Open Source · MIT Licensed

The MCP Security Scanner That Runs Locally

Stop sending your MCP configs to the cloud. MCPScan analyses your Model Context Protocol servers for vulnerabilities — entirely on your machine. No API keys. No data leaving your network. No excuses.

pip install mcpscan
mcpscan — terminal

$ pip install mcpscan
$ mcpscan scan ~/.config/claude/claude_desktop_config.json

MCPScan v0.4.2 — MCP Security Scanner
─────────────────────────────────────────
Scanning 3 MCP servers...

✓ Schema Validation      passed
✓ Transport Security     passed
⚠ Auth & Permissions     2 warnings
✗ SSRF Probing           1 critical
✓ Injection Analysis     passed
✓ Toxic Flows            passed
⚠ Data Exfiltration      1 warning
✓ Capability Audit       passed
⚠ Config Hygiene         1 warning
✓ OWASP LLM Mapping      passed

─────────────────────────────────────────
Results: 7 passed · 3 warnings · 1 critical
Report: ./mcpscan-report.html

10 Security Check Modules

Comprehensive coverage across the MCP attack surface.

01  SSRF Probing
    Detect server-side request forgery vectors in tool definitions

02  Injection Analysis
    Find prompt injection and command injection risks

03  Auth & Permissions
    Verify authentication and authorisation configurations

04  Toxic Flows
    Map dangerous tool chain combinations across MCP servers

05  Data Exfiltration
    Identify paths where sensitive data could leak

06  Schema Validation
    Validate tool schemas against the MCP specification

07  Transport Security
    Check TLS, stdio isolation, and transport-layer risks

08  Capability Audit
    Review exposed capabilities and excessive permissions

09  Config Hygiene
    Detect hardcoded secrets, weak defaults, and misconfigurations

10  OWASP LLM Mapping
    Map findings to OWASP LLM Top 10 categories

HTML Reports

Beautiful, shareable HTML reports with severity ratings, remediation guidance, and OWASP LLM Top 10 mapping. Perfect for stakeholder reviews.

SARIF Export

Export results in SARIF format for integration with GitHub Advanced Security, VS Code, and other SARIF-compatible tools.

Diff Mode

Compare scan results before and after changes. Catch regressions in CI/CD pipelines and track security posture over time.

CI/CD Ready

Add MCPScan to your pipeline in one line. JSON output for automation, non-zero exit codes on findings, and diff mode for PR checks.

.github/workflows/mcp-security.yml
- name: Scan MCP configs
  run: |
    pip install mcpscan
    mcpscan scan ./mcp.json --format sarif --output results.sarif
    mcpscan scan ./mcp.json --format json --fail-on critical

MCPScan vs Cloud Scanners

Why send your configs to someone else's server?

Feature | MCPScan | Cloud Scanners
Runs locally
No API keys required
Works offline
GDPR compliant by default
Configs never leave your machine
SARIF export
CI/CD integration
HTML reports
Diff mode (before/after)
Open source (MIT)

What People Are Saying

“Finally, an MCP scanner that doesn't require me to upload my configs to someone else's cloud. The SARIF export slots right into our GitHub workflow.”

— Security Engineer, AI-first startup

“We added MCPScan to our CI pipeline in under 5 minutes. Caught a critical SSRF vector on the first run that our manual review missed.”

— DevOps Lead, Enterprise SaaS

Get Started in Seconds

One command. No signup. No API keys. No cloud dependency.

pip install mcpscan