Skip to content

Commit 3b8e503

Browse files
committed
docs(039): document the security scanner system and add an extensive CLI reference
The existing docs/features/security-scanner-plugins.md was out of date relative to the actual v0.23 scanner system: * Listed only 4 of the 7 bundled scanners (missing mcp-ai-scanner, nova-proximity, ramparts, and mislabeled mcp-scan as "Invariant Labs" when it is now "Snyk Agent Scan"). * Documented `install` / `remove` CLI subcommands as canonical. Those are now hidden aliases for `enable` / `disable`. * Claimed `auto_scan_quarantined` defaults to `true` and `integrity_check_on_restart` to `true`. Both default to `false` in code. * Referred to the scanner configure path writing secrets to the OS keyring. The path no longer touches the OS keyring by default on macOS (see PR #372 F-03 follow-up); env values are stored directly in the scanner record in BBolt. * Had no mention of `--all`, `--async`, `--dry-run`, `--scanners`, `rescan`, `cancel-all`, `status`, the source-resolution order, the aggregated-report "Scanners: X run, Y failed" line, the `available / pulling / installed / configured / error` vocabulary, SSE events, or the scanner plugin contract. This commit: 1. Rewrites docs/features/security-scanner-plugins.md to reflect the actual v0.23 scanner system, with all 7 bundled scanners, accurate config defaults, the full REST API surface, SSE events, and a pointer to the new CLI reference. 2. Adds docs/cli/security-commands.md (~760 lines) — an extensive reference covering every `mcpproxy security` subcommand, flags, status vocabulary, output formats, live-progress behavior, source resolution, typical workflows (interactive, CI/scripting, false- positive triage), and common failure modes. Mirrors the style of the existing activity-commands.md and management-commands.md. 3. Updates docs/cli/command-reference.md with a short Security Scanner Commands section pointing at the new extensive reference. Matches the pattern used for Tool Quarantine / Code Execution. No code changes. Documentation only. Verified every subcommand in the new reference exists in the actual CLI by diffing against `mcpproxy security --help` output. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
1 parent ad7ab19 commit 3b8e503

3 files changed

Lines changed: 1003 additions & 114 deletions

File tree

docs/cli/command-reference.md

Lines changed: 22 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -566,3 +566,25 @@ mcpproxy trust-cert <certificate-path> [flags]
566566
```bash
567567
mcpproxy trust-cert /path/to/cert.pem --keychain=system
568568
```
569+
570+
## Security Scanner Commands
571+
572+
MCPProxy integrates Docker-based security scanners that analyze quarantined upstream MCP servers for tool poisoning, prompt injection, CVEs, and other supply-chain risks. All commands live under `mcpproxy security` and cover three workflows:
573+
574+
1. **Scanner lifecycle**`scanners`, `enable`, `disable`, `configure`
575+
2. **Scan operations**`scan` (with `--all`, `--async`, `--dry-run`, `--scanners`), `rescan`, `status`, `report`, `cancel-all`
576+
3. **Approval & integrity**`approve`, `reject`, `integrity`, `overview`
577+
578+
Quick examples:
579+
580+
```bash
581+
mcpproxy security scanners # list registry + status
582+
mcpproxy security enable mcp-scan # pull the scanner image
583+
mcpproxy security configure mcp-scan --env SNYK_TOKEN=xxx
584+
mcpproxy security scan github-server # blocking, live progress
585+
mcpproxy security scan github-server --dry-run # print plan, no containers
586+
mcpproxy security report github-server # aggregated findings
587+
mcpproxy security approve github-server # unquarantine + index tools
588+
```
589+
590+
For the full reference — every flag, every status vocabulary, all output formats (`table` / `json` / `yaml` / `sarif`), workflow recipes, and troubleshooting — see **[Security Commands](/cli/security-commands)**. For the underlying feature architecture see [Security Scanner Plugin System](/features/security-scanner-plugins).

0 commit comments

Comments
 (0)