Secure Code Review MCP Server


Local MCP server that scans code for security issues (secrets, dependencies, configurations, risky patterns) and integrates with GitHub Copilot in VS Code for automated pre-commit reviews.


A local MCP (Model Context Protocol) server that helps software engineers review their code for security issues before committing or raising a PR. This server integrates directly with GitHub Copilot in VS Code.

🎯 What Problem Does This Solve?

Developers often commit code with:

  • Hardcoded secrets (API keys, passwords)
  • Duplicate or risky dependencies
  • Insecure configuration settings
  • Dangerous code patterns (eval, SQL injection)
  • Missing security hygiene files

This MCP server provides automated security scanning right inside VS Code through GitHub Copilot, catching issues before they reach your repository.

🏗️ Architecture

┌──────────────────────────────────────────────────────────────┐
│                      VS Code                                 │
│  ┌───────────────────────────────────────────────────────┐   │
│  │              GitHub Copilot Chat                      │   │
│  │   "Scan my code for security issues"                  │   │
│  └────────────────────────┬──────────────────────────────┘   │
│                           │                                  │
│                           ▼                                  │
│  ┌───────────────────────────────────────────────────────┐   │
│  │              MCP Client (STDIO)                       │   │
│  └────────────────────────┬──────────────────────────────┘   │
└───────────────────────────┼──────────────────────────────────┘
                            │
                            ▼
┌──────────────────────────────────────────────────────────────┐
│           Secure Code Review MCP Server                      │
│  ┌───────────────────────────────────────────────────────┐   │
│  │                   server.py                           │   │
│  │            (MCP SDK + Tool Handlers)                  │   │
│  └────────────────────────┬──────────────────────────────┘   │
│                           │                                  │
│   ┌───────────┬───────────┼───────────┬─────────────┐        │
│   │           │           │           │             │        │
│   ▼           ▼           ▼           ▼             ▼        │
│ ┌────┐    ┌────────┐  ┌────────┐  ┌────────┐    ┌────────┐   │
│ │Sec │    │  Dep   │  │ Config │  │  Code  │    │   PR   │   │
│ │rets│    │Scanner │  │Scanner │  │Pattern │    │Readine-│   │
│ │Scan│    │        │  │        │  │Scanner │    │  ss    │   │
│ └────┘    └────────┘  └────────┘  └────────┘    └────────┘   │
└──────────────────────────────────────────────────────────────┘
                            │
                            ▼
                    ┌──────────────┐
                    │ Local Files  │
                    │ (Read-Only)  │
                    └──────────────┘

📁 Project Structure

secure-code-review-mcp/
├── README.md                    # This file
├── requirements.txt             # Python dependencies
├── .gitignore                  # Git ignore rules
│
├── src/
│   ├── __init__.py
│   ├── server.py               # Main MCP server with 6 tools
│   │
│   ├── scanners/
│   │   ├── __init__.py
│   │   ├── base_scanner.py     # Abstract base scanner
│   │   ├── secrets_scanner.py  # Hardcoded secrets detection
│   │   ├── dependency_scanner.py  # Dependency issues
│   │   ├── config_scanner.py   # Insecure configurations
│   │   ├── code_pattern_scanner.py  # Risky code patterns
│   │   └── pr_readiness_scanner.py  # PR checklist generator
│
├── sample_project/             # Test project with vulnerabilities
│   ├── app.py                  # Python with dangerous patterns
│   ├── index.js               # JavaScript with dangerous patterns
│   ├── config.py              # Insecure configurations
│   ├── requirements.txt       # Dependencies with issues
│   ├── package.json           # Node.js dependencies with issues
│   ├── Dockerfile             # Docker with security issues
│   ├── .env.example           # Environment variables template
│   └── README.md              # Sample project notes

Note: docs/, tests/, pyproject.toml, and mcp_config.json were intentionally removed to keep this project minimal and focused on local MCP usage.

✨ MCP Tools Available

| Tool | Description |
| --- | --- |
| scan_hardcoded_secrets | Scan for passwords, API keys, tokens, AWS credentials, private keys, database connection strings |
| scan_dependencies | Check for duplicate packages, unpinned versions, risky packages, missing lock files |
| scan_insecure_configs | Detect DEBUG=true, CORS=*, root user in Docker, latest tag usage |
| scan_risky_code_patterns | Find eval(), exec(), SQL injection, weak hashing (MD5/SHA1), unsafe yaml.load |
| generate_pr_security_checklist | Generate PR readiness checklist with pass/fail status |
| run_full_security_review | Run all scanners and produce comprehensive summary |

🚀 Prerequisites

  • Python 3.10+
  • VS Code with GitHub Copilot extension
  • GitHub Copilot Chat enabled

📦 Installation

Step 1: Clone/Navigate to the Project

cd path/to/secure-code-review-mcp

Step 2: Create Virtual Environment (Recommended)

# Windows
python -m venv venv
.\venv\Scripts\activate

# macOS/Linux
python3 -m venv venv
source venv/bin/activate

Step 3: Install Dependencies

pip install -r requirements.txt

Step 4: Verify Installation

python -c "import mcp; print('MCP SDK installed successfully!')"

🔌 Connecting to GitHub Copilot in VS Code

Step 1: Create MCP Configuration

Create or verify .vscode/mcp.json in your workspace root:

{
    "servers": {
        "secure-code-review": {
            "type": "stdio",
            "command": "python",
            "args": [
                "${workspaceFolder}/mcp-client-server/secure-code-review-mcp/src/server.py"
            ],
            "env": {
                "PYTHONPATH": "${workspaceFolder}/mcp-client-server/secure-code-review-mcp/src"
            }
        }
    }
}

Note: Adjust the path based on your folder structure.

Step 2: Reload VS Code

  1. Press Ctrl+Shift+P (or Cmd+Shift+P on Mac)
  2. Type "Developer: Reload Window"
  3. Press Enter

Step 3: Verify MCP Server is Connected

  1. Open GitHub Copilot Chat (Ctrl+Alt+I or click the Copilot icon)
  2. Click the 🔧 Tools icon in the chat
  3. You should see "secure-code-review" listed with 6 tools

🧪 Testing the MCP Server

Test with Sample Project

The sample_project/ folder contains intentionally vulnerable code for testing.

Example Prompts for GitHub Copilot

Open GitHub Copilot Chat and try these prompts:

1. "Scan sample_project for hardcoded secrets"

2. "Check dependencies in the sample_project folder"

3. "Find insecure configurations in sample_project"

4. "Scan sample_project for risky code patterns"

5. "Generate a PR security checklist for sample_project"

6. "Run a full security review on sample_project"

Expected Output Example

For scan_hardcoded_secrets:

{
  "scanner": "SecretsScanner",
  "files_scanned": 5,
  "total_findings": 12,
  "findings": [
    {
      "file_path": "sample_project/app.py",
      "line_number": 15,
      "matched_pattern_type": "Hardcoded Password",
      "severity": "High",
      "recommendation": "Remove hardcoded password and use environment variables"
    }
  ],
  "summary": {
    "high_severity": 10,
    "medium_severity": 2,
    "low_severity": 0
  }
}

For run_full_security_review:

{
  "project_path": "sample_project",
  "summary": {
    "total_findings": 45,
    "high_severity_count": 25,
    "medium_severity_count": 15,
    "low_severity_count": 5
  },
  "pr_readiness": {
    "overall_status": "🔴 Needs Fixes",
    "checklist_items": [...]
  },
  "final_recommendation": "🔴 DO NOT RAISE PR - Fix all high severity issues first"
}

🔍 What Each Scanner Detects

Secrets Scanner

  • password=, passwd=, pwd=
  • api_key=, apikey=
  • secret=, token=
  • AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY
  • -----BEGIN PRIVATE KEY-----
  • Database connection strings with credentials
  • JWT secrets
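
An added example, not the project's own secrets_scanner.py: a line-based scanner for the patterns listed above that returns a report in the shape shown under Expected Output Example. The regexes, severities, recommendation text and the environment-read allowlist are assumptions; findings carry no matched value, so a detected secret is not echoed back into the chat.

```python
import re

# Constructed rules modelled on the README's list; regexes and severities are assumptions.
RULES = [
    ("Hardcoded Password", "High",
     re.compile(r"""(?i)(?:password|passwd|pwd)\w*\s*[:=]\s*["'][^"']{4,}["']""")),
    ("Hardcoded API Key or Token", "High",
     re.compile(r"""(?i)(?:api_?key|secret|token)\w*\s*[:=]\s*["'][^"']{8,}["']""")),
    ("AWS Access Key ID", "High", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("Private Key", "High", re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")),
    ("Connection String With Credentials", "Medium",
     re.compile(r"\b[a-z][a-z0-9+]*://[^\s:/@]+:[^\s@/]+@")),
]
# Lines that read the value from the environment are not hardcoded secrets.
ALLOW = re.compile(r"os\.environ|getenv|process\.env|\$\{")

def scan_text(file_path, text):
    findings = []
    for line_number, line in enumerate(text.splitlines(), start=1):
        if ALLOW.search(line):
            continue
        for kind, severity, rx in RULES:
            if rx.search(line):
                # The matched value is left out on purpose: the finding goes to a chat client.
                findings.append({"file_path": file_path, "line_number": line_number,
                                 "matched_pattern_type": kind, "severity": severity,
                                 "recommendation": f"Remove the {kind.lower()} and load it from the environment"})
                break  # report each line once, under the first matching rule
    return findings

def scan_report(files):
    # files maps path -> contents; the keys below mirror the README's sample output.
    findings = [f for path, text in files.items() for f in scan_text(path, text)]
    count = lambda sev: sum(f["severity"] == sev for f in findings)
    return {"scanner": "SecretsScanner", "files_scanned": len(files),
            "total_findings": len(findings), "findings": findings,
            "summary": {f"{s.lower()}_severity": count(s) for s in ("High", "Medium", "Low")}}

# Constructed sample input; the AWS value is the example key ID from AWS documentation.
SAMPLE = '''import os
DB_PASSWORD = "hunter2-constructed"
API_KEY = os.environ["API_KEY"]
aws_key = "AKIAIOSFODNN7EXAMPLE"
DATABASE_URL = "postgres://app:pw-constructed@db.internal:5432/app"
'''

if __name__ == "__main__":
    print(scan_report({"sample_project/app.py": SAMPLE})["summary"])
```
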

Dependency Scanner

  • Duplicate packages in requirements.txt
  • Duplicate dependencies across package.json sections
  • Unpinned versions (pandas without ==x.x.x)
  • Wildcard versions (*, latest)
  • Known risky packages (pycrypto, event-stream, etc.)
  • Missing lock files

Config Scanner

  • DEBUG=true
  • ENV=development in production configs
  • CORS=*, ALLOW_ORIGINS=*
  • Root user in Dockerfile
  • :latest tag in Docker images
  • Exposed sensitive ports (22, 3389)
  • Hardcoded passwords in Docker ENV

Code Pattern Scanner

Python:

  • eval(), exec()
  • subprocess.run(..., shell=True)
  • os.system()
  • pickle.load() with untrusted data
  • yaml.load() without SafeLoader
  • SQL string formatting
  • hashlib.md5(), hashlib.sha1()
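
An added example, not the project's code_pattern_scanner.py (the README does not say how that scanner matches): one way to detect the Python patterns above by walking the syntax tree, so that `eval()` inside a comment or string literal is not reported. Function names, pattern labels and severities are assumptions; every `pickle.load` call is flagged because trust in the data cannot be decided statically.

```python
import ast

def dotted_name(node):
    # 'a.b.c' for a Name/Attribute chain, '' for anything else (e.g. a call result).
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return ""
    return ".".join(reversed(parts + [node.id]))

def classify_call(call):
    # Map one ast.Call to (pattern, severity); returns None when it is not on the list.
    name = dotted_name(call.func)
    kw = {k.arg: k.value for k in call.keywords if k.arg}
    if name in ("eval", "exec", "os.system", "pickle.load", "pickle.loads"):
        return f"{name}() call", "High"
    shell = kw.get("shell")
    if name.startswith("subprocess.") and isinstance(shell, ast.Constant) and shell.value is True:
        return "subprocess with shell=True", "High"
    if name == "yaml.load":
        loader = kw.get("Loader") or (call.args[1] if len(call.args) > 1 else None)
        if loader is None or "Safe" not in dotted_name(loader):
            return "yaml.load() without SafeLoader", "High"
    if name in ("hashlib.md5", "hashlib.sha1"):
        return f"weak hash {name}()", "Medium"
    if name.endswith(".execute") and call.args and isinstance(call.args[0], (ast.JoinedStr, ast.BinOp)):
        return "SQL built by string formatting", "High"

def scan_python(file_path, source):
    findings = []
    for node in ast.walk(ast.parse(source, filename=file_path)):
        hit = classify_call(node) if isinstance(node, ast.Call) else None
        if hit:
            findings.append({"file_path": file_path, "line_number": node.lineno,
                             "matched_pattern_type": hit[0], "severity": hit[1]})
    return sorted(findings, key=lambda f: f["line_number"])

# Constructed sample; it is parsed, never executed, so the imports need not exist.
SAMPLE = '''import hashlib, subprocess, yaml
msg = "os.system() in a string"  # eval() in a comment: neither is a call
def run(cmd, doc, user, cur):
    subprocess.run(cmd, shell=True)
    cfg = yaml.load(doc, Loader=yaml.SafeLoader)
    bad = yaml.load(doc)
    cur.execute(f"SELECT * FROM users WHERE name = '{user}'")
    cur.execute("SELECT * FROM users WHERE name = %s", (user,))
    return hashlib.md5(doc.encode()).hexdigest()
'''
```
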

JavaScript:

  • eval()
  • new Function()
  • setTimeout/setInterval with strings
  • child_process.exec()
  • .innerHTML assignment
  • document.write()
  • SQL template literals
  • crypto.createHash('md5'/'sha1')

📄 License

MIT License - Free for personal and commercial use.

🤝 Contributing

Contributions welcome! Please:

  1. Fork the repository
  2. Create a feature branch
  3. Submit a pull request

⚠️ Disclaimer: This is a basic security scanner for learning and demonstration purposes. It should NOT be used as the sole security review tool for production applications. Always use professional security tools and conduct thorough security audits.
