Scan-as-a-Service for MCP servers. HTTP + MCP wrapper around compuute-scan — the MCP-specific static security scanner. Designed for agent-callable consumption.
POST a public GitHub repo URL → get a structured security report scored against 37 MCP-specific rules across 8 languages (TS/JS, Python, Go, Rust, C#, Java, Kotlin).
Honesty note (read first): compuute-scan is a pattern-breadth detector, not an exploitability oracle. Historic false-positive rate after manual validation is ~90% on raw output (verified against modelcontextprotocol/servers: 138 raw findings → 13 confirmed). Every response carries a
_disclaimerfield stating this explicitly. Use findings as a triage queue, not as a list of confirmed vulnerabilities. See docs/FP-RATES.md for per-rule transparency.
| Method | Path | Purpose |
|---|---|---|
| POST | /v1/scan |
Scan a public GitHub MCP-server repo |
| GET | /v1/scan/info |
Scanner version, limits, capabilities |
| GET | /v1/health |
Liveness + scanner-binary check |
| GET | /openapi.json |
OpenAPI v3 spec (for agent discovery) |
| /mcp/ | (planned) | MCP server with scan_mcp_server tool |
curl -X POST https://scan.compuute.se/v1/scan \
-H 'Content-Type: application/json' \
-H 'Idempotency-Key: 00000000-0000-0000-0000-000000000001' \
-d '{"repo_url": "https://github.com/modelcontextprotocol/servers"}'Response (truncated):
{
"repo_url": "https://github.com/modelcontextprotocol/servers",
"scanner": {"name": "compuute-scan", "version": "0.6.2", "layers_covered": ["L0", "L1"]},
"summary": {"critical": 1, "high": 94, "medium": 22, "low": 0, "files_scanned": 77},
"score": 0,
"recommendation": "AVOID — 1 critical and 94 high finding(s)...",
"top_findings": [...],
"performance": {"clone_seconds": 1.2, "scan_seconds": 0.5, "repo_size_bytes": 41234},
"_disclaimer": "PATTERN MATCH — compuute-scan is a static analyzer..."
}| Feature | How |
|---|---|
| Idempotent retries (24h cache) | Idempotency-Key header |
| HTTP cache | ETag + Cache-Control: public, max-age=1800 |
| Conditional GET | If-None-Match → 304 Not Modified |
| Strict input validation | Pydantic extra="forbid", GitHub-HTTPS-only |
| OpenAPI for discovery | GET /openapi.json with descriptions on every field |
| Honest framing | Every response carries _disclaimer — pattern match, not exploitability claim |
python3 -m venv venv && source venv/bin/activate
pip install -r requirements.txt
export COMPUUTE_SCAN_PATH=$HOME/compuute-scan/compuute-scan.js
uvicorn main:app --reloadpytest tests/ -vapi/services/scan.py— clone + sandbox + scan + parse. Pure functions.api/serializers/scan_serializer.py— Pydantic models, strict validation.api/routes/scan.py— HTTP layer: idempotency, cache, ETag.main.py— FastAPI wiring.
Bundled compuute-scan version is configured via COMPUUTE_SCAN_PATH env var.
| Tier | Audience | Price |
|---|---|---|
| Free | Indie devs, agent builders | 3 scans/day |
| Pro | Teams shipping MCP to production | TBD |
| Audit | Manual L2-L4 audit by Compuute AB | $5K-30K — see compuute.se/audit |
| Doc | For |
|---|---|
| docs/ARCHITECTURE.md | Component diagram, request flow, threat model, deployment topology |
| docs/DEVELOPMENT.md | Local setup, layout, code style, common pitfalls — onboard a new dev in 30 min |
| docs/STRATEGY.md | Position, pricing tiers, roadmap, decision log — why we built it this way |
| docs/MONITORING.md | Endpoints to watch, automated checks, runbook for failures |
| docs/agentic-market-submission.md | Three paths to Agentic.market listing with engineering effort estimates |
| scripts/status.sh | 30-second project status check (run anytime) |
Found a vulnerability? See SECURITY.md — email security@compuute.se. We follow a 90-day coordinated disclosure window.
MIT (matches compuute-scan).
Compuute AB — daniel@compuute.se