MCP server for ClassiFinder — secret scanning tools for AI agents
ClassiFinder MCP Server
An MCP server that gives AI agents the ability to scan text for leaked secrets and redact them before they reach an LLM.
Installation
pip install classifinder-mcp
Setup
Get a free API key at classifinder.ai, then add to your agent config:
Claude Code
{
"mcpServers": {
"classifinder": {
"command": "classifinder-mcp",
"env": {
"CLASSIFINDER_API_KEY": "ss_live_your_key_here"
}
}
}
}
Cursor
Add to .cursor/mcp.json in your project:
{
"mcpServers": {
"classifinder": {
"command": "classifinder-mcp",
"env": {
"CLASSIFINDER_API_KEY": "ss_live_your_key_here"
}
}
}
}
Tools
classifinder_scan
Scan text for leaked secrets and credentials. Returns findings with type, severity, confidence, and remediation guidance.
Agent: "Check this config for secrets"
→ classifinder_scan(text="AWS_ACCESS_KEY_ID=AKIAJGKJHSKLDJFH3284")
→ Found 1 secret: aws_access_key (critical, confidence 0.95)
classifinder_redact
Replace all detected secrets with safe placeholders. Returns clean text safe to forward to any LLM.
Agent: "Clean this before sending to the model"
→ classifinder_redact(text="key=sk_live_EXAMPLE_KEY_HERE")
→ "key=[STRIPE_LIVE_SECRET_KEY_REDACTED]"
What It Detects
178 detection patterns:
- 164 secret types across 10 categories: cloud/infra keys (AWS, GCP, Azure, Vercel including the 2024+ prefixed taxonomy vcp_/vci_/vca_/vcr_/vck_, Fly.io, Doppler, HashiCorp Vault, Cloudflare, Dropbox, JFrog/Artifactory and more); payment (Stripe, PayPal, Shopify with 4 token types, credit cards Luhn-validated, Square); VCS (GitHub, GitLab with 10 token types covering deploy/feed/runner/SCIM/k8s-agent/OAuth/feature-flag, Bitbucket); comms/SaaS (Slack including config/session/legacy variants, Twilio, SendGrid, Mailgun, Datadog, Sentry, PagerDuty, Notion, Linear and more); database connection strings (PostgreSQL/MySQL/MongoDB/Redis/Supabase); generic SSH/PEM private keys and JWTs; AI/LLM provider keys (OpenAI, Anthropic user + admin, Cohere, xAI, Mistral, DeepSeek, HuggingFace user + organization, Replicate, Groq, ElevenLabs, AssemblyAI, Deepgram, LangFuse, AWS Bedrock long + short-lived, Vercel AI Gateway, Weights & Biases); DevOps/CI-CD/observability (Databricks, Dynatrace, LaunchDarkly, Harness, Octopus Deploy, Fastly, Gitea, TravisCI, Prefect, Infracost, Sumo Logic, Snyk, Sonar, Sourcegraph); data/analytics (ClickHouse, PlanetScale, PostHog, Postman, Algolia, Contentful); and enterprise identity (Atlassian, 1Password, HubSpot, Mapbox, MaxMind, Zendesk).
- 14 prompt-injection markers for LLM input scanning — 4 phase-1 high-precision (chat-template role-hijack tokens like <|im_start|> and [INST], tool-call tag injection, known jailbreak personas like DAN/AIM, Unicode bidirectional override / Trojan Source) + 6 phase-2 medium-precision (zero-width Unicode smuggling, fake "Assistant:" turns, system-prompt extraction, instruction override like "ignore previous instructions", persona override (context-gated), encoded-payload markers) + 4 phase-3 SAFE-MCP-derived markers cross-referenced to the SAFE-MCP technique catalog. Catches 20.6% of in-the-wild jailbreaks (validated against the verazuo/jailbreak_llms corpus). Severity caps at high — these are attack markers, not credentials.
One scan returns both secret findings and injection markers — no second vendor, no separate pipeline.
Hardening — Sandbox Profiles
The MCP server is intentionally minimal: ~180 lines, two read-only tools, a single egress destination (api.classifinder.ai:443), and the API key as the only secret in scope. That makes it cheap to run under a sandbox. Three documented profiles:
Docker
# --read-only makes the image's site-packages unwritable, so install into a venv on the /tmp tmpfs
docker run --rm -i \
--read-only \
--tmpfs /tmp \
-v ~/.classifinder:/root/.classifinder \
-e CLASSIFINDER_API_KEY \
python:3.12-slim sh -c "python -m venv /tmp/venv && /tmp/venv/bin/pip install -q --no-cache-dir classifinder-mcp && /tmp/venv/bin/classifinder-mcp"
- --read-only — container filesystem is read-only
- --tmpfs /tmp — writable scratch space for pip / Python
- -v ~/.classifinder:/root/.classifinder — only persistent mount, used for the audit log
- -e CLASSIFINDER_API_KEY — key passed via env, never written to disk
- -i — keeps stdin attached (MCP transport is stdio)
For a faster invocation in production, build a thin image with classifinder-mcp pre-installed.
Firejail (Linux)
firejail \
--noroot \
--caps.drop=all \
--seccomp \
--private-tmp \
--whitelist=~/.classifinder \
--read-only=~ \
--read-write=~/.classifinder \
classifinder-mcp
- Drops all capabilities + applies a default seccomp filter
- Filesystem: home is read-only, only ~/.classifinder/ writable
- Process runs without root privilege escalation
- Network egress remains open (required for api.classifinder.ai) — pair with host-level egress filtering (ufw, iptables, or nftables) if you want network restriction
Bubblewrap (Linux)
bwrap \
--ro-bind / / \
--bind ~/.classifinder ~/.classifinder \
--proc /proc --dev /dev --tmpfs /tmp \
--unshare-pid --unshare-uts --new-session --die-with-parent \
--setenv CLASSIFINDER_API_KEY "$CLASSIFINDER_API_KEY" \
classifinder-mcp
- Read-only bind mount of /; writable bind only for ~/.classifinder/
- Fresh PID + UTS namespaces; new session
- --die-with-parent ensures the sandbox tears down if the host process exits
- API key passed via setenv, no file mount needed
Verification
These profiles are documented starting points. None are exercised in this repo's CI — they're correctness-by-construction (read-only bind mounts, dropped caps, single-purpose tmpfs) rather than test-validated. If you run a sandbox in production and want me to roll a verified profile into a future release, open an issue with the exact invocation you're using.
Audit Log
The MCP server appends one JSONL line per tool call to a local audit file. Metadata only — the audit log never contains your input text or any detected secret values.
Default path: ~/.classifinder/mcp-audit.log
Fields per line:
{
"timestamp": "2026-05-22T15:30:42.123456Z",
"tool": "classifinder_scan",
"input_byte_count": 142,
"finding_count": 1,
"latency_ms": 87.4
}
Configuration (env vars):
| Variable | Default | Purpose |
|---|---|---|
| CLASSIFINDER_MCP_AUDIT | 1 (on) | Set to 0 to disable logging entirely |
| CLASSIFINDER_MCP_AUDIT_PATH | ~/.classifinder/mcp-audit.log | Override the log path |
The audit log is observability for your own use — useful for compliance (proving the MCP server ran), debugging (correlating latency spikes), and forensic review (which tool ran when). Write failures are silent; the tool call always succeeds even if the audit cannot be written.
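As a check on the metadata-only guarantee above, here is an added example (not part of the classifinder-mcp package) that validates each audit line against the five documented fields, flags undocumented keys or truncated writes, and summarises calls per tool; the sample log is constructed.

```python
import json

# The five metadata fields the README documents for each audit line, with expected types.
AUDIT_FIELDS = {"timestamp": str, "tool": str, "input_byte_count": int,
                "finding_count": int, "latency_ms": (int, float)}
KNOWN_TOOLS = {"classifinder_scan", "classifinder_redact"}

def validate_line(raw: str) -> list[str]:
    """Return the problems found in one JSONL audit line (empty list means clean)."""
    try:
        rec = json.loads(raw)
    except json.JSONDecodeError:
        return ["not valid JSON (partial write?)"]
    if not isinstance(rec, dict):
        return ["record is not a JSON object"]
    problems = []
    for key, typ in AUDIT_FIELDS.items():
        if key not in rec:
            problems.append(f"missing field {key}")
        elif isinstance(rec[key], bool) or not isinstance(rec[key], typ):
            problems.append(f"field {key} has wrong type")
    # The log is metadata-only by design, so any undocumented key is the likeliest way input text could leak.
    for key in sorted(rec.keys() - AUDIT_FIELDS.keys()):
        problems.append(f"unexpected field {key}")
    if rec.get("tool") not in KNOWN_TOOLS:
        problems.append(f"unknown tool {rec.get('tool')!r}")
    return problems

def summarize(lines) -> dict:
    """Per-tool call count, total findings and max latency; bad lines are counted, not parsed."""
    summary = {"malformed": 0, "tools": {}}
    for raw in filter(None, (line.strip() for line in lines)):
        if validate_line(raw):
            summary["malformed"] += 1
            continue
        rec = json.loads(raw)
        t = summary["tools"].setdefault(rec["tool"], {"calls": 0, "findings": 0, "max_latency_ms": 0.0})
        t["calls"] += 1
        t["findings"] += rec["finding_count"]
        t["max_latency_ms"] = max(t["max_latency_ms"], float(rec["latency_ms"]))
    return summary

# Constructed sample log (not a real audit file): two clean lines, one with an undocumented "text" field, one cut short by an interrupted write.
SAMPLE_LOG = """\
{"timestamp": "2026-05-22T15:30:42.123456Z", "tool": "classifinder_scan", "input_byte_count": 142, "finding_count": 1, "latency_ms": 87.4}
{"timestamp": "2026-05-22T15:31:03.000001Z", "tool": "classifinder_redact", "input_byte_count": 64, "finding_count": 1, "latency_ms": 120.0}
{"timestamp": "2026-05-22T15:31:10.500000Z", "tool": "classifinder_scan", "input_byte_count": 9, "finding_count": 0, "latency_ms": 40.2, "text": "leaked"}
{"timestamp": "2026-05-22T15:31:2
"""
```

Run it over the real file with `summarize(open(path))`; a non-zero malformed count is worth a look, since write failures are silent.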
Verifying a Release
Every published release is signed twice:
- PyPI attestations (PEP 740) — minted by PyPI from this repo's OIDC identity during publish. Verified automatically by pip when installing from PyPI; you don't need to do anything.
- Sigstore bundles — published as GitHub Release assets (*.sigstore.json next to the sdist + wheel). Verify with sigstore-python:
pip install sigstore
gh release download v0.1.4 --repo ClassiFinder/classifinder-mcp \
--pattern '*.whl' --pattern '*.sigstore.json'
sigstore verify identity \
--bundle classifinder_mcp-0.1.4-py3-none-any.whl.sigstore.json \
--cert-identity 'https://github.com/ClassiFinder/classifinder-mcp/.github/workflows/release.yml@refs/tags/v0.1.4' \
--cert-oidc-issuer 'https://token.actions.githubusercontent.com' \
classifinder_mcp-0.1.4-py3-none-any.whl
The signing identity binds the artifact to this repo's release.yml workflow at a specific tag — an attacker can't forge a valid bundle without compromising GitHub's OIDC token issuance.
See Also
For CLI scanning instead of MCP, see cfsniff — a command-line tool that scans files, shell history, and configs for secrets (pipx install cfsniff).
Disclaimer
ClassiFinder is a detection aid, not a guarantee. No scanner catches 100% of secrets in 100% of formats. See our Terms of Service for full details.
License
MIT
File details
Details for the file classifinder_mcp-0.1.4.tar.gz.
File metadata
- Download URL: classifinder_mcp-0.1.4.tar.gz
- Upload date:
- Size: 12.6 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.13
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 0345f3541427038b4f5373269e0b5f970e5cf13b0a8ab445604c27b3dac1e274 |
| MD5 | 9470b495debdcb3c4059786a0746a472 |
| BLAKE2b-256 | f7c90a13b82fd478be1d9e4c63485986cf1d6ae036b9261874967106c684a955 |
Provenance
The following attestation bundles were made for classifinder_mcp-0.1.4.tar.gz:
Publisher: release.yml on ClassiFinder/classifinder-mcp
Statement:
- Statement type: https://in-toto.io/Statement/v1
- Predicate type: https://docs.pypi.org/attestations/publish/v1
- Subject name: classifinder_mcp-0.1.4.tar.gz
- Subject digest: 0345f3541427038b4f5373269e0b5f970e5cf13b0a8ab445604c27b3dac1e274
- Sigstore transparency entry: 1609046774
- Sigstore integration time:
- Permalink: ClassiFinder/classifinder-mcp@dce78c084b9d2dee2d5a627fb0a74aac2227f2fe
- Branch / Tag: refs/tags/v0.1.4
- Owner: https://github.com/ClassiFinder
- Access: public
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: release.yml@dce78c084b9d2dee2d5a627fb0a74aac2227f2fe
- Trigger Event: push
File details
Details for the file classifinder_mcp-0.1.4-py3-none-any.whl.
File metadata
- Download URL: classifinder_mcp-0.1.4-py3-none-any.whl
- Upload date:
- Size: 10.1 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.13
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 53039c881faa8b9821bc60b2266e10a592489116e1062544e72419404364aa71 |
| MD5 | f7455e3f2670bd6addf1e9a19a81ab2b |
| BLAKE2b-256 | 8642abb248a9a978d2dd312b948624c0fff751923f28ae67185c29ac2357f78d |
Provenance
The following attestation bundles were made for classifinder_mcp-0.1.4-py3-none-any.whl:
Publisher: release.yml on ClassiFinder/classifinder-mcp
Statement:
- Statement type: https://in-toto.io/Statement/v1
- Predicate type: https://docs.pypi.org/attestations/publish/v1
- Subject name: classifinder_mcp-0.1.4-py3-none-any.whl
- Subject digest: 53039c881faa8b9821bc60b2266e10a592489116e1062544e72419404364aa71
- Sigstore transparency entry: 1609047811
- Sigstore integration time:
- Permalink: ClassiFinder/classifinder-mcp@dce78c084b9d2dee2d5a627fb0a74aac2227f2fe
- Branch / Tag: refs/tags/v0.1.4
- Owner: https://github.com/ClassiFinder
- Access: public
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: release.yml@dce78c084b9d2dee2d5a627fb0a74aac2227f2fe
- Trigger Event: push