Skip to content

Bug: MCP server reports skipped scanners as "completed" when dependencies are missing #356

Description

@rafaelpereyra

When running a scan via the ASH MCP server (run_ash_scan), the get_scan_progress API reports scanners that were skipped due to missing dependencies as "completed" with 0 findings. This is misleading — the consumer has no way to distinguish between "scanned and found nothing" vs "never ran because dependencies weren't available."

Steps to Reproduce

  1. Run a scan via the MCP server on a system where some scanner dependencies are missing (e.g., grype, opengrep, semgrep, syft not installed):
result = run_ash_scan(source_dir="/path/to/project")
scan_id = result['scan_id']

# Poll until complete
progress = get_scan_progress(scan_id=scan_id)
  1. Observe that get_scan_progress reports all scanners (including those with missing deps) as:
{
  "scanner_name": "opengrep",
  "status": "completed",
  "finding_count": 0,
  "severity_counts": { "critical": 0, "high": 0, "medium": 0, "low": 0, "info": 0, "suppressed": 0 }
}
  1. Meanwhile, the ASH log (ash.log) shows:
Scanner semgrep dependencies are not satisfied, marking as MISSING
Scanner syft dependencies are not satisfied, marking as MISSING

Expected Behavior

Scanners that were skipped due to missing dependencies should be reported with a distinct status, e.g.:

{
  "scanner_name": "opengrep",
  "status": "skipped",
  "skip_reason": "missing_dependencies",
  "finding_count": 0
}

Or at minimum, the progress response should include a skipped_scanners field listing which scanners didn't actually run.

Impact

  • Users relying on the MCP server for CI/CD integration may believe they have full scanner coverage when they don't.
  • No signal that security coverage is degraded.
  • The completed_scanners count (9 in this case) doesn't match the actual number of scanners that ran (4).

Environment

  • ASH version: v3 (installed via uvx)
  • OS: Linux (Amazon Linux)
  • MCP server: ASH MCP server
  • Missing scanners: grype, opengrep, semgrep, syft (dependencies not installed)
  • Scanners that actually ran: bandit, checkov, detect-secrets, npm-audit

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions