MCP Preflight

MCP Preflight is the fast local check you run before you trust a new MCP server or ship an agent workflow.

It reads common MCP config files, tool descriptions, prompt resources, and repo manifests, then explains risky patterns in plain language so you can fix them before they become a bigger problem.

This public repository stays intentionally narrow. It contains the Lite product code and the user-facing materials people need to evaluate it. Internal planning, private operating notes, and maintainer admin work stay out of the public repo on purpose.

What it checks

• .vscode/mcp.json and other common MCP config locations
• tool descriptions and prompt resources
• repo manifests and dependency signals
• obvious secret-bearing files such as .env
• risky patterns such as embedded credentials, token passthrough, unsafe launchers, insecure remote targets, prompt injection, and tool poisoning

Why people use it

• It runs locally by default
• The Lite scan does not require an account
• It is built for MCP preflight review, not a broad security platform
• Findings are meant to be readable by developers, not just auditors
• The activity log stays local too, so you can inspect usage without sending workspace data to a backend

Lite and Pro

• Lite is the fast local scan: text and JSON output, workspace scan, file scan, and the core MCP checks
• Pro unlocks the export and workflow surfaces: Markdown, HTML, and SARIF reports, suppression files, CI mode, Git hooks, and policy presets
• Pro is unlocked with a local signed license token, not a hosted MCP Preflight account
• The scanner does not need to phone home just to decide whether Pro is active on your machine
• Buy Pro: Stripe checkout
• Activation and install: Pro license guide

What it is not

• Not a hosted scanner
• Not an agent runtime
• Not a SIEM
• Not a general AppSec platform

Read this next

• Privacy
• Pro license guide
• Rule overview
• Sample report
• Audit notes
• Security reporting

Commands

• npm install
• npm run build
• npm run typecheck
• node packages/cli/dist/index.js scan /path/to/workspace
• node packages/cli/dist/index.js activity status
• node packages/cli/dist/index.js activity export --format json --output ./mcp-preflight-activity.json
• node packages/cli/dist/index.js license guide
• node packages/cli/dist/index.js license status
• node packages/cli/dist/index.js license install --from-file /path/to/license.token
• node packages/cli/dist/index.js ci /path/to/workspace --policy balanced
• node packages/cli/dist/index.js hooks install /path/to/repo --hook pre-push
• node packages/cli/dist/index.js upgrade
• node packages/cli/dist/index.js review --channel marketplace
• node packages/cli/dist/index.js support --channel discussions
• npm run scan -- /path/to/workspace

Local activity

MCP Preflight keeps a small local activity log so you can answer practical questions like:

• how many scans have I actually run
• how often have I hit a Pro gate
• did I already install a local Pro license on this machine

That log is local-only. It does not include workspace contents, and MCP Preflight does not upload it to a hosted service.

If you do not want the log, set MCP_PREFLIGHT_DISABLE_ACTIVITY=1.

If you want to store it somewhere else, set MCP_PREFLIGHT_ACTIVITY_FILE=/path/to/activity-log.jsonl.

Releases

• GitHub Releases for .vsix files, CLI bundles, and release notes

Repository layout

• packages/core: shared scanning engine
• packages/cli: command-line entrypoint
• apps/vscode-extension: VS Code integration

Support

• Questions and feature requests: GitHub Discussions
• Bugs: GitHub Issues
• License and payment help: igorsv199@gmail.com
• Leave a review: VS Code Marketplace or Open VSX