The mcp-gateway-scan is a powerful, read-only static scanner designed to identify potential production-readiness anti-patterns in MCP (Model-driven Control Plane) agent gateways. With its rapid analysis capabilities, this tool offers a comprehensive score across seven critical dimensions, allowing developers to pinpoint areas of concern in their code and configuration within seconds.

Overview

This scanner stands out because it does not execute or interact with your code or network; it solely analyzes files to flag potential failure modes that could turn a properly functioning MCP gateway into an incident. The scanner highlights issues including:

• Authorization models that may lead to unauthorized access
• Error handlers that fail open
• Unpinned supply chains
• Dark traces, unbounded spending
• Inline secrets that compromise security
• Missing operational controls This functionality emphasizes the importance of security and compliance in developing gateways, as highlighted in the Provenwright MCP Gateway Readiness Audit.

Scanning Process

The scanning process can be initiated using the command:

npx mcp-gateway-scan ./path/to/your/gateway

The tool produces detailed reports indicating the status of each dimension, which can include red (critical issues), yellow (warnings), and green (good practices). For a more automated approach, it can be integrated into continuous integration (CI) pipelines by utilizing the --ci option for compact, machine-readable output, enabling immediate feedback on the presence of critical issues during build processes.

Key Features

• Read-Only Operation: The scanner only reads files and never executes any part of the code, thus ensuring no sensitive information is leaked. When it identifies inline secrets, only their locations are reported, with values redacted.
• Detailed Dimension Scoring: The scanner evaluates seven essential dimensions of gateway readiness, including access governance, fail-close capabilities, artifact management, observability, cost management, secrets management, and overall production readiness. Each dimension is assessed with clear severity indicators, providing actionable insights for improvement.
• Flexible Deployment: The scanner can be run directly from the command line or as part of an MCP server environment, allowing for conversational usage through agents like Claude Code and Cursor.

Example Usage

Run the scanner against code fixtures to see practical assessments:

mcp-gateway-scan fixtures/secure      # Mostly green score
mcp-gateway-scan fixtures/vulnerable  # Mostly red score

This feature allows users to evaluate sample repositories safe from actual vulnerabilities.

Conclusion

The mcp-gateway-scan is an invaluable tool for developers seeking to ensure the readiness of their MCP gateways for production environments by identifying and managing potential vulnerabilities effectively. For more thorough assessments, consider exploring the full Provenwright MCP Gateway Readiness Audit, which provides an in-depth analysis along with a remediation roadmap.