GitGuardian MCP Server

MCP server for secret scanning, incident management, honeytokens, and authentication/token management with optional HTTP/SSE or stdio transports.

Installation
Add the following to your MCP client configuration file.

Configuration

{
  "mcpServers": {
    "gitguardian-ggmcp": {
      "url": "http://127.0.0.1:8000",
      "headers": {
        "MCP_HOST": "127.0.0.1",
        "MCP_PORT": "8000",
        "GITGUARDIAN_URL": "https://dashboard.gitguardian.com",
        "ENABLE_LOCAL_OAUTH": "false or true depending on setup",
        "GITGUARDIAN_SCOPES": "scan,incidents:read,sources:read,honeytokens:read,honeytokens:write",
        "GITGUARDIAN_CLIENT_ID": "ggshield_oauth",
        "GITGUARDIAN_TOKEN_NAME": "\"Developer MCP Token\"",
        "GITGUARDIAN_TOKEN_LIFETIME": "30 or never",
        "GITGUARDIAN_PERSONAL_ACCESS_TOKEN": "YOUR_PAT_TOKEN"
      }
    }
  }
}

GitGuardian MCP Server lets your AI agent scan codebases for secrets using GitGuardian’s detectors, manage security incidents, and automate honeytoken workflows. It provides secure, contextual tools to remediate issues without leaving your development environment.

How to use

You connect your MCP client to the GitGuardian MCP Server and start issuing tasks such as scanning codebases for leaked secrets, listing incidents, or managing honeytokens. Use the available tools to get authenticated user details, revoke tokens, and perform remediation steps directly from your editor or automation workflow. When using HTTP transport, include per-request authentication headers; with stdio transport, rely on your configured OAuth flow or PAT as described in the authentication section.

How to install

Prerequisites you need to fulfill before installing the GitGuardian MCP Server:

  • uv is required for package installation and dependency management. Install uv from its official getting-started guide.
  • A compatible MCP client is needed to connect to the server (HTTP or stdio).

Install and run the MCP server using the provided stdio or HTTP transport commands shown in the configuration examples below. Follow the steps that match your editor or integration approach.

Additional sections: configuration, security, notes

Configuration shows how to enable HTTP transport, OAuth, and self-hosted GitGuardian instances. The following two MCP server configurations are provided for common scenarios: a remote HTTP URL configuration and a local stdio configuration using uvx.

Security and authentication details emphasize that OAuth is the default for stdio transport, with options to disable OAuth for PAT-based or per-request authentication in HTTP/SSE mode. When using HTTP transport, per-request Authorization headers are required and OAuth must be disabled.

Notes cover deployment considerations, including how tokens are stored, default hosts and ports, and the distinction between stdio and HTTP transports. If you plan to expose the MCP server over HTTP, ensure ENABLE_LOCAL_OAUTH is set to false when using MCP_PORT, and use the appropriate authentication method for your deployment.
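
The transport rules above can be checked mechanically before a client configuration is deployed. The following linter is an added example, not code from the GitGuardian project: the function names, the "env" key for stdio entries, and the warning on a never-expiring token are assumptions of this example, and the sample entry is constructed to mirror the configuration shown on this page.

```python
# Constructed sample: same shape as the client configuration on this page,
# with the placeholder values left unresolved.
SAMPLE = {"mcpServers": {"gitguardian-ggmcp": {
    "url": "http://127.0.0.1:8000",
    "headers": {
        "MCP_PORT": "8000",
        "ENABLE_LOCAL_OAUTH": "false or true depending on setup",
        "GITGUARDIAN_TOKEN_LIFETIME": "30 or never",
    },
}}}


def lint_entry(name, entry):
    """Return findings for one mcpServers entry (hypothetical helper)."""
    findings = []
    headers = entry.get("headers", {})
    # Assumption: stdio entries carry their settings under "env".
    settings = {**entry.get("env", {}), **headers}
    http = "url" in entry or "MCP_PORT" in settings
    oauth = settings.get("ENABLE_LOCAL_OAUTH", "").strip().lower()
    if oauth and oauth not in ("true", "false"):
        findings.append(f"{name}: ENABLE_LOCAL_OAUTH must be exactly true or false")
    # Page rule: with HTTP transport, OAuth must be disabled.
    if http and oauth != "false":
        findings.append(f"{name}: HTTP transport requires ENABLE_LOCAL_OAUTH=false")
    # Page rule: with HTTP transport, each request carries an Authorization header.
    if http and not any(k.lower() == "authorization" for k in headers):
        findings.append(f"{name}: HTTP transport needs an Authorization header")
    lifetime = settings.get("GITGUARDIAN_TOKEN_LIFETIME", "").strip().lower()
    if lifetime and lifetime != "never" and not lifetime.isdigit():
        findings.append(f"{name}: GITGUARDIAN_TOKEN_LIFETIME is not a number or 'never'")
    # Local policy of this example, not a rule stated by the page.
    if lifetime == "never":
        findings.append(f"{name}: token is configured to never expire")
    return findings


def lint_config(config):
    """Lint every server entry in a parsed MCP client configuration."""
    findings = []
    for name, entry in config.get("mcpServers", {}).items():
        findings.extend(lint_entry(name, entry))
    return findings


if __name__ == "__main__":
    for finding in lint_config(SAMPLE):
        print(finding)
```
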

Tools and capabilities

The server provides these core capabilities to help you secure codebases and incidents directly from your editor or automation tool.

Available tools

scan_secrets

Scan code for leaked secrets, credentials, and API keys using GitGuardian detectors.

list_incidents

View security incidents related to the project you are working on.

manage_honeytokens

Create and manage honeytokens to detect unauthorized access.

get_user_info

Get authenticated user information and token details.

revoke_token

Revoke the current API token.