playbooks

home / mcp / gitguardian mcp server

GitGuardian MCP Server

Provides an MCP server that uses GitGuardian’s API to scan code for secrets, manage incidents, and handle honeytokens.

Installation
Add the following to your MCP client configuration file.

Configuration

View docs
{
  "mcpServers": {
    "gitguardian-gg-mcp": {
      "command": "uvx",
      "args": [
        "--from",
        "git+https://github.com/GitGuardian/ggmcp.git",
        "developer-mcp-server"
      ],
      "env": {
        "MCP_HOST": "127.0.0.1",
        "MCP_PORT": "8000",
        "GITGUARDIAN_URL": "https://dashboard.gitguardian.com",
        "ENABLE_LOCAL_OAUTH": "true",
        "GITGUARDIAN_SCOPES": "scan,incidents:read,sources:read,honeytokens:read,honeytokens:write",
        "GITGUARDIAN_CLIENT_ID": "ggshield_oauth",
        "GITGUARDIAN_TOKEN_NAME": "Developer MCP Token",
        "GITGUARDIAN_TOKEN_LIFETIME": "30",
        "GITGUARDIAN_PERSONAL_ACCESS_TOKEN": "YOUR_PAT_TOKEN"
      }
    }
  }
}

Stay focused on building your product while your AI agent leverages GitGuardian’s MCP server to scan codebases for secrets, manage security incidents, and handle honeytokens. This MCP server integrates with your agent to provide context-rich security tooling without switching to the GitGuardian console.

How to use

You interact with the MCP server through your MCP client. Use the server to scan your codebase for leaked secrets, view and manage incidents related to your current project, create honeytokens to detect unauthorized access, and handle authentication and token management. When you issue commands like scanning a codebase or listing incidents, the MCP client forwards them to the server, which returns structured results you can act on within your tooling. For remote deployments, you can authenticate per request via the Authorization header to keep each interaction secure.

How to install

Prerequisites you need before installing include a runtime you can use to run the MCP server client. The MCP server in this guide is designed to be run through the provided command line interface and integrated with supported editors. The installation steps below show how to configure a local, standard setup using the available MCP client integration. Follow the exact commands for your editor to ensure compatibility.

Configuration and usage notes

You can run the MCP server in stdio mode for local IDE integrations or enable HTTP/SSE transport for remote access. OAuth is enabled by default for local usage, but you can disable it and use a Personal Access Token (PAT) if you prefer non-interactive authentication. When using HTTP/SSE mode, each request must include its own credentials via the Authorization header.

Security and authentication

Authentication methods supported include OAuth (default in stdio transport), Personal Access Token (PAT) for non-interactive environments, and per-request authentication when HTTP/SSE transport is enabled. If you switch to HTTP/SSE, disable local OAuth and provide credentials with every request. Tokens and credentials are stored securely on first use and reused for subsequent requests.

Examples of common prompts

Remediate all incidents related to my project. Scan this codebase for any leaked secrets or credentials. Check if there are any new security incidents assigned to me. List all my active honeytokens. Generate a new honeytoken for monitoring AWS credential access. Show me my most recent honeytoken and help me embed it in my codebase. Create a honeytoken named 'dev-database' and hide it in config files.

Self-hosted and instance configurations

If you are using a self-hosted GitGuardian instance, set the GITGUARDIAN_URL to point to your deployment. You can tailor OAuth client settings, token lifetimes, and scopes via environment variables to match your instance’s security requirements. When operating across multiple instances or tenants, you can assign per-request authentication headers to isolate access per call.

Development and testing

For development and testing, you can run the included test suite to verify functionality. The tests are designed to exercise the MCP server’s endpoints and authentication flows. Use the provided commands to install dependencies, run tests, and generate coverage reports.

Notes and tips

- The MCP server supports both GitGuardian SaaS and self-hosted instances. - You can enable HTTP transport by configuring MCP_PORT and MCP_HOST, but OAuth must be disabled in that mode. - When using HTTP/SSE, authentication can be provided via the Authorization header or through a configured environment variable as a fallback. - The default token and client configurations may be customized with environment variables for OAuth and PAT support.

Code examples and configuration blocks

{
  "mcpServers": {
    "GitGuardianDeveloper": {
      "command": "uvx",
      "args": [
        "--from",
        "git+https://github.com/GitGuardian/ggmcp.git",
        "developer-mcp-server"
      ]
    }
  }
}

Available tools

Secret Scanning

Scans code for leaked secrets, credentials, and API keys to prevent exposure in repositories.

Incident Management

Allows you to view security incidents related to the current project and manage remediation steps.

Honeytokens

Create and manage honeytokens to detect unauthorized access and monitor usage.

Authentication Management

Get authenticated user information and token details.

Token Management

Revoke current API tokens and manage session lifecycles.