The fast local check before you trust a new MCP server or ship an agent workflow.
MCP Preflight
MCP Preflight is the fast local check you run before you trust a new MCP server or ship an agent workflow.
It reads common MCP config files, tool descriptions, prompt resources, and repo manifests, then explains risky patterns in plain language so you can fix them before they become a bigger problem.
This public repository stays intentionally narrow. It contains the Lite product code and the user-facing materials people need to evaluate it. Internal planning, private operating notes, and maintainer admin work stay out of the public repo on purpose.
What it checks
- .vscode/mcp.json and other common MCP config locations
- tool descriptions and prompt resources
- repo manifests and dependency signals
- obvious secret-bearing files such as .env
- risky patterns such as embedded credentials, token passthrough, unsafe launchers, insecure remote targets, prompt injection, and tool poisoning
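To make the config-level checks concrete, here is a small added illustration (not MCP Preflight's own scanner code) that reads a constructed .vscode/mcp.json, assumed to use a top-level "servers" map, and reports three of the patterns listed above: literal credentials in env, plaintext HTTP to a non-loopback remote, and a shell launcher with an inline script. The rule names and the sample config are assumptions made up for this example.

```typescript
// Added example for this README, not the MCP Preflight code base.
// Assumes the VS Code mcp.json shape: { "servers": { "<name>": { command, args, env, url } } }.
type Server = { command?: string; args?: string[]; env?: Record<string, string>; url?: string };
type Finding = { server: string; rule: string; detail: string };

const SECRET_KEY = /(token|secret|password|api[_-]?key)/i;
// Values like ${input:apiKey} or ${env:API_KEY} are references, not embedded secrets.
const REFERENCE_VALUE = /^\$\{(input|env):[^}]+\}$/;
const SHELLS = new Set(["sh", "bash", "zsh", "cmd", "cmd.exe", "powershell", "pwsh"]);
const LOOPBACK = new Set(["localhost", "127.0.0.1", "[::1]"]);

function checkMcpConfig(text: string): Finding[] {
  const findings: Finding[] = [];
  const servers = (JSON.parse(text).servers ?? {}) as Record<string, Server>;
  for (const [name, s] of Object.entries(servers)) {
    // Embedded credential: a secret-looking env key holding a literal value.
    for (const [k, v] of Object.entries(s.env ?? {})) {
      if (SECRET_KEY.test(k) && !REFERENCE_VALUE.test(v)) {
        findings.push({ server: name, rule: "embedded-credential", detail: `env.${k} is a literal value` });
      }
    }
    // Insecure remote target: plaintext HTTP to anything other than loopback.
    const m = s.url ? /^http:\/\/([^/?#]+)/i.exec(s.url) : null;
    if (m && !LOOPBACK.has(m[1].replace(/:\d+$/, "").toLowerCase())) {
      findings.push({ server: name, rule: "insecure-remote-target", detail: `${s.url} is not served over TLS` });
    }
    // Unsafe launcher: a shell handed an inline script hides what will actually run.
    const exe = (s.command ?? "").split(/[\\/]/).pop() ?? "";
    const args = s.args ?? [];
    if (SHELLS.has(exe.toLowerCase()) && args.some((a) => /^(-c|\/c|-command)$/i.test(a))) {
      findings.push({ server: name, rule: "unsafe-launcher", detail: `${s.command} ${args.join(" ")}` });
    }
  }
  return findings;
}

// Constructed sample config: three risky servers and two acceptable ones.
const SAMPLE_CONFIG = JSON.stringify({ servers: {
  github: { command: "npx", args: ["-y", "example-mcp-server"], env: { GITHUB_TOKEN: "ghp_PLACEHOLDER_NOT_REAL" } },
  docs:   { url: "http://docs.internal.example:8080/mcp" },
  local:  { url: "http://127.0.0.1:3000/mcp" },
  shell:  { command: "/bin/sh", args: ["-c", "node server.js"] },
  safe:   { command: "node", args: ["server.js"], env: { API_KEY: "${input:apiKey}" } },
} });

for (const f of checkMcpConfig(SAMPLE_CONFIG)) console.log(`${f.server}: ${f.rule} (${f.detail})`);
```

Running it lists findings for github, docs and shell only; the loopback URL and the ${input:...} reference are left alone.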
Why people use it
- It runs locally by default
- The Lite scan does not require an account
- It is built for MCP preflight review, not a broad security platform
- Findings are meant to be readable by developers, not just auditors
- The activity log stays local too, so you can inspect usage without sending workspace data to a backend
Lite and Pro
- Lite is the fast local scan: text and JSON output, workspace scan, file scan, and the core MCP checks
- Pro unlocks the export and workflow surfaces: Markdown, HTML, and SARIF reports, suppression files, CI mode, Git hooks, and policy presets
- Pro is unlocked with a local signed license token, not a hosted MCP Preflight account
- The scanner does not need to phone home just to decide whether Pro is active on your machine
- Buy Pro: Stripe checkout
- Activation and install: Pro license guide
What it is not
- Not a hosted scanner
- Not an agent runtime
- Not a SIEM
- Not a general AppSec platform
Read this next
Commands
npm install
npm run build
npm run typecheck
node packages/cli/dist/index.js scan /path/to/workspace
node packages/cli/dist/index.js activity status
node packages/cli/dist/index.js activity export --format json --output ./mcp-preflight-activity.json
node packages/cli/dist/index.js license guide
node packages/cli/dist/index.js license status
node packages/cli/dist/index.js license install --from-file /path/to/license.token
node packages/cli/dist/index.js ci /path/to/workspace --policy balanced
node packages/cli/dist/index.js hooks install /path/to/repo --hook pre-push
node packages/cli/dist/index.js upgrade
node packages/cli/dist/index.js review --channel marketplace
node packages/cli/dist/index.js support --channel discussions
npm run scan -- /path/to/workspace
Local activity
MCP Preflight keeps a small local activity log so you can answer practical questions like:
- how many scans have I actually run
- how often have I hit a Pro gate
- did I already install a local Pro license on this machine
That log is local-only. It does not include workspace contents, and MCP Preflight does not upload it to a hosted service.
If you do not want the log, set MCP_PREFLIGHT_DISABLE_ACTIVITY=1.
If you want to store it somewhere else, set MCP_PREFLIGHT_ACTIVITY_FILE=/path/to/activity-log.jsonl.
Releases
- GitHub Releases for .vsix files, CLI bundles, and release notes
Repository layout
packages/core: shared scanning engine
packages/cli: command-line entrypoint
apps/vscode-extension: VS Code integration
Support
- Questions and feature requests: GitHub Discussions
- Bugs: GitHub Issues
- License and payment help: igorsv199@gmail.com
- Leave a review: VS Code Marketplace or Open VSX