@rad-security/mcp-server

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    1381:             // Handle DELETE requests for session termination
    1382:             app.delete("/mcp", handleSessionRequest);
>>> 1383:             const port = process.env.PORT || 3000;
    1384:             app.listen(port, () => {
    1385:                 logger.info({ transport: "streamable", url: `http://localhost:${port}/mcp` }, "server_ready");

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    1309:                 await transport.handlePostMessage(req, res);
    1310:             });
>>> 1311:             const port = process.env.PORT || 3000;
    1312:             app.listen(port, () => {
    1313:                 logger.info({ transport: "sse", url: `http://localhost:${port}/sse` }, "server_ready");

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    1260: async function main() {
    1261:     try {
>>> 1262:         const transportType = process.env.TRANSPORT_TYPE || "stdio";
    1263:         if (!["stdio", "sse", "streamable"].includes(transportType)) {
    1264:             throw new Error("Transport type must be either 'stdio', 'sse' or 'streamable'");

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    38: function parseToolkitFilters() {
    39:     const includeEnv = process.env.INCLUDE_TOOLKITS;
>>> 40:     const excludeEnv = process.env.EXCLUDE_TOOLKITS;
    41:     const result = {};
    42:     if (includeEnv) {

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    37: // Parse toolkit filters from environment variables
    38: function parseToolkitFilters() {
>>> 39:     const includeEnv = process.env.INCLUDE_TOOLKITS;
    40:     const excludeEnv = process.env.EXCLUDE_TOOLKITS;
    41:     const result = {};

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    23:         const accountId = process.env.RAD_SECURITY_ACCOUNT_ID || "";
    24:         const tenantId = process.env.RAD_SECURITY_TENANT_ID || "";
>>> 25:         const baseUrl = process.env.RAD_SECURITY_API_URL || "https://api.rad.security";
    26:         return new RadSecurityClient(sessionToken, accessKeyId, secretKey, baseUrl, accountId, tenantId);
    27:     }

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    22:         const secretKey = process.env.RAD_SECURITY_SECRET_KEY || "";
    23:         const accountId = process.env.RAD_SECURITY_ACCOUNT_ID || "";
>>> 24:         const tenantId = process.env.RAD_SECURITY_TENANT_ID || "";
    25:         const baseUrl = process.env.RAD_SECURITY_API_URL || "https://api.rad.security";
    26:         return new RadSecurityClient(sessionToken, accessKeyId, secretKey, baseUrl, accountId, tenantId);

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    21:         const accessKeyId = process.env.RAD_SECURITY_ACCESS_KEY_ID || "";
    22:         const secretKey = process.env.RAD_SECURITY_SECRET_KEY || "";
>>> 23:         const accountId = process.env.RAD_SECURITY_ACCOUNT_ID || "";
    24:         const tenantId = process.env.RAD_SECURITY_TENANT_ID || "";
    25:         const baseUrl = process.env.RAD_SECURITY_API_URL || "https://api.rad.security";

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    20:         const sessionToken = process.env.RAD_SECURITY_SESSION_TOKEN || "";
    21:         const accessKeyId = process.env.RAD_SECURITY_ACCESS_KEY_ID || "";
>>> 22:         const secretKey = process.env.RAD_SECURITY_SECRET_KEY || "";
    23:         const accountId = process.env.RAD_SECURITY_ACCOUNT_ID || "";
    24:         const tenantId = process.env.RAD_SECURITY_TENANT_ID || "";

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    19:     static fromEnv() {
    20:         const sessionToken = process.env.RAD_SECURITY_SESSION_TOKEN || "";
>>> 21:         const accessKeyId = process.env.RAD_SECURITY_ACCESS_KEY_ID || "";
    22:         const secretKey = process.env.RAD_SECURITY_SECRET_KEY || "";
    23:         const accountId = process.env.RAD_SECURITY_ACCOUNT_ID || "";

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    18:     }
    19:     static fromEnv() {
>>> 20:         const sessionToken = process.env.RAD_SECURITY_SESSION_TOKEN || "";
    21:         const accessKeyId = process.env.RAD_SECURITY_ACCESS_KEY_ID || "";
    22:         const secretKey = process.env.RAD_SECURITY_SECRET_KEY || "";

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    202:             id: "RAD-K8S-SECRETS_ENV-VAR",
    203:             title: "Prefer using secrets as files over secrets as environment variables",
>>> 204:             description: "It is reasonably common for application code to log out its environment (particularly in the event of an error). This will include any secret values passed in as environment variables, so secrets can easily be exposed to any user or entity who has access to the logs. Remediation: Containers were discovered that include secret keys as environment in container.env.valueFrom.secretKeyRef.name and container.env.valueFrom.secretKeyRef.key values. They should be removed from all containers and replaceed with secrets used as files.",
    205:         },
    206:         {

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    63: }, pino.destination(2)); // Write to stderr (fd 2)
    64: // Log startup info
>>> 65: if (process.env.NODE_ENV !== 'test') {
    66:     logger.info({
    67:         log_level: logLevel,

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    10: const logFormat = process.env.LOG_FORMAT || 'json';
    11: const accountId = process.env.RAD_SECURITY_ACCOUNT_ID || '';
>>> 12: const tenantId = process.env.RAD_SECURITY_TENANT_ID || '';
    13: // Determine if we should use pretty printing
    14: const usePretty = logFormat != 'json';

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    9: const logLevel = process.env.LOG_LEVEL || 'info';
    10: const logFormat = process.env.LOG_FORMAT || 'json';
>>> 11: const accountId = process.env.RAD_SECURITY_ACCOUNT_ID || '';
    12: const tenantId = process.env.RAD_SECURITY_TENANT_ID || '';
    13: // Determine if we should use pretty printing

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    8:  */
    9: const logLevel = process.env.LOG_LEVEL || 'info';
>>> 10: const logFormat = process.env.LOG_FORMAT || 'json';
    11: const accountId = process.env.RAD_SECURITY_ACCOUNT_ID || '';
    12: const tenantId = process.env.RAD_SECURITY_TENANT_ID || '';

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    7:  * - RAD_SECURITY_TENANT_ID: Tenant ID to include in all logs
    8:  */
>>> 9: const logLevel = process.env.LOG_LEVEL || 'info';
    10: const logFormat = process.env.LOG_FORMAT || 'json';
    11: const accountId = process.env.RAD_SECURITY_ACCOUNT_ID || '';

Decoded base64 content: R{����-E�)�{

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: ������ƭ���j�az{bq�^

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: J�b�'���ӭ�즊�

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: ��^��b�{?r[����

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: ��^��b�{?~)݊x,

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: ��^��b�{?�{^������

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: .+- ��j)ޮĜ��

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: .+-!ק�+bzĜ��

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: �Hu��܃z֢�Ĝ��

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: .+- Z.u����zĜ��

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: �B���E�(����Ĝ��

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: .+- ���&�qਞ��Ĝ��

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: .+-*�ޮw�z�^���q�"��'~(.��b�s�'"zĜ��

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: �B�{Z�w���zX�zĜ��

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: �+-5�p���y�rب�Ĝ��

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: .+-"v�ċ^�Ĝ��

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: �V�����t���

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: E�P,���6�i<�zĜ��

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: .+- �!n��u7��V�zĜ��

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: .+- �!n��vĜ��

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: .+- ��j)ޮĜ��

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: .+-!ק�+bzĜ��

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: �Hu��܃z֢�Ĝ��

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: .+- Z.u����zĜ��

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: �B���E�(����Ĝ��

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: �+- ���&�q�kjg���,

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: .+- ���&�qਞ��Ĝ��

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: ��B�je���x*'��%

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: �+- ����Qz�.�Ǭ

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: �+-"f�y[����n)b�'�

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: ��J�����^�����x7�j)l

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: ��J�����^�����xȬr�ߊ�jب�7�j)l

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: �B�{Z�w���zX�zĜ��

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: �+-5�p���y�rب�Ĝ��

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: �+-5�p���y�rب�*.�Ǭ

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: ��Z��b�ا�j躔�j۬

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: ���"v�ċ^�j[>�"�+�

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: .+-"v�ċ^�Ĝ��

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: �V�����t���

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: r���ல�&Z��~Z0

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: ��Z�ல�&Z��~Z0

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: {��׋��Cj֓ʗ�

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: .+- �!n��u7��V�zĜ��

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: ��Cj�[���M驕�^

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: .+- �!n��vĜ��

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: �+-^�v�"{^������

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: J�b�'���ӭ�즊�

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: �{�Ȩ�)�&��7�

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: ��ݕ䞲Ȩ����-

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: ��ݕ䞲Ȩ����-

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: ��ݕ䞲Ȩ����-

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: .+-*�ޮw�z�^���q�"��'~(.��b�s�'"zĜ��

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: ��J�����^�����xȬr�ߊ�jب�7�j)l

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: .+-*�ޮw�z�^���q�"��'~(.��b�s�'"zĜ��

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: ��J�����^�����xȬr�ߊ�jب�7�j)l

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: Yh���)^��,q�Z�*'

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: jYh���)^��,q�Z�*'

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: j�h����'��'
�(�{S�G�

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: ��r��j)ޯ���

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: ��r��j)ޯ���

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

High-entropy string (4.5 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

Possible Base64-encoded payload (long encoded string)

Detected by automated pattern matching (rule OB-001) with medium confidence. May be a false positive.

    3:     resource_uid: z.string().describe("Kubernetes resource UID to get misconfigurations for"),
    4: });
>>> 5: export const GetKubernetesResourceMisconfigurationDetailsSchema = z.object({
    6:     cluster_id: z.string().describe("ID of the cluster to get misconfiguration for"),
    7:     misconfig_id: z.string().describe("ID of the misconfiguration to get details for"),

Possible Base64-encoded payload (long encoded string)

Detected by automated pattern matching (rule OB-001) with medium confidence. May be a false positive.

    7:     misconfig_id: z.string().describe("ID of the misconfiguration to get details for"),
    8: });
>>> 9: export const ListKubernetesResourceMisconfigurationPoliciesSchema = z.object({
    10: // Empty schema as the function doesn't take parameters
    11: }).describe("Get a list of available misconfiguration policies");

High-entropy string (4.6 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    67:         }
    68:         try {
>>> 69:             const response = await fetch(`${this.baseUrl}/authentication/authenticate`, {
    70:                 method: "POST",
    71:                 headers: {

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    124:         logger.debug({ endpoint, method, params }, 'api_request_started');
    125:         try {
>>> 126:             const response = await fetch(url, {
    127:                 method,
    128:                 headers,

High-entropy string (4.8 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

High-entropy string (4.7 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

Possible Base64-encoded payload (long encoded string)

Detected by automated pattern matching (rule OB-001) with medium confidence. May be a false positive.

    252:                         name: "get_k8s_resource_misconfig",
    253:                         description: "Get detailed information about a specific Kubernetes resource misconfiguration",
>>> 254:                         inputSchema: zodToJsonSchema(misconfigs.GetKubernetesResourceMisconfigurationDetailsSchema),
    255:                     },
    256:                     {

Possible Base64-encoded payload (long encoded string)

Detected by automated pattern matching (rule OB-001) with medium confidence. May be a false positive.

    257:                         name: "list_k8s_resource_misconfig_policies",
    258:                         description: "List available misconfiguration policies used by RAD Security to detect Kubernetes resource misconfigurations",
>>> 259:                         inputSchema: zodToJsonSchema(misconfigs.ListKubernetesResourceMisconfigurationPoliciesSchema),
    260:                     },
    261:                 ]

Possible Base64-encoded payload (long encoded string)

Detected by automated pattern matching (rule OB-001) with medium confidence. May be a false positive.

    812:                 }
    813:                 case "get_k8s_resource_misconfig": {
>>> 814:                     const args = misconfigs.GetKubernetesResourceMisconfigurationDetailsSchema.parse(request.params.arguments);
    815:                     const response = await misconfigs.getKubernetesResourceMisconfigurationDetails(client, args.cluster_id, args.misconfig_id);
    816:                     return {

High-entropy string (4.6 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

High-entropy string (4.6 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

High-entropy string (4.6 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

High-entropy string (4.6 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

High-entropy string (4.7 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

High-entropy string (4.6 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    12: // Main functions
    13: export async function listCveVendors() {
>>> 14:     const response = await fetch(`${BASE_URL}/browse`);
    15:     if (!response.ok) {
    16:         throw new Error(`Failed to list vendors: ${response.statusText}`);

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    19: }
    20: export async function listCveProducts(vendor) {
>>> 21:     const response = await fetch(`${BASE_URL}/browse/${encodeURIComponent(vendor)}`);
    22:     if (!response.ok) {
    23:         throw new Error(`Failed to list products for vendor ${vendor}: ${response.statusText}`);

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    29:         ? `${BASE_URL}/search/${encodeURIComponent(vendor)}/${encodeURIComponent(product)}`
    30:         : `${BASE_URL}/search/${encodeURIComponent(vendor)}`;
>>> 31:     const response = await fetch(url);
    32:     if (!response.ok) {
    33:         throw new Error(`Failed to search CVEs: ${response.statusText}`);

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    36: }
    37: export async function getCve(cveId) {
>>> 38:     const response = await fetch(`${BASE_URL}/cve/${encodeURIComponent(cveId)}`);
    39:     if (!response.ok) {
    40:         throw new Error(`Failed to get CVE ${cveId}: ${response.statusText}`);

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    43: }
    44: export async function getLatest30Cves() {
>>> 45:     const response = await fetch(`${BASE_URL}/last`);
    46:     if (!response.ok) {
    47:         throw new Error(`Failed to get last CVEs: ${response.statusText}`);

Possible Base64-encoded payload (long encoded string)

Detected by automated pattern matching (rule OB-001) with medium confidence. May be a false positive.

    8:     resource_uid: string;
    9: }>;
>>> 10: export declare const GetKubernetesResourceMisconfigurationDetailsSchema: z.ZodObject<{
    11:     cluster_id: z.ZodString;
    12:     misconfig_id: z.ZodString;

Possible Base64-encoded payload (long encoded string)

Detected by automated pattern matching (rule OB-001) with medium confidence. May be a false positive.

    18:     misconfig_id: string;
    19: }>;
>>> 20: export declare const ListKubernetesResourceMisconfigurationPoliciesSchema: z.ZodObject<{}, "strip", z.ZodTypeAny, {}, {}>;
    21: export declare function listKubernetesResourceMisconfigurations(client: RadSecurityClient, resourceUid: string): Promise<any>;
    22: export declare function getKubernetesResourceMisconfigurationDetails(client: RadSecurityClient, clusterId: string, misconfigId: string): Promise<any>;