Detectors & Rules
The Igris Scanner ships with 20 detectors covering 91 rules. Each detector focuses on a specific attack surface. All detectors run in parallel during a scan.Credential Scanner
Detects secrets, tokens, and credentials hardcoded in MCP server configurations.| Rule | Severity | What it detects |
|---|---|---|
| AG-CRD-001 | Critical | Hardcoded API keys (AWS, GitHub, OpenAI, Stripe, etc.) |
| AG-CRD-002 | High | High-entropy strings (Shannon entropy > 4.5) |
| AG-CRD-003 | Critical | JWT tokens in config values |
| AG-CRD-004 | Critical | Database connection strings with embedded passwords |
| AG-CRD-005 | Critical | Private key material (RSA, EC, OpenSSH, DSA) |
args, env values, and connection strings.
Remediation: Use environment variable references ($SECRET_NAME) instead of hardcoded values.
Command Injection
Detects shell injection vectors in MCP server command configurations.| Rule | Severity | What it detects |
|---|---|---|
| AG-CMD-001 | Critical | Shell metacharacters (;, &&, ||, backticks, $()) |
| AG-CMD-002 | High | Unvalidated args with interpolation (${...}, $VAR, %VAR%) |
| AG-CMD-003 | Critical | Shell wrapper commands (sh -c, bash -c, cmd /c) |
| AG-CMD-004 | High | Environment variable injection via shell metacharacters |
command field and args array.
CVE Scanner
Scans MCP server packages against online CVE databases to detect known vulnerabilities in real time. The scanner extracts package names and versions from your config, queries vulnerability databases, and reports any matches with severity, CVE IDs, and remediation guidance.| Rule | Severity | What it detects |
|---|---|---|
| AG-CVE-001 | Varies | Known vulnerable package version (matched against online CVE databases) |
| AG-CVE-002 | Medium | Unpinned version for package with known vulnerabilities |
| AG-CVE-003 | Low | Deprecated package |
Path Traversal
Detects directory traversal and sensitive path access in MCP server arguments.| Rule | Severity | What it detects |
|---|---|---|
| AG-PTH-001 | High | Path traversal sequences (../) |
| AG-PTH-002 | Medium | Absolute paths to sensitive directories (/etc, /root, /proc) |
| AG-PTH-003 | Medium | Symlink-susceptible patterns (./) |
| AG-PTH-004 | Low | Home directory access (~, $HOME, %USERPROFILE%) |
OAuth Config Checker
Validates OAuth configuration in MCP servers for common misconfigurations.| Rule | Severity | What it detects |
|---|---|---|
| AG-AUTH-001 | Critical | Hardcoded client secret (should be env reference) |
| AG-AUTH-002 | High | Overly broad OAuth scopes (*, admin, >5 scopes) |
| AG-AUTH-003 | Medium | Missing PKCE configuration |
| AG-AUTH-004 | High | HTTP redirect URI (non-HTTPS, excluding localhost) |
| AG-AUTH-005 | Medium | Wildcard redirect URI (open redirect risk) |
Tool Poisoning
Detects attempts to manipulate AI agents through malicious tool definitions.| Rule | Severity | What it detects |
|---|---|---|
| AG-POISON-001 | Critical | Hidden instructions in tool descriptions (“ignore”, “override”, “system prompt”) |
| AG-POISON-002 | High | Tool name mimicking system tools (bash, exec, eval, sudo, admin) |
| AG-POISON-003 | Medium | Suspiciously long tool description (>500 chars) |
| AG-POISON-004 | High | Unicode homoglyph attack in tool name (e.g., Cyrillic ‘a’ vs ASCII ‘a’) |
| AG-POISON-005 | Critical | Injection patterns in inputSchema string values |
Privilege Escalation
Detects elevated privilege configurations that expand the attack surface.| Rule | Severity | What it detects |
|---|---|---|
| AG-PRIV-001 | Critical | Running as root or with --privileged flag |
| AG-PRIV-002 | High | Excessive filesystem permissions (Docker volumes mounting /etc, /root) |
| AG-PRIV-003 | Medium | Overly broad network access (Docker host networking) |
| AG-PRIV-004 | High | Dangerous Linux capabilities (SYS_ADMIN, NET_ADMIN, ALL) |
| AG-PRIV-005 | Critical | sudo or doas in command/args |
Rate Limit Checker
Validates rate limiting configuration for network-exposed MCP servers.| Rule | Severity | What it detects |
|---|---|---|
| AG-RATE-001 | Medium | No rate limiting on network-exposed server (SSE/HTTP transport) |
| AG-RATE-002 | Medium | Unreasonably high rate limit (>1000 req/min) |
| AG-RATE-003 | High | Missing rate limit on mutation tools (write, create, delete, execute) |
Audit Logging Checker
Validates logging configuration for compliance and forensics readiness.| Rule | Severity | What it detects |
|---|---|---|
| AG-AUDIT-001 | Medium | No logging configuration |
| AG-AUDIT-002 | Low | Logging to stdout only (non-persistent) |
| AG-AUDIT-003 | High | Missing logging on sensitive tools (write/delete/execute) |
| AG-AUDIT-004 | Low | No log rotation configured |
Version Pinning Checker
Ensures MCP server dependencies are pinned to specific versions to prevent supply chain attacks.| Rule | Severity | What it detects |
|---|---|---|
| AG-VER-001 | High | Unpinned Docker image (:latest or no tag) |
| AG-VER-002 | Medium | Unpinned npx/bunx package reference |
| AG-VER-003 | Medium | Git reference without commit SHA (branches/tags mutable) |
| AG-VER-004 | Low | Semver range instead of exact version (^, ~, >=) |
SSRF Scanner
Detects Server-Side Request Forgery vectors in MCP server URLs and configurations.| Rule | Severity | What it detects |
|---|---|---|
| AG-SSRF-001 | Critical | Internal network URL or cloud metadata endpoint (169.254.169.254, private IPs) |
| AG-SSRF-002 | High | Localhost URL on network transport (proxy misconfiguration risk) |
| AG-SSRF-003 | High | URL targeting known service ports (Redis 6379, PostgreSQL 5432, etc.) |
| AG-SSRF-004 | Medium | Dangerous URL schemes (file://, gopher://, dict://, ftp://) |
| AG-SSRF-005 | High | Cloud metadata endpoint referenced in env vars or args |
Network Exposure
Detects insecure network bindings, missing TLS, disabled certificate validation, and broad CORS.| Rule | Severity | What it detects |
|---|---|---|
| AG-NET-001 | Critical | Server listening on 0.0.0.0 (all interfaces exposed) |
| AG-NET-002 | High | HTTP or WebSocket URL without TLS for non-localhost addresses |
| AG-NET-003 | High | TLS certificate validation disabled (--insecure, NODE_TLS_REJECT_UNAUTHORIZED=0) |
| AG-NET-004 | Medium | DNS rebinding vulnerability (hostname on network transport) |
| AG-NET-005 | Medium | Wildcard CORS configuration (Access-Control-Allow-Origin: *) |
Shadowing & Confusion
Detects configurations where servers or tools can shadow, override, or confuse each other. This detector cross-references all servers in the config.| Rule | Severity | What it detects |
|---|---|---|
| AG-SHADOW-001 | Critical | Duplicate tool names across different servers (interception risk) |
| AG-SHADOW-002 | High | Tool names with high similarity across servers (typosquatting) |
| AG-SHADOW-003 | Medium | Server name resembling a well-known MCP service (impersonation) |
| AG-SHADOW-004 | High | Tool name overriding built-in AI capabilities (search, code, memory) |
Data Exfiltration
Detects tool configurations that could enable unauthorized data exfiltration to external endpoints.| Rule | Severity | What it detects |
|---|---|---|
| AG-EXFIL-001 | Critical | Tool with unconstrained URL/endpoint parameter (no domain allowlist) |
| AG-EXFIL-002 | High | HTTP client tool with unconstrained URL input |
| AG-EXFIL-003 | High | Server with both read and send capabilities (read-then-exfiltrate chain) |
| AG-EXFIL-004 | Critical | DNS exfiltration vector (unconstrained hostname/domain parameter) |
Rug Pull
Detects MCP server configurations vulnerable to rug pull attacks — where a server changes behavior after gaining initial trust.| Rule | Severity | What it detects |
|---|---|---|
| AG-RUG-001 | High | Remote server with no integrity verification (no content hash or cert pinning) |
| AG-RUG-002 | High | npx/bunx pulls latest version on every run (no pinned version) |
| AG-RUG-003 | Medium | Dynamic tool schemas on remote transport (schemas can change between sessions) |
| AG-RUG-004 | Critical | Server URL on free/ephemeral hosting (ngrok, replit, glitch, dynamic DNS) |
| AG-RUG-005 | Medium | Git-based server without commit SHA pinning |
Resource Exhaustion
Detects missing resource limits that could lead to denial of service.| Rule | Severity | What it detects |
|---|---|---|
| AG-RSRC-001 | Medium | No timeout configured for network server |
| AG-RSRC-002 | Medium | No memory limit on Docker container |
| AG-RSRC-003 | Low | No CPU limit on Docker container |
| AG-RSRC-004 | High | Tool with unbounded input size (no maxLength/maxItems) |
| AG-RSRC-005 | Medium | No process limit (—pids-limit) on Docker container |
Excessive Permissions
Detects tools and servers requesting more access than their described functionality requires.| Rule | Severity | What it detects |
|---|---|---|
| AG-PERM-001 | High | Read-only tools running with root/sudo permissions |
| AG-PERM-002 | Medium | Server exposes more than 20 tools (overly broad scope) |
| AG-PERM-003 | High | Wildcard or root path in allowedPaths |
| AG-PERM-004 | Medium | Server has both network access and filesystem access |
| AG-PERM-005 | High | Tool accepts arbitrary command/code input without constraints |
Response Injection
Detects tool configurations vulnerable to prompt injection through tool responses — where external content returned by a tool manipulates the AI agent.| Rule | Severity | What it detects |
|---|---|---|
| AG-INJECT-001 | High | Tool fetches external web content (fetch, scrape, browse) |
| AG-INJECT-002 | High | Tool reads user-controlled file content |
| AG-INJECT-003 | Medium | Tool queries database and returns raw results |
| AG-INJECT-004 | Critical | Tool executes code and returns output (eval, exec, repl) |
| AG-INJECT-005 | Medium | No output sanitization indicated for external-facing tools |
Cross-Server Leakage
Detects configurations where one MCP server can access another server’s data, credentials, or network. This detector cross-references all servers in the config.| Rule | Severity | What it detects |
|---|---|---|
| AG-XSRV-001 | High | Shared credential environment variables across servers |
| AG-XSRV-002 | High | Overlapping Docker volumes or filesystem paths |
| AG-XSRV-003 | Medium | Multiple servers sharing the same Docker network |
| AG-XSRV-004 | Critical | Server with network access can reach another server’s localhost endpoint |
| AG-XSRV-005 | Medium | Shared working directory or temp path between servers |
Transport Security
Detects insecure transport configurations including missing TLS, certificate issues, and network tunneling that bypasses encryption.| Rule | Severity | What it detects |
|---|---|---|
| AG-TLS-001 | Critical | SSE/HTTP transport without TLS (plaintext MCP traffic) |
| AG-TLS-002 | High | Custom CA certificate combined with TLS verification bypass |
| AG-TLS-003 | Medium | Stdio transport with SSH/socat/netcat tunneling (bypasses TLS) |
| AG-TLS-004 | High | Unencrypted WebSocket (ws:// instead of wss://) |
| AG-TLS-005 | Medium | No certificate pinning for remote HTTPS server |
Severity Levels
| Level | Color | Meaning |
|---|---|---|
| Critical | Red | Immediate exploitation risk — fix before deploying |
| High | Magenta | Serious vulnerability — fix before production use |
| Medium | Yellow | Notable weakness — should be addressed |
| Low | Cyan | Minor concern — fix when convenient |
| Info | Gray | Informational — no security impact |