
Core Concepts

Understand the key concepts behind MCPSafe's security scanning and quality assessment.

Security Scanning

Automated static analysis that checks MCP server source code for vulnerabilities like command injection, path traversal, SSRF, and more.

  • AST-based code analysis using Tree-sitter
  • 50+ security rules covering OWASP Top 10
  • Support for JavaScript, TypeScript, and Python
  • No code execution - purely static analysis

Security Grades

Servers receive grades from A+ to F based on vulnerability severity and count. A-grade servers have no critical or high-severity issues.

  • A+ (90-100): No vulnerabilities found
  • A (80-89): Only informational findings
  • B (70-79): Low severity issues only
  • C (50-69): Medium severity issues present
  • D (30-49): High severity vulnerabilities
  • F (0-29): Critical vulnerabilities found

Quality Scores

Beyond security, we evaluate documentation quality, test coverage, TypeScript usage, and maintenance activity.

  • Maintenance: Commit frequency, issue response time
  • Popularity: Stars, downloads, forks
  • Documentation: README quality, API docs, examples
  • Compatibility: TypeScript support, MCP spec compliance

Watchlist

Monitor specific servers and get notified when new vulnerabilities are discovered or security scores change.

  • Add any server to your watchlist
  • Track security score changes over time
  • Get notified of new scan results
  • Compare watched servers side-by-side

Alerts & Notifications

Real-time notifications via email, Slack, or webhooks when security issues are found in your watched servers.

  • Configurable alert thresholds
  • Email notifications
  • Slack integration
  • Webhook callbacks for custom integrations

CI/CD Integration

Integrate security scans into your CI/CD pipeline with GitHub Actions, GitLab CI, or any CI system using the CLI.

  • Fail builds on security thresholds
  • Generate SARIF reports for code scanning
  • Cache scan results for faster builds
  • Pull request comments with scan results

Severity Levels

Vulnerabilities are classified by severity based on CVSS scores and potential impact.

Critical

CVSS 9.0 - 10.0

Immediate exploitation risk. Can lead to full system compromise, remote code execution, or data breach.

  • Command injection
  • eval() with user input
  • Hardcoded credentials

High

CVSS 7.0 - 8.9

Significant security risk requiring prompt attention. May allow unauthorized access or data manipulation.

  • SQL injection
  • Path traversal
  • SSRF vulnerabilities

Medium

CVSS 4.0 - 6.9

Moderate risk that should be addressed. May enable attacks under certain conditions.

  • Weak crypto usage
  • Missing input validation
  • Information disclosure

Low

CVSS 0.1 - 3.9

Minor security concerns or code quality issues. Limited impact but good to fix.

  • Debug code in production
  • Verbose error messages
  • Deprecated functions

Info

CVSS 0.0

Informational findings and best practice recommendations. No immediate security impact.

  • Missing security headers
  • Code style issues
  • Optimization suggestions
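The CI/CD "fail builds on security thresholds" step and the severity levels above, tied together as an added example (not MCPSafe's own code or CLI): a small Python build gate that reads a SARIF 2.1.0 report, maps each finding to the CVSS ranges defined above, and exits non-zero at a configured threshold. It assumes each rule carries a `security-severity` property (the GitHub code scanning convention); the rule ids and the sample report are constructed for illustration.

```python
import json
import sys

# CVSS ranges from the Severity Levels section above; lower bound inclusive.
SEVERITY_FLOORS = [("critical", 9.0), ("high", 7.0), ("medium", 4.0), ("low", 0.1), ("info", 0.0)]
RANK = {name: i for i, (name, _) in enumerate(reversed(SEVERITY_FLOORS))}  # info=0 ... critical=4

def severity_from_cvss(score: float) -> str:
    """Map a CVSS base score to the page's severity level name."""
    for name, floor in SEVERITY_FLOORS:
        if score >= floor:
            return name
    return "info"

def count_by_severity(sarif: dict) -> dict:
    """Tally results per severity by looking each result's ruleId up in the run's rule table."""
    counts = {name: 0 for name, _ in SEVERITY_FLOORS}
    for run in sarif.get("runs", []):
        rules = {r["id"]: r for r in run.get("tool", {}).get("driver", {}).get("rules", [])}
        for result in run.get("results", []):
            rule = rules.get(result.get("ruleId"), {})
            # A rule with no declared score counts as informational rather than being dropped.
            score = float(rule.get("properties", {}).get("security-severity", "0.0"))
            counts[severity_from_cvss(score)] += 1
    return counts

def should_fail(counts: dict, threshold: str = "high") -> bool:
    """Build gate: True when any finding sits at or above the threshold severity."""
    return any(n > 0 and RANK[name] >= RANK[threshold] for name, n in counts.items())

# Constructed sample report (assumed layout): one high and one low finding.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-scanner", "rules": [
            {"id": "path-traversal", "properties": {"security-severity": "7.5"}},
            {"id": "verbose-errors", "properties": {"security-severity": "3.1"}},
        ]}},
        "results": [
            {"ruleId": "path-traversal", "level": "error", "message": {"text": "unsanitized path in readFile"}},
            {"ruleId": "verbose-errors", "level": "note", "message": {"text": "stack trace returned to client"}},
        ],
    }],
}

if __name__ == "__main__":
    report = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_SARIF
    totals = count_by_severity(report)
    print(totals)
    sys.exit(1 if should_fail(totals, "high") else 0)
```

Run it as `python gate.py results.sarif` in the pipeline; a non-zero exit is what makes the CI job fail at the chosen threshold.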