mcp-audit

MCP Audit is a Python-based MCP server that scans your development environment to reveal what AI agents can access, including secrets, APIs, and AI models. It offers both a CLI and a web-app workflow, allowing you to run local machine scans or inspect repositories for MCP configurations. The CLI can perform full scans or targeted checks (secrets, APIs, models) and supports multiple output formats such as JSON, CSV, Markdown, CycloneDX AI-BOM, and SARIF. Install it, then run mcp-audit scan to discover MCPs on your machine, or use the web app for an interactive, browser-based analysis. The tool is designed to help you identify risky configurations before deploying AI agents.

Prerequisites:\n- Python 3.9+ (recommended by the project)\n- Git (to clone the repository)\n- Optional: Docker if you prefer containerized usage\n\nOption A: Python (recommended)\n1) Clone the repository and install in editable mode:\n\n git clone https://github.com/apisec-inc/mcp-audit.git\n cd mcp-audit\n pip install -e .\n\n2) Verify installation:\n\n mcp-audit --help\n\n3) Run a full scan:\n\n mcp-audit scan\n\nOption B: Docker\n1) Build and run the Docker image to scan a directory:\n\n docker build -t mcp-audit .\n docker run -v $(pwd):/scan mcp-audit scan\n\n2) Output JSON example:\n\n docker run -v $(pwd):/scan mcp-audit scan --format json -o /scan/report.json\n\nPrerequisites recap:\n- Ensure Python 3.9+ is installed if using the Python path.\n- If using Docker, you need Docker installed and access to the project directory you want to scan.

Tips and caveats:\n- The web app offers a no-install option for quick exploration; the CLI provides full local analysis with options to customize output formats.\n- For best results, run scans on machines or repos where MCPs are likely configured (Claude Desktop, Cursor, VS Code, Windsurf, Zed).\n- Environment variables may contain secrets; this tool detects secrets in MCP configurations, not in running processes.\n- When integrating with CI, use the JSON or SARIF outputs to feed into security dashboards.\n- If you encounter install issues, verify Python 3.9+ is active in your environment and that you have network access to fetch dependencies.\n- The CLI supports multiple export formats: json, csv, markdown, cyclonedx, sarif, and optional email-based PDF reports.\n- There is also a Docker path for CI environments where installing Python packages is not desirable.\n