Skip to content

Latest commit

 

History

History
140 lines (108 loc) · 4.22 KB

README.md

File metadata and controls

140 lines (108 loc) · 4.22 KB

MCPScan

A specialized security scanning tool for Model Context Protocol (MCP) servers. MCPScan performs comprehensive security analysis of MCP server implementations using multiple scanning tools:

  • Semgrep for code pattern analysis
  • npm audit for JavaScript/Node.js dependencies
  • pip-audit for Python dependencies

Features

  • Automated MCP server repository cloning and scanning
  • Multi-tool security analysis tailored for MCP servers:
    • Static code analysis with Semgrep rules for:
      • Dangerous code patterns that could compromise model context
      • Local file access vulnerabilities
      • Network access security
      • Obfuscated code detection
      • Process execution monitoring
      • HTTP/HTTPS endpoint analysis
    • Dependency vulnerability scanning:
      • Python package vulnerabilities via pip-audit
      • JavaScript package vulnerabilities via npm audit
  • Automatic MCP server framework detection
  • Results aggregation and reporting in JSON format
  • Docker containerization for isolated scanning
  • Automatic cleanup of temporary files

Prerequisites

  • Docker installed and running
  • Python 3.x (for running MCP-Get scanner)
  • Internet connection for repository cloning and package list fetching

Installation

  1. Clone this repository
  2. Build the Docker container:
./src/docker_build.sh

Usage

Scanning a Single Repository

./src/docker_run_one.sh <repository-url>

Example:

./src/docker_run_one.sh "https://github.com/modelcontextprotocol/servers"

Scanning All Servers in the MCP Get repo

python3 src/docker_run_mcp_get.py

This will:

  1. Fetch the MCP server list from MCP-Get
  2. Clone each MCP server repository
  3. Run comprehensive security scans
  4. Save detailed analysis to the results directory

Output

Results are processed through multiple stages:

  1. Individual scan results are saved to the results directory:
    • Semgrep analysis results
    • Package vulnerability scans (pip-audit/npm audit)
  2. Results are combined into a single JSON file in results/combined
  3. Final reduced results in results/reduced:
    • JSON summary with findings by rule
    • Detailed vulnerability information
    • Human-readable text report
    • Simplified format for easy parsing

The reduced results include:

  • Total findings count
  • Findings categorized by rule type
  • Dependencies scan summary with vulnerability counts
  • Detailed vulnerability information for each package
  • Code analysis findings with file locations and snippets

Project Structure

  • src/docker/semgrep_rules/ - Custom Semgrep rule definitions
  • src/docker/ - Core scanning logic and utilities
    • package_scan.py - Dependency vulnerability scanning
    • cleanup.py - Temporary file management
    • Other scanning utilities
  • results/ - Scan output directory (created during execution)

Dependencies

This project relies on:

  • Docker
  • Python 3.x
  • Semgrep (installed in Docker container)
  • pip-audit (installed during scanning)
  • npm (for JavaScript projects)
  • Requests library for Python

Third-Party Attributions

  • Semgrep - Static analysis tool (OSS License)
  • pip-audit - Python dependency scanner (Apache 2.0)
  • npm audit - Node.js dependency scanner
  • Requests - HTTP library for Python (Apache 2.0)
  • MCP-Get - Package list source

License

This project is licensed under the Mozilla Public License Version 2.0. See the LICENSE file for details.

Contributing

[Add contribution guidelines here]

Output Structure

Scan results are organized in three stages:

  1. Individual scan results in results/
  2. Combined results in results/combined/
  3. Reduced results in results/reduced/ containing:
    • Summary of findings by rule type
    • Detailed vulnerability information
    • Simplified findings format
    • Human-readable text report

TODO

  • Reduce the output jsons to a single representation
  • Add support for go
  • Add result caching, store last tested hash for a repo
  • More tests and scans
  • Add severity scoring system
  • Implement parallel scanning for multiple repositories