secscan-mcp
The secscan-mcp server provides comprehensive security scanning tools for AI coding assistants, enabling detection of secrets, code vulnerabilities, dependency issues, and IaC misconfigurations.
- Secret Detection (`scan_secrets`): Scans a directory for hardcoded credentials, with an option to include git commit history.
- SAST Analysis (`scan_code`): Runs static analysis tools (semgrep, bandit) to find code-level security vulnerabilities.
- Dependency Scanning (`scan_dependencies`): Checks lockfiles for known vulnerable packages using osv-scanner.
- IaC Scanning (`scan_iac`): Detects misconfigurations in Infrastructure-as-Code files via checkov.
- Unified Scanning (`scan_all`): Runs all available scanners in one call and produces a consolidated, normalized report.
- Scanner Discovery (`list_available_scanners`): Reports which third-party scanning CLIs are installed and available.
- Remediation Guidance (`explain_finding`): Provides detailed explanations and remediation hints for a specific `rule_id` from scan results.
All scan tools accept a path parameter and an optional severity_threshold (critical, high, medium, low, info) to filter results. The server operates gracefully, skipping optional scanners if their CLIs are not installed, and works with any MCP-compatible AI assistant (e.g., Cursor, VS Code, Claude Desktop).
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type `@` followed by the MCP server name and your instructions, e.g., "@secscan-mcp run a full security scan on this project with high severity threshold".
That's it! The server will respond to your query, and you can continue using it as needed.
secscan-mcp
A portable MCP server for security scanning — works with any AI coding assistant that supports the Model Context Protocol: Cursor, VS Code, Claude Desktop, Windsurf, Zed, Continue, and more.
Scan codebases for hardcoded secrets, SAST issues, vulnerable dependencies, and IaC misconfigurations — one install, one normalized report format.
The built-in custom scanner works with no extra tools. Install optional CLIs for broader coverage (below).
Quick start
Requires Python 3.11+. If pip install secscan-mcp says "No matching distribution found", your default python3 is likely too old — use python3.11 -m pip install secscan-mcp or install Python 3.11+ first.
1. Install from PyPI:
```
pip install secscan-mcp
# or explicitly:
python3.11 -m pip install secscan-mcp
```
Or run without installing (requires uv):
```
uvx secscan-mcp
```
For MCP config with uvx, use `"command": "uvx"` and `"args": ["secscan-mcp"]` — see setup guide.
Or install from source:
```
git clone https://github.com/openjkai/secscan_mcp.git
cd secscan_mcp && pip install .
```
2. Add to your IDE — pick your client:
Supported clients: Cursor, VS Code, Claude Desktop (config file location is OS-specific), Claude Code, Windsurf, and others. The config file location and a per-client walkthrough for each are in the setup guide.
Minimal config (works in Cursor, Claude Desktop, Windsurf):
```json
{
  "mcpServers": {
    "secscan": {
      "command": "uvx",
      "args": ["secscan-mcp"]
    }
  }
}
```
If you installed with `pip install secscan-mcp`, you can use `"command": "secscan-mcp"` instead.
3. Verify — ask your agent: "Call list_available_scanners and scan_secrets on this project."
MCP tools

| Tool | Purpose |
| --- | --- |
| `list_available_scanners` | Which engines are installed on this machine |
| `scan_secrets` | Hardcoded credentials and secrets (optionally scan git commit history) |
| `scan_code` | SAST (semgrep, bandit) |
| `scan_dependencies` | Vulnerable packages (osv-scanner) |
| `scan_iac` | IaC misconfigurations (checkov) |
| `scan_all` | All available scanners, one unified report |
| `explain_finding` | Remediation hints for a `rule_id` from scan results |
Most scan tools accept path (directory to scan) and optional severity_threshold (critical, high, medium, low, info).
`scan_secrets` also accepts `include_git_history` (boolean). When true, it scans past git commits for secrets that were removed from the working tree but are still present in history; no extra tools are required beyond git. The number of commits examined is bounded by the max-commits setting (see Configuration). A secret that shows up only in history is still compromised: rotate it, rather than relying on deleting it or rewriting history.
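What history mode is looking for, as an added example rather than secscan-mcp's own implementation: the script reads `git log --all -p` output, matches added and removed lines against a small set of token patterns, and groups hits per secret so a credential that a later commit deleted is still reported. The two detector patterns are assumptions chosen for the demo (a real scanner carries many more), `git_history_patches` is a hypothetical helper showing the git invocation, and `SAMPLE_LOG` is a constructed log so the script runs without a repository. Results carry only a SHA-256 fingerprint, never the secret itself, so the report cannot re-leak it into the assistant's context.

```python
"""Find secrets that were committed and later deleted, by scanning `git log -p`
output instead of the working tree.  Added example; patterns and sample log are
assumed/constructed, not taken from secscan-mcp."""
import hashlib
import re
import subprocess

# Assumed patterns for two well-known token formats; a real scanner has many more.
SECRET_PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}


def git_history_patches(repo: str, max_commits: int = 500) -> str:
    # Hypothetical helper: every ref, newest first, with full patches.  The commit
    # bound keeps a large monorepo from turning one tool call into a very long wait.
    return subprocess.run(
        ["git", "-C", repo, "log", "--all", "-p", f"-n{max_commits}", "--format=commit %H"],
        check=True, capture_output=True, text=True,
    ).stdout


def scan_history(patch_text: str) -> list[dict]:
    """One event per matched added (+) or removed (-) line.  Context lines are
    skipped: their content was already seen as a + line in an earlier commit."""
    events = []
    commit = path = None
    for raw in patch_text.splitlines():
        if raw.startswith("commit "):
            commit = raw.split()[1]
        elif raw.startswith("diff --git "):
            path = raw.split(" b/", 1)[1]          # post-image name; set for deleted files too
        elif raw.startswith(("+++", "---", "@@")):
            continue                                # diff headers, not file content
        elif raw and raw[0] in "+-":
            for rule_id, pattern in SECRET_PATTERNS.items():
                for m in pattern.finditer(raw[1:]):
                    events.append({
                        "rule_id": rule_id, "path": path, "commit": commit,
                        "action": "added" if raw[0] == "+" else "removed",
                        # Fingerprint only: the raw secret never enters the report.
                        "fingerprint": hashlib.sha256(m.group(0).encode()).hexdigest()[:12],
                    })
    return events


def summarize(events: list[dict]) -> dict:
    """Group events per secret.  git log emits newest commits first, so the first
    event seen for a fingerprint says whether the secret is still in the tree."""
    summary: dict = {}
    for e in events:
        s = summary.setdefault(e["fingerprint"], {
            "rule_id": e["rule_id"], "path": e["path"], "commits": [],
            "still_in_tree": e["action"] == "added",
        })
        s["commits"].append(e["commit"])
    return summary


# Constructed `git log --all -p --format="commit %H"` output (not a real repository):
# a key and a .env file were committed, then removed again in a later commit.
SAMPLE_LOG = """\
commit 9f1c2e3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e

diff --git a/settings.py b/settings.py
--- a/settings.py
+++ b/settings.py
@@ -1,3 +1,3 @@
 DEBUG = False
-AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
 REGION = "eu-west-1"
diff --git a/.env b/.env
deleted file mode 100644
--- a/.env
+++ /dev/null
@@ -1 +0,0 @@
-GITHUB_TOKEN=ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij
commit 1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b

diff --git a/settings.py b/settings.py
new file mode 100644
--- /dev/null
+++ b/settings.py
@@ -0,0 +1,3 @@
+DEBUG = False
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+REGION = "eu-west-1"
diff --git a/.env b/.env
new file mode 100644
--- /dev/null
+++ b/.env
@@ -0,0 +1 @@
+GITHUB_TOKEN=ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij
"""

if __name__ == "__main__":
    for fp, s in summarize(scan_history(SAMPLE_LOG)).items():
        where = "still in working tree" if s["still_in_tree"] else "removed from tree, still in history"
        print(f"{s['rule_id']} in {s['path']} ({where}); fingerprint {fp}; commits {s['commits']}")
```

On the sample, a scan of the working tree alone would find nothing, while the history scan reports both secrets as removed from the tree yet present in two commits each; to run it against a real checkout, replace `SAMPLE_LOG` with `git_history_patches(".")`.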
Optional scanners
Install any of these to extend coverage. Missing CLIs are skipped — the server still runs.

| Engine | Category |
| --- | --- |
| gitleaks | secrets |
| semgrep | SAST |
| bandit | SAST (Python) |
| osv-scanner | dependencies |
| checkov | IaC |

Install each engine from its own project's instructions.
After installing, run list_available_scanners again to confirm.
Example prompts
- "Call `list_available_scanners` and tell me what's installed."
- "Run `scan_secrets` with include_git_history on this repo — check if any secrets were ever committed."
- "Run `scan_all` with severity_threshold high and summarize the findings."
- "Explain the rule `internal-api-key`."
Configuration
Optional environment variables control:
- the per-engine scan timeout
- the maximum number of findings per report
- the maximum number of commits scanned in git history mode
Pass them via the MCP config `env` block; variable names and defaults are in the setup guide.
Development
```
make install-dev   # editable install + dev tools
make check         # lint + typecheck + test
```
See docs/CONTRIBUTING.md and PLAN.md.
License
MIT