Crucible v0.5.0 — Production-Ready
The first open-source MCP server security scanner.
Every feature verified against real HTTP endpoints.
What's New
MCP Server Scanner
crucible mcp-scan --server
First open-source tool testing MCP security.
43% of servers vulnerable to command injection.
Hallucination Detection (15 vectors)
Tests fake citation injection, false memory assertion,
non-existent API claims, scope hallucination.
Toxicity Testing (20 vectors)
Role-play escalation, authority bypass, persona injection.
Local Model Support
crucible scan --target http://localhost:11434 --format-preset ollama
Native presets for Ollama, LM Studio, HuggingFace TGI.
--fail-on CI/CD Gate
crucible scan --target URL --fail-on CRITICAL
Exits with code 1 if any finding is at or above the given severity, which fails the build.
Bug Fixes (7 production bugs resolved)
- mcp-scan now works with local .json files
- SARIF output is valid SARIF 2.1.0
- --scope-file blocks out-of-scope targets (exit code 2)
- --rate-limit flag implemented
- version is read dynamically from package metadata
- --turns flag controls exact turn count
- UTF-8 encoding on Windows fixed
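A CI wrapper for the two exit codes these notes document (1 from --fail-on, 2 from --scope-file), added here as an example and not part of Crucible itself. It assumes exit 0 means the gate passed, that --scope-file takes a file path and that the two flags can be combined in one call; the return codes 3, 64 and 66 are the wrapper's own.

```shell
#!/bin/sh
# Added example, not Crucible's own code: a CI gate around `crucible scan`.
# From the release notes: exit 1 = findings at or above the --fail-on severity,
# exit 2 = target blocked by --scope-file.
# Assumptions: exit 0 = gate passed; --scope-file takes a path; flags combine.

crucible_gate() {
    target=$1
    severity=$2
    scope_file=$3

    if [ -z "$target" ] || [ -z "$severity" ]; then
        echo "usage: crucible_gate TARGET SEVERITY [SCOPE_FILE]" >&2
        return 64   # wrapper's own code: bad invocation
    fi

    # Build the argument list once so quoting survives spaces in paths.
    set -- scan --target "$target" --fail-on "$severity"
    if [ -n "$scope_file" ]; then
        if [ ! -r "$scope_file" ]; then
            echo "gate: scope file not readable: $scope_file" >&2
            return 66   # wrapper's own code: refuse to scan without the scope guard
        fi
        set -- "$@" --scope-file "$scope_file"
    fi

    rc=0
    crucible "$@" || rc=$?

    case $rc in
        0) echo "gate: pass (no findings at or above $severity)" ;;
        1) echo "gate: FAIL (findings at or above $severity)" >&2 ;;
        2) echo "gate: target blocked by scope file" >&2 ;;
        *) # Crash, missing binary, etc.: fail closed, but keep it distinct
           # from a real finding so it is triaged as a pipeline problem.
           echo "gate: scanner error (exit $rc), failing closed" >&2
           rc=3 ;;
    esac
    return $rc
}
```

In a pipeline step, call `crucible_gate "$TARGET" CRITICAL scope.txt` and let its return code decide the job status.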
Stats
283 tests passing · 0 mypy errors · 79 source files
Python 3.10 / 3.11 / 3.12 · Ubuntu + Windows + macOS
Install
pip install crucible-security==0.5.0