ggmcp
MCP server for scanning and remediating hardcoded secrets using GitGuardian’s API. Detect over 500 secret types and prevent credential leaks before code goes public.
claude mcp add --transport stdio gitguardian-ggmcp uvx --from git+https://github.com/GitGuardian/ggmcp.git developer-mcp-server
How to use
This MCP server integrates GitGuardian's security capabilities into your AI workflow. It provides tools to scan codebases for secrets, manage security incidents related to your current project, create honeytokens to detect unauthorized access, and manage authentication tokens. When connected to an agent, you can issue natural language prompts such as 'Scan this codebase for leaked secrets' or 'List all my active honeytokens', and the MCP server will perform the corresponding GitGuardian actions and return structured results to your agent. The server also supports viewing and revoking API tokens, enabling your agent to handle authentication lifecycle tasks as part of remediation workflows. Typical use involves running the MCP server, authenticating (via OAuth by default), and then issuing prompts that map to the supported capabilities (Secret Scanning, Incident Management, Honeytokens, Authentication Management, Token Management).
How to install
Prerequisites:
- A host with Node.js installed or a container/ENV capable of running uvx (Python/uv toolchain) as described in the project docs.
- uv (as used by this MCP server workflow) installed according to the uv documentation: https://docs.astral.sh/uv/getting-started/installation/
Installation steps:
- Install uv according to the official instructions for your OS.
- Install and run the MCP server using uvx with the repository URL:
  uvx --from git+https://github.com/GitGuardian/ggmcp.git developer-mcp-server
- Configure your MCP client (Cursor, Claude Desktop, Windsurf, or Zed) to point to the server by adding the following example configuration, adapting the path to uvx if necessary:
  {
    "mcpServers": {
      "GitGuardianDeveloper": {
        "command": "uvx",
        "args": [
          "--from",
          "git+https://github.com/GitGuardian/ggmcp.git",
          "developer-mcp-server"
        ]
      }
    }
  }
- If you plan to use OAuth (default), no extra steps are required beyond starting the server. To use a Personal Access Token (PAT) instead, adjust the configuration to disable OAuth and provide the PAT as described in the Authentication section of the README.
Additional notes
Notes and tips:
- Default authentication uses OAuth via the stdio transport. ENABLE_LOCAL_OAUTH=true is the default behavior; tokens are stored locally (e.g., ~/.gitguardian/) for reuse.
- If operating in non-interactive environments (CI/CD), consider using PAT authentication by disabling local OAuth and providing GITGUARDIAN_PERSONAL_ACCESS_TOKEN in the environment.
- Ensure the environment where uvx runs has network access to GitGuardian services and the Git repository used by the --from argument.
- The MCP server configuration examples show a single server name (GitGuardianDeveloper); you can name it differently in your client configs if desired.
- When using Cursor, Claude Desktop, Windsurf, or Zed, be mindful of each tool’s specific syntax for absolute paths (e.g., Claude Desktop requires an absolute path to uvx).
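For the CI/CD case in the notes above, here is an added example (not code from the ggmcp project) of a launcher that fails closed before starting the server in PAT mode. It assumes ENABLE_LOCAL_OAUTH=false is the value that disables local OAuth; the function names and exit codes are hypothetical.

```shell
#!/bin/sh
# Added example, not from the ggmcp project: start the server in CI with a PAT.
# Assumption: ENABLE_LOCAL_OAUTH=false turns off the default local OAuth flow.

GGMCP_SOURCE="git+https://github.com/GitGuardian/ggmcp.git"

# Succeeds only if a non-interactive, PAT-authenticated start is safe to attempt.
ggmcp_preflight() {
    # Check tracing first: under `set -x` the token test below would be
    # echoed, with the token expanded, into the job log.
    case $- in
        *x*) echo "refusing to start: shell tracing (set -x) is on" >&2
             return 2 ;;
    esac
    if [ -z "${GITGUARDIAN_PERSONAL_ACCESS_TOKEN:-}" ]; then
        echo "refusing to start: GITGUARDIAN_PERSONAL_ACCESS_TOKEN is unset" >&2
        return 1
    fi
    return 0
}

# Replace this shell with the MCP server, which then talks over stdin/stdout.
ggmcp_launch() {
    ggmcp_preflight || return $?
    command -v uvx >/dev/null 2>&1 || { echo "uvx not found on PATH" >&2; return 3; }
    # The PAT stays in the environment and is never passed as an argument,
    # so it does not show up in process listings.
    export GITGUARDIAN_PERSONAL_ACCESS_TOKEN
    ENABLE_LOCAL_OAUTH=false
    export ENABLE_LOCAL_OAUTH
    exec uvx --from "$GGMCP_SOURCE" developer-mcp-server
}

# Launch only when asked to, so the file can also be sourced for its checks.
if [ "${1:-}" = "--run" ]; then
    ggmcp_launch
fi
```

Inject the PAT from the CI system's secret store as an environment variable and invoke the script with --run; without a token it exits before uvx is ever started.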