
mcp-scan

Security scanner for MCP servers

Defense in Depth

13 scanners. 15+ AI tools. One command.

mcp-scan provides a unified security layer for the Model Context Protocol ecosystem. Run it locally or integrate with your CI/CD pipeline.

How it works

Three steps to secure your AI tools

1. Install: npm install -g mcp-scan or run instantly with npx — no setup required.
2. Scan: Automatically detects Claude, Cursor, VS Code, and 12+ AI tools.
3. Fix: Detailed findings with severity levels and remediation steps.

13 Specialized Scanners (v1.7.5)

Secrets Detection (HIGH): Entropy-based scanning for API keys and tokens.
CVE Scanner (HIGH): Cross-references dependencies against known vulnerabilities.
Prompt Injection (HIGH): Analyzes prompts for potential injection vectors.
Tool Poisoning (HIGH): Detects malicious tool definitions and schemas.
Shell Injection (HIGH): Detects unescaped inputs in shell-capable servers.
Supply Chain (MEDIUM): Verifies the trust chain of connected MCP servers.
Typosquatting (MEDIUM): Detects suspicious server names mimicking official packages.
Permissions (MEDIUM): Audits requested capabilities (filesystem, network, shell).
Env Leakage (MEDIUM): Prevents exposure of sensitive environment variables.
AST Analysis (LOW): Deep static analysis of server source code.
Transport Security (LOW): Enforces TLS and secure communication protocols.
Registry Trust (LOW): Validates servers against known-good MCP registries.
License Compliance (LOW): Scans for incompatible or risky open-source licenses.

Universal Client Support

mcp-scan works with every major AI tool that supports the Model Context Protocol.

Claude Desktop
Cursor
VS Code
Windsurf
Zed
Gemini CLI
Codex CLI
Continue.dev
Amp
Plandex
ChatGPT Desktop
GitHub Copilot
Cline
Roo Code
CI/CD Ready

SARIF & GitHub Actions Integration

Includes a GitHub Action for automated pull request scanning. Outputs SARIF 2.1.0 for native integration with GitHub Advanced Security and other security dashboards.

.github/workflows/security.yml

      - name: MCP Security Scan
        uses: rodolfboctor/mcp-scan@v1
        with:
          fail-on-severity: high
          output-format: sarif
          upload-sarif: true
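A complete workflow file around that step, added here as an example and not taken from the mcp-scan repository: the pull_request trigger, the actions/checkout step and the permissions block are assumptions, while the three inputs are the ones shown above. The security-events: write permission is what GitHub requires before any job may upload SARIF to code scanning, so a workflow that omits it will scan but the upload will be rejected.

```yaml
# Added example, not from the mcp-scan repository: a full workflow wrapping
# the MCP Security Scan step. Trigger and checkout step are assumptions.
name: MCP Security Scan

on:
  pull_request:

permissions:
  contents: read
  # Required by GitHub for uploading SARIF results to code scanning;
  # without it the upload-sarif: true step is rejected.
  security-events: write

jobs:
  mcp-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: MCP Security Scan
        uses: rodolfboctor/mcp-scan@v1
        with:
          fail-on-severity: high   # fail the check on HIGH findings
          output-format: sarif     # SARIF 2.1.0 for GitHub Advanced Security
          upload-sarif: true
```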
v1.7.5  ·  MIT LICENSE

Secure by default. Open by design.

mcp-scan is free, open source, and built for the community. Zero telemetry. No vendor lock-in. 136 tests passed. Integrated with the ugig.net MCP marketplace.

rodolfboctor/mcp-scan · MIT licensed · open source

npm install -g mcp-scan
npx mcp-scan