Agent/MCP Audit Sprint

GitHub Security tab workflow

MCP Code Scanning GitHub Action

Add a free Agent/MCP scanner to GitHub Code Scanning. The workflow runs the heuristic scanner with SARIF 2.1.0 output, uploads findings to the Security tab, and keeps the fixed USD $1,000 human audit path one click away for launch-blocking risks.

Output: SARIF 2.1.0 for GitHub Code Scanning
Runtime: No target dependency install or target code execution
Action: jackjin1997/agent-mcp-code-scan-action@v1
Verified: Public @v1 smoke workflow checks Markdown and SARIF output
Upgrade: USD $1,000 human audit for one repo or slice

Copy workflow

Upload MCP scan findings to Code Scanning

Save this as .github/workflows/agent-mcp-code-scanning.yml. It checks TypeScript, JavaScript, Python, Go, Rust, Markdown, package metadata, and workflow changes, then uploads SARIF through GitHub's supported action.

name: Agent/MCP Code Scanning

on:
  workflow_dispatch:
  pull_request:
    paths:
      - "**/*.ts"
      - "**/*.tsx"
      - "**/*.js"
      - "**/*.mjs"
      - "**/*.py"
      - "**/*.go"
      - "**/*.rs"
      - "**/*.md"
      - "package.json"
      - ".github/workflows/**"

jobs:
  audit:
    runs-on: ubuntu-latest
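    permissions:
      contents: read          # lets actions/checkout read the repository
      security-events: write  # lets upload-sarif publish to Code Scanning
    steps:
      - uses: actions/checkout@v4
      # Third-party action referenced by a mutable tag; pinning to a full
      # commit SHA fixes exactly which code runs in this job.
      - uses: jackjin1997/agent-mcp-code-scan-action@v1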
        with:
          path: "."
          sarif: "true"
          output: "agent-mcp-audit.sarif"
      - uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: agent-mcp-audit.sarif

What appears

Findings become reviewable security alerts

The SARIF output maps scanner findings into GitHub's security interface with rule names, severity levels, file evidence, and help links back to the free scanner and paid audit handoff.

Remote transport exposure appears as warning or error level scanner output.
Write, destructive, shell, browser, database, cloud, and external API paths are highlighted for review.
Credential paths without redaction signals are promoted as high-risk triage findings.
Missing tests, CI, or common quality scripts are kept visible before launch.

Action repository

Install the standalone scanner action

The action-only repository keeps installation, support, issue templates, and the stable v1 tag focused on GitHub Actions users. Its smoke workflow verifies both Markdown and SARIF output from the public tag.

Repository: jackjin1997/agent-mcp-code-scan-action
Smoke workflow: Smoke Action v1
Support: scanner bug form plus paid audit, browser scanner, and terms links in the issue chooser.

Local command

Generate SARIF without GitHub Actions

The same scanner can emit SARIF locally for a repo folder. This is useful for private review, CI systems outside GitHub, or attaching a scan artifact to an audit request.

node tools/agent-mcp-audit.mjs /path/to/repo --sarif > agent-mcp-audit.sarif
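
For CI systems outside GitHub, the pipeline has to read the SARIF file itself. The following is an added example, not part of the scanner or the action: it resolves each result's effective level under the SARIF 2.1.0 defaulting rules and lists the findings that should fail a build. The function names, the fail-on threshold, and the sample log are assumptions constructed for illustration.

```javascript
// Added example: gate a CI job outside GitHub on SARIF 2.1.0 results.
const LEVELS = ["none", "note", "warning", "error"]; // ascending severity
// Effective level per SARIF 2.1.0: explicit result.level, else the rule's
// defaultConfiguration.level, else "warning". Non-"fail" kinds count as "none".
function effectiveLevel(result, rules) {
  if (result.kind && result.kind !== "fail") return "none";
  if (result.level) return result.level;
  const rule = rules[result.ruleIndex] || rules.find((r) => r.id === result.ruleId);
  return (rule && rule.defaultConfiguration && rule.defaultConfiguration.level) || "warning";
}

function triageSarif(sarif, failOn = "error") {
  if (!sarif || sarif.version !== "2.1.0" || !Array.isArray(sarif.runs)) {
    throw new Error("not a SARIF 2.1.0 log");
  }
  const threshold = LEVELS.indexOf(failOn);
  if (threshold < 0) throw new Error(`unknown level: ${failOn}`);
  const counts = { none: 0, note: 0, warning: 0, error: 0 };
  const blocking = [];
  for (const run of sarif.runs) {
    const rules = (run.tool && run.tool.driver && run.tool.driver.rules) || [];
    for (const result of run.results || []) {
      const level = effectiveLevel(result, rules);
      if (!(level in counts)) throw new Error(`invalid level: ${level}`);
      counts[level] += 1;
      if (LEVELS.indexOf(level) < threshold) continue;
      const phys = ((result.locations || [])[0] || {}).physicalLocation || {};
      blocking.push({
        ruleId: result.ruleId || "(no ruleId)",
        level,
        file: (phys.artifactLocation && phys.artifactLocation.uri) || "(no location)",
        line: (phys.region && phys.region.startLine) || null,
      });
    }
  }
  return { counts, blocking, failed: blocking.length > 0 };
}

// Constructed sample log; ids and paths are hypothetical, not real scanner output.
const SAMPLE = { version: "2.1.0", runs: [{
  tool: { driver: { name: "example-scanner", rules: [
    { id: "EX001", defaultConfiguration: { level: "error" } }, { id: "EX002" }] } },
  results: [
    { ruleId: "EX001", ruleIndex: 0, message: { text: "constructed finding A" },
      locations: [{ physicalLocation: { artifactLocation: { uri: "src/server.ts" }, region: { startLine: 12 } } }] },
    { ruleId: "EX002", ruleIndex: 1, message: { text: "constructed finding B" } },
    { ruleId: "EX002", level: "note", message: { text: "constructed finding C" } },
  ] }] };
console.log(JSON.stringify(triageSarif(SAMPLE), null, 2));
```

In a pipeline, pass the function the parsed contents of agent-mcp-audit.sarif and exit non-zero when `failed` is true.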

Human review

When SARIF is not enough

  1. Use the workflow for free triage before launch or before opening a paid audit request.
  2. Attach the generated SARIF, workflow run, GitHub Security alert, or Markdown scanner report to the code scanning audit intake.
  3. Confirm scope for one repo or product slice before any payment is sent.
  4. Pay USD $1,000 only after written scope acceptance; delivery starts after payment confirmation.