
mcp-security-agent
An MCP-based security scanner and agentic AI for vulnerability detection
An intelligent, agentic AI security scanner built on the Model Context Protocol (MCP) that actively scans for vulnerabilities and provides automated security analysis.
Option A: npm (Recommended)
# Install globally
npm install -g mcp-security-agent
# Or install locally
npm install mcp-security-agent
Option B: Docker
# Run with Docker
docker run ghcr.io/johnjohn2410/mcp-security-agent scan .
Option C: Binary
# Download from GitHub Releases
# https://github.com/johnjohn2410/MCP-Security-Agent/releases
./mcp-security-agent scan .
# Scan a directory for vulnerabilities
mcp-security-agent scan ./your-project
# Or use the CLI directly
mcp-security-agent scan ./your-project --type comprehensive
# Results are displayed in JSON format
# For HTML report, use:
mcp-security-agent scan ./your-project --format html
That's it! Your security scan is complete. The agent will detect:
┌─────────────────┐    ┌─────────────────┐    ┌─────────────────┐
│   AI Agent      │    │   MCP Client    │    │   Security      │
│   Core          │◄──►│   Layer         │◄──►│   Scanner       │
└─────────────────┘    └─────────────────┘    └─────────────────┘
         │                      │                      │
         ▼                      ▼                      ▼
┌─────────────────┐    ┌─────────────────┐    ┌─────────────────┐
│   Policy        │    │   Tool          │    │   Vulnerability │
│   Engine        │    │   Registry      │    │   Database      │
└─────────────────┘    └─────────────────┘    └─────────────────┘
# Global installation (CLI tool)
npm install -g mcp-security-agent
# Local installation (library)
npm install mcp-security-agent
# Pull and run
docker run ghcr.io/johnjohn2410/mcp-security-agent scan .
# Or build locally
docker build -t mcp-security-agent .
docker run mcp-security-agent scan .
Download pre-built binaries from GitHub Releases:
mcp-security-agent-linux
mcp-security-agent-macos
mcp-security-agent-win.exe
mcp-security-agent-linux-arm64
mcp-security-agent-macos-arm64
# Make executable and run
chmod +x mcp-security-agent-linux
./mcp-security-agent-linux scan .
# Clone the repository
git clone https://github.com/johnjohn2410/mcp-security-agent.git
cd mcp-security-agent
# Install dependencies
npm install
# Build the project
npm run build
# Set up environment variables
cp env.example .env
# Edit .env with your configuration
Create a .env file with the following variables:
# OpenAI API Key for AI analysis (optional)
OPENAI_API_KEY=your_openai_api_key
# Security scanning configuration
SCAN_DEPTH=deep
SCAN_TIMEOUT=300000
MAX_CONCURRENT_SCANS=5
# MCP Server configuration
MCP_SERVER_PORT=3000
MCP_SERVER_HOST=localhost
# Logging
LOG_LEVEL=info
LOG_FILE=logs/security-agent.log
# Security policies
ALLOWED_FILE_TYPES=js,ts,py,java,go,yml,yaml,json
BLOCKED_PATTERNS=password,secret,key,token
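The sample `ALLOWED_FILE_TYPES` and `BLOCKED_PATTERNS` values above describe a keyword-based check limited to certain file extensions. The sketch below is an added example, not mcp-security-agent's own code, showing how such a check behaves on constructed input and how a stricter assignment rule reduces noise. The helper names (`inScope`, `naiveFindings`, `assignmentFindings`) and the extension-matching and substring-matching behaviour are assumptions.

```javascript
// Added example, not mcp-security-agent's own code.
// Values copied from the .env sample above.
const ALLOWED_FILE_TYPES = 'js,ts,py,java,go,yml,yaml,json'.split(',');
const BLOCKED_PATTERNS = 'password,secret,key,token'.split(',');

// Assumption: scope is decided by file extension. A dotfile such as ".env"
// has no extension under this rule and is therefore out of scope.
function inScope(file) {
  const base = file.split('/').pop();
  const dot = base.lastIndexOf('.');
  const ext = dot > 0 ? base.slice(dot + 1).toLowerCase() : '';
  return ALLOWED_FILE_TYPES.includes(ext);
}

// Naive rule: flag every line that contains a blocked keyword anywhere.
function naiveFindings(file, text) {
  if (!inScope(file)) return [];
  const out = [];
  text.split('\n').forEach((line, i) => {
    const hit = BLOCKED_PATTERNS.find((p) => line.toLowerCase().includes(p));
    if (hit) out.push({ file, line: i + 1, pattern: hit });
  });
  return out;
}

// Stricter rule: the keyword must be part of a name that is assigned a
// quoted literal of at least 8 characters.
const ASSIGNMENT = new RegExp(
  `\\b\\w*(${BLOCKED_PATTERNS.join('|')})\\w*\\s*[:=]\\s*["'][^"']{8,}["']`, 'i');

function assignmentFindings(file, text) {
  if (!inScope(file)) return [];
  const out = [];
  text.split('\n').forEach((line, i) => {
    const m = ASSIGNMENT.exec(line);
    if (m) out.push({ file, line: i + 1, pattern: m[1].toLowerCase() });
  });
  return out;
}

// Constructed sample input (no real credentials).
const SAMPLE = [
  'const keyboardLayout = "qwerty";',
  'const apiToken = "example-token-value-0001";',
  '// rotate the password every 90 days',
  'db_password: "hunter2-hunter2"',
].join('\n');

console.log(naiveFindings('src/app.js', SAMPLE).length,
  assignmentFindings('src/app.js', SAMPLE).length);
```

On the constructed sample the naive rule flags all four lines, including `keyboardLayout` and a comment, while the assignment rule keeps only the two lines that assign a literal. Under the extension-matching assumption, a file named `.env` falls outside the sample `ALLOWED_FILE_TYPES` list.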
# Comprehensive security scan
mcp-security-agent scan ./path/to/project --type comprehensive
# Quick scan (secrets and dependencies only)
mcp-security-agent scan ./path/to/project --type quick
# Targeted scan (specific vulnerability types)
mcp-security-agent scan ./path/to/project --targets code,secrets
# Generate HTML report
mcp-security-agent scan ./path/to/project --format html
# Start MCP server for AI assistant integration
mcp-security-agent server
# Main scan command
scan <path>              # Scan a directory or file
  --type <type>          # quick, comprehensive, targeted
  --targets <targets>    # code,secrets,dependencies,config,policy
  --format <format>      # json, html, csv, pdf, sarif
  --include <patterns>   # File patterns to include
  --exclude <patterns>   # File patterns to exclude
# Policy management
policy --list # List all policies
policy --add <file> # Add policy from file
policy --remove <id> # Remove policy by ID
# Specialized scans
deps <path> # Scan dependencies only
secrets <path> # Scan for secrets only
analyze <path> # AI-powered analysis
# Report generation
report <path> --format html # Generate security report
import { SecurityAgent } from 'mcp-security-agent';

// Scan configuration, passed to both the constructor and scan()
const config = {
  path: './my-project',
  scanType: 'comprehensive',
  outputFormat: 'json'
};

const agent = new SecurityAgent(config);

// Top-level await requires an ES module context
const results = await agent.scan('./my-project', config);
console.log(`Found ${results.findings.length} vulnerabilities`);
The agent can be used as an MCP server for AI assistant integration:
# Start MCP server
mcp-security-agent server
# Connect from MCP client
# The agent will be available as security scanning tools
# Scan a local directory
docker run -v "$(pwd)":/workspace ghcr.io/johnjohn2410/mcp-security-agent scan /workspace
# Scan with custom configuration
docker run -v "$(pwd)":/workspace -e SCAN_TYPE=comprehensive ghcr.io/johnjohn2410/mcp-security-agent scan /workspace
# Run as MCP server
docker run -p 3000:3000 ghcr.io/johnjohn2410/mcp-security-agent server
The agent supports multiple output formats:
# Run tests
npm test
# Test with example vulnerable code
mcp-security-agent scan ./examples --type comprehensive
We welcome contributions! Please see our Contributing Guide for details.
# Install dependencies
npm install
# Build in development mode
npm run dev
# Run tests
npm test
# Lint code
npm run lint
This project is licensed under the MIT License - see the LICENSE file for details.
We found that mcp-security-agent demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.