TelemetryFlow Python MCP Server (TFO-Python-MCP)

• Supported Versions
• Reporting a Vulnerability
• Security Measures
• Security Best Practices
• Dependency Security
• API Key Security
• Security Checklist

We provide security updates for the following versions:

We recommend always using the latest version for the best security.

Please do NOT report security vulnerabilities through public GitHub issues.

Instead, please report them via one of the following methods:

1. Email: security@devopscorner.id
2. GitHub Security Advisories: Create a security advisory

Please include the following information in your report:

• Type of vulnerability (e.g., XSS, SQL injection, command injection)
• Full paths of source file(s) related to the vulnerability
• Location of the affected source code (tag/branch/commit or direct URL)
• Step-by-step instructions to reproduce the issue
• Proof-of-concept or exploit code (if possible)
• Impact of the issue, including how an attacker might exploit it

1. Acknowledgment: We will acknowledge receipt of your report within 48 hours.
2. Assessment: We will investigate and validate the reported vulnerability.
3. Updates: We will keep you informed of our progress.
4. Fix: We will develop and test a fix.
5. Disclosure: We will coordinate disclosure with you.
6. Credit: We will credit you in the security advisory (if desired).

flowchart TB
    subgraph Security["Security Layers"]
        API["API Key Validation"]
        RATE["Rate Limiting"]
        INPUT["Input Validation"]
        SANITIZE["Output Sanitization"]
    end

    REQUEST["Incoming Request"] --> API
    API --> RATE
    RATE --> INPUT
    INPUT --> SANITIZE
    SANITIZE --> HANDLER["Request Handler"]

    style Security fill:#ffcdd2,stroke:#f44336

• API keys are never logged
• Keys are stored in environment variables
• Keys are not included in configuration files committed to version control
• Keys are validated on every request

• All inputs are validated before processing
• JSON schema validation for tool arguments
• Path traversal prevention for file operations
• Command injection prevention for shell operations

• Configurable request limits per minute
• Burst allowance for temporary spikes
• Per-client rate tracking

• TLS for external API calls
• Minimal file permissions
• Secure default configuration

# DO: Use environment variables
export ANTHROPIC_API_KEY="your-api-key"

# DO: Use secret managers in production
ANTHROPIC_API_KEY=$(aws secretsmanager get-secret-value --secret-id telemetryflow-python-mcp/api-key)

# DON'T: Put keys in config files
# DON'T: Commit keys to version control
# DON'T: Share keys in logs or error messages

# config.yaml - DO NOT include secrets here
claude:
  api_key: "" # Use environment variable instead

security:
  rate_limit:
    enabled: true
    requests_per_minute: 60

• Use absolute paths
• Validate file paths
• Restrict operations to allowed directories
• Set appropriate file permissions

• Validate all command inputs
• Use allowlists for permitted commands
• Set execution timeouts
• Run with minimal privileges

# DO: Validate inputs
async def execute(self, arguments: dict[str, Any]) -> ToolResult:
    """Execute tool with validated input."""
    # Validate using Pydantic
    validated = ToolInput.model_validate(arguments)

    # Sanitize file paths
    safe_path = self._sanitize_path(validated.path)
    if not self._is_allowed_path(safe_path):
        return ToolResult.error("Path not allowed")

    # Execute with validated input
    return await self._do_execute(validated)


# DO: Use parameterized queries (for database operations)
# DO: Sanitize outputs
# DO: Handle errors without leaking information

# Regularly update dependencies
pip install --upgrade pip
pip install -e ".[dev]"

# Check for vulnerabilities
pip-audit
safety check

# Generate requirements with hashes
pip-compile --generate-hashes requirements.in

# DON'T: Hardcode secrets
API_KEY = "sk-ant-api..."  # NEVER DO THIS

# DO: Use environment variables
import os

api_key = os.environ.get("ANTHROPIC_API_KEY")
if not api_key:
    raise ValueError("ANTHROPIC_API_KEY environment variable required")

We use multiple tools to scan for vulnerabilities:

# Install security tools
pip install pip-audit safety bandit

# Scan for vulnerabilities
pip-audit

# Check with safety
safety check

# Run bandit security linter
bandit -r src/

# Docker image scanning
trivy image telemetryflow-python-mcp:latest

• Critical vulnerabilities: Patch within 24 hours
• High vulnerabilities: Patch within 7 days
• Medium vulnerabilities: Patch within 30 days
• Low vulnerabilities: Patch in next release

• Rotate keys every 90 days
• Rotate immediately if compromised
• Use separate keys for dev/staging/production

• Limit key access to necessary personnel
• Use separate keys per application/environment
• Monitor key usage for anomalies

• API keys stored securely (not in code/config)
• Rate limiting enabled
• Input validation implemented
• Logging does not include sensitive data
• TLS configured for external connections
• File permissions set correctly
• Dependencies scanned for vulnerabilities
• Security tests passing

• Regular dependency updates
• Regular security scans
• Monitor for security advisories
• Review access controls
• Audit logging enabled
• Incident response plan ready

• No secrets in code
• Input validation for new features
• Security tests for new functionality
• Documentation updated for security features
• Security review for significant changes

security:
  rate_limit:
    enabled: true
    requests_per_minute: 60
    burst_size: 10

  api_key_validation: true

  allowed_commands:
    - "python"
    - "pip"
    - "make"
    - "git"

For security concerns, please contact:

• Security Email: security@devopscorner.id
• GitHub Security: Security Advisories

Thank you for helping keep TelemetryFlow Python MCP and its users secure!