
shyshlakov/pci-dss-mcp

v0.5.3 Feature

This release adds 3 notable features for engineering teams evaluating rollout.

Published 1 month ago · MCP Security & Auth

No known CVEs patched in this version.

Summary (AI-generated)

Added native Go fuzz coverage for four high‑risk parser surfaces with CI and nightly workflows.

Full changelog

Highlights

Native Go fuzz coverage for four high-risk parser surfaces, plus CI + nightly infrastructure to run them automatically. Zero scanner behavior change — scan counts on the golden fixture remain 49C/89H/27M/0L/59I byte-for-byte with v0.5.2.

Closes OpenSSF Scorecard Fuzzing alert #5.

Fuzz targets (4 × native testing.F)

  • FuzzLuhn — Luhn PAN checksum validator (21 seeds)
  • FuzzWalker — go/ast parse + inspect pipeline used by every AST-based scanner (60 seeds)
  • FuzzCursorDecode — base64 + JSON pagination cursor codec from v0.2.1 hybrid response (12 seeds)
  • FuzzScriptScannerHTML — HTML tokenizer + CSP parser + SRI extractor (15 seeds)

Seed corpora committed under testdata/fuzz/. Crashes auto-save there as permanent regression fixtures.
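To make the release's fuzzing approach concrete, the following is an added illustrative example, not the project's own FuzzLuhn target or seed corpus: a small Luhn PAN validator together with a native testing.F fuzz target in the same style. The names LuhnValid, normalizePAN and luhnSeeds are assumptions, and the seed strings are constructed here. Beyond the "does not panic" check, the target asserts two invariants a practitioner wants from this surface: a valid result always corresponds to a 13–19 ASCII-digit string, and the Luhn checksum rejects every single-digit substitution of a valid PAN.

```go
package main

import (
	"fmt"
	"testing"
)

// luhnSeeds is a constructed seed corpus (not the project's 21 seeds):
// a textbook Luhn-valid test PAN, the same PAN with separators, a wrong
// check digit, digit runs outside the PAN length range, non-ASCII digits
// and the empty string.
var luhnSeeds = []string{
	"4111111111111111",     // valid: widely used Visa-format test number
	"4111 1111 1111 1111",  // valid after stripping spaces
	"4111-1111-1111-1111",  // valid after stripping dashes
	"4111111111111112",     // invalid: last digit wrong
	"411111111111",         // invalid: 12 digits, below PAN minimum
	"41111111111111111111", // invalid: 20 digits, above PAN maximum
	"٤١١١١١١١١١١١١١١١",     // invalid: Arabic-Indic digits are not ASCII
	"",                     // invalid: empty
}

// normalizePAN strips the separators typically seen in source (spaces and
// dashes) and returns the ASCII digit string, or ok=false when the input
// contains any other rune or the digit count is outside the 13..19 PAN
// range. Only ASCII '0'..'9' count as digits: accepting unicode.IsDigit and
// then computing r-'0' is exactly the kind of bug a fuzzer surfaces.
func normalizePAN(s string) (string, bool) {
	digits := make([]byte, 0, len(s))
	for _, r := range s {
		switch {
		case r == ' ' || r == '-':
			continue
		case r >= '0' && r <= '9':
			digits = append(digits, byte(r))
		default:
			return "", false
		}
	}
	if len(digits) < 13 || len(digits) > 19 {
		return "", false
	}
	return string(digits), true
}

// LuhnValid reports whether s is a plausible PAN whose Luhn check digit
// is correct. It must return false, never panic, on arbitrary input.
func LuhnValid(s string) bool {
	d, ok := normalizePAN(s)
	if !ok {
		return false
	}
	sum, double := 0, false
	for i := len(d) - 1; i >= 0; i-- {
		n := int(d[i] - '0')
		if double {
			n *= 2
			if n > 9 {
				n -= 9
			}
		}
		sum += n
		double = !double
	}
	return sum%10 == 0
}

// FuzzLuhn is a native Go fuzz target in the style of the release's
// testing.F targets (illustrative; in a repository it belongs in a
// _test.go file, where Go also loads testdata/fuzz/FuzzLuhn/ as seeds).
func FuzzLuhn(f *testing.F) {
	for _, seed := range luhnSeeds {
		f.Add(seed)
	}
	f.Fuzz(func(t *testing.T, s string) {
		// Property 1: arbitrary input never panics.
		if !LuhnValid(s) {
			return
		}
		// Property 2: a valid verdict implies a well-formed digit string.
		d, ok := normalizePAN(s)
		if !ok {
			t.Fatalf("valid PAN %q failed normalization", s)
		}
		// Property 3: Luhn detects every single-digit substitution.
		for i := range d {
			for c := byte('0'); c <= '9'; c++ {
				if c == d[i] {
					continue
				}
				mut := []byte(d)
				mut[i] = c
				if LuhnValid(string(mut)) {
					t.Fatalf("single-digit change %q -> %q still validates", d, mut)
				}
			}
		}
	})
}

func main() {
	for _, s := range luhnSeeds {
		fmt.Printf("%-24q valid=%v\n", s, LuhnValid(s))
	}
}
```

With the target in a _test.go file, `go test -run='^$' -fuzz=FuzzLuhn -fuzztime=30s` mirrors the 30s-per-target CI smoke run described above; any crashing input is written to testdata/fuzz/FuzzLuhn/ and replayed by plain `go test` from then on, which is the regression-fixture behaviour the release relies on.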

Developer + CI

  • make fuzz — runs all 4 targets for 10s each (~45s wall), FUZZTIME=30s make fuzz for deeper smoke
  • .github/workflows/ci.yml — PR fuzz-smoke matrix: 30s/target, fails on new crash or seed regression
  • .github/workflows/fuzz-nightly.yml — 03:00 UTC cron, 30 min/target, auto-issue + artifact upload on crash, weekly cache key

Docs

  • README: CI badge + Contributing checklist item + "Adding a new fuzz target" extension guide

Install

# Docker
docker pull ghcr.io/shyshlakov/pci-dss-mcp:v0.5.3

# Go install
go install github.com/shyshlakov/pci-dss-mcp@v0.5.3

# MCP Registry (auto-resolving clients)
io.github.shyshlakov/pci-dss-mcp@v0.5.3

Semver

PATCH v0.5.2 → v0.5.3. Dev tooling + CI infrastructure + docs only. No scanner behavior change, no MCP tool contract change, no output schema change.


About shyshlakov/pci-dss-mcp

PCI DSS v4.0.1 static-analysis MCP server for Go payment codebases. 12 scanners detect PAN/CVV exposure, weak crypto, missing audit logs, vulnerable deps, TLS misconfig, auth weaknesses, plus CycloneDX 1.6 SBOM generation - each finding mapped to the exact PCI requirement. AI-assisted triage via triage_findings. Keyless-signed multi-arch Docker image on ghcr.io.
