Which integrations are available for this server?

Checks if a password has been breached using the Have I Been Pwned API with k-anonymity; the password never leaves the local machine. Audits dependencies from package.json against the OSV.dev vulnerability database to detect known CVEs in npm packages. Audits dependencies from requirements.txt against the OSV.dev vulnerability database to detect known CVEs in PyPI packages.

1. Click on "Install Server". 2. Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state. 3. In the chat, type @ followed by the MCP server name and your instructions, e.g., "@GuardX scan my project for secrets" That's it! The server will respond to your query, and you can continue using it as needed. Here is a step-by-step guide with screenshots.

GuardX

by harshzagade

Overview Schema Related Servers Score Discussions

Python

Local

🛡️ GuardX

A keyless, defensive (blue-team) code-security auditor for the Model Context Protocol. Let your AI assistant scan codebases for secrets, audit dependencies for known CVEs, and check passwords against breach data — all from natural language.

Python MCP License: MIT No API Keys Use PRs Welcome

⚠️ Defensive use only. Every tool is read-only, privacy-preserving, and needs no API keys. Use it only on code and credentials you own or are authorized to assess.

Unlike offensive recon tools that probe live websites, this server inspects your own code and credentials — making it the blue-team companion to your red-team tooling.

Related MCP server: credential-free

Features

🔑 Secret scanning — detect hardcoded AWS keys, GitHub/Slack tokens, private keys, JWTs, and generic credentials. Findings are masked, so reports are safe to share.
📦 Dependency auditing — check requirements.txt (PyPI) and package.json (npm) against the free OSV.dev vulnerability database.
🔐 Breached-password check — query Have I Been Pwned using k-anonymity; the password never leaves your machine.
🚫 No API keys, no accounts — clone, install, run.
🤖 Native MCP — works with Claude Code, Claude Desktop, Gemini CLI, OpenAI Codex, Cursor, and any MCP client.

Screenshots

🔑 Scan a project for hardcoded secrets

📦 Audit dependencies against the OSV vulnerability database

🔐 Check whether a password has been breached

Installation

git clone https://github.com/harshzagade/guardx-mcp.git
cd guardx-mcp

# (recommended) create a virtual environment
python -m venv .venv
# Windows:
.venv\Scripts\activate
# macOS / Linux:
source .venv/bin/activate

pip install -r requirements.txt

Requirements: Python 3.10+ and the mcp + httpx packages (installed via requirements.txt).

Connect to an MCP Client

GuardX runs locally over stdio, so any MCP-capable client can launch it. In every example below, replace /absolute/path/to/guardx-mcp/server.py with the real path on your machine. If you used a virtual environment, point command at that env's Python (e.g. .venv/bin/python or .venv\Scripts\python.exe) instead of python.

💡 First, confirm the server starts on its own (it then waits for a client on stdin — press Ctrl+C to exit):
python server.py

claude mcp add guardx -- python /absolute/path/to/guardx-mcp/server.py

Add --scope project to write it to a shared .mcp.json in your repo.
Verify with claude mcp list, then use /mcp inside Claude Code.

Edit your claude_desktop_config.json:

macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
Windows: %APPDATA%\Claude\claude_desktop_config.json

{
  "mcpServers": {
    "guardx": {
      "command": "python",
      "args": ["/absolute/path/to/guardx-mcp/server.py"]
    }
  }
}

Restart Claude Desktop; GuardX appears under the 🔌 tools menu.

Edit ~/.gemini/settings.json (global) or .gemini/settings.json (per-project). The Gemini Code Assist IDE extension reads the same file:

{
  "mcpServers": {
    "guardx": {
      "command": "python",
      "args": ["/absolute/path/to/guardx-mcp/server.py"]
    }
  }
}

Then run gemini and use /mcp to confirm the server is connected.

Codex uses TOML and shares config between the CLI and the IDE extension. Either run:

codex mcp add guardx -- python /absolute/path/to/guardx-mcp/server.py

…or hand-edit ~/.codex/config.toml ( note the underscore in mcp_servers):

[mcp_servers.guardx]
command = "python"
args = ["/absolute/path/to/guardx-mcp/server.py"]

Codex only supports local stdio MCP servers — perfect for GuardX.

Create .cursor/mcp.json in your project (or the global ~/.cursor/mcp.json):

{
  "mcpServers": {
    "guardx": {
      "command": "python",
      "args": ["/absolute/path/to/guardx-mcp/server.py"]
    }
  }
}

VS Code (with MCP support) uses the same mcpServers shape in its settings.

Windows tip: in JSON, write paths with forward slashes (C:/Users/you/guardx-mcp/server.py) or escaped backslashes (C:\\Users\\you\\...).

Usage

Once connected, just ask your assistant in plain language:

You say...	Tool used
"Scan `./my-project` for hardcoded secrets"	`scan_secrets`
"Audit `requirements.txt` for known vulnerabilities"	`audit_dependencies`
"Has the password `password123` been pwned?"	`check_pwned_password`

How the Privacy-Safe Password Check Works

check_pwned_password follows the k-anonymity model recommended by Have I Been Pwned:

The password is hashed locally with SHA-1.
Only the first 5 hex characters of the hash are sent to the HIBP range API.
The API returns all hash suffixes sharing that prefix; the match is found locally.

➡️ Your password and its full hash never leave your machine.

Tool Reference

Tool	Signature	Description
Secret scanner	`scan_secrets(path, max_findings=200)`	Recursively scans a file or directory for hardcoded secrets. Skips binaries and common ignore dirs (`.git`, `node_modules`, …). Returns masked findings with file and line number.
Dependency auditor	`audit_dependencies(path)`	Parses a `requirements.txt` or `package.json` and checks each pinned dependency against OSV.dev. Returns CVE/GHSA ids and summaries.
Pwned-password check	`check_pwned_password(password)`	Checks a password against HIBP via k-anonymity. Reports breach count without transmitting the password.

Project Structure

guardx-mcp/
├── server.py          # MCP server + the three tools
├── requirements.txt   # runtime dependencies (mcp, httpx)
├── assets/            # README screenshots
├── README.md
├── LICENSE            # MIT
└── .gitignore

Contributing

Contributions are welcome! Ideas: more secret patterns, additional ecosystems (Go modules, Cargo, Maven), or an SBOM export. Please keep all contributions defensive in nature. Open an issue or a pull request.

License

Released under the MIT License.

This server cannot be installed

license - permissive license

quality - not tested

maintenance

How are these scores calculated?

Maintenance

–Maintainers

–Response time

–Release cycle

–Releases (12mo)

Commit activity

Resources

GitHub Repository

Need Help?

Related Servers

Unclaimed servers have limited discoverability.

Looking for Admin?

If you are the server author, to access and configure the admin panel.

Latest Blog Posts

Lightport: Open-Sourcing Glama's AI Gateway
By punkpeye on April 27, 2026.
open source
OpenAI
Tool Definition Quality Score (TDQS)
By punkpeye on April 3, 2026.
mcp
The Hackers Who Tracked My Sleep Cycle
By punkpeye on March 26, 2026.
security

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/harshzagade/Guardx-mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server