Skills Development Static MCP Security Scan Tool

Static MCP Security Scan Tool

v20260707
harness-mcp-scan
Performs a pure, read-only static security scan of a harness's declared MCP surfaces. It analyzes policy, permission, and dependency issues by reading manifest files (e.g., .mcp/servers.json and .harness/claims.json) without executing any underlying tools. Designed for integration into CI/CD pipelines to enforce security policies and ensure compliance.
Get Skill
364 downloads
Overview

Calls harness mcp-scan to enumerate every declared MCP server + tool and flag policy / permission / dependency issues. Never executes any tool; pure static analysis.

Algorithm

Implementation: scripts/mcp-scan.mjs.

  1. Invoke the pinned harness binary (metaharness@~0.3.0, resolved from a local install or the one-time ~/.ruflo/metaharness-cache-<pin> cache — never @latest): harness mcp-scan <path> --json.
  2. Parse findings[] with { severity, id, server, tool, message }.
  3. --fail-on <severity>: exit 1 when any finding is at or above that level. Default high.
  4. Output JSON (default) or markdown table.

Severity rank

Severity Rank
low 1
medium 2
high 3

--fail-on high (default) only fails on HIGH; --fail-on medium also fails on MEDIUM; --fail-on low fails on any finding.

CI integration

- name: MCP static scan
  run: node plugins/ruflo-metaharness/scripts/mcp-scan.mjs --fail-on high

The exit code is the only thing CI watches; the JSON output goes to artifacts for human review.

Graceful degradation

When harness binary is unavailable (no network, blocked registry), emits structured { degraded: true, reason: 'metaharness-not-available' } and exits 0. Ruflo continues — ADR-150 architectural constraint.

Info
Category Development
Name harness-mcp-scan
Version v20260707
Size 1.68KB
Updated At 2026-07-09
Language