mcp-audit-scanner 0.1.0__tar.gz

mcp_audit_scanner-0.1.0/.github/PULL_REQUEST_TEMPLATE/rule-submission.md

@@ -0,0 +1,28 @@
+---
+name: Community Rule Submission
+about: Submit a new detection rule to the mcp-audit community ruleset
+---
+
+## Rule submission checklist
+
+- [ ] Rule ID follows the `COMM-NNN` format and does not conflict with an
+      existing rule in `rules/community/`
+- [ ] Rule file is named `{RULE-ID}.yml` and placed in `rules/community/`
+- [ ] Rule passes `mcp-audit rule validate rules/community/{RULE-ID}.yml`
+      with no errors
+- [ ] Rule has been tested with `mcp-audit rule test` against at least one
+      real MCP config
+- [ ] Severity is justified in the PR description (why high vs medium vs low)
+- [ ] Tags are drawn from existing tag vocabulary where possible
+- [ ] Rule does not duplicate an existing community rule
+- [ ] Description explains what attacker behavior or misconfiguration this
+      detects and why it matters
+
+## Rule summary
+
+**Rule ID:** COMM-NNN  
+**Name:**  
+**Severity:**  
+**What it detects:**  
+**Why it matters:**  
+**Tested against:** (describe the config you tested it on)

mcp_audit_scanner-0.1.0/.github/dependabot.yml

@@ -0,0 +1,25 @@
+version: 2
+updates:
+  # Python dependencies (pip/uv)
+  - package-ecosystem: pip
+    directory: "/"
+    schedule:
+      interval: weekly
+      day: monday
+    open-pull-requests-limit: 5
+    labels:
+      - dependencies
+    ignore:
+      # sigstore has breaking changes between minors — pin manually
+      - dependency-name: sigstore
+        update-types: ["version-update:semver-minor", "version-update:semver-major"]
+
+  # GitHub Actions
+  - package-ecosystem: github-actions
+    directory: "/"
+    schedule:
+      interval: weekly
+      day: monday
+    open-pull-requests-limit: 5
+    labels:
+      - dependencies

mcp_audit_scanner-0.1.0/.github/workflows/ci.yml

@@ -0,0 +1,85 @@
+name: CI
+
+on:
+  push:
+  pull_request:
+
+jobs:
+  test:
+    name: Test (${{ matrix.os }}, ${{ matrix.python-version }})
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest, macos-latest, windows-latest]
+        python-version: ["3.11", "3.12"]
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+
+      - name: Install uv
+        run: pip install uv
+
+      - name: Install dependencies
+        run: uv pip install -e ".[dev]" --system
+
+      - name: Install Playwright browsers
+        if: matrix.os == 'ubuntu-latest' && matrix.python-version == '3.12'
+        run: |
+          uv pip install playwright --system
+          python -m playwright install chromium firefox webkit
+          python -m playwright install-deps
+
+      - name: Run tests
+        run: pytest tests/ -x -q
+
+      - name: Ruff check
+        run: ruff check src/ tests/
+
+      - name: Ruff format check
+        run: ruff format --check src/ tests/
+
+      - name: Verify test-count docs in sync
+        # Runs on a single matrix leg — collected test count is identical
+        # across OS / Python versions, so repeating the check is redundant.
+        if: matrix.os == 'ubuntu-latest' && matrix.python-version == '3.12'
+        run: python scripts/update_test_count.py --check
+
+  binary-smoke:
+    name: Binary smoke test (ubuntu)
+    runs-on: ubuntu-latest
+    # Only run on PRs and pushes to main — skip for every branch push
+    if: github.event_name == 'pull_request' || github.ref == 'refs/heads/main'
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install uv
+        run: pip install uv
+
+      - name: Install dependencies
+        run: uv pip install -e ".[dev]" --system
+
+      - name: Install PyInstaller
+        run: uv pip install pyinstaller --system
+
+      - name: Build Linux binary
+        run: uv run pyinstaller mcp-audit-linux-x86_64.spec --distpath dist/
+
+      - name: Run smoke test
+        run: python scripts/smoke_test.py dist/mcp-audit-linux-x86_64
+
+      - name: Check binary size
+        run: |
+          SIZE_BYTES=$(wc -c < dist/mcp-audit-linux-x86_64 | tr -d ' ')
+          SIZE_MB=$(echo "scale=1; $SIZE_BYTES / 1048576" | bc)
+          echo "Linux binary: ${SIZE_MB} MB"
+          if [ "$SIZE_BYTES" -gt 36700160 ]; then
+            echo "ERROR: binary exceeds 35 MB hard limit" >&2
+            exit 1
+          fi

mcp_audit_scanner-0.1.0/.github/workflows/codeql.yml

@@ -0,0 +1,38 @@
+name: CodeQL
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    # Weekly full scan — Mondays at 08:00 UTC
+    - cron: "0 8 * * 1"
+
+jobs:
+  analyze:
+    name: Analyze (Python)
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: python
+          # Use the security-extended query suite for broader coverage
+          queries: security-extended
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v3
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:python"

mcp_audit_scanner-0.1.0/.github/workflows/mcp-audit-example.yml

@@ -0,0 +1,48 @@
+name: MCP Security Scan
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+permissions:
+  contents: read
+  security-events: write
+
+jobs:
+  mcp-audit:
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      contents: read
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Run mcp-audit
+        uses: adudley78/mcp-audit@main
+        with:
+          severity-threshold: high
+          upload-sarif: 'true'
+
+  # Pro feature — uncomment if you have an mcp-audit Pro license and Semgrep installed.
+  # mcp-audit-sast:
+  #   runs-on: ubuntu-latest
+  #   permissions:
+  #     security-events: write
+  #     contents: read
+  #
+  #   steps:
+  #     - uses: actions/checkout@v4
+  #
+  #     - name: Install Semgrep
+  #       run: pip install semgrep
+  #
+  #     - name: Run mcp-audit with SAST
+  #       uses: adudley78/mcp-audit@main
+  #       with:
+  #         sast: 'true'
+  #         sast-path: 'src/'
+  #         severity-threshold: medium
+  #         upload-sarif: 'true'

mcp_audit_scanner-0.1.0/.github/workflows/release.yml

@@ -0,0 +1,133 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - "v*.*.*"
+
+permissions:
+  contents: write
+
+jobs:
+  build:
+    name: Build ${{ matrix.target }}
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: macos-13
+            target: darwin-x86_64
+            spec: mcp-audit-darwin-x86_64.spec
+            binary: mcp-audit-darwin-x86_64
+          - os: macos-latest
+            target: darwin-arm64
+            spec: mcp-audit-darwin-arm64.spec
+            binary: mcp-audit-darwin-arm64
+          - os: ubuntu-latest
+            target: linux-x86_64
+            spec: mcp-audit-linux-x86_64.spec
+            binary: mcp-audit-linux-x86_64
+          - os: windows-latest
+            target: windows-x86_64
+            spec: mcp-audit-windows-x86_64.spec
+            binary: mcp-audit-windows-x86_64.exe
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v4
+        with:
+          version: "latest"
+
+      - name: Set up Python
+        run: uv python install 3.11
+
+      - name: Install dependencies
+        run: uv sync --all-extras
+
+      - name: Install PyInstaller
+        run: uv pip install pyinstaller
+
+      - name: Build binary
+        run: uv run pyinstaller ${{ matrix.spec }} --distpath dist/
+
+      - name: Smoke test — version
+        run: dist/${{ matrix.binary }} version
+        shell: bash
+
+      - name: Smoke test — full end-to-end
+        run: python scripts/smoke_test.py dist/${{ matrix.binary }}
+        shell: bash
+
+      - name: Binary size check
+        shell: bash
+        run: |
+          BINARY="dist/${{ matrix.binary }}"
+          SIZE_BYTES=$(wc -c < "$BINARY" | tr -d ' ')
+          SIZE_MB=$(echo "scale=1; $SIZE_BYTES / 1048576" | bc)
+          echo "Binary size: ${SIZE_MB} MB (${SIZE_BYTES} bytes)"
+          # Warn at 25 MB, fail at 35 MB. Sigstore added ~3-4 MB from the 20 MB baseline.
+          # Adjust these thresholds after the first post-sigstore rebuild.
+          if [ "$SIZE_BYTES" -gt 36700160 ]; then   # 35 MB
+            echo "ERROR: binary exceeds 35 MB hard limit (${SIZE_MB} MB)" >&2
+            exit 1
+          elif [ "$SIZE_BYTES" -gt 26214400 ]; then  # 25 MB
+            echo "WARNING: binary exceeds 25 MB soft limit (${SIZE_MB} MB)"
+          else
+            echo "OK: binary is within size target"
+          fi
+
+      - name: Upload artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ matrix.target }}
+          path: dist/${{ matrix.binary }}
+          if-no-files-found: error
+
+  release:
+    name: Create GitHub Release
+    needs: build
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Download all artifacts
+        uses: actions/download-artifact@v4
+        with:
+          path: dist/
+
+      - name: Create release and upload binaries
+        uses: softprops/action-gh-release@v2
+        with:
+          files: dist/**/*
+          generate_release_notes: true
+
+  report:
+    name: Release Summary
+    needs: [build, release]
+    runs-on: ubuntu-latest
+    if: always()
+
+    steps:
+      - name: Download all artifacts
+        uses: actions/download-artifact@v4
+        with:
+          path: dist/
+
+      - name: Post binary size summary
+        run: |
+          echo "## Binary sizes" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "| Binary | Size |" >> $GITHUB_STEP_SUMMARY
+          echo "|--------|------|" >> $GITHUB_STEP_SUMMARY
+          for f in dist/**/*; do
+            if [ -f "$f" ]; then
+              SIZE=$(du -sh "$f" | cut -f1)
+              NAME=$(basename "$f")
+              echo "| $NAME | $SIZE |" >> $GITHUB_STEP_SUMMARY
+            fi
+          done
+        shell: bash

mcp_audit_scanner-0.1.0/.gitignore

@@ -0,0 +1,26 @@
+__pycache__/
+*.py[cod]
+*.egg-info/
+dist/
+build/
+.eggs/
+*.egg
+.venv/
+venv/
+.mypy_cache/
+.pytest_cache/
+.ruff_cache/
+*.so
+.DS_Store
+Thumbs.db
+
+# Secrets and credentials
+.env
+.env.*
+*.key
+*.pem
+
+# PyInstaller build artifacts (spec files are source — do not ignore *.spec)
+# Demo output files (generated by demo/run_demo.sh)
+demo/output/*.json
+demo/output/*.sarif

mcp_audit_scanner-0.1.0/.pre-commit-hooks.yaml

@@ -0,0 +1,9 @@
+- id: mcp-audit
+  name: mcp-audit MCP Security Scanner
+  description: Scan MCP server configuration files for security vulnerabilities
+  language: python
+  entry: mcp-audit
+  args: [scan, --severity-threshold, high]
+  types: [json]
+  pass_filenames: false
+  always_run: false

mcp_audit_scanner-0.1.0/.semgrepignore

@@ -0,0 +1,13 @@
+# Root .semgrepignore — overrides Semgrep's built-in defaults.
+# Intentionally does NOT exclude tests/ so that semgrep-rules/tests/
+# fixtures are scannable.
+
+node_modules/
+__pycache__/
+*.min.js
+dist/
+build/
+venv/
+.venv/
+.git/
+*.pyc