marketing-shibata50/claude-code-ultimate-guide
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(security): add security hardening guide and hooks v3.6.0

Browse source 
- Add guide/security-hardening.md (~10K) covering:
  - MCP vetting workflow with CVE-2025-53109/53110, 54135, 54136
  - Prompt injection evasion techniques (Unicode, ANSI, null bytes)
  - Secret detection tool comparison (Gitleaks, TruffleHog, GitGuardian)
  - Incident response procedures

- Add 3 new security hooks:
  - unicode-injection-scanner.sh: zero-width, RTL, ANSI escape detection
  - repo-integrity-scanner.sh: scan README/package.json for injection
  - mcp-config-integrity.sh: verify MCP config hash

- Update existing hooks:
  - prompt-injection-detector.sh: +ANSI, +null bytes, +nested cmd
  - output-secrets-scanner.sh: +env leakage, +generic tokens

- Update cross-references in ultimate-guide.md (§7.4, §8.6)
- Move MCP Security Hardening to Done in IDEAS.md

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
Florian BRUNIAUX 2026-01-15 07:39:53 +01:00
parent 55a9fa34cf
commit 34b2ca7200
12 changed files with 986 additions and 22 deletions
Download patch file Download diff file Expand all files Collapse all files

30
IDEAS.md
View file

@ -2,25 +2,25 @@
> Research topics for future guide improvements. Curated and validated.
## High Priority
## Done
### MCP Security Hardening
### MCP Security Hardening
Unified security research covering MCP vulnerabilities, prompt injection, and secret detection.
**Topics:**
- Real-world Tool Shadowing and Confused Deputy incidents
- Prompt injection bypass techniques (Unicode, encoding, obfuscation)
- Secret detection regex patterns (compare GitHub, Gitleaks, TruffleHog)
- Supply chain risks in MCP server ecosystem
**Completed**: [Security Hardening Guide](./guide/security-hardening.md) covers:
- CVE-2025-53109/53110, 54135, 54136 with mitigations
- MCP vetting workflow with 5-minute audit checklist
- MCP Safe List (community vetted)
- Prompt injection evasion techniques (Unicode, ANSI, null bytes)
- Secret detection tool comparison (Gitleaks, TruffleHog, GitGuardian)
- Incident response procedures (secret exposed, MCP compromised)
- 3 new hooks: `unicode-injection-scanner.sh`, `repo-integrity-scanner.sh`, `mcp-config-integrity.sh`
**Perplexity Query:**
```
MCP Model Context Protocol security vulnerabilities 2024-2025:
- Tool shadowing attacks
- Prompt injection bypass techniques for coding assistants
- Secret detection regex patterns comparison (GitHub vs Gitleaks vs TruffleHog)
Include real incidents if documented.
```
---
## High Priority
*(No items currently)*
---