Track MCP LogoTrack MCP
Track MCP LogoTrack MCP

The world's largest repository of Model Context Protocol servers. Discover, explore, and submit MCP tools.

Product

  • Categories
  • Top MCP
  • New & Updated
  • Submit MCP

Company

  • About

Legal

  • Privacy Policy
  • Terms of Service
  • Cookie Policy

© 2026 TrackMCP. All rights reserved.

Built with ❤️ by Krishna Goyal

    Ggmcp

    MCP server for scanning and remediating hardcoded secrets using GitGuardian’s API. Detect over 500 secret types and prevent credential leaks before code goes public.

    25 stars
    Python
    Updated Nov 4, 2025
    mcp
    mcp-server
    secrets
    security

    Table of Contents

    • What it does
    • Prompt examples
    • Quick start
    • Cursor
    • Claude Desktop
    • Claude.ai (web)
    • Windsurf
    • Zed
    • Choosing a deployment
    • Authentication
    • Local stdio mode (PAT-only)
    • Self-hosting the MCP server
    • Configuration reference
    • Migration notes
    • Want more?
    • Development

    Table of Contents

    • What it does
    • Prompt examples
    • Quick start
    • Cursor
    • Claude Desktop
    • Claude.ai (web)
    • Windsurf
    • Zed
    • Choosing a deployment
    • Authentication
    • Local stdio mode (PAT-only)
    • Self-hosting the MCP server
    • Configuration reference
    • Migration notes
    • Want more?
    • Development

    Documentation

    GitGuardian MCP Server

    Bring GitGuardian's secret detection and incident management into your AI agent.

    Scan code for credentials before they leak, triage existing incidents, generate

    honeytokens, and remediate findings — all from inside your IDE or chat client,

    backed by GitGuardian's 500+ detectors.

    [!CAUTION]

    MCP servers are an emerging technology. Agents act on your behalf and under

    your responsibility. Use trusted MCP servers and review agent actions when

    they interact with tools. To limit blast radius the server defaults to

    read-only-leaning permissions; what is actually exposed is determined by

    the OAuth scopes your access token holds.

    What it does

    • Secret scanning — proactively scan files for leaked credentials.
    • Incident management — list, filter, assign, resolve, and tag incidents

    (both internal and Public Monitoring incidents).

    • Honeytokens — generate honeytokens and list existing ones.
    • Code-fix automation — open pull requests that remediate secrets in

    repositories your workspace monitors.

    The exact set of tools exposed to your agent depends on the OAuth scopes

    granted to your access token.

    Prompt examples

    code
    Scan this codebase for any leaked secrets or credentials.
    code
    Remediate all incidents related to my project.
    code
    Check if there are any new security incidents assigned to me.
    code
    Help me understand this security incident and provide remediation steps.
    code
    List all my active honeytokens.
    code
    Generate a new honeytoken for monitoring AWS credential access.
    code
    Create a honeytoken named 'dev-database' and hide it in config files.

    Quick start

    The recommended way to run the GitGuardian MCP server is to point your MCP

    client at the hosted server. The MCP client handles OAuth automatically; no

    local install, no token to manage, no uvx.

    Pick the URL that matches your GitGuardian region:

    RegionURL
    US SaaShttps://mcp.gitguardian.com/mcp
    EU SaaShttps://mcp.eu1.gitguardian.com/mcp
    Self-hostedSee Self-hosting the MCP server

    Cursor

    Edit ~/.cursor/mcp.json:

    json
    {
      "mcpServers": {
        "GitGuardian": {
          "type": "http",
          "url": "https://mcp.gitguardian.com/mcp"
        }
      }
    }

    Claude Desktop

    Edit ~/Library/Application Support/Claude Desktop/mcp.json (macOS) or

    %APPDATA%\Claude Desktop\mcp.json (Windows). Same JSON as Cursor. Claude

    Desktop versions that pre-date HTTP MCP support need the

    Local stdio fallback.

    Claude.ai (web)

    Add the server in Settings → Connectors → Add custom connector with the

    URL above. OAuth is handled in the browser tab.

    Windsurf

    Edit ~/Library/Application Support/Windsurf/mcp.json (or

    ~/.config/Windsurf/mcp.json on Linux):

    json
    {
      "mcp": {
        "servers": {
          "GitGuardian": {
            "type": "http",
            "url": "https://mcp.gitguardian.com/mcp"
          }
        }
      }
    }

    Zed

    Edit ~/Library/Application Support/Zed/mcp.json (or

    ~/.config/Zed/mcp.json on Linux) with the same type: http snippet.

    Choosing a deployment

    Two deployment paths are supported. Pick based on where your GitGuardian

    instance lives and what tradeoffs you accept.

    DeploymentWhen to use
    Hosted MCP (Quick start above)GitGuardian SaaS (US/EU) and you accept that requests transit mcp.gitguardian.com in addition to api.gitguardian.com
    Self-hosted MCP (§)Self-hosted GitGuardian, airgapped environments, or you want the MCP server on your own infrastructure
    Local stdio with PAT (§)CI/CD, scripts, one-off invocations, or older MCP clients without type: http support

    Authentication

    Most users do not need to touch this — the Quick start

    config implicitly uses the OAuth proxy mode on the hosted server, and the

    Local stdio config uses PAT env.

    There are four authentication modes the server can run in; you pick one via

    env vars.

    ModeConfigurationUsed by
    OAuth proxy (HTTP)MCP_OAUTH_PROXY_ENABLED=true + ENABLE_LOCAL_OAUTH=falseThe hosted MCP server. MCP client runs OAuth against /authorize+/token; the server proxies to the GG dashboard.
    Raw bearer (HTTP)ENABLE_LOCAL_OAUTH=false + MCP_PORT setSelf-hosted deployments without OAuth. Client sends Authorization: Bearer on every request.
    PAT env (any transport)GITGUARDIAN_PERSONAL_ACCESS_TOKEN= + ENABLE_LOCAL_OAUTH=falseCI, scripts, local stdio. Server uses the env-var PAT for every GG API call.
    Browser-OAuth stdio *(deprecated)*ENABLE_LOCAL_OAUTH=true (today's default in stdio)Legacy uvx --from … flow that opens a localhost callback and stores the PAT on disk.

    [!NOTE]

    Browser-driven OAuth in stdio mode is deprecated. New stdio deployments

    should authenticate with a PAT; OAuth-driven flows should use the hosted or

    self-hosted HTTP server. The stdio OAuth code path will be removed in a

    future release; until then it remains the default in stdio for backward

    compatibility.

    Local stdio mode (PAT-only)

    For CI/CD, airgapped environments, or older MCP clients, run the server

    locally over stdio with a PAT:

    json
    {
      "mcpServers": {
        "GitGuardian": {
          "command": "uvx",
          "args": [
            "--from",
            "git+https://github.com/GitGuardian/ggmcp.git",
            "gg-mcp-server"
          ],
          "env": {
            "ENABLE_LOCAL_OAUTH": "false",
            "GITGUARDIAN_PERSONAL_ACCESS_TOKEN": "your_pat_here",
            "GITGUARDIAN_URL": "https://dashboard.gitguardian.com"
          }
        }
      }
    }

    Create a PAT in your GitGuardian dashboard under **API → Personal Access

    Tokens**. The set of tools the server exposes depends on the PAT's scopes.

    For Claude Desktop on macOS, the command field needs the absolute path

    to uvx (e.g. /Users/you/.local/bin/uvx) — Claude Desktop does not resolve

    $PATH for MCP servers.

    Self-hosting the MCP server

    The MCP server will be soon available out of the box as part of your GitGuardian self-hosted deployment (Helm chart).

    This section is only meant to describe how it works, but you don't have to set it up.

    A Docker image is published at ghcr.io/gitguardian/ggmcp. Run it behind a

    reverse proxy that terminates TLS, then point your MCP clients at it. The

    container exposes the StreamableHTTP transport on port 8000 by default.

    Minimum configuration:

    bash
    docker run -p 8000:8000 \
      -e GITGUARDIAN_URL=https://dashboard.gitguardian.mycorp.local \
      -e MCP_BASE_URL=https://mcp.mycorp.local \
      -e MCP_OAUTH_PROXY_ENABLED=true \
      -e ENABLE_LOCAL_OAUTH=false \
      ghcr.io/gitguardian/ggmcp:latest \
      gunicorn --workers=4 --worker-class=uvicorn.workers.UvicornWorker \
               -b 0.0.0.0:8000 gg_mcp_server.http_app:app

    MCP_OAUTH_PROXY_ENABLED=true makes the server advertise itself as an OAuth

    Protected Resource (RFC 9728) and proxy /authorize, /token, /register

    to your GitGuardian dashboard. MCP clients then run the OAuth flow against

    your domain.

    Configuration reference

    VariableDescriptionDefault
    GITGUARDIAN_URLGitGuardian dashboard URLhttps://dashboard.gitguardian.com
    GITGUARDIAN_PERSONAL_ACCESS_TOKENPAT (overrides OAuth)Unset
    GITGUARDIAN_SCOPESComma-separated OAuth scopes to requestAuto
    GITGUARDIAN_CLIENT_IDOAuth client IDggshield_oauth
    GITGUARDIAN_TOKEN_NAMEDisplay name for OAuth-issued PATsMCP Token
    GITGUARDIAN_TOKEN_LIFETIMEPAT lifetime in days (or never)30
    MCP_PORTPort for HTTP transport (unset ⇒ stdio)Unset
    MCP_HOSTBind address for HTTP transport127.0.0.1
    MCP_BASE_URLPublic URL of this MCP server (OAuth proxy mode)http://localhost:8000
    MCP_OAUTH_PROXY_ENABLEDAdvertise OAuth Protected Resource metadatafalse
    ENABLE_LOCAL_OAUTHLegacy: enable stdio OAuth flow (deprecated)true

    Migration notes

    The developer-mcp-server and secops-mcp-server console scripts are

    deprecated and re-export the unified gg-mcp-server. Update your MCP client

    configuration to invoke gg-mcp-server directly; both old scripts will be

    removed in a future release.

    Want more?

    Have a use case that isn't covered? Open an issue

    with your idea.

    Development

    See [DEVELOPMENT.md](DEVELOPMENT.md) for contributing, running tests, and

    adding new tools.

    Similar MCP

    Based on tags & features

    • MC

      Mcp Aoai Web Browsing

      Python·
      30
    • DA

      Davinci Resolve Mcp

      Python·
      327
    • FH

      Fhir Mcp Server

      Python·
      55
    • WE

      Web Eval Agent

      Python·
      1.2k

    Trending MCP

    Most active this week

    • PL

      Playwright Mcp

      TypeScript·
      22.1k
    • SE

      Serena

      Python·
      14.5k
    • MC

      Mcp Playwright

      TypeScript·
      4.9k
    • MC

      Mcp Server Cloudflare

      TypeScript·
      3.0k
    View All MCP Servers

    Similar MCP

    Based on tags & features

    • MC

      Mcp Aoai Web Browsing

      Python·
      30
    • DA

      Davinci Resolve Mcp

      Python·
      327
    • FH

      Fhir Mcp Server

      Python·
      55
    • WE

      Web Eval Agent

      Python·
      1.2k

    Trending MCP

    Most active this week

    • PL

      Playwright Mcp

      TypeScript·
      22.1k
    • SE

      Serena

      Python·
      14.5k
    • MC

      Mcp Playwright

      TypeScript·
      4.9k
    • MC

      Mcp Server Cloudflare

      TypeScript·
      3.0k