Digital code and binary - Software security scanning

Secure your AI agents. Scan MCP servers and Agent Skills before attackers do.

25 security rules aligned with OWASP Agentic AI Top 10, OWASP Agentic Skills Top 10, and OWASP MCP Top 10. Free and open source. Built on .NET 10 with defence-grade governance.

Signal Sentinel Scanner is a fast, deterministic, offline-capable first-pass authoring aid for MCP operators and skill authors. Pair it with Bandit, Gitleaks, Semgrep, and Sentinel Gateway for defence in depth.

25
Detection Rules
3
OWASP Frameworks
7
Platforms
4
Transports
4
Output Formats
254
Unit Tests
Apache 2.0
Licence
SARIF v2.1
Standard

Two attack surfaces. One scanner.

Signal Sentinel Scanner performs static and runtime security analysis of both MCP server configurations and Agent Skill packages.

MCP Server Scanning

Scans local config files (Claude Desktop, Cursor, VS Code, Windsurf, Zed) and connects to remote MCP servers (HTTP/SSE, Streamable HTTP, WebSocket) to enumerate tools, resources, and prompts for security vulnerabilities.

16 security rules

Agent Skill Scanning

Scans SKILL.md files (the emerging standard adopted by Claude Code, Codex CLI, Cursor, Windsurf, and 20+ platforms) for prompt injection, credential exposure, data exfiltration, obfuscated payloads, and malicious bundled scripts.

9 security rules

Every finding is mapped to the OWASP Agentic AI Security Top 10 (ASI01-ASI10), the OWASP Agentic Skills Top 10 (AST01-AST10), and the OWASP MCP Top 10 (MCP01-MCP10), producing a scored A-F grade with prioritised remediation guidance.

What's new

Recent releases since v2.1.0

v2.2.0 – Rug-pull detection, SARIF, offline mode (March 2026)

SS-022

Rug Pull Detection

Compare current scan against a saved baseline; flags schema mutations, additions, and removals as Critical / High / Medium. Protects against post-install tool swaps.

SS-023

Shadow Tool Injection

Typosquat detection using Levenshtein distance against privileged tools and cross-server duplicates.

SS-024

Skill Integrity

Detects skills that ship without .sentinel-sig, SHA256SUMS, or cosign.sig signature artefacts.

SS-025

Excessive Response Size

Flags tool descriptions over 10 KB and JSON schemas nested more than 10 levels deep.

--offline

Offline Mode

Zero network-egress guarantee for air-gapped / HMG / defence environments. Refuses --remote and blocks outbound I/O.

SARIF

SARIF v2.1.0 Output

OASIS-compliant SARIF output compatible with GitHub Code Scanning, Azure DevOps, and IDE extensions.

Sigma

Sigma Rule Import

Load community Sigma YAML rules. Supports title/id/description/level/tags/logsource/detection subset.

Engine

Finding Deduplication

Collapses duplicate findings across sources with OccurrenceCount; rendered as [xN] annotation in reports.

v2.3.0 – Suppressions, triage, non-MCP detection, counter-factual grading (April 2026)

.sentinel-suppressions.json

Accepted-Risk Workflow

Accept specific findings with justification, approver, expiry, and per-environment scoping. Retained in every report for audit trail.

--triage

Confidence-Aware Triage

Hard filter below a confidence threshold, or demote medium-confidence findings one severity level with --triage.

sentinel-scan diff

Scan History & Diff

Attributes grade changes to the rules that caused them. "Your grade dropped from B to D because SS-022 fired."

--environment

Per-Environment Baselines

Separate baselines for dev / staging / prod so deltas do not leak between environments.

SS-INFO-001

Non-MCP Endpoint Detection

When --remote targets a non-JSON-RPC endpoint, auto-suppresses all MCP-protocol rules for that target. No more misleading Grade A on a web front door.

capabilities:

YAML Capabilities Authority

The capabilities: block in a skill YAML frontmatter is authoritative for SS-012. Eliminates mechanical false positives.

SS-012

Lemma-Aware Detection

Extended synonym table covers 30+ terms (disk, volume, mount, /proc, /sys, /dev) for operator-friendly language.

Counter-factual

Counter-Factual Grade

"If these N suppressions were removed, your grade would be F (30/100) instead of A (100/100)." Suppressions cannot hide risk.

25 detection rules + 1 informational

16 MCP server rules and 9 Agent Skill rules. Triple OWASP mapping: Agentic AI Top 10 (ASI), Agentic Skills Top 10 (AST), and MCP Top 10.

MCP Server Rules (16)

RuleASIASTMCPDescription
SS-001ASI01AST01MCP01Tool Poisoning Detection
SS-002ASI02AST02MCP02Overbroad Permissions Detection
SS-003ASI03AST03MCP03Missing Authentication Detection
SS-004ASI04AST04MCP04Supply Chain Vulnerability Detection
SS-005ASI05AST05MCP05Code Execution Capability Detection
SS-006ASI06AST06MCP06Memory / Context Write Access Detection
SS-007ASI07AST07MCP07Inter-Agent Communication Detection
SS-008ASI09AST08MCP08Sensitive Data Access Detection
SS-009ASI01AST09MCP09Excessive Description Length
SS-010ASI02AST10MCP10Cross-Server Attack Path Analysis
SS-019ASI03AST03MCP03Credential Hygiene Check
SS-020ASI03AST03MCP03OAuth 2.1 Compliance Check
SS-021ASI04AST04MCP04Package Provenance Check
SS-022ASI01AST01MCP01Rug Pull / Schema Mutation Detection
SS-023ASI01AST01MCP01Shadow Tool Injection (typosquat)
SS-025ASI06AST06MCP06Excessive Tool Response Size

Agent Skill Rules (9)

RuleASIASTDescription
SS-011ASI01AST01, AST04Skill Prompt Injection Detection
SS-012ASI02AST03Skill Scope Violation Detection
SS-013ASI03AST03Skill Credential Access Detection
SS-014ASI09AST01, AST03Skill Data Exfiltration Detection
SS-015ASI01AST05Skill Obfuscation Detection
SS-016ASI05AST05Skill Script Payload Detection
SS-017ASI02AST06Skill Excessive Permissions Detection
SS-018ASI01AST01Skill Hidden Content Detection
SS-024ASI04AST04Skill Integrity Verification

Informational (1)

RuleOWASPDescription
SS-INFO-001ASI10Non-MCP Endpoint Detected – emitted when the target returns non-JSON-RPC content. Auto-suppresses all MCP-protocol rules for that target.

Native SARIF v2.1.0 output

SARIF is the OASIS standard for static analysis results. Signal Sentinel emits SARIF v2.1.0 alongside JSON, Markdown, and HTML, so you can pipe scan results into GitHub Code Scanning, Azure DevOps Advanced Security, Defender for Cloud, JetBrains Qodana, and any other SARIF-compatible tool without a converter.

SARIF v2.1.0OWASP ASIOWASP ASTOWASP MCP

Air-gapped by design

Pass --offline and Signal Sentinel refuses to make any network call for the duration of the scan. Remote MCP targets are rejected, DNS lookups are disabled, and the runtime blocks outbound I/O. All detection logic runs from the local binary against local files. No telemetry, no callbacks, no model dependency. Suitable for OFFICIAL-SENSITIVE / SECRET environments subject to JSP 440 / 656.

Clear, actionable security grades

A
90-100
Excellent - no critical or high findings
B
70-89
Good - minor medium-severity issues
C
50-69
Fair - review and remediation recommended
D
25-49
Poor - immediate remediation required
F
0-24
Failing - do not use in production

Scoring: -25 critical, -10 high, -3 medium, -1 low. Attack paths: -20 critical, -10 high. A single critical vulnerability appropriately dominates the score.

Get started in 60 seconds

Available as a .NET global tool, Docker image, or build from source. Windows, macOS, and Linux.

# Install (requires .NET 10 SDK)
dotnet tool install -g SignalSentinel.Scanner

# Verify
sentinel-scan --version
# Signal Sentinel Scanner v2.3.0

# Update
dotnet tool update -g SignalSentinel.Scanner

Quick scan:

# Auto-discover MCP configs + skills on the machine
sentinel-scan --discover --skills
# Scan a remote HTTP(S) MCP server (SSE or streamable)
sentinel-scan --remote https://mcp.example.com/mcp
# Scan a remote WebSocket MCP server
sentinel-scan --remote wss://mcp.example.com/ws
# CI gate - exit code 1 on critical/high, SARIF for GitHub Code Scanning
sentinel-scan --discover --skills --ci --format sarif -o results.sarif
# Air-gapped / offline scan
sentinel-scan --discover --skills --offline
# Baseline comparison for rug-pull detection
sentinel-scan --discover --baseline .sentinel-baseline.json
# Per-environment scan with suppression file
sentinel-scan --discover --environment prod --suppressions .sentinel-suppressions.json
# Confidence-aware triage (demote medium-confidence findings one level)
sentinel-scan --discover --skills --triage
# Delta between two scans
sentinel-scan diff scan-2026-04-01.json scan-2026-04-18.json

Command reference:

OptionShortDescription
--config <path>-cPath to MCP configuration file
--remote <url>-rRemote MCP server URL (http/https/ws/wss)
--discover-dAuto-discover MCP configurations
--skills [path]-sScan Agent Skills (auto-discover or specify path)
--format <fmt>-fOutput format: json, markdown, html, sarif
--output <path>-oOutput file path (default: stdout)
--ciCI mode - exit code 1 on critical/high
--offlineAir-gapped mode - zero network egress
--baseline <path>Baseline file for rug-pull detection
--update-baselineSave current scan as new baseline
--environment <name>Environment name for per-env baselines
--suppressions <path>Suppression file for accepted risks
--min-confidence <n>Filter findings below confidence threshold
--triageDemote medium-confidence findings one severity level
--verbose-vEnable verbose output
--timeout <sec>-tConnection timeout (default: 30, max: 300)
diff <a> <b>Compare two scan results and attribute grade changes

Auto-discovers across your AI tools

MCP Configuration Discovery

Claude Desktop
Cursor
VS Code
Windsurf
Zed

Agent Skill Discovery

Claude Code
Codex CLI
Cursor
Windsurf
Project-level

All MCP transports supported: stdio (local), HTTP/SSE (remote), Streamable HTTP, and WebSocket (ws/wss).

Integrate into your pipeline

In CI mode (--ci flag), the scanner returns exit code 1 when critical or high severity findings are detected. Exit code 0 = clean, 1 = findings detected, 2 = scan failed.

name: MCP Security Scan
on: [push, pull_request]

jobs:
  sentinel:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@v4
      - name: Scan
        run: |
          docker run --rm -v ${{ github.workspace }}:/src \
            ghcr.io/signalcoding/signal-sentinel-scanner:2.3.0 \
            --discover --skills /src --ci --format sarif -o /src/sentinel.sarif
      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: sentinel.sarif

Purpose-built for MCP and Agent Skills

View full comparison page →

FeatureSignal SentinelInvariant MCP ScanPillar MCP Audit
MCP Server Scanning16 rules5 rules3 rules
Agent Skill Scanning9 rulesNoneNone
OWASP ASI MappingFull (ASI01-ASI10)PartialNone
OWASP AST MappingFull (AST01-AST10)NoneNone
OWASP MCP MappingFull (MCP01-MCP10)NoneNone
SARIF Outputv2.1.0NoNo
Offline / Air-gappedYesNoNo
Suppression WorkflowYesNoNo
Rug-Pull DetectionYesNoNo
Attack Path AnalysisYesNoNo
Bundled Script Analysis.py, .sh, .ps1, .js, .tsNoNo
Auto-Discovery (MCP)5 platforms2 platforms1 platform
Auto-Discovery (Skills)5 platformsNoneNone
WebSocket TransportYesNoNo
Open SourceApache 2.0PartialNo
Docker (Multi-arch)YesSingle archNone

Technical details

Version2.3.0
Runtime.NET 10 LTS
LanguageC# 14
Security Rules25 detection + 1 informational (16 MCP + 9 Skill + 1 Info)
OWASP FrameworksAgentic AI Top 10 + Agentic Skills Top 10 + MCP Top 10
Transportsstdio, HTTP/SSE, Streamable HTTP, WebSocket
LicenceApache 2.0
Unit Tests254 (all passing)
Typical scan time1-5 seconds
PlatformsWindows, macOS, Linux
Distribution.NET Tool (NuGet), Docker (GHCR), Source
Docker imageAlpine Linux, ~50MB, non-root, amd64/arm64
Output formatsJSON, Markdown, HTML, SARIF v2.1.0
Build quality0 warnings (warnings-as-errors enabled)
Published18 April 2026

Frequently asked questions

What is MCP?

The Model Context Protocol is an open standard created by Anthropic for connecting AI assistants to external tools and data sources. Adopted by OpenAI, Google, Microsoft, and the broader AI ecosystem.

What are Agent Skills?

Agent Skills are SKILL.md files that define reusable instructions, capabilities, and bundled scripts for AI coding assistants. Adopted by Claude Code, Codex CLI, Cursor, Windsurf, and 20+ platforms. They are a growing attack surface for prompt injection and supply chain attacks.

Why scan Agent Skills?

Community skill marketplaces host thousands of skills, and documented large-scale supply chain attacks have already been observed. A malicious skill can inject prompts, exfiltrate data, execute arbitrary code, and persist across sessions - all while appearing benign.

What is SARIF?

SARIF (Static Analysis Results Interchange Format) is an OASIS standard for expressing static analysis results. Signal Sentinel emits SARIF v2.1.0 so you can upload results directly to GitHub Code Scanning, Azure DevOps, Defender for Cloud, or any SARIF-compatible tool.

Can it run in air-gapped environments?

Yes. Pass --offline and the scanner refuses all network calls, DNS lookups, and outbound I/O. All detection runs from the local binary against local files. No telemetry, no callbacks, no model dependency.

What is the suppression workflow?

Create a .sentinel-suppressions.json file to accept specific findings with a justification, approver, expiry date, and per-environment scoping. Suppressed findings are retained in every report for audit trail. Counter-factual grading shows what your grade would be without suppressions.

Is Signal Sentinel free?

Yes. Free and open-source under Apache 2.0. No telemetry, no data collection, no registration required.

Does it send data anywhere?

No. Signal Sentinel runs entirely locally. The only network connections are to MCP servers you explicitly ask it to scan (disabled in --offline mode).

What transports are supported?

All four MCP transports: stdio (local processes), HTTP/SSE, Streamable HTTP, and WebSocket (ws/wss).

Can I use it in CI/CD?

Yes. Use --ci flag for exit code 1 on critical/high findings, and --format sarif for GitHub Code Scanning upload. Works with GitHub Actions, Azure DevOps, GitLab CI, Jenkins, and any CI system that runs .NET or Docker. Pre-commit hooks available for pre-commit.com, lefthook, and husky.

What .NET version is required?

.NET 10 SDK or later for the .NET global tool. Docker requires no .NET installation.

How do I report a security issue?

Email [email protected]. Do not open a public GitHub issue for security vulnerabilities.

What comes next?

Signal Sentinel Gateway (real-time MCP firewall) and Signal Sentinel Classify (document classification MCP server) are in development. See our product roadmap for details.

Secure your AI agent integrations today

25 security rules. Triple OWASP mapping. SARIF, offline mode, suppressions, triage, and counter-factual grading. Free, open source, and runs in seconds.

Last updated: May 2026