Security scanner for MCP (Model Context Protocol) server configurations and AI agent tool permissions.
Project description
๐ MCP-Scan
Security scanner for MCP server configurations and AI agent tool permissions.
Detect dangerous shell commands, exposed API keys, over-permissive file access, high-risk tools, and prompt injection patterns โ before they reach production.
Quick Start ยท Example Output ยท Rules ยท Library API ยท Dashboard ยท CI/CD ยท Contributing
๐จ The Problem
AI agents are now connecting to tools, files, GitHub, Slack, Gmail, Notion, databases, and internal systems via MCP (Model Context Protocol). This creates serious security risk:
- ๐ Unrestricted shell access (
bash -c "$USER_INPUT") - ๐ API keys and tokens hard-coded in configuration files
- ๐ Over-permissive file system access (
/,/etc/shadow,~/.ssh) - ๐ง Tools that can send emails, delete files, or drop database tables with no confirmation
- ๐ Prompt injection patterns that could hijack agent behavior
- โ ๏ธ Binaries running from untrusted paths (
/tmp/Downloads/sketchy-tool)
OWASP now has an MCP Top 10 covering tool poisoning, excessive agency, and context spoofing. GitHub added secret scanning support for MCP workflows. The attack surface is real and growing.
MCP-Scan catches these risks in seconds.
โก Quick Start
Install
pip install mcp-scan
Scan
mcp-scan scan ./mcp-config.json
That's it. 3 lines.
๐ฅ Example Input
Here's a dangerous MCP configuration:
{
"mcpServers": {
"terminal.run": {
"command": "bash",
"args": ["-c", "eval $USER_INPUT"],
"env": {
"OPENAI_API_KEY": "sk-proj-abc123def456ghi789jkl012mno"
}
},
"gmail.send": {
"command": "node",
"args": ["gmail-mcp-server", "--no-confirm"],
"env": {
"GMAIL_TOKEN": "ya29.a0AfH6SMBx_FAKE_TOKEN"
}
},
"filesystem": {
"command": "/tmp/Downloads/sketchy-binary",
"args": ["/", "/etc/shadow", "/root/.ssh"]
}
}
}
๐ Example Output
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ MCP Security Scan Report โ
โ File: mcp-config.json โ
โ Version: 0.1.0 โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Findings: 8 HIGH | 3 MEDIUM | 3 LOW (14 total) โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Severity โ Rule โ Server โ Message
โโโโโโโโโโโผโโโโโโโโโโผโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
HIGH โ MCP-001 โ terminal.run โ Uses dangerous command: "bash"
HIGH โ MCP-002 โ terminal.run โ OpenAI API key exposed in env
HIGH โ MCP-006 โ gmail.send โ High-risk tool: email sending
HIGH โ MCP-008 โ filesystem โ Binary from untrusted path: /tmp/
MEDIUM โ MCP-003 โ filesystem โ Access to sensitive path: /etc/shadow
MEDIUM โ MCP-003 โ filesystem โ Access to sensitive path: /root/.ssh
LOW โ MCP-005 โ terminal.run โ No allowedTools defined
๐ Scanning Rules
| Rule | Name | Severity | What it catches |
|---|---|---|---|
| MCP-001 | Dangerous Shell Commands | ๐ด HIGH | bash, powershell, eval, sudo, ssh, piped curl |
| MCP-002 | Exposed Secrets | ๐ด HIGH | OpenAI keys, GitHub PATs, AWS keys, Slack tokens, private keys |
| MCP-003 | Over-permissive Paths | ๐ก MEDIUM | /, /etc, ~/.ssh, C:\Windows\System32 |
| MCP-004 | Untrusted MCP Server | ๐ก MEDIUM | Binaries from /tmp, Downloads, unverified sources |
| MCP-005 | Missing Tool Allowlist | ๐ต LOW | No allowedTools restriction โ full agent access |
| MCP-006 | High-Risk Tools | ๐ด HIGH | Email send, file delete, DB write, Slack post without gates |
| MCP-007 | Prompt Injection | ๐ก MEDIUM | "Ignore previous instructions", template injection, jailbreaks |
| MCP-008 | Unsafe Binary Execution | ๐ด HIGH | Executing from /tmp/, Downloads/, .cache/ |
๐ Python Library API
Use mcp-scan programmatically in your own tools:
from mcp_scan import scan_config, scan_file, ScanPolicy
# Scan a config dictionary
result = scan_config({
"mcpServers": {
"my-server": {
"command": "bash",
"args": ["-c", "rm -rf /"]
}
}
})
print(result.has_errors) # True
print(result.highest_severity) # "HIGH"
print(result.total_findings) # 3
for finding in result.findings:
print(f"[{finding.severity}] {finding.rule_id}: {finding.message}")
# Scan with a custom policy
policy = ScanPolicy(
allowed_commands=["node", "python"],
trusted_servers=["@modelcontextprotocol/"],
ignored_rules=["MCP-005"],
)
result = scan_config(config, policy=policy)
# Scan a file directly
result = scan_file("./mcp-config.json")
# Export to SARIF
from mcp_scan import to_sarif_json
print(to_sarif_json(result))
๐ Web Dashboard
Start the built-in dashboard:
pip install mcp-scan[server]
mcp-scan serve
Open http://localhost:8000 โ paste your config, click Scan Now, and get instant visual results with severity cards, findings table, and SARIF export.
๐ณ Docker
cd docker
docker compose up --build
Dashboard available at http://localhost:8000. Mount your config files:
docker run --rm -v $(pwd):/configs mcp-scan mcp-scan scan /configs/mcp-config.json
โ๏ธ CI/CD Integration
GitHub Actions
- name: Install mcp-scan
run: pip install mcp-scan
- name: Scan MCP configs
run: mcp-scan scan ./mcp-config.json --fail-on HIGH
- name: Upload SARIF (optional)
run: mcp-scan scan ./mcp-config.json --output sarif > results.sarif
- uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: results.sarif
The scanner exits with code 1 when HIGH-severity findings are detected, automatically failing your CI pipeline.
๐ Custom Scanning Policy
Create mcp-policy.yaml to customize behavior:
trusted_servers:
- "@modelcontextprotocol/"
- "npx"
allowed_commands:
- "node"
- "python"
ignored_rules:
- "MCP-005"
max_severity: HIGH
mcp-scan scan ./config.json --policy ./mcp-policy.yaml
๐๏ธ Architecture
Input (CLI / API / Library)
โ
Parser (JSON / YAML โ Pydantic McpConfig)
โ
Engine (8 security rules + policy filtering)
โ
Output (Rich terminal / JSON / SARIF / Dashboard)
See docs/architecture.md for the full architecture diagram and threat model.
๐ฏ Real Use Cases
- AI coding agents โ Teams using Cursor, Windsurf, or Claude Code with MCP servers need to audit tool permissions before granting agents access to codebases and infrastructure.
- Enterprise AI deployments โ Companies rolling out Claude, GPT, or Gemini with tool use need security gates for email, Slack, database, and file system access.
- Platform engineering โ Platform teams can run
mcp-scanin CI/CD to enforce security policies across all MCP configurations in the org. - Compliance โ Security teams can generate SARIF reports for audit trails and integrate with GitHub Advanced Security.
๐บ๏ธ Roadmap
- Custom rule engine โ Write your own rules in YAML
- Continuous monitoring โ Watch config files for changes and alert
- Slack/Discord alerts โ Send notifications when new risks are found
- VS Code extension โ Inline warnings in your editor
- MCP runtime analysis โ Monitor actual tool invocations at runtime
- Organization-wide policies โ Centralized policy management
- SBOM integration โ Software Bill of Materials for MCP server dependencies
๐ค Contributing
We welcome contributions! See CONTRIBUTING.md for guidelines.
Development Setup
git clone https://github.com/martian7777/mcp-agent-security-scanner.git
cd mcp-scan
pip install -e ".[all]"
pytest
Adding a New Rule
- Add your detection function to
mcp_scan/engine.py - Register it in the
ALL_RULESlist - Add tests in
tests/test_engine.py - Update the rule table in this README
๐ท๏ธ Good First Issues
Looking to contribute? Start here:
- Add GitLab CI template โ Create a
.gitlab-ci.ymlexample for GitLab users - Add
--config-formatauto-detection โ Detect JSON vs YAML from file content, not just extension - Add Slack webhook rule โ Detect Slack webhook URLs (
https://hooks.slack.com/...) in configs - Improve remediation messages โ Make fix suggestions more specific and actionable
- Add
--quietflag โ Only print findings, no header/footer
๐ License
MIT โ see LICENSE.
Built for teams shipping AI agents safely.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file mcp_agent_security_scanner-0.1.0.tar.gz.
File metadata
- Download URL: mcp_agent_security_scanner-0.1.0.tar.gz
- Upload date:
- Size: 21.7 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.5
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
4a26d52ec62044819cb2bb5f22e25852c1ab6f10f4d89f125895d0bb1a08e5d5
|
|
| MD5 |
d1009619ab69b2e0b36149100e7a8b52
|
|
| BLAKE2b-256 |
32cfb9fb395f560c854f5e5319b0eac63e3b4aa240d47699d8081fc1cc6e1cd8
|
File details
Details for the file mcp_agent_security_scanner-0.1.0-py3-none-any.whl.
File metadata
- Download URL: mcp_agent_security_scanner-0.1.0-py3-none-any.whl
- Upload date:
- Size: 19.9 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.5
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
961f2c7426d312cbcd45ba7eed07f8e03b4dbe12347feee9784019584ae06bb1
|
|
| MD5 |
d4e33d2639e8298b9896d62c1f2ca1e7
|
|
| BLAKE2b-256 |
486c92c3b33a697e54e84f4dc109d21eeff079976a2f1b6e1906a979560e15a7
|
