MCTS scans MCP servers for security issues — permissions, injection, secrets, attack chains, supply chain risk, and cross-server toxic flows — locally or in CI.
Ships today: repo/live/remote/snapshot scanning · 30+ analyzers · 79-technique regression suite · attack chains · inventory across 12+ agent clients · skills scan · vet/pentest · SARIF/HTML reports · GitHub Action · optional Semgrep, LLM triage, and mcts-mcp server mode.
New to MCTS? Read one guide, run one command, done.
- Install and first scan — install, scan the example server, read the output, export HTML
- Two scores on the same scan? Scoring developer guide — 5 min, answers 90% of score questions
- Stuck on a term? Glossary
You do not need to read the CLI reference, architecture doc, or planning docs to get value from MCTS.
Install → first scan → scoring guide (if confused) → CI integration → done
Contributors add: Architecture → CONTRIBUTING.md.
Pick the task that matches what you are doing right now:

| Task | Start here |
|---|---|
| Scan my MCP server code | Getting started → Scan your first server — mcts scan ./server.py |
| Scan a whole repo | mcts scan ./repo/ — same guide, repo section |
| Not sure which file to scan | mcts scan . --auto — auto scan |
| Probe a running server | Live scanning — needs --live --i-understand-live-risk |
| Scan a hosted URL | Remote scanning — --url + auth |
| Scan with no network (exported JSON) | Static snapshot — --snapshot |
| Choose a scan mode (decision tree) | Which scan mode should I use? |
| Understand scan scores | Scoring developer guide — start here |
| Fail CI on bad scores | CI integration — see scoring guide for gate cheat sheet |
| Share results with leadership | HTML report — mcts report report.json -o report.html |
| See what's installed on my machine | Config inventory — mcts inventory --scan |
| Scan all local MCP configs | mcts scan --machine-wide — CLI reference |
| Understand a finding | Security checks |
| Look up a flag or command | CLI reference |
```bash
# Install once (isolated — not in your app venv)
pipx install mcp-mcts
# or one-off: uvx mcp-mcts scan ./server.py

# Basic scan
mcts scan ./server.py

# Save JSON + HTML dashboard
mcts scan ./server.py -o report.json
mcts report report.json -o security-report.html

# CI gate
mcts scan ./server.py --fail-on-critical --min-score 70 -o report.sarif --format sarif
```

More commands: CLI reference
Three tiers — read top to bottom only as needed.

| Topic | Guide |
|---|---|
| Install + first scan | Getting started |
| Which scan mode to use | Scanning overview |
| Live / remote / snapshot / fuzz / inventory | Scanning guides |
| CI and GitHub Action | CI integration |
| Understand scores | Scoring developer guide |
| HTML and SARIF reports | Reporting overview |

| Topic | Guide |
|---|---|
| Every command and flag | CLI reference |
| Every security check | Security checks |
| Scoring (legacy + v2) | Scoring developer guide → legacy spec · v2 spec |
| Technique IDs (MCTS-T-*) | Threat taxonomy |
| REST API | REST API |
| Term definitions | Glossary |

| Topic | Guide |
|---|---|
| Roadmap and shipped vs planned | Product roadmap |
| Gap analysis and implementation plan | Feature expansion plan |
| Product positioning | Product positioning |
| Contributing code | CONTRIBUTING.md |
| CLI roadmap / GAP tables | Planned CLI |

| Role | Path |
|---|---|
| Developer (first time) | Getting started → Scanning overview |
| MCP server author | Getting started → Security checks |
| DevOps / CI | Scoring developer guide → CI integration |
| Security engineer | Architecture → Security checks |
| Agent / platform team | Inventory → CLI reference |
| Contributor | CONTRIBUTING.md → Quick start |