MCP Audit Docs

GitHub Action

Run MCP Audit in GitHub Actions with severity thresholds and review evidence.

Use MCP Audit in CI to review MCP server changes before they are merged.

Pull Request Security Gate

Run MCP Audit before MCP configuration or tool changes reach protected branches.

[Diagram: Pull Request (config changes) -> Checkout repository -> MCP Audit scan + policy -> SARIF code scanning / Evidence report artifacts -> Gate (fail-on)]

Branch protection should respect the MCP Audit job status.

name: MCP Audit

on:
  pull_request:
  push:
    branches: [main]

jobs:
  mcp-audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: batoisystems/mcp-audit/.github/actions/mcp-audit@v0.1.0
        with:
          path: "."
          fail-on: "high"

Suggested CI Policy

  • Fail pull requests on high or critical findings.
  • Export SARIF when code scanning is enabled.
  • Keep a reviewed baseline for known exceptions.
  • Require policy files for production MCP servers.
  • Store Markdown or Guard evidence for release review when MCP tools can access sensitive systems.

Workflow Variants

Variant           Use when                                       Add
Minimum gate      You need a fast merge check.                   mcp-audit scan --path . --fail-on high
Code scanning     Security reviewers use GitHub code scanning.   SARIF output and upload step
Governed release  MCP tools can reach sensitive systems.         Markdown or Guard evidence artifact
Adoption phase    Existing findings need staged cleanup.         Baseline plus expiry-based suppressions
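The workflow below is an added example (not the project's own workflow) that combines the "Code scanning" and "Governed release" variants from the table above with the CI policy items listed earlier: a least-privilege token, a high-severity gate, SARIF upload to code scanning, and an evidence artifact kept for release review. Only the `path` and `fail-on` inputs and the action reference come from this page; the `sarif-output` and `evidence-output` input names and the `mcp-audit.sarif` / `mcp-audit-evidence.md` file names are assumptions and must be replaced with whatever the action's own action.yml documents.

```yaml
name: MCP Audit (code scanning + evidence)

on:
  pull_request:
  push:
    branches: [main]

# Least privilege for the workflow token: read the repository, write
# code-scanning alerts (required by upload-sarif), nothing else.
permissions:
  contents: read
  security-events: write

# Cancel superseded runs on the same ref so the gate reflects the latest commit.
concurrency:
  group: mcp-audit-${{ github.ref }}
  cancel-in-progress: true

jobs:
  mcp-audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Gate step: the job fails on high or critical findings. `path` and
      # `fail-on` are the inputs shown on this page; `sarif-output` and
      # `evidence-output` are ASSUMED input names for this example only.
      - id: scan
        uses: batoisystems/mcp-audit/.github/actions/mcp-audit@v0.1.0
        with:
          path: "."
          fail-on: "high"
          sarif-output: "mcp-audit.sarif"           # assumed input name
          evidence-output: "mcp-audit-evidence.md"  # assumed input name

      # `if: always()` uploads results even when the gate above fails, so
      # reviewers can see why the pull request was blocked. The job status
      # itself stays failed, which is what branch protection should key on.
      - name: Upload SARIF to code scanning
        if: always() && hashFiles('mcp-audit.sarif') != ''
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: mcp-audit.sarif
          category: mcp-audit

      # Evidence for release review: keep the report and the raw SARIF together
      # under the commit SHA so they can be matched to the reviewed change.
      - name: Store evidence report for release review
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: mcp-audit-evidence-${{ github.sha }}
          path: |
            mcp-audit-evidence.md
            mcp-audit.sarif
          if-no-files-found: warn
          retention-days: 90
```

To make the gate enforceable, add the `mcp-audit` job as a required status check in branch protection for `main`; without that, a failed gate is only advisory. The "Adoption phase" variant (baseline plus expiry-based suppressions) is intentionally not shown here, because the inputs that configure a baseline are not documented on this page.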