Laraguard Mcp
@ecr17dev
About Laraguard Mcp
No overview available yet
Basic information
Config
Add this server to your MCP-compatible client using the configuration below.
{
"mcpServers": {
"laraguard": {
"command": "node",
"args": [
"/absolute/path/to/Laraguard MCP/dist/index.js"
],
"env": {
"MCP_BASE_PATHS": "/absolute/path/to/your-laravel-project"
}
}
}
}Tools
No tools detected
We auto-extract tools from the README. The maintainer can list them under a ## Tools heading to populate this section.
Overview
What is Laraguard MCP?
Laraguard MCP is a security audit server for Laravel projects that implements the Model Context Protocol (MCP) using stdio transport. It performs static analysis, dependency CVE scanning, and live attack simulation without requiring Laravel to be running, returning structured JSON findings categorized by severity.
How to use Laraguard MCP?
Clone the repository, install dependencies with npm install, and optionally configure environment variables (e.g., MCP_BASE_PATHS). Then add a laraguard entry to your MCP client’s configuration (JSON block with command node pointing to dist/index.js, or npx tsx pointing to src/index.ts under development). Tools are invoked by sending tool calls like project_info, full_audit, or attack_simulate with a path and optional baseUrl.
Key features of Laraguard MCP
- Static code scanning with 15+ rules covering SQL injection, RCE, hardcoded credentials, and LFI
- Blade XSS scanner that detects unescaped output in templates
- Route and middleware audit for missing auth, throttle, or CSRF exceptions
- Dependency CVE feed querying the OSV.dev batch API for real vulnerabilities
- Configuration audit inspecting
.envandconfig/cors.phpfor critical misconfigurations - Active attack simulation firing live HTTP probes (SQLi, XSS, CSRF, auth bypass, rate limiting)
Use cases of Laraguard MCP
- Pre-deployment security audit of Laravel codebases to catch vulnerabilities before production
- Continuous integration pipeline integration to block risky commits automatically
- Dependency vulnerability monitoring via
composer.lockCVE lookups - Security researcher or penetration tester tool for automated Laravel reconnaissance
FAQ from Laraguard MCP
What runtime does Laraguard MCP require?
Node.js 20 or higher and npm 10 or higher are required. The server runs as a pure TypeScript process using @modelcontextprotocol/sdk.
Does Laraguard MCP send my project data to an external service?
Only the dependency_audit tool makes external HTTP requests to the OSV.dev API to query CVEs. All other tools operate entirely locally, and sensitive values are redacted before reaching the MCP client.
How do I configure which directories can be scanned?
Set the MCP_BASE_PATHS environment variable (comma-separated) or MCP_BASE_PATH (single path) in the MCP client’s env block. If neither is set, the current working directory is used.
Which MCP clients are supported?
Any MCP client that supports stdio transport, including Cursor, Claude Desktop, and VS Code MCP extensions. Configuration involves adding a laraguard entry under mcpServers in the client’s config file.
How does attack simulation work and what does it require?
The attack_simulate tool sends six live HTTP probes (SQL injection, XSS, CSRF, auth bypass, rate limiting, error disclosure) to a running Laravel app. It requires the baseUrl parameter pointing to a live server.
More Other MCP servers
🪟 Windows-MCP
CursorTouchMCP Server for Computer Use in Windows
Servers
modelcontextprotocolModel Context Protocol Servers
MCP Registry
modelcontextprotocolA community driven registry service for Model Context Protocol (MCP) servers.
ICSS
chokcoco不止于 CSS

Sequential Thinking
modelcontextprotocolModel Context Protocol Servers
Comments