Add MCP Shield security scan #66

Open
thuggeelya wants to merge 2 commits into blazickjp:main from thuggeelya:add-mcp-shield-ci

@thuggeelya thuggeelya commented Mar 4, 2026

Summary

Adds an MCP Shield CI workflow for automated security scanning and a security badge to the README.
On every PR, the workflow posts a detailed comment with findings, affected tools, and recommendations.

Scan results

Score: 86/100 (Grade: A-)
22 checks | 14 passed | 0 failed | 8 warnings

Findings

⚠️ SEC-001 WARN — Found 1 poisoning indicator(s) (CWE-94)

  • [low] Excessively long description (2400 chars)

⚠️ COMP-009 WARN — 5 field(s) missing constraints

  • search_papers.query: string without maxLength
  • search_papers.date_from: string without maxLength
  • search_papers.date_to: string without maxLength
  • download_paper.paper_id: string without maxLength
  • read_paper.paper_id: string without maxLength

⚠️ ADV-003 WARN — 1 tool(s) may perform bulk operations

  • search_papers (unbounded array: categories)

⚠️ ADV-005 WARN — 2 tool(s) access external network

  • search_papers (network verb)
  • download_paper (network verb)

⚠️ SEC-002 WARN — Found 1 potential injection vector(s) (CWE-78, CWE-89, CWE-22)

  • [medium] Potential injection vector: search_papers.query

⚠️ SEC-003 WARN — Security score: 78/100 (5 finding(s))

⚠️ SEC-005 WARN — Found 1 write scope concern(s) (CWE-434)

  • [medium] User-facing write: search_papers

⚠️ SEC-006 WARN — Found 2 non-idempotent operation(s) (CWE-352)

  • [medium] Non-idempotent operation: search_papers
  • [medium] Non-idempotent operation: download_paper

Recommendations

🔴 Review injection risks (1 found) — Add maxLength/pattern to schemas, or --deny high-risk tools
Affected: search_papers.query

🟡 Confirm write scope (1 found) — Require user confirmation for write operations
Affected: search_papers

🟡 Add idempotency keys (2 found) — Add idempotency_key parameter to non-idempotent tools
Affected: search_papers, download_paper

🔵 Improve schemas (5 fields) — Add descriptions, maxLength, and pattern constraints to inputSchema fields
Affected: search_papers.query, search_papers.date_from, search_papers.date_to, download_paper.paper_id, read_paper.paper_id


MCP Shield · Check reference
