Skip to content

Releases: vigneshakaviki/mcp-check

mcp-check v0.5.0

Choose a tag to compare

@vigneshakaviki vigneshakaviki released this 10 Jul 21:55

Open-source scanner polish release inspired by mature security tools like Trivy, Gitleaks, Semgrep, Checkov, TruffleHog, and actionlint.

Highlights:

  • Added mcp-check rules and mcp-check rules --format json
  • Added mcp-check --version
  • Added Marketplace-ready Action branding
  • Added docs for rules, configuration, and GitHub Action usage
  • Added CHANGELOG, SUPPORT, CODE_OF_CONDUCT, PR template, issue config, and Dependabot
  • Preserved capability summaries across multi-preset scans
  • Centralized report version output on the package version

Validation:

  • 15 tests passing
  • CLI version and rules smoke checks passed
  • Package build succeeds
  • GitHub workflow/action YAML validation succeeds

mcp-check v0.4.0

Choose a tag to compare

@vigneshakaviki vigneshakaviki released this 10 Jul 21:47

Regression and official-guidance hardening release.

Highlights:

  • Adds MCP011 for local HTTP transport hardening and wildcard network binds
  • Reclassifies localhost MCP transport URLs as transport-hardening findings instead of SSRF
  • Detects OAuth tokens/client secrets in URL query strings
  • Detects OAuth metadata that does not advertise PKCE S256 support
  • Filters placeholder URLs out of capability summaries
  • Adds regression examples for local HTTP transport, wildcard binds, and OAuth token query strings

Validation:

  • 13 tests passing
  • All shipped examples and fixtures scanned
  • Public GitHub sample configs rescanned
  • Package build succeeds
  • GitHub workflow/action YAML validation succeeds

mcp-check v0.3.0

Choose a tag to compare

@vigneshakaviki vigneshakaviki released this 10 Jul 21:36

Adds deeper MCP security checks from recent MCP security research and official guidance.

Highlights:

  • MCP009: detects SSRF-prone URLs, private network targets, cloud metadata endpoints, and dangerous URL schemes
  • MCP010: detects OAuth/bearer credentials, broad OAuth scopes, and unsafe OAuth endpoint URLs
  • Capability summary in terminal and JSON reports
  • New unsafe examples for private-network URLs and OAuth misconfiguration

Verification:

  • 10 tests passing
  • Package build succeeds
  • YAML workflow/action validation succeeds

mcp-check v0.2.0

Choose a tag to compare

@vigneshakaviki vigneshakaviki released this 10 Jul 21:07

Adds the roadmap issue fixes:

  • JSON, YAML, and TOML config parsing
  • Explicit suppression files with suppressed findings visible in JSON and SARIF
  • Common MCP client path presets for Claude Desktop, Claude Code, and Cursor
  • Packaging metadata, PyPI publish workflow, and Homebrew formula guidance
  • GitHub Action suppression input

Verification:

  • 8 tests passing
  • YAML/TOML fixtures scanned successfully
  • Package build succeeds

mcp-check v0.1.0

Choose a tag to compare

@vigneshakaviki vigneshakaviki released this 10 Jul 20:51

Initial public release of mcp-check.

Highlights:

  • Offline static scanning for MCP server configs
  • Rules for secrets, sensitive paths, shell execution, unpinned packages, insecure URLs, prompt-injection metadata, and Docker/runtime privileges
  • JSON, terminal, and SARIF output
  • GitHub Action support
  • Unsafe example config zoo for quick demos