npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@sulthonzh/mcp-audit

v1.1.1

Published

Security scanner for MCP (Model Context Protocol) servers

Readme

MCP Audit 🔍

Security scanner for MCP (Model Context Protocol) servers — and your container/K8s/Helm infrastructure too. Think of it as npm audit but for your AI agent integrations and cloud-native deployments.

Why MCP Audit?

Everyone's installing MCP servers like crazy, but nobody's checking if they're about to give a plugin full access to their filesystem, data, and context. MCP Audit gives you visibility into what these servers can actually do — and flags the risky stuff before it bites you.

It also scans Dockerfiles, Kubernetes manifests, and Helm charts, because your AI tools don't live in a vacuum. They run in containers, on clusters, behind charts. Might as well audit the whole stack.

What It Scans

| Target | Command | What It Catches | |--------|---------|-----------------| | MCP config files | mcp-audit scan | Risky permissions, overly broad file access | | MCP server repos | mcp-audit check <repo> | Prompt injection, hardcoded secrets, trust scoring | | Dockerfiles | mcp-audit docker <path> | Root user, exposed secrets, outdated base images | | Kubernetes manifests | mcp-audit k8s <path> | Privileged containers, hostNetwork, runaway resources | | Helm charts | mcp-audit helm <path> | Hardcoded secrets in values.yaml, unsafe defaults |

Quick Start

npm install -g mcp-audit

# Scan your MCP config
mcp-audit scan

# Audit a remote MCP server
mcp-audit check github.com/user/mcp-server

# Scan a Dockerfile
mcp-audit docker ./Dockerfile

# Scan K8s manifests
mcp-audit k8s ./manifests

# Scan a Helm chart
mcp-audit helm ./my-chart

# CI mode (exits with code on findings)
mcp-audit check --ci

Usage

Scan MCP Configuration

Checks claude_desktop_config.json, .cursor/mcp.json, and other MCP config files for risky permissions.

mcp-audit scan
mcp-audit scan -o report.json  # save report

Check a Remote Server

Clones the repo, runs static analysis, and generates a trust score based on GitHub signals.

mcp-audit check https://github.com/username/mcp-server
mcp-audit check https://github.com/username/mcp-server --ci  # CI-friendly

Docker Security

mcp-audit docker ./Dockerfile
mcp-audit docker ./docker-dir  # scans all Dockerfiles in directory

Detects: root user, ADD vs COPY, hardcoded secrets, latest tags, missing .dockerignore.

Kubernetes Security

mcp-audit k8s ./manifests
mcp-audit k8s ./manifests --strict  # stricter checks

Detects: privileged containers, hostNetwork/hostPID, missing resource limits, alwaysPullPolicy not set, containers running as root.

Helm Chart Security

mcp-audit helm ./my-chart
mcp-audit helm ./my-chart --strict -o report.json

Automatically detects Helm charts (looks for Chart.yaml). Scans values.yaml for hardcoded secrets and privileged flags, strips Go template syntax from templates/ and runs K8s security checks, and validates Chart.yaml for deprecated API versions and missing metadata.

CI Integration

All scanners support --ci for pipeline-friendly output and proper exit codes. Use --strict to fail on warnings too.

# GitHub Actions example
- name: Security Audit
  run: |
    npx mcp-audit k8s ./k8s --ci --strict
    npx mcp-audit docker . --ci
    npx mcp-audit helm ./charts --ci

Configuration

Create mcp-audit.config.json to customize:

{
  "vulnerabilityDatabase": "https://raw.githubusercontent.com/your-org/mcp-vuln-db/main/database.json",
  "trustWeight": {
    "stars": 0.3,
    "tests": 0.3,
    "ci": 0.2,
    "age": 0.2
  }
}

Pre-commit Hook

# .pre-commit-config.yaml
repos:
  - repo: local
    hooks:
      - id: mcp-audit
        name: MCP Security Audit
        entry: mcp-audit check --ci
        language: system

Contributing

PRs welcome. Open an issue first if it's a significant change.

License

MIT