Frequently Asked Questions

Common questions about using MCP Security Score for security analysis.


General Questions

What is MCP Security Score?

MCP Security Score is a security analysis tool specifically designed for Model Context Protocol (MCP) servers. It performs static code analysis and AI-powered behavioral analysis to identify security vulnerabilities, misconfigurations, and potential risks in MCP server implementations.

What types of repositories can I scan?

MCP Security Score supports:

  • Public GitHub repositories - Enter the URL directly
  • Private repositories - Coming soon
  • ZIP file uploads - Upload your code directly

Currently, we analyze:

  • TypeScript/JavaScript MCP servers
  • Python MCP servers

Is my code stored after scanning?

No. Your code is cloned temporarily for analysis and deleted immediately after the scan completes. We only store the scan results (findings, scores, metadata) - never the source code itself.

How often should I scan my MCP servers?

We recommend:

  • During development - After significant changes
  • Before releases - As part of your release checklist
  • Regularly - Weekly or monthly for production servers
  • In CI/CD - On every pull request for continuous monitoring

Scanning Questions

How long does a scan take?

Most scans complete in 30-60 seconds. Factors that affect scan time:

  • Repository size
  • Number of files to analyze
  • AI analysis complexity

Scans time out after 5 minutes if they have not completed.

Why did my scan fail?

Common reasons for scan failures:

| Error | Cause | Solution |
|-------|-------|----------|
| Repository not found | Invalid URL or private repo | Check URL, ensure repo is public |
| Clone failed | Network issues or large repo | Try again, contact support if persistent |
| Analysis timeout | Very large codebase | Contact support for enterprise scanning |
| No MCP server found | No MCP implementation detected | Ensure your repo contains MCP server code |

What files are scanned?

MCP Security Score analyzes:

  • .ts, .tsx, .js, .jsx files (TypeScript/JavaScript)
  • .py files (Python)
  • package.json, package-lock.json (dependencies)
  • requirements.txt, pyproject.toml (Python dependencies)

We skip:

  • node_modules/, venv/, .git/
  • Binary files, images, documentation
  • Test files (configurable)

Can I scan private repositories?

Private repository scanning is coming soon. For now, you can:

  1. Upload a ZIP - Download your repo and upload it
  2. Mirror to public - Create a temporary public mirror (be careful with secrets!)

Are scan results cached?

Yes. Scan results are cached for 24 hours. If you scan the same repository within 24 hours, you'll receive the cached result unless you request a fresh scan by setting forceRefresh: true in the request.


Scoring Questions

How is the security score calculated?

The security score (0-100) is calculated based on:

  1. Number of findings - More findings lower the score
  2. Severity weighting - Critical issues have more impact than low-severity ones
  3. Category coverage - Issues spread across multiple categories affect the score more
  4. AI analysis - Behavioral risks detected by the AI analysis can affect the score

What do the letter grades mean?

| Grade | Score Range | Meaning |
|-------|-------------|---------|
| A | 90-100 | Excellent security posture |
| B | 80-89 | Good, minor improvements possible |
| C | 70-79 | Acceptable, several issues to address |
| D | 60-69 | Concerning, significant issues present |
| F | 0-59 | Critical, immediate attention required |

What's the difference between Security Score and Safety Score?

  • Security Score - Based on static code analysis findings
  • Safety Score - Composite score including AI behavioral analysis

The Safety Score considers:

  • Static analysis findings
  • AI-detected behavioral risks
  • Prompt injection vulnerabilities
  • Trust assessment from AI analysis

Why is my score lower than expected?

Common reasons:

  • Informational findings - Even low-severity items affect the score
  • AI-detected risks - Behavioral analysis found concerning patterns
  • Multiple categories - Issues spread across categories have more impact

Review each finding and the AI analysis summary for details.


API Questions

How do I get an API key?

  1. Sign up or log in to MCP Security Score
  2. Go to Dashboard → Settings
  3. Click Create API Key
  4. Copy and store the key securely (it's only shown once)

API access requires a Pro subscription or higher.

What are the API rate limits?

| Tier | Daily Limit |
|------|-------------|
| Free | No API access |
| Pro | 100 requests |
| Team | 500 requests |
| Enterprise | 10,000 requests |

Limits reset at midnight UTC.

How do I handle rate limiting?

Check the response headers:

X-RateLimit-Limit: 100
X-RateLimit-Remaining: 5
X-RateLimit-Reset: 2024-01-16T00:00:00Z

If you receive a 429 response, wait until the reset time.
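The following is an added example (not the project's own client library) of a request helper that reads the X-RateLimit-* headers shown above and, on a 429, sleeps until X-RateLimit-Reset before retrying. It assumes JSON responses and that the scan request body carries a repositoryUrl field alongside the forceRefresh flag from the caching FAQ; the HTTP layer is replaced by a constructed stand-in so the example runs offline.

```python
# Added example, not the project's own client. Header names and the 429
# behaviour come from the FAQ; the request body keys are assumptions.
from datetime import datetime, timezone
import time

def seconds_until_reset(headers, now=None):
    """Seconds to sleep until X-RateLimit-Reset (ISO 8601, UTC); never negative."""
    reset = datetime.fromisoformat(headers["X-RateLimit-Reset"].replace("Z", "+00:00"))
    now = now or datetime.now(timezone.utc)
    return max(0.0, (reset - now).total_seconds())

def request_with_backoff(send, body, max_attempts=3, sleep=time.sleep, now=None):
    """send(body) -> (status, headers, payload). Retries on 429 once the window resets."""
    for _ in range(max_attempts):
        status, headers, payload = send(body)
        if status != 429:
            return status, payload, int(headers.get("X-RateLimit-Remaining", 0))
        sleep(seconds_until_reset(headers, now))
    raise RuntimeError(f"still rate limited after {max_attempts} attempts")

# Constructed stand-in for the HTTP layer: first call is throttled, second succeeds.
def make_fake_api():
    calls = []
    def send(body):
        calls.append(body)
        if len(calls) == 1:
            return 429, {"X-RateLimit-Limit": "100", "X-RateLimit-Remaining": "0",
                         "X-RateLimit-Reset": "2024-01-16T00:00:00Z"}, None
        return 200, {"X-RateLimit-Limit": "100", "X-RateLimit-Remaining": "99",
                     "X-RateLimit-Reset": "2024-01-17T00:00:00Z"}, {"grade": "B", "score": 84}
    return send, calls

def demo():
    """Send one forceRefresh scan request to the fake API and report what happened."""
    send, calls = make_fake_api()
    waits = []  # records how long the helper would have slept
    clock = datetime(2024, 1, 15, 23, 59, 30, tzinfo=timezone.utc)  # 30 s before the reset
    status, payload, remaining = request_with_backoff(
        send, {"repositoryUrl": "https://github.com/example/mcp-server", "forceRefresh": True},
        sleep=waits.append, now=clock)
    return {"status": status, "payload": payload, "remaining": remaining,
            "waits": waits, "attempts": len(calls)}

if __name__ == "__main__":
    print(demo())
```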

Can I use the API for commercial purposes?

Yes, with a Pro subscription or higher. Review our Terms of Service for details.


Account Questions

How do I upgrade my subscription?

  1. Go to Dashboard → Settings → Billing
  2. Click Upgrade Plan
  3. Select your desired tier
  4. Complete payment

Can I cancel my subscription?

Yes, you can cancel anytime from Dashboard → Settings → Billing. Your access continues until the end of the billing period.

How do I delete my account?

Contact us at support@mcpscanner.com to request account deletion. We'll remove all your data within 30 days.


Security Questions

Is MCP Security Score itself secure?

Yes. We take security seriously:

  • All data encrypted in transit (TLS 1.3)
  • Encrypted at rest
  • SOC 2 Type II compliance (in progress)
  • Regular security audits
  • No source code stored

Who can see my scan results?

Only you (and your team members if on a Team plan). Scan results are private by default.

Do you use my code to train AI models?

No. Your code is never used for AI training. It's only analyzed during the scan and then deleted.

How do I report a security vulnerability?

Email security@mcpscanner.com with details. We follow responsible disclosure practices and will respond within 48 hours.


Technical Questions

What static analysis rules do you use?

MCP Security Score uses 43 custom security checks across 8 categories:

  • Remote Code Execution (RCE)
  • Secrets Detection
  • Network Security
  • Filesystem Security
  • Supply Chain
  • MCP-specific (TypeScript)
  • Python Security
  • MCP-specific (Python)

See Security Checks for the complete list.

What AI model powers the analysis?

We use advanced large language models for behavioral analysis. The AI:

  • Analyzes MCP server behavior and capabilities
  • Detects prompt injection vulnerabilities
  • Assesses trust and risk levels
  • Generates actionable recommendations

Can I customize the security rules?

Custom rule configuration is available on Enterprise plans. Contact us for details.

Do you support monorepos?

Yes. MCP Security Score will scan the entire repository and identify MCP server code within it. For very large monorepos, contact us about Enterprise scanning options.


Still Have Questions?