Orcorus Repository Scanner
FreeNot checkedScans GitHub repositories for security vulnerabilities by cloning, performing static analysis, secret detection, build verification, and AI-powered OWASP-aligne
About
Scans GitHub repositories for security vulnerabilities by cloning, performing static analysis, secret detection, build verification, and AI-powered OWASP-aligned code review, producing a scored SECURITY.md report.
README
A repository security scanner for GitHub repositories, available as both an MCP server and a CLI tool. Orcorus clones a repo, runs static analysis, detects hardcoded secrets, verifies the build, and performs an AI-powered OWASP-aligned security code review — producing a scored SECURITY.md report.
Features
- Static analysis — Runs Bandit on Python code to detect common vulnerabilities
- Secrets detection — Pattern-based scanning for API keys, tokens, private keys, and credentials
- Build verification — Attempts to build/install the project (supports Python, Node, Go, Rust)
- Test detection — Identifies test frameworks (pytest, jest, mocha, vitest, unittest)
- AI security review — Agentic, multi-turn code review using an OpenAI-compatible LLM that explores the codebase with tools (read files, search code, list directories) and produces an OWASP Top 10-aligned report
- Scoring & tiering — Assigns a 0–100 security score and classifies repos as Gold / Silver / Bronze / Reject
- MCP server — Exposes
scan_repo,get_report, andlist_reportstools via FastMCP
Project Structure
src/ # Core library
__init__.py # Public API: Scanner, ScanConfig, ScanResult
models.py # Data models (ScanConfig, ScanResult)
scanner.py # Main scanning pipeline
analyzers.py # Bandit, secrets, build, test, and quality checks
ai_review.py # Agentic AI security review loop
report.py # SECURITY.md report generation
server.py # MCP server (FastMCP)
scan_repo.py # CLI client
Quick Start
CLI
# With AI review (GitHub repo)
python scan_repo.py https://github.com/owner/repo --api-key sk-...
# Without AI review
python scan_repo.py https://github.com/owner/repo --skip-ai
# Scan a local directory in-place (absolute --subdir path)
python scan_repo.py --name SSH-Command \
--subdir /srv/docker/orcorus-integrations/ssh-command \
--api-key sk-... --model gpt-5.4 --base-url https://api.cometapi.com/v1
# Scan current directory
python scan_repo.py .
# Custom model / provider
python scan_repo.py https://github.com/owner/repo \
--model gpt-5.2 \
--base-url https://api.openai.com/v1 \
--api-key sk-...
MCP Server
python server.py
# or
fastmcp run server.py
The server exposes three tools:
| Tool | Description |
|---|---|
scan_repo |
Scan a GitHub repo (runs as a background task) |
get_report |
Retrieve a completed SECURITY.md report by name |
list_reports |
List all available scan reports with scores |
MCP Client Setup
VS Code / Claude Code (settings.json)
Add the following to your MCP settings.json to run Orcorus as a Docker container:
{
"mcpServers": {
"scanner": {
"command": "docker",
"args": [
"run", "-i", "--rm",
"-e", "OPENAI_API_KEY=sk-your-api-key-here",
"-e", "ORCORUS_MODEL=gpt-5.2",
"-e", "OPENAI_BASE_URL=https://api.openai.com/v1",
"-e", "ORCORUS_REPORTS_DIR=/app/reports",
"-e", "ORCORUS_WORK_DIR=/app/repos",
"-e", "ORCORUS_AI_TIMEOUT=300",
"-e", "ORCORUS_MAX_TURNS=40",
"orcorus/security_scanner:latest"
]
}
}
}
To persist reports between runs, mount a volume:
{
"mcpServers": {
"scanner": {
"command": "docker",
"args": [
"run", "-i", "--rm",
"-e", "OPENAI_API_KEY=sk-your-api-key-here",
"-e", "ORCORUS_MODEL=gpt-5.2",
"-e", "OPENAI_BASE_URL=https://api.openai.com/v1",
"-v", "/path/to/local/reports:/app/reports",
"orcorus/security_scanner:latest"
]
}
}
}
To skip AI review (static analysis only), add -e, "ORCORUS_SKIP_AI=true" to the args.
Configuration
CLI Arguments
| Argument | Default | Description |
|---|---|---|
repo_url |
. |
GitHub repository URL or local path (ignored when --subdir is absolute) |
--name |
auto-detected | Display name for the report |
--commit |
HEAD | Specific commit to checkout |
--subdir |
(none) | Subdirectory scope, or an absolute path to scan a directory in-place without cloning |
--api-key |
$OPENAI_API_KEY |
API key for the LLM provider |
--model |
gpt-5.2 |
Model to use for AI review |
--base-url |
https://api.openai.com/v1 |
OpenAI-compatible API base URL |
--reports-dir |
./reports |
Directory to save reports |
--ai-timeout |
300 |
Timeout per AI call (seconds) |
--max-turns |
40 |
Max agentic review turns |
--skip-ai |
false |
Skip the AI review step |
--keep-repo |
false |
Keep the cloned repo after scanning |
Environment Variables (MCP Server)
| Variable | Default | Description |
|---|---|---|
OPENAI_API_KEY |
(none) | API key for AI review |
ORCORUS_MODEL |
gpt-5.2 |
LLM model name |
OPENAI_BASE_URL |
https://api.openai.com/v1 |
API base URL |
ORCORUS_REPORTS_DIR |
./reports |
Reports output directory |
ORCORUS_WORK_DIR |
./repos |
Temporary clone directory |
ORCORUS_AI_TIMEOUT |
300 |
Timeout per AI call (seconds) |
ORCORUS_MAX_TURNS |
40 |
Max agentic review turns |
ORCORUS_SKIP_AI |
false |
Set to 1 or true to skip AI review |
ORCORUS_ALLOW_LOCAL_PATHS |
false |
Set to 1 or true to allow scanning local filesystem paths via MCP |
Scoring
| Score | Tier |
|---|---|
| 90–100 | Gold |
| 75–89 | Silver |
| 60–74 | Bronze |
| 0–59 | Reject |
Deductions are applied for high/medium/low Bandit findings, hardcoded secrets, build failures, missing tests, missing README, missing dependency files, and critical/high severity issues found during AI review.
Dependencies
Installing Orcorus Repository Scanner
This server has no published package — it is built from source. Open the repository and follow its README.
▸ github.com/ceilingduster/mcp_security_scannerFAQ
Is Orcorus Repository Scanner MCP free?
Yes, Orcorus Repository Scanner MCP is free — one-click install via Unyly at no cost.
Does Orcorus Repository Scanner need an API key?
No, Orcorus Repository Scanner runs without API keys or environment variables.
Is Orcorus Repository Scanner hosted or self-hosted?
Self-hosted: the server runs locally on your machine via the install command above.
How do I install Orcorus Repository Scanner in Claude Desktop, Claude Code or Cursor?
Open Orcorus Repository Scanner on unyly.org, pick your client tab (Claude Desktop, Claude Code, Cursor) and press Install — the config is generated automatically, no JSON editing.
Related MCPs
GitHub
PRs, issues, code search, CI status
by GitHubFilesystem
Secure file operations with configurable access controls.
Memory
Knowledge graph-based persistent memory system.
Template MCP Server
A CLI tool to create a new Model Context Protocol server project with TypeScript support, dual transport options, and an extensible structure
by mcpdotdirectCompare Orcorus Repository Scanner with
Not sure what to pick?
Find your stack in 60 seconds
Author?
Embed badge for your README
Browse similar
All development MCPs
