Releases: vigneshakaviki/mcp-check
Releases · vigneshakaviki/mcp-check
Release list
mcp-check v0.5.0
Open-source scanner polish release inspired by mature security tools like Trivy, Gitleaks, Semgrep, Checkov, TruffleHog, and actionlint.
Highlights:
- Added
mcp-check rulesandmcp-check rules --format json - Added
mcp-check --version - Added Marketplace-ready Action branding
- Added docs for rules, configuration, and GitHub Action usage
- Added CHANGELOG, SUPPORT, CODE_OF_CONDUCT, PR template, issue config, and Dependabot
- Preserved capability summaries across multi-preset scans
- Centralized report version output on the package version
Validation:
- 15 tests passing
- CLI version and rules smoke checks passed
- Package build succeeds
- GitHub workflow/action YAML validation succeeds
mcp-check v0.4.0
Regression and official-guidance hardening release.
Highlights:
- Adds MCP011 for local HTTP transport hardening and wildcard network binds
- Reclassifies localhost MCP transport URLs as transport-hardening findings instead of SSRF
- Detects OAuth tokens/client secrets in URL query strings
- Detects OAuth metadata that does not advertise PKCE S256 support
- Filters placeholder URLs out of capability summaries
- Adds regression examples for local HTTP transport, wildcard binds, and OAuth token query strings
Validation:
- 13 tests passing
- All shipped examples and fixtures scanned
- Public GitHub sample configs rescanned
- Package build succeeds
- GitHub workflow/action YAML validation succeeds
mcp-check v0.3.0
Adds deeper MCP security checks from recent MCP security research and official guidance.
Highlights:
- MCP009: detects SSRF-prone URLs, private network targets, cloud metadata endpoints, and dangerous URL schemes
- MCP010: detects OAuth/bearer credentials, broad OAuth scopes, and unsafe OAuth endpoint URLs
- Capability summary in terminal and JSON reports
- New unsafe examples for private-network URLs and OAuth misconfiguration
Verification:
- 10 tests passing
- Package build succeeds
- YAML workflow/action validation succeeds
mcp-check v0.2.0
Adds the roadmap issue fixes:
- JSON, YAML, and TOML config parsing
- Explicit suppression files with suppressed findings visible in JSON and SARIF
- Common MCP client path presets for Claude Desktop, Claude Code, and Cursor
- Packaging metadata, PyPI publish workflow, and Homebrew formula guidance
- GitHub Action suppression input
Verification:
- 8 tests passing
- YAML/TOML fixtures scanned successfully
- Package build succeeds
mcp-check v0.1.0
Initial public release of mcp-check.
Highlights:
- Offline static scanning for MCP server configs
- Rules for secrets, sensitive paths, shell execution, unpinned packages, insecure URLs, prompt-injection metadata, and Docker/runtime privileges
- JSON, terminal, and SARIF output
- GitHub Action support
- Unsafe example config zoo for quick demos