Secure Code Review MCP Server

Local MCP server that scans code for security issues (secrets, dependencies, configurations, risky patterns) and integrates with GitHub Copilot in VS Code for automated pre-commit reviews.

A local MCP (Model Context Protocol) server that helps software engineers review their code for security issues before committing or raising a PR. This server integrates directly with GitHub Copilot in VS Code.

🎯 What Problem Does This Solve?

Developers often commit code with:

  • Hardcoded secrets (API keys, passwords)
  • Duplicate or risky dependencies
  • Insecure configuration settings
  • Dangerous code patterns (eval, SQL injection)
  • Missing security hygiene files

This MCP server provides automated security scanning right inside VS Code through GitHub Copilot, catching issues before they reach your repository.

🏗️ Architecture

┌─────────────────────────────────────────────────────────────┐
│                      VS Code                                 │
│  ┌─────────────────────────────────────────────────────┐   │
│  │              GitHub Copilot Chat                      │   │
│  │   "Scan my code for security issues"                 │   │
│  └────────────────────────┬────────────────────────────┘   │
│                           │                                  │
│                           ▼                                  │
│  ┌─────────────────────────────────────────────────────┐   │
│  │              MCP Client (STDIO)                       │   │
│  └────────────────────────┬────────────────────────────┘   │
└───────────────────────────┼─────────────────────────────────┘
                            │
                            ▼
┌─────────────────────────────────────────────────────────────┐
│           Secure Code Review MCP Server                      │
│  ┌─────────────────────────────────────────────────────┐   │
│  │                   server.py                           │   │
│  │            (MCP SDK + Tool Handlers)                  │   │
│  └────────────────────────┬────────────────────────────┘   │
│                           │                                  │
│  ┌────────────┬───────────┼───────────┬────────────────┐   │
│  │            │           │           │                │   │
│  ▼            ▼           ▼           ▼                ▼   │
│ ┌────┐    ┌────────┐  ┌────────┐  ┌────────┐    ┌────────┐│
│ │Sec │    │  Dep   │  │ Config │  │  Code  │    │   PR   ││
│ │rets│    │Scanner │  │Scanner │  │Pattern │    │Readine-││
│ │Scan│    │        │  │        │  │Scanner │    │  ss    ││
│ └────┘    └────────┘  └────────┘  └────────┘    └────────┘│
└─────────────────────────────────────────────────────────────┘
                            │
                            ▼
                    ┌──────────────┐
                    │ Local Files  │
                    │ (Read-Only)  │
                    └──────────────┘

📁 Project Structure

secure-code-review-mcp/
├── README.md                    # This file
├── requirements.txt             # Python dependencies
├── .gitignore                  # Git ignore rules
│
├── src/
│   ├── __init__.py
│   ├── server.py               # Main MCP server with 6 tools
│   │
│   ├── scanners/
│   │   ├── __init__.py
│   │   ├── base_scanner.py     # Abstract base scanner
│   │   ├── secrets_scanner.py  # Hardcoded secrets detection
│   │   ├── dependency_scanner.py  # Dependency issues
│   │   ├── config_scanner.py   # Insecure configurations
│   │   ├── code_pattern_scanner.py  # Risky code patterns
│   │   └── pr_readiness_scanner.py  # PR checklist generator
│
├── sample_project/             # Test project with vulnerabilities
│   ├── app.py                  # Python with dangerous patterns
│   ├── index.js               # JavaScript with dangerous patterns
│   ├── config.py              # Insecure configurations
│   ├── requirements.txt       # Dependencies with issues
│   ├── package.json           # Node.js dependencies with issues
│   ├── Dockerfile             # Docker with security issues
│   ├── .env.example           # Environment variables template
│   └── README.md              # Sample project notes

Note: docs/, tests/, pyproject.toml, and mcp_config.json were intentionally removed to keep this project minimal and focused on local MCP usage.

✨ MCP Tools Available

| Tool | Description |
| --- | --- |
| scan_hardcoded_secrets | Scan for passwords, API keys, tokens, AWS credentials, private keys, database connection strings |
| scan_dependencies | Check for duplicate packages, unpinned versions, risky packages, missing lock files |
| scan_insecure_configs | Detect DEBUG=true, CORS=*, root user in Docker, latest tag usage |
| scan_risky_code_patterns | Find eval(), exec(), SQL injection, weak hashing (MD5/SHA1), unsafe yaml.load |
| generate_pr_security_checklist | Generate PR readiness checklist with pass/fail status |
| run_full_security_review | Run all scanners and produce comprehensive summary |

🚀 Prerequisites

  • Python 3.10+
  • VS Code with GitHub Copilot extension
  • GitHub Copilot Chat enabled

📦 Installation

Step 1: Clone/Navigate to the Project

cd path/to/secure-code-review-mcp

Step 2: Create Virtual Environment (Recommended)

# Windows
python -m venv venv
.\venv\Scripts\activate

# macOS/Linux
python3 -m venv venv
source venv/bin/activate

Step 3: Install Dependencies

pip install -r requirements.txt

Step 4: Verify Installation

python -c "import mcp; print('MCP SDK installed successfully!')"

🔌 Connecting to GitHub Copilot in VS Code

Step 1: Create MCP Configuration

Create or verify .vscode/mcp.json in your workspace root:

{
    "servers": {
        "secure-code-review": {
            "type": "stdio",
            "command": "python",
            "args": [
                "${workspaceFolder}/mcp-client-server/secure-code-review-mcp/src/server.py"
            ],
            "env": {
                "PYTHONPATH": "${workspaceFolder}/mcp-client-server/secure-code-review-mcp/src"
            }
        }
    }
}

Note: Adjust the path based on your folder structure.

Step 2: Reload VS Code

  1. Press Ctrl+Shift+P (or Cmd+Shift+P on Mac)
  2. Type "Developer: Reload Window"
  3. Press Enter

Step 3: Verify MCP Server is Connected

  1. Open GitHub Copilot Chat (Ctrl+Alt+I or click the Copilot icon)
  2. Click the 🔧 Tools icon in the chat
  3. You should see "secure-code-review" listed with 6 tools

🧪 Testing the MCP Server

Test with Sample Project

The sample_project/ folder contains intentionally vulnerable code for testing.

Example Prompts for GitHub Copilot

Open GitHub Copilot Chat and try these prompts:

1. "Scan sample_project for hardcoded secrets"

2. "Check dependencies in the sample_project folder"

3. "Find insecure configurations in sample_project"

4. "Scan sample_project for risky code patterns"

5. "Generate a PR security checklist for sample_project"

6. "Run a full security review on sample_project"

Expected Output Example

For scan_hardcoded_secrets:

{
  "scanner": "SecretsScanner",
  "files_scanned": 5,
  "total_findings": 12,
  "findings": [
    {
      "file_path": "sample_project/app.py",
      "line_number": 15,
      "matched_pattern_type": "Hardcoded Password",
      "severity": "High",
      "recommendation": "Remove hardcoded password and use environment variables"
    }
  ],
  "summary": {
    "high_severity": 10,
    "medium_severity": 2,
    "low_severity": 0
  }
}

For run_full_security_review:

{
  "project_path": "sample_project",
  "summary": {
    "total_findings": 45,
    "high_severity_count": 25,
    "medium_severity_count": 15,
    "low_severity_count": 5
  },
  "pr_readiness": {
    "overall_status": "🔴 Needs Fixes",
    "checklist_items": [...]
  },
  "final_recommendation": "🔴 DO NOT RAISE PR - Fix all high severity issues first"
}

🔍 What Each Scanner Detects

Secrets Scanner

  • password=, passwd=, pwd=
  • api_key=, apikey=
  • secret=, token=
  • AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY
  • -----BEGIN PRIVATE KEY-----
  • Database connection strings with credentials
  • JWT secrets
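
A sketch of how line-based secret detection can produce findings in the report shape shown under Expected Output Example. This is an added example, not the project's secrets_scanner.py: the regexes, the placeholder filter, the recommendation text and the sample input are assumptions; only the field names come from this page.

```python
import re

# Assumed rules for illustration; the project's real patterns are not shown on this page.
RULES = [
    ("Hardcoded Password", "High",
     re.compile(r"(?i)(?:password|passwd|pwd)\s*[=:]\s*[\"']([^\"']+)[\"']")),
    ("Hardcoded API Key", "High",
     re.compile(r"(?i)api_?key\s*[=:]\s*[\"']([^\"']+)[\"']")),
    ("Hardcoded Secret or Token", "High",
     re.compile(r"(?i)(?:secret|token)\s*[=:]\s*[\"']([^\"']+)[\"']")),
    ("Private Key", "High", re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----()")),
    ("Connection String With Credentials", "Medium",
     re.compile(r"[a-z][a-z0-9+]*://[^\s:/@]+:([^\s@/]+)@")),
]
# Template values (common in .env.example) are not real secrets.
PLACEHOLDER = re.compile(r"^(?:\$\{.*\}|<.*>|changeme|your[-_].*)$", re.I)

def scan_text(file_path, text):
    """Return findings for one file; the secret value is never copied into a finding."""
    findings = []
    for line_number, line in enumerate(text.splitlines(), start=1):
        for pattern_type, severity, regex in RULES:
            match = regex.search(line)
            if not match or PLACEHOLDER.match(match.group(1)):
                continue
            findings.append({
                "file_path": file_path,
                "line_number": line_number,
                "matched_pattern_type": pattern_type,
                "severity": severity,
                "recommendation": "Load this value from an environment variable or secret store",
            })
    return findings

def build_report(findings, files_scanned):
    """Wrap findings in the report shape shown under Expected Output Example."""
    levels = [f["severity"] for f in findings]
    return {"scanner": "SecretsScanner", "files_scanned": files_scanned,
            "total_findings": len(findings), "findings": findings,
            "summary": {f"{lv.lower()}_severity": levels.count(lv)
                        for lv in ("High", "Medium", "Low")}}

# Constructed sample input, not taken from the project's sample_project/.
SAMPLE = '''DB_PASSWORD = "hunter2-example"
api_key = "${API_KEY}"
password = os.environ["APP_PASSWORD"]
DATABASE_URL = "postgres://app:s3cr3t-example@db.internal/app"
'''
```

Only lines 1 and 4 of the sample are reported: the `${API_KEY}` template and the `os.environ` lookup are not literal secrets, and keeping matched values out of the findings avoids copying credentials into chat transcripts or logs.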

Dependency Scanner

  • Duplicate packages in requirements.txt
  • Duplicate dependencies across package.json sections
  • Unpinned versions (pandas without ==x.x.x)
  • Wildcard versions (*, latest)
  • Known risky packages (pycrypto, event-stream, etc.)
  • Missing lock files
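
The requirements.txt checks above (duplicates, unpinned versions, risky packages) sketched as an added example. It is not the project's dependency_scanner.py: the parsing regex, the one-entry risky list and the sample file are assumptions, and package.json and lock-file checks are left out.

```python
import re

# Assumed list: pycrypto is named on this page; a real deny-list would be longer.
RISKY_PACKAGES = {"pycrypto"}
REQUIREMENT = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*([^;]*)")

def normalize(name):
    """PEP 503 name normalization, so Flask, flask and FLASK count as one package."""
    return re.sub(r"[-_.]+", "-", name).lower()

def scan_requirements(text):
    """Return (line_number, package, issue) tuples for a requirements.txt body."""
    findings, first_seen = [], {}
    for line_number, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        match = REQUIREMENT.match(line)
        if not match:  # blank lines, comments, and options such as -r or --hash
            continue
        name, spec = normalize(match.group(1)), match.group(2).strip()
        if name in first_seen:
            findings.append((line_number, name, f"duplicate of line {first_seen[name]}"))
        else:
            first_seen[name] = line_number
        # Only an exact == pin without a wildcard makes the install reproducible.
        if not re.fullmatch(r"==\s*[^\s*,]+", spec):
            findings.append((line_number, name, "unpinned version"))
        if name in RISKY_PACKAGES:
            findings.append((line_number, name, "known risky package"))
    return findings

# Constructed sample input, not the project's sample_project/requirements.txt.
SAMPLE = """\
Flask==2.3.2
pandas
requests>=2.0  # range, not a pin
flask==2.0.1
pycrypto==2.6.1
Django==4.*
"""
```

Name normalization is what catches `Flask` and `flask` as the same package pinned twice at different versions, which a plain string comparison would miss.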

Config Scanner

  • DEBUG=true
  • ENV=development in production configs
  • CORS=*, ALLOW_ORIGINS=*
  • Root user in Dockerfile
  • :latest tag in Docker images
  • Exposed sensitive ports (22, 3389)
  • Hardcoded passwords in Docker ENV
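
The Dockerfile checks above (root user, :latest tag, sensitive ports) need some care with multi-stage builds. This added example is not the project's config_scanner.py; the function name, messages and sample Dockerfile are assumptions, and line continuations are not handled.

```python
SENSITIVE_PORTS = {"22", "3389"}  # the two ports listed on this page

def scan_dockerfile(text):
    """Return (line_number, issue) tuples; line 0 marks a file-level finding."""
    findings, stage_names, user = [], set(), None
    for line_number, raw in enumerate(text.splitlines(), start=1):
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        # Flags such as --platform=... are dropped; only positional arguments matter here.
        instruction = parts[0].upper()
        args = [a for a in parts[1:] if not a.startswith("--")]
        if instruction == "FROM" and args:
            image, user = args[0], None  # a new stage resets the effective user
            external = image.lower() not in stage_names and image != "scratch"
            if len(args) >= 3 and args[1].upper() == "AS":
                stage_names.add(args[2].lower())
            if external and "@sha256:" not in image:  # digest pins are fine
                tag = image.rsplit("/", 1)[-1].partition(":")[2]
                if tag in ("", "latest"):
                    findings.append((line_number, f"unpinned base image {image}"))
        elif instruction == "USER" and args:
            user = (line_number, args[0].split(":")[0])
        elif instruction == "EXPOSE":
            for port in args:
                if port.split("/")[0] in SENSITIVE_PORTS:
                    findings.append((line_number, f"sensitive port {port} exposed"))
    # Only the last USER of the final stage decides who the container runs as.
    if user is None:
        findings.append((0, "no USER in final stage, image default (usually root) applies"))
    elif user[1] in ("root", "0"):
        findings.append((user[0], "final USER is root"))
    return findings

# Constructed sample input, not the project's sample_project/Dockerfile.
SAMPLE = """\
FROM python:latest AS build
RUN pip install --no-cache-dir flask
FROM build AS test
USER root
FROM python:3.12-slim
COPY --from=build /app /app
USER app
EXPOSE 8000 22/tcp
USER 0
"""
```

`FROM build` is a reference to an earlier stage, not an untagged image, and the `USER root` in the intermediate stage does not affect the final image; a check that only greps for `USER` or for a missing tag gets both cases wrong.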

Code Pattern Scanner

Python:

  • eval(), exec()
  • subprocess.run(..., shell=True)
  • os.system()
  • pickle.load() with untrusted data
  • yaml.load() without SafeLoader
  • SQL string formatting
  • hashlib.md5(), hashlib.sha1()
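
Several of the Python checks above can be done on the syntax tree rather than with text matching, which avoids flagging comments and string literals. This added example is not the project's code_pattern_scanner.py; the function names, messages and sample source are assumptions, and SQL string formatting and aliased imports (`import subprocess as sp`) are not covered.

```python
import ast

def dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or '' for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return ""
    return ".".join(reversed(parts + [node.id]))

def scan_python(source):
    """Return sorted (line_number, issue) pairs for risky calls in Python source."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = dotted_name(node.func)
        keywords = {kw.arg: kw.value for kw in node.keywords}
        if name in ("eval", "exec", "os.system"):
            findings.append((node.lineno, f"{name}() call"))
        elif name.startswith("subprocess."):
            shell = keywords.get("shell")
            if isinstance(shell, ast.Constant) and shell.value is True:
                findings.append((node.lineno, f"{name}() with shell=True"))
        elif name in ("pickle.load", "pickle.loads"):
            findings.append((node.lineno, f"{name}() on possibly untrusted data"))
        elif name == "yaml.load":
            loader = keywords.get("Loader") or (node.args[1] if len(node.args) > 1 else None)
            if loader is None or not dotted_name(loader).endswith("SafeLoader"):
                findings.append((node.lineno, "yaml.load() without SafeLoader"))
        elif name in ("hashlib.md5", "hashlib.sha1"):
            findings.append((node.lineno, f"weak hash {name}()"))
    return sorted(findings)

# Constructed sample input, not the project's sample_project/app.py.
SAMPLE = '''import hashlib, subprocess, yaml
# eval() is mentioned in this comment only
doc = "never call exec() here"
value = eval(user_input)
subprocess.run(cmd, shell=True)
subprocess.run(["ls", "-l"])
cfg = yaml.load(stream)
safe = yaml.load(stream, Loader=yaml.SafeLoader)
digest = hashlib.md5(data).hexdigest()
'''
```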

JavaScript:

  • eval()
  • new Function()
  • setTimeout/setInterval with strings
  • child_process.exec()
  • .innerHTML assignment
  • document.write()
  • SQL template literals
  • crypto.createHash('md5'/'sha1')

📄 License

MIT License - Free for personal and commercial use.

🤝 Contributing

Contributions welcome! Please:

  1. Fork the repository
  2. Create a feature branch
  3. Submit a pull request

⚠️ Disclaimer: This is a basic security scanner for learning and demonstration purposes. It should NOT be used as the sole security review tool for production applications. Always use professional security tools and conduct thorough security audits.
