CI/CD Integration

Integrate MCP Security Score into your CI/CD pipeline to automatically scan your MCP servers on every push or pull request.

Overview

Using the MCP Security Score API, you can:

  • Scan repositories automatically on code changes
  • Fail builds when the security score drops below a threshold
  • Track security trends over time
  • Block insecure code from merging

Prerequisites

  1. Pro subscription or higher - API access required
  2. API key - Create one in Dashboard → Settings

Basic Integration Pattern

All CI/CD integrations follow this pattern:

  1. Trigger - On push, PR, or schedule
  2. Scan - Call POST /api/v1/scan
  3. Poll - Wait for scan completion
  4. Check - Compare score against threshold
  5. Report - Pass/fail the build

# Pseudo-code for any CI system
SCAN_ID=$(create_scan "$REPO_URL")
RESULT=$(wait_for_scan "$SCAN_ID")
SCORE=$(get_score "$RESULT")

if [ "$SCORE" -lt "$THRESHOLD" ]; then
  echo "Security score $SCORE is below threshold $THRESHOLD"
  exit 1
fi
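The same five steps as one complete CI check script, added here as an example and not the project's own client. Only POST /api/v1/scan, forceRefresh and the MCP_SCANNER_API_KEY variable come from this page; the poll endpoint GET /api/v1/scan/<scanId>, the Bearer header, the status values failed and error, and the field names securityScore and findings.critical are assumptions, as is the default base URL placeholder. It also folds in the block-or-warn policy from Handling Failures and an optional cap on critical findings.

```python
import json, os, time, urllib.request

# Assumed (not documented on this page): scans are polled at GET /api/v1/scan/<scanId>,
# the key travels as a Bearer token, and JSON fields are named as used below.
API_BASE = os.environ.get("MCP_SCANNER_API_BASE", "https://example.invalid/api/v1")

def api(method, path, body=None):
    """Call the API with the key read from the environment (CI secret), never from the repo."""
    req = urllib.request.Request(
        API_BASE + path, method=method,
        data=json.dumps(body).encode() if body is not None else None,
        headers={"Authorization": "Bearer " + os.environ["MCP_SCANNER_API_KEY"],
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def wait_for_scan(fetch_status, scan_id, timeout=120, interval=5, sleep=time.sleep):
    """Step 3: poll until 'complete'; raise on 'failed' or once the timeout elapses."""
    for _ in range(max(1, timeout // interval)):
        result = fetch_status(scan_id)
        print("Status:", result.get("status"))
        if result.get("status") == "complete":
            return result
        if result.get("status") == "failed":
            raise RuntimeError("scan failed: %s" % result.get("error"))
        sleep(interval)
    raise TimeoutError("scan %s did not complete within %ss" % (scan_id, timeout))

def evaluate(result, threshold, max_critical=0):
    """Step 4: pass only if score >= threshold and critical findings <= max_critical."""
    reasons, score = [], result["securityScore"]
    if score < threshold:
        reasons.append("score %d is below threshold %d" % (score, threshold))
    critical = result.get("findings", {}).get("critical", 0)
    if critical > max_critical:
        reasons.append("%d critical finding(s), %d allowed" % (critical, max_critical))
    return (not reasons, reasons)

def run_check(repo_url, threshold=70, on_error="block", force_refresh=False):
    """Steps 1-5; on_error='block' fails the build on scan failure/timeout, 'warn' only logs it."""
    scan_id = api("POST", "/scan", {"repoUrl": repo_url, "forceRefresh": force_refresh})["scanId"]
    try:
        result = wait_for_scan(lambda sid: api("GET", "/scan/" + sid), scan_id)
    except (RuntimeError, TimeoutError) as exc:
        print("Scan error:", exc)
        return on_error != "block"
    passed, reasons = evaluate(result, threshold)
    print("Security Score: %d, Result: %s" % (result["securityScore"], "PASSED" if passed else "FAILED"), *reasons)
    return passed
```

In a pipeline, exit non-zero when run_check returns False so the job is marked failed.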

Integration Guides

Configuration Options

Score Threshold

Set a minimum acceptable security score:

# Example thresholds
THRESHOLD=80  # Strict - A or B grades only
THRESHOLD=70  # Moderate - C grade acceptable
THRESHOLD=60  # Lenient - Only fail on F grades

When to Scan

| Trigger | Use Case |
|---------|----------|
| Every push | Maximum coverage, high API usage |
| Pull requests | Block insecure code before merge |
| Main branch only | Monitor production code |
| Scheduled (daily/weekly) | Periodic audits |

Handling Failures

Options when a scan fails or times out:

  • Block the build - Strictest, prevents deployment
  • Warn and continue - Log issues but don't block
  • Require manual review - Mark as pending for review

Best Practices

1. Store API Key Securely

Never commit API keys to code:

# GitHub Actions
env:
  MCP_SCANNER_API_KEY: ${{ secrets.MCP_SCANNER_API_KEY }}

# GitLab CI
variables:
  MCP_SCANNER_API_KEY: $MCP_SCANNER_API_KEY  # From CI/CD settings

2. Cache Scan Results

Scans are cached for 24 hours. For PRs with multiple commits, only the first commit triggers a new scan:

# The API returns cached results automatically
# unless you specify forceRefresh: true

3. Set Appropriate Timeouts

Scans typically complete in 30-60 seconds. Set timeouts accordingly:

# Allow 2 minutes for scan
timeout: 120

4. Report Results Clearly

Output the score and key findings in CI logs:

echo "Security Score: $SCORE ($GRADE)"
echo "Critical findings: $CRITICAL_COUNT"
echo "High findings: $HIGH_COUNT"

Example Output

=== MCP Security Score Security Check ===
Repository: https://github.com/owner/repo
Scan ID: scan_abc123xyz

Waiting for scan to complete...
Status: cloning
Status: analyzing
Status: complete

Results:
- Security Score: 78 (C)
- Safety Score: 75 (C)
- Total Findings: 12
  - Critical: 0
  - High: 2
  - Medium: 5
  - Low: 5

Threshold: 70
Result: PASSED

Next Steps