A
securityA
licenseA
qualityAudits npm package dependencies for security vulnerabilities, providing detailed reports and fix recommendations with MCP integration.
Last updated -
1
63
47
MIT License
Provides Docker-specific security best practices and recommendations for containerized applications
Analyzes Git repositories for security issues including .gitignore file validation and Git history scanning for exposed secrets and vulnerabilities
Detects GitHub-specific API keys and tokens in code repositories to prevent credential exposure
Identifies Google API keys and credentials in code repositories to prevent unauthorized access to Google services
Scans for exposed OpenAI API keys and tokens in codebases to prevent unauthorized access to OpenAI services
Security Scanner MCP Server
A comprehensive security scanning tool for code repositories, exposed as an MCP (Model Context Protocol) server. This tool helps developers identify security vulnerabilities, exposed secrets, dependency issues, and configuration problems in their codebases.
Features
Secret Detection: Scans for exposed API keys, passwords, tokens, and other sensitive information
Vulnerability Analysis: Identifies common security vulnerabilities in code
Dependency Auditing: Checks for outdated or vulnerable dependencies
Git Security: Analyzes .gitignore files and git history for security issues
Real-time Scanning: Check content for secrets before committing
Security Best Practices: Provides actionable security recommendations
Installation
npm install -g @rupeshpanwar/security-scanner-mcp
Or use with npx:
npx @rupeshpanwar/security-scanner-mcp
CLI Usage (NEW in v1.1.0)
The package now includes a standalone CLI tool for direct command-line scanning:
# Scan a directory with summary output
security-scan scan /path/to/project
# Scan with detailed output
security-scan scan /path/to/project --format detailed
# Scan specific categories
security-scan scan /path/to/project --categories secrets vulnerabilities
# Output as JSON
security-scan scan /path/to/project --format json
# Save report to file
security-scan scan /path/to/project --format detailed > security-report.txt
CLI Options:
--format <format>: Output format (summary|detailed|json), default: summary--categories <categories...>: Specific categories to scan (secrets|vulnerabilities|dependencies|gitignore|git-history), default: all
Usage with Claude Desktop
Add the server to your Claude Desktop configuration:
macOS
Edit ~/Library/Application Support/Claude/claude_desktop_config.json:
{
"mcpServers": {
"security-scanner": {
"command": "npx",
"args": ["@rupeshpanwar/security-scanner-mcp"]
}
}
}
Windows
Edit %APPDATA%\Claude\claude_desktop_config.json:
{
"mcpServers": {
"security-scanner": {
"command": "npx",
"args": ["@rupeshpanwar/security-scanner-mcp"]
}
}
}
Available Tools
1. scan_repository
Performs a comprehensive security scan on a repository.
Parameters:
path(required): Path to the repository to scanoutputFormat(optional): Output format - "summary", "detailed", or "json" (default: "summary")categories(optional): Specific categories to scan (default: all)"secrets": API keys, passwords, tokens
"vulnerabilities": Code vulnerabilities
"dependencies": Dependency issues
"gitignore": .gitignore analysis
"git-history": Git history scanning
Example:
Scan the repository at /path/to/repo for all security issues
2. check_secret
Checks if a piece of content contains potential secrets or sensitive information.
Parameters:
content(required): Content to check for secretsfileType(optional): File type/extension for context-aware scanning
Example:
Check this content for secrets: AWS_ACCESS_KEY=AKIA1234567890ABCDEF
3. check_gitignore
Analyzes .gitignore file for missing security patterns.
Parameters:
path(required): Path to the repositorypatterns(optional): Additional patterns to check for
Example:
Check if the .gitignore in /path/to/repo has all recommended security patterns
4. get_security_tips
Get security best practices and tips for a specific topic.
Parameters:
topic(required): Security topic"secrets": Secret management best practices
"gitignore": .gitignore recommendations
"dependencies": Dependency security
"docker": Docker security
"ci-cd": CI/CD security
"general": General security tips
Example:
Give me security tips about secrets management
Security Patterns Detected
Secrets
AWS Access Keys and Secret Keys
API Keys (OpenAI, Google, GitHub, etc.)
Private Keys (SSH, SSL certificates)
Database connection strings
OAuth tokens
JWT tokens
And many more...
Vulnerabilities
SQL injection risks
Command injection risks
Hardcoded IPs and credentials
Weak cryptography usage
Insecure deserialization
Debug code in production
Insecure random number generation
Configuration Issues
Missing .gitignore patterns
Exposed configuration files
Temporary file usage
HTTP without TLS
Example Workflow
Initial Repository Scan
Scan the repository at ./my-project and show me a detailed reportCheck Code Before Committing
Check this config file for any secrets: [paste your config content]Fix .gitignore Issues
Check my .gitignore file and tell me what security patterns I'm missingGet Security Recommendations
Give me best practices for managing secrets in my codebase
Output Formats
Summary Format
Quick overview showing count of issues by severity level.
Detailed Format
Complete listing of all findings with:
Issue description
File location and line number
Severity level
Remediation recommendations
JSON Format
Machine-readable format for integration with other tools.
Best Practices
Run Regular Scans: Integrate into your CI/CD pipeline
Fix Critical Issues First: Address high and critical severity findings immediately
Update .gitignore: Ensure all sensitive file patterns are excluded
Rotate Exposed Secrets: If any secrets are found, rotate them immediately
Keep Dependencies Updated: Regular dependency updates reduce vulnerabilities
Contributing
Contributions are welcome! Please feel free to submit a Pull Request.
License
MIT
Acknowledgments
This tool was created after discovering exposed credentials in production code. It aims to help developers prevent similar security incidents by providing proactive scanning and education about security best practices.
This server cannot be installed
Enables comprehensive security scanning of code repositories to detect secrets, vulnerabilities, dependency issues, and configuration problems. Provides real-time security checks and best practice recommendations to help developers identify and prevent security issues.
Related MCP Servers
- -securityAlicense-qualityProvides Trivy security scanning capabilities through a standardized interface, allowing users to scan projects for vulnerabilities and automatically fix them by updating dependencies.Last updated -10MIT License
- -securityAlicense-qualityA comprehensive system that helps organizations track, manage, and respond to security vulnerabilities effectively through features like vulnerability tracking, user management, support tickets, API key management, and SSL certificate management.Last updated -MIT License
- AsecurityAlicenseAqualityProvides tools for analyzing project structures, searching through codebases, managing dependencies, and performing file operations with advanced filtering capabilities.Last updated -691MIT License