bitsalt

What it will scan

  • Credential exposure: API keys, tokens, and secrets hardcoded in MCP configuration files
  • Permission scope: Tools granted broader access than necessary for their stated function
  • Transport security: MCP servers running over HTTP without TLS in production contexts
  • Tool invocation logging: Whether tool calls are being logged for audit and incident response
  • Server provenance: Third-party MCP servers without clear ownership or maintenance signals
  • Configuration drift: Differences between declared and actual tool capabilities
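
What static checks for the credential exposure and transport security items can look like, as an added example that is not the scanner's own code. Assumptions: an `mcpServers` JSON layout with `command`, `args`, `env` and `url` fields, any non-loopback `http://` URL standing in for "production", and hypothetical names such as `scan_mcp_config`; the sample config is constructed.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample; the "mcpServers" layout (command/args/env/url) is an assumption.
SAMPLE_CONFIG = json.loads("""
{"mcpServers": {
  "tickets": {
    "command": "npx",
    "args": ["-y", "example-tickets-mcp", "--api-key=EXAMPLE-NOT-A-REAL-KEY"],
    "env": {"TICKETS_TOKEN": "EXAMPLE-NOT-A-REAL-TOKEN", "LOG_LEVEL": "info"}
  },
  "search": {
    "url": "http://mcp.example.internal:8080/sse",
    "env": {"SEARCH_API_KEY": "${SEARCH_API_KEY}"}
  },
  "local-dev": {"url": "http://127.0.0.1:3000/sse"}
}}
""")

SENSITIVE_NAME = re.compile(r"(key|token|secret|passw(or)?d)", re.I)
ENV_REFERENCE = re.compile(r"^\$\{?\w+\}?$")  # ${VAR} or $VAR, resolved at launch
SECRET_FLAG = re.compile(r"^(--?[\w-]*(?:key|token|secret|password)[\w-]*)=(.+)$", re.I)
LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def scan_mcp_config(config):
    """Return (server, check, detail) findings; secret values are never echoed."""
    findings = []
    for name, server in config.get("mcpServers", {}).items():
        for var, value in server.get("env", {}).items():
            if SENSITIVE_NAME.search(var) and value and not ENV_REFERENCE.match(value):
                findings.append((name, "credential-exposure", f"env {var} holds a literal value"))
        for arg in server.get("args", []):
            m = SECRET_FLAG.match(arg)
            if m and not ENV_REFERENCE.match(m.group(2)):
                findings.append((name, "credential-exposure", f"arg {m.group(1)} holds a literal value"))
        url = urlparse(server.get("url", ""))
        if url.scheme == "http" and url.hostname not in LOOPBACK:
            findings.append((name, "transport-security", f"plain HTTP to {url.hostname}"))
    return findings


if __name__ == "__main__":
    for finding in scan_mcp_config(SAMPLE_CONFIG):
        print(*finding, sep="\t")
```

Values written as `${VAR}` references are treated as resolved from the environment at launch and are not flagged; findings name the variable or flag, not the secret itself.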

What it won't do

This is a static configuration scanner, not a runtime monitor. It tells you what's wrong with how your MCP servers are configured — it doesn't instrument your agents or intercept traffic. If you want runtime monitoring, that's a different problem (and probably a different product). Honesty builds trust.
