
shyshlakov/pci-dss-mcp

v0.1.3 Feature

This release adds 2 notable features for engineering teams evaluating rollout.

Published 1 month ago. Category: MCP Security & Auth.

✓ No known CVEs patched in this version

Affected surfaces

crypto_tls auth

Summary

AI summary

Precision filters reduce false positives for CRYPTO-HARDCODED-KEY and PAN-KEYWORD findings in banking domain code.

Full changelog

Precision filters for CRYPTO-HARDCODED-KEY and PAN-KEYWORD false positives. No new MCP tools — existing scan output is more precise on real-world Go payment-service codebases with banking domain structs and non-secret constants.

Fixed

  • F-25 CRYPTO-HARDCODED-KEY filter cascade. A four-layer post-detection filter eliminates false positives on HTTP header constants, sentinel errors (errors.New/fmt.Errorf), log field names, camelCase JSON keys, and constants files. Layer 3 (hex/base64 fast path) forces CRITICAL on genuine hardcoded crypto keys, so the downgrade layers introduce zero false negatives. All downgraded findings carry TriageHint tags for auditor visibility.
  • F-27 IBAN vs PAN sibling heuristic. Banking-domain AccountNumber fields in structs with >= 2 banking siblings (IBAN, BIC, SWIFT, RoutingNumber, SortCode, ABA, BankCode) and zero PCI-scope siblings downgrade PAN-KEYWORD to INFO. Defense-in-depth guards: any PCI-scope sibling (CVV, CardNumber, etc.), card-related struct tags, or tokenization context aborts the downgrade.
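As an added illustration of the F-25 cascade, the following Go sketch was written for this page; it is not the project's scanner/cryptoscanner/hardcoded_filter.go. It assumes that candidates are const/var declarations whose name contains "key" or "secret", that the pre-downgrade severity is HIGH, and it implements only the hex half of the hex/base64 fast path; the header and camelCase regexes and the constructed KeyFixture source are likewise assumptions. The ordering is the security-relevant point: the fast path runs before any downgrade, so a literal that decodes to a 16/24/32-byte key can never be demoted by a later layer.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"go/types"
	"regexp"
	"strconv"
	"strings"
)

// KeyFinding is one CRYPTO-HARDCODED-KEY candidate after the filter cascade.
type KeyFinding struct {
	Name, Severity, TriageHint string
}

var (
	headerRe = regexp.MustCompile(`^[A-Z][A-Za-z0-9]*(-[A-Z][A-Za-z0-9]*)+$`) // e.g. X-Api-Key
	camelRe  = regexp.MustCompile(`^[a-z]+([A-Z][a-z0-9]*)+$`)               // e.g. clientSecret
)

// looksLikeKeyMaterial is the hex fast path: a literal that decodes to an AES key
// length (16, 24 or 32 bytes) is real key material and must stay CRITICAL.
// The page's fast path also covers base64; this example implements hex only.
func looksLikeKeyMaterial(s string) bool {
	b, err := hex.DecodeString(s)
	return err == nil && (len(b) == 16 || len(b) == 24 || len(b) == 32)
}

// classifyValue runs the cascade for one candidate; ok is false for values it does not classify.
func classifyValue(v ast.Expr) (severity, hint string, ok bool) {
	if call, isCall := v.(*ast.CallExpr); isCall {
		if fn := types.ExprString(call.Fun); fn == "errors.New" || fn == "fmt.Errorf" {
			return "INFO", "sentinel error (" + fn + ")", true
		}
		return "", "", false
	}
	lit, isLit := v.(*ast.BasicLit)
	if !isLit || lit.Kind != token.STRING {
		return "", "", false
	}
	s, err := strconv.Unquote(lit.Value)
	if err != nil {
		return "", "", false
	}
	switch {
	case looksLikeKeyMaterial(s): // fast path wins before any downgrade: zero false negatives
		return "CRITICAL", fmt.Sprintf("hex fast path: %d-byte key literal", len(s)/2), true
	case headerRe.MatchString(s):
		return "INFO", "HTTP header name constant", true
	case camelRe.MatchString(s):
		return "INFO", "camelCase JSON key", true
	}
	return "HIGH", "name matched; literal not recognised as header/JSON key", true // HIGH is an assumed default
}

// ScanHardcodedKeys parses src and classifies every const/var whose name contains
// "key" or "secret" (that candidate rule is an assumption of this example).
func ScanHardcodedKeys(src string) ([]KeyFinding, error) {
	file, err := parser.ParseFile(token.NewFileSet(), "fixture.go", src, 0)
	if err != nil {
		return nil, err
	}
	var out []KeyFinding
	for _, decl := range file.Decls {
		gd, ok := decl.(*ast.GenDecl)
		if !ok || (gd.Tok != token.CONST && gd.Tok != token.VAR) {
			continue
		}
		for _, spec := range gd.Specs {
			vs := spec.(*ast.ValueSpec)
			for i, name := range vs.Names {
				lower := strings.ToLower(name.Name)
				if i >= len(vs.Values) || (!strings.Contains(lower, "key") && !strings.Contains(lower, "secret")) {
					continue
				}
				if sev, hint, ok := classifyValue(vs.Values[i]); ok {
					out = append(out, KeyFinding{name.Name, sev, hint})
				}
			}
		}
	}
	return out, nil
}

// KeyFixture is constructed for this example, not taken from the project's testdata.
const KeyFixture = `package fixtures
const HeaderAPIKey = "X-Api-Key"              // HTTP header constant -> INFO
const jsonSecretKey = "clientSecret"          // camelCase JSON key -> INFO
var ErrBadKey = errors.New("invalid api key") // sentinel error -> INFO
var ErrKeyExpired = fmt.Errorf("key expired") // sentinel error -> INFO
const aesKey = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef" // 32 bytes -> CRITICAL
const apiKey = "sk-live-placeholder" // not key material, not header/JSON -> stays HIGH
`
```

Calling ScanHardcodedKeys(KeyFixture) yields six findings: the four header, JSON-key and sentinel declarations at INFO with their TriageHint, aesKey at CRITICAL via the fast path, and apiKey left at the default severity because no downgrade rule matched.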

Changed

  • README Use Cases section: updated quick-scan prompt to include INFO findings review instead of discarding them. Added "Why INFO findings matter" section explaining the audit trail design.

Internal

  • New scanner/cryptoscanner/hardcoded_filter.go with ApplyHardcodedFilter four-layer cascade.
  • New scanner/panscanner/banking_context.go with IsBankingContext sibling analysis.
  • 8 new fixture files in testdata/vulnerable-payment-service/ covering all filter layers and banking context patterns.
  • Fixed 6 missing CSP-MISSING INFO entries and 3 stale line numbers in EXPECTED-FINDINGS.md.
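The F-27 sibling heuristic described under Fixed (the release's own implementation is IsBankingContext in scanner/panscanner/banking_context.go) as an added example written for this page rather than taken from the project. It parses Go source with go/ast and assumes that the pre-downgrade severity is HIGH, that the PCI-scope list is extended with PAN and ExpiryDate, that any struct tag containing "card" counts as card-related, that any sibling name containing "Token" marks tokenization context, and that the Fixture source is constructed. The abort guards run before the banking-sibling count, so an AccountNumber next to a CVV never reaches the downgrade branch.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strings"
)

// Sibling vocabularies from the F-27 note; PAN and ExpiryDate are assumed additions to "CVV, CardNumber, etc.".
var bankingSiblings = map[string]bool{
	"IBAN": true, "BIC": true, "SWIFT": true, "RoutingNumber": true,
	"SortCode": true, "ABA": true, "BankCode": true,
}
var pciSiblings = map[string]bool{"CVV": true, "CardNumber": true, "PAN": true, "ExpiryDate": true}

const defaultSeverity = "HIGH" // assumed; the page does not state the pre-downgrade level

// PANFinding is one PAN-KEYWORD hit on an AccountNumber field, with its triage hint.
type PANFinding struct {
	Struct, Severity, TriageHint string
}

// classifyAccountNumber applies the sibling heuristic to the fields of one struct that
// holds an AccountNumber. Abort guards run first (defense in depth), then the >= 2 rule.
func classifyAccountNumber(fields []*ast.Field) (severity, hint string) {
	banking, pci := 0, 0
	for _, fld := range fields {
		if fld.Tag != nil && strings.Contains(strings.ToLower(fld.Tag.Value), "card") {
			return defaultSeverity, "card-related struct tag; downgrade aborted"
		}
		for _, n := range fld.Names {
			switch {
			case strings.Contains(n.Name, "Token"): // assumed marker for tokenization context
				return defaultSeverity, "tokenization context (" + n.Name + "); downgrade aborted"
			case pciSiblings[n.Name]:
				pci++
			case bankingSiblings[n.Name]:
				banking++
			}
		}
	}
	if pci > 0 {
		return defaultSeverity, fmt.Sprintf("%d PCI-scope sibling(s); downgrade aborted", pci)
	}
	if banking < 2 {
		return defaultSeverity, fmt.Sprintf("only %d banking sibling(s); need >= 2", banking)
	}
	return "INFO", fmt.Sprintf("banking context: %d banking siblings, 0 PCI-scope siblings", banking)
}

// ScanStructs parses Go source and classifies every struct that declares an AccountNumber field.
func ScanStructs(src string) ([]PANFinding, error) {
	file, err := parser.ParseFile(token.NewFileSet(), "fixture.go", src, 0)
	if err != nil {
		return nil, err
	}
	var out []PANFinding
	ast.Inspect(file, func(n ast.Node) bool {
		ts, ok := n.(*ast.TypeSpec)
		if !ok {
			return true
		}
		st, ok := ts.Type.(*ast.StructType)
		if !ok {
			return true
		}
		for _, fld := range st.Fields.List {
			for _, name := range fld.Names {
				if name.Name == "AccountNumber" {
					sev, hint := classifyAccountNumber(st.Fields.List)
					out = append(out, PANFinding{ts.Name.Name, sev, hint})
				}
			}
		}
		return true
	})
	return out, nil
}

// Fixture is constructed for this example; it is not a file from the project's testdata.
const Fixture = `package fixtures
type BankAccount struct { // 2 banking siblings, 0 PCI-scope -> downgraded to INFO
	AccountNumber string
	IBAN          string
	BIC           string
}
type CardOnFile struct { // CVV is a PCI-scope sibling -> downgrade aborted
	AccountNumber string
	CVV           string
	IBAN          string
	BIC           string
}
type Beneficiary struct { // card-related tag -> downgrade aborted despite 2 banking siblings
	AccountNumber string ` + "`json:\"card_account\"`" + `
	IBAN          string
	BIC           string
}
`
```

ScanStructs(Fixture) returns three findings in declaration order: BankAccount at INFO, CardOnFile and Beneficiary at the default severity, each carrying the guard that stopped the downgrade in its TriageHint so an auditor can see why.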

Metrics

  • Real-world smoke scan: v0.1.2 baseline preserved (0C/4H/3M). Zero regressions.
  • Golden fixture: make test-fixture exits 0. Live-path parity verified (42C/83H/27M/43I).

Install

go install github.com/shyshlakov/pci-dss-mcp@v0.1.3

See CHANGELOG.md for the full history.


About shyshlakov/pci-dss-mcp

PCI DSS v4.0.1 static-analysis MCP server for Go payment codebases. 12 scanners detect PAN/CVV exposure, weak crypto, missing audit logs, vulnerable deps, TLS misconfig, auth weaknesses, plus CycloneDX 1.6 SBOM generation - each finding mapped to the exact PCI requirement. AI-assisted triage via triage_findings. Keyless-signed multi-arch Docker image on ghcr.io.
