Security Scanning
Helmet provides comprehensive security scanning for all MCP servers in your registry. This automated analysis helps identify vulnerabilities, exposed secrets, and compliance issues before deployment.
Scan Overview
When you run a security scan on an MCP server, Helmet analyzes:
- Tool Vulnerabilities: Security issues in exposed tools and functions
- Secret Exposure: Hardcoded credentials, API keys, and sensitive data
- Dependencies: Known vulnerabilities in third-party packages
- Container Security: Issues in Docker images and layers
- Compliance: Adherence to security policies and best practices
Understanding Scan Results
Security Dashboard
The scan results page provides a comprehensive overview with color-coded metrics:
- Total Issues: Complete count of all findings
- Critical Risk: Issues requiring immediate attention (red)
- High Risk: Significant security concerns (orange)
- Medium Risk: Moderate issues to address (yellow)
- Low Risk: Minor concerns for consideration (green)
Risk Categories
Tool Security
Analyzes the safety of tools exposed by the MCP server:
- Command injection vulnerabilities
- Path traversal risks
- Privilege escalation potential
- Input validation issues
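To make the first two categories concrete, here is a constructed example (added for this page; it is not Helmet's code and does not reflect Helmet's detection rules) of a command-injection bug and a path-traversal bug of the kind a tool-security scan flags in an MCP server, each beside a hardened version. Plain Python functions stand in for MCP tool handlers so it runs without the MCP SDK; the handler names, the `notes` directory layout and the sample inputs are all assumptions.

```python
"""Constructed example, not Helmet's code: two MCP-style tool handlers with
the bugs a tool-security scan flags, each beside a hardened version.
Plain functions stand in for MCP tool handlers (assumption) so this runs
without the MCP SDK."""
import os
import re
import subprocess
import tempfile

# --- Command injection -------------------------------------------------------
# The tool takes a hostname chosen by the model and pings it.

def ping_command_vulnerable(host: str) -> str:
    # Caller-controlled text interpolated into a shell string that is later run
    # with shell=True: host="example.com; id" runs a second command.
    return f"ping -c 1 {host}"

# Hostname allow-list: must start with a letter or digit, so values that look
# like options ("-f", "--flood") are rejected along with shell metacharacters.
_HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")

def ping_command_hardened(host: str) -> list[str]:
    # Validate against the allow-list and return argv as a list: no shell is
    # involved, so ';', '|', '$(...)' and friends are inert.
    if not _HOST_RE.match(host):
        raise ValueError(f"rejected host argument: {host!r}")
    return ["ping", "-c", "1", host]

def run_ping_hardened(host: str, timeout: float = 5.0) -> int:
    # A list argv with shell=False (the default) is never parsed by a shell.
    return subprocess.run(ping_command_hardened(host), shell=False,
                          capture_output=True, timeout=timeout).returncode

# --- Path traversal ----------------------------------------------------------
# The tool reads a named note from a notes directory.

def read_note_vulnerable(notes_dir: str, name: str) -> str:
    # os.path.join keeps "../" segments and drops notes_dir entirely when name
    # is absolute, so the model can read any file the server process can.
    with open(os.path.join(notes_dir, name), encoding="utf-8") as fh:
        return fh.read()

def read_note_hardened(notes_dir: str, name: str) -> str:
    base = os.path.realpath(notes_dir)
    target = os.path.realpath(os.path.join(base, name))
    # Resolve symlinks and ".." first, then require the result to stay inside
    # base (and not be base itself).
    if os.path.commonpath([base, target]) != base or target == base:
        raise PermissionError(f"path escapes {base}: {name!r}")
    with open(target, encoding="utf-8") as fh:
        return fh.read()

def demo() -> dict:
    """Exercise both handlers in a throwaway sandbox; returns what each did."""
    results = {}
    results["vuln_cmd"] = ping_command_vulnerable("example.com; id")
    try:
        ping_command_hardened("example.com; id")
        results["hardened_cmd"] = "accepted"
    except ValueError:
        results["hardened_cmd"] = "rejected"
    with tempfile.TemporaryDirectory() as root:
        notes = os.path.join(root, "notes")
        os.mkdir(notes)
        with open(os.path.join(notes, "todo.txt"), "w", encoding="utf-8") as fh:
            fh.write("buy milk")
        # Constructed "sensitive" file that sits outside the notes directory.
        with open(os.path.join(root, "secret.txt"), "w", encoding="utf-8") as fh:
            fh.write("TOP-SECRET")
        results["vuln_read"] = read_note_vulnerable(notes, "../secret.txt")
        try:
            read_note_hardened(notes, "../secret.txt")
            results["hardened_read"] = "allowed"
        except PermissionError:
            results["hardened_read"] = "blocked"
        results["hardened_ok"] = read_note_hardened(notes, "todo.txt")
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two fixes share one idea: decide what input is acceptable before it reaches a sensitive sink, and choose sinks (a list argv, a resolved path compared against a base) that do not reinterpret the input on the way through.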
Secrets Exposure
Detects sensitive information that should not be hardcoded:
- API keys and tokens
- Database credentials
- Private keys and certificates
- Internal URLs and endpoints
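As an added illustration of how this category of check works (example code written for this page, not Helmet's scanner or its rule set), the block below runs a small set of secret patterns over constructed configuration lines: vendor-specific key formats are matched outright, while generic `password=`/`api_key=` assignments are only reported when the value does not look like a placeholder and has enough entropy to plausibly be a real secret. The patterns, the placeholder markers, the entropy threshold and the sample lines are all assumptions; the `AKIA...EXAMPLE` value is the documented AWS example key, and the other values are made up.

```python
"""Constructed example, not Helmet's scanner: regex-based secret detection
over configuration text, with a placeholder/entropy filter on generic hits.
Patterns, markers and threshold are illustrative assumptions."""
import math
import re
from collections import Counter
from dataclasses import dataclass

@dataclass
class Finding:
    line_no: int
    kind: str
    preview: str  # first few characters only; never log the full secret

# Ordered: vendor-specific formats first so they win over the generic rule.
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github_token", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("private_key", re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")),
    ("internal_url", re.compile(
        r"https?://[A-Za-z0-9.-]+\.(?:internal|local|corp)(?::\d+)?(?=[/\s]|$)")),
    ("generic_credential", re.compile(
        r"(?i)(?:api[_-]?key|secret|password|token)\s*[:=]\s*['\"]?([^'\"\s]{8,})")),
]

# Values containing these are treated as placeholders or template variables.
PLACEHOLDER_MARKERS = ("${", "{{", "<", "example", "changeme", "placeholder", "xxxx")
ENTROPY_THRESHOLD = 3.0  # bits per character; assumed cut-off, tune per codebase

def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; 0.0 for empty or single-symbol strings."""
    if not value:
        return 0.0
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())

def looks_like_placeholder(value: str) -> bool:
    lowered = value.lower()
    if any(marker in lowered for marker in PLACEHOLDER_MARKERS):
        return True
    return shannon_entropy(value) < ENTROPY_THRESHOLD

def scan_text(text: str) -> list[Finding]:
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS:
            match = pattern.search(line)
            if not match:
                continue
            value = match.group(1) if match.groups() else match.group(0)
            # A credential-shaped assignment holding a placeholder is not reported.
            if kind == "generic_credential" and looks_like_placeholder(value):
                break
            findings.append(Finding(line_no, kind, value[:4] + "..."))
            break  # one finding per line; the most specific rule wins
    return findings

# Constructed sample, not a real configuration. Line 2 and line 8 are
# placeholders and should not be reported; lines 3 to 7 should.
SAMPLE_CONFIG = """\
# constructed sample, not a real configuration
DB_PASSWORD=changeme
API_KEY=9f2c7a1e4b8d3f6a0c5e2b7d9a4f1c8e
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz
INTERNAL_API=https://billing.corp.internal/v2
-----BEGIN RSA PRIVATE KEY-----
password = "${DB_PASSWORD}"
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_CONFIG):
        print(f"line {f.line_no}: {f.kind} ({f.preview})")
```

Two design points carry over to reading real scan output: the vendor-specific rules are high-confidence and should be triaged first, and the generic rule is where most false positives come from, so a finding there deserves a look at the matched value before it is marked reviewed.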
Dependencies
Examines third-party packages and libraries:
- Known CVEs in dependencies
- Outdated package versions
- License compliance issues
- Supply chain risks
Detailed Findings
Vulnerability Details
Each finding includes:
- Severity Level: Critical, High, Medium, or Low
- Description: What the issue is and why it matters
- Detection Method: How the issue was discovered
- OWASP Category: Related security classification
- Match Context: Specific code or configuration affected
Remediation Guidance
For each finding, Helmet provides:
- Step-by-step remediation instructions
- Best practice recommendations
- Code examples where applicable
- Links to relevant documentation
Scan Types
Repository Scan
Analyzes source code directly from the repository:
- Static code analysis
- Dependency checking
- Secret scanning
- Configuration review
Container Scan
For Docker-based servers:
- Image layer analysis
- Installed package vulnerabilities
- Configuration security
- Runtime environment risks
Upload Scan
For directly uploaded server packages:
- File integrity verification
- Malware detection
- Code analysis
- Manifest validation
Scan Actions
Running a Scan
There are multiple ways to initiate a scan:
- Automatic Scanning: Triggered when adding a new server
- Manual Scan: Click "Run Scan" from the server actions menu
- Scheduled Scans: Configure periodic scanning (coming soon)
- CI/CD Integration: Trigger via API in your pipeline
Interpreting Results
Priority Matrix
Focus remediation efforts based on:
- Critical: Fix immediately, blocks deployment
- High: Address before production use
- Medium: Plan remediation in next update
- Low: Consider fixing for defense in depth
False Positives
Some findings may be false positives. You can:
- Mark findings as reviewed
- Add suppression comments in code
- Configure scan exclusions
- Request manual review
Best Practices
Pre-Scan Preparation
- Update dependencies to the latest patched stable versions
- Remove development credentials and test accounts
- Remove commented-out code, which often still carries old credentials and endpoints
- Review security configurations
Regular Scanning
- Scan on every significant change
- Schedule weekly full scans
- Monitor for new vulnerabilities
- Track remediation progress
Team Collaboration
- Share scan results with developers
- Create tickets for findings
- Document remediation decisions
- Maintain security baseline
Compliance and Reporting
Compliance Checks
Scans validate against:
- Organizational security policies
- Industry standards (OWASP, CIS)
- Regulatory requirements
- Custom rule sets
Export Options
Export scan results for:
- Security audits
- Compliance reporting
- Team collaboration
- Tracking improvements
Next Steps
After reviewing scan results: