Resumen
Este flujo de trabajo ejecuta semanal to audit your MCP servidor configurations for seguridad problemas. It verifica for hardcoded claves API, valida ese credenciales son pulled de entorno variables, verifies key rotation dates, y prueba ese endpoints son no publicly exposed sin autenticacion. El salida es un structured informe ese feeds en your seguridad resena procesar.
Desencadenador
Cron programar (cada Monday at 6 AM UTC)
Programación
Semanal Monday 6 AM
Pasos del flujo de trabajo
Scan MCP config files
Find todos MCP servidor configuracion files y analizar them for credencial references.
Verificar for hardcoded secrets
Pattern-match config valores contra conocido clave API formats to detectar hardcoded credenciales.
Validar entorno variable usage
Verify ese todos credencial campos reference entorno variables bastante than literal valores.
Test clave API validity
Make un minimal llamada un API con cada configured key to verify it es aun valid y tiene appropriate scope.
Verificar key age
Comparar key creation dates contra rotation politica to marcar stale credenciales.
Generar audit informe
Compile findings en un structured JSON informe con severity levels y remediation pasos.
Implementacion en Python
import requests
import json
import re
import os
from pathlib import Path
from datetime import datetime
API_KEY = os.environ.get("SCAVIO_API_KEY", "")
ROTATION_DAYS = 90
MCP_CONFIG_PATHS = [
Path.home() / ".mcp" / "config.json",
Path(".mcp.json"),
Path("mcp-config.json"),
]
KEY_PATTERNS = [
re.compile(r"sk-[a-zA-Z0-9]{20,}"),
re.compile(r"[a-f0-9]{32,64}"),
re.compile(r"key_[a-zA-Z0-9]{16,}"),
]
def scan_configs() -> list[dict]:
findings = []
for config_path in MCP_CONFIG_PATHS:
if not config_path.exists():
continue
content = config_path.read_text()
config = json.loads(content)
# Check for hardcoded keys
for pattern in KEY_PATTERNS:
matches = pattern.findall(content)
for match in matches:
if not match.startswith("$"):
findings.append({
"file": str(config_path),
"severity": "high",
"issue": "hardcoded_credential",
"value_preview": f"{match[:8]}...",
"remediation": "Move to environment variable",
})
# Check env var references
servers = config.get("mcpServers", config.get("servers", {}))
for name, server_config in servers.items():
env_vars = server_config.get("env", {})
for key, value in env_vars.items():
if not value.startswith("$") and len(value) > 16:
findings.append({
"file": str(config_path),
"severity": "medium",
"issue": "literal_env_value",
"server": name,
"key": key,
"remediation": "Use environment variable reference",
})
return findings
def test_key_validity() -> dict:
if not API_KEY:
return {"status": "missing", "severity": "critical"}
try:
res = requests.post(
"https://api.scavio.dev/api/v1/search",
headers={"x-api-key": API_KEY},
json={"platform": "google", "query": "test"},
timeout=10,
)
if res.status_code == 200:
return {"status": "valid", "severity": "none"}
elif res.status_code == 401:
return {"status": "expired", "severity": "critical"}
else:
return {"status": "error", "code": res.status_code, "severity": "high"}
except Exception as e:
return {"status": "unreachable", "error": str(e), "severity": "high"}
def run():
report = {
"audit_date": datetime.utcnow().isoformat(),
"config_findings": scan_configs(),
"key_validity": test_key_validity(),
"recommendations": [],
}
high_severity = [f for f in report["config_findings"] if f["severity"] == "high"]
if high_severity:
report["recommendations"].append("Rotate all hardcoded credentials immediately")
if report["key_validity"]["severity"] != "none":
report["recommendations"].append("Fix API key authentication issue")
output = Path(f"mcp_audit_{datetime.utcnow().strftime('%Y-%m-%d')}.json")
output.write_text(json.dumps(report, indent=2))
print(f"Audit complete: {len(report['config_findings'])} findings")
print(f"Key status: {report['key_validity']['status']}")
if __name__ == "__main__":
run()Implementacion en JavaScript
const API_KEY = process.env.SCAVIO_API_KEY ?? "";
const ROTATION_DAYS = 90;
const KEY_PATTERNS = [
/sk-[a-zA-Z0-9]{20,}/g,
/[a-f0-9]{32,64}/g,
/key_[a-zA-Z0-9]{16,}/g,
];
// Truncated for build safety
Plataformas utilizadas
Búsqueda web con grafo de conocimiento, PAA y resúmenes de IA