214070779/code-scanner-mcp
Code Security Scanner MCP Server

Scan your local codebase for security vulnerabilities, hardcoded secrets, and insecure coding patterns — all from your AI assistant via MCP (Model Context Protocol).

Features

🔑 Secrets Detection (24+ patterns)

  • AWS Access Keys & Secret Keys
  • GitHub tokens (personal, OAuth, app)
  • Stripe API keys (live/test)
  • Slack tokens & webhooks
  • Google Cloud / Firebase credentials
  • Database connection strings
  • JWT tokens & private keys (RSA, DSA, EC)
  • npm auth tokens, Telegram bot tokens, SendGrid API keys
  • Generic API keys & password assignments
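A regex-based scan of the kind the list above describes, as an added example (not the project's own rule set): the patterns, the `scanner:ignore` allowlist marker and the placeholder list are illustrative assumptions, and the sample file content is constructed. Findings carry a masked value and a Shannon entropy score, because the results of an MCP tool end up in a chat transcript and a low-entropy "password" is usually a placeholder rather than a leak.

```python
"""Regex-based secrets scan over file contents (added example, not project code)."""
import math
import re
from dataclasses import dataclass

# Assumed patterns: only a capture group (if present) is treated as the secret.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "slack_token": re.compile(r"\bxox[abp]-[0-9A-Za-z-]{10,}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |DSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # Generic assignment: password = "..." / db_pwd: '...' (case-insensitive, any prefix)
    "generic_password": re.compile(
        r"(?i)(?:password|passwd|pwd)\s*[:=]\s*['\"]([^'\"]{4,})['\"]"),
}
# Obvious placeholders that would otherwise trip the generic rule.
PLACEHOLDERS = {"changeme", "password", "example", "<redacted>", "xxxx", "todo"}
IGNORE_MARKER = "scanner:ignore"   # assumed inline allowlist convention


@dataclass
class SecretFinding:
    kind: str
    line: int
    masked: str     # never the full secret: findings end up in chat logs
    entropy: float


def shannon_entropy(s: str) -> float:
    """Bits per character; a low value usually means a placeholder, not a key."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))


def mask(secret: str) -> str:
    return "***" if len(secret) <= 6 else f"{secret[:4]}...{secret[-2:]}"


def scan_text(text: str) -> list[SecretFinding]:
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if IGNORE_MARKER in line:
            continue
        for kind, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(line):
                secret = m.group(1) if m.groups() else m.group(0)
                ent = shannon_entropy(secret)
                # The generic rule is noisy: drop placeholders and near-constant strings.
                if kind == "generic_password" and (secret.lower() in PLACEHOLDERS or ent < 2.0):
                    continue
                findings.append(SecretFinding(kind, lineno, mask(secret), round(ent, 2)))
    return findings


# Constructed sample input (the AWS value is the documented dummy key AKIAIOSFODNN7EXAMPLE).
SAMPLE = """\
# constructed config for this example
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
GITHUB_TOKEN = "ghp_abcdefghijklmnopqrstuvwxyz0123456789"
password = "changeme"
db_password = "Tr0ub4dor&3-correct-horse"
TEST_KEY = "AKIAIOSFODNN7EXAMPLE"  # scanner:ignore
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f.line}: {f.kind} {f.masked} (entropy {f.entropy})")
```

Running the block reports four findings (lines 2, 3, 5 and 7); the `changeme` placeholder on line 4 and the allowlisted test key on line 6 are skipped. A real rule set needs far more patterns than this, but the masking and the entropy gate are the two pieces worth keeping whatever the pattern list looks like.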

📦 Dependency Vulnerability Scanning

Automatically detects and parses:

  • package.json (npm/yarn/pnpm)
  • requirements.txt, Pipfile, pyproject.toml (Python)
  • go.mod (Go)
  • Cargo.toml (Rust)
  • pom.xml, build.gradle (Java)

Checks each parsed dependency against a built-in database of 45+ CVEs across the JavaScript, Python, Java, Go, and Rust ecosystems. The database ships with the server rather than being fetched at scan time, so coverage is limited to the advisories bundled in the commit you are running; treat a clean result as "nothing in the bundled list", not as "no known vulnerabilities".
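To show what "parse the manifest, then look up the version" involves, here is an added example that is not the project's scanner or its database: the advisory table, its `EXAMPLE-…` identifiers and the `acme-*` package names are constructed, and the version logic is a deliberate simplification (numeric-prefix comparison). The part worth noticing is the status column: a pinned `==` version can be judged, but an npm `^` range or a bare package name only gives a lower bound, and the scanner should say so rather than report it clean.

```python
"""Manifest parsing plus an offline advisory lookup (added example, not project code)."""
import json
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    ecosystem: str   # "npm" or "pypi"
    package: str     # normalized: lower-case, '_' folded to '-'
    vuln_id: str     # constructed identifier, not a real CVE
    fixed_in: str    # first version that is not affected


# Constructed advisory table standing in for the built-in database.
ADVISORIES = [
    Advisory("npm", "acme-utils", "EXAMPLE-2024-0001", "4.17.21"),
    Advisory("npm", "acme-cli", "EXAMPLE-2024-0004", "1.0.0"),
    Advisory("pypi", "acmeauth", "EXAMPLE-2024-0002", "2.1.0"),
    Advisory("pypi", "acmeorm", "EXAMPLE-2024-0003", "3.0.0"),
]


@dataclass
class DepFinding:
    ecosystem: str
    package: str
    spec: str
    vuln_id: str
    fixed_in: str
    status: str      # "vulnerable" | "unresolved-range" | "unpinned"


def version_tuple(v: str) -> tuple:
    """Leading numeric components of '4.17.19' or '2.1.0rc1' as a comparable tuple."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def _evaluate(ecosystem, name, op, version, spec) -> list:
    """Compare one dependency spec against every matching advisory."""
    key = name.lower().replace("_", "-")
    out = []
    for adv in ADVISORIES:
        if adv.ecosystem != ecosystem or adv.package != key:
            continue
        if version is None:
            status = "unpinned"            # '*', 'latest', git URL, bare name
        elif op in ("<", "<=", "!="):
            status = "unresolved-range"    # only an upper bound: cannot decide here
        elif version_tuple(version) >= version_tuple(adv.fixed_in):
            continue                       # pinned or lower-bounded at/after the fix
        elif op in ("==", "=", ""):
            status = "vulnerable"
        else:
            status = "unresolved-range"    # ^ ~ >= ~= : lower bound is affected; check the lockfile
        out.append(DepFinding(ecosystem, key, spec, adv.vuln_id, adv.fixed_in, status))
    return out


# name[extras] op version; comments and pip options are dropped before matching
_REQ = re.compile(
    r"^([A-Za-z0-9][A-Za-z0-9_.\-]*)\s*(?:\[[^\]]*\])?\s*(==|>=|<=|~=|!=|>|<)?\s*([0-9][0-9A-Za-z.\-+*]*)?")


def check_requirements(text: str) -> list:
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue                       # blanks, comments, -r/-e/--index-url
        m = _REQ.match(line)
        if m:
            findings.extend(_evaluate("pypi", m.group(1), m.group(2) or "", m.group(3), line))
    return findings


_NPM_SPEC = re.compile(r"^\s*(\^|~|>=|<=|>|<|=)?\s*v?([0-9][0-9A-Za-z.\-+]*)\s*$")


def check_package_json(text: str) -> list:
    data = json.loads(text)
    findings = []
    for section in ("dependencies", "devDependencies"):
        for name, spec in data.get(section, {}).items():
            m = _NPM_SPEC.match(spec)
            op, version = (m.group(1) or "", m.group(2)) if m else ("", None)
            findings.extend(_evaluate("npm", name, op, version, spec))
    return findings


# Constructed manifests for this example.
REQUIREMENTS = """\
# constructed requirements.txt
acmeauth==2.0.3
acmeorm>=3.0.0
requests
"""
PACKAGE_JSON = json.dumps({
    "name": "demo",
    "dependencies": {"acme-utils": "^4.17.19", "express": "4.18.2"},
    "devDependencies": {"acme-cli": "*"},
})
```

On these inputs `acmeauth==2.0.3` is reported as vulnerable, `acme-utils: ^4.17.19` as an unresolved range (the lockfile decides) and `acme-cli: *` as unpinned; `acmeorm>=3.0.0` is not reported because its lower bound is already the fixed version. A production checker would resolve ranges from `package-lock.json` or `poetry.lock` and use a proper PEP 440 / semver comparison instead of `version_tuple`.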

🛡️ Insecure Code Pattern Detection

  • SQL Injection: String concatenation in queries, raw SQL builders
  • XSS: innerHTML, dangerouslySetInnerHTML, v-html
  • Command Injection: os.system, subprocess shell=True, eval/exec, child_process.exec
  • Path Traversal: Unsanitized file paths
  • Insecure Deserialization: pickle, yaml.load, marshal
  • Configuration Issues: Debug mode, CORS wildcard, hardcoded JWT secrets
  • Information Leakage: Stack trace exposure, directory listing
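For the command-injection and insecure-deserialization rows above, an added example (not the project's detector) of doing the check on Python's syntax tree rather than with substring matching: a `Call` node is inspected for its dotted callee name and its keyword arguments, so `os.system(...)` inside a comment or a string literal is not reported, `subprocess.run([...])` without `shell=True` is left alone, and `yaml.load` is only flagged when no safe `Loader` is passed. The rule names and the sample source are constructed.

```python
"""AST-based detection of insecure calls in Python source (added example, not project code)."""
import ast
from dataclasses import dataclass


@dataclass
class CodeFinding:
    rule: str
    line: int
    detail: str


SAFE_YAML_LOADERS = {"SafeLoader", "CSafeLoader", "BaseLoader"}


def _callee(node: ast.Call) -> str:
    """Dotted name of the called object: 'os.system', 'subprocess.run', 'eval'."""
    parts, f = [], node.func
    while isinstance(f, ast.Attribute):
        parts.append(f.attr)
        f = f.value
    if isinstance(f, ast.Name):
        parts.append(f.id)
    return ".".join(reversed(parts))


def _kw(node: ast.Call, name: str):
    return next((kw.value for kw in node.keywords if kw.arg == name), None)


def _is_true(node) -> bool:
    return isinstance(node, ast.Constant) and node.value is True


class InsecureCallVisitor(ast.NodeVisitor):
    def __init__(self):
        self.findings: list[CodeFinding] = []

    def _add(self, rule, node, detail):
        self.findings.append(CodeFinding(rule, node.lineno, detail))

    def visit_Call(self, node: ast.Call):
        name = _callee(node)
        if name in ("os.system", "os.popen"):
            self._add("command-injection", node, f"{name} runs its argument through a shell")
        elif name.startswith("subprocess.") and _is_true(_kw(node, "shell")):
            self._add("command-injection", node, f"{name} with shell=True")
        elif name in ("eval", "exec"):
            self._add("code-injection", node, f"{name}() on runtime data")
        elif name in ("pickle.load", "pickle.loads", "marshal.load", "marshal.loads"):
            self._add("insecure-deserialization", node, f"{name} on untrusted input")
        elif name in ("yaml.load", "yaml.load_all"):
            loader = _kw(node, "Loader")
            if loader is None and len(node.args) > 1:
                loader = node.args[1]          # positional Loader argument
            loader_name = getattr(loader, "attr", getattr(loader, "id", None))
            if loader_name not in SAFE_YAML_LOADERS:
                self._add("insecure-deserialization", node, f"{name} without a safe Loader")
        self.generic_visit(node)               # keep walking: calls nest inside calls


def scan_python_source(source: str) -> list[CodeFinding]:
    visitor = InsecureCallVisitor()
    visitor.visit(ast.parse(source))
    return visitor.findings


# Constructed sample; line numbers in the comments are the ones reported.
SAMPLE_SOURCE = '''\
import os, subprocess, pickle, yaml
def handler(req):
    os.system("ls " + req.path)                          # 3: shell string from request data
    subprocess.run(["ls", req.path])                     # 4: argv list, no shell: not reported
    subprocess.run("ls " + req.path, shell=True)         # 5
    cfg = yaml.load(req.body)                            # 6: default Loader
    safe = yaml.load(req.body, Loader=yaml.SafeLoader)   # 7: not reported
    obj = pickle.loads(req.body)                         # 8
    # os.system("only a comment")                        # 9: not reported (no Call node)
    return eval(req.args["expr"])                        # 10
'''

if __name__ == "__main__":
    for f in scan_python_source(SAMPLE_SOURCE):
        print(f"{f.line}: {f.rule}: {f.detail}")
```

Expect findings on lines 3, 5, 6, 8 and 10 only. The cost of the AST approach is that it is per-language (JavaScript's `child_process.exec`, `innerHTML` and `dangerouslySetInnerHTML` need a JS parser), which is why regex rules remain the pragmatic default for a multi-language scanner; the two approaches can be combined, with the AST pass used to suppress regex hits that sit in comments or strings.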

Tools

Tool                 Description
scan_secrets         Scan for hardcoded API keys, tokens, and passwords
scan_dependencies    Check dependencies against the built-in vulnerability database
scan_code_patterns   Detect SQLi, XSS, command injection, and other insecure patterns
scan_file            Comprehensive scan of a single file (secrets + code patterns)
scan_directory       Full project audit (secrets + dependencies + code patterns)

Quick Start

Prerequisites

  • Python 3.11+
  • pip install mcp pydantic
  • Node.js with npx (only needed to run the MCP Inspector below)

Run with MCP Inspector

git clone https://github.com/214070779/code-scanner-mcp.git
cd code-scanner-mcp
pip install mcp pydantic
npx @modelcontextprotocol/inspector python3 server.py

Configure in your AI Client

Add to your MCP settings:

{
  "mcpServers": {
    "code-scanner": {
      "command": "python3",
      "args": ["/path/to/code-scanner-mcp/server.py"]
    }
  }
}

Example Usage

"Scan my project for security issues" → AI calls scan_directory(path="./my-project")

"Check this file for secrets before committing" → AI calls scan_file(path="./src/config.ts")

"Are there any vulnerable npm packages?" → AI calls scan_dependencies(path=".")

Supported Platforms

Development

# Clone and install
git clone https://github.com/214070779/code-scanner-mcp.git
cd code-scanner-mcp
pip install mcp pydantic

# Smoke test: import the server and list the registered tools
# (reads a private FastMCP attribute, so it may break on an SDK upgrade)
python3 -c "from server import mcp; print('OK:', list(mcp._tool_manager._tools.keys()))"

# Run with inspector
npx @modelcontextprotocol/inspector python3 server.py

License

MIT

About

Code security scanner MCP server - scans secrets, dependencies, and insecure code patterns

Releases

No releases published
