Security findings (SQL injection, Dockerfile secrets, dependency vulns)

[bellatrixnv]

Hi, I scanned this repo with a multi-engine MCP security scanner

Critical/High

• Dockerfile:21 exposes MYSQL_PASSWORD via ENV. Visible in image history and running containers. Use build secrets or runtime-only env vars instead.
• Dockerfile runs as root. Consider adding a non-root USER.
• server.py:95 has string-based SQL query construction. Bandit flags it as a potential injection vector (B608).
• mcp@1.0.0 has 3 known vulns (DoS, DNS rebinding). Upgrading to a patched version fixes these.
• black@23.0.0 has a ReDoS vulnerability.

Low

• .github/workflows/test.yml:18 contains what looks like a hardcoded secret.

report: https://mcpampel.com/scan/a607fb58-0617-4791-8533-4e9e54cb84e4