Zfuzz

@Zfuzz-dev

Real security scanners for AI coding agents: SAST (441 rules), secret detection (419+ patterns), dependency CVEs, MCP/skill vetting, MITRE ATT&CK. Real scanners, not the model guessing. Rust, Apache-2.0, free.
Overview

Zfuzz — the security engineer your AI agent never had

AI coding agents write code fast, but they only know about security rather than scanning for it, so they ship hardcoded keys, vulnerable dependencies and injectable code. Zfuzz is an MCP server that plugs 10 real security tools into any agent.

Tools: scan_code (SAST, 441 rules, taint analysis, 7 languages) · scan_secrets (419+ patterns + entropy) · scan_dependencies (CVEs via OSV.dev) · scan_mcp_config & scan_skill (vet MCP configs/skills for prompt injection, booby-trapped scripts) · check_mitre · threat_model · search_security_procedures · explain_finding · reconcile_permissions.

Install: claude mcp add zfuzz -- npx -y @zfuzz/mcp — or add { "mcpServers": { "zfuzz": { "command": "npx", "args": ["-y", "@zfuzz/mcp"] } } } to any MCP client.

Real scanners, not the model guessing. Rust · Apache-2.0 · 100% local, no account, no telemetry. Repo: https://github.com/Zfuzz-dev/zfuzz-mcp · Site: https://zfuzz.com

Server Config

{
  "mcpServers": {
    "zfuzz": {
      "command": "npx",
      "args": [
        "-y",
        "@zfuzz/mcp"
      ]
    }
  }
}
© 2025 MCP.so. All rights reserved.