MSCC - MCP Security Command Center

The Trivy of MCP security - Scan your MCP servers for vulnerabilities before they become breaches

Security scanner for Model Context Protocol (MCP) servers. Detect prompt injection, tool poisoning, secret exposure, and other vulnerabilities in your MCP implementations.

Features

• 63 detection patterns covering OWASP MCP Top 10
• 6 languages supported - Python, JavaScript/Node.js, Go, Rust, Java, C#
• YARA rules engine for custom detection rules
• Multiple export formats - JSON, SARIF, Markdown, HTML, PDF, SVG badges
• MCP Protocol Client for live server scanning
• CI/CD ready with GitHub Actions integration

Installation

# Core SDK
pip install mscc

# With API server
pip install mscc[api]

# With PDF export support
pip install mscc[pdf]

# Development
pip install mscc[dev]

Quick Start

Python SDK

from mscc import MSCCClient, scan_local

# Quick local scan
result = scan_local("./my-mcp-server")
print(f"Risk Score: {result.risk_score}/100")
print(f"Found {len(result.findings)} issues")

# Full client usage
client = MSCCClient()
result = client.scan("./path/to/mcp-server", profile="ci-standard")

# Check findings
for finding in result.findings:
    print(f"[{finding.severity.value}] {finding.title}")
    print(f"  Location: {finding.file_path}:{finding.line_number}")

# Export reports
result.to_pdf("report.pdf")
result.to_sarif()  # Returns SARIF dict
result.to_html()   # Returns HTML string

Command Line Interface

# Scan a local directory
mscc scan ./my-mcp-server

# Scan with specific profile
mscc scan ./src --profile dev-fast

# Scan a Git repository
mscc scan-repo https://github.com/org/mcp-server

# Export to different formats
mscc scan ./src -o report.json
mscc scan ./src -o report.sarif
mscc scan ./src -o report.html

# Fail on high risk score (for CI)
mscc scan ./src --max-risk 70

# Show version
mscc version

GitHub Actions Integration

name: Security Scan

on: [push, pull_request]

jobs:
  mscc-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: '3.11'
      - run: pip install mscc
      - run: mscc scan . --max-risk 70 -o results.sarif
      - uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: results.sarif

Detection Capabilities

OWASP MCP Top 10 Coverage

Category	Patterns	OWASP ID
Prompt Injection	Ignore instructions, system markers, role manipulation, jailbreak, unicode tricks	MCP-03
Tool Poisoning	Hidden HTML comments, encoded content, XSS payloads	MCP-02
Excessive Permissions	Unrestricted shell/filesystem/network, debug mode	MCP-01
Secret Exposure	API keys, passwords, tokens, private keys, connection strings	MCP-01
Command Injection	Shell execution, eval, insecure deserialization	MCP-04

Language Support

Language	Detection Patterns
Python	subprocess, os.system, eval/exec, pickle, yaml.load
JavaScript	eval, child_process, innerHTML, prototype pollution
Go	exec.Command, unsafe, SQL injection, path traversal
Rust	unsafe blocks, Command::new, raw pointers, transmute
Java	Runtime.exec, ObjectInputStream, XXE, JNDI injection
C#	Process.Start, BinaryFormatter, SQL injection, XXE

Scan Profiles

Profile	Use Case
dev-fast	Quick local development checks
ci-standard	CI/CD pipeline integration (default)
full-enterprise	Comprehensive security audit

API Server

# Start the API server
uvicorn mscc.api.app:app --host 0.0.0.0 --port 8000

# Or with Docker
docker build -t mscc .
docker run -p 8000:8000 mscc

Endpoints

Method	Endpoint	Description
GET	/health	Health check
GET	/ready	Readiness check
GET	/docs	OpenAPI documentation
POST	/api/v1/scans	Run a security scan

Example Request

curl -X POST http://localhost:8000/api/v1/scans \
  -H "Content-Type: application/json" \
  -d '{"path": "./my-mcp-server", "profile": "ci-standard"}'

Project Structure

src/mscc/
├── __init__.py          # Package exports
├── cli.py               # Command line interface
├── client.py            # MSCCClient SDK
├── models/              # Data models
├── scanner/
│   ├── engine.py        # Scan orchestration
│   ├── static.py        # Pattern detection (63 patterns)
│   └── yara_scanner.py  # YARA rules engine
├── mcp/
│   ├── client.py        # MCP Protocol Client
│   └── scanner.py       # Live server scanner
├── api/
│   ├── app.py           # FastAPI application
│   ├── db/              # Database models (PostgreSQL)
│   └── cache.py         # Redis caching
└── worker/
    └── tasks.py         # Celery background tasks

rules/                   # YARA detection rules
├── core/
│   ├── owasp-mcp/       # OWASP MCP Top 10 rules
│   └── secrets/         # Secret detection rules
└── community/           # Community-contributed rules

Development

# Clone and install
git clone https://github.com/gensecaihq/mcpscc.git
cd mcpscc
python -m venv .venv
source .venv/bin/activate
pip install -e ".[dev,api,pdf]"

# Run tests
pytest tests/ -v

# Run linting
ruff check src/
black --check src/

Contributing

Contributions are welcome! Please read CONTRIBUTING.md for guidelines.

Security

For security issues, please see SECURITY.md.

License

Apache-2.0 - See LICENSE for details.