Merge pull request #134 from invariantlabs-ai/rename-insecure-flag

hemang-snyk · web-flow · commit 730ec9507ce6 · 2025-11-14T11:18:35.000+01:00
Rename --insecure flag to --skip-ssl-verify
diff --git a/src/mcp_scan/MCPScanner.py b/src/mcp_scan/MCPScanner.py
@@ -76,7 +76,7 @@ def __init__(
         verbose: bool = False,
         additional_headers: dict | None = None,
         control_servers: list | None = None,
-        insecure: bool = False,
+        skip_ssl_verify: bool = False,
         **kwargs: Any,
     ):
         logger.info("Initializing MCPScanner")
@@ -95,7 +95,7 @@ def __init__(
         self.include_built_in = include_built_in
         self.control_servers = control_servers
         self.verbose = verbose
-        self.insecure = insecure
+        self.skip_ssl_verify = skip_ssl_verify
         logger.debug(
             "MCPScanner initialized with timeout: %d, checks_per_server: %d", server_timeout, checks_per_server
         )
@@ -306,7 +306,7 @@ async def scan(self) -> list[ScanPathResult]:
             opt_out_of_identity=self.opt_out_of_identity,
             skip_pushing=bool(self.control_servers),
             verbose=self.verbose,
-            insecure=self.insecure,
+            skip_ssl_verify=self.skip_ssl_verify,
         )
         logger.debug("Result verified: %s", result_verified)
         logger.debug("Saving storage file")
diff --git a/src/mcp_scan/cli.py b/src/mcp_scan/cli.py
@@ -213,7 +213,7 @@ def add_common_arguments(parser):
         help="Output results in JSON format instead of rich text",
     )
     parser.add_argument(
-        "--insecure",
+        "--skip-ssl-verify",
         default=False,
         action="store_true",
         help="Disable SSL certificate verification",
@@ -795,7 +795,7 @@ async def run_scan_inspect(mode="scan", args=None):
                 server_config["opt_out"],
                 verbose=getattr(args, "verbose", False),
                 additional_headers=parse_headers(server_config["headers"]),
-                insecure=getattr(args, "insecure", False),
+                skip_ssl_verify=getattr(args, "skip_ssl_verify", False),
             )
     return result
 
diff --git a/src/mcp_scan/upload.py b/src/mcp_scan/upload.py
@@ -61,7 +61,7 @@ async def upload(
     verbose: bool = False,
     additional_headers: dict | None = None,
     max_retries: int = 3,
-    insecure: bool = False,
+    skip_ssl_verify: bool = False,
 ) -> None:
     """
     Upload the scan results to the control server with retry logic.
@@ -74,7 +74,7 @@ async def upload(
         verbose: Whether to enable verbose logging
         additional_headers: Additional HTTP headers to send
         max_retries: Maximum number of retry attempts (default: 3)
-        insecure: Whether to disable SSL certificate verification (default: False)
+        skip_ssl_verify: Whether to disable SSL certificate verification (default: False)
     """
     if not results:
         logger.info("No scan results to upload")
@@ -104,7 +104,7 @@ async def upload(
         try:
             async with aiohttp.ClientSession(
                 trace_configs=trace_configs,
-                connector=setup_tcp_connector(insecure=insecure),
+                connector=setup_tcp_connector(skip_ssl_verify=skip_ssl_verify),
             ) as session:
                 headers = {"Content-Type": "application/json"}
                 headers.update(additional_headers)
diff --git a/src/mcp_scan/verify_api.py b/src/mcp_scan/verify_api.py
@@ -103,14 +103,14 @@ async def on_request_redirect(session, trace_config_ctx, params):
     return [trace_config]
 
 
-def setup_tcp_connector(insecure: bool = False) -> aiohttp.TCPConnector:
+def setup_tcp_connector(skip_ssl_verify: bool = False) -> aiohttp.TCPConnector:
     """
     Setup a TCP connector with SSL settings.
 
-    When insecure is True, disable SSL verification and hostname checking.
+    When skip_ssl_verify is True, disable SSL verification and hostname checking.
     Otherwise, use a secure default SSL context with certifi CA and TLSv1.2+.
     """
-    if insecure:
+    if skip_ssl_verify:
         # Disable SSL verification at the connector level
         return aiohttp.TCPConnector(ssl=False, enable_cleanup_closed=True)
 
@@ -152,7 +152,7 @@ async def analyze_machine(
     verbose: bool = False,
     skip_pushing: bool = False,
     max_retries: int = 3,
-    insecure: bool = False,
+    skip_ssl_verify: bool = False,
 ) -> list[ScanPathResult]:
     """
     Analyze the scan paths with the analysis server.
@@ -166,7 +166,7 @@ async def analyze_machine(
         verbose: Whether to enable verbose logging
         skip_pushing: Whether to skip pushing the scan to the platform
         max_retries: Maximum number of retry attempts
-        insecure: Whether to skip SSL verification
+        skip_ssl_verify: Whether to skip SSL verification
     """
     logger.debug(f"Analyzing scan path with URL: {analysis_url}")
     user_info = get_user_info(identifier=identifier, opt_out=opt_out_of_identity)
@@ -190,7 +190,7 @@ async def analyze_machine(
         try:
             async with aiohttp.ClientSession(
                 trace_configs=trace_configs,
-                connector=setup_tcp_connector(insecure=insecure),
+                connector=setup_tcp_connector(skip_ssl_verify=skip_ssl_verify),
             ) as session:
                 async with session.post(
                     analysis_url,
diff --git a/tests/unit/test_cli_parsing.py b/tests/unit/test_cli_parsing.py
@@ -409,8 +409,8 @@ async def test_no_upload_when_no_control_servers(self):
             mock_upload.assert_not_called()
 
     @pytest.mark.asyncio
-    async def test_upload_with_insecure(self):
-        """Test that upload is called with insecure option."""
+    async def test_upload_with_skip_ssl_verify(self):
+        """Test that upload is called with skip_ssl_verify option."""
         from argparse import Namespace
 
         from mcp_scan.cli import run_scan_inspect
@@ -428,30 +428,30 @@ async def test_upload_with_insecure(self):
             # Setup upload mock
             mock_upload.return_value = None
 
-            # Create args with a control server and without the insecure option
-            args_without_insecure = Namespace(
+            # Create args with a control server and without the skip_ssl_verify option
+            args_without_skip_ssl_verify = Namespace(
                 verification_H=None,
                 control_servers=[{"url": "https://server1.com", "headers": [], "identifier": None, "opt_out": False}],
             )
 
             # Run the scan
-            await run_scan_inspect(mode="scan", args=args_without_insecure)
+            await run_scan_inspect(mode="scan", args=args_without_skip_ssl_verify)
 
-            # Verify upload was called and insecure was not propagated
+            # Verify upload was called and skip_ssl_verify was not propagated
             _, kwargs = mock_upload.call_args
-            assert kwargs.get("insecure") is False
+            assert kwargs.get("skip_ssl_verify") is False
 
-            # Create args with a control server and insecure option
-            args_with_insecure = Namespace(
+            # Create args with a control server and skip_ssl_verify option
+            args_with_skip_ssl_verify = Namespace(
                 verification_H=None,
                 control_servers=[{"url": "https://server1.com", "headers": [], "identifier": None, "opt_out": False}],
-                insecure=True,
+                skip_ssl_verify=True,
             )
 
             # Run the scan
-            await run_scan_inspect(mode="scan", args=args_with_insecure)
+            await run_scan_inspect(mode="scan", args=args_with_skip_ssl_verify)
 
-            # Verify upload was called and insecure was propagated
+            # Verify upload was called and skip_ssl_verify was propagated
             assert mock_upload.call_count == 2
             _, kwargs = mock_upload.call_args
-            assert kwargs.get("insecure") is True
+            assert kwargs.get("skip_ssl_verify") is True
