Add MCP Shield security scan #37
| - run: npm ci | ||
| - run: npm run build | ||
| - uses: thuggeelya/mcp-shield-action@v1 | ||
| with: |
| - name: Build | ||
| run: npm run build | ||
|
|
||
| - name: MCP Shield scan |
only add this step, reduce the diff
Pull request overview
Adds MCP Shield security scanning to CI and exposes the scan grade in the README to make security posture more visible in the repo’s standard build pipeline.
Changes:
- Adds MCP Shield scan step to the existing GitHub Actions build workflow.
- Grants the workflow token permissions intended to allow posting scan findings back to PRs.
- Adds an MCP Shield badge to the README header.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| README.md | Adds an MCP Shield grade badge to the project header badges. |
| .github/workflows/build.yml | Extends the build workflow to run MCP Shield and adds GITHUB_TOKEN permissions for PR commenting. |
| - name: MCP Shield scan | ||
| uses: thuggeelya/mcp-shield-action@v1 | ||
| with: | ||
| server: 'node build/index.js' | ||
| sarif: 'false' |
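Review bot: `sarif: 'false'` at the end of this `with:` block needs a word of justification. Going by the input name it switches off SARIF output, which would leave the PR comment as the only record of a scan and nothing at all on `push` runs; either add a YAML comment saying why it is off, or turn it on and keep the report as a code-scanning upload or build artifact.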
The workflow runs on both push and pull_request, but the MCP Shield step appears intended to post PR comments. Consider guarding this step with an if: github.event_name == 'pull_request' (or moving it to a PR-only workflow) to avoid failing or doing unnecessary work on push runs where no PR context exists.
| npx vitest --watch=false | ||
|
|
||
| - name: MCP Shield scan | ||
| uses: thuggeelya/mcp-shield-action@v1 |
uses: thuggeelya/mcp-shield-action@v1 pulls a moving tag from a third-party repository. For supply-chain hardening (especially with pull-requests: write), pin the action to an immutable commit SHA (optionally with a comment noting the corresponding release).
| uses: thuggeelya/mcp-shield-action@v1 | |
| uses: thuggeelya/mcp-shield-action@c0ffee0000000000000000000000000000000000 # v1 |
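Review bot: the SHA in the suggested line, `c0ffee0000000000000000000000000000000000`, reads as a placeholder rather than a commit in the action's repository, so applying the suggestion verbatim would leave the step unresolvable. Resolve the `v1` tag to its current commit and paste that 40-character SHA, keeping the `# v1` comment so the release stays readable.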
This is my own action and I control the tag. SHA pinning would reduce readability
| permissions: | ||
| contents: read | ||
| pull-requests: write |
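Review bot: `pull-requests: write` in this block will not take effect for `pull_request` runs triggered from a fork, where GitHub by default issues a read-only `GITHUB_TOKEN` whatever the `permissions:` block requests. Add a YAML comment next to the block saying so, and confirm the scan step skips commenting instead of failing the job in that case.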
The job-level pull-requests: write permission applies to all steps in this job. If only the MCP Shield step needs write access, consider splitting it into a separate job (or separate workflow) so the build/test steps run with read-only permissions.
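An added example, not part of this pull request or of MCP Shield: a small Node.js check for the two review points above, a third-party `uses:` ref that is not a full commit SHA and a `permissions:` block that grants write scopes. The first-party owner list, the severity rule and the sample workflow are assumptions constructed for illustration.

```javascript
// Added example: audit a workflow file for mutable action refs and write scopes.
// Line-based on purpose (no YAML dependency); block-style `permissions:` only.
const FULL_SHA = /^[0-9a-f]{40}$/;
const FIRST_PARTY = new Set(["actions", "github"]); // assumption: owners trusted by policy

function auditWorkflow(text) {
  const writeScopes = [];
  const findings = [];
  let permIndent = -1; // indent of the open `permissions:` key, -1 when outside one

  text.split("\n").forEach((raw, i) => {
    const line = raw.replace(/(^|\s)#.*$/, ""); // drop comments such as "# v1"
    if (!line.trim()) return;
    const indent = line.search(/\S/);
    if (permIndent >= 0 && indent <= permIndent) permIndent = -1; // block ended
    if (/^\s*permissions:\s*$/.test(line)) { permIndent = indent; return; }
    if (permIndent >= 0) {
      const m = line.match(/^\s*([\w-]+):\s*write\s*$/);
      if (m) writeScopes.push(m[1]);
      return;
    }
    const u = line.match(/^\s*(?:-\s*)?uses:\s*['"]?([^\s'"@]+)@([^\s'"]+)/);
    if (!u) return;
    const [, action, ref] = u;
    if (FIRST_PARTY.has(action.split("/")[0])) return;
    if (!FULL_SHA.test(ref)) findings.push({ line: i + 1, action, ref });
  });
  // A tag or branch ref matters most when the token it runs with can write.
  const severity = writeScopes.length ? "high" : "medium";
  return findings.map((f) => ({ ...f, severity, writeScopes }));
}

// Constructed sample mirroring the steps quoted in this PR.
const SAMPLE = `
jobs:
  build:
    permissions:
      contents: read
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
      - run: npm ci
      - name: MCP Shield scan
        uses: thuggeelya/mcp-shield-action@v1
`;

console.log(auditWorkflow(SAMPLE));
```

Run against `.github/workflows/*.yml` in CI, a non-empty result can fail the job before any third-party step executes.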
| @@ -1,4 +1,4 @@ | |||
| # <img src="https://mermaid.js.org/favicon.svg" height="24"/> MCP Mermaid  [](https://github.com/hustcc/mcp-mermaid/actions/workflows/build.yml) [](https://www.npmjs.com/package/mcp-mermaid) [](https://smithery.ai/server/@hustcc/mcp-mermaid) [](https://www.npmjs.com/package/mcp-mermaid) [](https://archestra.ai/mcp-catalog/hustcc__mcp-mermaid) | |||
| # <img src="https://mermaid.js.org/favicon.svg" height="24"/> MCP Mermaid  [](https://github.com/hustcc/mcp-mermaid/actions/workflows/build.yml) [](https://www.npmjs.com/package/mcp-mermaid) [](https://smithery.ai/server/@hustcc/mcp-mermaid) [](https://www.npmjs.com/package/mcp-mermaid) [](https://archestra.ai/mcp-catalog/hustcc__mcp-mermaid) [-brightgreen)](https://github.com/thuggeelya/mcp-shield) | |||
The MCP Shield badge encodes a specific grade/score ("A+ (96)") in the URL. This can become inaccurate as scan results change over time; consider using a badge source that reflects the latest workflow/scan status (or a non-scored badge) to avoid the README showing stale security information.
| # <img src="https://mermaid.js.org/favicon.svg" height="24"/> MCP Mermaid  [](https://github.com/hustcc/mcp-mermaid/actions/workflows/build.yml) [](https://www.npmjs.com/package/mcp-mermaid) [](https://smithery.ai/server/@hustcc/mcp-mermaid) [](https://www.npmjs.com/package/mcp-mermaid) [](https://archestra.ai/mcp-catalog/hustcc__mcp-mermaid) [-brightgreen)](https://github.com/thuggeelya/mcp-shield) | |
| # <img src="https://mermaid.js.org/favicon.svg" height="24"/> MCP Mermaid  [](https://github.com/hustcc/mcp-mermaid/actions/workflows/build.yml) [](https://www.npmjs.com/package/mcp-mermaid) [](https://smithery.ai/server/@hustcc/mcp-mermaid) [](https://www.npmjs.com/package/mcp-mermaid) [](https://archestra.ai/mcp-catalog/hustcc__mcp-mermaid) [](https://github.com/thuggeelya/mcp-shield) |
A badge with a specific score is the feature and one of the main motivators for maintainers. Status can say nothing
@thuggeelya can help to fix the ci error?
@hustcc the build failed because GitHub has some limitations for fork-based PRs, such as mine. I've just fixed the action and the pipeline won't fail. And after the PR is merged, comments with reports will work on all future PRs since the workflow will run from your base repo ok?
@hustcc you can run ci
Summary
Adds MCP Shield CI workflow for automated security scanning and security badge to README.
On every PR, the workflow posts a detailed comment with findings, affected tools, and recommendations.
Scan results
Score: 96/100 (Grade: A+)
22 checks | 19 passed | 0 failed | 2 warnings
Findings
- generate_mermaid_diagram.mermaid: string without maxLength
- generate_mermaid_diagram.backgroundColor: string without maxLength
- [medium] Non-idempotent operation: generate_mermaid_diagram
Recommendations
🟡 Add idempotency keys (1 found) — Add idempotency_key parameter to non-idempotent tools
MCP Shield · Check reference