Luvv MCPServer
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@Luvv MCPServerscan /home/user/my-project for vulnerabilities"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
Luvv MCPServer — 生产级安全审计 MCP 工具
封装 semgrep (SAST) + gitleaks (密钥检测),通过 MCP stdio 协议 为 Claude Desktop 提供一键代码安全扫描能力。
功能特性
run_security_scan工具:传入目标目录路径,自动并行执行 semgrep + gitleaks返回合并的结构化 JSON 审计报告(含摘要统计)
依赖工具未安装时,报告中自动附带各平台的安装指引
所有异常/日志通过 stderr 输出,绝不污染 MCP 协议通道(stdout)
内置路径安全校验,拒绝扫描系统敏感目录
Docker 环境隔离支持,预装全部依赖
Related MCP server: leak-secure-mcp
快速开始
1. 环境要求
组件 | 版本要求 |
Node.js | >= 20.0.0 LTS |
npm | >= 10.0.0 |
semgrep | >= 1.0(可选,未安装在报告中提示) |
gitleaks | >= 8.0(可选,未安装在报告中提示) |
2. 安装依赖与编译
# 克隆项目(或直接进入目录)
cd luvv-mcp-server
# 安装 npm 依赖
npm install
# 编译 TypeScript
npm run build编译产物输出到 dist/ 目录,入口文件 dist/main.js。
3. 安装扫描工具(推荐)
# --- semgrep ---
# macOS
brew install semgrep
# Linux
pipx install semgrep
# 或: pip install semgrep
# --- gitleaks ---
# macOS
brew install gitleaks
# Linux
wget https://github.com/gitleaks/gitleaks/releases/latest/download/gitleaks_8.18.4_linux_x64.tar.gz
tar -xzf gitleaks_*.tar.gz -C /usr/local/bin/ gitleaks
chmod +x /usr/local/bin/gitleaks
# --- 验证安装 ---
semgrep --version
gitleaks version如果未安装 semgrep 或 gitleaks,扫描仍可运行,但对应工具的结果中会包含
available: false及安装提示。
4. 在 Claude Desktop 中配置
打开 Claude Desktop 配置文件:
macOS:
~/Library/Application Support/Claude/claude_desktop_config.jsonWindows:
%APPDATA%\Claude\claude_desktop_config.jsonLinux:
~/.config/Claude/claude_desktop_config.json
添加以下配置块:
{
"mcpServers": {
"luvv-security-scanner": {
"command": "node",
"args": [
"/Users/你的用户名/luvv-mcp-server/dist/main.js"
]
}
}
}实际路径示例(macOS 用户 zhangsan):
{
"mcpServers": {
"luvv-security-scanner": {
"command": "node",
"args": [
"/Users/zhangsan/luvv-mcp-server/dist/main.js"
]
}
}
}实际路径示例(Windows 用户 Administrator):
{
"mcpServers": {
"luvv-security-scanner": {
"command": "node",
"args": [
"C:\\Users\\Administrator\\luvv-mcp-server\\dist\\main.js"
]
}
}
}配置完成后,重启 Claude Desktop。在对话中输入"帮我扫描 /path/to/project 的安全问题",Claude 会自动调用 run_security_scan 工具。
5. 验证 MCP 连接
启动 Claude Desktop 后,检查工具栏是否出现新工具图标(锤子),或在对话中尝试:
请列出你当前可用的 MCP 工具如果看到 run_security_scan,说明连接成功。
Docker 运行方式
Docker 镜像已预装 semgrep + gitleaks,适合环境隔离或 CI/CD 集成。
构建镜像
docker compose build交互式运行(手动测试)
# 启动容器并进入交互式 stdio 模式
echo '{"jsonrpc":"2.0","id":1,"method":"tools/list"}' | \
docker compose run --rm -T mcp通过管道发送扫描请求
# 构造一个扫描请求的 MCP 消息
cat <<'JSONRPC' | docker compose run --rm -T mcp
{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"run_security_scan","arguments":{"target_path":"/scan"}}}
JSONRPC扫描本地代码
# 将本地项目挂载为 /scan
SCAN_TARGET=$(pwd) docker compose run --rm mcp输出示例
{
"target_path": "/home/user/my-project",
"resolved_path": "/home/user/my-project",
"scan_time": "2026-06-13T12:00:00.000Z",
"duration_ms": 12345,
"tools": {
"semgrep": {
"available": true,
"results": {
"results": [
{
"check_id": "python.lang.security.audit.dangerous-subprocess-use",
"path": "src/utils.py",
"start": { "line": 42 },
"end": { "line": 42 },
"extra": {
"severity": "ERROR",
"message": "Detected subprocess function without a static string"
}
}
]
}
},
"gitleaks": {
"available": true,
"results": [
{
"RuleID": "generic-api-key",
"Description": "Generic API Key",
"File": "config.py",
"StartLine": 15,
"Secret": "***REDACTED***",
"Match": "sk_live_xxxxxxxxxxxx"
}
]
}
},
"summary": {
"total_findings": 2,
"semgrep_findings": 1,
"gitleaks_findings": 1
},
"environment": {
"node_version": "v20.14.0",
"platform": "linux",
"hostname": "dev-machine"
}
}当工具未安装时:
{
"tools": {
"semgrep": {
"available": false,
"error": "semgrep 未安装或不在 PATH 中",
"install_hint": "# macOS\nbrew install semgrep\n\n# Linux (pip)\npip install semgrep"
}
}
}环境变量
参见 .env.example,可复制为 .env 后修改:
变量 | 默认值 | 说明 |
|
| semgrep 规则集( |
|
| semgrep 超时时间(秒) |
|
| gitleaks 超时时间(秒) |
|
| 日志级别(debug/info/warn/error) |
|
| 是否返回完整原始输出 |
项目结构
luvv-mcp-server/
├── src/
│ ├── main.ts # CLI 入口,按参数路由传输模式
│ ├── server.ts # createServer() 工厂函数
│ ├── tools/
│ │ ├── index.ts # registerAllTools() 汇总
│ │ └── run-security-scan.ts # 安全扫描工具定义与处理器
│ ├── transports/
│ │ └── stdio.ts # stdio 传输启动器(+ 信号处理)
│ └── lib/
│ ├── logger.ts # 结构化 stderr 日志
│ ├── executor.ts # spawn 封装 + 路径校验
│ └── scanner.ts # semgrep + gitleaks 编排
├── tests/
│ └── run-security-scan.test.ts # 单元测试
├── dist/ # 编译产物(npm run build)
├── vitest.config.ts
├── package.json
├── tsconfig.json
├── Dockerfile
├── docker-compose.yml
├── .env.example
└── README.mdLicense
MIT
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Tools
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/js2005happy/luvv-mcp-server'
If you have feedback or need assistance with the MCP directory API, please join our Discord server