MCP.so
ログイン

Compuute MCP Security Scanner

@Compuute

Compuute MCP Security Scanner について

Scan-as-a-Service for MCP servers — HTTP+MCP wrapper around compuute-scan

基本情報

カテゴリ

開発者ツール

ライセンス

MIT

ランタイム

python

トランスポート

stdio

公開者

Compuute

投稿者

Daniel Abbay

設定

以下の設定を使って、このサーバーを MCP 対応クライアントに追加してください。

{
  "mcpServers": {
    "compuute-scan": {
      "type": "http",
      "url": "https://scan.compuute.se/mcp/"
    }
  }
}

ツール

1

Scan a public GitHub MCP-server repository for security issues. Clones the repo (shallow, <60s, <200 MB), runs compuute-scan v0.6.2 in static analysis mode (no code execution from the target), and returns a structured report with severity counts, a 0-100 score, and the 10 most severe findings. WHEN TO USE: - Before connecting to an unknown MCP server discovered via Anthropic Registry, Smithery, mcp.so, or a Discord recommendation. - Before installing a third-party MCP-server package into a production pipeline. - As part of an agent's pre-commit / pre-deploy due-diligence step when adding new dependencies. - As one input to a multi-source trust evaluation (combine with publisher reputation, package install count, last-update recency). WHEN NOT TO USE: - For private repos. Use the on-prem CLI instead: `npx compuute-scan ./path-to-private-repo` - For deep exploitability assessment of a specific code path. This is pattern matching, not dataflow analysis. Book a manual L2-L4 audit at https://compuute.se/audit for that depth. - For non-GitHub hosts (GitLab, Bitbucket, self-hosted). v1 supports github.com only. - For repos > 200 MB or clone time > 60s. The endpoint returns a 413 or 504 in those cases — fall back to local CLI. EXPECTED RESPONSE TIME: - Median: ~1-2 seconds for small repos (<100 files). - p99: ~10 seconds for medium repos. - Hard timeout at clone=60s, scan=120s combined. EXPECTED COST: - Free tier in MVP. Future Pro tier may charge per-scan or per-month. DATA FRESHNESS: - Scanner version is reported in response.scanner.version. - L1 rule set freshness reflects compuute-scan releases — see github.com/Compuute/compuute-scan/CHANGELOG.md for the latest CVE and threat-intel response timeline. EXAMPLES: Example 1 — scan an MCP server you're evaluating: github_url = "https://github.com/modelcontextprotocol/servers" → score: 0, summary: {critical: 1, high: 94, medium: 22} → top_findings include SSRF, eval, etc. → recommendation: "AVOID — 1 critical and 94 high finding(s)..." Example 2 — scan a clean reference implementation: github_url = "https://github.com/microsoft/azure-devops-mcp" → score: 90+, summary: {critical: 0, high: 1} → recommendation: "REVIEW — 1 high finding(s)..." Example 3 — scan your own dev MCP-server before publishing: github_url = "https://github.com/yourorg/your-mcp" → audit your own surface before others install it OUTPUT FIELDS (stable schema): - repo_url (str): canonical URL of the scanned repo. - score (int): 0-100, higher safer. Coarse summary, not a precision claim. - summary (object): {critical, high, medium, low, info, files_scanned}. - recommendation (str): action guidance derived from severity counts. - findings_count (int): total raw findings (may include false positives). - top_findings (list): up to 10 most severe, each with {id, title, severity, file, line, owasp, cwe}. - l0_discovery (object): MCP transport, tool count, dependency pinning. - performance (object): clone_seconds, scan_seconds, repo_size_bytes. - scanner (object): {name, version, layers_covered}. - _disclaimer (str): MANDATORY triage disclaimer. Read it. Args: github_url: Public GitHub HTTPS URL (e.g. https://github.com/org/repo). Must be public and < 200 MB. v1 is github.com only. Returns: Structured scan result. On error, returns {"error": code, "message": ...} with HTTP-style code (invalid_url, clone_failed, scan_timeout, etc.).

概要

What is Compuute MCP Security Scanner?

A Scan-as-a-Service for MCP servers, wrapping the compuute-scan static security scanner in an HTTP API and MCP tool interface. It accepts a public GitHub repo URL and returns a structured security report scored against 37 MCP-specific rules across 8 languages (TypeScript/JavaScript, Python, Go, Rust, C#, Java, Kotlin). Designed for agent-driven consumption.

How to use Compuute MCP Security Scanner?

Send a POST request to /v1/scan with a repo_url JSON body (free, rate-limited) or use the /v1/scan/pay endpoint with an X-Payment header for micropayments. For Claude Code, run claude mcp add compuute-scan --transport http --url https://scan.compuute.se/mcp/ and then invoke the scan_mcp_server tool. The open source CLI can be run locally with npx compuute-scan ./repo.

Key features of Compuute MCP Security Scanner

  • 37 MCP-specific static analysis rules.
  • Idempotent retries with 24‑hour cache.
  • x402 micropayment option for autonomous agents.
  • OWASP security headers and strict input validation.
  • OpenAPI spec and MCP tool for agent discovery.
  • Honest framing: every response includes a false-positive disclaimer.

Use cases of Compuute MCP Security Scanner

  • Evaluate third-party MCP servers before integration.
  • Triage security findings in agent supply chain pipelines.
  • Enterprise security audit for MCP servers in production.
  • AI procurement risk audit for CFOs, CTOs, and CISOs.

FAQ from Compuute MCP Security Scanner

What is the false positive rate of the scanner?

The scanner is a pattern-breadth detector with a historic raw false-positive rate of ~90% (138 raw findings → 13 confirmed). Every response includes a _disclaimer field; use findings as a triage queue, not as confirmed vulnerabilities.

How do I install and use the scanner in Claude Code?

Run claude mcp add compuute-scan --transport http --url https://scan.compuute.se/mcp/ and then use the scan_mcp_server tool with a GitHub URL. The tool returns the same structured report as the HTTP API.

What are the pricing tiers for Compuute MCP Security Scanner?

The open source CLI and hosted free API (rate-limited) are $0. The hosted API supports x402 micropayments at $0.10 USDC per scan on Base L2. Enterprise MCP Security Audits start at $5K and AI Procurement Risk Audits at $5K–$15K.

What languages and rules does the scanner cover?

It covers 37 MCP-specific rules across 8 languages: TypeScript/JavaScript, Python, Go, Rust, C#, Java, and Kotlin.

Is authentication required to use the scanning API?

No authentication is required for the free tier (POST /v1/scan). The paid tier (POST /v1/scan/pay) requires an X-Payment header for x402 micropayment authorization.

コメント

「開発者ツール」の他のコンテンツ