# Secure Code Review MCP Server
Integrates with GitHub Copilot in VS Code to provide automated security scanning of code for hardcoded secrets, dependency issues, insecure configurations, risky code patterns, and PR readiness checks before committing or raising a PR.
A local MCP (Model Context Protocol) server that helps software engineers review their code for security issues before committing or raising a PR. This server integrates directly with GitHub Copilot in VS Code.
## What Problem Does This Solve?

Developers often commit code with:

- Hardcoded secrets (API keys, passwords)
- Duplicate or risky dependencies
- Insecure configuration settings
- Dangerous code patterns (eval, SQL injection)
- Missing security hygiene files

This MCP server provides automated security scanning right inside VS Code through GitHub Copilot, catching issues before they reach your repository.
## Architecture

```
+--------------------------------------------------------+
| VS Code                                                |
|   GitHub Copilot Chat                                  |
|   "Scan my code for security issues"                   |
|             |                                          |
|             v                                          |
|   MCP Client (STDIO)                                   |
+-------------|------------------------------------------+
              v
+--------------------------------------------------------+
| Secure Code Review MCP Server                          |
|   server.py (MCP SDK + Tool Handlers)                  |
|     |          |          |          |          |      |
|     v          v          v          v          v      |
|  Secrets    Dependency Config     Code       PR        |
|  Scanner    Scanner    Scanner    Pattern    Readiness |
|                                   Scanner              |
+----------------------------|---------------------------+
                             v
                      +--------------+
                      | Local Files  |
                      | (Read-Only)  |
                      +--------------+
```

## Project Structure
```
secure-code-review-mcp/
├── README.md                  # This file
├── requirements.txt           # Python dependencies
├── .gitignore                 # Git ignore rules
│
├── src/
│   ├── __init__.py
│   ├── server.py              # Main MCP server with 6 tools
│   │
│   └── scanners/
│       ├── __init__.py
│       ├── base_scanner.py            # Abstract base scanner
│       ├── secrets_scanner.py         # Hardcoded secrets detection
│       ├── dependency_scanner.py      # Dependency issues
│       ├── config_scanner.py          # Insecure configurations
│       ├── code_pattern_scanner.py    # Risky code patterns
│       └── pr_readiness_scanner.py    # PR checklist generator
│
└── sample_project/            # Test project with vulnerabilities
    ├── app.py                 # Python with dangerous patterns
    ├── index.js               # JavaScript with dangerous patterns
    ├── config.py              # Insecure configurations
    ├── requirements.txt       # Dependencies with issues
    ├── package.json           # Node.js dependencies with issues
    ├── Dockerfile             # Docker with security issues
    ├── .env.example           # Environment variables template
    └── README.md              # Sample project notes
```

Note: `docs/`, `tests/`, `pyproject.toml`, and `mcp_config.json` were intentionally removed to keep this project minimal and focused on local MCP usage.
## MCP Tools Available

| Tool | Description |
|------|-------------|
| Secrets scanner (`scan_hardcoded_secrets`) | Scan for passwords, API keys, tokens, AWS credentials, private keys, database connection strings |
| Dependency scanner | Check for duplicate packages, unpinned versions, risky packages, missing lock files |
| Config scanner | Detect DEBUG=true, CORS=*, root user in Docker, latest tag usage |
| Code pattern scanner | Find eval(), exec(), SQL injection, weak hashing (MD5/SHA1), unsafe yaml.load |
| PR readiness | Generate PR readiness checklist with pass/fail status |
| Full review (`run_full_security_review`) | Run all scanners and produce comprehensive summary |
## Prerequisites

- Python 3.10+
- VS Code with GitHub Copilot extension
- GitHub Copilot Chat enabled
## Installation

### Step 1: Clone/Navigate to the Project

```bash
cd path/to/secure-code-review-mcp
```

### Step 2: Create Virtual Environment (Recommended)

```bash
# Windows
python -m venv venv
.\venv\Scripts\activate

# macOS/Linux
python3 -m venv venv
source venv/bin/activate
```

### Step 3: Install Dependencies

```bash
pip install -r requirements.txt
```

### Step 4: Verify Installation

```bash
python -c "import mcp; print('MCP SDK installed successfully!')"
```

## Connecting to GitHub Copilot in VS Code
### Step 1: Create MCP Configuration

Create or verify `.vscode/mcp.json` in your workspace root:

```json
{
  "servers": {
    "secure-code-review": {
      "type": "stdio",
      "command": "python",
      "args": [
        "${workspaceFolder}/mcp-client-server/secure-code-review-mcp/src/server.py"
      ],
      "env": {
        "PYTHONPATH": "${workspaceFolder}/mcp-client-server/secure-code-review-mcp/src"
      }
    }
  }
}
```

Note: Adjust the path based on your folder structure.
### Step 2: Reload VS Code

1. Press Ctrl+Shift+P (or Cmd+Shift+P on Mac)
2. Type "Developer: Reload Window"
3. Press Enter
### Step 3: Verify MCP Server is Connected

1. Open GitHub Copilot Chat (Ctrl+Alt+I or click the Copilot icon)
2. Click the 🔧 Tools icon in the chat
3. You should see "secure-code-review" listed with 6 tools
## Testing the MCP Server

### Test with Sample Project

The `sample_project/` folder contains intentionally vulnerable code for testing.

### Example Prompts for GitHub Copilot

Open GitHub Copilot Chat and try these prompts:

1. "Scan sample_project for hardcoded secrets"
2. "Check dependencies in the sample_project folder"
3. "Find insecure configurations in sample_project"
4. "Scan sample_project for risky code patterns"
5. "Generate a PR security checklist for sample_project"
6. "Run a full security review on sample_project"

### Expected Output Example
For `scan_hardcoded_secrets`:

```json
{
  "scanner": "SecretsScanner",
  "files_scanned": 5,
  "total_findings": 12,
  "findings": [
    {
      "file_path": "sample_project/app.py",
      "line_number": 15,
      "matched_pattern_type": "Hardcoded Password",
      "severity": "High",
      "recommendation": "Remove hardcoded password and use environment variables"
    }
  ],
  "summary": {
    "high_severity": 10,
    "medium_severity": 2,
    "low_severity": 0
  }
}
```

For `run_full_security_review`:
```json
{
  "project_path": "sample_project",
  "summary": {
    "total_findings": 45,
    "high_severity_count": 25,
    "medium_severity_count": 15,
    "low_severity_count": 5
  },
  "pr_readiness": {
    "overall_status": "🔴 Needs Fixes",
    "checklist_items": [...]
  },
  "final_recommendation": "🔴 DO NOT RAISE PR - Fix all high severity issues first"
}
```

## What Each Scanner Detects
### Secrets Scanner

- `password=`, `passwd=`, `pwd=`
- `api_key=`, `apikey=`
- `secret=`, `token=`
- `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`
- `-----BEGIN PRIVATE KEY-----`
- Database connection strings with credentials
- JWT secrets

### Dependency Scanner

- Duplicate packages in `requirements.txt`
- Duplicate dependencies across `package.json` sections
- Unpinned versions (`pandas` without `==x.x.x`)
- Wildcard versions (`*`, `latest`)
- Known risky packages (pycrypto, event-stream, etc.)
- Missing lock files

### Config Scanner

- `DEBUG=true`
- `ENV=development` in production configs
- `CORS=*`, `ALLOW_ORIGINS=*`
- Root user in Dockerfile
- `:latest` tag in Docker images
- Exposed sensitive ports (22, 3389)
- Hardcoded passwords in Docker `ENV`

### Code Pattern Scanner

Python:

- `eval()`, `exec()`
- `subprocess.run(..., shell=True)`
- `os.system()`
- `pickle.load()` with untrusted data
- `yaml.load()` without `SafeLoader`
- SQL string formatting
- `hashlib.md5()`, `hashlib.sha1()`

JavaScript:

- `eval()`
- `new Function()`
- `setTimeout`/`setInterval` with strings
- `child_process.exec()`
- `.innerHTML` assignment
- `document.write()`
- SQL template literals
- `crypto.createHash('md5'/'sha1')`
## License

MIT License - Free for personal and commercial use.

## Contributing

Contributions welcome! Please:

1. Fork the repository
2. Create a feature branch
3. Submit a pull request

⚠️ Disclaimer: This is a basic security scanner for learning and demonstration purposes. It should NOT be used as the sole security review tool for production applications. Always use professional security tools and conduct thorough security audits.