mcps-audit -- Automated OWASP MCP Security Scanner
This checklist is excellent work. We built a CLI tool that automates many of these checks:
```
npx mcps-audit ./your-mcp-server
```

Coverage mapping
mcps-audit scans against both OWASP frameworks:
OWASP MCP Top 10 -- checks for vulnerable patterns AND mitigations:
| Risk | What mcps-audit checks |
|---|---|
| MCP-01 | Bearer tokens/API keys without identity verification |
| MCP-03 | Tool definitions without integrity signing |
| MCP-04 | Dynamic imports without signed tool verification |
| MCP-06 | JSON-RPC calls without message signing |
| MCP-07 | Server endpoints without authentication |
| MCP-08 | Request handling without audit trail |
| MCP-09 | Remote connections without origin validation |
| MCP-10 | Prompt concatenation without isolation |
OWASP Agentic AI Top 10 -- 12 code-level rules:
- Command injection (exec, eval, subprocess)
- Hardcoded secrets
- Excessive permissions
- Prompt injection patterns
- Missing sandboxing
- Supply chain risks
- Data exfiltration patterns
- And more
Output
- PASS/WARN/FAIL verdict per risk
- Risk score (0-100)
- PDF report with findings, line numbers, code snippets, remediation
- JSON output for CI/CD
Links
- npm: https://www.npmjs.com/package/mcps-audit
- GitHub: https://github.com/razashariff/mcps-audit
- Sample Report: https://agentsign.dev/sample-report.pdf
- MCPS IETF Draft: https://datatracker.ietf.org/doc/draft-sharif-mcps-secure-mcp/
Would love to see this referenced in the checklist as an automated implementation. Happy to discuss coverage gaps.