MCP Security Scanner
Find vulnerabilities in your MCP servers before your AI agent goes live.
Static analysis security scanner for Model Context Protocol servers. 13 rules mapped to the OWASP MCP Top 10. TypeScript + Python. Extension for VS Code and compatible editors (Cursor, Windsurf, Antigravity) + CLI + GitHub Action.
Powered by KERN — the structural language for AI-generated code.
Why
Every AI tool is adding MCP support. Security scanning hasn't kept up. MCP servers handle file I/O, shell commands, network requests, and database queries — all triggered by LLM tool calls. One missing input validation and your agent becomes an attack surface.
This scanner catches those issues at development time.
Features
Security Score (0-100)
Every MCP server gets a security score based on four weighted metrics:
| Metric |
Weight |
What it measures |
| Guard Coverage |
40% |
% of effects with preceding guards |
| Input Validation |
25% |
% of tool handlers with validation |
| Rule Compliance |
20% |
Penalty per critical/warning finding |
| Auth Posture |
15% |
Auth guards on HTTP/SSE transport |
Grades: A (90+), B (75+), C (60+), D (40+), F (<40)
13 Security Rules (OWASP MCP Top 10)
| Rule |
OWASP |
What it catches |
mcp-command-injection |
#04 |
User params flowing to shell commands |
mcp-path-traversal |
#02 |
File ops with unvalidated paths |
mcp-tool-poisoning |
#03 |
Hidden instructions in tool descriptions |
mcp-secrets-exposure |
#04 |
Hardcoded keys/tokens in server code |
mcp-unsanitized-response |
#05 |
Raw external data / XML returned to LLM |
mcp-missing-validation |
#06 |
Tool params used without validation |
mcp-missing-auth |
#07 |
HTTP/SSE server without auth |
mcp-typosquatting |
#08 |
Suspicious package name similarity |
mcp-data-injection |
#09 |
Hidden instructions in string literals |
mcp-ssrf |
#02 |
Server-side request forgery via unvalidated URLs |
mcp-secret-leakage |
#04 |
Secrets, system info, IP disclosure in responses |
mcp-ir-unguarded-effect |
Structural |
Effects without guards (KERN IR) |
mcp-ir-low-confidence |
Structural |
Low guard/effect ratio |
KERN IR Visualization
The sidebar renders your MCP server's security structure as a tree:
- Actions — each
server.tool() or @mcp.tool() handler
- Effects — dangerous operations (shell exec, file I/O, network, database)
- Guards — validation, path containment, auth checks
- Color-coded: GUARDED (green) vs UNGUARDED (red)
Autofixes (TypeScript + Python)
6 one-click fixes for both languages:
eval() to JSON.parse() (TS) / ast.literal_eval() (Python)- Path traversal guard insertion
- Input validation scaffolding (Zod / Pydantic)
- Auth middleware stub
- Response sanitization
- Secrets to env vars
Config Guardian
Scans your MCP configuration files (claude_desktop_config.json, .cursor/mcp.json, .vscode/mcp.json, .windsurf/mcp.json) for:
- Hardcoded secrets (Shannon entropy + pattern detection)
- Missing version pins on
npx/uvx packages (supply chain risk)
@latest treated as error — it's NOT a version pin- Wide permission flags (
--allow-all, --no-sandbox)
- Unresolvable command paths
Shows a "My MCP Servers" section in the sidebar with trust indicators.
Pin your MCP server's tool schemas to detect unauthorized changes:
kern-mcp-security --lock ./src/server.ts # generate lockfile
kern-mcp-security --verify ./src/server.ts # check for drift
Detects: removed tools, new tools, description changes (tool poisoning), schema changes.
Badge + README Integration
Generate a Shields.io security badge for your project:
KERN: Generate MCP Security Badge
Writes a badge, per-tool score table, and JSON report to your README between <!-- kern-mcp-security-start/end --> markers.
CLI
npx @kernlang/review-mcp ./src/server.ts
Options: --format json|sarif|text, --threshold 60 (fail if below), --quiet, --output report.json.
See @kernlang/review-mcp for full CLI docs.
GitHub Action
Add to .github/workflows/mcp-security.yml:
name: MCP Security
on: [push, pull_request]
jobs:
scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: KERNlang/kern-lang/packages/review-mcp/ci@main
with:
threshold: 60 # fail if score < 60
sarif: true # upload to GitHub Code Scanning
comment: true # post score + findings to PR
Outputs: score, grade, findings. See CI action source for all inputs.
Usage
Works in VS Code, Cursor, Windsurf, Antigravity, and other compatible editors.
- Install the extension
- Open an MCP server file (TypeScript, JavaScript, or Python)
- The sidebar shows score, IR tree, and findings
- Click any finding to jump to the line
- Use
Cmd+Shift+M / Ctrl+Shift+M to scan manually
- Right-click for "KERN: Scan MCP Server" in the context menu
Configuration
| Setting |
Default |
Description |
kernMcpSecurity.enabled |
true |
Enable/disable scanning |
kernMcpSecurity.severity |
"all" |
Filter: all, errors, warnings |
kernMcpSecurity.animations |
true |
Enable sidebar animations (flow rail, pulse dots) |
Project-level config via .mcpsecurityrc.json:
{
"enabled": true,
"severity": "errors"
}
Architecture
The extension spawns a lightweight MCP subprocess for analysis — the editor stays fast. The engine combines three layers:
- Legacy regex rules — fast pattern matching for known vulnerability patterns
- Compiled
.kern rules — declarative, human-auditable rules with taint tracking and guard dependencies
- KERN IR inference — translates MCP server code to KERN's intermediate representation, checks structural invariants (effects must have guards)
No network calls. No telemetry. Everything runs locally.
Real-World Results
Tested against the official MCP servers and the vulnerable-mcp-servers-lab:
| Test Suite |
Servers |
Findings |
| Official MCP (filesystem, git, memory, fetch, time) |
7 |
37 |
| Vulnerable MCP lab (7 intentional vuln servers) |
7 |
50 |
All 7 lab servers detected. Catches command injection (eval), hardcoded secrets, prompt injection, data injection markers, SSRF, unsanitized external data, missing auth on remote servers, system info disclosure, typosquatting, and rug-pull patterns.
Requirements
- VS Code 1.85+ or compatible editor (Cursor, Windsurf, Antigravity)
- Node.js 18+ (for the CLI)
- MCP servers using
@modelcontextprotocol/sdk (TypeScript) or mcp.server / FastMCP (Python)
Links
License
Part of the KERN project. AGPL-3.0 — free for individuals and open-source projects. Commercial use requires a license. See LICENSE.
