How do I use secscan-mcp?

1. Click on "Install Server". 2. Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state. 3. In the chat, type @ followed by the MCP server name and your instructions, e.g., "@secscan-mcp run a full security scan on this project with high severity threshold" That's it! The server will respond to your query, and you can continue using it as needed. Here is a step-by-step guide with screenshots.

secscan-mcp

by openjkai

Overview Schema Related Servers Score Discussions

Python

Local

secscan-mcp

MCP server for Cursor that scans codebases for security issues: hardcoded secrets, SAST, vulnerable dependencies, and IaC misconfigurations.

The built-in custom scanner works with no extra tools. Install optional CLIs (below) for broader coverage.

Install

Requires Python 3.11+.

git clone <repository-url>
cd mcp_test
python3 -m venv .venv
source .venv/bin/activate   # Windows: .venv\Scripts\activate
pip install .

Confirm the command exists:

which secscan-mcp

Use in Cursor

Option 1 — Any project (recommended)

Add to ~/.cursor/mcp.json (create the file if needed):

{
  "mcpServers": {
    "secscan": {
      "command": "/absolute/path/to/secscan-mcp"
    }
  }
}

Use the path from which secscan-mcp after install.

Then:

Cmd+Shift+P → Developer: Reload Window
Cursor Settings → Tools & MCP — secscan should show as connected (green)
Open the project you want to scan
In Agent chat, ask the agent to use the tools (see examples)

Works for any folder you open in Cursor, not only this repository.

Option 2 — This repo only

If you develop or test secscan-mcp itself, use the included .cursor/mcp.json and run make install-dev so ${workspaceFolder}/.venv/bin/secscan-mcp exists.

MCP tools

Tool	Purpose
`list_available_scanners`	Which engines are installed on this machine
`scan_secrets`	Hardcoded credentials and secrets
`scan_code`	SAST (semgrep, bandit)
`scan_dependencies`	Vulnerable packages (osv-scanner)
`scan_iac`	IaC misconfigurations (checkov)
`scan_all`	All available scanners, one report
`explain_finding`	Remediation hints for a `rule_id`

Most tools accept path (directory to scan) and optional severity_threshold (critical, high, medium, low, info).

Example prompts

“Call list_available_scanners and tell me what’s installed.”
“Run scan_secrets on this project.”
“Run scan_all with severity_threshold high and summarize the findings.”
“Explain the rule internal-api-key.”

Optional scanners

Tool	Category	Install (example)
gitleaks	secrets	`brew install gitleaks`
semgrep	SAST	`pip install semgrep`
bandit	SAST (Python)	`pip install bandit`
osv-scanner	dependencies	`brew install osv-scanner`
checkov	IaC	`pip install checkov`

After installing, run list_available_scanners again to confirm.

Troubleshooting

Problem	What to try
`secscan` missing in MCP list	Reload window; confirm `mcp.json` path and JSON syntax
Red / failed to start	Re-run `pip install .`; check `which secscan-mcp` matches config `command`
Agent doesn’t call tools	Use Agent mode; name the tool explicitly in your message
Only `custom` runs	Expected until optional CLIs are installed

Development

See docs/CONTRIBUTING.md and PLAN.md.

Install Server

license - permissive license

quality

maintenance

How are these scores calculated?

Resources

GitHub Repository

Need Help?

Related Servers

Unclaimed servers have limited discoverability.

Looking for Admin?

If you are the server author, to access and configure the admin panel.

Tools

Latest Blog Posts

Lightport: Open-Sourcing Glama's AI Gateway
By punkpeye on April 27, 2026.
open source
OpenAI
Tool Definition Quality Score (TDQS)
By punkpeye on April 3, 2026.
mcp
The Hackers Who Tracked My Sleep Cycle
By punkpeye on March 26, 2026.
security

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/openjkai/secscan_mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server