Orcorus Repository Scanner
Scans GitHub repositories for security vulnerabilities, hardcoded secrets, and generates a SECURITY.md report with a security score and tier classification.
Uses an OpenAI-compatible LLM to perform an agentic, multi-turn code review that explores the codebase and produces an OWASP Top 10-aligned security report.
A repository security scanner for GitHub repositories, available as both an MCP server and a CLI tool. Orcorus clones a repo, runs static analysis, detects hardcoded secrets, verifies the build, and performs an AI-powered OWASP-aligned security code review — producing a scored SECURITY.md report.
Features
Static analysis — Runs Bandit on Python code to detect common vulnerabilities
Secrets detection — Pattern-based scanning for API keys, tokens, private keys, and credentials
Build verification — Attempts to build/install the project (supports Python, Node, Go, Rust)
Test detection — Identifies test frameworks (pytest, jest, mocha, vitest, unittest)
AI security review — Agentic, multi-turn code review using an OpenAI-compatible LLM that explores the codebase with tools (read files, search code, list directories) and produces an OWASP Top 10-aligned report
Scoring & tiering — Assigns a 0–100 security score and classifies repos as Gold / Silver / Bronze / Reject
MCP server — Exposes scan_repo, get_report, and list_reports tools via FastMCP
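The agentic review's file tools (read files, search code, list directories) are the point where a reviewer that follows model-chosen paths can be steered outside the cloned repository. The following is an added example, not Orcorus's own ai_review.py: it confines those three tools to the repo root, resolving symlinks and absolute arguments before the check, and returns errors to the model as tool results instead of raising into the loop. RepoTools, ToolError, make_sample_repo and demo are names chosen for this example, and the sample repository it builds is constructed.

```python
"""Sandboxed exploration tools for an agentic code-review loop.

Added example, not Orcorus's ai_review.py. Every path the model requests is
resolved (symlinks included) against the cloned repo root and refused if it
escapes, so a prompt-injected or confused reviewer cannot read host files.
"""
import json
import re
import tempfile
from pathlib import Path


class ToolError(Exception):
    """Reported back to the model as a tool result rather than raised to the loop."""


class RepoTools:
    def __init__(self, root, max_bytes=64_000):
        self.root = Path(root).resolve()
        self.max_bytes = max_bytes  # cap on what a single read_file returns

    def _safe(self, rel):
        # resolve() follows symlinks, so a link to /etc cannot escape the jail;
        # an absolute argument replaces self.root and is caught the same way.
        target = (self.root / rel).resolve()
        if target != self.root and self.root not in target.parents:
            raise ToolError(f"path escapes repository root: {rel}")
        return target

    def read_file(self, path):
        target = self._safe(path)
        if not target.is_file():
            raise ToolError(f"not a file: {path}")
        return target.read_bytes()[: self.max_bytes].decode("utf-8", "replace")

    def list_dir(self, path="."):
        target = self._safe(path)
        if not target.is_dir():
            raise ToolError(f"not a directory: {path}")
        return sorted(p.name + ("/" if p.is_dir() else "") for p in target.iterdir())

    def search_code(self, pattern, max_hits=50):
        rx = re.compile(pattern)  # re.error surfaces through dispatch() below
        hits = []
        for p in sorted(self.root.rglob("*")):
            # skip VCS metadata and symlinks (a symlinked file may point outside root)
            if ".git" in p.parts or p.is_symlink() or not p.is_file():
                continue
            for n, line in enumerate(p.read_text("utf-8", "replace").splitlines(), 1):
                if rx.search(line):
                    hits.append(f"{p.relative_to(self.root)}:{n}: {line.strip()}")
                    if len(hits) >= max_hits:
                        return hits
        return hits

    def dispatch(self, name, arguments):
        """Run one model-requested tool call; failures become JSON the model can read."""
        fn = {"read_file": self.read_file, "list_dir": self.list_dir,
              "search_code": self.search_code}.get(name)
        if fn is None:
            return json.dumps({"error": f"unknown tool: {name}"})
        try:
            return json.dumps({"result": fn(**arguments)})
        except (ToolError, re.error, TypeError) as exc:
            return json.dumps({"error": str(exc)})


def make_sample_repo():
    """Constructed sample repository (not a real project) for demo()."""
    root = Path(tempfile.mkdtemp(prefix="orcorus_demo_"))
    (root / "app").mkdir()
    (root / "app" / "db.py").write_text(
        'DB_PASSWORD = "hunter2"\n'
        'query = "SELECT * FROM users WHERE id=" + uid\n'
    )
    (root / "README.md").write_text("# demo\n")
    return root


def demo():
    tools = RepoTools(make_sample_repo())
    return {
        "listing": tools.list_dir("."),
        "hits": tools.search_code(r"SELECT .*\+"),
        "relative_escape": json.loads(tools.dispatch("read_file", {"path": "../../etc/passwd"})),
        "absolute_escape": json.loads(tools.dispatch("read_file", {"path": "/etc/passwd"})),
        "bad_tool": json.loads(tools.dispatch("delete_file", {"path": "README.md"})),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The only tool names the model can invoke are the three registered in dispatch(); anything else, and any path that resolves outside the root, comes back as an error object rather than an exception, which keeps the multi-turn loop alive without widening what the reviewer can touch.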
Project Structure
src/               # Core library
  __init__.py      # Public API: Scanner, ScanConfig, ScanResult
  models.py        # Data models (ScanConfig, ScanResult)
  scanner.py       # Main scanning pipeline
  analyzers.py     # Bandit, secrets, build, test, and quality checks
  ai_review.py     # Agentic AI security review loop
  report.py        # SECURITY.md report generation
server.py          # MCP server (FastMCP)
scan_repo.py       # CLI client
Quick Start
CLI
```sh
# With AI review (GitHub repo)
python scan_repo.py https://github.com/owner/repo --api-key sk-...

# Without AI review
python scan_repo.py https://github.com/owner/repo --skip-ai

# Scan a local directory in-place (absolute --subdir path)
python scan_repo.py --name SSH-Command \
  --subdir /srv/docker/orcorus-integrations/ssh-command \
  --api-key sk-... --model gpt-5.4 --base-url https://api.cometapi.com/v1

# Scan current directory
python scan_repo.py .

# Custom model / provider
python scan_repo.py https://github.com/owner/repo \
  --model gpt-5.2 \
  --base-url https://api.openai.com/v1 \
  --api-key sk-...
```
MCP Server
```sh
python server.py
# or
fastmcp run server.py
```
The server exposes three tools:
Tool | Description |
scan_repo | Scan a GitHub repo (runs as a background task) |
get_report | Retrieve a completed SECURITY.md report by name |
list_reports | List all available scan reports with scores |
MCP Client Setup
VS Code / Claude Code (settings.json)
Add the following to your MCP settings.json to run Orcorus as a Docker container:
```json
{
  "mcpServers": {
    "scanner": {
      "command": "docker",
      "args": [
        "run", "-i", "--rm",
        "-e", "OPENAI_API_KEY=sk-your-api-key-here",
        "-e", "ORCORUS_MODEL=gpt-5.2",
        "-e", "OPENAI_BASE_URL=https://api.openai.com/v1",
        "-e", "ORCORUS_REPORTS_DIR=/app/reports",
        "-e", "ORCORUS_WORK_DIR=/app/repos",
        "-e", "ORCORUS_AI_TIMEOUT=300",
        "-e", "ORCORUS_MAX_TURNS=40",
        "orcorus/security_scanner:latest"
      ]
    }
  }
}
```
To persist reports between runs, mount a volume:
```json
{
  "mcpServers": {
    "scanner": {
      "command": "docker",
      "args": [
        "run", "-i", "--rm",
        "-e", "OPENAI_API_KEY=sk-your-api-key-here",
        "-e", "ORCORUS_MODEL=gpt-5.2",
        "-e", "OPENAI_BASE_URL=https://api.openai.com/v1",
        "-v", "/path/to/local/reports:/app/reports",
        "orcorus/security_scanner:latest"
      ]
    }
  }
}
```
To skip AI review (static analysis only), add "-e", "ORCORUS_SKIP_AI=true" to the args.
Configuration
CLI Arguments
Argument | Default | Description |
repo URL / path (positional) | | GitHub repository URL or local path (ignored when |
--name | auto-detected | Display name for the report |
| HEAD | Specific commit to checkout |
--subdir | (none) | Subdirectory scope, or an absolute path to scan a directory in-place without cloning |
--api-key | | API key for the LLM provider |
--model | | Model to use for AI review |
--base-url | | OpenAI-compatible API base URL |
| | Directory to save reports |
| | Timeout per AI call (seconds) |
| | Max agentic review turns |
--skip-ai | | Skip the AI review step |
| | Keep the cloned repo after scanning |
Environment Variables (MCP Server)
Variable | Default | Description |
OPENAI_API_KEY | (none) | API key for AI review |
ORCORUS_MODEL | | LLM model name |
OPENAI_BASE_URL | | API base URL |
ORCORUS_REPORTS_DIR | | Reports output directory |
ORCORUS_WORK_DIR | | Temporary clone directory |
ORCORUS_AI_TIMEOUT | | Timeout per AI call (seconds) |
ORCORUS_MAX_TURNS | | Max agentic review turns |
| | Set to |
| | Set to |
Scoring
Score | Tier |
90–100 | Gold |
75–89 | Silver |
60–74 | Bronze |
0–59 | Reject |
Deductions are applied for high/medium/low Bandit findings, hardcoded secrets, build failures, missing tests, missing README, missing dependency files, and critical/high severity issues found during AI review.
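The secrets-detection and scoring steps described above can be seen end to end in the following added example, which is not Orcorus's own analyzers.py or report.py. It runs a small pattern-based scanner over constructed sample files, filters out placeholder and low-entropy values so that `changeme` or `${API_KEY}` is not reported as a leak, keeps only a redacted preview of each match, and then applies the tier thresholds from the table above. The per-category deduction weights in WEIGHTS are assumed for illustration, since the page lists the categories but not Orcorus's actual amounts; all function names are this example's own.

```python
"""Pattern-based secrets detection plus score/tier computation.

Added example, not Orcorus's analyzers.py or report.py. The tier thresholds
are the ones in the table above; the deduction WEIGHTS are assumed here for
illustration and are not Orcorus's published numbers.
"""
import math
import re
from collections import Counter

# Most specific patterns first; one finding per line, from the first pattern that hits.
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github_token", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("private_key", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    # generic `password = "..."` style assignment; the quoted value is group 1
    ("generic_secret", re.compile(
        r"""(?i)(?:api[_-]?key|secret|password|token)\s*[:=]\s*['"]([^'"]{8,})['"]""")),
]
# Values that are obviously templates or placeholders, not leaked credentials.
PLACEHOLDER = re.compile(r"^(?:\$\{[^}]*\}|<[^>]*>|changeme|your[_-].*|x{4,}|\.\.\.|sk-\.\.\.)$", re.I)
MIN_ENTROPY = 3.0  # bits per character; below this a "secret" is usually a dummy word


def shannon_entropy(s):
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def find_secrets(path, text):
    """Return a list of findings {path, line, kind, preview} for one file's text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, rx in PATTERNS:
            m = rx.search(line)
            if not m:
                continue
            value = m.group(1) if m.groups() else m.group(0)
            if kind == "generic_secret" and (PLACEHOLDER.match(value) or shannon_entropy(value) < MIN_ENTROPY):
                break  # has the shape of a secret, but the value is a dummy
            # never copy the full credential into the report; keep a short preview
            findings.append({"path": path, "line": lineno, "kind": kind, "preview": value[:4] + "..."})
            break
    return findings


# ASSUMED deduction weights per finding (the page lists the categories but not the amounts).
WEIGHTS = {
    "bandit_high": 10, "bandit_medium": 5, "bandit_low": 1,
    "secret": 15, "build_failed": 20, "no_tests": 10,
    "no_readme": 5, "no_dependency_file": 5,
    "ai_critical": 15, "ai_high": 10,
}
TIERS = [(90, "Gold"), (75, "Silver"), (60, "Bronze"), (0, "Reject")]  # from the table above


def compute_score(counts):
    """100 minus the weighted deductions, floored at 0. Unknown categories raise KeyError."""
    return max(0, 100 - sum(WEIGHTS[k] * v for k, v in counts.items()))


def tier_for(score):
    for floor, name in TIERS:
        if score >= floor:
            return name
    raise ValueError("score must be >= 0")


# Constructed sample files (not from any real repository).
SAMPLE_FILES = {
    "config.py": (
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'   # AWS documentation example key
        'DB_PASSWORD = "changeme"\n'                      # placeholder: must not count
        'SESSION_SECRET = "q8Zt3vLm0Xp9Wk2RfY7h"\n'       # high-entropy literal: counts
    ),
    ".env.example": "API_KEY=${API_KEY}\n",               # templated, unquoted: no match
    "deploy.sh": 'export GH_TOKEN="ghp_0123456789abcdefABCDEF0123456789abcd"\n',
    "id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIEconstructed\n-----END RSA PRIVATE KEY-----\n",
}


def demo():
    findings = [f for path, text in SAMPLE_FILES.items() for f in find_secrets(path, text)]
    weak = {"secret": len(findings), "bandit_medium": 1, "no_tests": 1}
    strong = {"bandit_low": 2}
    return {
        "findings": findings,
        "weak": {"score": compute_score(weak), "tier": tier_for(compute_score(weak))},
        "strong": {"score": compute_score(strong), "tier": tier_for(compute_score(strong))},
    }


if __name__ == "__main__":
    result = demo()
    for f in result["findings"]:
        print(f"{f['path']}:{f['line']} {f['kind']} {f['preview']}")
    print(result["weak"], result["strong"])
```

Two choices matter for a report that gets committed back to the repository as SECURITY.md: findings carry only a four-character preview, so the report itself never becomes a second copy of the credential, and the placeholder/entropy filter is applied only to the generic assignment pattern, because a well-formed AWS key id or GitHub token prefix is a strong signal on its own.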
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/ceilingduster/mcp_security_scanner'