SecScanMCP
Verified Safe by zakariaf
Overview
This is an enhanced security scanner test suite designed to detect a wide range of vulnerabilities in MCP (Model Context Protocol) servers, including prompt injection, tool poisoning, hardcoded secrets, and various code injection types.
Installation
make restart
Environment Variables
- CLAMAV_HOST
- CLAMAV_PORT
- TRIVY_CACHE_DIR
- TRIVY_TIMEOUT
- TRIVY_DB_REPOSITORY
- CODEQL_CLI_PATH
- MODEL_PATH
- DB_PATH
- LOG_LEVEL
- CONFIG_PATH
Security Notes
This project is a security scanner, which by its nature interacts with and tests for malicious patterns. The code demonstrates good practices for isolating dangerous operations (e.g., Docker containerization, `asyncio.create_subprocess_exec` rather than `shell=True`, secret masking in findings). However, any security testing tool carries inherent risks if misconfigured or used on unauthorized systems. The documentation explicitly outlines ethical usage and safe testing practices. The internal design follows clean architecture principles, which generally improves code quality and reduces security vulnerabilities within the scanner itself.
Similar Servers
mcp-scanner
A Python tool for scanning Model Context Protocol (MCP) servers and tools to detect potential security findings by leveraging Cisco AI Defense API, YARA rules, and LLM-as-a-judge.
mcp-watch
A comprehensive security scanner for Model Context Protocol (MCP) servers that detects vulnerabilities and security issues in MCP implementations.
mcp-server-fuzzer
A comprehensive CLI-based fuzzing tool for Model Context Protocol (MCP) servers, designed to find vulnerabilities and validate server conformance through both tool argument fuzzing and protocol type fuzzing across multiple transport protocols (HTTP, SSE, Stdio, StreamableHTTP).
mcp-zap-server
Exposes OWASP ZAP actions as Model Context Protocol (MCP) tools, enabling AI agents (e.g., Claude Desktop, Cursor) to orchestrate security scanning operations, import OpenAPI specs, and generate reports.