Security infrastructure for the agent economy

Your MCP servers have security holes.
mcp-scan finds them.

A CLI scanner purpose-built for Model Context Protocol servers. Detects vulnerabilities, misconfigurations, and compliance gaps in seconds.

$ npx @syntrophy/mcp-scan scan ./your-mcp-server

No account required. MIT licensed. Read the docs →

bash — mcp-scan

$ npx @syntrophy/mcp-scan scan ./server

@syntrophy/mcp-scan v0.1.0

Scanning: ./server (14 rules)

[CRITICAL] TOOL-POISONING-001

src/tools/calculator.ts:47

Tool description accepts user input without sanitization.

Fix: sanitize at registration time

[HIGH] TRANSPORT-AUTH-002

src/transport/sse.ts:23

SSE endpoint missing auth on capability negotiation.

Fix: require Bearer token on /capabilities

[INFO] SPEC-DRIFT-001

package.json

MCP spec version 0.9.1 — current is 1.0.

Scanned 847 lines in 4.2s
2 findings require action.

Rules

Rules written for MCP, not retooled from generic scanners

mcp-scan ships with a rule library built against the MCP specification — tool poisoning, prompt injection via tool descriptions, transport security, capability escalation. Generic SAST tools miss these. We don't.

No generic scanner has MCP-specific rules. The attack surfaces in this protocol don't exist in traditional web security tooling.

Generic SAST

mcp-scan

Scanning...

0 findings

No MCP rules loaded

Scanning... (14 rules)

TOOL-POISONING-001

[CRITICAL]

TRANSPORT-AUTH-002

[HIGH]

2 findings require action.

CLI

One command. No account required.

npx @syntrophy/mcp-scan scan <target> — that's it. Run locally, in your CI pipeline, or in a pre-commit hook. Results in seconds. JSON and SARIF output for downstream tooling.

.github/workflows/security.yml

# Add to any CI pipeline
- name: mcp-scan security check
  run: npx @syntrophy/mcp-scan scan ./src/mcp-server

mcp-scan terminal demo — real scan output

Real scan output. No mock data.

Findings

Every finding tells you exactly what to fix

No vague "potential vulnerability detected" noise. mcp-scan returns the vulnerable code path, severity classification, rule ID, and a remediation path. Fix it. Move on.

FINDING [CRITICAL] TOOL-POISONING-001

File: src/tools/calculator.ts:47 Rule: Tool description injection vector Detail: Tool description accepts user-controlled input without sanitization. An attacker can inject instructions into the model context via crafted tool names or descriptions. Fix: Sanitize tool descriptions at registration time. See: docs/rules/TOOL-POISONING-001.md

Pricing

Start free. Stay free.

mcp-scan is in beta

Full CLI access — free while we're in development. Join the beta list to get notified about Pro features, rule updates, and the CI integration.

No spam. Unsubscribe any time. We announce rule updates and version releases only.

FAQ

Common questions

Does mcp-scan require an account?

No. npx @syntrophy/mcp-scan scan <target> runs locally with no signup, no API key, no telemetry by default.

What MCP spec versions does it support?

mcp-scan tests against the current MCP specification. The rule library is updated as the spec evolves — check --version for the current rule count.

Can I run it in CI?

Yes. JSON output and SARIF 2.1.0 output work with GitHub Advanced Security, GitLab, and any SIEM with SARIF ingestion. --format sarif --output report.sarif

Is the rule library open source?

The CLI and community rule library are MIT licensed. Advanced rules (enterprise detection patterns, custom rule authoring) are planned for Pro.

What languages and frameworks does it support?

mcp-scan analyzes MCP server implementations in TypeScript and JavaScript. Python support is on the roadmap. File a GitHub issue if your runtime is blocking adoption.

How is this different from Snyk or Semgrep?

Snyk and Semgrep have no MCP-specific rules. They don't know the MCP spec. They won't catch tool poisoning, prompt injection via tool descriptions, or capability escalation. mcp-scan was built for exactly these attack surfaces.

Your MCP servers have security holes.mcp-scan finds them.