ch.pfx/mcp-server v1.0.0
MCP Server for Forterro Proffix Px5 ERP

Summary: 23 findings (10 critical, 1 high, 12 medium)

Findings
[1] Environment file access (unknown)
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
8: # Environment files
9: .env
>>> 10: .env.local
11:
12: # IDE
Note: the flagged line is a .gitignore entry. Listing .env and .env.local there is exactly what keeps local credential files out of commits; the rule matched on the file name, not on any secret content, so as far as this snippet shows the finding is a false positive.

[2] Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
35:
36: // Configuration
>>> 37: const SERVER_URL = process.argv[2] || process.env.MCP_SERVER_URL || 'https://mcp.pfx.ch/api/server';
38:
39: // Proffix credentials from environment

[3] Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
38:
39: // Proffix credentials from environment
>>> 40: const PROFFIX_USERNAME = process.env.PROFFIX_USERNAME || '';
41: const PROFFIX_PASSWORD = process.env.PROFFIX_PASSWORD || '';
42: const PROFFIX_URL = process.env.PROFFIX_URL || '';

[4] Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
39: // Proffix credentials from environment
40: const PROFFIX_USERNAME = process.env.PROFFIX_USERNAME || '';
>>> 41: const PROFFIX_PASSWORD = process.env.PROFFIX_PASSWORD || '';
42: const PROFFIX_URL = process.env.PROFFIX_URL || '';
43: const PROFFIX_PORT = process.env.PROFFIX_PORT || '';

[5] Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
40: const PROFFIX_USERNAME = process.env.PROFFIX_USERNAME || '';
41: const PROFFIX_PASSWORD = process.env.PROFFIX_PASSWORD || '';
>>> 42: const PROFFIX_URL = process.env.PROFFIX_URL || '';
43: const PROFFIX_PORT = process.env.PROFFIX_PORT || '';
44: const PROFFIX_DATABASE = process.env.PROFFIX_DATABASE || '';

[6] Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
41: const PROFFIX_PASSWORD = process.env.PROFFIX_PASSWORD || '';
42: const PROFFIX_URL = process.env.PROFFIX_URL || '';
>>> 43: const PROFFIX_PORT = process.env.PROFFIX_PORT || '';
44: const PROFFIX_DATABASE = process.env.PROFFIX_DATABASE || '';
45:

[7] Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
42: const PROFFIX_URL = process.env.PROFFIX_URL || '';
43: const PROFFIX_PORT = process.env.PROFFIX_PORT || '';
>>> 44: const PROFFIX_DATABASE = process.env.PROFFIX_DATABASE || '';
45:
46: // API Key from environment (Authorization header)

[8] Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
45:
46: // API Key from environment (Authorization header)
>>> 47: const HTTP_AUTHORIZATION = process.env.HTTP_AUTHORIZATION || '';
48:
49: // Response format from environment (optional)

[9] Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
48:
49: // Response format from environment (optional)
>>> 50: const RESPONSE_FORMAT = process.env.RESPONSE_FORMAT || '';
51:
52: // Setup file logging
Note on findings 2 to 9: these are eight consecutive lines of one configuration block in the server's entry file. Reading the Proffix credentials and the API key from environment variables is the expected pattern for a process started by an MCP client, and nothing in the snippet is hard-coded, so as scanner findings the DE-002 matches are false positives. Two things a reviewer would still raise from the visible lines: every value falls back to '' (process.env.X || ''), so a deployment that forgets PROFFIX_PASSWORD or HTTP_AUTHORIZATION starts anyway and continues with an empty string instead of failing at startup; and the comment on line 52 ('Setup file logging') follows immediately, so whatever that logger writes must not include these values. Line 37 also takes SERVER_URL from argv[2] before the environment, meaning whoever writes the client's MCP configuration chooses the upstream endpoint.

[10] Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
7:
8: # Environment files
>>> 9: .env
10: .env.local
11:
Same .gitignore block as finding 1; see the note there.

[11] Node.js child process spawning
Detected by automated pattern matching (rule SC-005) with medium confidence. May be a false positive.
8: const fs = require('fs');
9: const path = require('path');
>>> 10: const { execSync } = require('child_process');
11:
12: const ROOT_DIR = path.join(__dirname, '..');
Note: only the import is shown. ROOT_DIR pointing one directory above the file suggests a repository helper script rather than the server itself, but the commands passed to execSync, and whether any of their arguments derive from untrusted input, are not in the snippet and cannot be assessed from this report.

[12] High-entropy string (4.9 bits/char), possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.
No code snippet is shown for this finding.

[13] High-entropy string (4.8 bits/char), possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.
No code snippet is shown for this finding.

[14] Possible Base64-encoded payload (long encoded string)
Detected by automated pattern matching (rule OB-001) with medium confidence. May be a false positive.
154: if: steps.check_tag.outputs.exists == 'false'
155: run: |
>>> 156: curl -L "https://github.com/modelcontextprotocol/registry/releases/latest/download/mcp-publisher_$(uname -s | tr '[:upper:]' '[:lower:]')_$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/').tar.gz" | tar xz mcp-publisher
157:
158: - name: Login to MCP Registry
Note: the match itself is a misclassification: line 156 is a shell pipeline (uname, tr, sed), not a Base64 blob. The supply-chain point the rule missed is what the line does: a release workflow fetches whatever releases/latest of modelcontextprotocol/registry resolves to at run time and unpacks the mcp-publisher binary straight from the download stream, with no pinned version, no checksum and no signature check, and the next step is named 'Login to MCP Registry', where that binary is presumably used. A compromised or merely changed upstream release would run on the next publish. Pin the release tag and verify the archive's hash before extracting it.

[15] to [23] High-entropy string, possible encoded payload
Nine further matches of rule EN-001, each detected by automated pattern matching with medium confidence and each possibly a false positive, at 4.9, 4.8, 4.9, 4.9, 4.8, 4.8, 4.9, 4.9 and 4.7 bits/char respectively. No code snippets are shown for these findings, so they cannot be triaged from the report; values in this range are as consistent with Base64-encoded hashes (for example the integrity fields of a package lock file) as with an embedded secret or payload, and the strings need to be located in the package contents to decide.
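Findings 2 to 9 flag the block that reads the Proffix settings with process.env.X || ''. The following is an added example, not code from ch.pfx/mcp-server, showing how that block can fail fast when a required variable is missing and produce a redacted copy that is safe to hand to the file logging set up right after it. The variable names are those in the snippet; the function names loadProffixConfig and redactConfig, the choice of which variables are required, and the URL and port validation rules are assumptions made for this example.

```javascript
// Added example, not code from ch.pfx/mcp-server: fail-fast loading of the
// Proffix settings that findings 2-9 show being read with `process.env.X || ''`.
// Variable names come from the report; the function names, the required set
// and the validation rules are assumptions made for this example.

const REQUIRED = ['PROFFIX_USERNAME', 'PROFFIX_PASSWORD', 'PROFFIX_URL', 'PROFFIX_DATABASE'];
const OPTIONAL_DEFAULTS = { PROFFIX_PORT: '', HTTP_AUTHORIZATION: '', RESPONSE_FORMAT: '' };
const SECRET_KEYS = new Set(['PROFFIX_PASSWORD', 'HTTP_AUTHORIZATION']);

// Builds the configuration from `env` (process.env by default). A missing or
// blank required variable throws an error naming the variable, never its
// value, instead of silently continuing with '' the way `|| ''` does.
function loadProffixConfig(env = process.env) {
  const missing = REQUIRED.filter((name) => typeof env[name] !== 'string' || env[name].trim() === '');
  if (missing.length > 0) {
    throw new Error(`missing required environment variables: ${missing.join(', ')}`);
  }

  const config = {};
  for (const name of REQUIRED) config[name] = env[name];
  for (const [name, fallback] of Object.entries(OPTIONAL_DEFAULTS)) {
    config[name] = typeof env[name] === 'string' && env[name] !== '' ? env[name] : fallback;
  }

  // PROFFIX_URL must parse and must be http(s); anything else is a configuration error.
  let url;
  try {
    url = new URL(config.PROFFIX_URL);
  } catch (err) {
    throw new Error(`PROFFIX_URL is not a valid URL: ${err.message}`);
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') {
    throw new Error(`PROFFIX_URL must use http or https, got ${url.protocol}`);
  }

  // PROFFIX_PORT, when given, must be a TCP port number.
  if (config.PROFFIX_PORT !== '') {
    const port = Number(config.PROFFIX_PORT);
    if (!Number.isInteger(port) || port < 1 || port > 65535) {
      throw new Error(`PROFFIX_PORT must be an integer between 1 and 65535, got "${config.PROFFIX_PORT}"`);
    }
  }
  return config;
}

// Copy of the configuration with secret values masked. This is the object to
// hand to the file logger; the original must never be written to disk.
function redactConfig(config) {
  const redacted = {};
  for (const [name, value] of Object.entries(config)) {
    redacted[name] = SECRET_KEYS.has(name) && value !== '' ? '[redacted]' : value;
  }
  return redacted;
}

// Usage at startup: the process exits with a message naming what is missing
// rather than failing later with an unexplained authentication error.
//   const config = loadProffixConfig();
//   logger.info('proffix configuration', redactConfig(config));
```

The error message lists variable names only; printing the offending value would put a partial secret into the same log file the block is trying to protect.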
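Finding 14's line fetches releases/latest and pipes the download into tar. As an added example, not the project's own workflow, here is the equivalent step with a pinned release tag and a SHA-256 check before anything is extracted. The release tag and the expected hash are placeholders to be replaced with real values, the helper names are chosen for this example, and the URL follows GitHub's standard releases/download/<tag>/<asset> layout.

```shell
#!/bin/sh
# Added example, not the ch.pfx/mcp-server workflow: replaces the
# "curl ... releases/latest ... | tar xz" step from finding 14 with a download
# pinned to one release tag that is only unpacked after its SHA-256 matches a
# value checked into the repository.
# The tag and the expected hash below are placeholders (assumptions); the URL
# follows GitHub's releases/download/<tag>/<asset> layout.
set -e

# sha256_of FILE: hex digest, using whichever tool the host has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_and_extract ARCHIVE EXPECTED_SHA256 MEMBER
# Extracts MEMBER from ARCHIVE only if the archive's digest equals
# EXPECTED_SHA256; on mismatch nothing is extracted and the function fails.
verify_and_extract() {
    archive=$1; expected=$2; member=$3
    actual=$(sha256_of "$archive")
    if [ "$actual" != "$expected" ]; then
        printf 'checksum mismatch for %s\n  got:  %s\n  want: %s\n' "$archive" "$actual" "$expected" >&2
        return 1
    fi
    tar xzf "$archive" "$member"
}

# fetch_pinned_publisher TAG EXPECTED_SHA256
# Downloads the mcp-publisher archive for this host at a fixed release tag
# (never "latest"), then verifies it before the binary is unpacked. The
# os/arch mapping is the one from the flagged workflow line.
fetch_pinned_publisher() {
    tag=$1; expected=$2
    os=$(uname -s | tr '[:upper:]' '[:lower:]')
    arch=$(uname -m | sed 's/x86_64/amd64/;s/aarch64/arm64/')
    archive="mcp-publisher_${os}_${arch}.tar.gz"
    curl -fsSL --proto '=https' --tlsv1.2 -o "$archive" \
        "https://github.com/modelcontextprotocol/registry/releases/download/${tag}/${archive}"
    verify_and_extract "$archive" "$expected" mcp-publisher
}

# In the workflow step (placeholder tag and hash, to be replaced):
#   fetch_pinned_publisher "v0.0.0-placeholder" \
#       "0000000000000000000000000000000000000000000000000000000000000000"
```

Because the hash is per platform, a workflow that runs on more than one os/arch needs one expected value per archive name; recording them in a small file next to the workflow keeps the bump to a new release a reviewable diff rather than something that happens silently at run time.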
Scan History
| Date | Risk | Findings | Files | Duration |
|---|---|---|---|---|
| Feb 26, 2026 | critical | 23 | 19 | 0.00s |
| Feb 24, 2026 | critical | 23 | 19 | 0.00s |