SecureMCP

SecureMCP is a comprehensive security auditing tool for MCP-enabled applications. It provides modules to scan OAuth token handling, test for prompt injection vulnerabilities, verify authentication and server integrity, and generate both HTML and JSON reports detailing vulnerabilities and remediation steps. You can run it from the command line to perform targeted scans of your MCP server, or use its programmatic components to integrate scanning into your tooling. Typical usage involves pointing SecureMCP at your MCP server URL and selecting the areas you want to test (OAuth token handling, prompt injection, authentication controls, and overall server integrity). The tool then analyzes token storage, token endpoints, system prompts, response handling, and security headers to produce actionable findings in multiple formats.

Key capabilities include: OAuth token scanner (format, expiration, storage, endpoint validation, and JWT analysis), prompt injection tester (payload types, positions, system prompt override detection, and role confusion detection), authentication and server integrity checks (SSL/TLS, security headers, HSTS, CSP), and a built-in report generator that outputs HTML and JSON reports with remediation guidance and summary statistics.

Prerequisites:

• Docker (optional for containerized deployment) or a local environment capable of running the MCP server binaries
• Go 1.21+ if building from source (per project prerequisites)
• Node.js (for dashboard UI, if you intend to use the UI components)

From Source:

1. Clone the repository: git clone https://github.com/makalin/SecureMCP.git
2. Enter the project directory: cd SecureMCP
3. Build the project (Go-based binary): make build
4. Run tests (optional): make test

Using Docker:

1. Pull the SecureMCP image: docker pull makalin/SecureMCP
2. Run the container (adjust ports and targets as needed): docker run -i makalin/SecureMCP

Basic usage examples (CLI):

• Basic scan ./securemcp scan --target https://your-mcp-server.com
• Scan with specific options ./securemcp scan --target https://your-mcp-server.com
  --scan-oauth
  --scan-prompt-injection
  --scan-authentication
  --timeout 30s
• Generate HTML report ./securemcp scan --target https://your-mcp-server.com --report html
• Generate JSON report ./securemcp scan --target https://your-mcp-server.com --report json

Tips and common issues:

• Ensure your target MCP server is accessible from the scanning environment (network allowlists may apply).
• If Docker is unavailable, build from source and run the binary directly.
• When using the programmatic API, you can customize the ScanOptions to enable/disable specific checks (OAuth, prompt injection, authentication) and set a timeout that fits your environment.
• For accurate results, run scans against staging or test MCP deployments before production.
• Review generated HTML/JSON reports for remediation guidance and cross-check with your security baselines (SSL/TLS, HSTS, CSP).