Pipelock Security Assessment

Scored 89/100 but capped at C — high-risk MCP server "dev-db-tools" (claude-code) is unprotected.

Run ID: 37cf1047-120c-449f-b4f1-4b52731506a9 | 2026-03-27 19:51:46 UTC | v2.0.0

Assessment Details

PLATFORM
linux/amd64

PIPELOCK VERSION
v2.0.0

CONFIG FILE
/etc/pipelock/pipelock.yaml

CONFIG HASH
679a7341f8f9...

SCORING VERSION
1

LICENSE
assess

GIT COMMIT
0d7cdc3ec091...

ASSESSED
2026-03-27 19:51:46 UTC

Methodology

Detection Coverage (25%)Simulated attacks against the scanner pipeline Config Posture (25%)Security feature enablement and configuration strength Deployment Verification (30%)Live probe of scanning pipeline and network containment MCP Protection (20%)MCP server discovery and protection coverage

Grades: A (90-100), B (80-89), C (70-79), D (60-69), F (0-59). Critical exposures cap the grade regardless of numeric score.

Critical Exposure

⚠ 3 Unprotected MCP Server(s)

These servers have no pipelock proxy wrapper. Agent traffic flows directly to the server without DLP scanning, injection detection, or tool policy enforcement.

High-risk servers that capped your grade:

high dev-db-tools claude-code · stdio

high local-filesystem cursor · stdio

Also unprotected:

medium staging-deploy vscode · stdio

Assessment Sections

Section	Score	Grade	Detail
Config Posture	82/100	B	82/100 points
Deployment Verification	100/100	A	7/7 applicable checks passed
Detection Coverage	100/100	A	20/20 scenarios detected
MCP Protection	70/100	C	10 servers scored, 0 client parse errors

Attack Simulation (20/20 detected, 0 known limitations)

DETECTED

MISSED

Scenario	Category	Result	Detail
AWS access key in URL path	DLP Exfiltration	DETECTED	dlp
Base64-encoded GitHub token	DLP Exfiltration	DETECTED	dlp
Hex-encoded Slack token	DLP Exfiltration	DETECTED	dlp
Anthropic API key in text body	DLP Exfiltration	DETECTED	1 matches
OpenAI API key in URL	DLP Exfiltration	DETECTED	dlp
Private key (WIF format) in URL	DLP Exfiltration	DETECTED	dlp
Classic instruction override	Prompt Injection	DETECTED	Prompt Injection
Leetspeak evasion	Prompt Injection	DETECTED	Prompt Injection
Base64-wrapped injection	Prompt Injection	DETECTED	Encoded Payload
Credential solicitation	Prompt Injection	DETECTED	Credential Solicitation
Memory persistence directive	Prompt Injection	DETECTED	Memory Persistence Directive
Role override (DAN jailbreak)	Prompt Injection	DETECTED	Jailbreak Attempt, jailbreak_attempt, Role Override
IMPORTANT tag in description	Tool Poisoning	DETECTED	1 matches
Exfiltration in schema default	Tool Poisoning	DETECTED	1 matches
Cross-tool manipulation	Tool Poisoning	DETECTED	1 matches
Vendor extension with instructions	Tool Poisoning	DETECTED	1 matches
URL-encoded secret in path	URL Evasion	DETECTED	dlp
CRLF injection in URL	URL Evasion	DETECTED	crlf_injection
Overlong URL	URL Evasion	DETECTED	length
Path traversal	URL Evasion	DETECTED	path_traversal

Configuration Audit (82/100 points)

DLP 15/15

DLP enabled with 4 custom patterns and env leak scanning

Response Scanning 10/10

Response scanning enabled with block action

MCP Tool Scanning 10/10

Tool scanning enabled with block action

MCP Tool Policy 11/15

3 rules configured, missing persistence and network patterns

MCP Input Scanning 5/5

Input scanning enabled with block action

MCP Session Binding 5/5

Session binding enabled

Kill Switch 5/10

Sentinel file configured, no API listener or SIGUSR1

Enforcement 8/10

Balanced mode with enforce=true

Domain Blocklist 5/5

3 domains on blocklist

Adaptive Enforcement 0/5

Adaptive enforcement not enabled

Tool Chain Detection 3/5

1 chain configured, no advanced sequences

Sandbox 5/5

Sandbox enabled

Deployment Verification (7 passed, 0 failed, 3 N/A)

PASS

config_valid

Configuration loaded and validated successfully

PASS

proxy_health

Proxy health endpoint responded 200 OK

PASS

fetch_dlp

Fetch proxy blocked URL containing AWS access key pattern

PASS

forward_blocked

Forward proxy blocked connection to malware.example.com

PASS

scanning_dlp

DLP scanner detected embedded GitHub token in request body

PASS

scanning_injection

Response scanner detected prompt injection attempt

PASS

scanning_policy

Tool policy blocked exec tool call matching block rule

N/A

no_direct_http

Containment checks require container or VM runtime context

N/A

no_direct_dns

Containment checks require container or VM runtime context

N/A

no_direct_https

Containment checks require container or VM runtime context

MCP Server Inventory (7 protected, 3 unprotected, 10 total)

Server Name	Client	Transport	Protection	Risk	Command
dev-db-tools	claude-code	stdio	UNPROTECTED	high	npx
local-filesystem	cursor	stdio	UNPROTECTED	high	npx
staging-deploy	vscode	stdio	UNPROTECTED	medium	node
internal-docs	claude-code	stdio	PIPELOCK	low	pipelock
prod-api	claude-code	stdio	PIPELOCK	low	pipelock
slack-notifications	claude-code	stdio	PIPELOCK	low	pipelock
github-copilot-tools	cursor	stdio	PIPELOCK	low	pipelock
jira-integration	cursor	stdio	PIPELOCK	low	pipelock
aws-bedrock	vscode	stdio	PIPELOCK	low	pipelock
datadog-monitoring	vscode	stdio	PIPELOCK	low	pipelock

Findings (8)

HIGH 2

MEDIUM 4

INFO 2

Severity	Category	Source	Title / Detail	Remediation
HIGH	mcp_protection	discover	MCP server "dev-db-tools" (claude-code) is unprotected	Wrap this MCP server with pipelock: `pipelock mcp proxy --config pipelock.yaml -- <original-command>`. High-risk servers with database or shell access should be prioritized.
HIGH	mcp_protection	discover	MCP server "local-filesystem" (cursor) is unprotected	Wrap this MCP server with pipelock: `pipelock mcp proxy --config pipelock.yaml -- <original-command>`. High-risk servers with database or shell access should be prioritized.
MEDIUM	Adaptive Enforcement	audit_score	Adaptive enforcement not enabled; anomalous agent behavior will not trigger automatic escalation	Enable adaptive enforcement with `adaptive_enforcement: {enabled: true}`.
MEDIUM	Kill Switch	audit_score	Kill switch has only 1 source configured; recommend API listener and SIGUSR1 for defense-in-depth	Configure kill switch with multiple sources (config, API, sentinel file).
MEDIUM	MCP Tool Policy	audit_score	Tool policy missing patterns for persistence tools (write_file, create_directory) and network tools (curl, wget)	Add tool policy rules to restrict dangerous tool calls. See docs/configuration.md.
MEDIUM	mcp_protection	discover	MCP server "staging-deploy" (vscode) is unprotected	Wrap this MCP server with pipelock: `pipelock mcp proxy --config pipelock.yaml -- <original-command>`.
INFO	Enforcement	audit_score	Using balanced mode; strict mode provides maximum protection for high-security environments	Switch to strict mode with `mode: strict` for maximum protection.
INFO	Tool Chain Detection	audit_score	Only 1 tool chain rule; consider adding chains for read-then-delete and search-then-exfiltrate patterns	Enable chain detection with `tool_chain_detection: {enabled: true}`.

Priority Actions

1 Wrap 3 unprotected MCP server(s) with pipelock: `pipelock mcp proxy --config pipelock.yaml -- <command>`. 2 high-risk server(s) with database or shell access should be prioritized.

2 Enable adaptive enforcement with `adaptive_enforcement: {enabled: true}`.

3 Configure kill switch with multiple sources (config, API, sentinel file).

4 Add tool policy rules to restrict dangerous tool calls. See docs/configuration.md.

5 Switch to strict mode with `mode: strict` for maximum protection.

Verification

UNSIGNED Ed25519 Digital Signature

Run ID
37cf1047-120c-449f-b4f1-4b52731506a9

Config Hash
679a7341f8f9...

pipelock assess verify <run-dir> --agent <agent-name>