Skip to content

feat(scan): add mock_env support for MCP servers requiring env vars#370

Merged
JAORMX merged 2 commits intomainfrom
feat/mock-env-for-mcp-scan
Feb 5, 2026
Merged

feat(scan): add mock_env support for MCP servers requiring env vars#370
JAORMX merged 2 commits intomainfrom
feat/mock-env-for-mcp-scan

Conversation

@JAORMX
Copy link
Collaborator

@JAORMX JAORMX commented Feb 5, 2026

Summary

  • Adds mock_env field to spec.yaml for MCP servers that require environment variables to start
  • Enables security scanning of servers that previously had to use insecure_ignore: true
  • Updates run_scan.py to accept config via JSON file and pass --stdio-env args to mcp-scanner

Problem

MCP servers that require environment variables (like SEARXNG_URL, NOTION_TOKEN, etc.) cannot be security scanned because:

  1. The scanner starts the server via stdio to discover tools
  2. Without required env vars, the server fails to start
  3. Previously, we used insecure_ignore: true which completely skips the scan

Solution

Add a mock_env field to spec.yaml that specifies placeholder environment variables to pass to the scanner:

security:
  mock_env:
    - name: SEARXNG_URL
      value: "https://mock-searxng.example.com"
      description: "SearXNG instance URL - mock for scanning"
  allowed_issues: []

Changes

File Change
scripts/mcp-scan/generate_mcp_config.py Extract mock_env from spec.yaml and include in JSON output
scripts/mcp-scan/run_scan.py Add --config flag, read mock_env, pass --stdio-env to scanner
.github/workflows/build-containers.yml Use config file approach instead of positional args
docs/adding-servers.md Document mock_env field and usage
scripts/mcp-scan/README.md Update usage examples

Test plan

  • Verify generate_mcp_config.py outputs mock_env field (empty array for existing servers)
  • Verify run_scan.py --config works with mock_env
  • Verify CI workflow passes
  • Test with a server that requires env vars (e.g., mcp-searxng in PR feat: add octocode-mcp and mcp-searxng servers #362)

🤖 Generated with Claude Code

@github-actions
Copy link

github-actions bot commented Feb 5, 2026
edited
Loading

🔒 MCP Security Scan Results

✅ agentql-mcp

  • Status: Passed
  • Tools scanned: 0
  • Result: No security issues detected

Summary: Scanned 1 MCP server(s), all passed security checks. ✅

JAORMX and others added 2 commits February 5, 2026 12:09
@JAORMX @claude
feat(scan): add mock_env support for MCP servers requiring env vars
ebcd8d5 
MCP servers that require environment variables (like API URLs or tokens)
cannot be security scanned because the scanner needs to start the server
to discover tools. This adds a `mock_env` field to spec.yaml that allows
specifying placeholder environment variables for scanning purposes.

Changes:
- generate_mcp_config.py: Extract mock_env from security section
- run_scan.py: Add --config flag and pass --stdio-env args to scanner
- build-containers.yml: Use config file approach for run_scan.py
- Documentation: Add mock_env to spec.yaml reference and usage examples

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@JAORMX @claude
feat(agentql-mcp): enable security scanning with mock_env
ced6837 
Replace insecure_ignore with mock_env to allow mcp-scanner to start
the server and scan its tools. The mock AGENTQL_API_KEY is not a real
credential - it's a placeholder that lets the server initialize.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@JAORMX JAORMX force-pushed the feat/mock-env-for-mcp-scan branch from 38baeed to ced6837 Compare February 5, 2026 10:09
@JAORMX JAORMX merged commit 397a1ea into main Feb 5, 2026
13 checks passed
@JAORMX JAORMX deleted the feat/mock-env-for-mcp-scan branch February 5, 2026 10:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rdimitrov rdimitrov rdimitrov approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@JAORMX @rdimitrov