feat: external scanner engine slots + clickable Fix with Claude#14
Open
ithiria894 wants to merge 4 commits intomainfrom
Open
feat: external scanner engine slots + clickable Fix with Claude#14ithiria894 wants to merge 4 commits intomainfrom
ithiria894 wants to merge 4 commits intomainfrom
Conversation
… any SARIF/JSON scanner Security panel now supports external scanner engines alongside the built-in scanner: - Auto-detects installed scanners (cc-audit, AgentSeal, agent-audit, mcp-audit) - Engine selector dropdown always visible in security panel action bar - External scanner CLI output (SARIF or JSON) parsed into CCO finding format - Findings mapped to MCP server scope for click-to-navigate - AgentSeal-specific parser handles mcp_results/skill_results format - Human-readable category labels (Supply Chain, Sensitive Access, etc.) - Description + remediation rendered per finding - "▶ Scan" button with disabled state during scan - docs/scanner-engines.md explains compatible engines + install commands - "+ Add scanner engines" link for discovery Tested E2E: AgentSeal guard → 26 findings (6 high, 20 medium) → click-to-navigate → zero JS errors. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…ecurity finding Click any 💡 remediation line to copy a detailed prompt to clipboard: - MCP server name + config file path - Issue name, severity, category - Scanner engine name + rule ID (for credibility) - Full description + suggested fix - Request to evaluate root cause and guide through fix Hover reveals "Fix with Claude →" action label. Click copies prompt + shows toast. Works for both external scanner findings and built-in scanner findings. Also: replaced cryptic rule ID tags (MCP-007) with human-readable category labels (Supply Chain, Sensitive Access, etc.) and improved text contrast for dark theme readability. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Built-in scanner is the primary defense — it actually connects to MCP servers and reads tool definitions (the real attack surface for prompt injection). External scanners complement by checking config hygiene, supply chain, CVEs. Added comparison table to scanner-engines.md showing what each scans. Reverted --connect flag on AgentSeal (doesn't add tool introspection). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Test plan
POST /api/security-scan {engine: "agentseal"}returns parsed findingsGET /api/security-scannersdetects installed scanners🤖 Generated with Claude Code