# mcp-audit — Scan MCP Configs for Secrets & Shadow APIs > Audit MCP server configs and source trees to find exposed secrets, risky endpoints, and model access. Outputs JSON/CSV/SARIF/CycloneDX AI-BOM for CI gates. ## Install Merge the JSON below into your `.mcp.json`: ## Quick Use ```bash pip install mcp-audit # Inventory MCP configurations under the current repo mcp-audit scan --path . --format json -o mcp-report.json # Deeper: scan an MCP server's source tree mcp-audit source-scan ./my-mcp --format sarif --output mcp.sarif ``` ## Intro mcp-audit is a security-focused CLI that inventories MCP configurations and can optionally analyze MCP server source code, so teams can understand what their agents can access before shipping. **Best for:** Security reviews for agent toolchains, CI compliance, and MCP governance **Works with:** Local repos/paths; JSON/CSV/SARIF/CycloneDX outputs; CLI-first workflows **Setup time:** 5–10 minutes ### Key facts (verified) - Supports `scan` for configs and `source-scan` for code per README. - Exports JSON, CSV, Markdown, SARIF, and CycloneDX 1.6 AI-BOM formats (README). - GitHub: 149 stars · 37 forks; pushed 2026-05-12 (GitHub API verified). ## Main Use mcp-audit as a guardrail, not a one-off report: - Add `mcp-audit scan` to CI to catch accidental secret commits in MCP configs. - Run `source-scan` on any in-house MCP server before granting it broad access. - Prefer SARIF output if you already use GitHub code scanning, so findings land where engineers work. ### README excerpt (verbatim) # MCP Audit [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT) [![Python 3.9+](https://img.shields.io/badge/python-3.9+-blue.svg)](https://www.python.org/downloads/) [![GitHub release](https://img.shields.io/github/v/release/apisec-inc/mcp-audit)](https://github.com/apisec-inc/mcp-audit/releases) **See what your AI agents can access - before they go live.** **Web App** ![MCP Audit Web App](https://apisec-inc.github.io/mcp-audit/screenshot.png) **CLI** ![MCP Audit CLI](https://apisec-inc.github.io/mcp-audit/Screenshot2.png) ## Quick Start ```bash # Install pip install -e . # Scan your machine mcp-audit scan # Or try the web app (no install) # https://apisec-inc.github.io/mcp-audit/?demo=true ``` ## What It Does MCP Audit scans your AI development tools (Claude Desktop, Cursor, VS Code) and reveals: - **Secrets** - Exposed API keys, tokens, database passwords - **APIs** - Every endpoint your AI agents connect to - **AI Models** - Which LLMs are configured (GPT-4, Claude, Llama) - **Risk Flags** - Shell access, filesystem access, unverified sources ``` ⚠️ 2 SECRET(S) DETECTED - IMMEDIATE ACTION REQUIRED [CRITICAL] GitHub Personal Access Token Location: github-tools → env.GITHUB_TOKEN Remediation: https://github.com/settings/tokens → Delete → Recreate [HIGH] Database Connection String Location: postgres-mcp → env.DATABASE_URL Remediation: Rotate credentials, use secrets manager ``` ## Source-level Scanning (new in v1.1) `mcp-audit scan` inventories MCP server **configurations**. The new `mcp-audit source-scan` command goes one level deeper — it reads the MCP server's own **source code** and flags code-level vulnerabilities the server author may have introduced. Today it catches the **"Prompt In, Shell Out"** attack chain: an MCP server that pipes an LLM-controlled tool argument into a shell-spawning API (`child_process.exec`, `util.promisify(exec)`, `subprocess.run(shell=True)`, `os.system`, `os.popen`) without sanitization. An attacker controlling the LLM input can inject shell metacharacters and execute arbitrary code on the host running the MCP server. ```bash $ mcp-audit source-scan ./packages/my-mcp-server MCP source-scan: packages/my-mcp-server 1 critical · 0 high · 1 finding(s) total Severity Conf File:Line API Snippet CRITICAL high server.js:19 util.promisify(child_process.exec) ... const { stdout } = await execAsync( ``` Outputs: - `--format table` (default, human-readable) ### FAQ **Q: What does `scan` look at?** A: README says it inventories MCP server configurations and summarizes access. **Q: When should I use `source-scan`?** A: Use it for in-house or unverified servers to catch code-level risks. **Q: What output fits CI?** A: JSON for parsing, or SARIF/CycloneDX when integrating with security tooling. ## Source & Thanks > Source: https://github.com/apisec-inc/mcp-audit > License: MIT > GitHub stars: 149 · forks: 37 --- ## 快速使用 ```bash pip install mcp-audit # 扫描当前仓库内的 MCP 配置 mcp-audit scan --path . --format json -o mcp-report.json # 更深入:扫描 MCP 服务器源码目录 mcp-audit source-scan ./my-mcp --format sarif --output mcp.sarif ``` ## 简介 mcp-audit 是面向安全的命令行工具:先盘点 MCP 配置,再按需扫描 MCP 服务器源码,帮助团队在上线前搞清楚 Agent 到底能访问什么。 **最适合:** Agent 工具链安全评审、CI 合规门禁、MCP 治理 **适配:** 本地仓库/目录;支持 JSON/CSV/SARIF/CycloneDX 输出;命令行工作流 **配置时间:** 5–10 分钟 ### 关键事实(已验证) - README 提供 `scan`(配置盘点)与 `source-scan`(源码扫描)两类命令。 - README 列出 JSON/CSV/Markdown/SARIF/CycloneDX 1.6 AI-BOM 多种输出格式。 - GitHub:149 stars · 37 forks;最近更新 2026-05-12(GitHub API 验证)。 ## 正文 把 mcp-audit 当作“持续护栏”而不是一次性报告: - CI 里跑 `mcp-audit scan`,及时发现 MCP 配置里的意外密钥暴露。 - 给自研 MCP server 放权前先跑 `source-scan` 做基线体检。 - 如果你已在用 GitHub Code Scanning,优先输出 SARIF 让问题直接落在研发工作流里。 ### README 原文节选(verbatim) # MCP Audit [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT) [![Python 3.9+](https://img.shields.io/badge/python-3.9+-blue.svg)](https://www.python.org/downloads/) [![GitHub release](https://img.shields.io/github/v/release/apisec-inc/mcp-audit)](https://github.com/apisec-inc/mcp-audit/releases) **See what your AI agents can access - before they go live.** **Web App** ![MCP Audit Web App](https://apisec-inc.github.io/mcp-audit/screenshot.png) **CLI** ![MCP Audit CLI](https://apisec-inc.github.io/mcp-audit/Screenshot2.png) ## Quick Start ```bash # Install pip install -e . # Scan your machine mcp-audit scan # Or try the web app (no install) # https://apisec-inc.github.io/mcp-audit/?demo=true ``` ## What It Does MCP Audit scans your AI development tools (Claude Desktop, Cursor, VS Code) and reveals: - **Secrets** - Exposed API keys, tokens, database passwords - **APIs** - Every endpoint your AI agents connect to - **AI Models** - Which LLMs are configured (GPT-4, Claude, Llama) - **Risk Flags** - Shell access, filesystem access, unverified sources ``` ⚠️ 2 SECRET(S) DETECTED - IMMEDIATE ACTION REQUIRED [CRITICAL] GitHub Personal Access Token Location: github-tools → env.GITHUB_TOKEN Remediation: https://github.com/settings/tokens → Delete → Recreate [HIGH] Database Connection String Location: postgres-mcp → env.DATABASE_URL Remediation: Rotate credentials, use secrets manager ``` ## Source-level Scanning (new in v1.1) `mcp-audit scan` inventories MCP server **configurations**. The new `mcp-audit source-scan` command goes one level deeper — it reads the MCP server's own **source code** and flags code-level vulnerabilities the server author may have introduced. Today it catches the **"Prompt In, Shell Out"** attack chain: an MCP server that pipes an LLM-controlled tool argument into a shell-spawning API (`child_process.exec`, `util.promisify(exec)`, `subprocess.run(shell=True)`, `os.system`, `os.popen`) without sanitization. An attacker controlling the LLM input can inject shell metacharacters and execute arbitrary code on the host running the MCP server. ```bash $ mcp-audit source-scan ./packages/my-mcp-server MCP source-scan: packages/my-mcp-server 1 critical · 0 high · 1 finding(s) total Severity Conf File:Line API Snippet CRITICAL high server.js:19 util.promisify(child_process.exec) ... const { stdout } = await execAsync( ``` Outputs: - `--format table` (default, human-readable) ### FAQ **`scan` 会检查什么?** 答:README 表示它盘点 MCP 配置并汇总访问范围。 **什么时候用 `source-scan`?** 答:自研或不确定可信度的 MCP server 建议先做源码级扫描。 **CI 里用什么输出?** 答:JSON 便于解析;SARIF/CycloneDX 便于接入安全平台。 ## 来源与感谢 > Source: https://github.com/apisec-inc/mcp-audit > License: MIT > GitHub stars: 149 · forks: 37 --- Source: https://tokrepo.com/en/workflows/mcp-audit-scan-mcp-configs-for-secrets-shadow-apis Author: MCP Hub