๐ How-To: Security Analysis and Content Protection
Goal: Detect sensitive content, implement security controls, and ensure safe architectural documentation.
When to use this guide: Before sharing code, documentation, or architectural decisions; when implementing security controls; during security audits.
๐จ Quick Security Scanโ
Scan Content for Secretsโ
Most Common Use Case: Check if content contains API keys, passwords, or sensitive data before sharing.
{
"tool": "analyze_content_security",
"parameters": {
"content": "const apiKey = 'sk-1234567890abcdef'; // Your code here",
"enhancedMode": true,
"enableTreeSitterAnalysis": true
}
}
Expected Result:
{
"securityIssues": [
{
"type": "api_key",
"severity": "high",
"line": 1,
"pattern": "sk-1234567890abcdef",
"recommendation": "Replace with environment variable"
}
],
"riskLevel": "high",
"maskingRecommended": true
}
Auto-Mask Sensitive Contentโ
{
"tool": "generate_content_masking",
"parameters": {
"content": "const apiKey = 'sk-1234567890abcdef';",
"maskingLevel": "strict",
"preserveStructure": true
}
}
Result:
const apiKey = 'sk-xxxxxxxxxxxxxxxx';
๐ Comprehensive Security Analysisโ
Project-Wide Security Scanโ
Use Case: Audit entire project for security issues before deployment or code review.
{
"tool": "analyze_project_ecosystem",
"parameters": {
"projectPath": ".",
"securityFocused": true,
"includeEnvironment": true,
"enhancedMode": true
}
}
What it finds:
- Hardcoded credentials in source code
- Insecure configuration patterns
- Exposed sensitive files
- Security anti-patterns in architecture
- Dependency vulnerabilities (basic detection)
Environment-Specific Security Analysisโ
{
"tool": "analyze_environment",
"parameters": {
"includeSecurityAnalysis": true,
"checkContainerization": true,
"validateDeploymentSecurity": true
}
}
Detects:
- Insecure environment variable patterns
- Container security misconfigurations
- Deployment security gaps
- Infrastructure security issues
๐ก๏ธ Content Masking Strategiesโ
Basic Masking (Quick Protection)โ
{
"tool": "generate_content_masking",
"parameters": {
"content": "Your content with secrets",
"maskingLevel": "moderate",
"preserveStructure": true
}
}
Masking Levels:
lenient: Only obvious secrets (API keys, passwords)moderate: Common sensitive patterns (default)strict: Aggressive masking including potential PII
Advanced Masking (Custom Patterns)โ
{
"tool": "generate_content_masking",
"parameters": {
"content": "Company internal token: COMP_12345_SECRET",
"maskingLevel": "strict",
"userDefinedPatterns": ["COMP_[0-9]+_[A-Z]+", "internal-.*-token"],
"preserveStructure": true,
"includeLineNumbers": true
}
}
Validate Masking Qualityโ
{
"tool": "validate_content_masking",
"parameters": {
"originalContent": "const key = 'secret123';",
"maskedContent": "const key = 'xxxxxx';",
"strictValidation": true
}
}
Checks:
- No sensitive data leaked through masking
- Code structure preserved
- Functionality not broken by masking
- Masking consistency across similar patterns
๐ Security Pattern Detectionโ
Common Security Anti-Patternsโ
The server automatically detects these security issues:
Credential Exposureโ
// โ Detected as security issue
const apiKey = 'sk-1234567890abcdef';
const password = 'mypassword123';
const token = 'ghp_xxxxxxxxxxxxxxxxxxxx';
// โ
Secure pattern
const apiKey = process.env.API_KEY;
Insecure Configurationโ
# โ Detected as security issue
database:
password: "plaintext_password"
ssl: false
# โ
Secure pattern
database:
password: ${DB_PASSWORD}
ssl: true
Exposed Sensitive Filesโ
{
"tool": "analyze_content_security",
"parameters": {
"content": "Check if .env files are in git",
"contentType": "configuration",
"checkFilePatterns": true
}
}
Detects:
.envfiles in version control- Private keys in repositories
- Configuration files with secrets
- Backup files with sensitive data
Custom Security Rulesโ
{
"tool": "generate_rules",
"parameters": {
"source": "security_focused",
"projectPath": ".",
"customPatterns": [
{
"name": "company_secrets",
"pattern": "COMPANY_[A-Z_]+",
"severity": "high",
"description": "Company-specific secret pattern"
}
]
}
}
๐ข Enterprise Security Workflowsโ
Security-First ADR Generationโ
Use Case: Generate ADRs that include security considerations from the start.
{
"tool": "suggest_adrs",
"parameters": {
"projectPath": ".",
"securityFocused": true,
"includeSecurityDecisions": true,
"analysisScope": "security"
}
}
Generates ADRs for:
- Authentication and authorization strategies
- Data encryption decisions
- Security monitoring approaches
- Incident response procedures
- Compliance requirements
Security Compliance Validationโ
{
"tool": "validate_adr_bootstrap",
"parameters": {
"adrDirectory": "./adrs",
"complianceFramework": "security",
"enableTreeSitterAnalysis": true
}
}
Validates:
- Security decisions are documented
- Implementation matches security ADRs
- No security anti-patterns in code
- Compliance with security standards
Deployment Security Readinessโ
{
"tool": "deployment_readiness",
"parameters": {
"operation": "security_audit",
"projectPath": ".",
"securityValidation": true,
"enableTreeSitterAnalysis": true
}
}
Security Checks:
- No hardcoded secrets in deployment artifacts
- Security configurations validated
- Container security best practices
- Infrastructure security compliance
๐ง Integration with Security Toolsโ
Pre-Commit Security Hooksโ
Add to your .pre-commit-config.yaml:
repos:
- repo: local
hooks:
- id: mcp-security-scan
name: MCP Security Analysis
entry: mcp-security-scan.sh
language: script
files: \.(ts|js|py|yaml|yml|json)$
Create mcp-security-scan.sh:
#!/bin/bash
# Use MCP server for security scanning
echo "Running MCP security analysis..."
# Scan staged files for security issues
git diff --cached --name-only | while read file; do
if [[ -f "$file" ]]; then
content=$(cat "$file")
# Use MCP tool to analyze content
# (Implementation depends on your MCP client setup)
fi
done
CI/CD Security Integrationโ
GitHub Actions Example:
name: Security Analysis
on: [push, pull_request]
jobs:
security-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Setup MCP Server
run: npm install -g mcp-adr-analysis-server
- name: Run Security Analysis
env:
OPENROUTER_API_KEY: ${{ secrets.OPENROUTER_API_KEY }}
PROJECT_PATH: ${{ github.workspace }}
EXECUTION_MODE: full
run: |
# Run security analysis via MCP
# (Implementation depends on your CI setup)
๐ฏ Security Best Practicesโ
Content Preparationโ
Before Analysis:
- Never analyze production secrets - use test/example data
- Use environment variables for real credentials
- Sanitize logs and outputs before sharing
- Review masked content before distribution
Masking Guidelinesโ
What to Always Mask:
- API keys and tokens
- Passwords and passphrases
- Private keys and certificates
- Database connection strings
- Internal URLs and endpoints
- Personal identifiable information (PII)
What to Consider Masking:
- Internal project names
- Server hostnames
- File paths with usernames
- Email addresses
- Phone numbers
Validation Checklistโ
Before sharing any content:
{
"tool": "analyze_content_security",
"parameters": {
"content": "your final content",
"enhancedMode": true,
"strictValidation": true,
"enableTreeSitterAnalysis": true
}
}
Verify:
- โ No sensitive patterns detected
- โ Masking preserves functionality
- โ No information leakage through context
- โ Compliance with security policies
๐จ Incident Responseโ
Suspected Secret Exposureโ
If you accidentally exposed secrets:
- Immediate Assessment
{
"tool": "analyze_content_security",
"parameters": {
"content": "suspected exposed content",
"enhancedMode": true,
"urgentMode": true
}
}
- Generate Incident Report
{
"tool": "generate_security_incident_report",
"parameters": {
"incidentType": "credential_exposure",
"affectedContent": "description of what was exposed",
"timeline": "when exposure occurred"
}
}
- Remediation Steps
- Rotate exposed credentials immediately
- Review access logs for unauthorized usage
- Update security patterns to prevent recurrence
- Document lessons learned in ADRs
False Positive Handlingโ
When security tools flag legitimate content:
{
"tool": "configure_security_whitelist",
"parameters": {
"projectPath": ".",
"whitelistPatterns": ["example-api-key-.*", "test-token-.*", "demo-secret-.*"],
"justification": "These are example/test patterns, not real secrets"
}
}
๐ Security Metrics and Reportingโ
Security Dashboardโ
{
"tool": "generate_security_dashboard",
"parameters": {
"projectPath": ".",
"includeMetrics": true,
"timeframe": "last_30_days"
}
}
Tracks:
- Security issues found and resolved
- Masking operations performed
- Security ADR compliance
- Trend analysis over time
Compliance Reportingโ
{
"tool": "generate_compliance_report",
"parameters": {
"framework": "SOC2", // or "GDPR", "HIPAA", etc.
"projectPath": ".",
"includeEvidence": true
}
}
๐ Related Documentationโ
- Environment Configuration - Security-related environment variables
- Deployment Readiness - Security validation before deployment
- Troubleshooting - Security-related issues and solutions
- API Reference - Complete security tool documentation
Security concern not covered here? โ File a Security Issue for sensitive matters or General Issue for questions.