A
securityA
licenseA
qualityAudits npm package dependencies for security vulnerabilities, providing detailed reports and fix recommendations with MCP integration.
Last updated -
1
693
41
TypeScript
MIT License
Provides Docker-specific security best practices and recommendations for containerized applications
Analyzes Git repositories for security issues including .gitignore file validation and Git history scanning for exposed secrets and vulnerabilities
Detects GitHub-specific API keys and tokens in code repositories to prevent credential exposure
Identifies Google API keys and credentials in code repositories to prevent unauthorized access to Google services
Scans for exposed OpenAI API keys and tokens in codebases to prevent unauthorized access to OpenAI services
Security Scanner MCP Server
A comprehensive security scanning tool for code repositories, exposed as an MCP (Model Context Protocol) server. This tool helps developers identify security vulnerabilities, exposed secrets, dependency issues, and configuration problems in their codebases.
Features
- Secret Detection: Scans for exposed API keys, passwords, tokens, and other sensitive information
- Vulnerability Analysis: Identifies common security vulnerabilities in code
- Dependency Auditing: Checks for outdated or vulnerable dependencies
- Git Security: Analyzes .gitignore files and git history for security issues
- Real-time Scanning: Check content for secrets before committing
- Security Best Practices: Provides actionable security recommendations
Installation
Or use with npx:
CLI Usage (NEW in v1.1.0)
The package now includes a standalone CLI tool for direct command-line scanning:
CLI Options:
--format <format>: Output format (summary|detailed|json), default: summary--categories <categories...>: Specific categories to scan (secrets|vulnerabilities|dependencies|gitignore|git-history), default: all
Usage with Claude Desktop
Add the server to your Claude Desktop configuration:
macOS
Edit ~/Library/Application Support/Claude/claude_desktop_config.json:
Windows
Edit %APPDATA%\Claude\claude_desktop_config.json:
Available Tools
1. scan_repository
Performs a comprehensive security scan on a repository.
Parameters:
path(required): Path to the repository to scanoutputFormat(optional): Output format - "summary", "detailed", or "json" (default: "summary")categories(optional): Specific categories to scan (default: all)- "secrets": API keys, passwords, tokens
- "vulnerabilities": Code vulnerabilities
- "dependencies": Dependency issues
- "gitignore": .gitignore analysis
- "git-history": Git history scanning
Example:
2. check_secret
Checks if a piece of content contains potential secrets or sensitive information.
Parameters:
content(required): Content to check for secretsfileType(optional): File type/extension for context-aware scanning
Example:
3. check_gitignore
Analyzes .gitignore file for missing security patterns.
Parameters:
path(required): Path to the repositorypatterns(optional): Additional patterns to check for
Example:
4. get_security_tips
Get security best practices and tips for a specific topic.
Parameters:
topic(required): Security topic- "secrets": Secret management best practices
- "gitignore": .gitignore recommendations
- "dependencies": Dependency security
- "docker": Docker security
- "ci-cd": CI/CD security
- "general": General security tips
Example:
Security Patterns Detected
Secrets
- AWS Access Keys and Secret Keys
- API Keys (OpenAI, Google, GitHub, etc.)
- Private Keys (SSH, SSL certificates)
- Database connection strings
- OAuth tokens
- JWT tokens
- And many more...
Vulnerabilities
- SQL injection risks
- Command injection risks
- Hardcoded IPs and credentials
- Weak cryptography usage
- Insecure deserialization
- Debug code in production
- Insecure random number generation
Configuration Issues
- Missing .gitignore patterns
- Exposed configuration files
- Temporary file usage
- HTTP without TLS
Example Workflow
- Initial Repository Scan
- Check Code Before Committing
- Fix .gitignore Issues
- Get Security Recommendations
Output Formats
Summary Format
Quick overview showing count of issues by severity level.
Detailed Format
Complete listing of all findings with:
- Issue description
- File location and line number
- Severity level
- Remediation recommendations
JSON Format
Machine-readable format for integration with other tools.
Best Practices
- Run Regular Scans: Integrate into your CI/CD pipeline
- Fix Critical Issues First: Address high and critical severity findings immediately
- Update .gitignore: Ensure all sensitive file patterns are excluded
- Rotate Exposed Secrets: If any secrets are found, rotate them immediately
- Keep Dependencies Updated: Regular dependency updates reduce vulnerabilities
Contributing
Contributions are welcome! Please feel free to submit a Pull Request.
License
MIT
Acknowledgments
This tool was created after discovering exposed credentials in production code. It aims to help developers prevent similar security incidents by providing proactive scanning and education about security best practices.
This server cannot be installed
Enables comprehensive security scanning of code repositories to detect secrets, vulnerabilities, dependency issues, and configuration problems. Provides real-time security checks and best practice recommendations to help developers identify and prevent security issues.
Related MCP Servers
- -securityAlicense-qualityA Model Context Protocol tool for analyzing code repositories, performing security scans, and assessing code quality across multiple programming languages.Last updated -1PythonMIT License
- -securityAlicense-qualityProvides Trivy security scanning capabilities through a standardized interface, allowing users to scan projects for vulnerabilities and automatically fix them by updating dependencies.Last updated -9PythonMIT License
- -securityAlicense-qualityA comprehensive system that helps organizations track, manage, and respond to security vulnerabilities effectively through features like vulnerability tracking, user management, support tickets, API key management, and SSL certificate management.Last updated -PythonMIT License