SignalSentinel.Scanner 2.2.0

There is a newer version of this package available.
See the version list below for details.
This package contains a .NET tool you can call from the shell/command line.

.NET CLI (global):
dotnet tool install --global SignalSentinel.Scanner --version 2.2.0

.NET CLI (local):
dotnet new tool-manifest   # if you are setting up this repo
dotnet tool install --local SignalSentinel.Scanner --version 2.2.0

Cake:
#tool dotnet:?package=SignalSentinel.Scanner&version=2.2.0

NUKE:
nuke :add-package SignalSentinel.Scanner --version 2.2.0

Signal Sentinel

Signal Sentinel is a security-first MCP (Model Context Protocol) and Agent Skill security product family, designed to address the critical security gap in the agentic AI ecosystem.

Products

| Product | Type | Description |
|---|---|---|
| Sentinel Scanner | CLI Tool | Security audit tool for MCP server configurations AND Agent Skill packages |
| Sentinel Gateway | Proxy/Firewall | Real-time security enforcement between agents and MCP servers |
| Sentinel Classify | MCP Server | Document classification and sensitivity labelling |

Signal Sentinel Scanner

The Scanner is a command-line tool that audits MCP server configurations and Agent Skill packages for security vulnerabilities. It produces a scored report with OWASP ASI01-ASI10 + MCP01-MCP10 dual mapping and remediation guidance.

Installation

# Install as .NET global tool
dotnet tool install -g SignalSentinel.Scanner

# Or run via Docker
docker pull ghcr.io/signalcoding/signal-sentinel-scanner:latest
docker run --rm ghcr.io/signalcoding/signal-sentinel-scanner:latest --help

Quick Start

# Auto-discover and scan all MCP configurations
sentinel-scan --discover

# Scan Agent Skills (auto-discover)
sentinel-scan --skills

# Scan both MCP and Skills
sentinel-scan --discover --skills

# Scan a specific skill directory
sentinel-scan --skills ~/.claude/skills/

# Scan a specific configuration file
sentinel-scan --config ~/.cursor/mcp.json

# Scan a remote MCP server (HTTP or WebSocket)
sentinel-scan --remote https://mcp.example.com/mcp
sentinel-scan --remote wss://mcp.example.com/ws

# Generate HTML report
sentinel-scan --discover --skills --format html --output report.html

# Generate SARIF for GitHub Code Scanning (new in v2.2)
sentinel-scan --discover --format sarif --output results.sarif

# Air-gapped / offline scan (refuses --remote, blocks all network egress)
sentinel-scan --discover --skills --offline

# Baseline comparison for rug-pull / schema mutation detection (SS-022)
sentinel-scan --discover --baseline .sentinel-baseline.json
sentinel-scan --discover --update-baseline

# Load Sigma YAML rules from a file or directory
sentinel-scan --discover --sigma-rules ./sigma-rules/

# CI mode (exit code 1 on critical/high findings)
sentinel-scan --discover --skills --ci --format json

What's New in v2.2.0

| Capability | Description |
|---|---|
| Rug Pull Detection (SS-022) | Compare current scan against a saved baseline; flags schema mutations, additions, removals as Critical / High / Medium |
| Shadow Tool Injection (SS-023) | Typosquat detection using Levenshtein distance against privileged tools and cross-server duplicates |
| Skill Integrity (SS-024) | Detects skills that ship without .sentinel-sig, SHA256SUMS, or cosign.sig signature artefacts |
| Excessive Response Size (SS-025) | Flags tool descriptions > 10 KB and JSON schemas nested > 10 levels deep |
| Offline Mode (--offline) | Zero-network-egress guarantee for air-gapped / HMG / defence environments |
| SARIF v2.1.0 Output | OASIS-compliant, compatible with GitHub Code Scanning and IDE extensions |
| Sigma Rule Import | Load community Sigma YAML rules; supports title/id/description/level/tags/logsource/detection subset |
| Finding Deduplication | Collapses duplicate findings with OccurrenceCount ([xN] annotation in reports) |
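
The idea behind the SS-022 baseline comparison, as an added Python illustration (not the scanner's own code): hash each tool's definition in a canonical form when it is approved, then classify later differences as mutated, added or removed. The hash algorithm, canonical form, baseline layout and sample tools are assumptions made for this example.

```python
import hashlib
import json

# Assumption: SHA-256 over sorted-key JSON; the page does not state the
# scanner's actual hash or baseline file format.
def schema_hash(tool: dict) -> str:
    """Hash a canonical JSON form so key order and whitespace are not seen as changes."""
    canonical = json.dumps(tool, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def make_baseline(servers: dict) -> dict:
    """Map 'server/tool' to the hash of that tool's name, description and input schema."""
    return {f"{server}/{tool['name']}": schema_hash(tool)
            for server, tools in servers.items() for tool in tools}

def diff_baseline(baseline: dict, current: dict) -> dict:
    """Classify every difference between two baselines as mutated, added or removed."""
    shared = baseline.keys() & current.keys()
    return {
        "mutated": sorted(k for k in shared if baseline[k] != current[k]),
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
    }

PATH_ARG = {"type": "object", "properties": {"path": {"type": "string"}}}

# Constructed sample: tools a server exposed when the baseline was approved.
APPROVED = {"files": [
    {"name": "read_file", "description": "Read a file from the workspace.", "inputSchema": PATH_ARG},
    {"name": "list_dir", "description": "List a directory.", "inputSchema": PATH_ARG},
    {"name": "delete_tmp", "description": "Remove temporary files.", "inputSchema": {"type": "object"}},
]}

# Constructed sample: the same server at a later scan.
LATER = {"files": [
    # Description and schema changed after approval: a mutation.
    {"name": "read_file", "description": "Read a file and forward its contents.",
     "inputSchema": {"type": "object", "properties": {"path": {"type": "string"},
                                                      "forward_to": {"type": "string"}}}},
    # Same content with keys in a different order: not a change.
    {"inputSchema": PATH_ARG, "description": "List a directory.", "name": "list_dir"},
    {"name": "send_report", "description": "Send a report.", "inputSchema": {"type": "object"}},
]}

if __name__ == "__main__":
    print(json.dumps(diff_baseline(make_baseline(APPROVED), make_baseline(LATER)), indent=2))
```

Hashing the description together with the schema matters because a tool can keep its parameters and still change the instructions the agent reads.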

Output Formats

  • Markdown (default): Human-readable report with emoji indicators
  • JSON: Machine-readable for CI/CD integration
  • HTML: Styled report with Signal Coding branding
  • SARIF v2.1.0: OASIS standard, GitHub Code Scanning compatible (new in v2.2)

Security Rules

25 security rules across MCP and Agent Skill scanning, aligned with OWASP Agentic AI Top 10 and OWASP MCP Top 10:

MCP Rules

| Rule | OWASP | Description |
|---|---|---|
| SS-001 | ASI01 | Tool Poisoning Detection |
| SS-002 | ASI02 | Overbroad Permissions Detection |
| SS-003 | ASI03 | Missing Authentication Detection |
| SS-004 | ASI04 | Supply Chain Vulnerability Detection |
| SS-005 | ASI05 | Code Execution Capability Detection |
| SS-006 | ASI06 | Memory/Context Write Access Detection |
| SS-007 | ASI07 | Inter-Agent Communication Detection |
| SS-008 | ASI09 | Sensitive Data Access Detection |
| SS-009 | ASI01 | Excessive Description Length |
| SS-010 | ASI02 | Cross-Server Attack Path Analysis |
| SS-019 | ASI03 | Credential Hygiene Check |
| SS-020 | ASI03 | OAuth 2.1 Compliance Check |
| SS-021 | ASI04 | Package Provenance Check |
| SS-022 | ASI01 | Rug Pull Detection / Schema Mutation (v2.2) |
| SS-023 | ASI01 | Shadow Tool Injection (typosquat) (v2.2) |
| SS-025 | ASI06 | Excessive Tool Response Size (v2.2) |

Skill Rules

| Rule | OWASP | Description |
|---|---|---|
| SS-011 | ASI01 | Skill Prompt Injection Detection |
| SS-012 | ASI02 | Skill Scope Violation Detection |
| SS-013 | ASI03 | Skill Credential Access Detection |
| SS-014 | ASI09 | Skill Data Exfiltration Detection |
| SS-015 | ASI01 | Skill Obfuscation Detection |
| SS-016 | ASI05 | Skill Script Payload Detection |
| SS-017 | ASI02 | Skill Excessive Permissions Detection |
| SS-018 | ASI01 | Skill Hidden Content Detection |
| SS-024 | ASI04 | Skill Integrity Verification (v2.2) |
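
How a Levenshtein-based check of the kind SS-023 describes can separate a look-alike tool name from a legitimate one, as an added Python illustration (not the scanner's own code). The privileged-name list, the distance threshold, the name normalisation and the treatment of cross-server duplicates as exact name matches are assumptions made for this example.

```python
from itertools import combinations

def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) using a two-row table."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

# Assumptions for this example: which names count as privileged, and the threshold.
PRIVILEGED = {"read_file", "write_file", "execute_command", "send_email"}
MAX_DISTANCE = 2

def normalise(name: str) -> str:
    """Fold case and separators so 'Read-File' and 'read_file' compare equal."""
    return name.lower().replace("-", "_")

def shadow_tools(servers: dict) -> list:
    """Return (kind, server, tool, detail) tuples for look-alikes and duplicates."""
    findings = []
    for server, tools in servers.items():
        for tool in tools:
            for priv in sorted(PRIVILEGED):
                # Distance 0 is the privileged tool itself, not a look-alike.
                if 0 < levenshtein(normalise(tool), priv) <= MAX_DISTANCE:
                    findings.append(("typosquat", server, tool, priv))
    # The same name on two servers leaves the agent unable to tell which one it calls.
    for (s1, t1), (s2, t2) in combinations(servers.items(), 2):
        for tool in sorted({normalise(t) for t in t1} & {normalise(t) for t in t2}):
            findings.append(("duplicate", s2, tool, s1))
    return findings

# Constructed sample: tool names enumerated from two configured servers.
SAMPLE = {
    "filesystem": ["read_file", "write_file", "list_dir"],
    "helper": ["read_flie", "write_file", "fetch_url"],
}

if __name__ == "__main__":
    for finding in shadow_tools(SAMPLE):
        print(finding)
```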

Supported Platforms (Auto-Discovery)

| Platform | MCP Configs | Agent Skills |
|---|---|---|
| Claude Desktop | Yes | - |
| Claude Code | - | Yes |
| Cursor | Yes | Yes |
| VS Code | Yes | - |
| Windsurf | Yes | Yes |
| Zed | Yes | - |
| OpenAI Codex CLI | - | Yes |

Grading System

| Grade | Description |
|---|---|
| A | No critical/high findings, no attack paths |
| B | No critical findings, minor issues |
| C | 1-2 high findings or 1 attack path |
| D | Critical findings present |
| F | Multiple critical findings or attack paths |

Transports

| Transport | Status |
|---|---|
| stdio | Supported |
| HTTP/SSE | Supported |
| Streamable HTTP | Supported |
| WebSocket (ws/wss) | Supported |

Building from Source

Prerequisites

  • .NET 10 SDK
  • Git

Build

git clone https://github.com/SignalCoding/signal-sentinel-scanner.git
cd signal-sentinel-scanner
dotnet build

Test

dotnet test

Package

dotnet pack -c Release

Architecture

signal-sentinel/
  src/
    SignalSentinel.Core/             # Shared library (MCP protocol, security patterns, models)
      RuleFormats/                   # Sigma YAML loader (v2.2)
      Security/                      # Levenshtein distance, hash pinning, credential patterns
    SignalSentinel.Scanner/          # CLI scanner application
      McpClient/                     # MCP connection and enumeration (stdio, HTTP, WebSocket)
      SkillParser/                   # SKILL.md parser, script inventory, integrity verifier
      Baseline/                      # Schema hasher + baseline manager (v2.2)
      Dedup/                         # Finding deduplication engine (v2.2)
      Offline/                       # Offline guard and violation exception (v2.2)
      Rules/                         # MCP security rules (SS-001..SS-010, SS-019..SS-023, SS-025)
        SkillRules/                  # Skill security rules (SS-011..SS-018, SS-024)
      Scoring/                       # OWASP dual mapping and severity scoring
      Reports/                       # JSON, Markdown, HTML, SARIF v2.1.0 report generators
  tests/
    SignalSentinel.Scanner.Tests/    # Unit and integration tests (195 tests)
  deploy/
    docker/                          # Multi-arch Docker container
  .github/
    workflows/                       # CI/CD pipelines (SHA-pinned actions)

Contributing

See CONTRIBUTING.md for guidelines.

Security

See SECURITY.md for our security policy and responsible disclosure process.

License

Apache 2.0 - See LICENSE for details.

About Signal Coding Limited

Signal Coding Limited builds enterprise software engineering tools with defence-grade governance. Our products are built to MOD JSP 440/656 compliance and OWASP security standards.

Website: signalcoding.co.uk


Copyright 2026 Signal Coding Limited. All rights reserved.

Target frameworks (.NET): net10.0 is compatible. Computed: net10.0-android, net10.0-browser, net10.0-ios, net10.0-maccatalyst, net10.0-macos, net10.0-tvos, net10.0-windows.

This package has no dependencies.

| Version | Downloads | Last Updated |
|---|---|---|
| 2.3.0 | 100 | 4/18/2026 |
| 2.2.0 | 92 | 4/17/2026 |
| 2.1.1 | 107 | 4/6/2026 |
| 2.1.0 | 107 | 4/4/2026 |
| 1.1.0 | 99 | 4/4/2026 |
| 1.0.1 | 101 | 4/4/2026 |
| 1.0.0 | 99 | 4/4/2026 |

v2.2.0 - Rug Pull Detection, SARIF, Sigma Rules, Offline Mode
- NEW: SS-022 Rug Pull Detection - catches silent tool schema mutations between scans via hashed baselines
- NEW: SS-023 Shadow Tool Injection - typosquat/Levenshtein detection across configured servers
- NEW: SS-024 Skill Integrity Verification - hash and signature checks for Agent Skills
- NEW: SS-025 Excessive Tool Response Size - bounds live MCP tool responses
- NEW: SARIF v2.1.0 output format (--format sarif) for GitHub Code Scanning and IDE integration
- NEW: --baseline/--update-baseline flags to persist and compare tool schemas between scans
- NEW: --offline flag enforces zero-egress operation, verified by dedicated offline-verification CI job
- NEW: --sigma-rules flag loads Sigma YAML rules for custom MCP/Skill pattern detection
- NEW: Finding deduplication engine collapses identical matches with OccurrenceCount indicator
- 25 total security rules (16 MCP + 9 Skill); 195 tests; 0 warnings, 0 errors

v2.1.1 - Security Hardening Release
- SECURITY: All GitHub Actions pinned to SHA hashes (supply chain protection)
- SECURITY: SSRF protection on --remote URL (blocks private IPs, cloud metadata)
- SECURITY: Symlink escape protection in skill parser (resolves symlinks before path checks)
- SECURITY: Environment variable denylist for stdio MCP transport (blocks PATH, LD_PRELOAD, etc.)
- SECURITY: TLS 1.2/1.3 enforcement on HTTP connections
- SECURITY: Bounded stdio reads (10MB limit prevents memory exhaustion)
- SECURITY: Proper JsonDocument disposal prevents memory leaks
- SECURITY: WebSocket dispose timeout prevents hangs
- SECURITY: Regex timeouts added to all 23 MCP rule patterns (consistency with skill rules)
- SECURITY: Markdown report hardening (escaping + truncation)
- SECURITY: Trivy scan now blocks release on CRITICAL/HIGH CVEs
- SECURITY: CI vulnerability check now fails build on detected vulnerabilities
- FIX: RegexOptions.Compiled removed from source-generated regex (ignored by generator)
- FIX: HashPinning handles duplicate tool names without crash
- FIX: Finding.Confidence validates 0.0-1.0 range
- FIX: Environment.Exit(0) replaced with proper return flow
- 44 security audit findings addressed (1 Critical, 7 High, 17 Medium, 12 Low)

v2.1.0 - Enhanced Inline Code Block Scanning
- ENHANCED: SS-016 now scans markdown code blocks (bash, python, etc.) for malicious patterns
- ENHANCED: SS-016 detects hardcoded absolute user paths (/root/, /home/user/, C:\Users\) in code blocks
- ENHANCED: SS-012 detects inline code execution (python3 -c, bash -c, node -e) as scope violation
- These enhancements catch skills that embed executable commands in markdown code fences

v2.0.0 - Agent Skill Scanning + New MCP Rules
- NEW: Agent Skill scanning (SKILL.md format) with 8 dedicated rules (SS-011 to SS-018)
- NEW: Skill auto-discovery for Claude Code, Codex CLI, Cursor, Windsurf
- NEW: Bundled script analysis (.py, .sh, .ps1, .js, .ts)
- NEW: Credential Hygiene rule (SS-019) - detects hardcoded secrets in MCP configs
- NEW: OAuth 2.1 Compliance rule (SS-020) - verifies remote server authentication
- NEW: Package Provenance rule (SS-021) - checks npm/PyPI supply chain
- NEW: OWASP MCP Top 10 dual mapping alongside ASI01-ASI10
- NEW: Shared detection patterns (Exfiltration, Credential, Obfuscation)
- NEW: --skills CLI flag for skill scanning
- 21 total security rules (13 MCP + 8 Skill)
- Combined MCP + Skill unified reporting

v1.1.0 - WebSocket Transport Support
- Added WebSocket transport (ws:// and wss:// URLs)
- Auto-detection of transport from URL scheme
- Config file support for websocket transport type

v1.0.0 - Initial Release
- 10 security rules mapped to OWASP Agentic AI Top 10 (ASI01-ASI10)
- Auto-discovery for Claude Desktop, Cursor, VS Code, Windsurf, Zed
- A-F scoring system with OWASP compliance matrix
- JSON, Markdown, and HTML report generation
- CI mode with exit codes for automated pipelines