Secscan
БесплатноНе проверенMCP server for Cursor that scans codebases for security issues including hardcoded secrets, SAST, vulnerable dependencies, and IaC misconfigurations.
Описание
MCP server for Cursor that scans codebases for security issues including hardcoded secrets, SAST, vulnerable dependencies, and IaC misconfigurations.
README
A portable MCP server for security scanning — works with any AI coding assistant that supports the Model Context Protocol: Cursor, VS Code, Claude Desktop, Windsurf, Zed, Continue, and more.
Scan codebases for hardcoded secrets, SAST issues, vulnerable dependencies, and IaC misconfigurations — one install, one normalized report format.
The built-in custom scanner works with no extra tools. Install optional CLIs for broader coverage (below).
Quick start
Requires Python 3.11+. If pip install secscan-mcp says "No matching distribution found", your default python3 is likely too old — use python3.11 -m pip install secscan-mcp or install Python 3.11+ first.
1. Install from PyPI:
pip install secscan-mcp
# or explicitly:
python3.11 -m pip install secscan-mcp
Or run without installing (requires uv):
uvx secscan-mcp
For MCP config with uvx, use "command": "uvx" and "args": ["secscan-mcp"] — see setup guide.
Install from source
git clone https://github.com/openjkai/secscan_mcp.git
cd secscan_mcp && pip install .
2. Add to your IDE — pick your client:
| IDE / client | Config file | Guide |
|---|---|---|
| Cursor | ~/.cursor/mcp.json |
setup → |
| VS Code | .vscode/mcp.json |
setup → |
| Claude Desktop | OS-specific (see guide) | setup → |
| Claude Code | ~/.claude/settings.json |
setup → |
| Windsurf | ~/.codeium/windsurf/mcp_config.json |
setup → |
| Others | — | Full setup guide |
Minimal config (works in Cursor, Claude Desktop, Windsurf):
{
"mcpServers": {
"secscan": {
"command": "uvx",
"args": ["secscan-mcp"]
}
}
}
If you installed with pip install secscan-mcp, you can use "command": "secscan-mcp" instead.
3. Verify — ask your agent: "Call list_available_scanners and scan_secrets on this project."
MCP tools
| Tool | Purpose |
|---|---|
list_available_scanners |
Which engines are installed on this machine |
scan_secrets |
Hardcoded credentials and secrets (optionally scan git commit history) |
scan_code |
SAST (semgrep, bandit) |
scan_dependencies |
Vulnerable packages (osv-scanner) |
scan_iac |
IaC misconfigurations (checkov) |
scan_all |
All available scanners, one unified report |
explain_finding |
Remediation hints for a rule_id |
Most scan tools accept path (directory to scan) and optional severity_threshold (critical, high, medium, low, info).
scan_secrets also accepts include_git_history (boolean). When true, scans past git commits for secrets removed from the working tree but still present in history — no extra tools required beyond git.
Optional scanners
Install any of these to extend coverage. Missing CLIs are skipped — the server still runs.
| Engine | Category | Install (example) |
|---|---|---|
| gitleaks | secrets | brew install gitleaks |
| semgrep | SAST | pip install semgrep |
| bandit | SAST (Python) | pip install bandit |
| osv-scanner | dependencies | brew install osv-scanner |
| checkov | IaC | pip install checkov |
After installing, run list_available_scanners again to confirm.
Example prompts
- "Call
list_available_scannersand tell me what's installed." - "Run
scan_secretswith include_git_history on this repo — check if any secrets were ever committed." - "Run
scan_allwith severity_threshold high and summarize the findings." - "Explain the rule
internal-api-key."
Configuration
Environment variables (optional):
| Variable | Default | Description |
|---|---|---|
SECSCAN_DEFAULT_TIMEOUT_SECONDS |
300 |
Per-engine scan timeout |
SECSCAN_MAX_FINDINGS |
500 |
Max findings per report |
SECSCAN_GIT_MAX_COMMITS |
500 |
Max commits scanned in git history mode |
Pass via MCP config env block — see setup guide.
Development
make install-dev # editable install + dev tools
make check # lint + typecheck + test
See docs/CONTRIBUTING.md and PLAN.md.
License
MIT
Установка Secscan
У этого сервера нет опубликованного пакета — он собирается из исходников. Открой репозиторий и следуй инструкции в README.
▸ github.com/openjkai/secscan_mcpFAQ
Secscan MCP бесплатный?
Да, Secscan MCP бесплатный — установка в пару кликов через Unyly без оплаты.
Нужен ли API-ключ для Secscan?
Нет, Secscan работает без API-ключей и переменных окружения.
Secscan — hosted или self-hosted?
Self-hosted: сервер запускается локально на твоей машине командой из раздела установки.
Как установить Secscan в Claude Desktop, Claude Code или Cursor?
Открой Secscan на unyly.org, выбери вкладку своего клиента (Claude Desktop, Claude Code, Cursor) и нажми Install — конфиг сгенерируется автоматически, без правки JSON.
Похожие MCP
GitHub
PRs, issues, code search, CI status
автор: GitHubFilesystem
Secure file operations with configurable access controls.
Memory
Knowledge graph-based persistent memory system.
Template MCP Server
A CLI tool to create a new Model Context Protocol server project with TypeScript support, dual transport options, and an extensible structure
автор: mcpdotdirectCompare Secscan with
Не уверен что выбрать?
Найди свой стек за 60 секунд
Автор?
Embed-бейдж для README
Похожее
Все в категории development
