Shcheck

Author: tb0hdan

CLAUDE.md

@@ -15,3 +15,4 @@
 ## Important Files
 - docs/PROJECT_NOTES.md - Contains project overview, goals, and current implementation status
 - Makefile - Contains build, test, and lint commands
+- deployments/Dockerfile - contains containerized version

cmd/wass-mcp/main.go

@@ -24,6 +24,7 @@ import (
 	"github.com/tb0hdan/wass-mcp/pkg/tools/history"
 	"github.com/tb0hdan/wass-mcp/pkg/tools/nikto"
 	"github.com/tb0hdan/wass-mcp/pkg/tools/nuclei"
+	"github.com/tb0hdan/wass-mcp/pkg/tools/shcheck"
 	"github.com/tb0hdan/wass-mcp/pkg/tools/wapiti"
 )
 
@@ -89,6 +90,7 @@ func main() {
 		nikto.New(logger),
 		wapiti.New(logger),
 		nuclei.New(logger),
+		shcheck.New(logger),
 	}
 
 	// Create tool instances.

deployments/Dockerfile

@@ -27,7 +27,9 @@ RUN sed -i 's/^Components: main$/Components: main contrib non-free/' /etc/apt/so
     && apt-get update && apt-get install -y --no-install-recommends \
     ca-certificates \
     nikto \
+    python3-pip \
     wapiti \
+    && pip3 install --no-cache-dir --break-system-packages shcheck \
     && rm -rf /var/lib/apt/lists/* \
     && apt-get clean
 

docs/PROJECT_NOTES.md

@@ -42,6 +42,8 @@ wass-mcp/
 │   │   │   └── wapiti.go # Wapiti scanner tool
 │   │   ├── nuclei/
 │   │   │   └── nuclei.go # Nuclei scanner tool
+│   │   ├── shcheck/
+│   │   │   └── shcheck.go # Security headers checker tool
 │   │   ├── fullscan/
 │   │   │   └── fullscan.go # Parallel full scan tool
 │   │   └── history/
@@ -143,6 +145,29 @@ Template-based vulnerability scanner using Nuclei. Performs fast scanning using
 - Detailed finding information
 - Affected URLs and parameters
 
+### shcheck
+
+Security headers checker using shcheck.py. Analyzes HTTP response headers for security best practices including Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options, and more.
+
+**Input:**
+| Parameter | Type | Description |
+|-----------|------|-------------|
+| `host` | string | Target hostname or IP |
+| `port` | int | Target port (default: 80) |
+| `vhost` | string | Virtual host header (optional) |
+| `max_lines` | int | Max output lines (pagination) |
+| `offset` | int | Line offset (pagination) |
+
+**Example:**
+```json
+{"host": "example.com", "port": 443}
+```
+
+**Output:** Returns JSON output including:
+- Present security headers with their values
+- Missing security headers that should be configured
+- Deprecated headers detected
+
 ### full_scan
 
 Comprehensive security scan using all available scanners in parallel. Merges results into a unified report.
@@ -164,7 +189,7 @@ Comprehensive security scan using all available scanners in parallel. Merges res
 **Output:** Unified report containing:
 - Scan summary with timing for each scanner
 - Success/failure status per scanner
-- Merged results from all scanners (nikto, wapiti, nuclei)
+- Merged results from all scanners (nikto, wapiti, nuclei, shcheck)
 
 **Features:**
 - Runs all available scanners in parallel
@@ -316,6 +341,7 @@ The project includes comprehensive test coverage for all packages:
 | `pkg/models` | Data models | JSON serialization, field validation |
 | `pkg/tools` | Tool wrapper | Execution logging, timing, error handling |
 | `pkg/tools/history` | History tool | All history actions (list, get, delete, clear) |
+| `pkg/tools/shcheck` | shcheck tool | Security headers checker tests |
 | `pkg/types` | Constants | Value validation |
 
 ### Running Tests
@@ -383,3 +409,7 @@ BSD 3-Clause License - Copyright (c) 2026, Bohdan Turkynevych.
   - Added shared `ApplyPagination()` and `FormatScannerOutput()` functions
   - Added shared constants `DefaultHost` and `DefaultPort` in `pkg/types`
   - Reduced code duplication across nikto, wapiti, nuclei, and fullscan tools
+- **v1.4:** Added shcheck security headers checker tool:
+  - Analyzes HTTP security headers using shcheck.py with JSON output
+  - Supports vhost via custom Host header
+  - Included in full_scan parallel scanning

pkg/tools/shcheck/shcheck.go

@@ -0,0 +1,92 @@
+package shcheck
+
+import (
+	"context"
+	"fmt"
+	"os/exec"
+
+	"github.com/modelcontextprotocol/go-sdk/mcp"
+	"github.com/rs/zerolog"
+	"github.com/tb0hdan/wass-mcp/pkg/server"
+	"github.com/tb0hdan/wass-mcp/pkg/tools"
+)
+
+const (
+	binaryName  = "shcheck.py"
+	description = "shcheck is a security headers checker that analyzes HTTP response headers for security best practices."
+	headerVerb  = "output"
+)
+
+// Tool implements the shcheck security headers scanner.
+type Tool struct {
+	tools.BaseScanner
+}
+
+// Scan performs the shcheck scan and returns the output.
+func (t *Tool) Scan(ctx context.Context, params tools.ScanParams) tools.ScanResult {
+	host, port := t.ResolveHostPort(params.Host, params.Port)
+
+	targetURL := tools.BuildTargetURL(host, port)
+	t.Logger.Info().Msgf("Running shcheck scan on %s", targetURL)
+
+	args := []string{"-j", "-d", targetURL}
+	if params.Vhost != "" {
+		args = append(args, "-a", fmt.Sprintf("Host: %s", params.Vhost))
+	}
+
+	cmd := exec.CommandContext(ctx, binaryName, args...) //nolint:gosec
+	output, err := cmd.CombinedOutput()
+
+	if err != nil {
+		return tools.ScanResult{
+			Output: string(output),
+			Error:  fmt.Errorf("failed to execute shcheck: %w", err),
+		}
+	}
+
+	return tools.ScanResult{
+		Output: string(output),
+		Error:  nil,
+	}
+}
+
+// Register registers the shcheck tool with the MCP server.
+func (t *Tool) Register(srv *server.Server) error {
+	return t.RegisterTool(srv, t.Handler)
+}
+
+// Handler handles MCP tool requests.
+func (t *Tool) Handler(ctx context.Context, _ *mcp.CallToolRequest, input tools.ScannerInput) (*mcp.CallToolResult, any, error) {
+	if err := t.ValidateInput(input); err != nil {
+		return nil, nil, err
+	}
+
+	host, port := t.ResolveHostPort(input.Host, input.Port)
+
+	params := tools.ScanParams{
+		Host:  host,
+		Port:  port,
+		Vhost: input.Vhost,
+	}
+
+	scanResult := t.Scan(ctx, params)
+	if scanResult.Error != nil {
+		return nil, nil, fmt.Errorf("%w\nOutput: %s", scanResult.Error, scanResult.Output)
+	}
+
+	targetURL := tools.BuildTargetURL(host, port)
+	resultText := tools.FormatScannerOutput(binaryName, headerVerb, targetURL, scanResult.Output, input.MaxLines, input.Offset)
+
+	return &mcp.CallToolResult{
+		Content: []mcp.Content{
+			&mcp.TextContent{Text: resultText},
+		},
+	}, nil, nil
+}
+
+// New creates a new shcheck scanner tool.
+func New(logger zerolog.Logger) tools.Scanner {
+	return &Tool{
+		BaseScanner: tools.NewBaseScanner(binaryName, description, logger),
+	}
+}