16 engines · open methodology

16 scanners.
One verdict.

Every MCP server runs through the same gauntlet. Each engine produces a sub-score; the weighted sum becomes the trust light. No hidden weights, no "AI vibes" — just published rules.

Engine families
Vulnerability & SAST 8 engines
Secrets & identity 2 engines
MCP-specific 1 engine
Supply chain & SBOM 3 engines
Compliance & rules 2 engines
Active engines: 16. All free. Every engine runs on every scan. No paid tier required.
Median runtime: 52 sec, from URL paste to final verdict. Cached on second run.
Findings logged: 135k cross-server findings catalogued and de-duplicated.
Public methodology: 100%. Every weight, every rule, every CVSS bucket — published.
02 — Engines

All 16, in the open.

Each card shows what it tests and where to read its rule definitions.

01 · Static Analysis · Cisco Skill Scanner (Cisco)
Static, pipeline, and bytecode analysis of AI skill code, detecting unsafe patterns and policy violations.

02 · Static Analysis · Cisco A2A Scanner (Cisco)
Scans Agent-to-Agent protocol implementations for security issues using YARA rules and heuristics.

03 · SBOM & Inventory · Cisco AIBOM (Cisco)
AI Bill of Materials generator mapping the models, agents, tools, and workflows in a codebase.

04 · Custom Rules · Custom YARA (MCPAmpel)
Custom YARA rules detecting MCP-specific threat patterns, suspicious agent behaviors, and known-bad signatures.

05 · Static Analysis · Semgrep (Semgrep Inc.)
Fast static analysis with custom MCP security rules for command injection, path traversal, and more.

06 · Static Analysis · Bandit (PyCQA)
Python AST-based security linter with 47+ checks for SQL injection, hardcoded passwords, and unsafe deserialization.

07 · Secret Detection · detect-secrets (Yelp)
Detects secrets in code using entropy analysis and pattern matching.

08 · Secret Detection · Gitleaks (Zach Rice)
Detects hardcoded secrets, API keys, tokens, and passwords in source code and git history.

09 · IaC & Config · Checkov (Prisma Cloud, Palo Alto Networks)
IaC scanner for Terraform, CloudFormation, Kubernetes, Dockerfile, and CI/CD pipeline misconfigurations.

10 · SBOM & Inventory · Syft (Anchore)
SBOM generator producing a CycloneDX inventory of all software components in a repository.

11 · Dependency Scan · Grype (Anchore)
Vulnerability scanner matching dependencies and OS packages against known CVE databases.

12 · License Compliance · ScanCode (AboutCode)
License compliance scanner detecting license declarations and flagging copyleft or restrictive licenses.

13 · Dependency Scan · Trivy (Aqua Security)
Comprehensive vulnerability scanner for containers, dependencies, IaC, and supply chain risks.

14 · Dependency Scan · OSV-Scanner (Google)
Multi-ecosystem vulnerability scanner checking Python, npm, Go, Rust, and Java dependencies against the OSV database.

15 · Dependency Scan · pip-audit (PyPA)
Python dependency vulnerability scanner checking against the Python Advisory Database.

16 · MCP Protocol · MCP Guardian (MCPAmpel)
Prompt injection detector scanning MCP tool descriptions for patterns that manipulate LLM behavior.

Want your scanner listed?

MCPAmpel aggregates 16+ security engines. If you maintain a scanner for MCP servers, AI tools, or supply chain security, we'd like to hear from you.

Methodology

From 16 sub-scores to one number.

Every engine returns a 0–10 sub-score with a confidence band. We combine them with fixed published weights — no learned model, no per-server tuning. The weighted mean is your trust light. A single critical CVE can floor the score regardless of weight; that's the only nonlinearity.
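A minimal aggregator implementing the rule described above, added here as an illustration rather than MCPAmpel's own code. The family weights, the value the critical-CVE floor clamps to, the interval propagation of each engine's confidence band, and the renormalisation over whichever engines actually reported are all assumptions; the page only states that the weights are fixed and published.

```python
from dataclasses import dataclass

# ASSUMED family weights: the page says weights are fixed and published but
# does not list them here, so these are placeholders, not the real values.
FAMILY_WEIGHTS = {
    "Vulnerability & SAST": 3.0,
    "Secrets & identity": 2.0,
    "MCP-specific": 2.0,
    "Supply chain & SBOM": 2.0,
    "Compliance & rules": 1.0,
}
# ASSUMED ceiling the score is clamped to when any engine reports a critical CVE.
CRITICAL_CVE_FLOOR = 2.0


@dataclass
class SubScore:
    engine: str
    family: str
    score: float          # 0-10 sub-score, 10 = clean
    band: float           # half-width of the engine's confidence band
    critical_cve: bool = False


def aggregate(subscores):
    """Weighted mean of the sub-scores -> (point, low, high, floored).

    Engines that did not report are simply absent, so the weights are
    renormalised over those present (assumption). The critical-CVE floor is
    applied after weighting, so no weight can lift a floored score.
    """
    if not subscores:
        raise ValueError("no sub-scores to aggregate")
    weights = [FAMILY_WEIGHTS[s.family] for s in subscores]
    total = sum(weights)

    def clamp(x):
        return max(0.0, min(10.0, x))

    def wmean(values):
        return sum(w * v for w, v in zip(weights, values)) / total

    point = wmean([clamp(s.score) for s in subscores])
    low = wmean([clamp(s.score - s.band) for s in subscores])   # pessimistic end
    high = wmean([clamp(s.score + s.band) for s in subscores])  # optimistic end
    floored = any(s.critical_cve for s in subscores)
    if floored:  # the only nonlinearity: a critical CVE caps every bound
        point, low, high = (min(v, CRITICAL_CVE_FLOOR) for v in (point, low, high))
    return round(point, 2), round(low, 2), round(high, 2), floored
```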
