From 2bd118b09d594061ebaf010cad34918155edc836 Mon Sep 17 00:00:00 2001
From: Juan Antonio Osorio
Date: Thu, 5 Feb 2026 12:31:29 +0200
Subject: [PATCH] feat(astra-db-mcp): enable security scanning with mock_env

Replace insecure_ignore with mock_env to allow mcp-scanner to start the server and scan its tools. The mock ASTRA_DB_APPLICATION_TOKEN and ASTRA_DB_API_ENDPOINT are not real credentials - they're placeholders that let the server initialize.

Co-Authored-By: Claude Opus 4.5
---
 npx/astra-db-mcp/spec.yaml | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/npx/astra-db-mcp/spec.yaml b/npx/astra-db-mcp/spec.yaml
index 124f708..2606c5f 100644
--- a/npx/astra-db-mcp/spec.yaml
+++ b/npx/astra-db-mcp/spec.yaml
@@ -17,8 +17,14 @@ provenance:
 repository_uri: "https://github.com/datastax/astra-db-mcp"
 repository_ref: "refs/heads/main"
 
-# Security allowlist - No issues found in scan
+# Security configuration
 security:
- # Server requires Astra DB credentials to start - cannot be scanned in CI
- insecure_ignore: true
+ # Mock env vars allow security scanning without real credentials
+ mock_env:
+ - name: ASTRA_DB_APPLICATION_TOKEN
+ value: "AstraCS:mock-token-for-scanning:0000000000000000"
+ description: "Astra DB token - mock value for security scanning"
+ - name: ASTRA_DB_API_ENDPOINT
+ value: "https://mock-db-id.apps.astra.datastax.com"
+ description: "Astra DB endpoint - mock value for security scanning"
 allowed_issues: []
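Review bot: The placeholder endpoint on the new `ASTRA_DB_API_ENDPOINT` entry, `value: "https://mock-db-id.apps.astra.datastax.com"`, sits under the real Astra production domain, so if mcp-scanner exercises any tool rather than only listing them, the server would send the placeholder token to DataStax infrastructure from CI instead of failing locally. A reserved name that cannot resolve, e.g. `value: "https://mock-db-id.invalid"` (RFC 2606), keeps the scan hermetic — unless the client validates the endpoint host against the Astra domain, in which case that constraint deserves a comment on the entry. Separately, the token value keeps the real `AstraCS:` prefix, which secret scanners may report as a leaked credential; if the prefix is required for the server to initialize, say so in the comment above `mock_env:` so the finding can be triaged as a known placeholder rather than suppressed.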