
Security Controls

25 controls across 5 security domains. 4 MCP-specific controls address AI attack surfaces.

Legend: levels 1-4; mcp-specific; * = recommended

Supply Chain (SC-01..SC-05)

Ensures dependencies are known, vulnerability-free, and from trusted sources.

SC-01  SBOM Generation
Bundle includes a Software Bill of Materials (CycloneDX or SPDX format) listing all components.

SC-02  Vulnerability Scan
No critical CVEs in KEV, no critical/high CVEs with EPSS > 10%. VEX statements supported for exceptions.

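A release gate that applies the SC-02 thresholds exactly as stated (critical CVE in KEV, or critical/high CVE with EPSS above 10%, with VEX "not_affected" as the only exception). This is an added example, not tooling from this controls program; the finding and VEX input shapes are assumptions and the CVE ids are constructed placeholders.

```python
"""SC-02 gate (added example, not the controls program's own tooling).

Policy as stated on the page: fail on any critical CVE listed in KEV, and
on any critical/high CVE whose EPSS probability exceeds 10%. A VEX status
of 'not_affected' exempts a finding. Input shapes below are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

EPSS_THRESHOLD = 0.10  # "EPSS > 10%" from the control text


@dataclass(frozen=True)
class Finding:
    cve: str
    severity: str   # "critical" | "high" | "medium" | "low"
    epss: float     # EPSS probability in [0, 1]
    in_kev: bool    # listed in the CISA Known Exploited Vulnerabilities catalog


def blocking_reason(f: Finding) -> Optional[str]:
    """Return why a finding blocks the bundle, or None if it is acceptable."""
    sev = f.severity.lower()
    if sev == "critical" and f.in_kev:
        return "critical CVE in KEV"
    if sev in ("critical", "high") and f.epss > EPSS_THRESHOLD:
        return f"{sev} CVE with EPSS {f.epss:.0%} > {EPSS_THRESHOLD:.0%}"
    return None


def evaluate(findings: List[Finding],
             vex: Dict[str, str]) -> Tuple[bool, List[Tuple[str, str]]]:
    """Apply SC-02. `vex` maps CVE id -> VEX status; only 'not_affected'
    is honoured as an exception (simplified: real VEX statements also
    carry product and justification). Returns (passed, violations)."""
    violations = []
    for f in findings:
        reason = blocking_reason(f)
        if reason is None or vex.get(f.cve) == "not_affected":
            continue
        violations.append((f.cve, reason))
    return (not violations, violations)


# Constructed sample data: placeholder CVE ids, not real advisories.
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", "critical", 0.02, in_kev=True),  # KEV listed
    Finding("CVE-0000-0002", "high", 0.45, in_kev=False),     # EPSS 45%
    Finding("CVE-0000-0003", "high", 0.03, in_kev=False),     # below threshold
    Finding("CVE-0000-0004", "medium", 0.90, in_kev=True),    # medium: out of scope
]
SAMPLE_VEX = {"CVE-0000-0002": "not_affected"}  # documented exception

if __name__ == "__main__":
    passed, found = evaluate(SAMPLE_FINDINGS, SAMPLE_VEX)
    print("PASS" if passed else "FAIL", found)
```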
SC-03  Dependency Pinning
All dependencies pinned to exact versions via lock files. No floating version ranges.

SC-04  License Compliance (legal)
Bundle license declared and compatible with all dependency licenses.

SC-05  Trusted Sources
All dependencies from approved registries (npm, PyPI, crates.io). Private registries declared.

Code Quality (CQ-01..CQ-07)

Ensures code is free from secrets, malware, and security defects.

CQ-01  No Embedded Secrets
No AWS keys, API tokens, passwords, or private keys in source. Scanned with TruffleHog.

CQ-02  No Malicious Patterns
No data exfiltration, typosquatting, crypto miners, backdoors, or malicious install hooks.

CQ-03  Static Analysis Clean
Server code passes Bandit/ESLint security analysis with no high-severity findings.

CQ-04  Input Validation
All tool parameters validated using schema libraries (Zod, Pydantic, JSON Schema).

CQ-05  Safe Execution Patterns
No shell=True, eval(), exec(), or SQL string concatenation in server code.

CQ-06  Anti-Slopsquatting
Package name does not appear in the corpus of package names known to be hallucinated by LLMs. Protects against attacks that exploit AI code generation suggesting non-existent packages.

CQ-07  Behavioral Analysis
Bundle runs in an isolated sandbox. Network, filesystem, and process behavior monitored.

Artifact Integrity (AI-01..AI-04)

Ensures the bundle has not been tampered with and can be cryptographically verified.

AI-01  Valid Manifest
manifest.json present and valid. Required fields: name, version, mcp_config.

AI-02  Content Hashes
SHA-256 hashes for all files listed in the manifest. Verified against actual file contents.

AI-03  Bundle Signature
Cryptographically signed with Sigstore or GPG. Signature verifiable against the publisher's key.

AI-04  Reproducible Build*
Independent builds from the same source produce identical bundles.

Provenance (PR-01..PR-05)

Establishes the origin and build process of the bundle.

PR-01  Source Repository
Public source repository linked and accessible. Source matches bundle contents.

PR-02  Author Identity
Publisher verified via OIDC (GitHub, Google) or email domain verification.

PR-03  Build Attestation
SLSA provenance attestation from a trusted builder (GitHub Actions, GitLab CI).

PR-04  Commit Linkage*
Linked to a specific source commit. Signed commits recommended.

PR-05  Source Repository Health
OpenSSF Scorecard score >= 5.0 (L3) or >= 7.0 (L4). No critical check failures.

Capability Declaration (CD-01..CD-04)

Ensures bundles accurately declare their capabilities and permissions.

CD-01  Tool Declaration
All tools declared in the manifest with human-readable descriptions.

CD-02  Permission Scope
Filesystem, network, environment, and subprocess permissions declared in the manifest.

CD-03  Tool Description Safety
No prompt injection, exfiltration instructions, or hidden directives in tool descriptions.

CD-04  Credential Scope Declaration
OAuth scopes and API permissions declared. Least-privilege principle enforced.