Free, open-source CLI that discovers MCP server configurations across your machine and runs security checks to produce a risk score. Single binary. Zero telemetry. No account required.
Install via Homebrew:

```bash
brew install golf-mcp/tap/golf-scanner
```

Or with Go:

```bash
go install github.com/golf-mcp/golf-scanner/cmd/golf-scanner@latest
```

Discover your MCP servers:

```bash
golf-scanner scan
```

Run a security audit:

```bash
golf-scanner audit
```

Golf Scanner is a single static binary (pure Go, 3 dependencies) that:
- Discovers MCP server configurations across 7 IDEs: Claude Code, Cursor, VS Code, Windsurf, Gemini CLI, Kiro, and Antigravity
- Runs 20 security checks: 9 offline (no network) + 11 online (queries OSV, GitHub, npm, PyPI, OCI registries, MCP Registry)
- Produces a 0–100 risk score per server with severity-weighted scoring and hard caps
No account required. Runs offline. Zero telemetry.
Claude Code · Cursor · VS Code · Windsurf · Gemini CLI · Kiro · Antigravity
Discover servers and run security checks with risk scoring.
```bash
golf-scanner audit
```

Skip network checks (offline mode):

```bash
golf-scanner audit --offline
```

Verbose output with remediation details:

```bash
golf-scanner audit --verbose
```

CI/CD integration, failing the build if there are high or critical findings:

```bash
golf-scanner audit --fail-on high --json
```

| Flag | Default | Description |
|---|---|---|
| --offline | false | Skip network checks (OSV, GitHub, npm, PyPI, MCP Registry, OCI registries) |
| --format | table | Output format: table or json |
| --json | false | Shorthand for --format json |
| --fail-on | | Exit code 1 if findings at or above severity: note, medium, high, critical |
| --verbose, -v | false | Show full finding details including remediation |
| --quiet, -q | false | Show only the summary table |

--verbose and --quiet are mutually exclusive.
| Check | What It Detects | Online |
|---|---|---|
| Server Type | Classifies the server as package manager, container, binary, script, or HTTP | |
| Command Safety | Identifies risky patterns including privilege escalation and shell injection threats | |
| Credentials | Finds plaintext credentials in args, URLs, and environment variables | |
| Script Location | Flags scripts running from unsafe locations like /tmp or home directories | |
| Script Permissions | Detects world-writable script files | |
| Binary Location | Assesses executable placement across system paths and home directories | |
| Binary Permissions | Detects world-writable or group-writable binaries | |
| Container Isolation | Flags --privileged mode, dangerous capabilities, host namespace sharing | |
| Container Volumes | Flags dangerous volume mounts: root filesystem, /etc, Docker socket | |
| Registry Listing | Confirms MCP Registry inclusion status | Yes |
| Vulnerabilities | Queries OSV.dev for known CVEs and malware in npm/PyPI packages | Yes |
| Typosquatting | Identifies similarly-named packages suggesting malicious imitation | Yes |
| Distribution | Evaluates adoption through download metrics and package age | Yes |
| Source Repository | Checks whether the package links to a source repository | Yes |
| Unscoped Variant | Examines unscoped npm counterparts for security issues | Yes |
| GitHub Trust | Evaluates repository signals like activity, licensing, and contributor count | Yes |
| Container Image | Checks whether images use digest pinning (@sha256:) | Yes |
| Container Registry | Validates image presence and flags potential tampering via digest mismatch | Yes |
| Container Signature | Verifies cosign signatures with keyless authentication | Yes |
| OAuth | Discovers OAuth/OIDC configuration. Flags missing authentication | Yes |
For full details on each check, see the Security Checks reference.
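To make the offline checks concrete, here is an added example (not golf-scanner's own code) that parses a constructed `mcpServers` config and runs simplified versions of the Credentials, Script Location, Container Isolation and Container Volumes checks over it. The config field names, the regexes, the list of interpreters and unsafe directories, and the severities assigned are all assumptions made for this illustration; golf-scanner's real checks are broader.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// ServerConfig is one stdio server entry (command, args, env) in the "mcpServers" layout
// several MCP clients share; the field names are assumptions, not golf-scanner's own types.
type ServerConfig struct {
	Command string            `json:"command"`
	Args    []string          `json:"args"`
	Env     map[string]string `json:"env"`
}

// Finding is one result from one check; Severity uses the page's levels.
type Finding struct{ Check, Severity, Detail string }

var (
	secretKey    = regexp.MustCompile(`(?i)(token|secret|password|api[_-]?key)`) // env keys that usually hold secrets
	secretShape  = regexp.MustCompile(`ghp_[A-Za-z0-9]{20,}|sk-[A-Za-z0-9]{20,}|AKIA[0-9A-Z]{16}`)
	interpreters = map[string]bool{"node": true, "python": true, "python3": true, "sh": true, "bash": true}
	unsafeDirs   = []string{"/tmp/", "/home/", "/Users/", "~/"}
)

// checkCredentials flags plaintext secrets in env values ("${VAR}" is a reference, not a secret) and in args.
func checkCredentials(s ServerConfig) (out []Finding) {
	for k, v := range s.Env {
		if secretKey.MatchString(k) && v != "" && !strings.HasPrefix(v, "${") {
			out = append(out, Finding{"Credentials", "high", "plaintext value in env " + k})
		}
	}
	for _, a := range s.Args {
		if secretShape.MatchString(a) || strings.Contains(a, "token=") {
			out = append(out, Finding{"Credentials", "high", "credential-like value in args"})
		}
	}
	return out
}

// checkScriptLocation flags interpreter-run scripts that live in /tmp or a home directory.
func checkScriptLocation(s ServerConfig) []Finding {
	for _, d := range unsafeDirs {
		if interpreters[s.Command] && len(s.Args) > 0 && strings.HasPrefix(s.Args[0], d) {
			return []Finding{{"Script Location", "medium", "script runs from " + s.Args[0]}}
		}
	}
	return nil
}

// checkContainer covers the isolation and volume checks for docker/podman launches.
func checkContainer(s ServerConfig) (out []Finding) {
	if s.Command != "docker" && s.Command != "podman" {
		return nil
	}
	for i, a := range s.Args {
		switch {
		case a == "--privileged" || a == "--pid=host" || a == "--network=host" || strings.HasPrefix(a, "--cap-add"):
			out = append(out, Finding{"Container Isolation", "high", "weakens isolation: " + a})
		case (a == "-v" || a == "--volume") && i+1 < len(s.Args):
			src := strings.SplitN(s.Args[i+1], ":", 2)[0] // host side of host:container
			if src == "/" || src == "/etc" || strings.HasSuffix(src, "docker.sock") {
				out = append(out, Finding{"Container Volumes", "critical", "mounts " + src})
			}
		}
	}
	return out
}

// Audit parses a config document and runs the offline checks on every server in it.
func Audit(raw []byte) (map[string][]Finding, error) {
	var cfg struct {
		MCPServers map[string]ServerConfig `json:"mcpServers"`
	}
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return nil, err
	}
	results := make(map[string][]Finding, len(cfg.MCPServers))
	for name, s := range cfg.MCPServers {
		fs := append(checkCredentials(s), checkScriptLocation(s)...)
		results[name] = append(fs, checkContainer(s)...)
	}
	return results, nil
}

// SampleConfig is a constructed config for demonstration, not read from a real machine.
const SampleConfig = `{"mcpServers": {
 "filesystem": {"command": "npx", "args": ["-y", "example-fs-server", "/home/me/docs"], "env": {"GITHUB_TOKEN": "${GITHUB_TOKEN}"}},
 "notes": {"command": "node", "args": ["/tmp/notes/server.js"], "env": {"NOTES_API_KEY": "ghp_0123456789abcdefghijklmnopqrst"}},
 "db-tool": {"command": "docker", "args": ["run", "-i", "--rm", "--privileged", "-v", "/var/run/docker.sock:/var/run/docker.sock", "example/db-tool"]}
}}`

func main() {
	results, err := Audit([]byte(SampleConfig))
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", results)
}
```

Running it reports nothing for the `filesystem` server (its token is an environment reference, and `npx` is not treated as a script interpreter), a Credentials and a Script Location finding for `notes`, and a Container Isolation plus a Container Volumes finding for `db-tool`. The Docker socket mount is rated critical because whoever controls the server process can then start arbitrary containers on the host.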
Each server receives a 0–100 risk score:
- Each check produces findings; the worst severity determines the per-check score (0–10)
- Scores are combined via severity-weighted average (critical 10x, high 7.5x, medium 5x, note 1x)
- The raw average is scaled to 0–100
- Hard caps apply: any critical finding caps the score at 30, any high finding caps at 59
- Risk level: Low (≥60), Moderate (>30), High (≤30)
For the full scoring explanation, see Understanding Results.
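The scoring steps above, carried through in code as an added example (not golf-scanner's implementation). The page gives the weights, the caps and the risk thresholds; the mapping from a check's worst severity to its 0–10 per-check score, and the 1x weight given to a clean check, are assumptions made here so the arithmetic can be shown end to end.

```go
package main

import "fmt"

// Severity is a finding level from the page, plus "clean" for a check with no findings.
type Severity string

const (
	Clean    Severity = "clean"
	Note     Severity = "note"
	Medium   Severity = "medium"
	High     Severity = "high"
	Critical Severity = "critical"
)

// rank orders severities so the worst one can be picked per check.
var rank = map[Severity]int{Clean: 0, Note: 1, Medium: 2, High: 3, Critical: 4}

// weight is the page's severity weighting (critical 10x, high 7.5x, medium 5x, note 1x);
// giving a clean check the same 1x weight as a note is an assumption.
var weight = map[Severity]float64{Clean: 1, Note: 1, Medium: 5, High: 7.5, Critical: 10}

// checkScore maps a check's worst severity to its 0-10 per-check score. The page gives
// the range but not the mapping, so these values are assumed (10 = no findings).
var checkScore = map[Severity]float64{Clean: 10, Note: 8, Medium: 5, High: 2, Critical: 0}

// WorstSeverity returns the highest severity among a check's findings, or Clean.
func WorstSeverity(findings []Severity) Severity {
	worst := Clean
	for _, s := range findings {
		if rank[s] > rank[worst] {
			worst = s
		}
	}
	return worst
}

// Score turns one worst-severity per check into the 0-100 server score:
// severity-weighted average of per-check scores, scaled by 10, then hard-capped.
func Score(checks []Severity) float64 {
	var num, den float64
	hasCritical, hasHigh := false, false
	for _, s := range checks {
		num += weight[s] * checkScore[s]
		den += weight[s]
		hasCritical = hasCritical || s == Critical
		hasHigh = hasHigh || s == High
	}
	if den == 0 {
		return 100 // no checks ran, so there is nothing to penalise
	}
	score := num / den * 10
	if hasCritical && score > 30 {
		score = 30
	}
	if hasHigh && score > 59 {
		score = 59
	}
	return score
}

// RiskLevel applies the page's thresholds: Low (>=60), Moderate (>30), High (<=30).
func RiskLevel(score float64) string {
	switch {
	case score >= 60:
		return "Low"
	case score > 30:
		return "Moderate"
	default:
		return "High"
	}
}

func main() {
	// Constructed scenario: 20 checks, 19 clean and one whose worst finding is high.
	checks := make([]Severity, 20)
	for i := range checks {
		checks[i] = Clean
	}
	checks[0] = WorstSeverity([]Severity{Note, High})
	s := Score(checks)
	fmt.Printf("score %.1f, risk %s\n", s, RiskLevel(s)) // prints "score 59.0, risk Moderate"
}
```

The scenario in `main` shows why the caps matter: with 19 clean checks the weighted average alone would give about 77, a Low risk level, but the single high finding caps the score at 59 and the server is reported as Moderate. Swap the high finding for a critical one and the same arithmetic yields about 66 before the cap pulls it to 30 and High.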
| Variable | Purpose |
|---|---|
| GITHUB_TOKEN | Optional. Increases GitHub API rate limit from 60 to 5,000 req/hr. |
| GOLF_GITHUB_TOKEN | Optional. Fallback if GITHUB_TOKEN is not set. |
No token is needed for most scans. The scanner makes ~3 GitHub API calls per unique repo (metadata, commits, contributors) with results cached, so you'll only hit the unauthenticated limit if you have 20+ servers pointing to distinct GitHub repos.
| Code | Meaning |
|---|---|
| 0 | Success |
| 1 | No args, unknown command, --fail-on threshold exceeded, or flag conflict |
| 2 | JSON error or invalid --fail-on value |
Apache 2.0; see LICENSE.