Skip to main content
Glama
friendlygeorge

Security Scanner MCP Server

scan_repository

Read-only

Scan Git repositories to identify vulnerabilities, misconfigurations, and secrets using Trivy.

Instructions

Scan a git repository (local or remote URL) for vulnerabilities, misconfigurations, and secrets using Trivy.

Input Schema

TableJSON Schema
NameRequiredDescriptionDefault
urlYesGit repository URL or local path
branchNoBranch to scan (default: HEAD)
timeoutNoTimeout in seconds (default: 180)
scannersNoScanner types: vuln,misconfig,secret,license
severityNoSeverities to filter
Behavior2/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

Annotations already declare readOnlyHint=true, which aligns with the description's 'scan' operation. However, the description adds no further behavioral context beyond that, such as whether the repository is cloned, if results are cached, or if external dependencies like Trivy are required.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness5/5

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is a single concise sentence with no wasted words. It front-loads the verb and resource, making it easy to understand quickly.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness2/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Given the tool has 5 parameters, no output schema, and is moderately complex (scanning with Trivy), the description is too brief. It omits details like expected output format, error handling, or required environment setup, which are important for an agent to use the tool correctly.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters3/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

All 5 parameters have descriptions in the input schema (100% coverage), so the baseline is 3. The description does not add any extra meaning or usage details for the parameters beyond their schema descriptions.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose5/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states the verb 'scan', the resource 'git repository (local or remote URL)', and the purpose 'for vulnerabilities, misconfigurations, and secrets using Trivy'. It distinguishes from sibling tools like scan_config and scan_filesystem by specifying repository scanning.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines2/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

No guidance is provided on when to use this tool versus alternatives such as scan_filesystem or scan_image. There is no mention of prerequisites, context, or when not to use it.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

Install Server

Other Tools

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/friendlygeorge/security-scanner-mcp-server'

If you have feedback or need assistance with the MCP directory API, please join our Discord server