MCP Scanner

This repository may not be an MCP server

We could not detect MCP SDK imports or tool registrations.

4F

mcp-go

mark3labs/mcp-go

9 files · 12 findings

12 high

Tool Poisoning: clean
Command Injection: clean
Path Traversal: clean
SSRF: clean
Credential Theft: clean
Excessive Permissions: clean
Missing Auth: clean
Supply Chain: 12 issues
Rug Pull: clean
Data Exfiltration: clean
Insecure Communication: clean
Excessive Data Exposure: clean
Logging Deficiency: clean
Runtime Tool Poisoning: clean
Shadow MCP Server: clean

Supply Chain (12 findings)

GitHub Actions with unpinned actions

high

Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.

.github/workflows/ci.yml:13
- uses: actions/checkout@v4
How to fix

Pin GitHub Actions to full commit SHAs: uses: actions/checkout@abc123...

GitHub Actions with unpinned actions

high

Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.

.github/workflows/ci.yml:14
- uses: actions/setup-go@v5
How to fix

Pin GitHub Actions to full commit SHAs: uses: actions/checkout@abc123...

GitHub Actions with unpinned actions

high

Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.

.github/workflows/ci.yml:22
- uses: actions/checkout@v4
How to fix

Pin GitHub Actions to full commit SHAs: uses: actions/checkout@abc123...

GitHub Actions with unpinned actions

high

Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.

.github/workflows/ci.yml:23
- uses: actions/setup-go@v5
How to fix

Pin GitHub Actions to full commit SHAs: uses: actions/checkout@abc123...

GitHub Actions with unpinned actions

high

Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.

.github/workflows/golangci-lint.yml:16
- uses: actions/checkout@v4
How to fix

Pin GitHub Actions to full commit SHAs: uses: actions/checkout@abc123...

GitHub Actions with unpinned actions

high

Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.

.github/workflows/golangci-lint.yml:17
- uses: actions/setup-go@v5
How to fix

Pin GitHub Actions to full commit SHAs: uses: actions/checkout@abc123...

GitHub Actions with unpinned actions

high

Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.

.github/workflows/golangci-lint.yml:21
uses: golangci/golangci-lint-action@v8
How to fix

Pin GitHub Actions to full commit SHAs: uses: actions/checkout@abc123...

GitHub Actions with unpinned actions

high

Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.

.github/workflows/pages.yml:13
uses: actions/checkout@v3
How to fix

Pin GitHub Actions to full commit SHAs: uses: actions/checkout@abc123...

GitHub Actions with unpinned actions

high

Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.

.github/workflows/pages.yml:16
uses: oven-sh/setup-bun@v1
How to fix

Pin GitHub Actions to full commit SHAs: uses: actions/checkout@abc123...

GitHub Actions with unpinned actions

high

Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.

.github/workflows/pages.yml:29
uses: JamesIves/github-pages-deploy-action@v4
How to fix

Pin GitHub Actions to full commit SHAs: uses: actions/checkout@abc123...

GitHub Actions with unpinned actions

high

Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.

.github/workflows/release.yml:12
uses: actions/checkout@v3
How to fix

Pin GitHub Actions to full commit SHAs: uses: actions/checkout@abc123...

GitHub Actions with unpinned actions

high

Using GitHub Actions with branch references instead of SHA pins enables supply chain attacks.

.github/workflows/release.yml:16
uses: actions/create-release@v1
How to fix

Pin GitHub Actions to full commit SHAs: uses: actions/checkout@abc123...