Risk Scoring
Golf Inventory uses the same 0–100 scoring model as the OSS Scanner:
- Each check produces findings with a severity (critical, high, medium, note)
- Per-check scores are combined using severity-weighted averages
- Hard caps enforce maximum scores: any critical finding caps at 30, any high finding caps at 59
- Risk levels: Low (≥60), Moderate (>30), High (≤30)
Governance Classification
Every discovered server is classified into one of three governance states:
| Classification | Description |
|---|---|
| Proxied | Server URL matches a Golf Gateway upstream. Traffic flows through the gateway, enabling threat detection, audit logging, rate limiting, and PII scrubbing. |
| Known | Server exists in Control Plane configuration (assigned to a gateway or added as a known server), but the employee connects directly, bypassing gateway controls. |
| Shadow | Not configured in Control Plane at all. Unmanaged and ungoverned — no visibility into what data flows through it. |
Finding Categories
Findings are organized into 12 categories:
| Category | Description |
|---|---|
| NHI exposure | Non-human identity credentials exposed in configuration |
| Credential access | Plaintext credentials in arguments, URLs, or environment variables |
| Vulnerable packages | Known CVEs or malware in npm/PyPI packages |
| Typosquatting risk | Package names similar to known packages — possible supply chain attack |
| Toxic combinations | Dangerous combinations of capabilities (e.g., read secrets + external network) |
| Prompt injection | Tool descriptions containing injection patterns |
| Command injection | Shell injection metacharacters or dangerous command patterns |
| Authentication risk | Missing or weak authentication on public servers |
| Unsandboxed | Server running without container isolation or restrictive permissions |
| Outdated/unmaintained | Archived repositories, low adoption, or missing source code links |
| Capabilities not fetched | Server capabilities have not been retrieved yet |
| Custom server | Server not found in any registry — requires manual review |
Platform Checks
The platform extends the OSS Scanner’s 20 checks with additional analysis:
Sandbox Analysis
Server source code is executed in an isolated cloud sandbox. The analysis examines:
- Dependency tree and count
- External domains the server communicates with
- Secrets embedded in source code
- Overall risk profile
Capability Analysis
All server tools, prompts, and resources are analyzed for holistic risk assessment. The analysis produces per-tool assessments across seven risk categories (see below).
Tool Description Injection Detection
Tool descriptions and input schemas are analyzed for prompt injection patterns:
- Prompt override instructions
- Data exfiltration instructions
- Cross-tool manipulation
- Obfuscation techniques (ANSI codes, zero-width characters, bidirectional text)
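
The obfuscation check in the last bullet, as an added Python example that is not Golf's own implementation: it walks a tool's description and input schema and reports ANSI escape sequences, zero-width characters and bidirectional controls. The `name`/`description`/`inputSchema` field names, the code-point sets and the sample tool are assumptions constructed for illustration.

```python
import re

# ANSI escape sequences: CSI (ESC [ params final-byte) and OSC (ESC ] ... BEL or ESC \).
ANSI_RE = re.compile(r"\x1b(?:\[[0-?]*[ -/]*[@-~]|\][^\x07\x1b]*(?:\x07|\x1b\\))")
# Invisible characters that render as nothing (assumed set: ZWSP, ZWNJ, ZWJ, WJ, BOM).
ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}
# Bidirectional controls: ALM, LRM, RLM, embeddings/overrides, isolates.
BIDI = {"\u061c", "\u200e", "\u200f",
        *map(chr, range(0x202A, 0x202F)), *map(chr, range(0x2066, 0x206A))}

def scan_text(text):
    """Return (kind, offset, detail) hits for one string, ordered by offset."""
    hits = [("ansi", m.start(), repr(m.group())) for m in ANSI_RE.finditer(text)]
    for i, ch in enumerate(text):
        if ch in ZERO_WIDTH:
            hits.append(("zero_width", i, f"U+{ord(ch):04X}"))
        elif ch in BIDI:
            hits.append(("bidi", i, f"U+{ord(ch):04X}"))
    return sorted(hits, key=lambda h: h[1])

def iter_strings(node, path):
    """Yield (path, string) for every string in nested dicts/lists, keys included."""
    if isinstance(node, str):
        yield path, node
    elif isinstance(node, dict):
        for key, value in node.items():
            yield f"{path}.{key}<key>", str(key)
            yield from iter_strings(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from iter_strings(value, f"{path}[{i}]")

def scan_tool(tool):
    """Scan the description and input schema of one tool definition."""
    findings = []
    for field in ("description", "inputSchema"):
        for path, text in iter_strings(tool.get(field), field):
            for kind, offset, detail in scan_text(text):
                findings.append({"tool": tool.get("name"), "path": path,
                                 "kind": kind, "offset": offset, "detail": detail})
    return findings

# Constructed sample: a zero-width space, a concealed ANSI span, a bidi override.
SAMPLE_TOOL = {
    "name": "read_file",
    "description": "Reads a file.\u200b\x1b[8mhidden text\x1b[0m",
    "inputSchema": {"type": "object", "properties": {
        "path": {"type": "string", "description": "File \u202epath"}}},
}
```

Zero-width joiners and bidi marks also occur in legitimate emoji and right-to-left text, so hits are findings to review rather than proof of injection.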
Description Change Detection (TOFU/Rug-Pull)
A trust-on-first-use (TOFU) system establishes baseline hashes for tool descriptions on the first scan. Subsequent scans compare against the baseline and flag any changes, detecting rug-pull attacks where a tool description is modified after initial trust.
Seven Risk Categories
Capability analysis produces assessments across seven risk categories:
| Category | Description |
|---|---|
| Destructive tools | Tools that can delete, destroy, or corrupt data |
| Open world access | Tools with unrestricted external access |
| Sensitive data access | Tools accessing credentials, PII, or financial data |
| Code execution | Tools executing arbitrary code or shell commands |
| Write operations | Non-idempotent state changes |
| Broad scope | Over-privileged tools with excessively wide permissions |
| Toxic combinations | Dangerous combinations of capabilities (e.g., read secrets + external network access) |