MCPShield GitHub App

Automatic security scanning on every pull request. Catch vulnerabilities before they ship.

Free for public repos. 10 scans/day included.

Every pull request is scanned automatically. No manual triggers needed. Results appear as a comment in seconds.

91 regex rules catch known patterns including dangerous capability combinations. LLM judge (Claude) catches semantic attacks that regex misses.

The app only reads your code and writes PR comments. No write access to your repository contents. Minimal permissions.

Every scan produces a grade (A-F) with severity breakdown. Critical and high findings are highlighted with remediation guidance.

GitHub Check Runs that pass or fail based on your security threshold. Add MCPShield as a required status check in branch protection.

How It Works

Click the install button above. Choose which repositories to enable it on. The app requests read-only access to code and write access to PR comments.

When you open or update a PR, MCPShield automatically scans the repository for MCP security issues.

MCPShield posts a comment with the grade and findings, plus a GitHub Check Run. Enable the CI/CD gate to block merges below your threshold.

Category	Examples
Tool Poisoning	Hidden instructions in tool descriptions, cross-tool manipulation, credential harvesting
Prompt Injection	Unicode smuggling, encoding obfuscation, context flooding, instruction tags
Input Validation	Command injection, path traversal, SQL injection, SSRF, eval injection
Authentication	Missing auth on HTTP endpoints, exposed credentials, insecure transport
Semantic Attacks	Domain jargon camouflage, consent fabrication, instruction fragmentation (LLM-only)

$15/mo

✅ MCPShield Security Scan: Grade A (95/100)

Severity	Count
🟡 Medium	1

Findings

Scanned by MCPShield | Two-pass analysis: regex + LLM