TraceX
AI-powered test case generation and traceability platform using Google ADK. Orchestrates 7 specialized agents to parse requirements, generate IEEE-829 test cases, verify regulatory compliance, insert traceability links into BigQuery, and create Jira issues — with a modern React + TypeScript UI.
0Tools
2Findings
0Stars
Mar 22, 2026Last Scanned
1 high · 1 low findings detected
Security Category Deep Dive
Prompt Injection
Prompt & context manipulation attacks
69
Maturity
14
Rules
5
Sub-Categories
1
Gaps
64%
Implemented
56
Tests
1
Stories
100%3 rules
Injection via tool descriptions and parameter fields
GAP-001Prompt Injection Coverage GapMissing detection coverage for emerging prompt injection attack variants not addressed by current rules
100%4 rules
Hidden instructions via external content and tool responses
100%2 rules
Context window saturation and prior-approval exploitation
100%3 rules
Payload hiding via invisible chars, base64, schema fields
100%2 rules
Injection via prompt templates and runtime tool output
Findings2
1high
1low
High1
highI15Transport Session SecurityMCP07-insecure-configAML.T0054
Pattern "(session[_\s-]?id|sessionId)\s*[:=]\s*["'][a-zA-Z0-9_-]{1,8}["']" matched in source_code: "session_id = "session1"" (at position 1724)
Use HTTPS for all MCP Streamable HTTP endpoints. Generate cryptographically random session IDs (min 128 bits entropy). Do not accept session IDs from user input (CVE-2025-6515). Validate TLS certificates — do not disable certificate verification.
Low1
lowF4MCP Spec Non-ComplianceMCP07-insecure-config
Server fails MCP spec compliance checks: required:server_name; required:server_version; required:protocol_version; recommended:tool_descriptions; recommended:parameter_descriptions
Follow the MCP specification for server metadata. Include server name, version, and protocol version. Provide descriptions for all tools and parameters.