Testing MCP
Allows testing Android mobile projects, including running Gradle-based tests and detecting Android projects.
Provides infrastructure detection and availability checking for Docker environments.
Allows testing Flutter mobile projects, including running Flutter tests and detecting Flutter projects.
Enables running Android tests built with Gradle as part of mobile testing.
Allows AI-generation of unit tests for Jest, a JavaScript testing framework.
Provides infrastructure detection and availability checking for Kubernetes clusters.
Allows AI-generation of unit tests for pytest, a Python testing framework.
Supports testing Python projects, including test execution and analysis using pytest/unittest.
Allows detection of React Native projects for mobile testing.
Supports running tests for Rust projects as part of the testing framework.
Allows detection and testing of Unity game projects.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@Testing MCPrun all tests and generate a report"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
Testing MCP
A universal AI-powered testing server built on the Model Context Protocol (MCP).
Allows AI agents to inspect, execute, test, monitor, debug, and report on software projects.
Quick Start
# Install
pip install -e ".[dev]"
# Install Playwright browsers (for UI testing)
playwright install chromium
# Optional security tools
pip install bandit semgrep trivy
# Start server (SSE mode)
testing-mcp serve
# Or stdio mode (for Claude Desktop, Cursor, etc.)
testing-mcp stdioRelated MCP server: Gravitas-Core-MCP
MCP Client Configuration
Add to your MCP client config (claude_desktop_config.json, ~/.config/opencode/opencode.json, etc.):
{
"mcpServers": {
"testing-mcp": {
"command": "testing-mcp",
"args": ["stdio"]
}
}
}Or copy testing-mcp.json to your project root for auto-discovery.
Configuration
Create a testing-mcp.toml file in your project root:
[server]
host = "127.0.0.1"
port = 8080MCP Tools (62 total)
Core
Tool | Description |
| Detect language, framework, structure, dependencies |
| Discover and execute existing tests |
| AI-generate unit tests (pytest, unittest, Jest) |
| Generate Markdown, HTML, or JSON reports |
| Regression comparison between test runs |
| Root cause analysis and fix suggestions |
| Log analysis with error pattern matching |
| Add missing entries to prevent credential leaks |
| Auto-generate Dockerfile from project |
| Generate GitHub Actions or GitLab CI config |
| Extract inline SQL schemas into migration files |
| Health check |
Testing
Tool | Description |
| Test console apps (stdin, stdout, exit code) |
| Fuzz test console apps with random input |
| Playwright browser automation |
| API endpoint testing with schema validation |
| Auto-discover API endpoints |
| Validate DB migrations, constraints, rollbacks |
| Startup time, API latency, load testing |
| Concurrent load/stress testing with latency percentiles |
| Discover and run integration tests |
| Smoke test endpoints and commands |
| Mutation testing to evaluate test quality |
Security
Tool | Description |
| Run all security scans (modes: all, sast, secrets, headers, tls, deps, dast, crawl) |
| Static analysis: SQLi, XSS, CSRF, SSRF, CMDI, path traversal, weak crypto, etc. |
| Scan for hardcoded API keys, tokens, credentials, certs |
| Check HTTP security headers (HSTS, CSP, X-Frame-Options, etc.) |
| Validate TLS/SSL certificate |
Browser Automation (Stealth)
Tool | Description |
| Create stealth browser session (anti-bot fingerprinting) |
| Navigate to URL, auto-handle Cloudflare challenges |
| Click element by CSS selector |
| Fill form fields |
| Select dropdown option |
| Get visible text from page/element |
| Get full page or element HTML |
| Execute arbitrary JavaScript |
| Save screenshot to file or return base64 |
| List session cookies |
| Show all active browser sessions |
| Switch active session |
| Close and clean up session |
Visual
Tool | Description |
| Capture webpage screenshots |
| Compare screenshots, highlight differences |
| Animated GIF between baseline and current |
| WCAG accessibility scan using axe-core |
| Check WCAG color contrast ratio |
API & Protocol
Tool | Description |
| Run GraphQL queries |
| Introspect GraphQL schema |
| Detect GraphQL endpoint |
| Test WebSocket connections |
| Test gRPC endpoints |
Platform
Tool | Description |
| Detect Android, Flutter, React Native projects |
| Run Android (Gradle) or Flutter tests |
| Detect Godot, Unity, Unreal projects |
| Run game engine tests |
| Docker, K8s, CI config detection |
| Check Docker availability |
| Check Kubernetes availability |
Profiling
Tool | Description |
| Measure current memory usage |
| Measure startup time and resource usage |
| Profile API memory and latency |
| CPU, memory, disk, network info |
Security Scanning Details
SAST (30 built-in rules)
Detects 15+ vulnerability classes:
SQL Injection — string concatenation, f-string, raw queries
XSS — innerHTML, dangerouslySetInnerHTML, unsafe template rendering
Command Injection — os.system, subprocess(shell=True), exec/eval, popen
SSTI — Template injection (Jinja2, Flask
render_template_string)Path Traversal — open/Path with user-controlled paths, unsafe joins
SSRF — User-controlled URLs in requests/httpx/fetch/urlopen
CSRF — csrf_exempt decorators, disabled Django CSRF middleware
IDOR — Insecure direct object references in params
LDAP Injection — Unsanitized LDAP search filters
XXE — XML parser with external entity expansion enabled
Deserialization — pickle.loads, yaml.load, marshal.load
Hardcoded Secrets — passwords, API keys, tokens in source code
Weak Crypto — MD5, SHA1, DES, RC4, ECB mode
Weak CORS —
Access-Control-Allow-Origin: *with credentialsPrototype Pollution — Unsafe object merge/assign
Mass Assignment —
**kwargsorupdate()with request dataRace Condition — TOCTOU patterns in file operations
File Upload — Unrestricted file upload without validation
ReDoS — Unsafe regex patterns with user input
Info Disclosure — Stack traces, debug endpoints exposed
Debug Mode — Flask debug mode enabled in production
Secret Scanner (25+ patterns)
Scans for: AWS keys, GitHub tokens, GitLab tokens, Slack tokens, Discord tokens, JWT tokens, Stripe keys, SSH private keys, PGP private keys, Google API keys, Azure keys, GCP keys, Telegram tokens, Twilio credentials, Heroku API keys, npm tokens, npmrc auth tokens, database connection strings (MySQL, PostgreSQL, MongoDB, Redis), and generic bearer/token patterns
HTTP Header Scanner (15 checks)
Validates: Strict-Transport-Security (incl. weak max-age), Content-Security-Policy (incl. unsafe script-src 'unsafe-inline'), X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, Cross-Origin-Embedder-Policy, Cross-Origin-Opener-Policy, Cross-Origin-Resource-Policy, Server disclosure, X-Powered-By disclosure
TLS/SSL Checker
Validates certificates, expiry dates, SAN entries, protocol versions
DAST (Dynamic Analysis)
Technology fingerprinting (server headers, cookies, framework patterns)
Endpoint discovery (JS source mapping, common API paths)
SQL injection detection (error-based, time-based)
XSS detection (reflected payloads)
Authentication-aware scanning
Dependency Scanner
Scans lockfiles via OSV.dev API:
requirements.txt,Pipfile.lock,poetry.lockpackage-lock.json,Cargo.lock,Gemfile.lock,go.sum
Configuration Scanner
Docker Checks (10): Running as root, latest tag used, ADD vs COPY, secrets in build args, exposed ports, HEALTHCHECK missing, no .dockerignore, vulnerable base images, shell in ENTRYPOINT, multi-stage build missing K8s Checks (10): Privileged containers, hostNetwork, runAsNonRoot, readOnlyRootFilesystem, allowPrivilegeEscalation, resource limits, seccomp, securityContext, hostPID/IPC, ServiceAccount token mount CI/CD Checks (5): Hardcoded secrets, unpinned actions, script injection, missing code checkout, missing artifact upload
Web Crawler
Discovers endpoints and files via:
HTML source patterns (forms, links, scripts, API endpoints)
JS source scanning (XHR/fetch URLs, route patterns)
Common files (robots.txt, sitemap.xml, security.txt, .well-known/)
Reporter
Unified report builder that aggregates all scan results with:
Deduplication of findings across scanners
Risk scoring (NONE → INFO → LOW → MEDIUM → HIGH → CRITICAL)
Text and JSON output formats
Project Structure
testing_mcp/
├── analyzers/ # Project detection (language, framework, deps)
├── api/ # API testing (httpx, OpenAPI, GraphQL, WebSocket, gRPC)
├── browser/ # Stealth browser automation (anti-bot fingerprinting, Cloudflare bypass)
├── database/ # DB validation (migrations, constraints)
├── fix/ # Remediation tools (gitignore, Docker, CI, migrations)
├── generators/ # AI test generation
├── performance/ # Benchmarking (Locust, load/stress testing, profiling)
├── plugins/ # Plugin framework (Language, Framework, Reporter)
├── reporters/ # Report generation (Markdown/HTML/JSON)
├── runners/ # Test executors + analysis (Python, Java, JS, Go, Rust, mobile, game)
├── security/ # SAST (30 rules), secrets (25+ patterns), headers, TLS, DAST,
│ # dependency scanning (OSV.dev), config (Docker/K8s/CI),
│ # web crawling, reporter
├── server/ # MCP server + tool registration
├── tests/ # Test suite (179+ tests covering all modules)
├── ui/ # Playwright UI automation + accessibility + visual regression
└── utils/ # Configuration, utilitiesRunning Tests
pip install -e ".[dev]"
pytest testing_mcp/tests/ -vDocker
docker compose upLicense
LGPL v2.1
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/shalonjovan/test_mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server