MCP Guard
Security scanner for MCP servers — find vulnerabilities before attackers do
82% of MCP servers have security vulnerabilities. Path traversal. Command injection. Secret leaks. MCP Guard finds them in seconds.
Why?
MCP (Model Context Protocol) connects AI models to external tools. There are 13,000+ MCP servers on GitHub — and most were built without security review.
Common issues MCP Guard catches:
- Path Traversal — AI can read `/etc/passwd` through a file server with no path validation
- Command Injection — `` exec(`git ${userInput}`) `` lets AI inject shell commands
- Code Injection — `eval()` with tool input = remote code execution
- Secret Leaks — `process.env.API_KEY` returned in tool responses goes straight to the LLM
- Supply Chain — `npx some-package` without version pinning downloads whatever's latest
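The path-traversal and command-injection items above, shown as an added illustration that is not MCP Guard's code or its rule logic: the unchecked join that lets a requested path walk out of the served root, beside a `resolve_within` helper that collapses `..`, follows symlinks and rejects anything that ends up outside the root, plus an argv-list builder for the `git` case. `read_file_unsafe`, `resolve_within`, `read_file_safe`, `git_argv` and the temporary sandbox built in `demo` are hypothetical names constructed for this example.

```python
import os
import tempfile
from pathlib import Path


def read_file_unsafe(root, requested):
    """The shape a path-traversal rule looks for: join and open, with no check that
    the result is still inside `root` ('../../etc/passwd' or '/etc/passwd' walk out)."""
    with open(os.path.join(root, requested)) as fh:
        return fh.read()


def resolve_within(root, requested):
    """Resolve `requested` against `root`, collapsing '..' and following symlinks,
    and refuse any result that is not inside `root`."""
    base = Path(root).resolve()
    candidate = (base / requested).resolve()   # an absolute `requested` replaces base here
    try:
        candidate.relative_to(base)            # ValueError when candidate is outside base
    except ValueError:
        raise PermissionError(f"path escapes the served root: {requested!r}") from None
    return candidate


def read_file_safe(root, requested):
    """Hardened counterpart of read_file_unsafe: only paths resolving inside `root` are read."""
    return resolve_within(root, requested).read_text()


def git_argv(user_value):
    """Command-injection counterpart: pass the value to git as one argv element after '--',
    never through a shell string that would parse ';', '|' or backticks inside it."""
    return ["git", "log", "--oneline", "--", user_value]


def demo():
    """Constructed sandbox: a temporary root holding notes/a.txt; returns the outcome per request."""
    outcomes = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "notes").mkdir()
        (root / "notes" / "a.txt").write_text("hello")
        requests = [
            "notes/a.txt",              # plain relative path inside the root
            "notes/../notes/a.txt",     # '..' that stays inside the root
            "../../etc/passwd",         # relative escape
            "/etc/passwd",              # absolute path replaces the root on join
            "notes/../../outside.txt",  # escapes by one level
        ]
        for req in requests:
            try:
                outcomes[req] = read_file_safe(root, req)
            except PermissionError:
                outcomes[req] = "rejected"
    return outcomes


if __name__ == "__main__":
    for req, outcome in demo().items():
        print(f"{req!r:28} -> {outcome}")
    print(git_argv("feature; echo injected"))
```

The `relative_to` check runs on the resolved path rather than on the request string, so a symlink inside the root that points elsewhere is rejected too; string-prefix checks on the unresolved path miss that case.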
Quick Start
```bash
# Install
pip install mcp-guard

# Scan your MCP servers (auto-discovers from Claude, Cursor configs)
mcp-guard scan

# Scan a specific directory
mcp-guard scan ./my-mcp-server/

# Scan a config file directly
mcp-guard scan ~/.claude/settings.json
```
One command. Real vulnerabilities. Zero config.
Features
- Auto-discovery — Finds MCP servers from Claude Code, Cursor, and standard config files
- Python + TypeScript — AST-based analysis for Python, pattern matching for TS/JS
- 17 security rules across 5 categories (path traversal, command injection, code injection, secret leaks, supply chain)
- Beautiful terminal output — Rich-powered reports you'll actually want to read
- JSON output — Pipe to CI, dashboards, or other tools with `--json`
- Exit codes — Non-zero exit when vulnerabilities found (perfect for CI gates)
- Zero dependencies on MCP — Scans source code statically, no server runtime needed
Rules
| Category | Rules | Severities |
|----------|-------|------------|
| Path Traversal | PATH-001 PATH-002 PATH-003 | CRITICAL, HIGH |
| Command Injection | CMD-001 CMD-002 CMD-003 CMD-004 | CRITICAL, HIGH |
| Code Injection | CODE-001 CODE-002 CODE-003 CODE-004 | CRITICAL, HIGH |
| Secret Leaks | ENV-001 ENV-002 | MEDIUM, HIGH |
| Supply Chain | SUPPLY-001 SUPPLY-002 SUPPLY-003 SUPPLY-004 | MEDIUM, HIGH |
View all rules with full descriptions:
```bash
mcp-guard rules
```
Usage
Scan with auto-discovery
```bash
# Discovers servers from ~/.claude/settings.json, .cursor/mcp.json, etc.
mcp-guard scan
```
Scan a specific path
```bash
# Directory containing MCP server source
mcp-guard scan ./servers/filesystem-server/

# A specific config file
mcp-guard scan mcp.json

# Multiple paths
mcp-guard scan ./server-a/ ./server-b/ ./config.json
```
Filter by severity
```bash
# Only critical and high severity
mcp-guard scan --severity high

# Only critical
mcp-guard scan --severity critical
```
Detailed output
```bash
# Show descriptions and fix recommendations
mcp-guard scan --verbose
```
JSON output
```bash
# Machine-readable output
mcp-guard scan --json

# Pipe to jq
mcp-guard scan --json | jq '.findings[] | select(.severity == "CRITICAL")'
```
CI Integration
GitHub Actions
```yaml
name: MCP Security
on: [push, pull_request]
jobs:
  mcp-guard:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - run: pip install mcp-guard
      - run: mcp-guard scan . --severity high
```
MCP Guard exits with code 1 when vulnerabilities are found, making it a natural CI gate.
Pre-commit hook
```yaml
# .pre-commit-config.yaml
repos:
  - repo: local
    hooks:
      - id: mcp-guard
        name: MCP Guard Security Scan
        entry: mcp-guard scan
        language: python
        additional_dependencies: [mcp-guard]
        pass_filenames: false
```
How It Works
- Discovery — Reads MCP config files (Claude Code, Cursor, generic) to find server definitions
- Source analysis — Parses Python files with AST, scans TypeScript/JavaScript with pattern matching
- Config analysis — Checks for supply chain risks in server configurations (unpinned packages, shell execution)
- Report — Outputs findings sorted by severity with fix recommendations
MCP Guard is a static analysis tool — it reads source code, not running servers. No MCP runtime needed.
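The pipeline above (AST pass over Python, config pass, severity-sorted report, exit code), as an added example that is not MCP Guard's implementation: a small `ast` walk over a constructed Python tool file that flags `eval`/`exec`, shell-backed process launches and environment values returned to the caller, a config pass over a constructed JSON document in the `mcpServers` layout (that layout is assumed), and a `gate` function that turns findings into a CI exit code. The rule names, severities, sample inputs and function names here are constructed for the example and are not MCP Guard's rule IDs or output format.

```python
import ast
import json

SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2}

# Constructed sample of a Python MCP tool exhibiting three of the issue classes above.
SAMPLE_SERVER = """\
import os, subprocess

def run_tool(tool_input: str) -> str:
    result = eval(tool_input)                            # code injection
    subprocess.run(f"git log {tool_input}", shell=True)  # command injection
    subprocess.run(["git", "log", "--", tool_input])     # argv form: not flagged
    return os.environ["API_KEY"]                         # secret returned to the LLM
"""

# Constructed sample config in the mcpServers layout (the layout is an assumption).
SAMPLE_CONFIG = json.dumps({"mcpServers": {
    "files":  {"command": "npx", "args": ["-y", "@example/file-server"]},
    "pinned": {"command": "npx", "args": ["-y", "some-package@1.4.2"]},
    "shelly": {"command": "sh",  "args": ["-c", "npm start"]},
}})


def _callee(call):
    """'eval', 'os.system' or 'subprocess.run' for the simple call shapes handled here."""
    f = call.func
    if isinstance(f, ast.Name):
        return f.id
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return f"{f.value.id}.{f.attr}"
    return ""


def _reads_environ(expr):
    """True if the expression touches os.environ or calls os.getenv."""
    for sub in ast.walk(expr):
        if (isinstance(sub, ast.Attribute) and sub.attr == "environ"
                and isinstance(sub.value, ast.Name) and sub.value.id == "os"):
            return True
        if isinstance(sub, ast.Call) and _callee(sub) == "os.getenv":
            return True
    return False


def scan_python_source(src, filename="<constructed>"):
    """AST pass over one Python file; findings come back sorted by severity, then line."""
    findings = []
    for node in ast.walk(ast.parse(src, filename)):
        if isinstance(node, ast.Call):
            name = _callee(node)
            shell = any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is True for kw in node.keywords)
            if name in ("eval", "exec"):
                findings.append(dict(rule="code-injection", severity="CRITICAL",
                                     line=node.lineno, detail=f"{name}() on tool input"))
            elif name in ("os.system", "os.popen") or (name.startswith("subprocess.") and shell):
                findings.append(dict(rule="command-injection", severity="HIGH",
                                     line=node.lineno, detail=f"{name} runs through a shell"))
        elif isinstance(node, ast.Return) and node.value is not None and _reads_environ(node.value):
            findings.append(dict(rule="secret-leak", severity="MEDIUM",
                                 line=node.lineno, detail="environment value returned to caller"))
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f["severity"]], f["line"]))


def scan_mcp_config(text):
    """Config pass: unpinned npx packages and servers launched through a shell."""
    findings = []
    for name, server in json.loads(text).get("mcpServers", {}).items():
        command, args = server.get("command", ""), server.get("args", [])
        if command == "npx":
            spec = next((a for a in args if not a.startswith("-")), None)
            # '@scope/pkg' has its only '@' at index 0; a version pin adds one later.
            if spec is not None and spec.rfind("@") <= 0:
                findings.append(dict(rule="unpinned-package", severity="MEDIUM",
                                     server=name, detail=f"npx {spec} resolves to latest"))
        elif command in ("sh", "bash", "cmd", "powershell"):
            findings.append(dict(rule="shell-execution", severity="HIGH",
                                 server=name, detail=f"server started via {command}"))
    return findings


def gate(findings, threshold="HIGH"):
    """CI exit code: 1 if any finding is at or above the threshold severity, else 0."""
    limit = SEVERITY_RANK[threshold]
    return 1 if any(SEVERITY_RANK[f["severity"]] <= limit for f in findings) else 0


if __name__ == "__main__":
    for f in scan_python_source(SAMPLE_SERVER) + scan_mcp_config(SAMPLE_CONFIG):
        print(f)
    print("exit code:", gate(scan_python_source(SAMPLE_SERVER)))
```

The argv-form `subprocess.run` on line 6 of the sample is deliberately not flagged: the `shell=True` keyword is what hands the string to a shell parser, so the rule keys on that rather than on the function name alone.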
Contributing
Contributions welcome! See CONTRIBUTING.md for guidelines.
Ideas for contributions:
- New detection rules
- Support for more MCP client configs
- SARIF output format
- VS Code extension
License
MIT — use it everywhere, no strings attached.
Built to make the MCP ecosystem safer.
If this helped you, give it a star — it helps others find it too.