Support --allowed-rules filtering with MCP server (#358)

* Initial plan

* Implement --allowed-rules filtering support for MCP server

- Apply global allowedRules setting to MCP server default config
- Add allowed_rules parameter to all MCP tool definitions
- Update all handler functions to parse and apply allowed_rules parameter
- Ensure consistent behavior between CLI and MCP server for rule filtering

Co-authored-by: fproulx-boostsecurity <[email protected]>

* Add comprehensive tests for --allowed-rules filtering in MCP server

- Add test cases for analyze_manifest with allowed_rules parameter
- Verify filtering works correctly with single rule, multiple rules, and non-existent rules
- Confirm both global flag and per-request parameter functionality
- All tests pass demonstrating successful implementation

Co-authored-by: fproulx-boostsecurity <[email protected]>

* Fix linting issues: gofmt formatting and testifylint violations

- Remove trailing whitespace in cmd/handle_analyze_manifest_test.go and cmd/mcp_server.go
- Replace assert.Len(t, ..., 0, ...) with assert.Empty(t, ...) for testifylint compliance
- All tests still pass and functionality remains intact

Co-authored-by: fproulx-boostsecurity <[email protected]>

* Fix global --allowed-rules flag not being honored by MCP server handlers

- Modify startMCPServer to create mcpDefaultConfig with global allowedRules applied
- Update all handler functions to accept and use the mcpDefaultConfig instead of global config
- Add comprehensive test to verify global allowed rules are properly inherited
- Handlers now properly inherit global --allowed-rules setting when no per-request rules specified
- CLI and MCP server behavior now consistent for global rule filtering

Co-authored-by: fproulx-boostsecurity <[email protected]>

---------

Co-authored-by: copilot-swe-agent[bot] <[email protected]>
Co-authored-by: fproulx-boostsecurity <[email protected]>

Author: Copilot

cmd/handle_analyze_manifest_test.go

@@ -294,3 +294,194 @@ jobs:
 
 	t.Logf("Successfully analyzed manifest with %d findings", len(insights.Findings))
 }
+
+func TestHandleAnalyzeManifestWithAllowedRules(t *testing.T) {
+	ctx := context.Background()
+
+	analyzer, err := createTestAnalyzer(ctx)
+	require.NoError(t, err)
+
+	vulnerableManifest := `name: Test Workflow
+on:
+  pull_request_target:
+    branches: [main]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+      - name: Run test
+        run: echo "Testing ${{ github.event.pull_request.head.ref }}"`
+
+	t.Run("without allowed_rules filter", func(t *testing.T) {
+		request := NewCallToolRequest("analyze_manifest", map[string]interface{}{
+			"content":       vulnerableManifest,
+			"manifest_type": "github-actions",
+		})
+
+		result, err := handleAnalyzeManifest(ctx, request, analyzer)
+		require.NoError(t, err)
+		require.NotNil(t, result)
+		assert.False(t, result.IsError)
+
+		contentText := extractTextFromContent(t, result.Content[0])
+		require.NotEmpty(t, contentText)
+
+		var insights struct {
+			Findings []results.Finding       `json:"findings"`
+			Rules    map[string]results.Rule `json:"rules"`
+		}
+		err = json.Unmarshal([]byte(contentText), &insights)
+		require.NoError(t, err)
+
+		// Should have multiple findings including injection
+		assert.Greater(t, len(insights.Findings), 1, "Should have multiple findings without filter")
+
+		// Verify injection rule is present
+		hasInjection := false
+		for _, finding := range insights.Findings {
+			if finding.RuleId == "injection" {
+				hasInjection = true
+				break
+			}
+		}
+		assert.True(t, hasInjection, "Should have injection finding")
+
+		t.Logf("Found %d findings without filter", len(insights.Findings))
+	})
+
+	t.Run("with allowed_rules filter for injection only", func(t *testing.T) {
+		request := NewCallToolRequest("analyze_manifest", map[string]interface{}{
+			"content":       vulnerableManifest,
+			"manifest_type": "github-actions",
+			"allowed_rules": []string{"injection"},
+		})
+
+		result, err := handleAnalyzeManifest(ctx, request, analyzer)
+		require.NoError(t, err)
+		require.NotNil(t, result)
+		assert.False(t, result.IsError)
+
+		contentText := extractTextFromContent(t, result.Content[0])
+		require.NotEmpty(t, contentText)
+
+		var insights struct {
+			Findings []results.Finding       `json:"findings"`
+			Rules    map[string]results.Rule `json:"rules"`
+		}
+		err = json.Unmarshal([]byte(contentText), &insights)
+		require.NoError(t, err)
+
+		// Should have only injection finding
+		assert.Len(t, insights.Findings, 1, "Should have only one finding with filter")
+		assert.Equal(t, "injection", insights.Findings[0].RuleId, "Should only have injection finding")
+
+		// Should have only injection rule
+		assert.Len(t, insights.Rules, 1, "Should have only one rule with filter")
+		_, hasInjectionRule := insights.Rules["injection"]
+		assert.True(t, hasInjectionRule, "Should have injection rule in rules map")
+
+		t.Logf("Found %d findings with allowed_rules filter", len(insights.Findings))
+	})
+
+	t.Run("with allowed_rules filter for non-existent rule", func(t *testing.T) {
+		request := NewCallToolRequest("analyze_manifest", map[string]interface{}{
+			"content":       vulnerableManifest,
+			"manifest_type": "github-actions",
+			"allowed_rules": []string{"non_existent_rule"},
+		})
+
+		result, err := handleAnalyzeManifest(ctx, request, analyzer)
+		require.NoError(t, err)
+		require.NotNil(t, result)
+		assert.False(t, result.IsError)
+
+		contentText := extractTextFromContent(t, result.Content[0])
+		require.NotEmpty(t, contentText)
+
+		var insights struct {
+			Findings []results.Finding       `json:"findings"`
+			Rules    map[string]results.Rule `json:"rules"`
+		}
+		err = json.Unmarshal([]byte(contentText), &insights)
+		require.NoError(t, err)
+
+		// Should have no findings
+		assert.Empty(t, insights.Findings, "Should have no findings with non-existent rule filter")
+		assert.Empty(t, insights.Rules, "Should have no rules with non-existent rule filter")
+
+		t.Logf("Found %d findings with non-existent rule filter", len(insights.Findings))
+	})
+}
+
+func TestMCPServerGlobalAllowedRules(t *testing.T) {
+	ctx := context.Background()
+
+	// Save original state
+	originalAllowedRules := allowedRules
+	defer func() {
+		allowedRules = originalAllowedRules
+	}()
+
+	// Simulate global --allowed-rules injection flag
+	allowedRules = []string{"injection"}
+
+	// Create analyzer with global allowed rules (simulating startMCPServer behavior)
+	testConfig := *config
+	if len(allowedRules) > 0 {
+		testConfig.AllowedRules = allowedRules
+	}
+
+	vulnerableManifest := `name: Test Workflow
+on:
+  pull_request_target:
+    branches: [main]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+      - name: Run test
+        run: echo "Testing ${{ github.event.pull_request.head.ref }}"`
+
+	t.Run("handleAnalyzeManifest respects global allowed rules", func(t *testing.T) {
+		opaClient, err := newOpaWithConfig(ctx, &testConfig)
+		require.NoError(t, err)
+		manifestAnalyzer := analyze.NewAnalyzer(nil, nil, &noop.Format{}, &testConfig, opaClient)
+
+		// Call without allowed_rules parameter (should inherit global)
+		request := NewCallToolRequest("analyze_manifest", map[string]interface{}{
+			"content":       vulnerableManifest,
+			"manifest_type": "github-actions",
+		})
+
+		result, err := handleAnalyzeManifest(ctx, request, manifestAnalyzer)
+		require.NoError(t, err)
+		require.NotNil(t, result)
+		assert.False(t, result.IsError)
+
+		contentText := extractTextFromContent(t, result.Content[0])
+		require.NotEmpty(t, contentText)
+
+		var insights struct {
+			Findings []results.Finding       `json:"findings"`
+			Rules    map[string]results.Rule `json:"rules"`
+		}
+		err = json.Unmarshal([]byte(contentText), &insights)
+		require.NoError(t, err)
+
+		// Should have only injection finding due to global allowed rules
+		assert.Len(t, insights.Findings, 1, "Should have only injection finding with global allowed rules")
+		assert.Equal(t, "injection", insights.Findings[0].RuleId, "Should only have injection finding")
+
+		t.Logf("Global allowed rules test: Found %d findings", len(insights.Findings))
+	})
+}