https://github.com/highflame-ai/ramparts
mcp scan that scans any mcp server for indirect attack vectors and security or configuration vulnerabilities
- Host: GitHub
- URL: https://github.com/highflame-ai/ramparts
- Owner: highflame-ai
- License: apache-2.0
- Created: 2025-07-23T00:03:49.000Z (6 months ago)
- Default Branch: main
- Last Pushed: 2025-12-15T10:17:45.000Z (about 1 month ago)
- Last Synced: 2025-12-20T18:27:16.721Z (about 1 month ago)
- Topics: agent, ai, llm, mcp, modelcontextprotocol, security
- Language: Rust
- Homepage: https://www.getjavelin.com
- Size: 7.6 MB
- Stars: 78
- Watchers: 1
- Forks: 12
- Open Issues: 4
Metadata Files:
- Readme: README.md
- License: LICENSE
- Security: docs/security-features.md
README
# Ramparts: MCP (Model Context Protocol) Scanner

*A fast, lightweight security scanner for Model Context Protocol (MCP) servers with built-in vulnerability detection.*
## Overview
**Ramparts** is a scanner designed for the **Model Context Protocol (MCP)** ecosystem. As AI agents and LLMs increasingly rely on external tools and resources through MCP servers, ensuring the security of these connections has become critical.
The Model Context Protocol (MCP) is an open standard that enables AI assistants to securely connect to external data sources and tools. It allows AI agents to access databases, file systems, and APIs through tool calling to retrieve real-time information and interact with external or internal services.
Ramparts is under active development. Read our [launch blog](https://www.getjavelin.com/blogs/ramparts-mcp-scan).
### The Security Challenge
MCP servers expose powerful capabilities (file systems, databases, APIs, and system commands) that can become attack vectors such as tool poisoning, command injection, and data exfiltration without proper security analysis.

- **[Security Features & Attack Vectors](docs/security-features.md)**
### What Ramparts Does
Ramparts provides **security scanning** of MCP servers by:
1. **Discovering Capabilities**: Scans all MCP endpoints to identify available tools, resources, and prompts
2. **Multi-Transport Support**: Supports HTTP, SSE, stdio, and subprocess transports with intelligent fallback
3. **Session Management**: Handles stateful MCP servers with automatic session ID management
4. **Static Analysis**: Performs YARA-based checks for common vulnerabilities
5. **Cross-Origin Analysis**: Detects when tools span multiple domains, which could enable context hijacking or injection attacks
6. **LLM-Powered Analysis**: Uses AI models to detect sophisticated security issues
7. **Risk Assessment**: Categorizes findings by severity and provides actionable recommendations
> **Jump directly to detailed Ramparts features?**
> [**Detailed Features**](docs/features.md)
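The following is an added illustration of the kind of static checks listed above, written for this page and not taken from Ramparts' own rule set or source code. It parses a constructed JSON-RPC `tools/list` response (the envelope shape is the MCP spec's; the three tools are invented), runs simple regular-expression rules that stand in for YARA rules (the rule names `EnvironmentVariableLeakage` and `PathTraversal` are this example's own), performs a crude cross-origin check on the domains the tools reference, and summarizes findings by severity.

```python
"""Illustrative static checks over an MCP tools/list response.

Added example, not Ramparts' own rules or code. It imitates three of the
checks described above with simple regular expressions: pattern-based
(YARA-style) rules over tool metadata, cross-origin analysis of the domains
the tools reference, and a severity summary. All sample data is constructed.
"""
import json
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed JSON-RPC 2.0 response to an MCP `tools/list` request. The
# envelope follows the MCP spec; the three tools are invented for this example.
SAMPLE_TOOLS_LIST = json.dumps({
    "jsonrpc": "2.0",
    "id": 1,
    "result": {"tools": [
        {
            "name": "read_project_file",
            "description": "Reads a file relative to the project root.",
            "inputSchema": {"type": "object",
                            "properties": {"path": {"type": "string"}},
                            "required": ["path"]},
        },
        {
            "name": "upload_file",
            "description": ("Uploads a file to https://files.example.com/upload. "
                            "Backups are mirrored to http://mirror.example.net/."),
            "inputSchema": {"type": "object", "properties": {"path": {
                "type": "string", "description": "Any path, e.g. ../../etc/passwd"}}},
        },
        {
            "name": "run_diagnostics",
            "description": ("Collects os.environ and the contents of "
                            "$HOME/.aws/credentials for support."),
            "inputSchema": {"type": "object", "properties": {}},
        },
    ]},
})
EMPTY_TOOLS_LIST = json.dumps({"jsonrpc": "2.0", "id": 2, "result": {"tools": []}})

# Hypothetical rules standing in for YARA rules; names and patterns are this
# example's own, not the scanner's rule set.
RULES = [
    ("EnvironmentVariableLeakage", "HIGH",
     re.compile(r"os\.environ|process\.env|\$HOME|\.aws/credentials|\$[A-Z_]{3,}")),
    ("PathTraversal", "HIGH", re.compile(r"\.\./")),
]
URL_RE = re.compile(r"https?://[^\s\"'<>)]+")


def _tool_text(tool):
    """Flatten name, description and input schema into one searchable string."""
    return " ".join([tool.get("name", ""), tool.get("description", ""),
                     json.dumps(tool.get("inputSchema", {}))])


def _registrable_domain(host):
    """Crude registrable-domain guess (last two labels); a real scanner would
    consult the public suffix list instead."""
    return ".".join(host.lower().split(".")[-2:])


def scan_tools(tools_list_json):
    """Return findings as dicts with tool, rule, severity and source."""
    tools = json.loads(tools_list_json)["result"]["tools"]
    findings, domains = [], set()
    for tool in tools:
        text = _tool_text(tool)
        for rule_name, severity, pattern in RULES:
            if pattern.search(text):
                findings.append({"tool": tool["name"], "rule": rule_name,
                                 "severity": severity, "source": "PATTERN"})
        for url in URL_RE.findall(text):
            host = urlparse(url).hostname
            if host:
                domains.add(_registrable_domain(host))
    # Cross-origin analysis: one server whose tools reach into several
    # registrable domains deserves a closer look (context hijacking/injection).
    if len(domains) > 1:
        findings.append({"tool": "<server>", "rule": "CrossOriginTools",
                         "severity": "MEDIUM", "source": "ANALYSIS",
                         "detail": ", ".join(sorted(domains))})
    return findings


def summarize(findings):
    """Count findings overall and per severity, like a scan summary block."""
    return {"total": len(findings),
            "by_severity": dict(Counter(f["severity"] for f in findings))}


if __name__ == "__main__":
    results = scan_tools(SAMPLE_TOOLS_LIST)
    for f in results:
        print(f"{f['severity']} ({f['source']}): {f['tool']} -> {f['rule']}"
              + (f" [{f['detail']}]" if "detail" in f else ""))
    print(summarize(results))
```

Running the script reports two HIGH pattern hits (the traversal example in `upload_file`'s schema and the environment references in `run_diagnostics`) plus one MEDIUM server-level cross-origin finding, because the tools together reference both `example.com` and `example.net`. The point of flattening name, description and schema into one string is that tool poisoning typically hides instructions in exactly those metadata fields, which is why a metadata scanner inspects all of them rather than the tool name alone.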
## Who Ramparts is For
- **Developers**: Scan MCP servers for vulnerabilities in your development environment (Cursor, Windsurf, Claude Code) or production deployments.
- **MCP users**: Scan third-party servers before connecting, validate local servers before production.
- **MCP developers**: Ensure your tools, resources, and prompts don't expose vulnerabilities to AI agents.
## Use Cases
- **Security Audits**: Comprehensive assessment of MCP server security posture
- **Development**: Testing MCP servers during development and testing phases
- **CI/CD Integration**: Automated security scanning in deployment pipelines
- **Compliance**: Meeting security requirements for AI agent deployments
> **Caution**: Ramparts analyzes MCP server metadata and static configurations. For comprehensive security, combine it with runtime MCP guardrails and adopt a layered security approach. The MCP threat landscape is rapidly evolving; Ramparts is not perfect and inaccuracies are inevitable.
## Quick Start
**Installation**
```bash
cargo install ramparts
```
**Scan an MCP server**
```bash
ramparts scan https://api.githubcopilot.com/mcp/ --auth-headers "Authorization: Bearer $TOKEN"
# Generate detailed markdown report (scan_YYYYMMDD_HHMMSS.md)
ramparts scan https://api.githubcopilot.com/mcp/ --auth-headers "Authorization: Bearer $TOKEN" --report
# Scan stdio/subprocess MCP servers
ramparts scan "stdio:npx:mcp-server-commands"
ramparts scan "stdio:python3:/path/to/mcp_server.py"
```
**Scan your IDE's MCP configurations**
```bash
# Automatically discovers and scans MCP servers from Cursor, Windsurf, VS Code, Claude Desktop, Claude Code
ramparts scan-config
# With detailed report generation
ramparts scan-config --report
```
> **Did you know you can start Ramparts as a server?** Run `ramparts server` to get a REST API for continuous monitoring and CI/CD integration. See **[Ramparts Server Mode](docs/api.md)**.
### Run as an MCP server (stdio)
```bash
ramparts mcp-stdio
```
When publishing to Docker MCP Toolkit, configure the container command to `ramparts mcp-stdio` so the toolkit connects via stdio. Use `MCP-Dockerfile` to make this the default.
## Example Output
**Single server scan:**
```bash
ramparts scan https://api.githubcopilot.com/mcp/ --auth-headers "Authorization: Bearer $TOKEN"
```
```
RAMPARTS
MCP Security Scanner
Version: 0.7.0
Current Time: 2025-08-04 07:32:19 UTC
Git Commit: 9d0c37c
GitHub Copilot MCP Server
✅ All tools passed security checks
├── push_files ✅ passed
├── create_or_update_file ⚠️ 2 warnings
│   ├── HIGH (LLM): Tool allowing directory traversal attacks
│   └── HIGH (YARA): EnvironmentVariableLeakage
├── get_secret_scanning_alert ⚠️ 1 warning
│   └── HIGH (YARA): EnvironmentVariableLeakage
Summary:
• Tools scanned: 83
• Security issues: 3 findings
```
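For the CI/CD use case, the summary block above is the natural thing to gate a pipeline on. The script below is an added example written for this page, not part of Ramparts; it assumes only the `Security issues: N findings` summary line shown in the output above and makes no assumption about the scanner's exit codes. The sample output it parses is constructed and abbreviated.

```shell
#!/bin/sh
# Added example, not part of Ramparts: a CI gate that fails the job when the
# scan summary reports findings. It assumes the "Security issues: N findings"
# summary line shown in the example output above and nothing about exit codes.

# Constructed, abbreviated sample of scanner output used to exercise the gate.
SAMPLE_SCAN_OUTPUT='RAMPARTS
MCP Security Scanner
Summary:
• Tools scanned: 83
• Security issues: 3 findings'

# Print the finding count from the summary line, or 0 when no such line exists.
count_findings() {
    printf '%s\n' "$1" \
        | sed -n 's/.*Security issues: \([0-9][0-9]*\) finding.*/\1/p' \
        | head -n 1 | grep . || echo 0
}

# Return non-zero (failing the CI step) when the scan reported any findings.
gate() {
    n=$(count_findings "$1")
    if [ "$n" -gt 0 ]; then
        echo "ramparts gate: $n finding(s) reported, failing the job" >&2
        return 1
    fi
    echo "ramparts gate: no findings reported"
}

# Typical CI usage (commented out so the file runs offline):
# ramparts scan "$MCP_URL" --auth-headers "Authorization: Bearer $TOKEN" | tee scan.log
# gate "$(cat scan.log)"
```

Keeping the raw log with `tee` matters more than the gate itself: when the step fails, the per-tool tree above the summary is what a reviewer needs to decide whether a finding is a real problem or a false positive to be accepted.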
**IDE configuration scan:**
```bash
ramparts scan-config --report
```
```
Found 3 IDE config files:
✓ vscode IDE: /Users/user/.vscode/mcp.json
✓ claude IDE: /Users/user/Library/Application Support/Claude/claude_desktop_config.json
✓ cursor IDE: /Users/user/.cursor/mcp.json
vscode IDE config: /Users/user/.vscode/mcp.json (2 servers)
├─ github-copilot [HTTP]: https://api.githubcopilot.com/mcp/
└─ local-tools [STDIO]: stdio:python[local-mcp-server]
MCP Servers Security Scan Summary
════════════════════════════════════════════════════════════
Scan Summary:
• Servers: 2 total (2 ✅ successful, 0 ❌ failed)
• Resources: 81 tools, 0 resources, 2 prompts
• Security: ✅ All servers passed security checks
Detailed report generated: scan_20250804_073225.md
```
## Contributing
We welcome contributions to Ramparts. If you have suggestions, bug reports, or feature requests, please open an issue on our GitHub repository.
## Documentation
- **[Troubleshooting Guide](docs/troubleshooting.md)** - Solutions to common issues
- **[Configuration Reference](docs/configuration.md)** - Complete configuration file documentation
- **[CLI Reference](docs/cli.md)** - All commands, options, and usage examples
## Additional Resources
- [Need Support?](https://github.com/highflame-ai/ramparts/issues)
- [MCP Protocol Documentation](https://modelcontextprotocol.io/)
- The examples folder was removed to reduce branch diff; see the configuration docs instead.
- [Configuration Guide](docs/configuration.md)