Add mcp scanner gh action #100
Draft
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Introduces a GitHub Actions workflow for MCP Security Scanner, a local scan script, and documentation. The workflow runs security scans on PRs and manual triggers, generates reports, and uploads results as artifacts. The documentation explains usage, configuration, and troubleshooting, while the script enables local scanning against a running MCP server.
The MCP Security Scan GitHub Actions workflow now runs daily at 2 AM UTC in addition to pull requests and manual triggers. This ensures regular automated security checks.
Coverage Report
File CoverageNo changed files found. |
Replaces deprecated --auth-value flag with --auth-token in mcp-scan commands within the security scan workflow for improved compatibility.
Added the --transport http flag to MCP security scan commands in both workflow and script files. Updated the authentication flag from --auth-value to --auth-token for consistency and correctness.
Changed the default scan URL from /mcp to /mcp/job_management in workflow, documentation, and script to focus scans on the job_management toolset. Updated instructions and messaging to clarify how to scan all tools or other toolsets, improving scan speed and specificity.
Enhances the workflow to capture both stdout and file output from the MCP security scan, ensures fallback to captured output if the report file is missing, and improves the GitHub Actions summary step with better checks and parsing for both text and JSON reports. Adds more robust reporting and debugging information for scan results.
Enhanced the GitHub Actions summary for MCP security scans with clearer headings, severity tables, and collapsible detailed results. The summary now parses and displays key statistics from the text report, omits redundant JSON parsing, and adds an artifact download section for full scan results.
Updated the parsing logic in mcp-security-scan.yml to extract summary values directly from the scan report file, avoiding shell variable truncation. Added default values for each metric to ensure robustness if extraction fails.
Refactored the summary parsing logic to handle multiline summary sections in scan-report.txt by joining the last two lines before extracting values. This change ensures more reliable extraction of critical, high, medium, low, passed, and failed counts, and removes unnecessary debug output.
Refines the logic for extracting the summary section from the scan report by using grep to get the 'Summary:' line and the following line, ensuring multiline summaries are correctly joined and parsed.
Failed security checks are now highlighted separately in the GitHub summary if present. The full scan results table is included without truncation, and the collapsible section label is updated for clarity.
Update the MCP security scan workflow to extract and summarize results from the JSON report using jq instead of parsing the text report. This improves reliability and detail in reporting, including clearer summaries and detailed failed check information.
Refactor the workflow to extract summary and findings from the 'findings' array instead of the deprecated 'summary' and 'results' fields in the scan-report.json. The script now calculates severity counts, displays failed checks with remediation steps, and updates all jq queries to match the new JSON schema.
Eliminates the step that runs the MCP Security Scan with text output and related file handling logic from the GitHub Actions workflow. Only the JSON output scan step remains, simplifying the workflow.
Updated the mcp-security-scan workflow to sort findings by severity (critical, high, medium, low, info) and display corresponding emojis for each severity level. This improves readability and prioritization of scan results in the GitHub summary.
Separates the status emoji assignment into its own variable for improved readability in the GitHub Actions workflow output.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
draft/in development