Skip to content

fix(cli): reject unknown --rule values instead of silently passing#25

Open
dmchaledev wants to merge 1 commit into
mainfrom
claude/amazing-franklin-wk0p5w
Open

fix(cli): reject unknown --rule values instead of silently passing#25
dmchaledev wants to merge 1 commit into
mainfrom
claude/amazing-franklin-wk0p5w

Conversation

@dmchaledev

Copy link
Copy Markdown
Contributor

Summary

Fixes #11. A security scanner that silently passes on misconfiguration is worse than one that fails loudly, because it gives false assurance.

Today an unknown or typo'd --rule value is cast straight to RuleId and used to filter the rule set (src/args.ts):

} else if (arg.startsWith('--rule=')) {
  rules.push(arg.slice('--rule='.length) as RuleId); // no validation
}

A value matching no real rule filters the rule set down to nothing, so the scan produces zero findings, a passing report, and exit code 0:

# Intended: gate on the no-auth rule. Typo: should be NO_AUTH.
mcp-security-scanner --rule=NOAUTH --exit-code ./mcp-config.json
# Before: 0 findings, PASSED, exit 0  → security gate silently bypassed

This was inconsistent with --format and --fail-on, which already validate their input and exit 2. (The original issue pointed at cli.ts; the --rule parsing has since moved into args.ts, but the bug came along with it.)

Changes

  • src/args.ts — validate each --rule value against the RuleId enum; return an error result (exit 2) with a clear message listing valid rule IDs when it doesn't match.
  • src/cli.ts — list valid rule IDs in --help for discoverability.
  • src/__tests__/args.test.ts — regression test asserting --rule=NOAUTH exits 2.

Verification

$ node dist/cli.js --rule=NOAUTH --exit-code ./c.json
Error: Unknown rule "NOAUTH". Valid rule IDs: NO_AUTH, WEAK_API_KEY, MISSING_TLS, ...
$ echo $?
2

$ node dist/cli.js --rule=NO_AUTH ./c.json   # valid rule still works → exit 0

npm run typecheck, npm run lint, and npm test (100 tests) all pass.

Acceptance criteria (from #11)

  • --rule=BOGUS exits with code 2 and a clear error message
  • Valid rule IDs continue to work and are filtered correctly
  • --help lists valid rule IDs
  • Test covering the unknown-rule case

🤖 Generated with Claude Code

https://claude.ai/code/session_017ffK3ewW2pyTMsmmNSQK2R


Generated by Claude Code

An unknown or typo'd --rule ID was cast straight to RuleId and used to
filter the rule set. A value matching no real rule filtered the set down
to nothing, producing zero findings, a passing report, and exit code 0 —
a false "PASSED" security gate from a single typo.

Validate each --rule value against the RuleId enum and exit 2 with a
clear error (mirroring --format and --fail-on). Also list valid rule IDs
in --help for discoverability, and add a regression test.

Fixes #11

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_017ffK3ewW2pyTMsmmNSQK2R
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

CLI silently passes when --rule is given an unknown/typo'd rule ID (false "PASSED" security gate)

2 participants