TelemetryFlow GO MCP Server (TFO-GO-MCP)

• Supported Versions
• Reporting a Vulnerability
• Security Measures
• Security Best Practices
• Dependency Security
• API Key Security
• Security Checklist

We provide security updates for the following versions:

We recommend always using the latest version for the best security.

Please do NOT report security vulnerabilities through public GitHub issues.

Instead, please report them via one of the following methods:

1. Email: security@devopscorner.id
2. GitHub Security Advisories: Create a security advisory

Please include the following information in your report:

• Type of vulnerability (e.g., XSS, SQL injection, buffer overflow)
• Full paths of source file(s) related to the vulnerability
• Location of the affected source code (tag/branch/commit or direct URL)
• Step-by-step instructions to reproduce the issue
• Proof-of-concept or exploit code (if possible)
• Impact of the issue, including how an attacker might exploit it

1. Acknowledgment: We will acknowledge receipt of your report within 48 hours.
2. Assessment: We will investigate and validate the reported vulnerability.
3. Updates: We will keep you informed of our progress.
4. Fix: We will develop and test a fix.
5. Disclosure: We will coordinate disclosure with you.
6. Credit: We will credit you in the security advisory (if desired).

flowchart TB
    subgraph Security["Security Layers"]
        API["API Key Validation"]
        RATE["Rate Limiting"]
        INPUT["Input Validation"]
        SANITIZE["Output Sanitization"]
    end

    REQUEST["Incoming Request"] --> API
    API --> RATE
    RATE --> INPUT
    INPUT --> SANITIZE
    SANITIZE --> HANDLER["Request Handler"]

    style Security fill:#ffcdd2,stroke:#f44336

• API keys are never logged
• Keys are stored in environment variables
• Keys are not included in configuration files committed to version control
• Keys are validated on every request

• All inputs are validated before processing
• JSON schema validation for tool arguments
• Path traversal prevention for file operations
• Command injection prevention for shell operations

• Configurable request limits per minute
• Burst allowance for temporary spikes
• Per-client rate tracking

• TLS for external API calls
• Minimal file permissions
• Secure default configuration

# DO: Use environment variables
export TELEMETRYFLOW_MCP_CLAUDE_API_KEY="your-api-key"

# DO: Use secret managers in production
TELEMETRYFLOW_MCP_CLAUDE_API_KEY=$(aws secretsmanager get-secret-value --secret-id telemetryflow-go-mcp/api-key)

# DON'T: Put keys in config files
# DON'T: Commit keys to version control
# DON'T: Share keys in logs or error messages

# config.yaml - DO NOT include secrets here
claude:
  api_key: "" # Use environment variable instead

security:
  rate_limit:
    enabled: true
    requests_per_minute: 60

• Use absolute paths
• Validate file paths
• Restrict operations to allowed directories
• Set appropriate file permissions

• Validate all command inputs
• Use allowlists for permitted commands
• Set execution timeouts
• Run with minimal privileges

// DO: Validate inputs
func (h *Handler) Execute(ctx context.Context, input string) error {
    if err := validate(input); err != nil {
        return fmt.Errorf("invalid input: %w", err)
    }
    // ...
}

// DO: Use parameterized queries (for database operations)
// DO: Sanitize outputs
// DO: Handle errors without leaking information

# Regularly update dependencies
go get -u ./...
go mod tidy

# Check for vulnerabilities
go list -m all | nancy sleuth
govulncheck ./...

// DON'T: Hardcode secrets
const apiKey = "sk-ant-api..."  // NEVER DO THIS

// DO: Use environment variables
apiKey := os.Getenv("TELEMETRYFLOW_MCP_CLAUDE_API_KEY")

We use multiple tools to scan for vulnerabilities:

# Install govulncheck
go install golang.org/x/vuln/cmd/govulncheck@latest

# Scan for vulnerabilities
govulncheck ./...

# Using nancy
go list -json -m all | nancy sleuth

# Docker image scanning
trivy image telemetryflow-go-mcp:latest

• Critical vulnerabilities: Patch within 24 hours
• High vulnerabilities: Patch within 7 days
• Medium vulnerabilities: Patch within 30 days
• Low vulnerabilities: Patch in next release

• Rotate keys every 90 days
• Rotate immediately if compromised
• Use separate keys for dev/staging/production

• Limit key access to necessary personnel
• Use separate keys per application/environment
• Monitor key usage for anomalies

• API keys stored securely (not in code/config)
• Rate limiting enabled
• Input validation implemented
• Logging does not include sensitive data
• TLS configured for external connections
• File permissions set correctly
• Dependencies scanned for vulnerabilities
• Security tests passing

• Regular dependency updates
• Regular security scans
• Monitor for security advisories
• Review access controls
• Audit logging enabled
• Incident response plan ready

• No secrets in code
• Input validation for new features
• Security tests for new functionality
• Documentation updated for security features
• Security review for significant changes

security:
  rate_limit:
    enabled: true
    requests_per_minute: 60
    burst_size: 10

  api_key_validation: true

  allowed_commands:
    - "go"
    - "make"
    - "git"

For security concerns, please contact:

• Security Email: security@devopscorner.id
• GitHub Security: Security Advisories

Thank you for helping keep TelemetryFlow GO MCP and its users secure!