@@ -37,7 +37,13 @@ class Scope(str, Enum):
3737 CONTAINER_ADMIN = "container:admin" # Update containers, pull images
3838 SYSTEM_ADMIN = "system:admin" # Install packages, system updates
3939 DOCKER_ADMIN = "docker:admin" # Full Docker access
40-
40+
41+ # Security scopes
42+ SECURITY_READ = "security:read" # View security scans, assessments
43+ SECURITY_SCAN = "security:scan" # Run vulnerability scans
44+ SECURITY_WRITE = "security:write" # Modify firewall rules (high risk)
45+ SECURITY_ADMIN = "security:admin" # Full security management
46+
4147 # Meta scopes
4248 ADMIN = "admin" # All permissions
4349 READ_ONLY = "readonly" # All read permissions
@@ -210,6 +216,84 @@ class ToolScopeRequirement:
210216 requires_approval = True ,
211217 description = "Install system packages (code execution risk)"
212218 ),
219+
220+ # Security Tools - Vulnerability Scanning
221+ "scan_container_vulnerabilities" : ToolScopeRequirement (
222+ tool_name = "scan_container_vulnerabilities" ,
223+ required_scopes = [Scope .SECURITY_SCAN ],
224+ risk_level = "low" ,
225+ description = "Scan containers for vulnerabilities"
226+ ),
227+ "scan_filesystem_vulnerabilities" : ToolScopeRequirement (
228+ tool_name = "scan_filesystem_vulnerabilities" ,
229+ required_scopes = [Scope .SECURITY_SCAN ],
230+ risk_level = "moderate" ,
231+ description = "Scan filesystem for vulnerabilities"
232+ ),
233+
234+ # Security Tools - Secrets Scanning
235+ "scan_secrets_in_file" : ToolScopeRequirement (
236+ tool_name = "scan_secrets_in_file" ,
237+ required_scopes = [Scope .SECURITY_SCAN ],
238+ risk_level = "moderate" ,
239+ description = "Scan file for exposed secrets"
240+ ),
241+ "scan_secrets_in_directory" : ToolScopeRequirement (
242+ tool_name = "scan_secrets_in_directory" ,
243+ required_scopes = [Scope .SECURITY_SCAN ],
244+ risk_level = "moderate" ,
245+ description = "Scan directory for exposed secrets"
246+ ),
247+ "scan_docker_config_secrets" : ToolScopeRequirement (
248+ tool_name = "scan_docker_config_secrets" ,
249+ required_scopes = [Scope .SECURITY_SCAN ],
250+ risk_level = "moderate" ,
251+ description = "Scan Docker config for credentials"
252+ ),
253+
254+ # Security Tools - Firewall Management
255+ "get_firewall_status" : ToolScopeRequirement (
256+ tool_name = "get_firewall_status" ,
257+ required_scopes = [Scope .SECURITY_READ ],
258+ risk_level = "low" ,
259+ description = "View firewall status"
260+ ),
261+ "list_firewall_rules" : ToolScopeRequirement (
262+ tool_name = "list_firewall_rules" ,
263+ required_scopes = [Scope .SECURITY_READ ],
264+ risk_level = "low" ,
265+ description = "List firewall rules"
266+ ),
267+ "add_firewall_rule" : ToolScopeRequirement (
268+ tool_name = "add_firewall_rule" ,
269+ required_scopes = [Scope .SECURITY_WRITE ],
270+ risk_level = "critical" ,
271+ requires_approval = True ,
272+ description = "Add firewall rule (can lock out access)"
273+ ),
274+ "delete_firewall_rule" : ToolScopeRequirement (
275+ tool_name = "delete_firewall_rule" ,
276+ required_scopes = [Scope .SECURITY_WRITE ],
277+ risk_level = "critical" ,
278+ requires_approval = True ,
279+ description = "Delete firewall rule (can expose services)"
280+ ),
281+
282+ # Security Tools - CIS Benchmarks
283+ "run_cis_benchmark" : ToolScopeRequirement (
284+ tool_name = "run_cis_benchmark" ,
285+ required_scopes = [Scope .SECURITY_READ ],
286+ risk_level = "low" ,
287+ description = "Run CIS security assessment"
288+ ),
289+
290+ # Security Tools - Utility
291+ "get_security_scanner_info" : ToolScopeRequirement (
292+ tool_name = "get_security_scanner_info" ,
293+ required_scopes = [Scope .SECURITY_READ ],
294+ risk_level = "low" ,
295+ description = "Get security scanner availability"
296+ ),
213297}
214298
215299
@@ -235,6 +319,7 @@ def expand_scopes(scopes: List[str]) -> Set[str]:
235319 Scope .NETWORK_READ ,
236320 Scope .CONTAINER_READ ,
237321 Scope .FILE_READ ,
322+ Scope .SECURITY_READ ,
238323 ])
239324
240325 return expanded
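Review bot: `run_cis_benchmark` is gated on `Scope.SECURITY_READ` although it runs an assessment rather than viewing one, and the last hunk adds `Scope.SECURITY_READ` to what appears to be the read-only expansion in `expand_scopes`, so a `readonly` token would be able to trigger benchmark runs. Consider `required_scopes=[Scope.SECURITY_SCAN]` for that entry, matching the other scan tools. The three `scan_secrets_*` entries need only `Scope.SECURITY_SCAN` at "moderate" risk with no approval; if their results include matched secret values or they accept arbitrary paths (not visible here), `security:scan` becomes a way to read file contents without `file:read`, so either add `Scope.FILE_READ` to those entries or add a comment stating that findings are redacted. Nothing in these hunks shows `SECURITY_ADMIN` expanding to the other security scopes; `expand_scopes` starts and ends outside the hunk, so confirm that there.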