fix(cli): scope scan-resources to its own surface (#221)#254
Merged
hello-args merged 3 commits intoJun 11, 2026
Merged
Conversation
scan-resources is documented as "Scan MCP resources only" but the shared _surface_scan helper hardcoded discover_instructions=True. Instruction discovery then walked SKILL.md / prompt manifests, so resource-only scans reported prompt-surface findings (e.g. skill_md, prompt_injection) and polluted resource CI gates on repos that ship skill documentation. Derive discover_instructions from the requested surfaces: it stays on for prompt/instruction scans (which need it) and turns off for resource-only scans. Driving it from the surface set keeps the three subcommands correct by construction and avoids drift if new surface commands are added.
Merge main and document that resource-only surface scans no longer walk SKILL.md / prompt instruction files.
Collaborator
|
Thanks @maxime2476! Nice catch on this one. The explanation, fix, and regression test all make sense, and I really like the approach of deriving instruction discovery from the selected surfaces rather than hardcoding behavior. Appreciate you taking the time to track it down and put together a clean fix. Thanks for the contribution! |
Contributor
Author
|
Thanks for the review and the feedback! Glad the fix was helpful. Happy to contribute, and I’ll be around for future issues as well. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes #221
What was wrong
mcts scan-resourcesis documented as "Scan MCP resources only", but it was reporting prompt/instruction findings. The shared_surface_scanhelper hardcodeddiscover_instructions=True, so instruction discovery still walkedSKILL.md/ prompt manifests on every surface scan. On repos that ship skill documentation, a resource-only scan surfacedskill_md/prompt_injectionfindings and polluted resource-only CI gates with prompt-surface noise.The fix
Instead of a flat
True,discover_instructionsis now derived from the surfaces being scanned:scan-prompts(prompt,instruction) → discovery stays onscan-instructions(instruction) → discovery stays onscan-resources(resource) → discovery turns offDriving the flag from the surface set keeps the three subcommands correct by construction, so a future surface command can't silently reintroduce the leak.
Tests
Added
test_scan_resources_excludes_prompt_surface_findings, which seeds a repo with an injection-ladenSKILL.md, then asserts:scan-resourcesemits no prompt-surface analyzers (prompt_injection,prompt_defense,skill_md)scan-promptsstill picks the skill doc up (the doc is genuinely a prompt surface)Confirmed the test fails on
main(leaked prompt-surface findings: ['skill_md']) and passes with the fix.ruff checkis clean on the touched files.