Upload 21 files

DOCKER_SETUP.md

@@ -0,0 +1,127 @@
+# 🚀 Docker Setup для Security Tools MCP
+
+## 📋 Быстрый старт
+
+### 1. Создайте файл `.env`:
+```bash
+# Создайте .env в корне проекта
+touch .env
+```
+
+### 2. Заполните `.env` файл:
+```bash
+# ======================
+# API KEYS
+# ======================
+NEBIUS_API_KEY=your_api_key_here
+CIRCLE_API_URL=https://api.example.com/protect/check_violation
+
+# ======================
+# SERVER CONFIGURATION
+# ======================
+GRADIO_SERVER_NAME=0.0.0.0
+
+# ======================
+# MAIN AGENT PORTS
+# ======================
+AGENT_EXTERNAL_PORT=7860
+AGENT_INTERNAL_PORT=7860
+
+# ======================
+# MCP SERVERS PORTS
+# ======================
+
+# Bandit Security Scanner
+BANDIT_EXTERNAL_PORT=7861
+BANDIT_INTERNAL_PORT=7861
+
+# Detect Secrets Scanner
+DETECT_SECRETS_EXTERNAL_PORT=7862
+DETECT_SECRETS_INTERNAL_PORT=7862
+
+# Pip Audit Scanner
+PIP_AUDIT_EXTERNAL_PORT=7863
+PIP_AUDIT_INTERNAL_PORT=7863
+
+# Circle Test Scanner
+CIRCLE_TEST_EXTERNAL_PORT=7864
+CIRCLE_TEST_INTERNAL_PORT=7864
+
+# Semgrep Scanner
+SEMGREP_EXTERNAL_PORT=7865
+SEMGREP_INTERNAL_PORT=7865
+```
+
+### 3. Запуск:
+```bash
+# Запуск всех сервисов
+docker-compose up --build
+
+# Запуск в фоне
+docker-compose up -d
+
+# Только главный агент + MCP серверы
+docker-compose up security-tools-agent
+```
+
+## 🌐 Доступ к приложениям:
+
+- **🎯 Main Agent**: http://localhost:7860 (основное приложение)
+- **🔒 Bandit**: http://localhost:7861
+- **🔍 Detect Secrets**: http://localhost:7862  
+- **🛡️ Pip Audit**: http://localhost:7863
+- **📋 Circle Test**: http://localhost:7864
+- **🔍 Semgrep**: http://localhost:7865
+
+## ⚙️ Кастомизация портов:
+
+Если порты заняты, измените в `.env`:
+```bash
+# Альтернативные порты
+AGENT_EXTERNAL_PORT=8060
+BANDIT_EXTERNAL_PORT=8061
+DETECT_SECRETS_EXTERNAL_PORT=8062
+PIP_AUDIT_EXTERNAL_PORT=8063
+CIRCLE_TEST_EXTERNAL_PORT=8064
+SEMGREP_EXTERNAL_PORT=8065
+```
+
+## 🔧 Полезные команды:
+
+```bash
+# Статус сервисов
+docker-compose ps
+
+# Логи главного агента
+docker-compose logs security-tools-agent
+
+# Логи всех сервисов
+docker-compose logs -f
+
+# Остановка
+docker-compose down
+
+# Полная очистка
+docker-compose down -v --rmi all
+```
+
+## 🏗️ Архитектура:
+
+```
+┌─────────────────────────────────────────┐
+│           Security Tools Agent          │
+│              (main.py)                  │
+│            Port: 7860                   │
+└─────────────────┬───────────────────────┘
+                  │
+    ┌─────────────┼─────────────┐
+    │             │             │
+    ▼             ▼             ▼
+┌─────────┐  ┌─────────┐  ┌─────────┐
+│ Bandit  │  │Detect   │  │   ...   │
+│ :7861   │  │Secrets  │  │         │
+└─────────┘  │ :7862   │  └─────────┘
+             └─────────┘
+```
+
+Все MCP серверы работают в Docker сети `mcp-network` и общаются через имена сервисов! 

README_2.md

@@ -0,0 +1,513 @@
+# 🔒 Security Tools MCP Collection
+
+Коллекция MCP (Model Context Protocol) оберток для инструментов безопасности.
+
+## 🌟 Features
+
+- **Python Code Security Analysis**: Vulnerability detection through AST analysis
+- **MCP Support**: Integration with any MCP clients
+- **Web Interface**: Convenient Gradio interface for manual testing
+- **Baseline Management**: Create and compare with baseline files
+- **Profile Scanning**: Use specialized security profiles
+- **Flexible Configuration**: Customize severity and confidence levels
+- **Dependency Scanning**: Scan Python environments for known vulnerabilities with pip-audit
+- **Policy Compliance**: Check code against security policies with Circle Test
+- **Static Analysis**: Advanced code analysis with Semgrep
+
+## 🚀 Quick Start
+
+### 1. Install Dependencies
+
+```bash
+pip install -r requirements.txt
+```
+
+### 2. Run Servers
+
+```bash
+# Run Bandit MCP server
+python app.py
+
+# Run Detect Secrets MCP server
+python detect_secrets_mcp.py
+
+# Run Pip Audit MCP server
+python pip_audit_mcp.py
+
+# Run Circle Test MCP server
+python circle_test_mcp.py
+
+# Run Semgrep MCP server
+python semgrep_mcp.py
+```
+
+The servers will be available at:
+- **Bandit Web Interface**: `http://localhost:7860`
+- **Bandit MCP Server**: `http://localhost:7860/gradio_api/mcp/sse`
+- **Bandit MCP Schema**: `http://localhost:7860/gradio_api/mcp/schema`
+- **Detect Secrets Web Interface**: `http://localhost:7861`
+- **Detect Secrets MCP Server**: `http://localhost:7861/gradio_api/mcp/sse`
+- **Detect Secrets MCP Schema**: `http://localhost:7861/gradio_api/mcp/schema`
+- **Pip Audit Web Interface**: `http://localhost:7862`
+- **Pip Audit MCP Server**: `http://localhost:7862/gradio_api/mcp/sse`
+- **Pip Audit MCP Schema**: `http://localhost:7862/gradio_api/mcp/schema`
+- **Circle Test Web Interface**: `http://localhost:7863`
+- **Circle Test MCP Server**: `http://localhost:7863/gradio_api/mcp/sse`
+- **Circle Test MCP Schema**: `http://localhost:7863/gradio_api/mcp/schema`
+- **Semgrep Web Interface**: `http://localhost:7864`
+- **Semgrep MCP Server**: `http://localhost:7864/gradio_api/mcp/sse`
+- **Semgrep MCP Schema**: `http://localhost:7864/gradio_api/mcp/schema`
+
+## 🔧 Available Tools
+
+### 1. Bandit Tools
+
+#### 1.1 `bandit_scan` - Basic Scanning
+
+Analyzes Python code for security issues.
+
+**Parameters:**
+- `code_input`: Python code or path to file/directory
+- `scan_type`: "code" (direct code) or "path" (file/directory)
+- `severity_level`: "low", "medium", "high"
+- `confidence_level`: "low", "medium", "high"  
+- `output_format`: "json", "txt"
+
+**Usage Example:**
+```python
+bandit_scan(
+    code_input="eval(user_input)",
+    scan_type="code",
+    severity_level="medium",
+    confidence_level="high"
+)
+```
+
+#### 1.2 `bandit_baseline` - Baseline Management
+
+Creates baseline file or compares with existing one.
+
+**Parameters:**
+- `target_path`: Path to project for analysis
+- `baseline_file`: Path to baseline file
+
+#### 1.3 `bandit_profile_scan` - Profile Scanning
+
+Runs scanning using specific security profile.
+
+**Parameters:**
+- `target_path`: Path to project
+- `profile_name`: "ShellInjection", "SqlInjection", "Crypto", "Subprocess"
+
+### 2. Detect Secrets Tools
+
+#### 2.1 `detect_secrets_scan` - Basic Scanning
+
+Scans code for secrets using detect-secrets.
+
+**Parameters:**
+- `code_input`: Code to scan or path to file/directory
+- `scan_type`: "code" (direct code) or "path" (file/directory)
+- `base64_limit`: Entropy limit for base64 strings (0.0-8.0)
+- `hex_limit`: Entropy limit for hex strings (0.0-8.0)
+- `exclude_lines`: Regex pattern for lines to exclude
+- `exclude_files`: Regex pattern for files to exclude
+- `exclude_secrets`: Regex pattern for secrets to exclude
+- `word_list`: Path to word list file
+- `output_format`: "json" or "txt"
+
+**Usage Example:**
+```python
+detect_secrets_scan(
+    code_input="API_KEY = 'sk_live_51H1h2K3L4M5N6O7P8Q9R0S1T2U3V4W5X6Y7Z8'",
+    scan_type="code",
+    base64_limit=4.5,
+    hex_limit=3.0
+)
+```
+
+#### 2.2 `detect_secrets_baseline` - Baseline Management
+
+Creates or updates a baseline file for detect-secrets.
+
+**Parameters:**
+- `target_path`: Path to code for analysis
+- `baseline_file`: Path to baseline file
+- `base64_limit`: Entropy limit for base64 strings
+- `hex_limit`: Entropy limit for hex strings
+
+#### 2.3 `detect_secrets_audit` - Baseline Audit
+
+Audits a detect-secrets baseline file.
+
+**Parameters:**
+- `baseline_file`: Path to baseline file
+- `show_stats`: Show statistics
+- `show_report`: Show report
+- `only_real`: Only show real secrets
+- `only_false`: Only show false positives
+
+### 3. Pip Audit Tools
+
+#### 3.1 `pip_audit_scan` - Basic Scanning
+
+Scans Python environment for known vulnerabilities using pip-audit.
+
+**Parameters:**
+- No parameters required - scans current Python environment
+
+**Usage Example:**
+```python
+pip_audit_scan()
+```
+
+**Example Output:**
+```json
+{
+  "success": true,
+  "results": {
+    "vulnerabilities": [
+      {
+        "name": "package-name",
+        "installed_version": "1.0.0",
+        "fixed_version": "1.0.1",
+        "description": "Vulnerability description",
+        "aliases": ["CVE-2024-XXXX"]
+      }
+    ]
+  }
+}
+```
+
+### 4. Circle Test Tools
+
+#### 4.1 `check_violation` - Policy Compliance Check
+
+Checks code against security policies.
+
+**Parameters:**
+- `code_input`: Code to check
+- `policies`: Dictionary of security policies
+
+**Usage Example:**
+```python
+check_violation(
+    code_input="def read_file(filename):\n    with open(filename, 'r') as f:\n        return f.read()",
+    policies={
+        "1": "Presence of SPDX-License-Identifier...",
+        "2": "Presence of plaintext credentials..."
+    }
+)
+```
+
+**Example Output:**
+```json
+{
+  "success": true,
+  "results": {
+    "1": {
+      "policy": "Presence of SPDX-License-Identifier...",
+      "violation": "no"
+    },
+    "2": {
+      "policy": "Presence of plaintext credentials...",
+      "violation": "yes"
+    }
+  }
+}
+```
+
+### 5. Semgrep Tools
+
+#### 5.1 `semgrep_scan` - Basic Scanning
+
+Scans code using Semgrep rules.
+
+**Parameters:**
+- `code_input`: Code to scan or path to file/directory
+- `scan_type`: "code" (direct code) or "path" (file/directory)
+- `rules`: Rules to use (e.g., "p/default" or path to rules file)
+- `output_format`: "json" or "text"
+
+**Usage Example:**
+```python
+semgrep_scan(
+    code_input="def get_user(user_id):\n    query = f'SELECT * FROM users WHERE id = {user_id}'\n    return db.execute(query)",
+    scan_type="code",
+    rules="p/default",
+    output_format="json"
+)
+```
+
+#### 5.2 `semgrep_list_rules` - List Available Rules
+
+Lists available Semgrep rules.
+
+**Parameters:**
+- No parameters required
+
+**Usage Example:**
+```python
+semgrep_list_rules()
+```
+
+## 🎯 What Bandit Detects
+
+- **Insecure Functions**: `exec()`, `eval()`, `compile()`
+- **Hardcoded Passwords**: Hard-coded secrets in code
+- **Insecure Serialization**: Using `pickle` without validation
+- **SQL Injections**: Unsafe SQL query formation
+- **Shell Injections**: Command execution with `shell=True`
+- **SSL Issues**: Missing certificate verification
+- **Weak Encryption Algorithms**: Using outdated methods
+- **File Permission Issues**: Insecure file permissions
+
+## 🔍 What Detect Secrets Detects
+
+- **API Keys**: Various service API keys
+- **Passwords**: High entropy strings that look like passwords
+- **Private Keys**: RSA, SSH, and other private keys
+- **OAuth Tokens**: Various OAuth tokens
+- **AWS Keys**: AWS access and secret keys
+- **GitHub Tokens**: GitHub personal access tokens
+- **Slack Tokens**: Slack API tokens
+- **Stripe Keys**: Stripe API keys
+- **And More**: Many other types of secrets
+
+## 🛡️ What Pip Audit Detects
+
+- **Known Vulnerabilities**: CVE and other security advisories
+- **Outdated Dependencies**: Packages with known security issues
+- **Version Conflicts**: Incompatible package versions
+- **Deprecated Packages**: Packages that are no longer maintained
+- **Supply Chain Issues**: Compromised or malicious packages
+
+## 📋 What Circle Test Checks
+
+- **License Compliance**: SPDX-License-Identifier presence and validity
+- **Credential Management**: Plaintext credentials in configuration files
+- **Code Quality**: TODO/FIXME tags in production code
+- **Security Best Practices**: HTTP usage, logging of sensitive data
+- **API Usage**: Deprecated API calls
+- **Input Validation**: Unsanitized user input in commands
+- **File Operations**: Unsafe file path handling
+- **Database Security**: SQL injection prevention
+- **Path Management**: Absolute path usage
+- **Environment Management**: Production environment references
+- **Dependency Management**: Version pinning in lock files
+
+## 🔍 What Semgrep Detects
+
+- **Security Vulnerabilities**: SQL injection, command injection, path traversal
+- **Code Quality Issues**: Anti-patterns, best practices violations
+- **Custom Rules**: User-defined security and style rules
+- **Language-Specific Issues**: Language-specific vulnerabilities
+- **Framework-Specific Issues**: Framework-specific security concerns
+
+## 🧪 Vulnerable Code Examples
+
+### 1. Using eval()
+```python
+user_input = "print('hello')"
+eval(user_input)  # B307: Use of possibly insecure function
+```
+
+### 2. Hardcoded password
+```python
+password = "secret123"  # B105: Possible hardcoded password
+```
+
+### 3. Insecure subprocess
+```python
+import subprocess
+subprocess.call("ls -la", shell=True)  # B602: subprocess call with shell=True
+```
+
+### 4. Using pickle
+```python
+import pickle
+data = pickle.loads(user_data)  # B301: Pickle usage
+```
+
+### 5. API Key
+```python
+API_KEY = "sk_live_51H1h2K3L4M5N6O7P8Q9R0S1T2U3V4W5X6Y7Z8"  # Detect Secrets: API Key
+```
+
+### 6. Private Key
+```python
+private_key = "-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEA..."  # Detect Secrets: Private Key
+```
+
+## 🌐 MCP Client Integration
+
+### Configuration for Cursor IDE
+
+```json
+{
+  "mcpServers": {
+    "bandit-security": {
+      "command": "npx",
+      "args": [
+        "-y", 
+        "mcp-remote", 
+        "http://localhost:7860/gradio_api/mcp/sse",
+        "--transport", 
+        "sse-only"
+      ]
+    },
+    "detect-secrets": {
+      "command": "npx",
+      "args": [
+        "-y", 
+        "mcp-remote", 
+        "http://localhost:7861/gradio_api/mcp/sse",
+        "--transport", 
+        "sse-only"
+      ]
+    },
+    "pip-audit": {
+      "command": "npx",
+      "args": [
+        "-y", 
+        "mcp-remote", 
+        "http://localhost:7862/gradio_api/mcp/sse",
+        "--transport", 
+        "sse-only"
+      ]
+    },
+    "circle-test": {
+      "command": "npx",
+      "args": [
+        "-y", 
+        "mcp-remote", 
+        "http://localhost:7863/gradio_api/mcp/sse",
+        "--transport", 
+        "sse-only"
+      ]
+    },
+    "semgrep": {
+      "command": "npx",
+      "args": [
+        "-y", 
+        "mcp-remote", 
+        "http://localhost:7864/gradio_api/mcp/sse",
+        "--transport", 
+        "sse-only"
+      ]
+    }
+  }
+}
+```
+
+### Configuration for Other MCP Clients
+
+```json
+{
+  "servers": [
+    {
+      "name": "Bandit Security Scanner",
+      "transport": {
+        "type": "sse",
+        "url": "http://localhost:7860/gradio_api/mcp/sse"
+      }
+    },
+    {
+      "name": "Detect Secrets Scanner",
+      "transport": {
+        "type": "sse",
+        "url": "http://localhost:7861/gradio_api/mcp/sse"
+      }
+    },
+    {
+      "name": "Pip Audit Scanner",
+      "transport": {
+        "type": "sse",
+        "url": "http://localhost:7862/gradio_api/mcp/sse"
+      }
+    },
+    {
+      "name": "Circle Test Scanner",
+      "transport": {
+        "type": "sse",
+        "url": "http://localhost:7863/gradio_api/mcp/sse"
+      }
+    },
+    {
+      "name": "Semgrep Scanner",
+      "transport": {
+        "type": "sse",
+        "url": "http://localhost:7864/gradio_api/mcp/sse"
+      }
+    }
+  ]
+}
+```
+
+## 📊 Results Format
+
+### JSON Scan Result
+```json
+{
+  "success": true,
+  "results": {
+    "errors": [],
+    "generated_at": "2024-01-01T12:00:00Z",
+    "metrics": {
+      "_totals": {
+        "CONFIDENCE.HIGH": 1,
+        "SEVERITY.MEDIUM": 1,
+        "loc": 10,
+        "nosec": 0
+      }
+    },
+    "results": [
+      {
+        "code": "eval(user_input)",
+        "filename": "/tmp/example.py",
+        "issue_confidence": "HIGH",
+        "issue_severity": "MEDIUM",
+        "issue_text": "Use of possibly insecure function - consider using safer alternatives.",
+        "line_number": 2,
+        "line_range": [2],
+        "test_id": "B307",
+        "test_name": "blacklist"
+      }
+    ]
+  }
+}
+```
+
+## 🚀 Deploy on Hugging Face Spaces
+
+1. Create a new Space on Hugging Face
+2. Choose Gradio SDK
+3. Upload `app.py`, `detect_secrets_mcp.py`, `pip_audit_mcp.py`, `circle_test_mcp.py`, `semgrep_mcp.py` and `requirements.txt` files
+4. MCP servers will be available at:
+   - Bandit: `https://YOUR_USERNAME-bandit-mcp.hf.space/gradio_api/mcp/sse`
+   - Detect Secrets: `https://YOUR_USERNAME-detect-secrets-mcp.hf.space/gradio_api/mcp/sse`
+   - Pip Audit: `https://YOUR_USERNAME-pip-audit-mcp.hf.space/gradio_api/mcp/sse`
+   - Circle Test: `https://YOUR_USERNAME-circle-test-mcp.hf.space/gradio_api/mcp/sse`
+   - Semgrep: `https://YOUR_USERNAME-semgrep-mcp.hf.space/gradio_api/mcp/sse`
+
+## 🤝 AI Agent Integration
+
+This MCP server can be integrated with any AI agents supporting MCP:
+
+- **Claude Desktop**: Through MCP configuration
+- **Cursor IDE**: Through MCP server settings  
+- **Tiny Agents**: Through JavaScript or Python clients
+- **Custom Agents**: Through HTTP+SSE or stdio
+
+## 📖 Additional Resources
+
+- [Bandit Documentation](https://bandit.readthedocs.io/)
+- [Detect Secrets Documentation](https://github.com/Yelp/detect-secrets)
+- [Pip Audit Documentation](https://pypi.org/project/pip-audit/)
+- [Semgrep Documentation](https://semgrep.dev/docs/)
+- [MCP Specification](https://spec.modelcontextprotocol.io/)
+- [Gradio MCP Integration](https://gradio.app/guides/mcp-integration/)
+
+---
+
+**Note**: Bandit, Detect Secrets, Pip Audit, Circle Test, and Semgrep are static analyzers and cannot detect all types of vulnerabilities. Use them as part of a comprehensive security strategy. 

agent.json

@@ -0,0 +1,16 @@
+{
+  "model": "Qwen/Qwen2.5-72B-Instruct",
+  "provider": "nebius",
+  "servers": [
+    {
+      "type": "stdio",
+      "config": {
+        "command": "npx",
+        "args": [
+          "mcp-remote",
+          "http://localhost:7860/gradio_api/mcp/sse"
+        ]
+      }
+    }
+  ]
+} 

agent_requirements.txt

@@ -0,0 +1,134 @@
+agno==1.5.10
+aiofiles==24.1.0
+aiohappyeyeballs==2.6.1
+aiohttp>=3.8.0
+aiosignal==1.3.2
+altair==5.5.0
+annotated-types==0.7.0
+attrs==25.3.0
+bandit[toml,baseline,sarif]>=1.7.0
+blinker==1.9.0
+boltons==21.0.0
+boolean.py==5.0
+bracex==2.5.post1
+CacheControl==0.14.3
+cachetools==5.5.2
+certifi==2025.4.26
+charset-normalizer==3.4.2
+click==8.1.8
+click-option-group==0.5.7
+colorama==0.4.6
+cyclonedx-python-lib>=5,<9
+defusedxml==0.7.1
+Deprecated==1.2.18
+detect-secrets>=1.0.0
+distro==1.9.0
+docstring_parser==0.16
+exceptiongroup==1.2.2
+face==24.0.0
+fastapi>=0.100.0
+ffmpy==0.6.0
+filelock==3.18.0
+frozenlist==1.6.2
+fsspec==2025.5.1
+gitdb==4.0.12
+GitPython==3.1.44
+glom==22.1.0
+googleapis-common-protos==1.70.0
+gradio==5.33.0
+gradio_client==1.10.2
+groovy==0.1.2
+h11==0.16.0
+hf-xet==1.1.3
+httpcore==1.0.9
+httpx==0.28.1
+httpx-sse==0.4.0
+huggingface-hub==0.32.4
+idna==3.10
+importlib_metadata==7.1.0
+Jinja2==3.1.6
+jiter==0.10.0
+jsonschema==4.24.0
+jsonschema-specifications==2025.4.1
+license-expression==30.4.1
+markdown-it-py==3.0.0
+MarkupSafe==3.0.2
+mcp>=1.0.0
+mdurl==0.1.2
+msgpack==1.1.0
+multidict==6.4.4
+narwhals==1.41.1
+numpy==2.2.6
+openai==1.84.0
+opentelemetry-api==1.25.0
+opentelemetry-exporter-otlp-proto-common==1.25.0
+opentelemetry-exporter-otlp-proto-http==1.25.0
+opentelemetry-instrumentation==0.46b0
+opentelemetry-instrumentation-requests==0.46b0
+opentelemetry-proto==1.25.0
+opentelemetry-sdk==1.25.0
+opentelemetry-semantic-conventions==0.46b0
+opentelemetry-util-http==0.46b0
+orjson==3.10.18
+packageurl-python==0.17.1
+packaging>=20.9,<25
+pandas==2.3.0
+pbr==6.1.1
+peewee==3.18.1
+pillow==11.2.1
+pip-api==0.0.34
+pip-requirements-parser==32.0.1
+pip-audit>=2.0.0
+platformdirs==4.3.8
+propcache==0.3.1
+protobuf==4.25.8
+py-serializable>=1.1.1,<2.0.0
+pyarrow==20.0.0
+pydantic==2.11.5
+pydantic-settings==2.9.1
+pydantic_core==2.33.2
+pydeck==0.9.1
+pydub==0.25.1
+Pygments==2.19.1
+pyparsing==3.2.3
+python-dateutil==2.9.0.post0
+python-dotenv>=0.19.0
+python-multipart==0.0.20
+pytz==2025.2
+PyYAML==6.0.2
+referencing==0.36.2
+requests==2.32.3
+rich==13.5.3
+rpds-py==0.25.1
+ruamel.yaml==0.18.13
+ruamel.yaml.clib==0.2.12
+ruff==0.11.13
+safehttpx==0.1.6
+semantic-version==2.10.0
+semgrep==1.124.0
+shellingham==1.5.4
+six==1.17.0
+smmap==5.0.2
+sniffio==1.3.1
+sortedcontainers==2.4.0
+sse-starlette==2.3.6
+starlette>=0.27.0
+stevedore==5.4.1
+streamlit==1.45.1
+tenacity==9.1.2
+toml==0.10.2
+tomli==2.0.2
+tomlkit==0.13.3
+tornado==6.5.1
+tqdm==4.67.1
+typer==0.16.0
+typing-inspection==0.4.1
+typing_extensions==4.14.0
+tzdata==2025.2
+urllib3==2.4.0
+uvicorn>=0.23.0
+wcmatch==8.5.2
+websockets==15.0.1
+wrapt==1.17.2
+yarl==1.20.0
+zipp==3.22.0

bandit_mcp.py

@@ -0,0 +1,347 @@
+import gradio as gr
+import subprocess
+import json
+import os
+import tempfile
+from typing import Dict, List, Optional
+from pathlib import Path
+
+def bandit_scan(
+    code_input: str,
+    scan_type: str = "code",
+    severity_level: str = "low",
+    confidence_level: str = "low",
+    output_format: str = "json"
+) -> Dict:
+    """
+    Analyzes Python code for security issues using Bandit.
+    
+    Args:
+        code_input (str): Python code for analysis or path to file/directory
+        scan_type (str): Scan type - 'code' for direct code or 'path' for file/directory
+        severity_level (str): Minimum severity level - 'low', 'medium', 'high'
+        confidence_level (str): Minimum confidence level - 'low', 'medium', 'high'
+        output_format (str): Output format - 'json', 'txt', 'xml'
+    
+    Returns:
+        Dict: Security analysis results
+    """
+    try:
+        # Create temporary file or use existing path
+        if scan_type == "code":
+            # Create temporary file with code
+            with tempfile.NamedTemporaryFile(mode='w', suffix='.py', delete=False) as tmp_file:
+                tmp_file.write(code_input)
+                target_path = tmp_file.name
+        else:
+            # Use existing path
+            target_path = code_input
+            if not os.path.exists(target_path):
+                return {
+                    "error": f"Path not found: {target_path}",
+                    "success": False
+                }
+        
+        # Build bandit command
+        cmd = ["bandit"]
+        
+        # Add severity level flags
+        if severity_level == "medium":
+            cmd.append("-ll")
+        elif severity_level == "high":
+            cmd.append("-lll")
+        
+        # Add confidence level flags
+        if confidence_level == "medium":
+            cmd.append("-ii")
+        elif confidence_level == "high":
+            cmd.append("-iii")
+        
+        # Add output format
+        if output_format == "json":
+            cmd.extend(["-f", "json"])
+        elif output_format == "xml":
+            cmd.extend(["-f", "xml"])
+        
+        # Add recursive scanning for directories
+        if scan_type == "path" and os.path.isdir(target_path):
+            cmd.append("-r")
+        
+        # Add scan target path
+        cmd.append(target_path)
+        
+        # Execute command
+        result = subprocess.run(cmd, capture_output=True, text=True)
+        
+        # Remove temporary file if created
+        if scan_type == "code":
+            try:
+                os.unlink(target_path)
+            except:
+                pass
+        
+        # Process result
+        if output_format == "json":
+            try:
+                output_data = json.loads(result.stdout) if result.stdout else {}
+                return {
+                    "success": True,
+                    "results": output_data,
+                    "stderr": result.stderr,
+                    "return_code": result.returncode
+                }
+            except json.JSONDecodeError:
+                return {
+                    "success": False,
+                    "error": "JSON parsing error",
+                    "stdout": result.stdout,
+                    "stderr": result.stderr,
+                    "return_code": result.returncode
+                }
+        else:
+            return {
+                "success": True,
+                "output": result.stdout,
+                "stderr": result.stderr,
+                "return_code": result.returncode
+            }
+            
+    except Exception as e:
+        return {
+            "success": False,
+            "error": f"Error executing Bandit: {str(e)}"
+        }
+
+def bandit_baseline(
+    target_path: str,
+    baseline_file: str
+) -> Dict:
+    """
+    Creates baseline file for Bandit or compares with existing baseline.
+    
+    Args:
+        target_path (str): Path to code for analysis
+        baseline_file (str): Path to baseline file
+    
+    Returns:
+        Dict: Result of baseline creation or comparison
+    """
+    try:
+        if not os.path.exists(target_path):
+            return {
+                "error": f"Path not found: {target_path}",
+                "success": False
+            }
+        
+        # If baseline file doesn't exist, create it
+        if not os.path.exists(baseline_file):
+            cmd = ["bandit", "-r", target_path, "-f", "json", "-o", baseline_file]
+            result = subprocess.run(cmd, capture_output=True, text=True)
+            
+            return {
+                "success": True,
+                "action": "created",
+                "message": f"Baseline file created: {baseline_file}",
+                "return_code": result.returncode,
+                "stderr": result.stderr
+            }
+        else:
+            # Compare with existing baseline
+            cmd = ["bandit", "-r", target_path, "-b", baseline_file, "-f", "json"]
+            result = subprocess.run(cmd, capture_output=True, text=True)
+            
+            try:
+                output_data = json.loads(result.stdout) if result.stdout else {}
+                return {
+                    "success": True,
+                    "action": "compared",
+                    "results": output_data,
+                    "return_code": result.returncode,
+                    "stderr": result.stderr
+                }
+            except json.JSONDecodeError:
+                return {
+                    "success": False,
+                    "error": "JSON parsing error when comparing with baseline",
+                    "stdout": result.stdout,
+                    "stderr": result.stderr
+                }
+                
+    except Exception as e:
+        return {
+            "success": False,
+            "error": f"Error working with baseline: {str(e)}"
+        }
+
+def bandit_profile_scan(
+    target_path: str,
+    profile_name: str = "ShellInjection"
+) -> Dict:
+    """
+    Runs Bandit with a specific security profile.
+    
+    Args:
+        target_path (str): Path to code for analysis
+        profile_name (str): Profile name (e.g., 'ShellInjection')
+    
+    Returns:
+        Dict: Analysis results using the profile
+    """
+    try:
+        if not os.path.exists(target_path):
+            return {
+                "error": f"Path not found: {target_path}",
+                "success": False
+            }
+        
+        cmd = ["bandit", "-p", profile_name, "-f", "json"]
+        
+        if os.path.isdir(target_path):
+            cmd.extend(["-r", target_path])
+        else:
+            cmd.append(target_path)
+        
+        result = subprocess.run(cmd, capture_output=True, text=True)
+        
+        try:
+            output_data = json.loads(result.stdout) if result.stdout else {}
+            return {
+                "success": True,
+                "profile": profile_name,
+                "results": output_data,
+                "return_code": result.returncode,
+                "stderr": result.stderr
+            }
+        except json.JSONDecodeError:
+            return {
+                "success": False,
+                "error": "JSON parsing error",
+                "stdout": result.stdout,
+                "stderr": result.stderr
+            }
+            
+    except Exception as e:
+        return {
+            "success": False,
+            "error": f"Error executing profile scan: {str(e)}"
+        }
+
+# Create Gradio interfaces
+with gr.Blocks(title="Bandit Security Scanner MCP") as demo:
+    gr.Markdown("# 🔒 Bandit Security Scanner")
+    gr.Markdown("Python code security analyzer with MCP support")
+    
+    with gr.Tab("Basic Scanning"):
+        with gr.Row():
+            with gr.Column():
+                scan_type = gr.Radio(
+                    choices=["code", "path"],
+                    value="code",
+                    label="Scan Type"
+                )
+                code_input = gr.Textbox(
+                    lines=10,
+                    placeholder="Enter Python code or path to file/directory...",
+                    label="Code or Path"
+                )
+                severity = gr.Dropdown(
+                    choices=["low", "medium", "high"],
+                    value="low",
+                    label="Minimum Severity Level"
+                )
+                confidence = gr.Dropdown(
+                    choices=["low", "medium", "high"],
+                    value="low", 
+                    label="Minimum Confidence Level"
+                )
+                output_format = gr.Dropdown(
+                    choices=["json", "txt"],
+                    value="json",
+                    label="Output Format"
+                )
+                scan_btn = gr.Button("🔍 Scan", variant="primary")
+            
+            with gr.Column():
+                scan_output = gr.JSON(label="Scan Results")
+        
+        scan_btn.click(
+            fn=bandit_scan,
+            inputs=[code_input, scan_type, severity, confidence, output_format],
+            outputs=scan_output
+        )
+    
+    with gr.Tab("Baseline Management"):
+        with gr.Row():
+            with gr.Column():
+                baseline_path = gr.Textbox(
+                    label="Project Path",
+                    placeholder="/path/to/your/project"
+                )
+                baseline_file = gr.Textbox(
+                    label="Baseline File Path",
+                    placeholder="/path/to/baseline.json"
+                )
+                baseline_btn = gr.Button("📋 Create/Compare Baseline", variant="secondary")
+            
+            with gr.Column():
+                baseline_output = gr.JSON(label="Baseline Results")
+        
+        baseline_btn.click(
+            fn=bandit_baseline,
+            inputs=[baseline_path, baseline_file],
+            outputs=baseline_output
+        )
+    
+    with gr.Tab("Profile Scanning"):
+        with gr.Row():
+            with gr.Column():
+                profile_path = gr.Textbox(
+                    label="Project Path",
+                    placeholder="/path/to/your/project"
+                )
+                profile_name = gr.Dropdown(
+                    choices=["ShellInjection", "SqlInjection", "Crypto", "Subprocess"],
+                    value="ShellInjection",
+                    label="Security Profile"
+                )
+                profile_btn = gr.Button("🎯 Scan with Profile", variant="secondary")
+            
+            with gr.Column():
+                profile_output = gr.JSON(label="Profile Scan Results")
+        
+        profile_btn.click(
+            fn=bandit_profile_scan,
+            inputs=[profile_path, profile_name],
+            outputs=profile_output
+        )
+    
+    with gr.Tab("Examples"):
+        gr.Markdown("""
+        ## 🚨 Vulnerable code examples for testing:
+        
+        ### 1. Using eval()
+        ```python
+        user_input = "print('hello')"
+        eval(user_input)  # B307: Use of possibly insecure function
+        ```
+        
+        ### 2. Hardcoded password
+        ```python
+        password = "secret123"  # B105: Possible hardcoded password
+        ```
+        
+        ### 3. Insecure subprocess
+        ```python
+        import subprocess
+        subprocess.call("ls -la", shell=True)  # B602: subprocess call with shell=True
+        ```
+        
+        ### 4. Using pickle
+        ```python
+        import pickle
+        data = pickle.loads(user_data)  # B301: Pickle usage
+        ```
+        """)
+
+if __name__ == "__main__":
+    demo.launch(mcp_server=True)

circle_test_mcp.py

@@ -0,0 +1,154 @@
+#!/usr/bin/env python3
+"""
+MCP server for Circle Test - a tool for checking code against security policies
+"""
+
+import gradio as gr
+import aiohttp
+import asyncio
+import ssl
+import os
+from typing import Dict, List
+from dotenv import load_dotenv
+
+# Загружаем переменные окружения
+load_dotenv()
+
+# Получаем URL из переменных окружения
+CIRCLE_API_URL = os.getenv('CIRCLE_API_URL', 'https://api.example.com/protect/check_violation')
+
+async def check_violation(prompt: str, policies: Dict[str, str]) -> Dict:
+    """
+    Проверяет код на соответствие политикам безопасности.
+    
+    Args:
+        prompt (str): Код для проверки
+        policies (Dict[str, str]): Словарь политик безопасности
+    
+    Returns:
+        Dict: Результаты проверки
+    """
+    try:
+        payload = {
+            "dialog": [
+                {
+                    "role": "assistant",
+                    "content": prompt
+                }
+            ],
+            "policies": policies
+        }
+
+        # Создаем SSL-контекст
+        ssl_context = ssl.create_default_context()
+        ssl_context.check_hostname = False
+        ssl_context.verify_mode = ssl.CERT_NONE
+
+        async with aiohttp.ClientSession() as session:
+            async with session.post(
+                CIRCLE_API_URL,
+                json=payload,
+                timeout=30,
+                ssl=ssl_context
+            ) as response:
+                result = await response.json()
+                
+                # Преобразуем результат в более читаемый формат
+                if 'policies' in result:
+                    formatted_result = {}
+                    for policy_num, value in result['policies'].items():
+                        policy_text = policies.get(policy_num, "Unknown policy")
+                        formatted_result[policy_num] = {
+                            "policy": policy_text,
+                            "violation": "yes" if value == 1 else "no"
+                        }
+                    return {
+                        "success": True,
+                        "results": formatted_result
+                    }
+                return {
+                    "success": False,
+                    "error": "Invalid response format"
+                }
+
+    except Exception as e:
+        return {
+            "success": False,
+            "error": f"Error checking violations: {str(e)}"
+        }
+
+# Создаем Gradio интерфейс
+with gr.Blocks(title="Circle Test MCP") as demo:
+    gr.Markdown("# 🔍 Circle Test Scanner")
+    gr.Markdown("Security policy compliance checker with MCP support")
+
+    with gr.Tab("Policy Check"):
+        with gr.Row():
+            with gr.Column():
+                code_input = gr.Textbox(
+                    lines=10,
+                    placeholder="Enter code to check...",
+                    label="Code"
+                )
+                check_btn = gr.Button("🔍 Check Policies", variant="primary")
+            
+            with gr.Column():
+                check_output = gr.JSON(label="Check Results")
+
+        check_btn.click(
+            fn=check_violation,
+            inputs=[
+                code_input,
+                gr.State({
+                    "1": "Presence of SPDX-License-Identifier with an ID not in the approved list, or missing SPDX tag in top-level LICENSE file.",
+                    "2": "Presence of plaintext credentials (passwords, tokens, keys) in configuration files (YAML, JSON, .env, etc.).",
+                    "3": "Presence of TODO or FIXME tags in comments inside non-test production code files.",
+                    "4": "Presence of any string literal starting with http:// not wrapped in a validated secure-client.",
+                    "5": "Presence of logging statements that output sensitive data (user PII, private keys, passwords, tokens) without masking or hashing.",
+                    "6": "Presence of calls to deprecated or outdated APIs (functions or methods marked as deprecated).",
+                    "7": "Presence of subprocess or os.system calls where user input is concatenated directly without proper sanitization or escaping.",
+                    "8": "Presence of file read/write operations using paths derived directly from user input without normalization or path-traversal checks.",
+                    "9": "Presence of SQL queries built using string concatenation with user input instead of parameterized queries or ORM methods.",
+                    "10": "Presence of string literals matching absolute filesystem paths (e.g., \"/home/...\" or \"C:\\\\...\") rather than relative paths or environment variables.",
+                    "11": "Presence of hostnames or URLs containing \"prod\", \"production\", or \"release\" that reference production databases or services in non-test code.",
+                    "12": "Presence of dependencies in lock files (Pipfile.lock or requirements.txt) without exact version pins (using version ranges like \">=\" or \"~=\" without a fixed version).",
+                    "13": "Presence of hashlib.md5(...) or any MD5-based hashing, since MD5 is cryptographically broken (use SHA-256 or better).",
+                    "14": "Presence of pdb.set_trace() or other pdb imports, as debug statements should not remain in production code.",
+                    "15": "Presence of logging.debug($SENSITIVE) or similar logging calls that output sensitive information without redaction.",
+                    "16": "Presence of re.compile($USER_INPUT) where $USER_INPUT is unsanitized, since this can lead to ReDoS attacks.",
+                    "17": "Presence of xml.etree.ElementTree.parse($USER_INPUT) without secure parsing, leading to XXE vulnerabilities.",
+                    "18": "Presence of zipfile.ZipFile($USER_INPUT) or similar extraction calls on untrusted zips, which can cause path traversal.",
+                    "19": "Presence of tarfile.open($USER_INPUT) on untrusted tar files, leading to path traversal vulnerabilities.",
+                    "20": "Presence of os.chmod($PATH, 0o777) or equivalent setting overly permissive permissions, which is insecure.",
+                    "21": "Presence of os.environ[$KEY] = $VALUE modifying environment variables at runtime, which can introduce security risks."
+                })
+            ],
+            outputs=check_output
+        )
+
+    with gr.Tab("Examples"):
+        gr.Markdown("""
+        ## 🚨 Examples of code to check:
+        
+        ### 1. Insecure File Operations
+        ```python
+        def read_file(filename):
+            with open(filename, "r") as f:
+                return f.read()
+        ```
+        
+        ### 2. Hardcoded Credentials
+        ```python
+        DB_PASSWORD = "secret123"
+        API_KEY = "sk_live_51H1h2K3L4M5N6O7P8Q9R0S1T2U3V4W5X6Y7Z8"
+        ```
+        
+        ### 3. Insecure Subprocess
+        ```python
+        import subprocess
+        subprocess.call(f"ls {user_input}", shell=True)
+        ```
+        """)
+
+if __name__ == "__main__":
+    demo.launch(mcp_server=True) 

detect_secrets_mcp.py

@@ -0,0 +1,479 @@
+#!/usr/bin/env python3
+"""
+MCP server for detect-secrets - a tool for detecting secrets in code
+"""
+
+import gradio as gr
+import subprocess
+import json
+import os
+import tempfile
+from typing import Dict, List, Optional
+from pathlib import Path
+
+def detect_secrets_scan(
+    code_input: str,
+    scan_type: str = "code",
+    base64_limit: float = 3.0,
+    hex_limit: float = 2.0,
+    exclude_lines: str = "",
+    exclude_files: str = "",
+    exclude_secrets: str = "",
+    word_list: str = "",
+    output_format: str = "json"
+) -> Dict:
+    """
+    Scans code for secrets using detect-secrets.
+    
+    Args:
+        code_input (str): Code to scan or path to file/directory
+        scan_type (str): Scan type - 'code' for direct code or 'path' for file/directory
+        base64_limit (float): Entropy limit for base64 strings (0.0-8.0)
+        hex_limit (float): Entropy limit for hex strings (0.0-8.0)
+        exclude_lines (str): Regex pattern for lines to exclude
+        exclude_files (str): Regex pattern for files to exclude
+        exclude_secrets (str): Regex pattern for secrets to exclude
+        word_list (str): Path to word list file
+        output_format (str): Output format - 'json' or 'txt'
+    
+    Returns:
+        Dict: Scan results
+    """
+    try:
+        print(f"Debug: Input code length: {len(code_input)}")
+        print(f"Debug: First 100 chars: {code_input[:100]}")
+        
+        # Build detect-secrets command
+        cmd = ["detect-secrets", "scan"]
+        
+        # Add entropy limits
+        cmd.extend(["--base64-limit", str(base64_limit)])
+        cmd.extend(["--hex-limit", str(hex_limit)])
+        
+        # Add exclude patterns
+        if exclude_lines:
+            cmd.extend(["--exclude-lines", exclude_lines])
+        if exclude_files:
+            cmd.extend(["--exclude-files", exclude_files])
+        if exclude_secrets:
+            cmd.extend(["--exclude-secrets", exclude_secrets])
+        if word_list:
+            cmd.extend(["--word-list", word_list])
+            
+        # Добавляем параметры для улучшения обнаружения
+        cmd.extend(["--force-use-all-plugins"])  # Принудительно используем все плагины
+        cmd.extend(["--no-verify"])  # Отключаем верификацию
+        cmd.extend(["--disable-filter", "detect_secrets.filters.gibberish.should_exclude_secret"])  # Отключаем фильтр бессмысленного текста
+        cmd.extend(["--disable-filter", "detect_secrets.filters.heuristic.is_likely_id_string"])  # Отключаем фильтр ID строк
+        cmd.extend(["--disable-filter", "detect_secrets.filters.heuristic.is_sequential_string"])  # Отключаем фильтр последовательных строк
+        
+        # Execute command with pipe
+        if scan_type == "code":
+            # Нормализуем строки
+            lines = code_input.replace('\r\n', '\n').replace('\r', '\n').split('\n')
+            print(f"Debug: Number of lines: {len(lines)}")
+            
+            all_results = {}
+            all_plugins = set()
+            
+            for idx, line in enumerate(lines):
+                if not line.strip():
+                    continue  # пропускаем пустые строки
+                
+                print(f"Debug: Scanning line {idx + 1}: {line}")
+                
+                cmd_line = cmd.copy()  # копия базовой команды
+                cmd_line.append("--string")
+                cmd_line.append(line)
+                
+                print(f"Debug: Command: {' '.join(cmd_line)}")
+                
+                result = subprocess.run(cmd_line, capture_output=True, text=True)
+                stdout, stderr = result.stdout, result.stderr
+                
+                print(f"Debug: Line {idx + 1} stdout: {stdout}")
+                
+                # Парсим текстовый вывод
+                for output_line in stdout.split('\n'):
+                    if ':' in output_line:
+                        plugin, result = output_line.split(':', 1)
+                        plugin = plugin.strip()
+                        result = result.strip()
+                        
+                        # Добавляем плагин в список использованных
+                        all_plugins.add(plugin)
+                        
+                        # Если плагин нашел секрет
+                        if result.lower() == 'true':
+                            # Добавляем результат
+                            if plugin not in all_results:
+                                all_results[plugin] = []
+                            
+                            # Создаем запись о найденном секрете
+                            secret_info = {
+                                "type": plugin,
+                                "line_number": idx + 1,
+                                "line": line,
+                                "hashed_secret": f"hash_{line}",
+                                "is_secret": True,
+                                "is_verified": False
+                            }
+                            
+                            # Добавляем энтропию, если она указана
+                            if '(' in result:
+                                entropy = result.split('(')[1].split(')')[0]
+                                try:
+                                    secret_info["entropy"] = float(entropy)
+                                except ValueError:
+                                    pass
+                            
+                            all_results[plugin].append(secret_info)
+            
+            # Собираем финальный результат
+            final_output = {
+                "version": "1.5.0",
+                "plugins_used": [{"name": plugin} for plugin in sorted(all_plugins)],
+                "filters_used": [],
+                "results": all_results,
+                "generated_at": ""
+            }
+            
+            print(f"Debug: Final results: {json.dumps(final_output, indent=2)}")
+            
+            return {
+                "success": True,
+                "results": final_output,
+                "stderr": "",
+                "return_code": 0
+            }
+        else:
+            # Для сканирования файла/директории используем обычный способ
+            if not os.path.exists(code_input):
+                return {
+                    "error": f"Path not found: {code_input}",
+                    "success": False
+                }
+            cmd.append(code_input)
+            result = subprocess.run(cmd, capture_output=True, text=True)
+            stdout, stderr = result.stdout, result.stderr
+            return_code = result.returncode
+        
+        # Process result
+        if output_format == "json":
+            try:
+                output_data = json.loads(stdout) if stdout else {}
+                return {
+                    "success": True,
+                    "results": output_data,
+                    "stderr": stderr,
+                    "return_code": return_code
+                }
+            except json.JSONDecodeError as e:
+                print(f"Debug: JSON parse error: {e}")
+                print(f"Debug: Raw stdout: {stdout}")
+                return {
+                    "success": False,
+                    "error": "JSON parsing error",
+                    "stdout": stdout,
+                    "stderr": stderr,
+                    "return_code": return_code
+                }
+        else:
+            return {
+                "success": True,
+                "output": stdout,
+                "stderr": stderr,
+                "return_code": return_code
+            }
+            
+    except Exception as e:
+        print(f"Debug: Exception: {str(e)}")
+        return {
+            "success": False,
+            "error": f"Error executing detect-secrets: {str(e)}"
+        }
+
+def detect_secrets_baseline(
+    target_path: str,
+    baseline_file: str,
+    base64_limit: float = 4.5,
+    hex_limit: float = 3.0
+) -> Dict:
+    """
+    Creates or updates a baseline file for detect-secrets.
+    
+    Args:
+        target_path (str): Path to code for analysis
+        baseline_file (str): Path to baseline file
+        base64_limit (float): Entropy limit for base64 strings
+        hex_limit (float): Entropy limit for hex strings
+    
+    Returns:
+        Dict: Result of baseline creation/update
+    """
+    try:
+        if not os.path.exists(target_path):
+            return {
+                "error": f"Path not found: {target_path}",
+                "success": False
+            }
+        
+        # Build command
+        cmd = ["detect-secrets", "scan"]
+        
+        # Add entropy limits
+        cmd.extend(["--base64-limit", str(base64_limit)])
+        cmd.extend(["--hex-limit", str(hex_limit)])
+        
+        # Add baseline file if exists
+        if os.path.exists(baseline_file):
+            cmd.extend(["--baseline", baseline_file])
+        
+        # Add scan target
+        cmd.append(target_path)
+        
+        # Execute command
+        result = subprocess.run(cmd, capture_output=True, text=True)
+        
+        # Save output to baseline file
+        with open(baseline_file, 'w') as f:
+            f.write(result.stdout)
+        
+        return {
+            "success": True,
+            "action": "created" if not os.path.exists(baseline_file) else "updated",
+            "message": f"Baseline file {'created' if not os.path.exists(baseline_file) else 'updated'}: {baseline_file}",
+            "return_code": result.returncode,
+            "stderr": result.stderr
+        }
+                
+    except Exception as e:
+        return {
+            "success": False,
+            "error": f"Error working with baseline: {str(e)}"
+        }
+
+def detect_secrets_audit(
+    baseline_file: str,
+    show_stats: bool = False,
+    show_report: bool = False,
+    only_real: bool = False,
+    only_false: bool = False
+) -> Dict:
+    """
+    Audits a detect-secrets baseline file.
+    
+    Args:
+        baseline_file (str): Path to baseline file
+        show_stats (bool): Show statistics
+        show_report (bool): Show report
+        only_real (bool): Only show real secrets
+        only_false (bool): Only show false positives
+    
+    Returns:
+        Dict: Audit results
+    """
+    try:
+        if not os.path.exists(baseline_file):
+            return {
+                "error": f"Baseline file not found: {baseline_file}",
+                "success": False
+            }
+        
+        # Build command
+        cmd = ["detect-secrets", "audit"]
+        
+        if show_stats:
+            cmd.append("--stats")
+        if show_report:
+            cmd.append("--report")
+        if only_real:
+            cmd.append("--only-real")
+        if only_false:
+            cmd.append("--only-false")
+        
+        cmd.append(baseline_file)
+        
+        # Execute command
+        result = subprocess.run(cmd, capture_output=True, text=True)
+        
+        return {
+            "success": True,
+            "output": result.stdout,
+            "stderr": result.stderr,
+            "return_code": result.returncode
+        }
+            
+    except Exception as e:
+        return {
+            "success": False,
+            "error": f"Error auditing baseline: {str(e)}"
+        }
+
+# Create Gradio interface
+with gr.Blocks(title="Detect Secrets MCP") as demo:
+    gr.Markdown("# 🔍 Detect Secrets Scanner")
+    gr.Markdown("Secret detection tool with MCP support")
+    
+    with gr.Tab("Basic Scanning"):
+        with gr.Row():
+            with gr.Column():
+                scan_type = gr.Radio(
+                    choices=["code", "path"],
+                    value="code",
+                    label="Scan Type"
+                )
+                code_input = gr.Textbox(
+                    lines=10,
+                    placeholder="Enter code or path to scan...",
+                    label="Code or Path"
+                )
+                base64_limit = gr.Slider(
+                    minimum=0.0,
+                    maximum=8.0,
+                    value=4.5,
+                    step=0.1,
+                    label="Base64 Entropy Limit"
+                )
+                hex_limit = gr.Slider(
+                    minimum=0.0,
+                    maximum=8.0,
+                    value=3.0,
+                    step=0.1,
+                    label="Hex Entropy Limit"
+                )
+                exclude_lines = gr.Textbox(
+                    label="Exclude Lines Pattern (regex)"
+                )
+                exclude_files = gr.Textbox(
+                    label="Exclude Files Pattern (regex)"
+                )
+                exclude_secrets = gr.Textbox(
+                    label="Exclude Secrets Pattern (regex)"
+                )
+                word_list = gr.Textbox(
+                    label="Word List File Path"
+                )
+                output_format = gr.Dropdown(
+                    choices=["json", "txt"],
+                    value="json",
+                    label="Output Format"
+                )
+                scan_btn = gr.Button("🔍 Scan", variant="primary")
+            
+            with gr.Column():
+                scan_output = gr.JSON(label="Scan Results")
+        
+        scan_btn.click(
+            fn=detect_secrets_scan,
+            inputs=[
+                code_input, scan_type, base64_limit, hex_limit,
+                exclude_lines, exclude_files, exclude_secrets,
+                word_list, output_format
+            ],
+            outputs=scan_output
+        )
+    
+    with gr.Tab("Baseline Management"):
+        with gr.Row():
+            with gr.Column():
+                baseline_path = gr.Textbox(
+                    label="Project Path",
+                    placeholder="/path/to/your/project"
+                )
+                baseline_file = gr.Textbox(
+                    label="Baseline File Path",
+                    placeholder="/path/to/.secrets.baseline"
+                )
+                baseline_base64_limit = gr.Slider(
+                    minimum=0.0,
+                    maximum=8.0,
+                    value=4.5,
+                    step=0.1,
+                    label="Base64 Entropy Limit"
+                )
+                baseline_hex_limit = gr.Slider(
+                    minimum=0.0,
+                    maximum=8.0,
+                    value=3.0,
+                    step=0.1,
+                    label="Hex Entropy Limit"
+                )
+                baseline_btn = gr.Button("📋 Create/Update Baseline", variant="secondary")
+            
+            with gr.Column():
+                baseline_output = gr.JSON(label="Baseline Results")
+        
+        baseline_btn.click(
+            fn=detect_secrets_baseline,
+            inputs=[
+                baseline_path, baseline_file,
+                baseline_base64_limit, baseline_hex_limit
+            ],
+            outputs=baseline_output
+        )
+    
+    with gr.Tab("Baseline Audit"):
+        with gr.Row():
+            with gr.Column():
+                audit_baseline = gr.Textbox(
+                    label="Baseline File Path",
+                    placeholder="/path/to/.secrets.baseline"
+                )
+                show_stats = gr.Checkbox(
+                    label="Show Statistics",
+                    value=False
+                )
+                show_report = gr.Checkbox(
+                    label="Show Report",
+                    value=False
+                )
+                only_real = gr.Checkbox(
+                    label="Only Real Secrets",
+                    value=False
+                )
+                only_false = gr.Checkbox(
+                    label="Only False Positives",
+                    value=False
+                )
+                audit_btn = gr.Button("🔍 Audit Baseline", variant="secondary")
+            
+            with gr.Column():
+                audit_output = gr.JSON(label="Audit Results")
+        
+        audit_btn.click(
+            fn=detect_secrets_audit,
+            inputs=[
+                audit_baseline, show_stats,
+                show_report, only_real, only_false
+            ],
+            outputs=audit_output
+        )
+    
+    with gr.Tab("Examples"):
+        gr.Markdown("""
+        ## 🚨 Examples of secrets that can be detected:
+        
+        ### 1. API Keys
+        ```python
+        API_KEY = "sk_live_51H1h2K3L4M5N6O7P8Q9R0S1T2U3V4W5X6Y7Z8"
+        ```
+        
+        ### 2. Passwords
+        ```python
+        password = "SuperSecret123!"  # High entropy string
+        ```
+        
+        ### 3. Private Keys
+        ```python
+        private_key = "-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEA..."
+        ```
+        
+        ### 4. OAuth Tokens
+        ```python
+        oauth_token = "ya29.a0AfB_byC..."
+        ```
+        """)
+
+if __name__ == "__main__":
+    demo.launch(mcp_server=True) 

docker-compose.yml

@@ -0,0 +1,157 @@
+version: '3.8'
+
+services:
+
+  # Bandit Security Scanner
+  bandit-security-scanner:
+    build:
+      context: .
+      dockerfile: docker/bandit.Dockerfile
+    container_name: bandit-mcp-server
+    ports:
+      - "${BANDIT_EXTERNAL_PORT:-7861}:${BANDIT_INTERNAL_PORT:-7861}"
+    environment:
+      - GRADIO_SERVER_NAME=${GRADIO_SERVER_NAME:-0.0.0.0}
+      - GRADIO_SERVER_PORT=${BANDIT_INTERNAL_PORT:-7861}
+      - APP_NAME=Bandit Security Scanner MCP
+    volumes:
+      - ./scan_data:/app/scan_data
+      - ./reports:/app/reports
+      - ./projects:/app/projects
+    restart: unless-stopped
+    networks:
+      - mcp-network
+    labels:
+      - "application=bandit-security-scanner"
+      - "service=mcp-server"
+
+  # Detect Secrets Scanner
+  detect-secrets-scanner:
+    build:
+      context: .
+      dockerfile: docker/detect_secrets.Dockerfile
+    container_name: detect-secrets-mcp-server
+    ports:
+      - "${DETECT_SECRETS_EXTERNAL_PORT:-7862}:${DETECT_SECRETS_INTERNAL_PORT:-7862}"
+    environment:
+      - GRADIO_SERVER_NAME=${GRADIO_SERVER_NAME:-0.0.0.0}
+      - GRADIO_SERVER_PORT=${DETECT_SECRETS_INTERNAL_PORT:-7862}
+      - APP_NAME=Detect Secrets MCP
+    volumes:
+      - ./scan_data:/app/scan_data
+      - ./reports:/app/reports
+      - ./projects:/app/projects
+    restart: unless-stopped
+    networks:
+      - mcp-network
+    labels:
+      - "application=detect-secrets-scanner"
+      - "service=mcp-server"
+
+  # Pip Audit Scanner
+  pip-audit-scanner:
+    build:
+      context: .
+      dockerfile: docker/pip_audit.Dockerfile
+    container_name: pip-audit-mcp-server
+    ports:
+      - "${PIP_AUDIT_EXTERNAL_PORT:-7863}:${PIP_AUDIT_INTERNAL_PORT:-7863}"
+    environment:
+      - GRADIO_SERVER_NAME=${GRADIO_SERVER_NAME:-0.0.0.0}
+      - GRADIO_SERVER_PORT=${PIP_AUDIT_INTERNAL_PORT:-7863}
+      - APP_NAME=Pip Audit MCP
+    volumes:
+      - ./scan_data:/app/scan_data
+      - ./reports:/app/reports
+      - ./projects:/app/projects
+    restart: unless-stopped
+    networks:
+      - mcp-network
+    labels:
+      - "application=pip-audit-scanner"
+      - "service=mcp-server"
+
+  # Circle Test Scanner
+  circle-test-scanner:
+    build:
+      context: .
+      dockerfile: docker/circle_test.Dockerfile
+    container_name: circle-test-mcp-server
+    ports:
+      - "${CIRCLE_TEST_EXTERNAL_PORT:-7864}:${CIRCLE_TEST_INTERNAL_PORT:-7864}"
+    environment:
+      - GRADIO_SERVER_NAME=${GRADIO_SERVER_NAME:-0.0.0.0}
+      - GRADIO_SERVER_PORT=${CIRCLE_TEST_INTERNAL_PORT:-7864}
+      - APP_NAME=Circle Test MCP
+    volumes:
+      - ./scan_data:/app/scan_data
+      - ./reports:/app/reports
+      - ./projects:/app/projects
+    restart: unless-stopped
+    networks:
+      - mcp-network
+    labels:
+      - "application=circle-test-scanner"
+      - "service=mcp-server"
+
+  # Semgrep Scanner
+  semgrep-scanner:
+    build:
+      context: .
+      dockerfile: docker/semgrep.Dockerfile
+    container_name: semgrep-mcp-server
+    ports:
+      - "${SEMGREP_EXTERNAL_PORT:-7865}:${SEMGREP_INTERNAL_PORT:-7865}"
+    environment:
+      - GRADIO_SERVER_NAME=${GRADIO_SERVER_NAME:-0.0.0.0}
+      - GRADIO_SERVER_PORT=${SEMGREP_INTERNAL_PORT:-7865}
+      - APP_NAME=Semgrep MCP
+    volumes:
+      - ./scan_data:/app/scan_data
+      - ./reports:/app/reports
+      - ./projects:/app/projects
+    restart: unless-stopped
+    networks:
+      - mcp-network
+    labels:
+      - "application=semgrep-scanner"
+      - "service=mcp-server"
+
+  # Main Security Tools Agent
+  security-tools-agent:
+    build:
+      context: .
+      dockerfile: docker/agent.Dockerfile
+    container_name: security-tools-mcp-agent
+    ports:
+      - "${AGENT_EXTERNAL_PORT:-7860}:${AGENT_INTERNAL_PORT:-7860}"
+    environment:
+      - GRADIO_SERVER_NAME=${GRADIO_SERVER_NAME:-0.0.0.0}
+      - GRADIO_SERVER_PORT=${AGENT_INTERNAL_PORT:-7860}
+      - APP_NAME=Security Tools MCP Agent
+      - NEBIUS_API_KEY=${NEBIUS_API_KEY}
+    volumes:
+      - ./scan_data:/app/scan_data
+      - ./reports:/app/reports
+      - ./projects:/app/projects
+    depends_on:
+      - bandit-security-scanner
+      - detect-secrets-scanner
+      - pip-audit-scanner
+      - circle-test-scanner
+      - semgrep-scanner
+    restart: unless-stopped
+    networks:
+      - mcp-network
+    labels:
+      - "application=security-tools-agent"
+      - "service=main-agent"
+
+networks:
+  mcp-network:
+    driver: bridge
+
+volumes:
+  scan_data:
+  reports:
+  projects:

docker/agent.Dockerfile

@@ -0,0 +1,42 @@
+FROM python:3.11-slim
+
+# Метаданные образа
+LABEL maintainer="VulnBuster"
+LABEL description="Security Tools MCP Agent - Main Application"
+LABEL version="1.0"
+LABEL application="security-tools-mcp-agent"
+
+# Установка системных зависимостей
+RUN apt-get update && apt-get install -y \
+    git \
+    curl \
+    build-essential \
+    && rm -rf /var/lib/apt/lists/*
+
+# Создание рабочей директории
+WORKDIR /app
+
+# Копирование requirements для агента
+COPY agent_requirements.txt ./requirements.txt
+
+# Установка Python зависимостей
+RUN pip install --no-cache-dir --upgrade pip && \
+    pip install --no-cache-dir -r requirements.txt
+
+# Копирование исходного кода
+COPY main.py .
+
+# Переменные окружения для Agent
+ENV GRADIO_SERVER_PORT=7860
+ENV GRADIO_SERVER_NAME=0.0.0.0
+ENV APP_NAME="Security Tools MCP Agent"
+
+# Открытие порта
+EXPOSE $GRADIO_SERVER_PORT
+
+# Healthcheck
+HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
+    CMD curl -f http://localhost:${GRADIO_SERVER_PORT}/ || exit 1
+
+# Команда запуска
+CMD ["python", "main.py"] 

docker/bandit.Dockerfile

@@ -0,0 +1,42 @@
+FROM python:3.11-slim
+
+# Метаданные образа
+LABEL maintainer="VulnBuster"
+LABEL description="Bandit Security Scanner MCP Server with Gradio Web Interface"
+LABEL version="1.0"
+LABEL application="bandit-mcp"
+
+# Установка системных зависимостей
+RUN apt-get update && apt-get install -y \
+    git \
+    curl \
+    build-essential \
+    && rm -rf /var/lib/apt/lists/*
+
+# Создание рабочей директории
+WORKDIR /app
+
+# Копирование requirements
+COPY requirements.txt ./requirements.txt
+
+# Установка Python зависимостей
+RUN pip install --no-cache-dir --upgrade pip && \
+    pip install --no-cache-dir -r requirements.txt
+
+# Копирование исходного кода
+COPY bandit_mcp.py .
+
+# Переменные окружения для Bandit MCP
+ENV GRADIO_SERVER_PORT=7861
+ENV GRADIO_SERVER_NAME=0.0.0.0
+ENV APP_NAME="Bandit Security Scanner MCP"
+
+# Открытие порта
+EXPOSE $GRADIO_SERVER_PORT
+
+# Healthcheck
+HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
+    CMD curl -f http://localhost:${GRADIO_SERVER_PORT}/ || exit 1
+
+# Команда запуска
+CMD ["python", "bandit_mcp.py"]

docker/circle_test.Dockerfile

@@ -0,0 +1,42 @@
+FROM python:3.11-slim
+
+# Метаданные образа
+LABEL maintainer="VulnBuster"
+LABEL description="Circle Test MCP Server with Gradio Web Interface"
+LABEL version="1.0"
+LABEL application="circle-test-mcp"
+
+# Установка системных зависимостей
+RUN apt-get update && apt-get install -y \
+    git \
+    curl \
+    build-essential \
+    && rm -rf /var/lib/apt/lists/*
+
+# Создание рабочей директории
+WORKDIR /app
+
+# Копирование requirements
+COPY requirements.txt ./requirements.txt
+
+# Установка Python зависимостей
+RUN pip install --no-cache-dir --upgrade pip && \
+    pip install --no-cache-dir -r requirements.txt
+
+# Копирование исходного кода
+COPY circle_test_mcp.py .
+
+# Переменные окружения для Circle Test MCP
+ENV GRADIO_SERVER_PORT=7864
+ENV GRADIO_SERVER_NAME=0.0.0.0
+ENV APP_NAME="Circle Test MCP"
+
+# Открытие порта
+EXPOSE $GRADIO_SERVER_PORT
+
+# Healthcheck
+HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
+    CMD curl -f http://localhost:${GRADIO_SERVER_PORT}/ || exit 1
+
+# Команда запуска
+CMD ["python", "circle_test_mcp.py"] 

docker/detect_secrets.Dockerfile

@@ -0,0 +1,42 @@
+FROM python:3.11-slim
+
+# Метаданные образа
+LABEL maintainer="VulnBuster"
+LABEL description="Detect Secrets MCP Server with Gradio Web Interface"
+LABEL version="1.0"
+LABEL application="detect-secrets-mcp"
+
+# Установка системных зависимостей
+RUN apt-get update && apt-get install -y \
+    git \
+    curl \
+    build-essential \
+    && rm -rf /var/lib/apt/lists/*
+
+# Создание рабочей директории
+WORKDIR /app
+
+# Копирование requirements
+COPY requirements.txt ./requirements.txt
+
+# Установка Python зависимостей
+RUN pip install --no-cache-dir --upgrade pip && \
+    pip install --no-cache-dir -r requirements.txt
+
+# Копирование исходного кода
+COPY detect_secrets_mcp.py .
+
+# Переменные окружения для Detect Secrets MCP
+ENV GRADIO_SERVER_PORT=7862
+ENV GRADIO_SERVER_NAME=0.0.0.0
+ENV APP_NAME="Detect Secrets MCP"
+
+# Открытие порта
+EXPOSE $GRADIO_SERVER_PORT
+
+# Healthcheck
+HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
+    CMD curl -f http://localhost:${GRADIO_SERVER_PORT}/ || exit 1
+
+# Команда запуска
+CMD ["python", "detect_secrets_mcp.py"] 

docker/pip_audit.Dockerfile

@@ -0,0 +1,42 @@
+FROM python:3.11-slim
+
+# Метаданные образа
+LABEL maintainer="VulnBuster"
+LABEL description="Pip Audit MCP Server with Gradio Web Interface"
+LABEL version="1.0"
+LABEL application="pip-audit-mcp"
+
+# Установка системных зависимостей
+RUN apt-get update && apt-get install -y \
+    git \
+    curl \
+    build-essential \
+    && rm -rf /var/lib/apt/lists/*
+
+# Создание рабочей директории
+WORKDIR /app
+
+# Копирование requirements
+COPY requirements.txt ./requirements.txt
+
+# Установка Python зависимостей
+RUN pip install --no-cache-dir --upgrade pip && \
+    pip install --no-cache-dir -r requirements.txt
+
+# Копирование исходного кода
+COPY pip_audit_mcp.py .
+
+# Переменные окружения для Pip Audit MCP
+ENV GRADIO_SERVER_PORT=7863
+ENV GRADIO_SERVER_NAME=0.0.0.0
+ENV APP_NAME="Pip Audit MCP"
+
+# Открытие порта
+EXPOSE $GRADIO_SERVER_PORT
+
+# Healthcheck
+HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
+    CMD curl -f http://localhost:${GRADIO_SERVER_PORT}/ || exit 1
+
+# Команда запуска
+CMD ["python", "pip_audit_mcp.py"] 

docker/semgrep.Dockerfile

@@ -0,0 +1,42 @@
+FROM python:3.11-slim
+
+# Метаданные образа
+LABEL maintainer="VulnBuster"
+LABEL description="Semgrep MCP Server with Gradio Web Interface"
+LABEL version="1.0"
+LABEL application="semgrep-mcp"
+
+# Установка системных зависимостей
+RUN apt-get update && apt-get install -y \
+    git \
+    curl \
+    build-essential \
+    && rm -rf /var/lib/apt/lists/*
+
+# Создание рабочей директории
+WORKDIR /app
+
+# Копирование requirements
+COPY requirements.txt ./requirements.txt
+
+# Установка Python зависимостей
+RUN pip install --no-cache-dir --upgrade pip && \
+    pip install --no-cache-dir -r requirements.txt
+
+# Копирование исходного кода
+COPY semgrep_mcp.py .
+
+# Переменные окружения для Semgrep MCP
+ENV GRADIO_SERVER_PORT=7865
+ENV GRADIO_SERVER_NAME=0.0.0.0
+ENV APP_NAME="Semgrep MCP"
+
+# Открытие порта
+EXPOSE $GRADIO_SERVER_PORT
+
+# Healthcheck
+HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
+    CMD curl -f http://localhost:${GRADIO_SERVER_PORT}/ || exit 1
+
+# Команда запуска
+CMD ["python", "semgrep_mcp.py"] 

main.py

@@ -0,0 +1,571 @@
+import asyncio
+import os
+import tempfile
+import gradio as gr
+from textwrap import dedent
+from agno.agent import Agent
+from agno.tools.mcp import MCPTools
+from agno.models.nebius import Nebius
+from mcp import ClientSession
+from mcp.client.sse import sse_client
+from dotenv import load_dotenv
+import base64
+import difflib
+import re
+import subprocess
+import sys
+import shutil
+import time
+import aiohttp
+import logging
+import signal
+import socket
+import json
+
+
+# Настройка логирования
+logging.basicConfig(
+    level=logging.DEBUG,
+    format='%(asctime)s - %(name)s - %(levelname)s - %(message)s'
+)
+logger = logging.getLogger(__name__)
+
+def clean_and_validate_json(raw_text: str) -> str:
+    """
+    Агрессивно очищает и валидирует JSON из текста
+    """
+    logger.debug(f"Попытка очистки JSON из текста длиной {len(raw_text)}")
+    
+    # Убираем все возможные блоки думания и комментариев
+    cleaned = re.sub(r"<think>.*?</think>", "", raw_text, flags=re.DOTALL)
+    cleaned = re.sub(r"```json\s*", "", cleaned)
+    cleaned = re.sub(r"```\s*", "", cleaned)
+    cleaned = cleaned.strip()
+    
+    # Ищем JSON объект от первой { до соответствующей }
+    start_idx = cleaned.find("{")
+    if start_idx == -1:
+        return raw_text
+    
+    # Найдем соответствующую закрывающую скобку
+    bracket_count = 0
+    end_idx = -1
+    
+    for i in range(start_idx, len(cleaned)):
+        if cleaned[i] == '{':
+            bracket_count += 1
+        elif cleaned[i] == '}':
+            bracket_count -= 1
+            if bracket_count == 0:
+                end_idx = i
+                break
+    
+    if end_idx == -1:
+        return raw_text
+    
+    # Извлекаем JSON часть
+    json_part = cleaned[start_idx:end_idx + 1]
+    
+    try:
+        # Проверяем, является ли это валидным JSON
+        json.loads(json_part)
+        logger.debug("JSON успешно очищен и валидирован")
+        return json_part
+    except json.JSONDecodeError as e:
+        logger.debug(f"Ошибка при валидации очищенного JSON: {e}")
+        return raw_text
+
+def standardize_mcp_response(response_text: str, server_name: str) -> str:
+    """
+    Стандартизирует ответы от разных MCP серверов в единый формат
+    """
+    try:
+        # Сначала пытаемся парсить как JSON
+        parsed = json.loads(response_text)
+        
+        # Для Circle Test - ответы могут приходить в формате {"results": [...]}
+        if server_name == "circle_test":
+            if isinstance(parsed, dict) and "results" in parsed:
+                return json.dumps(parsed, ensure_ascii=False)
+            elif isinstance(parsed, list):
+                # Если пришел список результатов без обертки
+                standardized = {"results": parsed}
+                return json.dumps(standardized, ensure_ascii=False)
+        
+        # Для Bandit - ответы могут приходить в формате {"results": [...], "metrics": {...}}
+        elif server_name == "bandit":
+            if isinstance(parsed, dict):
+                return json.dumps(parsed, ensure_ascii=False)
+            elif isinstance(parsed, list):
+                # Если пришел список результатов без обертки
+                standardized = {"results": parsed}
+                return json.dumps(standardized, ensure_ascii=False)
+        
+        # Для других серверов - возвращаем как есть, если JSON валидный
+        return json.dumps(parsed, ensure_ascii=False)
+        
+    except json.JSONDecodeError:
+        # Если не JSON, возвращаем оригинальную строку
+        logger.debug(f"Ответ от {server_name} не является валидным JSON")
+        return response_text
+
+def extract_json_payload(raw: str) -> str:
+    """
+    Извлекает первый JSON объект {...} из строки, удаляя Markdown-разметку и дополнительный текст.
+    """
+    logger.debug(f"Исходная строка для извлечения JSON (длина: {len(raw)}): {raw[:500]}...")
+    
+    # Убираем блоки <think>
+    raw = re.sub(r"<think>.*?</think>", "", raw, flags=re.DOTALL).strip()
+    
+    # Убираем markdown блоки
+    raw = re.sub(r"```json\s*", "", raw)
+    raw = re.sub(r"```", "", raw)
+    
+    # Убираем возможные лишние символы в начале и конце
+    raw = raw.strip()
+    
+    logger.debug(f"После очистки markdown (длина: {len(raw)}): {raw[:500]}...")
+    
+    # Ищем первый '{' и соответствующую ему закрывающую '}'
+    start = raw.find("{")
+    if start == -1:
+        logger.warning("Не найден открывающий символ '{'")
+        return raw
+    
+    # Ищем соответствующую закрывающую скобку
+    bracket_count = 0
+    end = -1
+    for i in range(start, len(raw)):
+        if raw[i] == '{':
+            bracket_count += 1
+        elif raw[i] == '}':
+            bracket_count -= 1
+            if bracket_count == 0:
+                end = i
+                break
+    
+    if end == -1:
+        logger.warning("Не найден соответствующий закрывающий символ '}'")
+        return raw
+    
+    json_candidate = raw[start:end + 1]
+    logger.debug(f"Извлеченный JSON кандидат (длина: {len(json_candidate)}): {json_candidate[:500]}...")
+    
+    # Проверяем валидность JSON перед возвратом
+    try:
+        parsed = json.loads(json_candidate)
+        logger.debug("JSON успешно распарсен в extract_json_payload")
+        return json_candidate
+    except json.JSONDecodeError as e:
+        logger.warning(f"Извлеченный JSON невалидный: {str(e)}")
+        logger.debug(f"Проблемный JSON: {json_candidate}")
+        # Пытаемся вернуть полную строку без обработки
+        try:
+            # Проверяем, может быть вся строка уже является валидным JSON
+            json.loads(raw)
+            logger.debug("Полная строка является валидным JSON")
+            return raw
+        except json.JSONDecodeError:
+            logger.warning("Даже полная строка не является валидным JSON, возвращаем как есть")
+            return raw
+
+# Глобальные переменные для переиспользования сессий
+MCP_WRAPPERS = {}
+
+# Загружаем переменные окружения из .env файла
+load_dotenv()
+api_key = os.getenv("NEBIUS_API_KEY")
+if not api_key:
+    raise ValueError("NEBIUS_API_KEY not found in .env file")
+
+# Конфигурация MCP серверов (для Docker с переменными окружения)
+BANDIT_PORT = os.getenv('BANDIT_INTERNAL_PORT', '7861')
+DETECT_SECRETS_PORT = os.getenv('DETECT_SECRETS_INTERNAL_PORT', '7862')
+PIP_AUDIT_PORT = os.getenv('PIP_AUDIT_INTERNAL_PORT', '7863')
+CIRCLE_TEST_PORT = os.getenv('CIRCLE_TEST_INTERNAL_PORT', '7864')
+SEMGREP_PORT = os.getenv('SEMGREP_INTERNAL_PORT', '7865')
+
+MCP_SERVERS = {
+    "bandit": {
+        "url": f"http://bandit-security-scanner:{BANDIT_PORT}/gradio_api/mcp/sse",
+        "description": "Python code security analysis",
+        "port": int(BANDIT_PORT)
+    },
+    "detect_secrets": {
+        "url": f"http://detect-secrets-scanner:{DETECT_SECRETS_PORT}/gradio_api/mcp/sse",
+        "description": "Secret detection in code",
+        "port": int(DETECT_SECRETS_PORT)
+    },
+    "pip_audit": {
+        "url": f"http://pip-audit-scanner:{PIP_AUDIT_PORT}/gradio_api/mcp/sse",
+        "description": "Python package vulnerability scanning",
+        "port": int(PIP_AUDIT_PORT)
+    },
+    "circle_test": {
+        "url": f"http://circle-test-scanner:{CIRCLE_TEST_PORT}/gradio_api/mcp/sse",
+        "description": "Security policy compliance checking",
+        "port": int(CIRCLE_TEST_PORT)
+    },
+    "semgrep": {
+        "url": f"http://semgrep-scanner:{SEMGREP_PORT}/gradio_api/mcp/sse",
+        "description": "Advanced static code analysis",
+        "port": int(SEMGREP_PORT)
+    }
+}
+
+def check_port(port: int) -> bool:
+    """Проверяет доступность порта"""
+    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    try:
+        result = sock.connect_ex(('127.0.0.1', port))
+        return result == 0
+    finally:
+        sock.close()
+
+def signal_handler(signum, frame):
+    """Обработчик сигналов для корректного завершения"""
+    logger.info("Получен сигнал завершения, закрываем серверы...")
+    sys.exit(0)
+
+# Регистрируем обработчики сигналов
+signal.signal(signal.SIGINT, signal_handler)
+signal.signal(signal.SIGTERM, signal_handler)
+
+def generate_simple_diff(original_content: str, updated_content: str, file_path: str) -> str:
+    """
+    Генерирует простой diff между оригинальным и обновленным содержимым
+    """
+    diff_lines = list(difflib.unified_diff(
+        original_content.splitlines(keepends=True),
+        updated_content.splitlines(keepends=True),
+        fromfile=f"{file_path} (original)",
+        tofile=f"{file_path} (modified)",
+        n=3
+    ))
+    if not diff_lines:
+        return "No changes detected."
+    added_lines = sum(1 for l in diff_lines if l.startswith("+") and not l.startswith("+++"))
+    removed_lines = sum(1 for l in diff_lines if l.startswith("-") and not l.startswith("---"))
+    diff_content = "".join(diff_lines)
+    stats = f"\n📊 Changes: +{added_lines} additions, -{removed_lines} deletions"
+    return diff_content + stats
+
+async def check_server_availability(url: str, max_retries: int = 5, delay: float = 5.0) -> bool:
+    """Проверяет доступность MCP сервера с увеличенными таймаутами"""
+    logger.debug(f"Проверка доступности сервера: {url}")
+    for i in range(max_retries):
+        try:
+            async with aiohttp.ClientSession() as session:
+                async with session.get(url, timeout=30) as response:
+                    if response.status == 200:
+                        logger.info(f"Сервер {url} доступен")
+                        return True
+        except Exception as e:
+            logger.warning(f"Попытка {i+1}/{max_retries} не удалась: {str(e)}")
+        await asyncio.sleep(delay)
+    logger.error(f"Сервер {url} недоступен после {max_retries} попыток")
+    return False
+
+async def init_all_tools():
+    """Инициализирует все MCP инструменты один раз при старте приложения"""
+    global MCP_WRAPPERS
+    
+    try:
+        # Создаем SSE клиенты для каждого сервера
+        for name, cfg in MCP_SERVERS.items():
+            async with sse_client(cfg["url"]) as (read, write):
+                async with ClientSession(read, write) as session:
+                    MCP_WRAPPERS[name] = MCPTools(session=session)
+            
+        logger.info("Все MCP инструменты успешно инициализированы")
+    except Exception as e:
+        logger.error(f"Ошибка при инициализации MCP инструментов: {str(e)}")
+        raise
+
+async def run_mcp_agent(message, server_name):
+    """Запускает агента для конкретного MCP сервера"""
+    logger.info(f"Запуск MCP агента для {server_name}")
+    
+    if not api_key:
+        logger.error("Nebius API key не найден в .env файле")
+        return "Error: Nebius API key not found in .env file"
+    
+    if server_name not in MCP_SERVERS:
+        logger.error(f"Неизвестный MCP сервер: {server_name}")
+        return f"Error: Unknown MCP server {server_name}"
+    
+    if server_name not in MCP_WRAPPERS:
+        logger.error(f"MCP инструмент {server_name} не инициализирован")
+        return f"Error: MCP tool {server_name} not initialized"
+    
+    try:
+        # Получаем инструмент из кэша
+        mcp_tools = MCP_WRAPPERS[server_name]
+        
+        # Создаем агента
+        agent = Agent(
+            tools=[mcp_tools],
+            instructions=dedent(f"""\
+                You are an intelligent security assistant with access to MCP tools for {server_name}.
+                
+                IMPORTANT INSTRUCTIONS:
+                1. Use the appropriate MCP tool to analyze the provided code
+                2. Return ONLY the raw JSON result from the MCP tool
+                3. Do NOT add any explanations, commentary, or additional formatting
+                4. Do NOT wrap the result in markdown code blocks
+                5. Do NOT add any text before or after the JSON
+                6. If the tool returns a "results" field, return the complete response including that field
+                
+                The JSON output should be clean and parseable without any modifications.
+            """),
+            markdown=False,  # Отключаем Markdown для получения чистого JSON
+            show_tool_calls=True,
+            model=Nebius(
+                id="Qwen/Qwen3-30B-A3B-fast",
+                api_key=api_key
+            )
+        )
+        
+        # Форматируем сообщение
+        formatted_message = f"Analyze this code using {server_name}: {message}"
+        
+        # Запускаем анализ
+        response = await agent.arun(formatted_message)
+        logger.info(f"Успешное выполнение для {server_name}")
+        logger.debug(f"Полный ответ агента для {server_name}: {response.content}")
+        
+        # Сначала пробуем агрессивную очистку
+        cleaned_response = clean_and_validate_json(response.content)
+        
+        # Если агрессивная очистка не помогла, используем обычную функцию
+        if cleaned_response == response.content:
+            cleaned_response = extract_json_payload(response.content)
+        
+        # Стандартизируем ответ для конкретного сервера
+        standardized_response = standardize_mcp_response(cleaned_response, server_name)
+        
+        logger.debug(f"Стандартизированный ответ для {server_name}: {standardized_response}")
+        return standardized_response
+        
+    except Exception as e:
+        logger.error(f"Ошибка выполнения {server_name}: {str(e)}")
+        # Возвращаем ошибку в формате JSON для консистентности
+        error_response = {
+            "success": False,
+            "error": f"Error running {server_name}: {str(e)}",
+            "results": {}
+        }
+        return json.dumps(error_response, ensure_ascii=False)
+
+async def run_fix_agent(message):
+    """Запускает агента для исправления кода"""
+    if not api_key:
+        return "Error: Nebius API key not found in .env file"
+    
+    agent = Agent(
+        tools=[],
+        instructions=dedent("""\
+            You are an intelligent code refactoring assistant.
+            Based on the vulnerabilities detected, propose a corrected version of the code.
+            Return only the full updated source code, without any additional commentary or markup.
+        """),
+        markdown=False,
+        show_tool_calls=False,
+        model=Nebius(
+            id="Qwen/Qwen3-30B-A3B-fast",
+            api_key=api_key
+        )
+    )
+    try:
+        response = await agent.arun(message)
+        return response.content
+    except Exception as e:
+        return f"Error proposing fixes: {e}"
+
+async def process_file(file_obj, custom_checks, selected_servers):
+    """Обрабатывает файл с помощью выбранных MCP серверов"""
+    if not file_obj:
+        return "", "", ""
+    
+    try:
+        # Сохраняем загруженный файл
+        temp_dir = tempfile.gettempdir()
+        file_path = os.path.join(temp_dir, file_obj.name)
+        
+        # Получаем содержимое файла из объекта Gradio
+        with open(file_obj.name, 'r', encoding='utf-8') as f:
+            file_content = f.read()
+            
+        with open(file_path, "w", encoding='utf-8') as f:
+            f.write(file_content)
+        
+        # Подготавливаем сообщение для всех серверов
+        if custom_checks:
+            user_message = (
+                f"Please analyze this code for {custom_checks}, "
+                f"using the most comprehensive settings available:\n\n{file_content}"
+            )
+        else:
+            user_message = (
+                f"Please perform a full vulnerability and security analysis on this code, "
+                f"selecting the highest intensity settings:\n\n{file_content}"
+            )
+        
+        # Запускаем все анализаторы параллельно
+        tasks = {
+            server: asyncio.create_task(run_mcp_agent(user_message, server))
+            for server in selected_servers
+        }
+        
+        # Собираем результаты
+        raw_outputs = {
+            server: re.sub(r"<think>.*?</think>", "", await task, flags=re.DOTALL).strip()
+            for server, task in tasks.items()
+        }
+
+        # Преобразуем raw_outputs в читаемый текст для Markdown
+        formatted_results = []
+        for name, raw in raw_outputs.items():
+            logger.debug(f"Обработка результата для {name}, длина: {len(raw)}")
+            logger.debug(f"Полное содержимое для {name}: {raw}")
+            
+            try:
+                # Пытаемся распарсить JSON
+                parsed_data = json.loads(raw)
+                logger.debug(f"JSON успешно распарсен для {name}")
+                
+                # Извлекаем результаты если они есть
+                if isinstance(parsed_data, dict) and 'results' in parsed_data:
+                    display_data = parsed_data['results']
+                    logger.debug(f"Извлечены results для {name}")
+                else:
+                    display_data = parsed_data
+                    logger.debug(f"Используются сырые данные для {name}")
+                
+                # Форматируем для отображения
+                formatted_json = json.dumps(display_data, indent=2, ensure_ascii=False)
+                formatted_results.append(f"### {name.upper()}:\n```json\n{formatted_json}\n```")
+                
+            except json.JSONDecodeError as e:
+                # Если JSON некорректный, показываем как есть
+                logger.warning(f"Не удалось распарсить JSON для {name}: {str(e)}")
+                logger.debug(f"Позиция ошибки: {getattr(e, 'pos', 'неизвестно')}")
+                logger.debug(f"Длина строки: {len(raw)}")
+                
+                # Пытаемся найти проблемную область
+                if hasattr(e, 'pos') and e.pos:
+                    start_pos = max(0, e.pos - 50)
+                    end_pos = min(len(raw), e.pos + 50)
+                    problem_area = raw[start_pos:end_pos]
+                    logger.debug(f"Проблемная область вокруг позиции {e.pos}: {repr(problem_area)}")
+                
+                # Проверяем на наличие скрытых символов
+                has_non_printable = any(ord(c) < 32 and c not in '\n\r\t' for c in raw)
+                if has_non_printable:
+                    logger.warning(f"Обнаружены непечатаемые символы в ответе для {name}")
+                
+                formatted_results.append(f"### {name.upper()} (Raw output):\n```\n{raw}\n```")
+            except Exception as e:
+                # Любые другие ошибки
+                logger.error(f"Ошибка обработки результата для {name}: {str(e)}")
+                formatted_results.append(f"### {name.upper()} (Error):\n```\nОшибка обработки: {str(e)}\n```")
+        
+        markdown_output = "\n\n".join(formatted_results)
+
+        # Читаем оригинальный код
+        with open(file_path, 'r', encoding='utf-8') as f_in:
+            orig_code = f_in.read()
+        
+        # Подготавливаем промпт для исправлений
+        orig_name = os.path.basename(file_path)
+        fix_prompt = f"""Below is the full source code of '{orig_name}':
+```python
+{orig_code}
+```
+Please generate a corrected version of this code, addressing all security vulnerabilities. Return only the full updated source code."""
+        
+        # Получаем исправленный код
+        fixed_code = await run_fix_agent(fix_prompt)
+        
+        # Очищаем код от блоков <think>
+        cleaned_code = re.sub(r"<think>.*?</think>", "", fixed_code, flags=re.DOTALL).strip()
+        
+        # Генерируем diff
+        diff_text = generate_simple_diff(orig_code, cleaned_code, orig_name)
+        
+        return markdown_output, diff_text, cleaned_code
+        
+    except Exception as e:
+        logger.error(f"Ошибка при обработке файла: {str(e)}")
+        return f"❌ Произошла ошибка: {str(e)}", "", ""
+
+async def check_all_servers():
+    """Проверяет доступность всех MCP серверов"""
+    unavailable_servers = []
+    for server_name, config in MCP_SERVERS.items():
+        if not check_port(config["port"]):
+            unavailable_servers.append(f"{server_name} (порт {config['port']})")
+    return unavailable_servers
+
+def process_file_sync(file_obj, custom_checks, selected_servers):
+    """Синхронная обертка для process_file"""
+    return asyncio.run(process_file(file_obj, custom_checks, selected_servers))
+
+# Создаем интерфейс Gradio
+with gr.Blocks(title="Security Tools MCP Agent") as demo:
+    gr.Markdown("# 🔒 Security Tools MCP Agent")
+    
+    with gr.Row():
+        with gr.Column(scale=1):
+            file_input = gr.File(
+                label="Upload a code file",
+                file_types=[".py", ".js", ".java", ".go", ".rb"]
+            )
+            custom_checks = gr.Textbox(
+                label="Enter specific checks or tools to use (optional)",
+                placeholder="e.g., SQL injection, shell injection, detect secrets"
+            )
+            server_checkboxes = gr.CheckboxGroup(
+                choices=list(MCP_SERVERS.keys()),
+                value=list(MCP_SERVERS.keys()),
+                label="Select MCP Servers"
+            )
+            scan_button = gr.Button("Run Scan", variant="primary")
+    
+    with gr.Row():
+        with gr.Column(scale=1):
+            analysis_output = gr.Markdown(label="Security Analysis Results")
+            diff_output = gr.Textbox(label="Proposed Code Fixes", lines=10)
+            fixed_code_output = gr.Code(label="Fixed Code", language="python")
+            download_button = gr.File(label="Download corrected file")
+    
+    def update_download_button(fixed_code):
+        if fixed_code:
+            temp_dir = tempfile.gettempdir()
+            fixed_path = os.path.join(temp_dir, "fixed_code.py")
+            with open(fixed_path, "w") as f:
+                f.write(fixed_code)
+            return fixed_path
+        return None
+    
+    scan_button.click(
+        fn=process_file_sync,
+        inputs=[file_input, custom_checks, server_checkboxes],
+        outputs=[analysis_output, diff_output, fixed_code_output]
+    ).then(
+        fn=update_download_button,
+        inputs=[fixed_code_output],
+        outputs=[download_button]
+    )
+
+if __name__ == "__main__":
+    try:
+        # Инициализируем все MCP инструменты при старте
+        asyncio.run(init_all_tools())
+        
+        logger.info("Запуск Security Tools MCP Agent...")
+        demo.launch(share=True)
+    except Exception as e:
+        logger.error(f"Ошибка запуска приложения: {str(e)}")
+        sys.exit(1)

mcp.json

@@ -0,0 +1,54 @@
+{
+  "mcpServers": {
+    "bandit-security": {
+      "command": "npx",
+      "args": [
+        "-y", 
+        "mcp-remote", 
+        "http://localhost:7860/gradio_api/mcp/sse",
+        "--transport", 
+        "sse-only"
+      ]
+    },
+    "detect-secrets": {
+      "command": "npx",
+      "args": [
+        "-y", 
+        "mcp-remote", 
+        "http://localhost:7861/gradio_api/mcp/sse",
+        "--transport", 
+        "sse-only"
+      ]
+    },
+    "pip-audit": {
+      "command": "npx",
+      "args": [
+        "-y", 
+        "mcp-remote", 
+        "http://localhost:7862/gradio_api/mcp/sse",
+        "--transport", 
+        "sse-only"
+      ]
+    },
+    "circle-test": {
+      "command": "npx",
+      "args": [
+        "-y", 
+        "mcp-remote", 
+        "http://localhost:7863/gradio_api/mcp/sse",
+        "--transport", 
+        "sse-only"
+      ]
+    },
+    "semgrep": {
+      "command": "npx",
+      "args": [
+        "-y", 
+        "mcp-remote", 
+        "http://localhost:7864/gradio_api/mcp/sse",
+        "--transport", 
+        "sse-only"
+      ]
+    }
+  }
+}

pip_audit_mcp.py

@@ -0,0 +1,79 @@
+#!/usr/bin/env python3
+"""
+MCP server for pip-audit - a tool for scanning Python environments for known vulnerabilities
+"""
+
+import subprocess
+import json
+from typing import Dict
+import gradio as gr
+
+def pip_audit_scan() -> Dict:
+    """
+    Scans Python environments for known vulnerabilities using pip-audit with basic settings.
+    
+    Returns:
+        Dict: Scan results
+    """
+    try:
+        cmd = ["pip-audit", "--format", "json"]
+
+        print(f"Executing command: {' '.join(cmd)}")
+        result = subprocess.run(cmd, capture_output=True, text=True, check=False)
+        stdout, stderr = result.stdout, result.stderr
+        return_code = result.returncode
+
+        if return_code != 0:
+            print(f"pip-audit command failed with return code {return_code}")
+            print(f"Stderr: {stderr}")
+            return {
+                "success": False,
+                "error": f"pip-audit command failed with return code {return_code}",
+                "stdout": stdout,
+                "stderr": stderr,
+                "return_code": return_code
+            }
+
+        try:
+            output_data = json.loads(stdout) if stdout else {}
+            return {
+                "success": True,
+                "results": output_data,
+                "stderr": stderr,
+                "return_code": return_code
+            }
+        except json.JSONDecodeError as e:
+            print(f"JSON parsing error: {e}")
+            print(f"Raw stdout: {stdout}")
+            return {
+                "success": False,
+                "error": "JSON parsing error: " + str(e),
+                "stdout": stdout,
+                "stderr": stderr,
+                "return_code": return_code
+            }
+            
+    except Exception as e:
+        print(f"Error executing pip-audit: {str(e)}")
+        return {
+            "success": False,
+            "error": f"Error executing pip-audit: {str(e)}"
+        }
+
+# Create Gradio interface
+with gr.Blocks(title="Pip Audit MCP") as demo:
+    gr.Markdown("# 🛡️ Pip Audit Scanner")
+    gr.Markdown("Vulnerability scanning tool for Python environments with MCP support")
+
+    with gr.Tab("Basic Scanning"):
+        scan_btn = gr.Button("🔍 Run Basic Audit", variant="primary")
+        scan_output = gr.JSON(label="Audit Results")
+
+        scan_btn.click(
+            fn=pip_audit_scan,
+            inputs=[],
+            outputs=scan_output
+        )
+
+if __name__ == "__main__":
+    demo.launch(mcp_server=True)

requirements.txt

@@ -0,0 +1,9 @@
+gradio[mcp]
+bandit[toml,baseline,sarif]
+pathlib
+smolagents
+detect-secrets[word_list,gibberish]
+pip-audit
+python-dotenv
+aiohttp
+semgrep

semgrep_mcp.py

@@ -0,0 +1,210 @@
+#!/usr/bin/env python3
+"""
+MCP server for Semgrep - a tool for static analysis of code
+"""
+
+import gradio as gr
+import subprocess
+import json
+import os
+import tempfile
+from typing import Dict, List, Optional
+from pathlib import Path
+
+def semgrep_scan(
+    code_input: str,
+    scan_type: str = "code",
+    rules: str = "p/default",
+    output_format: str = "json"
+) -> Dict:
+    """
+    Сканирует код с помощью Semgrep.
+    
+    Args:
+        code_input (str): Код для сканирования или путь к файлу/директории
+        scan_type (str): Тип сканирования - 'code' для прямого кода или 'path' для файла/директории
+        rules (str): Правила для сканирования (например, 'p/default' или путь к файлу правил)
+        output_format (str): Формат вывода - 'json' или 'text'
+    
+    Returns:
+        Dict: Результаты сканирования
+    """
+    try:
+        # Создаем временный файл или используем существующий путь
+        if scan_type == "code":
+            # Создаем временный файл с кодом
+            with tempfile.NamedTemporaryFile(mode='w', suffix='.py', delete=False) as tmp_file:
+                tmp_file.write(code_input)
+                target_path = tmp_file.name
+        else:
+            # Используем существующий путь
+            target_path = code_input
+            if not os.path.exists(target_path):
+                return {
+                    "error": f"Path not found: {target_path}",
+                    "success": False
+                }
+        
+        # Строим команду semgrep
+        cmd = ["semgrep", "scan"]
+        
+        # Добавляем правила
+        cmd.extend(["--config", rules])
+        
+        # Добавляем формат вывода
+        if output_format == "json":
+            cmd.extend(["--json"])
+        
+        # Добавляем путь для сканирования
+        cmd.append(target_path)
+        
+        # Выполняем команду
+        result = subprocess.run(cmd, capture_output=True, text=True)
+        
+        # Удаляем временный файл, если он был создан
+        if scan_type == "code":
+            try:
+                os.unlink(target_path)
+            except:
+                pass
+        
+        # Обрабатываем результат
+        if output_format == "json":
+            try:
+                output_data = json.loads(result.stdout) if result.stdout else {}
+                return {
+                    "success": True,
+                    "results": output_data,
+                    "stderr": result.stderr,
+                    "return_code": result.returncode
+                }
+            except json.JSONDecodeError:
+                return {
+                    "success": False,
+                    "error": "JSON parsing error",
+                    "stdout": result.stdout,
+                    "stderr": result.stderr,
+                    "return_code": result.returncode
+                }
+        else:
+            return {
+                "success": True,
+                "output": result.stdout,
+                "stderr": result.stderr,
+                "return_code": result.returncode
+            }
+            
+    except Exception as e:
+        return {
+            "success": False,
+            "error": f"Error executing Semgrep: {str(e)}"
+        }
+
+def semgrep_list_rules() -> Dict:
+    """
+    Получает список доступных правил Semgrep.
+    
+    Returns:
+        Dict: Список правил
+    """
+    try:
+        cmd = ["semgrep", "list-rules"]
+        result = subprocess.run(cmd, capture_output=True, text=True)
+        
+        if result.returncode == 0:
+            rules = []
+            for line in result.stdout.split('\n'):
+                if line.strip():
+                    rules.append(line.strip())
+            return {
+                "success": True,
+                "rules": rules
+            }
+        else:
+            return {
+                "success": False,
+                "error": f"Error listing rules: {result.stderr}"
+            }
+            
+    except Exception as e:
+        return {
+            "success": False,
+            "error": f"Error executing Semgrep: {str(e)}"
+        }
+
+# Создаем Gradio интерфейс
+with gr.Blocks(title="Semgrep MCP") as demo:
+    gr.Markdown("# 🔍 Semgrep Scanner")
+    gr.Markdown("Static analysis tool with MCP support")
+    
+    with gr.Tab("Basic Scanning"):
+        with gr.Row():
+            with gr.Column():
+                scan_type = gr.Radio(
+                    choices=["code", "path"],
+                    value="code",
+                    label="Scan Type"
+                )
+                code_input = gr.Textbox(
+                    lines=10,
+                    placeholder="Enter code or path to scan...",
+                    label="Code or Path"
+                )
+                rules = gr.Textbox(
+                    value="p/default",
+                    label="Rules (e.g., p/default or path to rules file)"
+                )
+                output_format = gr.Dropdown(
+                    choices=["json", "text"],
+                    value="json",
+                    label="Output Format"
+                )
+                scan_btn = gr.Button("🔍 Scan", variant="primary")
+            
+            with gr.Column():
+                scan_output = gr.JSON(label="Scan Results")
+        
+        scan_btn.click(
+            fn=semgrep_scan,
+            inputs=[code_input, scan_type, rules, output_format],
+            outputs=scan_output
+        )
+    
+    with gr.Tab("Available Rules"):
+        rules_btn = gr.Button("📋 List Rules", variant="secondary")
+        rules_output = gr.JSON(label="Available Rules")
+        
+        rules_btn.click(
+            fn=semgrep_list_rules,
+            inputs=[],
+            outputs=rules_output
+        )
+    
+    with gr.Tab("Examples"):
+        gr.Markdown("""
+        ## 🚨 Examples of code to scan:
+        
+        ### 1. SQL Injection
+        ```python
+        def get_user(user_id):
+            query = f"SELECT * FROM users WHERE id = {user_id}"
+            return db.execute(query)
+        ```
+        
+        ### 2. Command Injection
+        ```python
+        import subprocess
+        def run_command(command):
+            subprocess.call(f"ls {command}", shell=True)
+        ```
+        
+        ### 3. Path Traversal
+        ```python
+        def read_file(filename):
+            with open(f"/home/user/{filename}", "r") as f:
+                return f.read()
+        ```
+        """)
+
+if __name__ == "__main__":
+    demo.launch(mcp_server=True) 

test_client.py

@@ -0,0 +1,115 @@
+#!/usr/bin/env python3
+"""
+Example MCP client for testing Bandit Security Scanner
+"""
+
+import os
+import asyncio
+from smolagents.mcp_client import MCPClient
+
+async def test_bandit_mcp_client():
+    """Tests connection to Bandit MCP server"""
+    
+    # URL of your Bandit MCP server
+    server_url = "http://localhost:7860/gradio_api/mcp/sse"
+    
+    print("🔒 Connecting to Bandit MCP server...")
+    
+    try:
+        async with MCPClient({"url": server_url}) as client:
+            # Get list of available tools
+            tools = await client.get_tools()
+            
+            print(f"\n✅ Successfully connected! Available tools: {len(tools)}")
+            print("\n📋 Available tools:")
+            for tool in tools:
+                print(f"  • {tool.name}: {tool.description}")
+            
+            # Test scanning vulnerable code
+            print("\n🧪 Testing vulnerable code scanning...")
+            
+            vulnerable_code = """
+import subprocess
+import pickle
+
+# Vulnerabilities for testing
+password = "hardcoded_secret123"  # B105: Hardcoded password
+eval("print('hello')")  # B307: Use of eval
+subprocess.call("ls -la", shell=True)  # B602: subprocess with shell=True
+data = pickle.loads(user_input)  # B301: Pickle usage
+"""
+            
+            # Call bandit_scan
+            scan_tool = next((t for t in tools if t.name == "bandit_scan"), None)
+            if scan_tool:
+                result = await client.call_tool(
+                    tool_name="bandit_scan",
+                    arguments={
+                        "code_input": vulnerable_code,
+                        "scan_type": "code",
+                        "severity_level": "low",
+                        "confidence_level": "low",
+                        "output_format": "json"
+                    }
+                )
+                
+                print("📊 Scan results:")
+                if result.get("success"):
+                    issues = result.get("results", {}).get("results", [])
+                    print(f"  Found security issues: {len(issues)}")
+                    
+                    for i, issue in enumerate(issues, 1):
+                        print(f"\n  🚨 Issue {i}:")
+                        print(f"     ID: {issue.get('test_id')}")
+                        print(f"     Severity: {issue.get('issue_severity')}")
+                        print(f"     Confidence: {issue.get('issue_confidence')}")
+                        print(f"     Description: {issue.get('issue_text')}")
+                        print(f"     Line: {issue.get('line_number')}")
+                        print(f"     Code: {issue.get('code', '').strip()}")
+                else:
+                    print(f"  ❌ Scan error: {result.get('error')}")
+            else:
+                print("  ❌ bandit_scan tool not found")
+            
+            # Test baseline creation (if file exists)
+            print("\n🎯 Testing baseline creation...")
+            baseline_tool = next((t for t in tools if t.name == "bandit_baseline"), None)
+            if baseline_tool:
+                # Create temporary file with code
+                import tempfile
+                with tempfile.NamedTemporaryFile(mode='w', suffix='.py', delete=False) as tmp_file:
+                    tmp_file.write(vulnerable_code)
+                    tmp_path = tmp_file.name
+                
+                baseline_result = await client.call_tool(
+                    tool_name="bandit_baseline",
+                    arguments={
+                        "target_path": tmp_path,
+                        "baseline_file": "/tmp/bandit_baseline.json"
+                    }
+                )
+                
+                print("📋 Baseline result:")
+                if baseline_result.get("success"):
+                    action = baseline_result.get("action", "unknown")
+                    message = baseline_result.get("message", "")
+                    print(f"  ✅ Action: {action}")
+                    if message:
+                        print(f"  📝 Message: {message}")
+                else:
+                    print(f"  ❌ Baseline error: {baseline_result.get('error')}")
+                
+                # Clean up temporary file
+                try:
+                    os.unlink(tmp_path)
+                except:
+                    pass
+            
+    except Exception as e:
+        print(f"❌ Connection error: {e}")
+        print("💡 Make sure Bandit MCP server is running on http://localhost:7860")
+
+if __name__ == "__main__":
+    print("🔒 Bandit MCP Client Test")
+    print("=" * 50)
+    asyncio.run(test_bandit_mcp_client()) 

test_dependencies.py

@@ -0,0 +1,126 @@
+#!/usr/bin/env python3
+"""
+Check installation of all required dependencies for Bandit MCP and Detect Secrets MCP
+"""
+
+import sys
+import subprocess
+
+def check_package(package_name, import_name=None):
+    """Checks package installation"""
+    if import_name is None:
+        import_name = package_name
+    
+    try:
+        __import__(import_name)
+        print(f"✅ {package_name} - installed")
+        return True
+    except ImportError:
+        print(f"❌ {package_name} - NOT installed")
+        return False
+
+def check_command(command):
+    """Checks command availability in system"""
+    try:
+        result = subprocess.run([command, "--version"], 
+                              capture_output=True, text=True)
+        if result.returncode == 0:
+            print(f"✅ {command} - available")
+            return True
+        else:
+            print(f"❌ {command} - unavailable")
+            return False
+    except FileNotFoundError:
+        print(f"❌ {command} - not found")
+        return False
+
+def main():
+    print("🔒 Checking MCP Dependencies")
+    print("=" * 50)
+    
+    all_good = True
+    
+    # Check Python packages
+    print("\n📦 Python packages:")
+    packages = [
+        ("gradio", "gradio"),
+        ("bandit", "bandit"),
+        ("smolagents", "smolagents"),
+        ("detect_secrets", "detect_secrets")
+    ]
+    
+    for package, import_name in packages:
+        if not check_package(package, import_name):
+            all_good = False
+    
+    # Check commands
+    print("\n🔧 System commands:")
+    commands = ["bandit", "npx", "detect-secrets"]
+    
+    for command in commands:
+        if not check_command(command):
+            all_good = False
+    
+    # Check specific bandit capabilities
+    print("\n🎯 Bandit capabilities:")
+    try:
+        result = subprocess.run(["bandit", "--help"], 
+                              capture_output=True, text=True)
+        if "-f json" in result.stdout:
+            print("✅ JSON format - supported")
+        else:
+            print("❌ JSON format - not supported")
+            
+        if "-b" in result.stdout:
+            print("✅ Baseline - supported")
+        else:
+            print("❌ Baseline - not supported")
+            
+        if "-p" in result.stdout:
+            print("✅ Profiles - supported")
+        else:
+            print("❌ Profiles - not supported")
+            
+    except Exception as e:
+        print(f"❌ Error checking Bandit: {e}")
+        all_good = False
+    
+    # Check specific detect-secrets capabilities
+    print("\n🔍 Detect Secrets capabilities:")
+    try:
+        result = subprocess.run(["detect-secrets", "scan", "--help"], 
+                              capture_output=True, text=True)
+        if "--baseline" in result.stdout:
+            print("✅ Baseline - supported")
+        else:
+            print("❌ Baseline - not supported")
+            
+        if "--base64-limit" in result.stdout:
+            print("✅ Base64 entropy - supported")
+        else:
+            print("❌ Base64 entropy - not supported")
+            
+        if "--hex-limit" in result.stdout:
+            print("✅ Hex entropy - supported")
+        else:
+            print("❌ Hex entropy - not supported")
+            
+    except Exception as e:
+        print(f"❌ Error checking Detect Secrets: {e}")
+        all_good = False
+    
+    print("\n" + "=" * 50)
+    if all_good:
+        print("🎉 All dependencies are installed correctly!")
+        print("💡 Now you can run:")
+        print("   - python app.py (for Bandit MCP)")
+        print("   - python detect_secrets_mcp.py (for Detect Secrets MCP)")
+    else:
+        print("⚠️  Some dependencies are missing.")
+        print("💡 Install them with: pip install -r requirements.txt")
+        print("💡 For npm dependencies: npm install -g npx")
+        
+    return all_good
+
+if __name__ == "__main__":
+    main()