secscan-mcp 0.1.2__tar.gz

secscan_mcp-0.1.2/.gitignore

@@ -0,0 +1,58 @@
+# Python
+__pycache__/
+*.py[cod]
+*$py.class
+*.so
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# Virtual environments
+.venv/
+venv/
+ENV/
+env/
+
+# Tooling caches
+.mypy_cache/
+.pytest_cache/
+.ruff_cache/
+.coverage
+htmlcov/
+.hypothesis/
+
+# IDE / OS
+.idea/
+*.swp
+*.swo
+.DS_Store
+Thumbs.db
+
+# Local env and secrets (never commit)
+.env
+.env.*
+!.env.example
+*.pem
+*.key
+credentials.json
+
+# Scan artifacts (generated during dev/tests)
+.scan-output/
+*.sarif
+
+# uv
+uv.lock

secscan_mcp-0.1.2/CHANGELOG.md

@@ -0,0 +1,40 @@
+# Changelog
+
+All notable changes to this project are documented here. Version numbers follow [Semantic Versioning](https://semver.org/).
+
+## [0.1.2] - 2026-06-16
+
+### Fixed
+
+- Update release process and documentation: enhance CHANGELOG.md auto-update functionality in the release script, ensuring it reflects the latest commits. Streamline release steps by clarifying prerequisites and improving user feedback during the release process.
+- Enhance release workflow and documentation: add workflow_dispatch trigger to release.yml for manual execution, and expand PUBLISHING.md with detailed steps for setting up trusted publishing on PyPI, including environment creation and verification processes.
+
+
+## [0.1.1] - 2026-06-16
+
+### Added
+
+- Git commit history secret scanning (`git_history` engine) via `include_git_history: true`
+- PyPI publish workflow and release script (`make release-patch|minor|major`)
+- Multi-IDE setup guide, example MCP configs, and `uvx` install path
+- CI build job and package publishing docs
+
+## [0.1.0] - 2026-06-16
+
+First public release.
+
+### Added
+
+- MCP server with stdio transport for any IDE (Cursor, VS Code, Claude Desktop, Windsurf, etc.)
+- Tools: `scan_secrets`, `scan_code`, `scan_dependencies`, `scan_iac`, `scan_all`, `list_available_scanners`, `explain_finding`
+- Normalized finding schema with severity mapping, deduplication, and secret redaction
+- Built-in **custom** secret scanner (no external CLI required)
+- Built-in **git_history** scanner — detect secrets in past commits via `include_git_history: true`
+- Optional engine adapters: gitleaks, semgrep, bandit, osv-scanner, checkov
+- Multi-IDE setup guide and example MCP configs
+- CI workflow (Python 3.11–3.13)
+
+[0.1.1]: https://github.com/openjkai/secscan_mcp/releases/tag/v0.1.1
+[0.1.0]: https://github.com/openjkai/secscan_mcp/releases/tag/v0.1.0
+
+[0.1.2]: https://github.com/openjkai/secscan_mcp/releases/tag/v0.1.2

secscan_mcp-0.1.2/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 secscan-mcp contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

secscan_mcp-0.1.2/PKG-INFO

@@ -0,0 +1,161 @@
+Metadata-Version: 2.4
+Name: secscan-mcp
+Version: 0.1.2
+Summary: MCP server for codebase security scanning (secrets, SAST, SCA, IaC)
+Project-URL: Homepage, https://github.com/openjkai/secscan_mcp
+Project-URL: Documentation, https://github.com/openjkai/secscan_mcp#readme
+Project-URL: Repository, https://github.com/openjkai/secscan_mcp
+Project-URL: Issues, https://github.com/openjkai/secscan_mcp/issues
+Project-URL: Changelog, https://github.com/openjkai/secscan_mcp/blob/main/CHANGELOG.md
+Author: secscan-mcp contributors
+License: MIT
+License-File: LICENSE
+Keywords: mcp,model-context-protocol,sast,scanner,secrets,security
+Classifier: Development Status :: 3 - Alpha
+Classifier: Intended Audience :: Developers
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
+Classifier: Topic :: Security
+Requires-Python: >=3.11
+Requires-Dist: mcp>=1.6.0
+Requires-Dist: pyyaml>=6.0
+Provides-Extra: dev
+Requires-Dist: build>=1.0; extra == 'dev'
+Requires-Dist: mypy>=1.14; extra == 'dev'
+Requires-Dist: pre-commit>=4.0; extra == 'dev'
+Requires-Dist: pytest-asyncio>=0.24; extra == 'dev'
+Requires-Dist: pytest-cov>=6.0; extra == 'dev'
+Requires-Dist: pytest>=8.0; extra == 'dev'
+Requires-Dist: ruff>=0.9; extra == 'dev'
+Requires-Dist: types-pyyaml>=6.0; extra == 'dev'
+Description-Content-Type: text/markdown
+
+# secscan-mcp
+
+[![CI](https://github.com/openjkai/secscan_mcp/actions/workflows/ci.yml/badge.svg)](https://github.com/openjkai/secscan_mcp/actions/workflows/ci.yml)
+[![PyPI](https://img.shields.io/pypi/v/secscan-mcp)](https://pypi.org/project/secscan-mcp/)
+
+A portable **MCP server** for security scanning — works with **any AI coding assistant** that supports the [Model Context Protocol](https://modelcontextprotocol.io): Cursor, VS Code, Claude Desktop, Windsurf, Zed, Continue, and more.
+
+Scan codebases for **hardcoded secrets**, **SAST issues**, **vulnerable dependencies**, and **IaC misconfigurations** — one install, one normalized report format.
+
+The built-in **custom** scanner works with no extra tools. Install optional CLIs for broader coverage ([below](#optional-scanners)).
+
+## Quick start
+
+**1. Install** (Python 3.11+):
+
+```bash
+pip install secscan-mcp
+```
+
+Or run without installing (requires [uv](https://docs.astral.sh/uv/)):
+
+```bash
+uvx secscan-mcp
+```
+
+For MCP config with `uvx`, use `"command": "uvx"` and `"args": ["secscan-mcp"]` — see [setup guide](docs/setup.md).
+
+<details>
+<summary>Install from source</summary>
+
+```bash
+git clone https://github.com/openjkai/secscan_mcp.git
+cd secscan_mcp && pip install .
+```
+
+</details>
+
+**2. Add to your IDE** — pick your client:
+
+| IDE / client | Config file | Guide |
+|--------------|-------------|-------|
+| Cursor | `~/.cursor/mcp.json` | [setup →](docs/setup.md#cursor) |
+| VS Code | `.vscode/mcp.json` | [setup →](docs/setup.md#vs-code-github-copilot) |
+| Claude Desktop | OS-specific (see guide) | [setup →](docs/setup.md#claude-desktop) |
+| Claude Code | `~/.claude/settings.json` | [setup →](docs/setup.md#claude-code) |
+| Windsurf | `~/.codeium/windsurf/mcp_config.json` | [setup →](docs/setup.md#windsurf) |
+| Others | — | [Full setup guide](docs/setup.md) |
+
+Minimal config (works in Cursor, Claude Desktop, Windsurf):
+
+```json
+{
+  "mcpServers": {
+    "secscan": {
+      "command": "uvx",
+      "args": ["secscan-mcp"]
+    }
+  }
+}
+```
+
+If you installed with `pip install secscan-mcp`, you can use `"command": "secscan-mcp"` instead.
+
+**3. Verify** — ask your agent: *"Call `list_available_scanners` and scan_secrets on this project."*
+
+## MCP tools
+
+| Tool | Purpose |
+|------|---------|
+| `list_available_scanners` | Which engines are installed on this machine |
+| `scan_secrets` | Hardcoded credentials and secrets (optionally scan git commit history) |
+| `scan_code` | SAST (semgrep, bandit) |
+| `scan_dependencies` | Vulnerable packages (osv-scanner) |
+| `scan_iac` | IaC misconfigurations (checkov) |
+| `scan_all` | All available scanners, one unified report |
+| `explain_finding` | Remediation hints for a `rule_id` |
+
+Most scan tools accept `path` (directory to scan) and optional `severity_threshold` (`critical`, `high`, `medium`, `low`, `info`).
+
+`scan_secrets` also accepts `include_git_history` (boolean). When `true`, scans past git commits for secrets removed from the working tree but still present in history — no extra tools required beyond `git`.
+
+## Optional scanners
+
+Install any of these to extend coverage. Missing CLIs are skipped — the server still runs.
+
+| Engine | Category | Install (example) |
+|--------|----------|-------------------|
+| gitleaks | secrets | `brew install gitleaks` |
+| semgrep | SAST | `pip install semgrep` |
+| bandit | SAST (Python) | `pip install bandit` |
+| osv-scanner | dependencies | `brew install osv-scanner` |
+| checkov | IaC | `pip install checkov` |
+
+After installing, run `list_available_scanners` again to confirm.
+
+## Example prompts
+
+- *"Call `list_available_scanners` and tell me what's installed."*
+- *"Run `scan_secrets` with include_git_history on this repo — check if any secrets were ever committed."*
+- *"Run `scan_all` with severity_threshold high and summarize the findings."*
+- *"Explain the rule `internal-api-key`."*
+
+## Configuration
+
+Environment variables (optional):
+
+| Variable | Default | Description |
+|----------|---------|-------------|
+| `SECSCAN_DEFAULT_TIMEOUT_SECONDS` | `300` | Per-engine scan timeout |
+| `SECSCAN_MAX_FINDINGS` | `500` | Max findings per report |
+| `SECSCAN_GIT_MAX_COMMITS` | `500` | Max commits scanned in git history mode |
+
+Pass via MCP config `env` block — see [setup guide](docs/setup.md#environment-variables).
+
+## Development
+
+```bash
+make install-dev   # editable install + dev tools
+make check         # lint + typecheck + test
+```
+
+See [docs/CONTRIBUTING.md](docs/CONTRIBUTING.md) and [PLAN.md](PLAN.md).
+
+## License
+
+MIT

secscan_mcp-0.1.2/PLAN.md

@@ -0,0 +1,129 @@
+# secscan-mcp — product plan
+
+## Vision
+
+**secscan-mcp** is a portable [Model Context Protocol](https://modelcontextprotocol.io) server that gives any AI coding assistant — in any IDE — a single, normalized API for security scanning.
+
+One install. One report format. Works in Cursor, VS Code, Claude Desktop, Windsurf, and any other MCP host.
+
+## What it does
+
+| Category | Engines | MCP tool |
+|----------|---------|----------|
+| Secrets (working tree) | custom (built-in), gitleaks | `scan_secrets` |
+| Secrets (git history) | git_history (built-in), gitleaks | `scan_secrets` + `include_git_history: true` |
+| SAST | semgrep, bandit | `scan_code` |
+| Dependencies | osv-scanner | `scan_dependencies` |
+| IaC | checkov | `scan_iac` |
+| All | whatever is installed | `scan_all` |
+
+The **custom** engine scans current files with zero external tools. The **git_history** engine scans past commits for secrets that were removed from the working tree but remain in git history — critical because deleting a secret from code does not remove it from old commits.
+
+Optional CLIs (gitleaks, semgrep, etc.) extend coverage when present; missing CLIs are skipped gracefully.
+
+## Git history scanning
+
+Many credential leaks happen in **commits**, not just the current checkout. Developers often delete a secret from source but forget it persists in git history — where it can be found by anyone with repo access or after a public push.
+
+**How it works:**
+
+1. Call `scan_secrets` with `"include_git_history": true`
+2. **git_history** (built-in, requires `git`) walks recent commits (`git log -p`) and applies the same regex rules as the custom scanner to added lines in patches
+3. **gitleaks** (optional) runs its own history-aware detect when installed
+4. Findings include commit SHA, date, and remediation guidance (rotate + rewrite history)
+
+**Limits:** `SECSCAN_GIT_MAX_COMMITS` (default `500`) caps how far back to scan.
+
+## Architecture
+
+```
+MCP host (any IDE)
+    │  stdio
+    ▼
+server.py          ← MCP tools
+    │
+runner.py          ← parallel runs, timeouts, path safety
+    │
+engines/*          ← one adapter per scanner CLI
+    │
+normalize.py       ← Finding schema, severity, dedupe, redaction
+```
+
+## Phases
+
+### Phase 0 — Core engine ✅
+
+- [x] Normalized `Finding` / `ScanReport` schema
+- [x] Engine adapters (custom, gitleaks, semgrep, bandit, osv, checkov)
+- [x] Parallel runner with timeouts and path validation
+- [x] MCP server with 7 tools (stdio transport)
+- [x] Unit tests for normalize, paths, runner, custom engine
+
+### Phase 1 — Universal distribution ✅
+
+Goal: any developer can install and configure in their IDE in under 2 minutes.
+
+- [x] PLAN.md (this file)
+- [x] README reframed as IDE-agnostic MCP server
+- [x] Multi-IDE setup guide ([docs/setup.md](docs/setup.md))
+- [x] Example MCP configs per host (`docs/examples/`)
+- [x] Fix placeholder URLs in `pyproject.toml`
+- [x] CI workflow (lint, typecheck, test on push)
+- [x] Git history secret scanning (`git_history` engine)
+- [x] Integration tests with `@pytest.mark.integration` marker
+
+### Phase 2 — PyPI publish (current)
+
+Goal: one-line install without cloning the repo.
+
+- [ ] Publish `secscan-mcp` to PyPI (create GitHub Release `v0.1.0` — see [docs/PUBLISHING.md](docs/PUBLISHING.md))
+- [x] Document `pip install secscan-mcp` and `uvx secscan-mcp`
+- [x] GitHub Actions release workflow (tag → build → publish)
+- [x] CHANGELOG.md and semver releases
+
+### Phase 3 — MCP polish
+
+Goal: agents use the tools correctly without hand-holding.
+
+- [ ] Rich tool descriptions and parameter docs
+- [ ] Server instructions for MCP hosts
+- [ ] Expand `explain_finding` rule coverage
+- [ ] Smoke-test in Cursor, VS Code, and Claude Desktop
+- [ ] Default `include_git_history: true` guidance for pre-push / pre-PR workflows
+
+### Phase 4 — Community & discovery
+
+Goal: become the default security MCP.
+
+- [ ] SECURITY.md, issue templates
+- [ ] Submit to MCP registries and awesome lists
+- [ ] Optional VS Code manifest for "Install from manifest"
+- [ ] Optional Docker image for team deployments
+
+## Non-goals (for now)
+
+- HTTP/SSE transport (stdio covers all major hosts today)
+- IDE-specific plugins or extensions
+- Hosted/remote scan service
+
+## Quality gate
+
+Before marking any phase done:
+
+```bash
+make check   # ruff + mypy + pytest
+```
+
+Integration tests (when CLIs are installed):
+
+```bash
+pytest -m integration
+```
+
+## Environment variables
+
+| Variable | Default | Description |
+|----------|---------|-------------|
+| `SECSCAN_DEFAULT_TIMEOUT_SECONDS` | `300` | Per-engine scan timeout |
+| `SECSCAN_MAX_FINDINGS` | `500` | Cap findings in a single report |
+| `SECSCAN_GIT_MAX_COMMITS` | `500` | Max commits to scan in git history mode |

secscan_mcp-0.1.2/README.md

@@ -0,0 +1,126 @@
+# secscan-mcp
+
+[![CI](https://github.com/openjkai/secscan_mcp/actions/workflows/ci.yml/badge.svg)](https://github.com/openjkai/secscan_mcp/actions/workflows/ci.yml)
+[![PyPI](https://img.shields.io/pypi/v/secscan-mcp)](https://pypi.org/project/secscan-mcp/)
+
+A portable **MCP server** for security scanning — works with **any AI coding assistant** that supports the [Model Context Protocol](https://modelcontextprotocol.io): Cursor, VS Code, Claude Desktop, Windsurf, Zed, Continue, and more.
+
+Scan codebases for **hardcoded secrets**, **SAST issues**, **vulnerable dependencies**, and **IaC misconfigurations** — one install, one normalized report format.
+
+The built-in **custom** scanner works with no extra tools. Install optional CLIs for broader coverage ([below](#optional-scanners)).
+
+## Quick start
+
+**1. Install** (Python 3.11+):
+
+```bash
+pip install secscan-mcp
+```
+
+Or run without installing (requires [uv](https://docs.astral.sh/uv/)):
+
+```bash
+uvx secscan-mcp
+```
+
+For MCP config with `uvx`, use `"command": "uvx"` and `"args": ["secscan-mcp"]` — see [setup guide](docs/setup.md).
+
+<details>
+<summary>Install from source</summary>
+
+```bash
+git clone https://github.com/openjkai/secscan_mcp.git
+cd secscan_mcp && pip install .
+```
+
+</details>
+
+**2. Add to your IDE** — pick your client:
+
+| IDE / client | Config file | Guide |
+|--------------|-------------|-------|
+| Cursor | `~/.cursor/mcp.json` | [setup →](docs/setup.md#cursor) |
+| VS Code | `.vscode/mcp.json` | [setup →](docs/setup.md#vs-code-github-copilot) |
+| Claude Desktop | OS-specific (see guide) | [setup →](docs/setup.md#claude-desktop) |
+| Claude Code | `~/.claude/settings.json` | [setup →](docs/setup.md#claude-code) |
+| Windsurf | `~/.codeium/windsurf/mcp_config.json` | [setup →](docs/setup.md#windsurf) |
+| Others | — | [Full setup guide](docs/setup.md) |
+
+Minimal config (works in Cursor, Claude Desktop, Windsurf):
+
+```json
+{
+  "mcpServers": {
+    "secscan": {
+      "command": "uvx",
+      "args": ["secscan-mcp"]
+    }
+  }
+}
+```
+
+If you installed with `pip install secscan-mcp`, you can use `"command": "secscan-mcp"` instead.
+
+**3. Verify** — ask your agent: *"Call `list_available_scanners` and scan_secrets on this project."*
+
+## MCP tools
+
+| Tool | Purpose |
+|------|---------|
+| `list_available_scanners` | Which engines are installed on this machine |
+| `scan_secrets` | Hardcoded credentials and secrets (optionally scan git commit history) |
+| `scan_code` | SAST (semgrep, bandit) |
+| `scan_dependencies` | Vulnerable packages (osv-scanner) |
+| `scan_iac` | IaC misconfigurations (checkov) |
+| `scan_all` | All available scanners, one unified report |
+| `explain_finding` | Remediation hints for a `rule_id` |
+
+Most scan tools accept `path` (directory to scan) and optional `severity_threshold` (`critical`, `high`, `medium`, `low`, `info`).
+
+`scan_secrets` also accepts `include_git_history` (boolean). When `true`, scans past git commits for secrets removed from the working tree but still present in history — no extra tools required beyond `git`.
+
+## Optional scanners
+
+Install any of these to extend coverage. Missing CLIs are skipped — the server still runs.
+
+| Engine | Category | Install (example) |
+|--------|----------|-------------------|
+| gitleaks | secrets | `brew install gitleaks` |
+| semgrep | SAST | `pip install semgrep` |
+| bandit | SAST (Python) | `pip install bandit` |
+| osv-scanner | dependencies | `brew install osv-scanner` |
+| checkov | IaC | `pip install checkov` |
+
+After installing, run `list_available_scanners` again to confirm.
+
+## Example prompts
+
+- *"Call `list_available_scanners` and tell me what's installed."*
+- *"Run `scan_secrets` with include_git_history on this repo — check if any secrets were ever committed."*
+- *"Run `scan_all` with severity_threshold high and summarize the findings."*
+- *"Explain the rule `internal-api-key`."*
+
+## Configuration
+
+Environment variables (optional):
+
+| Variable | Default | Description |
+|----------|---------|-------------|
+| `SECSCAN_DEFAULT_TIMEOUT_SECONDS` | `300` | Per-engine scan timeout |
+| `SECSCAN_MAX_FINDINGS` | `500` | Max findings per report |
+| `SECSCAN_GIT_MAX_COMMITS` | `500` | Max commits scanned in git history mode |
+
+Pass via MCP config `env` block — see [setup guide](docs/setup.md#environment-variables).
+
+## Development
+
+```bash
+make install-dev   # editable install + dev tools
+make check         # lint + typecheck + test
+```
+
+See [docs/CONTRIBUTING.md](docs/CONTRIBUTING.md) and [PLAN.md](PLAN.md).
+
+## License
+
+MIT

secscan_mcp-0.1.2/pyproject.toml

@@ -0,0 +1,134 @@
+[build-system]
+requires = ["hatchling"]
+build-backend = "hatchling.build"
+
+[project]
+name = "secscan-mcp"
+dynamic = ["version"]
+description = "MCP server for codebase security scanning (secrets, SAST, SCA, IaC)"
+readme = "README.md"
+requires-python = ">=3.11"
+license = { text = "MIT" }
+authors = [{ name = "secscan-mcp contributors" }]
+keywords = ["mcp", "security", "sast", "secrets", "scanner", "model-context-protocol"]
+classifiers = [
+  "Development Status :: 3 - Alpha",
+  "Intended Audience :: Developers",
+  "License :: OSI Approved :: MIT License",
+  "Programming Language :: Python :: 3",
+  "Programming Language :: Python :: 3.11",
+  "Programming Language :: Python :: 3.12",
+  "Programming Language :: Python :: 3.13",
+  "Topic :: Security",
+]
+dependencies = [
+  "mcp>=1.6.0",
+  "pyyaml>=6.0",
+]
+
+[project.optional-dependencies]
+dev = [
+  "pre-commit>=4.0",
+  "pytest>=8.0",
+  "pytest-asyncio>=0.24",
+  "pytest-cov>=6.0",
+  "ruff>=0.9",
+  "mypy>=1.14",
+  "types-PyYAML>=6.0",
+  "build>=1.0",
+]
+
+[project.scripts]
+secscan-mcp = "secscan_mcp.server:main"
+
+[project.urls]
+Homepage = "https://github.com/openjkai/secscan_mcp"
+Documentation = "https://github.com/openjkai/secscan_mcp#readme"
+Repository = "https://github.com/openjkai/secscan_mcp"
+Issues = "https://github.com/openjkai/secscan_mcp/issues"
+Changelog = "https://github.com/openjkai/secscan_mcp/blob/main/CHANGELOG.md"
+
+[tool.hatch.version]
+path = "src/secscan_mcp/__init__.py"
+
+[tool.hatch.build]
+dev-mode-dirs = ["src"]
+
+[tool.hatch.build.targets.wheel]
+packages = ["src/secscan_mcp"]
+
+[tool.hatch.build.targets.sdist]
+include = [
+  "/src",
+  "/tests",
+  "/README.md",
+  "/PLAN.md",
+  "/CHANGELOG.md",
+  "/LICENSE",
+]
+
+[tool.ruff]
+target-version = "py311"
+line-length = 100
+src = ["src", "tests"]
+
+[tool.ruff.lint]
+select = [
+  "E",   # pycodestyle errors
+  "W",   # pycodestyle warnings
+  "F",   # pyflakes
+  "I",   # isort
+  "B",   # flake8-bugbear
+  "UP",  # pyupgrade
+  "SIM", # flake8-simplify
+  "RUF", # ruff-specific
+]
+ignore = ["E501"]  # line length handled by formatter
+
+[tool.ruff.lint.isort]
+known-first-party = ["secscan_mcp"]
+
+[tool.ruff.format]
+quote-style = "double"
+indent-style = "space"
+skip-magic-trailing-comma = false
+line-ending = "auto"
+
+[tool.mypy]
+python_version = "3.11"
+strict = true
+warn_return_any = true
+warn_unused_ignores = true
+disallow_untyped_defs = true
+disallow_incomplete_defs = true
+check_untyped_defs = true
+no_implicit_optional = true
+show_error_codes = true
+files = ["src"]
+mypy_path = ["src"]
+
+[[tool.mypy.overrides]]
+module = ["mcp.*"]
+ignore_missing_imports = true
+
+[[tool.mypy.overrides]]
+module = ["secscan_mcp.server"]
+disable_error_code = ["misc", "no-untyped-call", "untyped-decorator"]
+
+[tool.pytest.ini_options]
+testpaths = ["tests"]
+asyncio_mode = "auto"
+addopts = "-ra --strict-markers"
+markers = [
+  "integration: tests that invoke external scanner CLIs",
+  "slow: long-running scans",
+]
+
+[tool.coverage.run]
+source = ["secscan_mcp"]
+branch = true
+
+[tool.coverage.report]
+fail_under = 0
+show_missing = true
+skip_empty = true

secscan_mcp-0.1.2/src/secscan_mcp/__init__.py

@@ -0,0 +1,3 @@
+"""Security scanner MCP server."""
+
+__version__ = "0.1.2"