MCP Server Compliance Scanning: OWASP MCP Top 10 guardrails

[razashariff]

Context

Guardrails AI does excellent work on LLM output validation. With MCP (Model Context Protocol) becoming the standard for connecting AI agents to tools, there's a new compliance surface: the MCP server itself.

The Gap

Current guardrails focus on LLM inputs/outputs. But when an agent calls an MCP server, the security of that server matters too:

• Is the tool definition signed and tamper-proof? (MCP-03)
• Can tools be redefined after trust? (MCP-04)
• Are JSON-RPC messages authenticated? (MCP-06)
• Is there an audit trail? (MCP-08)

mcps-audit -- OWASP Compliance Scanner for MCP Servers

We built a scanner that checks MCP servers against OWASP standards:

npx mcps-audit ./your-mcp-server

• OWASP MCP Top 10: 10 protocol-level risks with PASS/WARN/FAIL status
• OWASP Agentic AI Top 10: 12 code-level security rules
• PDF compliance report with findings, line numbers, remediation

This could be a valuable "pre-deployment guardrail" -- scan the MCP server before connecting it to your agent pipeline.

Links

• npm: https://www.npmjs.com/package/mcps-audit
• GitHub: https://github.com/razashariff/mcps-audit
• OWASP MCP Top 10: https://owasp.org/www-project-mcp-top-10/
• Sample Report: https://agentsign.dev/sample-report.pdf