Secure Code Review MCP Server
Local MCP server that scans code for security issues (secrets, dependencies, configurations, risky patterns) and integrates with GitHub Copilot in VS Code for automated pre-commit reviews.
README
Secure Code Review MCP Server
A local MCP (Model Context Protocol) server that helps software engineers review their code for security issues before committing or raising a PR. This server integrates directly with GitHub Copilot in VS Code.
π― What Problem Does This Solve?
Developers often commit code with:
- Hardcoded secrets (API keys, passwords)
- Duplicate or risky dependencies
- Insecure configuration settings
- Dangerous code patterns (eval, SQL injection)
- Missing security hygiene files
This MCP server provides automated security scanning right inside VS Code through GitHub Copilot, catching issues before they reach your repository.
ποΈ Architecture
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β VS Code β
β βββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β GitHub Copilot Chat β β
β β "Scan my code for security issues" β β
β ββββββββββββββββββββββββββ¬βββββββββββββββββββββββββββββ β
β β β
β βΌ β
β βββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β MCP Client (STDIO) β β
β ββββββββββββββββββββββββββ¬βββββββββββββββββββββββββββββ β
βββββββββββββββββββββββββββββΌββββββββββββββββββββββββββββββββββ
β
βΌ
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β Secure Code Review MCP Server β
β βββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β server.py β β
β β (MCP SDK + Tool Handlers) β β
β ββββββββββββββββββββββββββ¬βββββββββββββββββββββββββββββ β
β β β
β ββββββββββββββ¬ββββββββββββΌββββββββββββ¬βββββββββββββββββ β
β β β β β β β
β βΌ βΌ βΌ βΌ βΌ β
β ββββββ ββββββββββ ββββββββββ ββββββββββ βββββββββββ
β βSec β β Dep β β Config β β Code β β PR ββ
β βretsβ βScanner β βScanner β βPattern β βReadine-ββ
β βScanβ β β β β βScanner β β ss ββ
β ββββββ ββββββββββ ββββββββββ ββββββββββ βββββββββββ
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β
βΌ
ββββββββββββββββ
β Local Files β
β (Read-Only) β
ββββββββββββββββ
π Project Structure
secure-code-review-mcp/
βββ README.md # This file
βββ requirements.txt # Python dependencies
βββ .gitignore # Git ignore rules
β
βββ src/
β βββ __init__.py
β βββ server.py # Main MCP server with 6 tools
β β
β βββ scanners/
β β βββ __init__.py
β β βββ base_scanner.py # Abstract base scanner
β β βββ secrets_scanner.py # Hardcoded secrets detection
β β βββ dependency_scanner.py # Dependency issues
β β βββ config_scanner.py # Insecure configurations
β β βββ code_pattern_scanner.py # Risky code patterns
β β βββ pr_readiness_scanner.py # PR checklist generator
β
βββ sample_project/ # Test project with vulnerabilities
β βββ app.py # Python with dangerous patterns
β βββ index.js # JavaScript with dangerous patterns
β βββ config.py # Insecure configurations
β βββ requirements.txt # Dependencies with issues
β βββ package.json # Node.js dependencies with issues
β βββ Dockerfile # Docker with security issues
β βββ .env.example # Environment variables template
β βββ README.md # Sample project notes
Note:
docs/,tests/,pyproject.toml, andmcp_config.jsonwere intentionally removed to keep this project minimal and focused on local MCP usage.
β¨ MCP Tools Available
| Tool | Description |
|---|---|
scan_hardcoded_secrets |
Scan for passwords, API keys, tokens, AWS credentials, private keys, database connection strings |
scan_dependencies |
Check for duplicate packages, unpinned versions, risky packages, missing lock files |
scan_insecure_configs |
Detect DEBUG=true, CORS=*, root user in Docker, latest tag usage |
scan_risky_code_patterns |
Find eval(), exec(), SQL injection, weak hashing (MD5/SHA1), unsafe yaml.load |
generate_pr_security_checklist |
Generate PR readiness checklist with pass/fail status |
run_full_security_review |
Run all scanners and produce comprehensive summary |
π Prerequisites
- Python 3.10+
- VS Code with GitHub Copilot extension
- GitHub Copilot Chat enabled
π¦ Installation
Step 1: Clone/Navigate to the Project
cd path/to/secure-code-review-mcp
Step 2: Create Virtual Environment (Recommended)
# Windows
python -m venv venv
.\venv\Scripts\activate
# macOS/Linux
python3 -m venv venv
source venv/bin/activate
Step 3: Install Dependencies
pip install -r requirements.txt
Step 4: Verify Installation
python -c "import mcp; print('MCP SDK installed successfully!')"
π Connecting to GitHub Copilot in VS Code
Step 1: Create MCP Configuration
Create or verify .vscode/mcp.json in your workspace root:
{
"servers": {
"secure-code-review": {
"type": "stdio",
"command": "python",
"args": [
"${workspaceFolder}/mcp-client-server/secure-code-review-mcp/src/server.py"
],
"env": {
"PYTHONPATH": "${workspaceFolder}/mcp-client-server/secure-code-review-mcp/src"
}
}
}
}
Note: Adjust the path based on your folder structure.
Step 2: Reload VS Code
- Press
Ctrl+Shift+P(orCmd+Shift+Pon Mac) - Type "Developer: Reload Window"
- Press Enter
Step 3: Verify MCP Server is Connected
- Open GitHub Copilot Chat (
Ctrl+Alt+Ior click the Copilot icon) - Click the π§ Tools icon in the chat
- You should see "secure-code-review" listed with 6 tools
π§ͺ Testing the MCP Server
Test with Sample Project
The sample_project/ folder contains intentionally vulnerable code for testing.
Example Prompts for GitHub Copilot
Open GitHub Copilot Chat and try these prompts:
1. "Scan sample_project for hardcoded secrets"
2. "Check dependencies in the sample_project folder"
3. "Find insecure configurations in sample_project"
4. "Scan sample_project for risky code patterns"
5. "Generate a PR security checklist for sample_project"
6. "Run a full security review on sample_project"
Expected Output Example
For scan_hardcoded_secrets:
{
"scanner": "SecretsScanner",
"files_scanned": 5,
"total_findings": 12,
"findings": [
{
"file_path": "sample_project/app.py",
"line_number": 15,
"matched_pattern_type": "Hardcoded Password",
"severity": "High",
"recommendation": "Remove hardcoded password and use environment variables"
}
],
"summary": {
"high_severity": 10,
"medium_severity": 2,
"low_severity": 0
}
}
For run_full_security_review:
{
"project_path": "sample_project",
"summary": {
"total_findings": 45,
"high_severity_count": 25,
"medium_severity_count": 15,
"low_severity_count": 5
},
"pr_readiness": {
"overall_status": "π΄ Needs Fixes",
"checklist_items": [...]
},
"final_recommendation": "π΄ DO NOT RAISE PR - Fix all high severity issues first"
}
π What Each Scanner Detects
Secrets Scanner
password=,passwd=,pwd=api_key=,apikey=secret=,token=AWS_ACCESS_KEY_ID,AWS_SECRET_ACCESS_KEY-----BEGIN PRIVATE KEY------ Database connection strings with credentials
- JWT secrets
Dependency Scanner
- Duplicate packages in requirements.txt
- Duplicate dependencies across package.json sections
- Unpinned versions (
pandaswithout==x.x.x) - Wildcard versions (
*,latest) - Known risky packages (pycrypto, event-stream, etc.)
- Missing lock files
Config Scanner
DEBUG=trueENV=developmentin production configsCORS=*,ALLOW_ORIGINS=*- Root user in Dockerfile
:latesttag in Docker images- Exposed sensitive ports (22, 3389)
- Hardcoded passwords in Docker ENV
Code Pattern Scanner
Python:
eval(),exec()subprocess.run(..., shell=True)os.system()pickle.load()with untrusted datayaml.load()without SafeLoader- SQL string formatting
hashlib.md5(),hashlib.sha1()
JavaScript:
eval()new Function()setTimeout/setIntervalwith stringschild_process.exec().innerHTMLassignmentdocument.write()- SQL template literals
crypto.createHash('md5'/'sha1')
π License
MIT License - Free for personal and commercial use.
π€ Contributing
Contributions welcome! Please:
- Fork the repository
- Create a feature branch
- Submit a pull request
β οΈ Disclaimer: This is a basic security scanner for learning and demonstration purposes. It should NOT be used as the sole security review tool for production applications. Always use professional security tools and conduct thorough security audits.
Recommended Servers
playwright-mcp
A Model Context Protocol server that enables LLMs to interact with web pages through structured accessibility snapshots without requiring vision models or screenshots.
Magic Component Platform (MCP)
An AI-powered tool that generates modern UI components from natural language descriptions, integrating with popular IDEs to streamline UI development workflow.
Audiense Insights MCP Server
Enables interaction with Audiense Insights accounts via the Model Context Protocol, facilitating the extraction and analysis of marketing insights and audience data including demographics, behavior, and influencer engagement.
VeyraX MCP
Single MCP tool to connect all your favorite tools: Gmail, Calendar and 40 more.
graphlit-mcp-server
The Model Context Protocol (MCP) Server enables integration between MCP clients and the Graphlit service. Ingest anything from Slack to Gmail to podcast feeds, in addition to web crawling, into a Graphlit project - and then retrieve relevant contents from the MCP client.
Kagi MCP Server
An MCP server that integrates Kagi search capabilities with Claude AI, enabling Claude to perform real-time web searches when answering questions that require up-to-date information.
E2B
Using MCP to run code via e2b.
Neon Database
MCP server for interacting with Neon Management API and databases
Exa Search
A Model Context Protocol (MCP) server lets AI assistants like Claude use the Exa AI Search API for web searches. This setup allows AI models to get real-time web information in a safe and controlled way.
Qdrant Server
This repository is an example of how to create a MCP server for Qdrant, a vector search engine.