Getting Started
Install from source with Go:

```sh
go install github.com/batoisystems/mcp-audit/cmd/mcp-audit@latest
```

For local development:

```sh
git clone https://github.com/batoisystems/mcp-audit.git
cd mcp-audit
go test ./...
go run ./cmd/mcp-audit version
```

Run a scan against the current workspace:

```sh
mcp-audit scan --path .
```

Generate a Markdown report:

```sh
mcp-audit scan --path . --format markdown --out report.md
```

Generate SARIF for code scanning:

```sh
mcp-audit scan --path . --format sarif --out results.sarif --fail-on high
```

First Useful Commands
| Goal | Command |
|---|---|
| Local scan | mcp-audit scan --path . |
| Markdown review report | mcp-audit scan --path . --format markdown --out report.md |
| SARIF for code scanning | mcp-audit scan --path . --format sarif --out results.sarif --fail-on high |
| Policy check | mcp-audit policy check --path . --policy ./mcp-audit-policy.yaml |
| HTTP discovery probe | mcp-audit probe --url http://localhost:3000/mcp |
Common Targets
MCP Audit detects common local configuration files, including claude_desktop_config.json, VS Code .vscode/mcp.json, mcp.json, .mcp.json, package scripts that launch MCP servers, and Docker Compose services that appear to run MCP servers.
First Review Checklist
- Check whether any tool can run shell commands.
- Check whether filesystem access includes home directories, SSH keys, cloud config, or project secrets.
- Check whether HTTP MCP servers require authentication.
- Check whether tool descriptions include prompt-injection language.
- Decide whether findings should be fixed, suppressed with a reason, or converted into a policy requirement.
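
To show what two of these checklist items look like when checked by hand, the following added example (not mcp-audit's own code or detection logic) statically reviews a configuration for broad filesystem scope and HTTP servers configured without credentials. The `mcpServers` layout, the field names, the `fs-server` package, and the sample paths and URLs are assumptions constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"sort"
)

// Constructed sample; the "mcpServers" layout and field names are assumptions.
const sampleConfig = `{"mcpServers": {
  "files":  {"command": "npx", "args": ["-y", "fs-server", "/home/dev"]},
  "local":  {"url": "http://localhost:3000/mcp"},
  "remote": {"url": "https://mcp.example.com/mcp", "headers": {"authorization": "Bearer ${MCP_TOKEN}"}}
}}`

// encoding/json matches keys case-insensitively, so "authorization" also lands here.
type server struct {
	Args    []string
	URL     string
	Headers struct{ Authorization string }
}

// sensitive matches home directories, SSH keys, cloud config and env files.
var sensitive = regexp.MustCompile(`^(/|~.*)$|/home/|/Users/|\.ssh|\.aws|\.kube|\.env`)
// review flags broad filesystem scope and HTTP servers configured without credentials.
func review(raw string) ([]string, error) {
	var cfg struct{ Servers map[string]server `json:"mcpServers"` }
	if err := json.Unmarshal([]byte(raw), &cfg); err != nil {
		return nil, err
	}
	findings := []string{}
	for name, s := range cfg.Servers {
		for _, a := range s.Args {
			if sensitive.MatchString(a) {
				findings = append(findings, name+": sensitive path "+a)
			}
		}
		if s.URL != "" && s.Headers.Authorization == "" {
			findings = append(findings, name+": no Authorization header for "+s.URL)
		}
	}
	sort.Strings(findings) // map iteration order is random
	return findings, nil
}

func main() {
	fmt.Println(review(sampleConfig))
}
```

A missing `Authorization` header in the client configuration only shows that the client sends no credentials; confirm separately that the server rejects unauthenticated requests.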
Runtime Probe
Use runtime probing only for discovery. HTTP probing sends initialization and list requests without executing tools:

```sh
mcp-audit probe --url http://localhost:3000/mcp
```

Stdio probing starts a local process, so require explicit command-execution approval in your workflow.