DevSkim Security Anti-patterns" >> $(DOCS_DIR)/docs/security/report.md
+	@if command -v devskim >/dev/null 2>&1 || [ -f "$$HOME/.dotnet/tools/devskim" ]; then \
+		export PATH="$$PATH:$$HOME/.dotnet/tools" && \
+		devskim analyze --source-code mcpgateway --format text >> $(DOCS_DIR)/docs/security/report.md 2>&1 || true; \
+	else \
+		echo "DevSkim not installed - skipping" >> $(DOCS_DIR)/docs/security/report.md; \
+	fi
 	@echo "✅ Security report saved to $(DOCS_DIR)/docs/security/report.md"
 
 security-fix:                       ## 🔧 Auto-fix security issues where possible
@@ -3038,3 +3105,4 @@ security-fix:                       ## 🔧 Auto-fix security issues where possi
 	@echo "   - Dependency updates (run 'make update')"
 	@echo "   - Secrets in code (review dodgy/gitleaks output)"
 	@echo "   - Security patterns (review semgrep output)"
+	@echo "   - DevSkim findings (review devskim-results.sarif)"

docs/docs/architecture/roadmap.md

@@ -519,4 +519,4 @@ WE ARE HERE
 7. **Chrome MCP Plugin Integration** - Browser extension for managing MCP configurations, servers, and connections
 
 ### 🔐 Secrets & Sensitive Data
-8. **Secure Secrets Management & Masking** - External secrets store integration (Vault)
+8. **Secure Secrets Management & Masking** - External secrets store integration (Vault)

docs/requirements.txt

@@ -87,4 +87,4 @@ weasyprint>=65.1
 webcolors>=24.11.1
 webencodings>=0.5.1
 zipp>=3.23.0
-zopfli>=0.2.3.post1
+zopfli>=0.2.3.post1