mcpscc
Security Command Center for Model Context Protocol (MCP) servers. Detect prompt injection, tool poisoning, secrets, and vulnerabilities. The Trivy of MCP security.
claude mcp add --transport stdio gensecaihq-mcpscc docker run -p 8000:8000 mscc
How to use
MSCC (MCP Security Command Center) is a security scanner for MCP servers. It analyzes your MCP implementations to detect vulnerabilities such as prompt injection, tool poisoning, secret exposure, and other MCP-related risks using a curated set of detection patterns and YARA rules. The project exposes an API-friendly interface and tooling to scan local MCP server installations, export reports (JSON, SARIF, HTML, PDF), and integrate into CI/CD workflows. You can run the scanner locally, in a container, or integrate it into your CI to continuously verify the security posture of your MCP servers.
To use the server tooling, you can run the API server (either directly via Python/uvicorn or via Docker) to provide a live scanning endpoint, or you can leverage the Python SDK (MSCCClient) and CLI (mscc) to perform scans, export reports, or embed scanning into scripts. The available capabilities include running scans against a local MCP server path or a Git repository, generating SARIF or PDF reports, and performing automated checks in CI pipelines. The scanner also ships with a variety of detection rules organized by language and MCP Top 10 coverage, plus the ability to add custom YARA rules for organization-specific checks.
How to install
Prerequisites:
- Python 3.9+ for the Python-based tooling and SDK (optional if you use Docker/CLI only)
- Docker (optional if you prefer containerized runs)
- Git (for cloning sources or examples)
Option A: Install and run locally with Python (SDK + API server)
- Clone the repository (or install via PyPI if available):
    git clone https://github.com/gensecaihq/mcpscc.git
    cd mcpscc
- Create and activate a Python virtual environment:
    python -m venv .venv
    source .venv/bin/activate
- Install the package with development extras (API, PDF, etc.):
    pip install -e ".[dev,api,pdf]"
- Run the API server directly (example using uvicorn):
    uvicorn mscc.api.app:app --host 0.0.0.0 --port 8000
Option B: Run using Docker (recommended for simplicity and isolation)
- Build and run the MSCC API container (assuming Dockerfile is present):
    docker build -t mscc .
    docker run -p 8000:8000 mscc
Option C: Quick start using the Python SDK (no server required)
- Install the base SDK:
    pip install mscc
- Use the Python SDK in your scripts to scan local MCP servers, export reports, and handle findings as shown in the Quick Start example in the repository README.
Additional notes
Tips and common issues:
- If you run the API server, ensure port 8000 is accessible from your CI/CD or local tooling. Adjust the port as needed in your environment.
- When using Docker, keep the image up to date to receive the latest detection rules and language support.
- You can customize reporting exports (PDF, SARIF, HTML) via the MSCC client/reporting API in your scripts or CI jobs.
- Environment variables you may encounter include configuration for database/redis backends when using the API server in production (e.g., REDIS_URL, DATABASE_URL). If you enable caching or a persistent database, configure these values accordingly.
- The Docker approach is ideal for CI environments; the Python-based approach is flexible for local development and scripting.
- For CI integrations, consider using a specific scan profile (ci-standard) and enforce max-risk thresholds as part of your pipeline.
Related MCP Servers
medusa
AI-first security scanner with 76 analyzers, 4,000+ detection rules, 508 FP filters (96.8% reduction), and 133 CVE detections for AI/ML, LLM agents, and MCP servers
mcp-manager
CLI tool for managing Model Context Protocol (MCP) servers in one place & using them across different clients
mcp-memos-py
A Python package enabling LLM models to interact with the Memos server via the MCP interface for searching, creating, retrieving, and managing memos.
hop
Fast, elegant SSH connection manager with a TUI dashboard and MCP server
mcp-python-template
This template provides a streamlined foundation for building Model Context Protocol (MCP) servers in Python. It's designed to make AI-assisted development of MCP tools easier and more efficient.
mcptrust
Runtime security proxy for MCP: lockfile enforcement, drift detection, artifact pinning, Sigstore/Ed25519 signing, CEL policy, OpenTelemetry tracing. Works with Claude Desktop, LangChain, AutoGen, CrewAI.