Skip to content

ci: add KYA security scan for MCP dependencies#16

Open
Thezenmonster wants to merge 2 commits intoVapiAI:mainfrom
Thezenmonster:add-kya-scan
Open

ci: add KYA security scan for MCP dependencies#16
Thezenmonster wants to merge 2 commits intoVapiAI:mainfrom
Thezenmonster:add-kya-scan

Conversation

@Thezenmonster
Copy link
Copy Markdown

@Thezenmonster Thezenmonster commented Mar 28, 2026

Automated MCP dependency security scanning on every push and PR via KYA Scan.

What it checks per dependency:

  • Abuse database: has this package been reported for malicious behaviour?
  • Install scripts: does the package run code on npm install?
  • Suspicious URLs: hardcoded IPs or exfiltration domains?
  • Prompt injection: manipulation patterns in package metadata?
  • Metadata quality: missing repo, licence, or description?

919 MCP packages scanned. 98.5% clean. This catches the rest before they reach your project.

Free, no API key, no configuration. One YAML file, zero code changes.

KYA Scan Action | Scanner

@Thezenmonster
Copy link
Copy Markdown
Author

Thezenmonster commented Mar 28, 2026

Hi @lukatmyshu - this adds automated npm dependency scanning to your CI. One YAML file that checks deps against a community abuse database on push/PR. Pinned to commit SHA, read-only permissions. We've scanned 919 MCP packages and found 1.5% with security issues. Happy to adjust config if needed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Thezenmonster