SignalSentinel.Scanner
2.3.0
Signal Sentinel
Signal Sentinel is a security-first MCP (Model Context Protocol) and Agent Skill security product family, designed to address the critical security gap in the agentic AI ecosystem.
Positioning: Signal Sentinel Scanner is a fast, deterministic, offline-capable first-pass authoring aid for MCP operators and skill authors. It is not a substitute for a full runtime defence stack — pair it with Bandit, Gitleaks, Semgrep, and (for runtime) Sentinel Gateway / Enkrypt Skill Sentinel for defence in depth. Every report declares its scope explicitly in a "Scanner Scope" section.
Products
| Product | Type | Description |
|---|---|---|
| Sentinel Scanner | CLI Tool | Security audit tool for MCP server configurations AND Agent Skill packages |
| Sentinel Gateway | Proxy/Firewall | Real-time security enforcement between agents and MCP servers |
| Sentinel Classify | MCP Server | Document classification and sensitivity labelling |
Signal Sentinel Scanner
The Scanner is a command-line tool that audits MCP server configurations and Agent Skill packages for security vulnerabilities. It produces a scored report with OWASP ASI01-ASI10 + AST01-AST10 + MCP01-MCP10 triple mapping and remediation guidance.
What's new in v2.3.0
- .sentinel-suppressions.json — accept specific findings with a justification, approver and expiry; retained in every report format for audit.
- --min-confidence <f> and --triage — confidence-aware filtering; see docs/confidence-rubric.md.
- sentinel-scan diff <baseline.json> <current.json> — resolved / new / grade-attribution deltas between runs.
- --save-history, --environment, --complementary-tools — per-environment scoping + explicit scope disclosure in reports.
- SS-INFO-001 non-MCP endpoint detection — no more misleading "Grade A" against a React SPA. When it fires, every MCP-protocol rule (SS-001..SS-010, SS-019..SS-025) is automatically suppressed for that target so the report is internally consistent.
- Case-insensitive, lemma-aware SS-012 — eliminates mechanical false positives from "Network" vs "network access". Lemma table now covers disk, volume, mount, /proc, /sys, /dev, procfs, sysfs as filesystem synonyms.
- YAML capabilities: block is authoritative for SS-012. Declare capabilities: [read-filesystem, shell_command_execution, network] in a skill's frontmatter and SS-012 will trust it over prose-based heuristics.
- Suppressed scans now display a technical-debt exposure banner: "if these N suppression(s) were removed, your grade would be X (Y/100) instead of Z (W/100)" — no hidden risk behind a green grade.
- Pre-commit hook integrations for pre-commit.com, lefthook and husky under hooks/.
Installation
```bash
# Install as .NET global tool
dotnet tool install -g SignalSentinel.Scanner

# Or run via Docker
docker pull ghcr.io/signalcoding/signal-sentinel-scanner:latest
docker run --rm ghcr.io/signalcoding/signal-sentinel-scanner:latest --help
```
Quick Start
```bash
# Auto-discover and scan all MCP configurations
sentinel-scan --discover

# Scan Agent Skills (auto-discover)
sentinel-scan --skills

# Scan both MCP and Skills
sentinel-scan --discover --skills

# Scan a specific skill directory
sentinel-scan --skills ~/.claude/skills/

# Scan a specific configuration file
sentinel-scan --config ~/.cursor/mcp.json

# Scan a remote MCP server (HTTP or WebSocket)
sentinel-scan --remote https://mcp.example.com/mcp
sentinel-scan --remote wss://mcp.example.com/ws

# Generate HTML report
sentinel-scan --discover --skills --format html --output report.html

# Generate SARIF for GitHub Code Scanning (new in v2.2)
sentinel-scan --discover --format sarif --output results.sarif

# Air-gapped / offline scan (refuses --remote, blocks all network egress)
sentinel-scan --discover --skills --offline

# Baseline comparison for rug-pull / schema mutation detection (SS-022)
sentinel-scan --discover --baseline .sentinel-baseline.json
sentinel-scan --discover --update-baseline

# Load Sigma YAML rules from a file or directory
sentinel-scan --discover --sigma-rules ./sigma-rules/

# CI mode (exit code 1 on critical/high findings)
sentinel-scan --discover --skills --ci --format json
```
What's New in v2.2.0
| Capability | Description |
|---|---|
| Rug Pull Detection (SS-022) | Compare current scan against a saved baseline; flags schema mutations, additions, removals as Critical / High / Medium |
| Shadow Tool Injection (SS-023) | Typosquat detection using Levenshtein distance against privileged tools and cross-server duplicates |
| Skill Integrity (SS-024) | Detects skills that ship without .sentinel-sig, SHA256SUMS, or cosign.sig signature artefacts |
| Excessive Response Size (SS-025) | Flags tool descriptions > 10 KB and JSON schemas nested > 10 levels deep |
| Offline Mode (--offline) | Zero-network-egress guarantee for air-gapped / HMG / defence environments |
| SARIF v2.1.0 Output | OASIS-compliant, compatible with GitHub Code Scanning and IDE extensions |
| Sigma Rule Import | Load community Sigma YAML rules; supports title/id/description/level/tags/logsource/detection subset |
| Finding Deduplication | Collapses duplicate findings with OccurrenceCount ([xN] annotation in reports) |
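The baseline comparison behind SS-022 can be pictured with the following added example, which is not the scanner's own code. The canonical-JSON hashing, the `server/tool` key layout and the sample tool definitions are assumptions made for illustration; the page does not show the real baseline format or how severities are assigned.

```python
import hashlib
import json

def tool_fingerprint(tool: dict) -> str:
    """SHA-256 over the parts of a tool definition that an agent consumes."""
    material = {
        "name": tool.get("name"),
        "description": tool.get("description", ""),
        "inputSchema": tool.get("inputSchema", {}),
    }
    # Canonical JSON (sorted keys, fixed separators): key order and whitespace
    # do not change the hash, any change of content does.
    blob = json.dumps(material, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(blob.encode("utf-8")).hexdigest()

def build_baseline(servers: dict) -> dict:
    """Map 'server/tool' to its fingerprint for every enumerated tool."""
    return {f"{server}/{tool['name']}": tool_fingerprint(tool)
            for server, tools in servers.items() for tool in tools}

def compare(baseline: dict, current: dict) -> dict:
    """Report tools mutated, added or removed since the baseline was saved."""
    shared = baseline.keys() & current.keys()
    return {
        "mutated": sorted(k for k in shared if baseline[k] != current[k]),
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
    }

def _tool(name, description, properties):
    return {"name": name, "description": description,
            "inputSchema": {"type": "object", "properties": properties}}

# Constructed sample: the same server enumerated at baseline time and later.
BASELINE_SCAN = {"files": [
    _tool("read_file", "Read a file from the workspace.", {"path": {"type": "string"}}),
    _tool("list_dir", "List a directory.", {"path": {"type": "string"}}),
]}
CURRENT_SCAN = {"files": [
    # Name and description unchanged, but the schema silently gained a parameter.
    _tool("read_file", "Read a file from the workspace.",
          {"path": {"type": "string"}, "forward_to": {"type": "string"}}),
    _tool("run_shell", "Run a shell command.", {"command": {"type": "string"}}),
]}

if __name__ == "__main__":
    print(compare(build_baseline(BASELINE_SCAN), build_baseline(CURRENT_SCAN)))
```

Because the fingerprint covers the input schema as well as the name and description, a tool that keeps its name but changes what it accepts still shows up as mutated.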
Output Formats
- Markdown (default): Human-readable report with emoji indicators
- JSON: Machine-readable for CI/CD integration
- HTML: Styled report with Signal Coding branding
- SARIF v2.1.0: OASIS standard, GitHub Code Scanning compatible (new in v2.2)
Security Rules
25 security rules across MCP and Agent Skill scanning, aligned with OWASP Agentic AI Top 10 and OWASP MCP Top 10:
MCP Rules
| Rule | OWASP | Description |
|---|---|---|
| SS-001 | ASI01 | Tool Poisoning Detection |
| SS-002 | ASI02 | Overbroad Permissions Detection |
| SS-003 | ASI03 | Missing Authentication Detection |
| SS-004 | ASI04 | Supply Chain Vulnerability Detection |
| SS-005 | ASI05 | Code Execution Capability Detection |
| SS-006 | ASI06 | Memory/Context Write Access Detection |
| SS-007 | ASI07 | Inter-Agent Communication Detection |
| SS-008 | ASI09 | Sensitive Data Access Detection |
| SS-009 | ASI01 | Excessive Description Length |
| SS-010 | ASI02 | Cross-Server Attack Path Analysis |
| SS-019 | ASI03 | Credential Hygiene Check |
| SS-020 | ASI03 | OAuth 2.1 Compliance Check |
| SS-021 | ASI04 | Package Provenance Check |
| SS-022 | ASI01 | Rug Pull Detection / Schema Mutation (v2.2) |
| SS-023 | ASI01 | Shadow Tool Injection (typosquat) (v2.2) |
| SS-025 | ASI06 | Excessive Tool Response Size (v2.2) |
Skill Rules
| Rule | OWASP | Description |
|---|---|---|
| SS-011 | ASI01 | Skill Prompt Injection Detection |
| SS-012 | ASI02 | Skill Scope Violation Detection |
| SS-013 | ASI03 | Skill Credential Access Detection |
| SS-014 | ASI09 | Skill Data Exfiltration Detection |
| SS-015 | ASI01 | Skill Obfuscation Detection |
| SS-016 | ASI05 | Skill Script Payload Detection |
| SS-017 | ASI02 | Skill Excessive Permissions Detection |
| SS-018 | ASI01 | Skill Hidden Content Detection |
| SS-024 | ASI04 | Skill Integrity Verification (v2.2) |
Supported Platforms (Auto-Discovery)
| Platform | MCP Configs | Agent Skills |
|---|---|---|
| Claude Desktop | Yes | - |
| Claude Code | - | Yes |
| Cursor | Yes | Yes |
| VS Code | Yes | - |
| Windsurf | Yes | Yes |
| Zed | Yes | - |
| OpenAI Codex CLI | - | Yes |
Grading System
| Grade | Description |
|---|---|
| A | No critical/high findings, no attack paths |
| B | No critical findings, minor issues |
| C | 1-2 high findings or 1 attack path |
| D | Critical findings present |
| F | Multiple critical findings or attack paths |
Transports
| Transport | Status |
|---|---|
| stdio | Supported |
| HTTP/SSE | Supported |
| Streamable HTTP | Supported |
| WebSocket (ws/wss) | Supported |
Building from Source
Prerequisites
- .NET 10 SDK
- Git
Build
```bash
git clone https://github.com/SignalCoding/signal-sentinel-scanner.git
cd signal-sentinel-scanner
dotnet build
```
Test
```bash
dotnet test
```
Package
```bash
dotnet pack -c Release
```
Architecture
```
signal-sentinel/
  src/
    SignalSentinel.Core/             # Shared library (MCP protocol, security patterns, models)
      RuleFormats/                   # Sigma YAML loader (v2.2)
      Security/                      # Levenshtein distance, hash pinning, credential patterns
    SignalSentinel.Scanner/          # CLI scanner application
      McpClient/                     # MCP connection and enumeration (stdio, HTTP, WebSocket)
      SkillParser/                   # SKILL.md parser, script inventory, integrity verifier
      Baseline/                      # Schema hasher + baseline manager (v2.2)
      Dedup/                         # Finding deduplication engine (v2.2)
      Offline/                       # Offline guard and violation exception (v2.2)
      Rules/                         # MCP security rules (SS-001..SS-010, SS-019..SS-023, SS-025)
      SkillRules/                    # Skill security rules (SS-011..SS-018, SS-024)
      Scoring/                       # OWASP dual mapping and severity scoring
      Reports/                       # JSON, Markdown, HTML, SARIF v2.1.0 report generators
  tests/
    SignalSentinel.Scanner.Tests/    # Unit and integration tests (254 tests)
  deploy/
    docker/                          # Multi-arch Docker container
  .github/
    workflows/                       # CI/CD pipelines (SHA-pinned actions)
```
Contributing
See CONTRIBUTING.md for guidelines.
Security
See SECURITY.md for our security policy and responsible disclosure process.
License
Apache 2.0 - See LICENSE for details.
About Signal Coding Limited
Signal Coding Limited builds enterprise software engineering tools with defence-grade governance. Our products are built to MOD JSP 440/656 compliance and OWASP security standards.
Website: signalcoding.co.uk
Copyright 2026 Signal Coding Limited. All rights reserved.
| Product | Compatible and additional computed target framework versions |
|---|---|
| .NET | net10.0 is compatible. net10.0-android was computed. net10.0-browser was computed. net10.0-ios was computed. net10.0-maccatalyst was computed. net10.0-macos was computed. net10.0-tvos was computed. net10.0-windows was computed. |
This package has no dependencies.
v2.3.0 - Triage, Suppressions, Scope Disclosure, Non-MCP Detection
- NEW: .sentinel-suppressions.json schema v1.0 - formally accept risk on specific findings, with justification, approver, expiry. Retained in JSON/SARIF/Markdown/HTML for audit trail under an "Accepted Risks" section.
- NEW: SS-INFO-001 Non-MCP Endpoint Detected - surfaces an informational finding when --remote is pointed at a host that does not implement MCP (e.g. React SPA catch-all returning text/html). No more misleading "Grade A" against web apps.
- NEW: Confidence-aware triage - --min-confidence <f> filters low-confidence findings; --triage demotes them to Low but keeps them visible; --fail-on <severity> replaces legacy pass/fail semantics.
- NEW: Scan history + delta - --save-history persists runs to .sentinel/history; sentinel-scan diff <baseline.json> <current.json> shows resolved / new / grade-attribution deltas.
- NEW: Per-environment scoping - --environment <dev|staging|prod>, suppressions can scope to an environment.
- NEW: OWASP Agentic Skills Top 10 (AST01..AST10) mapping on every finding - SARIF tags + Markdown/HTML headers show both ASI and AST codes.
- NEW: Explicit scope disclosure block on every report - tells users what was scanned, what was not, and which complementary tools to combine with (Bandit, Gitleaks, Semgrep, Enkrypt Skill Sentinel by default).
- NEW: --list-rules prints the rule registry with OWASP/AST/severity columns.
- NEW: --ignore-rule SS-xxx[,SS-yyy] for ephemeral per-run exclusions.
- IMPROVED: SS-012 now uses case-insensitive capability matching plus a lemma table ("Network" satisfies "network access", "filesystem" satisfies "filesystem access" etc.) - eliminates mechanical false positives from capitalised sentence starts.
- IMPROVED: 26 total rules (was 25); 240 tests; 0 warnings, 0 errors.
- FIX: Non-MCP endpoint detection now runs before HTTP status validation - SS-INFO-001 fires even when the SPA catch-all returns 4xx/5xx with HTML or plain-text bodies.
- FIX: ScanHistoryManager now deserialises lowercase enum strings in v2.2 JSON baselines so `sentinel-scan diff` works across the 2.2 -> 2.3 boundary.
- POSITIONING: README and report language softened towards "fast, deterministic, first-pass authoring aid" - full positioning reset lands in v3.0.0.
- BREAKING: None. Scoring rubric unchanged; CI gates from v2.2 continue to work. Grade-semantics reset is scheduled for v3.0.0 (see ROADMAP_V3.0.md).
v2.2.0 - Rug Pull Detection, SARIF, Sigma Rules, Offline Mode
- NEW: SS-022 Rug Pull Detection - catches silent tool schema mutations between scans via hashed baselines
- NEW: SS-023 Shadow Tool Injection - typosquat/Levenshtein detection across configured servers
- NEW: SS-024 Skill Integrity Verification - hash and signature checks for Agent Skills
- NEW: SS-025 Excessive Tool Response Size - bounds live MCP tool responses
- NEW: SARIF v2.1.0 output format (--format sarif) for GitHub Code Scanning and IDE integration
- NEW: --baseline/--update-baseline flags to persist and compare tool schemas between scans
- NEW: --offline flag enforces zero-egress operation, verified by dedicated offline-verification CI job
- NEW: --sigma-rules flag loads Sigma YAML rules for custom MCP/Skill pattern detection
- NEW: Finding deduplication engine collapses identical matches with OccurrenceCount indicator
- 25 total security rules (16 MCP + 9 Skill); 195 tests; 0 warnings, 0 errors
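The typosquat and cross-server duplicate check described for SS-023 is sketched below as an added example; it is not the scanner's implementation. The privileged-name list, the distance threshold of 2 and the sample inventory are assumptions, since the page does not publish them.

```python
from collections import defaultdict

# Assumed privileged tool names; the scanner's real list is not shown on the page.
PRIVILEGED = ("read_file", "write_file", "execute_command", "send_email")
MAX_DISTANCE = 2  # assumed threshold for "suspiciously close"

def levenshtein(a: str, b: str) -> int:
    """Edit distance computed with two rolling rows."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]

def shadow_tool_findings(servers: dict) -> list:
    """servers maps a server name to the list of tool names it exposes."""
    findings = []
    owners = defaultdict(list)
    for server, tools in servers.items():
        for tool in tools:
            name = tool.casefold()
            owners[name].append(server)
            for target in PRIVILEGED:
                distance = levenshtein(name, target)
                if 0 < distance <= MAX_DISTANCE:  # near miss, not the genuine name
                    findings.append(("typosquat", server, tool, target, distance))
    for name, where in owners.items():
        if len(where) > 1:  # same tool name offered by more than one server
            findings.append(("duplicate", tuple(sorted(where)), name))
    return findings

# Constructed sample inventory of three configured servers.
SAMPLE = {
    "filesystem": ["read_file", "write_file"],
    "notes": ["read_fi1e", "search_notes"],
    "helper": ["write_file", "excute_command"],
}

if __name__ == "__main__":
    for finding in shadow_tool_findings(SAMPLE):
        print(finding)
```

An exact match is deliberately not reported as a typosquat; it is caught by the duplicate pass instead when a second server offers the same name.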
v2.1.1 - Security Hardening Release
- SECURITY: All GitHub Actions pinned to SHA hashes (supply chain protection)
- SECURITY: SSRF protection on --remote URL (blocks private IPs, cloud metadata)
- SECURITY: Symlink escape protection in skill parser (resolves symlinks before path checks)
- SECURITY: Environment variable denylist for stdio MCP transport (blocks PATH, LD_PRELOAD, etc.)
- SECURITY: TLS 1.2/1.3 enforcement on HTTP connections
- SECURITY: Bounded stdio reads (10MB limit prevents memory exhaustion)
- SECURITY: Proper JsonDocument disposal prevents memory leaks
- SECURITY: WebSocket dispose timeout prevents hangs
- SECURITY: Regex timeouts added to all 23 MCP rule patterns (consistency with skill rules)
- SECURITY: Markdown report hardening (escaping + truncation)
- SECURITY: Trivy scan now blocks release on CRITICAL/HIGH CVEs
- SECURITY: CI vulnerability check now fails build on detected vulnerabilities
- FIX: RegexOptions.Compiled removed from source-generated regex (ignored by generator)
- FIX: HashPinning handles duplicate tool names without crash
- FIX: Finding.Confidence validates 0.0-1.0 range
- FIX: Environment.Exit(0) replaced with proper return flow
- 44 security audit findings addressed (1 Critical, 7 High, 17 Medium, 12 Low)
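The SSRF protection on --remote listed above (blocking private IPs and cloud metadata addresses) can be illustrated with this added example, which is not the scanner's code. The allowed schemes, the injected `resolve` callback and the constructed DNS table are assumptions that let the check run offline.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https", "ws", "wss"}  # assumed from the transports the page lists

def is_blocked_address(ip_text: str) -> bool:
    ip = ipaddress.ip_address(ip_text)
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so it cannot sidestep the IPv4 checks.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # 169.254.169.254 (cloud metadata) falls under link-local.
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def check_remote_url(url: str, resolve) -> tuple:
    """Return (allowed, reason); resolve(host) yields the host's IP strings."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    host = parts.hostname
    if not host:
        return False, "no host"
    try:
        addresses = [str(ipaddress.ip_address(host))]  # literal IP in the URL
    except ValueError:
        addresses = resolve(host)
    if not addresses:
        return False, "host did not resolve"
    # Every record must be public: a single internal address is enough to refuse.
    for addr in addresses:
        if is_blocked_address(addr):
            return False, f"blocked address {addr}"
    return True, "ok"

# Constructed resolver table standing in for DNS.
FAKE_DNS = {
    "mcp.example.com": ["93.184.216.34"],
    "internal.example.com": ["93.184.216.34", "10.0.0.5"],
}

def fake_resolve(host: str) -> list:
    return FAKE_DNS.get(host, [])

if __name__ == "__main__":
    for url in ("https://mcp.example.com/mcp", "wss://internal.example.com/ws",
                "http://169.254.169.254/", "https://[::ffff:10.0.0.1]/mcp"):
        print(url, check_remote_url(url, fake_resolve))
```

The connection must then be made to the address that was checked, since a second lookup of the same name can return a different record.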
v2.1.0 - Enhanced Inline Code Block Scanning
- ENHANCED: SS-016 now scans markdown code blocks (bash, python, etc.) for malicious patterns
- ENHANCED: SS-016 detects hardcoded absolute user paths (/root/, /home/user/, C:\Users\) in code blocks
- ENHANCED: SS-012 detects inline code execution (python3 -c, bash -c, node -e) as scope violation
- These enhancements catch skills that embed executable commands in markdown code fences
v2.0.0 - Agent Skill Scanning + New MCP Rules
- NEW: Agent Skill scanning (SKILL.md format) with 8 dedicated rules (SS-011 to SS-018)
- NEW: Skill auto-discovery for Claude Code, Codex CLI, Cursor, Windsurf
- NEW: Bundled script analysis (.py, .sh, .ps1, .js, .ts)
- NEW: Credential Hygiene rule (SS-019) - detects hardcoded secrets in MCP configs
- NEW: OAuth 2.1 Compliance rule (SS-020) - verifies remote server authentication
- NEW: Package Provenance rule (SS-021) - checks npm/PyPI supply chain
- NEW: OWASP MCP Top 10 dual mapping alongside ASI01-ASI10
- NEW: Shared detection patterns (Exfiltration, Credential, Obfuscation)
- NEW: --skills CLI flag for skill scanning
- 21 total security rules (13 MCP + 8 Skill)
- Combined MCP + Skill unified reporting
v1.1.0 - WebSocket Transport Support
- Added WebSocket transport (ws:// and wss:// URLs)
- Auto-detection of transport from URL scheme
- Config file support for websocket transport type
v1.0.0 - Initial Release
- 10 security rules mapped to OWASP Agentic AI Top 10 (ASI01-ASI10)
- Auto-discovery for Claude Desktop, Cursor, VS Code, Windsurf, Zed
- A-F scoring system with OWASP compliance matrix
- JSON, Markdown, and HTML report generation
- CI mode with exit codes for automated pipelines