agent-scan

Connects to live MCP servers using the MCPScanner class, retrieves tool/prompt/resource descriptions and configurations, and submits natural-language content to the Invariant analysis API for vulnerability detection. Uses a two-stage pipeline: MCP client layer establishes connections and enumerates server capabilities, then the analysis pipeline extracts and redacts sensitive data before remote submission for LLM-based threat detection.

Injects the Invariant Gateway into MCP client configurations to intercept live MCP traffic at runtime without modifying agent code. The proxy command rewrites client configuration files to route all MCP calls through a FastAPI-based mcp_scan_server that validates requests/responses against security policies before forwarding to actual MCP servers. Implements real-time policy enforcement with session-based state tracking and configurable guardrails.

Maintains session-based state for MCP interactions in proxy mode, tracking tool calls, responses, and policy decisions across multiple requests. Stores session state in memory or external persistence layer (Redis, database) and generates comprehensive audit logs of all MCP activity. Enables stateful policy enforcement (e.g., preventing toxic tool chains) and compliance auditing.

Captures and logs all MCP traffic (requests, responses, errors) for debugging and analysis. Provides detailed logging of MCP client-server interactions including payloads, timing, and error details. Supports traffic export in multiple formats (JSON, HAR) for analysis in external tools. Enables troubleshooting of MCP connectivity issues and understanding of agent behavior.

Parses and validates MCP configuration files in JSON and YAML formats, extracting server definitions, authentication credentials, and transport protocol specifications. Validates configuration syntax and schema, detects missing required fields, and provides detailed error messages for invalid configurations. Supports multiple configuration file formats and locations (environment variables, default paths).

Scans AI agent skills (packaged agent components) for embedded malware payloads, sensitive data handling violations, exposure to untrusted third parties, and hard-coded secrets using static analysis and pattern matching. Analyzes skill code, dependencies, and metadata to identify security risks before skills are integrated into agent systems. Supports both direct skill file scanning and skill registry lookups.

Provides an offline inspect command that analyzes MCP servers and agent components locally without submitting data to remote APIs. Uses local pattern matching, heuristic analysis, and built-in vulnerability signatures to detect common security issues. Enables security-sensitive organizations to scan infrastructure without external network calls while maintaining privacy of tool descriptions and configurations.

Implements automatic data redaction in the scan analysis pipeline to remove or mask sensitive information (credentials, PII, proprietary details) before submitting tool descriptions and configurations to the Invariant analysis API. Uses configurable redaction rules and pattern matching to identify and redact secrets, API keys, email addresses, and other sensitive data. Maintains a redaction audit trail for compliance and debugging.

Automatically discovers and enumerates MCP servers from client configuration files, environment variables, and registry lookups without requiring manual server endpoint specification. Uses the MCP client layer to connect to discovered servers and retrieve their capabilities (tools, prompts, resources) for analysis. Supports multiple MCP transport protocols (stdio, SSE, HTTP) and handles server authentication automatically.

Provides a whitelist command and API for managing approved MCP servers, tools, prompts, and resources that should be excluded from vulnerability scanning or policy enforcement. Stores whitelisted entities in a persistent storage file with support for granular approval rules (by server, tool name, or pattern). Integrates with both static scanning and dynamic proxy modes to skip analysis for approved entities.

Verifies the authenticity and integrity of MCP server binaries using cryptographic signatures before connecting and scanning. Validates that MCP server executables are signed by trusted publishers and have not been tampered with. Supports multiple signature formats and maintains a trusted publisher registry for signature validation.

Uploads completed scan results to external control servers (HTTP endpoints) for centralized collection and management in enterprise deployments. Supports the evo subcommand for pushing results to Snyk Evo platform. Implements retry logic, SSL/TLS validation, and identity management for secure result transmission. Supports structured result formatting and filtering before upload.

Defines and enforces security policies and guardrails for MCP traffic using a rule-based system. Supports policy rules that restrict tool usage, enforce approval workflows, and prevent dangerous tool combinations. Policies are defined in YAML/JSON format and evaluated against MCP requests/responses in the proxy mode. Includes built-in policy templates for common security scenarios (e.g., preventing data exfiltration, blocking dangerous tools).