
MCPScan
This repository is archived. I started this as an experiment to work with Aider, but did not make enough progress to make it useful. It will currently clone a repo in a docker container, then run semgrep rules and dependency scans. I did not do enough testing or output formatting to rely on this, but it may be a good starting point for someone else.
A specialized security scanning tool for Model Context Protocol (MCP) servers. MCPScan performs comprehensive security analysis of MCP server implementations using multiple scanning tools:
- Semgrep for code pattern analysis
- npm audit for JavaScript/Node.js dependencies
- pip-audit for Python dependencies
Features
- Automated MCP server repository cloning and scanning
- Multi-tool security analysis tailored for MCP servers:
  - Static code analysis with Semgrep rules for:
    - Dangerous code patterns that could compromise model context
    - Local file access vulnerabilities
    - Network access security
    - Obfuscated code detection
    - Process execution monitoring
    - HTTP/HTTPS endpoint analysis
  - Dependency vulnerability scanning:
    - Python package vulnerabilities via pip-audit
    - JavaScript package vulnerabilities via npm audit
- Automatic MCP server framework detection
- Results aggregation and reporting in JSON format
- Docker containerization for isolated scanning
- Automatic cleanup of temporary files
Prerequisites
- Docker installed and running
- Python 3.x (for running the MCP-Get scanner)
- Internet connection for repository cloning and package list fetching
Installation
- Clone this repository
- Build the Docker container:
./src/docker_build.sh
Usage
Scanning a Single Repository
./src/docker_run_one.sh <repository-url>
Example:
./src/docker_run_one.sh "https://github.com/modelcontextprotocol/servers"
Scanning All Servers in the MCP Get repo
python3 src/docker_run_mcp_get.py
This will:
- Fetch the MCP server list from MCP-Get
- Clone each MCP server repository
- Run comprehensive security scans
- Save detailed analysis to the results directory
Output
Results are processed through multiple stages:
- Individual scan results are saved to the results directory:
  - Semgrep analysis results
  - Package vulnerability scans (pip-audit/npm audit)
- Results are combined into a single JSON file in results/combined
- Final reduced results in results/reduced:
  - JSON summary with findings by rule
  - Detailed vulnerability information
  - Human-readable text report
  - Simplified format for easy parsing
The reduced results include:
- Total findings count
- Findings categorized by rule type
- Dependencies scan summary with vulnerability counts
- Detailed vulnerability information for each package
- Code analysis findings with file locations and snippets
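As an added example (not MCPScan's own code), a minimal version of the reduce stage described above: it takes semgrep's `--json` output and pip-audit's `-f json` output (field layouts assumed from those tools' documented formats) and produces the summary fields listed. The scan data below is constructed, and the rule ids and advisory id are hypothetical placeholders.

```python
import json
from collections import Counter
# Constructed sample of semgrep `--json` output (not real scan output).
SEMGREP_JSON = json.dumps({"results": [
    {"check_id": "mcp.process-execution", "path": "server.py", "start": {"line": 42},
     "extra": {"message": "subprocess call with tool argument", "severity": "ERROR",
               "lines": "subprocess.run(args['cmd'], shell=True)"}},
    {"check_id": "mcp.local-file-access", "path": "server.py", "start": {"line": 17},
     "extra": {"message": "open() on user-controlled path", "severity": "WARNING",
               "lines": "open(params['path'])"}},
    {"check_id": "mcp.process-execution", "path": "tools/shell.py", "start": {"line": 9},
     "extra": {"message": "os.system call", "severity": "ERROR", "lines": "os.system(cmd)"}},
]})

# Constructed sample of pip-audit `-f json` output; advisory id is a placeholder.
PIP_AUDIT_JSON = json.dumps({"dependencies": [
    {"name": "example-lib", "version": "1.0.0",
     "vulns": [{"id": "PYSEC-PLACEHOLDER-0001", "fix_versions": ["1.0.1"],
                "description": "placeholder advisory"}]},
    {"name": "another-lib", "version": "2.3.0", "vulns": []},
]})

def reduce_results(semgrep_text: str, pip_audit_text: str) -> dict:
    """Aggregate both scanners into the summary shape the README lists."""
    semgrep = json.loads(semgrep_text)["results"]
    deps = json.loads(pip_audit_text)["dependencies"]
    code_findings = [{"rule": r["check_id"], "file": r["path"], "line": r["start"]["line"],
                      "severity": r["extra"]["severity"], "snippet": r["extra"]["lines"].strip()}
                     for r in semgrep]
    vulnerable = [{"package": d["name"], "version": d["version"],
                   "vulns": [{"id": v["id"], "fix_versions": v.get("fix_versions", [])}
                             for v in d["vulns"]]}
                  for d in deps if d["vulns"]]
    vuln_count = sum(len(d["vulns"]) for d in vulnerable)
    return {"total_findings": len(semgrep) + vuln_count,
            "findings_by_rule": dict(Counter(r["check_id"] for r in semgrep)),
            "dependencies": {"scanned": len(deps), "vulnerable_packages": len(vulnerable),
                             "vulnerabilities": vuln_count, "details": vulnerable},
            "code_findings": code_findings}

def text_report(summary: dict) -> str:
    """Human-readable companion to the JSON summary."""
    lines = [f"Total findings: {summary['total_findings']}"]
    lines += [f"  {rule}: {n}" for rule, n in sorted(summary["findings_by_rule"].items())]
    for d in summary["dependencies"]["details"]:
        lines.append(f"  {d['package']}=={d['version']}: " + ", ".join(v["id"] for v in d["vulns"]))
    return "\n".join(lines)

if __name__ == "__main__":
    print(text_report(reduce_results(SEMGREP_JSON, PIP_AUDIT_JSON)))
```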
Project Structure
- src/docker/semgrep_rules/ - Custom Semgrep rule definitions
- src/docker/ - Core scanning logic and utilities
  - package_scan.py - Dependency vulnerability scanning
  - cleanup.py - Temporary file management
  - Other scanning utilities
- results/ - Scan output directory (created during execution)
Dependencies
This project relies on:
- Docker
- Python 3.x
- Semgrep (installed in Docker container)
- pip-audit (installed during scanning)
- npm (for JavaScript projects)
- Requests library for Python
Third-Party Attributions
- Semgrep - Static analysis tool (OSS License)
- pip-audit - Python dependency scanner (Apache 2.0)
- npm audit - Node.js dependency scanner
- Requests - HTTP library for Python (Apache 2.0)
- MCP-Get - Package list source
License
This project is licensed under the Mozilla Public License Version 2.0. See the LICENSE file for details.
Contributing
[Add contribution guidelines here]
Output Structure
Scan results are organized in three stages:
- Individual scan results in results/
- Combined results in results/combined/
- Reduced results in results/reduced/, containing:
  - Summary of findings by rule type
  - Detailed vulnerability information
  - Simplified findings format
  - Human-readable text report
TODO
- Reduce the output JSON files to a single representation
- Add support for Go
- Add result caching, store last tested hash for a repo
- More tests and scans
- Add severity scoring system
- Implement parallel scanning for multiple repositories