MCP Audit Docs

Reports and Evidence

Export Markdown, JSON, SARIF, SBOM, and Batoi Guard evidence from MCP Audit scans.

MCP Audit supports human-readable reports and machine-readable evidence.

[Diagram: Evidence Output Pipeline. One scan result (findings + inventory) feeds every consumer: Markdown for human review, JSON for automation, SARIF for code scanning, SBOM for provenance, and Guard evidence for the governance trail.]

Markdown

Markdown reports are useful for reviews and pull request attachments:

mcp-audit scan --path . --format markdown --out report.md

Reports include an executive summary, risk score, findings by severity, tool inventory, auth and transport review, remediation checklist, and raw findings.

JSON

JSON is intended for automation and downstream processing:

mcp-audit scan --path . --format json --out report.json

SARIF

SARIF is intended for GitHub code scanning and compatible security tooling. Adding --fail-on high makes the scan exit non-zero when a finding at or above that severity is present, so CI can block on it:

mcp-audit scan --path . --format sarif --out results.sarif --fail-on high

Because a failing gate ends the step with a non-zero exit status, run the SARIF upload in a step that executes regardless of the scan step's outcome (for example, if: always() in GitHub Actions); otherwise the run that found the problem is the one whose results never reach the dashboard.
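The following is an added example, not MCP Audit's own code: a small consumer for the SARIF file written above, usable to post a summary on a pull request or to verify the file before upload. It assumes the file is standard SARIF 2.1.0 (the format GitHub code scanning accepts); the embedded sample log, its rule IDs and messages are constructed for illustration, and the script gates on the SARIF level field because this page does not document how MCP Audit maps its own severities (such as high) onto SARIF levels. The in-tool --fail-on gate remains the primary control; this is a second check on the artifact itself.

```python
"""Summarise and gate on a SARIF 2.1.0 log.

Added example for this page; not MCP Audit's own code. Assumes the standard
SARIF 2.1.0 layout (version, runs[].tool.driver, runs[].results[]).
"""
import json
from collections import Counter

# Constructed sample shaped like SARIF 2.1.0. Rule IDs, messages and the file
# name are invented for illustration; they are not MCP Audit rule IDs.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
    "runs": [{
        "tool": {"driver": {"name": "mcp-audit", "rules": [
            {"id": "EXAMPLE-001", "shortDescription": {"text": "example rule"}},
        ]}},
        "results": [
            {"ruleId": "EXAMPLE-001", "level": "error",
             "message": {"text": "example high finding"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "server.json"},
                 "region": {"startLine": 12}}}]},
            {"ruleId": "EXAMPLE-002", "level": "warning",
             "message": {"text": "example medium finding"}},
            {"ruleId": "EXAMPLE-002", "level": "warning",
             "message": {"text": "example medium finding"}},
            {"ruleId": "EXAMPLE-003", "level": "note",
             "message": {"text": "example low finding"}},
        ],
    }],
})

# SARIF result levels in increasing order of severity.
LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}


def load_sarif(text):
    """Parse the log and refuse anything that is not a SARIF 2.1.0 document."""
    doc = json.loads(text)
    if doc.get("version") != "2.1.0" or not isinstance(doc.get("runs"), list):
        raise ValueError("not a SARIF 2.1.0 log; code scanning upload would reject it")
    return doc


def is_uploadable(text):
    """True if load_sarif() accepts the text."""
    try:
        load_sarif(text)
        return True
    except ValueError:
        return False


def iter_results(doc):
    for run in doc["runs"]:
        yield from run.get("results", [])


def level_of(result):
    # The SARIF spec defaults a result's level to "warning" when absent.
    return result.get("level", "warning")


def summarize(doc):
    """Counts of results by SARIF level and by rule ID."""
    return {
        "by_level": dict(Counter(level_of(r) for r in iter_results(doc))),
        "by_rule": dict(Counter(r.get("ruleId", "<none>") for r in iter_results(doc))),
    }


def worst_level(doc):
    return max((level_of(r) for r in iter_results(doc)),
               key=LEVEL_RANK.__getitem__, default="none")


def gate(doc, fail_on="error"):
    """True when no result reaches the fail_on level (the pipeline may proceed)."""
    return LEVEL_RANK[worst_level(doc)] < LEVEL_RANK[fail_on]


def location_of(result):
    loc = (result.get("locations") or [{}])[0].get("physicalLocation", {})
    uri = loc.get("artifactLocation", {}).get("uri", "<unknown>")
    line = loc.get("region", {}).get("startLine")
    return f"{uri}:{line}" if line else uri


def render_markdown(doc):
    """Markdown table of results, most severe first, for a PR comment."""
    lines = ["| level | rule | location | message |", "|---|---|---|---|"]
    for r in sorted(iter_results(doc), key=lambda r: -LEVEL_RANK[level_of(r)]):
        msg = r.get("message", {}).get("text", "").replace("|", "\\|")
        lines.append(f"| {level_of(r)} | {r.get('ruleId', '')} | {location_of(r)} | {msg} |")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SARIF
    doc = load_sarif(text)
    print(render_markdown(doc))
    print(summarize(doc))
    sys.exit(0 if gate(doc, "error") else 1)
```

Run it as python sarif_gate.py results.sarif; with no argument it processes the constructed sample. The exit status mirrors the gate, so it can sit in a pipeline step just like the scan itself.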

SBOM

Generate an offline CycloneDX SBOM from local project metadata:

mcp-audit sbom --path . --out sbom.cdx.json
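As an added example that is not part of MCP Audit, the script below performs the checks a reviewer would want before filing the SBOM as release evidence: the file really is CycloneDX JSON, every component carries a pinned version and a package URL (a component without a purl cannot be matched against advisory data), and no component is listed twice. It assumes the CycloneDX JSON layout (bomFormat, specVersion, metadata.component, components[]); the embedded sample BOM and its component names are constructed for illustration.

```python
"""Sanity-check a CycloneDX JSON SBOM before it is retained as release evidence.

Added example for this page; not MCP Audit's own code. Assumes the CycloneDX
JSON layout (bomFormat, specVersion, metadata.component, components[]).
"""
import json

# Constructed sample in CycloneDX JSON shape; component names and purls are
# illustrative only and do not describe any real project.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "serialNumber": "urn:uuid:00000000-0000-4000-8000-000000000000",
    "version": 1,
    "metadata": {"component": {"type": "application",
                               "name": "example-mcp-server", "version": "0.1.0"}},
    "components": [
        {"type": "library", "name": "example-lib", "version": "1.2.3",
         "purl": "pkg:npm/example-lib@1.2.3"},
        {"type": "library", "name": "example-lib", "version": "1.2.3",
         "purl": "pkg:npm/example-lib@1.2.3"},          # duplicate entry
        {"type": "library", "name": "unpinned-lib", "version": "*"},  # range, no purl
        {"type": "library", "name": "nover-lib"},                      # no version, no purl
    ],
})


def load_sbom(text):
    """Parse the BOM and refuse anything that is not CycloneDX JSON."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX" or "specVersion" not in doc:
        raise ValueError("not a CycloneDX JSON BOM")
    return doc


def is_cyclonedx(text):
    try:
        load_sbom(text)
        return True
    except ValueError:
        return False


def subject(doc):
    """name@version of the component the BOM describes."""
    m = doc.get("metadata", {}).get("component", {})
    return f"{m.get('name')}@{m.get('version')}"


def is_pinned(version):
    # A range or wildcard is a resolution rule, not provenance of what shipped.
    return bool(version) and not any(ch in version for ch in "*^~<>=")


def check_components(doc):
    """Return (components keyed by purl or name@version, list of problems)."""
    seen, problems = {}, []
    for c in doc.get("components", []):
        name, ver, purl = c.get("name"), c.get("version"), c.get("purl")
        if not is_pinned(ver):
            problems.append(f"{name}: unpinned or missing version ({ver!r})")
        if not purl:
            problems.append(f"{name}: no purl, cannot be matched against advisory data")
        key = purl or f"{name}@{ver}"
        if key in seen:
            problems.append(f"{key}: duplicate entry")
        seen[key] = c
    return seen, problems


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SBOM
    doc = load_sbom(text)
    components, problems = check_components(doc)
    print(f"{subject(doc)}: {len(components)} unique components")
    for p in problems:
        print("problem:", p)
    sys.exit(1 if problems else 0)
```

Run it as python sbom_check.py sbom.cdx.json; a non-zero exit means the BOM needs attention before it is filed with the release.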

Batoi Guard Evidence

Export Batoi Guard evidence for governance workflows:

mcp-audit scan --path . --format guard --out guard-evidence.json

Output Selection

Markdown
  Best for: human review and pull request discussion
  Consumer: developers, security reviewers
  Retention: attach to the review or to release notes

JSON
  Best for: custom automation
  Consumer: internal tools and scripts
  Retention: store when downstream processing is needed

SARIF
  Best for: code scanning dashboards
  Consumer: GitHub code scanning and compatible tools
  Retention: keep with CI run artifacts

SBOM
  Best for: dependency and provenance review
  Consumer: security, compliance and release teams
  Retention: retain with release evidence

Guard evidence
  Best for: governed platform audit trail
  Consumer: Batoi Guard and governance workflows
  Retention: retain with workspace evidence