compuute-scan-api

Name: Compuute MCP Security Scanner
Author: compuute

Scan-as-a-Service for MCP servers. HTTP + MCP wrapper around compuute-scan — the MCP-specific static security scanner. Designed for agent-callable consumption.

POST a public GitHub repo URL → get a structured security report scored against 37 MCP-specific rules across 8 languages (TS/JS, Python, Go, Rust, C#, Java, Kotlin).

Honesty note (read first): compuute-scan is a pattern-breadth detector, not an exploitability oracle. Historic false-positive rate after manual validation is ~90% on raw output (verified against modelcontextprotocol/servers: 138 raw findings → 13 confirmed). Every response carries a _disclaimer field stating this explicitly. Use findings as a triage queue, not as a list of confirmed vulnerabilities. See docs/FP-RATES.md for per-rule transparency.

Endpoints

Method	Path	Purpose
POST	`/v1/scan`	Scan a public GitHub MCP-server repo
GET	`/v1/scan/info`	Scanner version, limits, capabilities
GET	`/v1/health`	Liveness + scanner-binary check
GET	`/openapi.json`	OpenAPI v3 spec (for agent discovery)
/mcp/	(planned)	MCP server with `scan_mcp_server` tool

Example

curl -X POST https://scan.compuute.se/v1/scan \
  -H 'Content-Type: application/json' \
  -H 'Idempotency-Key: 00000000-0000-0000-0000-000000000001' \
  -d '{"repo_url": "https://github.com/modelcontextprotocol/servers"}'

Response (truncated):

{
  "repo_url": "https://github.com/modelcontextprotocol/servers",
  "scanner": {"name": "compuute-scan", "version": "0.6.2", "layers_covered": ["L0", "L1"]},
  "summary": {"critical": 1, "high": 94, "medium": 22, "low": 0, "files_scanned": 77},
  "score": 0,
  "recommendation": "AVOID — 1 critical and 94 high finding(s)...",
  "top_findings": [...],
  "performance": {"clone_seconds": 1.2, "scan_seconds": 0.5, "repo_size_bytes": 41234},
  "_disclaimer": "PATTERN MATCH — compuute-scan is a static analyzer..."
}

Agent-shaped API features

Feature	How
Idempotent retries (24h cache)	`Idempotency-Key` header
HTTP cache	`ETag` + `Cache-Control: public, max-age=1800`
Conditional GET	`If-None-Match` → 304 Not Modified
Strict input validation	Pydantic `extra="forbid"`, GitHub-HTTPS-only
OpenAPI for discovery	`GET /openapi.json` with descriptions on every field
Honest framing	Every response carries `_disclaimer` — pattern match, not exploitability claim

Local development

python3 -m venv venv && source venv/bin/activate
pip install -r requirements.txt
export COMPUUTE_SCAN_PATH=$HOME/compuute-scan/compuute-scan.js
uvicorn main:app --reload

Tests

pytest tests/ -v

Architecture

api/services/scan.py — clone + sandbox + scan + parse. Pure functions.
api/serializers/scan_serializer.py — Pydantic models, strict validation.
api/routes/scan.py — HTTP layer: idempotency, cache, ETag.
main.py — FastAPI wiring.

Bundled compuute-scan version is configured via COMPUUTE_SCAN_PATH env var.

Productisation roadmap

Tier	Audience	Price
Free	Indie devs, agent builders	3 scans/day
Pro	Teams shipping MCP to production	TBD
Audit	Manual L2-L4 audit by Compuute AB	$5K-30K — see compuute.se/audit

Documentation

Doc	For
docs/ARCHITECTURE.md	Component diagram, request flow, threat model, deployment topology
docs/DEVELOPMENT.md	Local setup, layout, code style, common pitfalls — onboard a new dev in 30 min
docs/STRATEGY.md	Position, pricing tiers, roadmap, decision log — why we built it this way
docs/MONITORING.md	Endpoints to watch, automated checks, runbook for failures
docs/agentic-market-submission.md	Three paths to Agentic.market listing with engineering effort estimates
scripts/status.sh	30-second project status check (run anytime)

Security

Found a vulnerability? See SECURITY.md — email security@compuute.se. We follow a 90-day coordinated disclosure window.

License

MIT (matches compuute-scan).

Author

Compuute AB — daniel@compuute.se