Secure MCP tools before agents run them.
Local-first scanner for risky shell commands, leaked secrets, broad filesystem access, remote MCP endpoints, and unpinned packages.
Example summary from a scan of the synthetic config shown later on this page:
- 2 Critical
- 5 High
- 2 Medium

Top issues (location and redacted evidence):
- `mcp-servers.json:12`
- `args: ["/"]`
- `Authorization=Bea...ken`

Example finding (JSON):
```json
{
  "ruleId": "MCP010",
  "level": "error",
  "message": "Shell command executes inline script",
  "uri": "mcp-servers.json"
}
```
Scan locally with the CLI
Fast, private, and simple enough for local review or pre-commit workflows.
```shell
npm i -g agent-mcp-guard
mcp-guard init
mcp-guard scan --policy .mcp-guard-policy.json --format html
```
- Bootstrap a GitHub Action in one command
- Detect risky shell commands and broad access
- Enforce approved commands, packages, directories, and URLs
- Redact secret-like env vars and headers
- Output text, Markdown, HTML, JSON, and SARIF
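As an added illustration of the rule categories listed above (and of the SARIF 2.1.0 mapping described further down), here is a small stand-alone scanner written for this page. It is not mcp-guard's code: apart from `MCP010`, which appears in the example finding above, the rule IDs, detection patterns, the sample config and the redaction format are assumptions made for the example.

```javascript
// Added example (not mcp-guard's code): a minimal scanner for the rule
// categories the page lists. Only MCP010 is a rule ID shown on the page;
// every other rule ID, pattern and the sample config are assumptions.

// Constructed sample config in the usual "mcpServers" shape.
const SAMPLE_CONFIG = {
  mcpServers: {
    files: { command: "npx", args: ["-y", "@modelcontextprotocol/server-filesystem", "/"] },
    installer: { command: "sh", args: ["-c", "curl -fsSL https://example.invalid/install.sh | sh"] },
    remote: {
      url: "https://mcp.example.invalid/sse",
      headers: { Authorization: "Bearer eyJhbGciOiJIUzI1NiJ9.example.token" },
    },
    pinned: { command: "npx", args: ["-y", "some-server@1.2.3"], env: { API_KEY: "sk-constructed-0123456789abcdef" } },
  },
};

const SECRET_KEY = /token|secret|key|password|authorization/i;
const SARIF_LEVEL = { critical: "error", high: "error", medium: "warning", low: "note" };

// Keep a 3-char prefix and suffix ("Bea...ken") so a reviewer can recognise
// which value is meant without the report ever containing the secret itself.
function redact(value) {
  const s = String(value);
  return s.length <= 8 ? "***" : `${s.slice(0, 3)}...${s.slice(-3)}`;
}

function scanConfig(config, uri = "mcp-servers.json") {
  const findings = [];
  const add = (server, ruleId, severity, message, evidence) =>
    findings.push({ ruleId, severity, message, uri, server, evidence });

  for (const [name, server] of Object.entries(config.mcpServers || {})) {
    const args = Array.isArray(server.args) ? server.args : [];

    // MCP010: a shell interpreter given an inline script (-c), e.g. a curl | sh installer.
    if (/^(sh|bash|zsh|dash)$/.test(server.command || "") && args.includes("-c")) {
      add(name, "MCP010", "critical", "Shell command executes inline script", args.join(" "));
    }
    // Assumed ID: npx package without an explicit @version pin (scoped names start with "@").
    if (server.command === "npx") {
      const pkg = args.find((a) => !a.startsWith("-"));
      if (pkg && pkg.lastIndexOf("@") <= 0) {
        add(name, "MCP-UNPINNED", "high", "Package is not pinned to a version", pkg);
      }
    }
    // Assumed ID: filesystem root or home directory handed to the server.
    for (const a of args) {
      if (a === "/" || a === "~") add(name, "MCP-BROAD-FS", "high", "Broad filesystem access", `args: ["${a}"]`);
    }
    // Assumed ID: remote endpoint, so tool traffic leaves the machine.
    if (typeof server.url === "string" && /^https?:\/\//.test(server.url)) {
      add(name, "MCP-REMOTE", "medium", "Remote MCP endpoint", server.url);
    }
    // Assumed ID: secret-like literal in env or headers; ${VAR} references are fine,
    // and the evidence is redacted before it reaches any report.
    const kv = [...Object.entries(server.env || {}), ...Object.entries(server.headers || {})];
    for (const [k, v] of kv) {
      if (SECRET_KEY.test(k) && typeof v === "string" && v && !/^\$\{?[A-Z_][A-Z0-9_]*\}?$/.test(v)) {
        add(name, "MCP-SECRET", "high", "Secret-like value in config", `${k}=${redact(v)}`);
      }
    }
  }
  return findings;
}

function summarize(findings) {
  const counts = { critical: 0, high: 0, medium: 0, low: 0 };
  for (const f of findings) counts[f.severity] += 1;
  return counts;
}

// Map findings onto SARIF 2.1.0 so they sit beside other code-scanning alerts.
function toSarif(findings) {
  const rules = [...new Set(findings.map((f) => f.ruleId))].map((id) => ({ id }));
  return {
    $schema: "https://json.schemastore.org/sarif-2.1.0.json",
    version: "2.1.0",
    runs: [{
      tool: { driver: { name: "mcp-config-scan-example", rules } },
      results: findings.map((f) => ({
        ruleId: f.ruleId,
        level: SARIF_LEVEL[f.severity],
        message: { text: `${f.message}: ${f.evidence}` },
        locations: [{ physicalLocation: { artifactLocation: { uri: f.uri } } }],
      })),
    }],
  };
}

const FINDINGS = scanConfig(SAMPLE_CONFIG);
console.log(JSON.stringify({ summary: summarize(FINDINGS), sarif: toSarif(FINDINGS) }, null, 2));
```

Two design points carry over to any scanner of this kind: redaction happens when the evidence string is built, not when the report is rendered, so no output format can leak the raw value; and SARIF `level` is derived from the scanner's own severity, which is what lets a code-scanning dashboard sort MCP findings beside everything else.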
Automate with GitHub Action
Block risky MCP config changes before they merge, with reports attached to the run.
```yaml
- uses: ChaoYue0307/mcp-guard-action@v0.4.4
  with:
    config: .mcp.json
    # policy: .mcp-guard-policy.json
    baseline: .mcp-guard-baseline.json
    fail-on: high
    comment-pr: "true"
    upload-sarif: "true"
```
- Deterministic action from the pinned tag
- PR comment and job summary for review
- Baseline mode for accepted known findings
- SARIF upload for GitHub code scanning
Ship review-ready reports
Turn raw config risk into a report a founder, security lead, or engineering team can act on.
- Server inventory and finding table
- Active vs baseline-accepted findings
- Evidence and remediation guidance
- Useful for internal security reviews
Outputs that match developer workflows.
Use one scanner across local review, pull requests, artifacts, and GitHub Security. Reports are generated locally and secret-like values are redacted before output.
- SARIF: rules and findings map to SARIF 2.1.0 so teams can track MCP risks beside other code scanning alerts.
- Human-readable report (HTML or Markdown): risk score, server inventory, severity summary, evidence, and remediation guidance.
- JSON: machine-readable active findings, accepted baseline findings, stable fingerprints, and summary counts.
Accept known findings. Block only new risk.
Real repositories rarely start clean. Baseline mode lets teams commit the current reviewed state, keep those findings visible, and fail pull requests only when new high-risk MCP changes appear.
```shell
mcp-guard scan --config .mcp.json \
  --write-baseline .mcp-guard-baseline.json
mcp-guard scan --config .mcp.json \
  --baseline .mcp-guard-baseline.json \
  --fail-on high
```
- Create a JSON baseline with stable fingerprints for the current findings.
- Commit the baseline after reviewing the accepted risk and the reasons for accepting it.
- CI reports accepted findings but fails only on new active findings.
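The three steps above, worked through as an added example that is not mcp-guard's own baseline format. What goes into a fingerprint, the FNV-1a hash used to compute it, the baseline file layout and the sample findings are all assumptions made here; the point is the mechanism: a finding is identified by stable attributes rather than by line number, accepted findings stay visible, and only new findings at or above the threshold fail the run.

```javascript
// Added example (not mcp-guard's baseline format): accept reviewed findings by
// stable fingerprint and fail only on new ones at or above a threshold.
// The fingerprint inputs and the FNV-1a hash are assumptions made here.

const SEVERITY_RANK = { low: 0, medium: 1, high: 2, critical: 3 };

// 32-bit FNV-1a over the string's UTF-16 code units: deterministic, no dependencies.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// Line numbers and severity are deliberately left out, so moving a server block
// within the file or re-rating a rule does not turn an accepted finding into a new one.
function fingerprint(f) {
  return fnv1a([f.ruleId, f.uri, f.server, f.evidence.trim()].join("\u0000"));
}

// Step 1: write a baseline from the reviewed findings, recording why each was accepted.
function writeBaseline(findings, reason) {
  return {
    version: 1,
    accepted: findings.map((f) => ({ fingerprint: fingerprint(f), ruleId: f.ruleId, server: f.server, reason })),
  };
}

// Step 3: report accepted findings, but block only on new ones at or above failOn.
function compareWithBaseline(findings, baseline, failOn) {
  const accepted = new Set(((baseline && baseline.accepted) || []).map((a) => a.fingerprint));
  const active = [];
  const known = [];
  for (const f of findings) (accepted.has(fingerprint(f)) ? known : active).push(f);
  const blocking = active.filter((f) => SEVERITY_RANK[f.severity] >= SEVERITY_RANK[failOn]);
  return { active, known, blocking, exitCode: blocking.length > 0 ? 1 : 0 };
}

// Constructed findings from a first, reviewed scan (step 2 is committing BASELINE)...
const FIRST_SCAN = [
  { ruleId: "MCP010", severity: "critical", uri: ".mcp.json", server: "installer",
    evidence: "-c curl -fsSL https://example.invalid/install.sh | sh" },
  { ruleId: "MCP-REMOTE", severity: "medium", uri: ".mcp.json", server: "remote",
    evidence: "https://mcp.example.invalid/sse" },
];
const BASELINE = writeBaseline(FIRST_SCAN, "reviewed: installer fetches from an internal mirror, endpoint is approved");

// ...and from a later scan after a pull request added a filesystem server and another endpoint.
const SECOND_SCAN = [
  { ...FIRST_SCAN[1], evidence: "  https://mcp.example.invalid/sse  " }, // whitespace only: same fingerprint
  FIRST_SCAN[0],
  { ruleId: "MCP-BROAD-FS", severity: "high", uri: ".mcp.json", server: "files", evidence: 'args: ["/"]' },
  { ruleId: "MCP-REMOTE", severity: "medium", uri: ".mcp.json", server: "docs", evidence: "https://docs.example.invalid/mcp" },
];

const RESULT = compareWithBaseline(SECOND_SCAN, BASELINE, "high");
console.log(`accepted: ${RESULT.known.length}, active: ${RESULT.active.length}, blocking: ${RESULT.blocking.length}, exit: ${RESULT.exitCode}`);
// → accepted: 2, active: 2, blocking: 1, exit: 1
```

With `--fail-on high` the new `/` filesystem finding is the only blocker; the second remote endpoint is reported as active but does not fail the run, and the two baseline-accepted findings are still listed so they never silently disappear from review.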
Inspect the exact input, command, and generated reports.
This is a reproducible example generated by the current CLI from a committed MCP config. The config is synthetic, but the findings and reports are real outputs from `mcp-guard`.
- Input: unpinned `npx`, broad `/` filesystem access, shell installer, remote endpoint, and secret-like values.
- Findings: 2 critical, 5 high, and 2 medium findings with rule IDs, evidence, and remediation guidance.
Need help wiring this into a real repo?
mcp-guard is an automated local scanner. Paid setup pilots are available for teams that want the CLI, GitHub Action, baseline, PR comments, and SARIF reporting wired into a real repository without sending configs to a hosted service.
Setup pilot scope
- Run the CLI against local MCP configs
- Generate Markdown, HTML, JSON, and SARIF reports
- Add the GitHub Action to pull request checks
- Create a reviewed baseline for accepted known findings
- Enable PR comments for active risk summaries
- Collect missing patterns for future rules
- Keep configs local and redact secret-like values