Shipcheck MCP
@TateLyman
Shipcheck MCP について
MCP server for read-only Shipcheck launch-risk scans on authorized JavaScript and TypeScript repos
基本情報
設定
以下の設定を使って、このサーバーを MCP 対応クライアントに追加してください。
{
"mcpServers": {
"shipcheck": {
"command": "npx",
"args": [
"--yes",
"--package",
"shipcheck-mcp",
"shipcheck-mcp"
]
}
}
}ツール
ツールは検出されませんでした
ツールは README から自動的に抽出されます。メンテナーは ## Tools という見出しの下に記載することで、このタブに反映できます。
概要
What is Shipcheck MCP?
Shipcheck MCP is an MCP server that lets local MCP clients run Shipcheck on authorized JavaScript and TypeScript repositories. It performs defensive static analysis to detect launch risks such as exposed private-looking environment variables, unsigned Stripe webhooks, missing Supabase/Firebase rule evidence, debug routes, missing usage-cost guardrails, missing CI, loose dependencies, thin release docs, missing MCP smoke-test proof, undocumented STDIO execution boundaries, and undocumented remote MCP auth boundaries.
How to use Shipcheck MCP?
Run directly with npx --yes shipcheck-mcp. Add the server to an MCP client's stdio configuration using command: "npx" and args: ["--yes", "--package", "shipcheck-mcp", "shipcheck-mcp"]. Once configured, invoke the scan_repository tool with parameters such as root, format, failOn, and strict.
Key features of Shipcheck MCP
- Scans repos for over a dozen common launch risks
- Defensive static analysis – reads files, does not modify or execute code
- No network access required
- Multiple output formats: text, markdown, JSON, SARIF
- Configurable severity thresholds (info/low/medium/high) and strict mode
- Designed for JavaScript and TypeScript projects
Use cases of Shipcheck MCP
- Pre-launch safety check for MCP servers before publishing
- Automated CI pipeline scan for insecure configurations
- Local audit of a repository to catch missing security evidence
FAQ from Shipcheck MCP
What risks does Shipcheck MCP check for?
It scans for exposed private-looking env vars, unsigned Stripe webhooks, missing Supabase/Firebase rule evidence, debug routes, missing usage-cost guardrails, missing CI, loose dependencies, thin release docs, missing MCP smoke-test proof, undocumented STDIO execution boundaries, and undocumented remote MCP auth boundaries.
Does Shipcheck MCP modify my repository or execute code?
No. Shipcheck is defensive static analysis. It reads local project files, does not modify the repository, does not execute project code, and does not require network access.
On which repositories can I run Shipcheck MCP?
Only on repos you own or are authorized to inspect. The tool is meant for authorized use only.
What output formats are supported?
Formats: text, markdown, json, or sarif.
What severity levels can I set?
Severities: info, low, medium, or high. You can also set failOn to a specific severity to fail the scan when issues at that level or higher are found.
「その他」の他のコンテンツ
Servers
modelcontextprotocolModel Context Protocol Servers
XcodeBuildMCP
cameroncookeA Model Context Protocol (MCP) server and CLI that provides tools for agent use when working on iOS and macOS projects.
Mcp
browsermcpBrowser MCP is a Model Context Provider (MCP) server that allows AI applications to control your browser
IDA Pro MCP
mrexodiaAI-powered reverse engineering assistant that bridges IDA Pro with language models through MCP.
MCP Toolbox for Databases
googleapisMCP Toolbox for Databases is an open source MCP server for databases.
コメント