So I built a static analysis scanner specifically for MCP servers. It runs 7 analyzers (secrets, static code, prompt injection, SQL/command injection, permissions, network, dependencies) and takes ~45ms on a typical server.
Usage:
npx mcp-security-auditor scan ./my-mcp-server
No account, runs locally. Outputs text, JSON, SARIF (for GitHub Security tab), HTML, or Markdown. Has a CI mode that exits non-zero above a severity threshold. Available on both npm and PyPI. MIT licensed.
npm: https://www.npmjs.com/package/mcp-security-auditor
PyPI: https://pypi.org/project/mcp-security-auditor/
Dev.to writeup with examples: https://dev.to/prabhu_raja_fe2261464cb8e/how-to-scan-your-mc...
Would love feedback on detection patterns — there are definitely gaps I haven't covered yet.
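To make the "exits non-zero above a severity threshold" CI behaviour concrete, here is an added example (not the auditor's own code) of a gate that consumes a SARIF 2.1.0 log, such as the one the post says the tool can emit, and reports how many results meet a chosen level. The sample SARIF document, its rule IDs and the scanner name are constructed for illustration.

```javascript
// Added example, not part of mcp-security-auditor: a CI gate over SARIF output.
// SARIF 2.1.0 result levels ordered from least to most severe. Per the spec,
// a result with no "level" property defaults to "warning".
const LEVEL_RANK = { none: 0, note: 1, warning: 2, error: 3 };

// Count results at or above `threshold` across every run in the SARIF log.
// Returns counts plus the exit code a CI step would use (1 = fail the build).
function gateSarif(sarif, threshold) {
  if (!(threshold in LEVEL_RANK)) {
    throw new Error(`unknown SARIF level: ${threshold}`);
  }
  const minRank = LEVEL_RANK[threshold];
  let total = 0;
  let failing = 0;
  for (const run of sarif.runs ?? []) {
    for (const result of run.results ?? []) {
      total += 1;
      const level = result.level ?? 'warning'; // SARIF default when absent
      if ((LEVEL_RANK[level] ?? 0) >= minRank) failing += 1;
    }
  }
  return { total, failing, exitCode: failing > 0 ? 1 : 0 };
}

// Constructed sample SARIF log standing in for a scanner's output. The finding
// categories mirror the analyzers named in the post (secrets, command
// injection, permissions, dependencies); the rule IDs are made up.
const SAMPLE_SARIF = {
  version: '2.1.0',
  runs: [{
    tool: { driver: { name: 'example-scanner' } },
    results: [
      { ruleId: 'hardcoded-secret', level: 'error', message: { text: 'API key in source' } },
      { ruleId: 'shell-exec', level: 'warning', message: { text: 'child_process with user input' } },
      { ruleId: 'broad-permission', message: { text: 'tool requests wide scope' } }, // no level
      { ruleId: 'dep-pinned', level: 'note', message: { text: 'dependency is pinned' } },
    ],
  }],
};

// Summarise the sample at the "error" threshold; a CI wrapper would pass
// the returned exitCode to process.exit().
const summary = gateSarif(SAMPLE_SARIF, 'error');
console.log(`${summary.failing} of ${summary.total} findings at or above "error"`);
```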