Add secure scanning of MCP Servers #184
Merged
aarora79 merged 41 commits into agentic-community:main from nishadeborahphilips:show-anthropic-api-response
Oct 24, 2025
+2,740 −49
…istry into show-anthropic-api-response
- Add scan_all_servers.py CLI tool for bulk security scanning
  - Supports --token and --token-file parameters with priority handling
  - Generates comprehensive markdown reports with detailed findings
  - Reports saved to security_scans/scan_report.md (latest) and security_scans/reports/ (timestamped archives)
  - Masks tokens in logs for security (shows first 20 and last 10 chars)
- Enhance service_mgmt.sh security scan workflow
  - Auto-append /mcp to proxy_pass_url if not ending with /mcp or /sse
  - Load ADMIN_PASSWORD from .env file for auto-disabling unsafe servers
- Fix authentication header forwarding in auth-server
  - Update auth_server/server.py
  - Add fallback to check Authorization header if X-Authorization not present
  - Explicit priority: X-Authorization > Authorization
- Add mcp_security_scanner.py header support
  - Parse --headers argument and extract Bearer token
  - Pass token to mcp-scanner via --bearer-token
- Add example configs
  - shawndurrani-ai-server-config.json for external MCP server
- Update .gitignore
  - Add .roo/ for Roo IDE files
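An added sketch (not code from this pull request) of three behaviours the commit message above lists: token masking for logs, the X-Authorization > Authorization priority, and the /mcp suffix rule. The function names, the short-token handling and the trailing-slash handling are assumptions made for this example.

```python
from typing import Mapping, Optional


def mask_token(token: str, head: int = 20, tail: int = 10) -> str:
    """Keep the first `head` and last `tail` characters for log correlation.

    A token of head + tail characters or fewer would be printed in full by
    plain slicing, so it is replaced entirely (assumption of this example).
    """
    if len(token) <= head + tail:
        return "<masked>"
    return f"{token[:head]}...{token[-tail:]}"


def bearer_from_headers(headers: Mapping[str, str]) -> Optional[str]:
    """Return the Bearer token, preferring X-Authorization over Authorization."""
    lowered = {name.lower(): value for name, value in headers.items()}
    # Assumption: an empty X-Authorization counts as "not present".
    value = lowered.get("x-authorization") or lowered.get("authorization")
    if not value:
        return None
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None  # wrong scheme or empty credential: reject, do not guess
    return token.strip()


def normalize_proxy_pass_url(url: str) -> str:
    """Append /mcp unless the URL already ends with /mcp or /sse."""
    trimmed = url.rstrip("/")  # assumption: a trailing slash is dropped first
    if trimmed.endswith(("/mcp", "/sse")):
        return trimmed
    return trimmed + "/mcp"
```
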
Changes:
- Renamed docs/cisco-security-scanner-setup.md to docs/security-scanner.md
- Rewrote documentation to be generic (not Cisco-specific)
- Added MCP Supply Chain Security introduction
- Documented integration with Cisco AI Defence MCP Scanner
- Section 1: Security scanning during server addition
  - Command format and examples
  - Real config example (cloudflare-docs-server-config.json)
  - Real scan output example (docs.mcp.cloudflare.com_mcp.json)
  - Explained disabled state and security-pending tag
  - Added placeholder for screenshot
- Section 2: Periodic registry scans
  - Command examples for scan_all_servers.py
  - Report location and structure (security_scans/scan_report.md)
  - Reference to scan_report_example.md
- Updated README.md:
  - Added security scanning to "What's New" section
  - Added "Security Scanning" subsection to Enterprise Features
- Removed unnecessary prerequisites:
  - MCP Scanner install (already in pyproject.toml)
  - Registry admin credentials (handled by .env)
- Removed redundant troubleshooting section

Files changed:
- docs/cisco-security-scanner-setup.md → docs/security-scanner.md
- README.md (What's New + Enterprise Features sections)
- cli/examples/cloudflare-docs-server-config.json (new example)
- docs/scan_report_example.md (new reference report)
…p servers

This commit fixes multiple issues with health checks and automatic tool discovery:

1. Health Check - Proper MCP Session Management
   - Add proper MCP initialize flow to get session ID from server
   - Use server-generated session ID for subsequent ping requests
   - Skip URL pattern shortcut when supported_transports contains streamable-http
   - Handle auth failures during initialize by falling back to ping without auth
2. Tool Fetching - Header and URL Fixes
   - Add required Accept header: application/json, text/event-stream
   - Remove trailing slash from MCP URLs (Cloudflare rejects it)
   - Fix MCP client to properly handle Cloudflare's requirements
3. Tool Auto-Discovery - Enhanced Logic
   - Always fetch tools on first health check (previous_status == UNKNOWN)
   - Fetch tools when server transitions to healthy
   - Fetch tools if server is healthy but has empty tool_list
   - Ensures tools populate automatically on startup and registration
4. Import Script - Preserve Transport Type
   - Stop removing supported_transports field during import
   - Allows SSE servers to be registered with correct transport type
   - Fixes health checks for servers like ai.shawndurrani-mcp-merchant

Fixes Cloudflare Documentation MCP Server health checks and tool discovery.
Fixes sre-gateway showing unhealthy when auth token expires.
Replace placeholder text with actual screenshot reference for failed security scan. Shows how servers that fail security scans are added in disabled state with security-pending tag.
Use mcpgateway.example.com instead of mcpgateway.ddns.net for better documentation practices with a generic example domain.
Remove markdown code block wrapper from example report summary to display it as rendered markdown for better readability.
The statement about MCP Scanner being included in pyproject.toml is unnecessary in the Prerequisites section.
aarora79 added a commit that referenced this pull request, Oct 24, 2025
This commit adds the documentation enhancements that were made after PR #184 was created but before it was merged:
- Add failed_scan.png screenshot for security scanner documentation
- Convert "Cisco AI Defence MCP Scanner" references to clickable links
- Replace specific domain examples with example.com
- Render example report as markdown instead of code block
- Remove redundant installation notes

These changes improve documentation readability and provide better navigation to related resources.
Issue #, if available: 172
Description of changes:
Modified the security scanning workflow in service_mgmt.sh to scan the tools before registering.
Key changes:
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.