decoy-run/decoy-scan
decoy-scan

Find security risks in your MCP servers before attackers do. Zero dependencies, zero config, zero account required.


npx decoy-scan

Scans Claude Desktop, Cursor, Windsurf, VS Code, Claude Code, Zed, and Cline. Finds risky tools, detects prompt injection, analyzes toxic data flows, tracks manifest changes, and maps everything to the OWASP Agentic Top 10.

What It Checks

Check                            What it finds
Tool risk classification         Critical/high/medium/low tools by name + description
Prompt injection detection       37 patterns across 20 attack categories in tool descriptions
Toxic flow analysis              Cross-server data leak (TF001) and destructive (TF002) attack chains
Tool manifest hashing            Detects tool additions, removals, and description changes between scans
Skill scanning                   Prompt injection, hardcoded secrets, suspicious URLs in Claude Code skills
Server command analysis          Pipe-to-shell, inline code, typosquatting, temp directory spawning
Environment variable exposure    API keys, tokens, secrets, cloud credentials passed to servers
Supply chain advisories          40+ known vulnerable MCP packages via Decoy advisory database
Transport security               HTTP without TLS, missing auth, wildcard CORS, public-bound SSE
Input sanitization               Unconstrained parameters, missing maxLength, open schemas
Permission scope                 Over-privileged servers, dangerous capability combinations
OWASP mapping                    Every finding mapped to ASI01–ASI05
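To make the toxic flow row concrete, here is a small model of the cross-server TF001/TF002 check. This is an added example, not decoy-scan's own code: it assigns tool roles by keyword matching on tool names only (the real scanner also uses descriptions and schemas), and the servers and tool names are constructed sample data.

```javascript
// Added example (not decoy-scan's own code): a minimal model of the
// cross-server toxic flow checks the table describes. Roles are assigned by
// keyword matching on tool names only; the real scanner also uses
// descriptions and schemas. The servers below are constructed sample data.
const ROLE_PATTERNS = [
  ['source', /read|fetch|get|search|query|list/i],          // pulls private or untrusted data in
  ['sink', /send|post|upload|email|publish/i],               // can move data off the host
  ['destructive', /delete|remove|drop|exec|shell|write/i],   // irreversible side effects
];

function roleOf(toolName) {
  const hit = ROLE_PATTERNS.find(([, re]) => re.test(toolName));
  return hit ? hit[0] : null;
}

// Flatten servers into (server, tool, role) records, dropping unclassified tools.
function classifyAll(servers) {
  return servers.flatMap(s =>
    s.tools.map(t => ({ server: s.name, tool: t, role: roleOf(t) })).filter(x => x.role));
}

// TF001: data source on one server + exfiltration sink on another server.
// TF002: data source on one server + destructive tool on another server.
function analyzeToxicFlows(servers) {
  const tools = classifyAll(servers);
  const flows = [];
  for (const src of tools.filter(t => t.role === 'source')) {
    for (const dst of tools) {
      if (dst.server === src.server) continue;   // cross-server chains only
      if (dst.role === 'sink') {
        flows.push({ id: 'TF001', severity: 'critical', roles: { source: src, sink: dst } });
      } else if (dst.role === 'destructive') {
        flows.push({ id: 'TF002', severity: 'critical', roles: { source: src, destructive: dst } });
      }
    }
  }
  return flows;
}

// Constructed sample: a filesystem server, a messaging server and a shell server.
const SAMPLE_SERVERS = [
  { name: 'filesystem', tools: ['read_file', 'write_file'] },
  { name: 'messaging', tools: ['send_message', 'list_channels'] },
  { name: 'shell', tools: ['run_shell'] },
];

for (const f of analyzeToxicFlows(SAMPLE_SERVERS)) {
  const dst = f.roles.sink || f.roles.destructive;
  console.log(`${f.id}: ${f.roles.source.server}/${f.roles.source.tool} -> ${dst.server}/${dst.tool}`);
}
```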

GitHub Action

One step. Scans MCP configs, enforces policy, uploads results to GitHub Security tab.

# .github/workflows/mcp-security.yml
name: MCP Security
on: [push, pull_request]

jobs:
  scan:
    runs-on: ubuntu-latest
    permissions:
      security-events: write
    steps:
      - uses: actions/checkout@v4
      - uses: decoy-run/decoy-scan@v1

That's it. Fails the build if critical tools or prompt injection are found. Results appear in the Security tab.

With options

- uses: decoy-run/decoy-scan@v1
  with:
    policy: no-critical,no-poisoning,no-toxic-flows
    report: true
    token: ${{ secrets.DECOY_TOKEN }}

Inputs

Input     Default                     Description
policy    no-critical,no-poisoning    Comma-separated policy rules
sarif     true                        Upload SARIF to GitHub Security tab
report    false                       Upload to Decoy Guard dashboard
token     (none)                      Decoy API token (for report)
verbose   false                       Show all tools including low-risk

Policy rules

no-critical          Fail on critical tools (code exec, file write)
no-high              Fail on high-risk tools (file read, network)
no-poisoning         Fail on prompt injection in tool descriptions
no-toxic-flows       Fail on cross-server data leak / destructive chains
no-secrets           Fail on secrets exposed in MCP config
require-tripwires    Fail if decoy-tripwire not installed
max-critical=N       Fail if more than N critical tools
max-high=N           Fail if more than N high-risk tools

Manual CI/CD

If you prefer raw commands over the Action:

- run: npx decoy-scan --policy=no-critical,no-poisoning
- run: npx decoy-scan --sarif > results.sarif
- uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: results.sarif

Options

npx decoy-scan                     # Full scan with server probing
npx decoy-scan --json              # JSON output (stdout, pipeable to jq)
npx decoy-scan --sarif             # SARIF 2.1.0 for GitHub Security / VS Code
npx decoy-scan --skills            # Also scan Claude Code skills
npx decoy-scan --no-probe          # Config-only (don't spawn servers)
npx decoy-scan --no-advisories     # Skip advisory database check
npx decoy-scan --report            # Upload results to Decoy dashboard
npx decoy-scan --policy=RULES      # CI/CD policy gate (exit 2 on violation)
npx decoy-scan --verbose           # Show all tools including low-risk
npx decoy-scan --quiet             # Suppress status output (exit code only)
npx decoy-scan --no-color          # Disable colored output

Run from your project root to include project-level .mcp.json configs.

Exit Codes

Code   Meaning
0      No critical or high-risk issues
1      High-risk issues found
2      Critical issues, tool poisoning, toxic flows, or policy violation

Library

import {
  scan,
  toSarif,
  classifyTool,
  detectPoisoning,
  analyzeToxicFlows,
  hashToolManifest,
  detectManifestChanges,
  discoverSkills,
  analyzeSkill,
} from 'decoy-scan';

const results = await scan({ skills: true });
console.log(results.toxicFlows);    // [{ id: "TF001", severity: "critical", roles: {...} }]
console.log(results.skills);        // [{ name: "...", findings: [...] }]
console.log(results.servers[0].manifestHash);  // "45c4c571f03c78a2"

How It Compares

                            decoy-scan              Snyk agent-scan
Language                    JavaScript              Python
Dependencies                0                       15 (aiohttp, pydantic, mcp, etc.)
Install                     npx decoy-scan          uvx snyk-agent-scan + Snyk account
Cloud required              No                      Yes (sends data to Snyk API)
Toxic flow analysis         Yes (local)             Yes (cloud)
Manifest change detection   Yes                     Yes (registry-based)
Skill scanning              Yes                     Yes
CI/CD policy gate           Yes                     No
SARIF output                Yes                     No
OWASP mapping               Yes                     No
Hosts supported             8                       6
Tripwire integration        Yes (decoy-tripwire)    No

Supported Hosts

Claude Desktop, Cursor, Windsurf, VS Code, Claude Code (global + project), Zed, Cline

License

MIT

About

Security scanner for MCP server configurations. Like npm audit, but for your AI agent tool servers. Finds risky tools, input validation gaps, transport vulnerabilities, and over-permissioned capability chains. Open source, zero dependencies.
