shyshlakov/pci-dss-mcp

Path-based false-positive reduction for file walkers and the secret scanner. No new MCP tools or rules — existing scan output is more precise on real-world Go payment-service codebases.

Fixed

• F-24 Dev-context examples recognition. scanner/devcontext.go now recognizes examples/, example/, samples/, sample/ directory segments and config.example.*/config.sample.* filename patterns as dedicated dev-context. Credential findings inside these paths downgrade from CRITICAL to INFO with TriageHint: dev_path_examples_skipped. Production configs/ paths stay CRITICAL (recall preserved).
• F-28 Test-directory walker exclusion. scanner/walker.go and scanner/gitwalker.go now skip files whose project-relative path contains a case-sensitive segment in {test, testing, mocks, fixtures, e2e} when IncludeTests=false, beyond the existing *_test.go suffix check. testdata (golden fixture tree) and integration (production payment-integration directories) are deliberately excluded from the set for recall safety.

Internal

• New scanner/pathsegments.go with shared hasTestDirSegment(root, path) bool helper used by both walkers.
• New scanner.DevContext.ExamplesPath bool field to let callers distinguish examples-dev from generic-dev paths.

Metrics

• Real-world smoke scan: v0.1.1 baseline 45 MEDIUM+ vs v0.1.2 38 MEDIUM+ = -7 MEDIUM+ (15.6% reduction).
• Zero HIGH regressions. Golden fixture make test-fixture exits 0.

Install

go install github.com/shyshlakov/[email protected]

See CHANGELOG.md for the full history.