
CI/CD Integration

Integrate MCPSafe security scanning into your continuous integration pipelines.

Quick Start

  1. Add your API key as a secret

     Store MCPSAFE_API_KEY in your CI/CD platform's secrets store

  2. Install the CLI

     Run npm install -g @mcpsafe/cli

  3. Run the scan

     Use mcpsafe scan ./ --wait --fail-on high

Platform Examples

Basic GitHub Actions Workflow

Run security scans on push and pull requests and fail the job on high or critical findings

.github/workflows/security.yml
name: Security Scan

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'

      - name: Install MCPSafe CLI
        run: npm install -g @mcpsafe/cli

      - name: Run Security Scan
        env:
          MCPSAFE_API_KEY: ${{ secrets.MCPSAFE_API_KEY }}
        # --fail-on makes the CLI exit non-zero when findings at or above the
        # threshold are present, which fails this job (see Failure Thresholds).
        run: mcpsafe scan ./ --wait --fail-on high

With GitHub Code Scanning (SARIF)

Upload results to GitHub Security tab

.github/workflows/security-sarif.yml
name: Security Scan with SARIF

on:
  push:
    branches: [main]
  pull_request:

jobs:
  security-scan:
    runs-on: ubuntu-latest
    permissions:
      security-events: write
    steps:
      - uses: actions/checkout@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'

      - name: Install MCPSafe CLI
        run: npm install -g @mcpsafe/cli

      - name: Run Security Scan
        env:
          MCPSAFE_API_KEY: ${{ secrets.MCPSAFE_API_KEY }}
        run: |
          mcpsafe scan ./ --wait --format sarif --output results.sarif
        # Let the upload step run even when the scan reports findings.
        # Note that this also means the job itself no longer fails on them.
        continue-on-error: true

      - name: Upload SARIF to GitHub
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif

Pro Tip

SARIF integration shows vulnerabilities directly in GitHub's Security tab and on pull request diffs. Because the scan step above uses continue-on-error: true, findings surface as code scanning alerts rather than as a failed job; if you also want to block merges, keep a --fail-on run in the pipeline or require code scanning results in branch protection.

Failure Thresholds

Use the --fail-on flag to control when builds should fail:

  --fail-on critical   Only fail on critical vulnerabilities
  --fail-on high       Fail on high or critical (recommended)
  --fail-on medium     Fail on medium, high, or critical
  --fail-on low        Fail on any vulnerability (strict)
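The two ideas above interact: once the scan runs with --format sarif and continue-on-error, the --fail-on threshold no longer decides the job outcome. The following script, an added example and not part of the MCPSafe CLI or its documentation, re-applies a --fail-on style threshold to a SARIF file so a pipeline can both upload results and gate on them. It assumes a severity mapping that the page does not specify: a rule's properties.security-severity score is read using GitHub Code Scanning's bands (9.0 and above critical, 7.0 high, 4.0 medium, otherwise low), and a result whose rule has no score falls back to its SARIF level (error, warning, note). The script name sarif_gate.py, the rule ids and the embedded sample report are all constructed for the example.

```python
"""sarif_gate.py: fail a CI job on SARIF findings at or above a threshold.

Added example, not MCPSafe's own code. Usage:
    python sarif_gate.py results.sarif high
With no arguments it evaluates the constructed SAMPLE_SARIF below.
"""
import json
import sys

# Severity ranks, lowest to highest; a threshold fails on its name and above.
SEVERITY_ORDER = ["low", "medium", "high", "critical"]

# Fallback from the SARIF result `level` when the rule carries no score.
# Assumed for this example; it is not MCPSafe's documented mapping.
LEVEL_FALLBACK = {"error": "high", "warning": "medium", "note": "low", "none": "low"}


def severity_from_score(score):
    """Map a 0-10 security-severity score to a name (GitHub Code Scanning bands)."""
    score = float(score)
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def rule_for(result, rules):
    """Resolve the rule a result refers to, by ruleIndex first, then ruleId."""
    idx = result.get("ruleIndex")
    if isinstance(idx, int) and 0 <= idx < len(rules):
        return rules[idx]
    rule_id = result.get("ruleId")
    return next((r for r in rules if r.get("id") == rule_id), None)


def result_severity(result, rules):
    """Severity of one result: rule score if present, else its level."""
    rule = rule_for(result, rules) or {}
    score = rule.get("properties", {}).get("security-severity")
    if score is not None:
        return severity_from_score(score)
    # SARIF's default level when a result gives none is "warning".
    return LEVEL_FALLBACK.get(result.get("level", "warning"), "medium")


def count_by_severity(sarif):
    """Count results across all runs, keyed by severity name."""
    counts = {name: 0 for name in SEVERITY_ORDER}
    for run in sarif.get("runs", []):
        rules = run.get("tool", {}).get("driver", {}).get("rules", [])
        for result in run.get("results", []):
            counts[result_severity(result, rules)] += 1
    return counts


def should_fail(counts, fail_on):
    """True when any finding sits at or above the --fail-on threshold."""
    if fail_on not in SEVERITY_ORDER:
        raise ValueError(f"unknown threshold {fail_on!r}; expected one of {SEVERITY_ORDER}")
    at_or_above = SEVERITY_ORDER[SEVERITY_ORDER.index(fail_on):]
    return any(counts[name] > 0 for name in at_or_above)


# Constructed sample report; rule ids and messages are made up for this example.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-scanner", "rules": [
            {"id": "R001", "properties": {"security-severity": "9.1"}},
            {"id": "R002", "properties": {"security-severity": "7.5"}},
            {"id": "R003"},
        ]}},
        "results": [
            {"ruleId": "R001", "level": "error", "message": {"text": "constructed finding"}},
            {"ruleId": "R002", "level": "warning", "message": {"text": "constructed finding"}},
            {"ruleId": "R003", "level": "note", "message": {"text": "constructed finding"}},
            {"ruleIndex": 2, "message": {"text": "constructed finding without a level"}},
        ],
    }],
}


def main(argv):
    fail_on = argv[2] if len(argv) > 2 else "high"
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            sarif = json.load(fh)
    else:
        sarif = SAMPLE_SARIF
    counts = count_by_severity(sarif)
    print("findings by severity:", counts)
    if should_fail(counts, fail_on):
        print(f"failing: findings at or above '{fail_on}'", file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In the SARIF workflow this would run as an extra step after the upload, with continue-on-error left on the scan step only, so the upload always happens and the gate still decides the job result.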

Best Practices

Run on Pull Requests

Catch vulnerabilities before they are merged, not after they land on main

Use SARIF Output

Integrate with GitHub Code Scanning so findings appear as alerts on the pull request

Cache Dependencies

Speed up CLI installation in pipelines

Protect API Keys

Always inject MCPSAFE_API_KEY from your CI secrets store; never hardcode it in workflow files or commit it to the repository