Secure Audit Intake
MCPScan reviews should start with sanitized configuration whenever possible. Do not send production credentials, active API keys, customer data, private source code, or sensitive files through public GitHub issues or ordinary email.
Safe To Send First
- Sanitized MCP configuration files with secrets removed or replaced with placeholders.
- List of MCP servers, owners, business purpose, and whether each tool can read, write, delete, execute, or access external networks.
- Screenshots or exports of admin allowlists, registry URLs, OAuth settings, and approval policies.
- Non-sensitive notes about Copilot, Claude Code, Cursor, VS Code, Slack, Atlassian, or internal MCP rollout plans.
Do Not Send Publicly
- Production credentials, API keys, bearer tokens, OAuth client secrets, SSH keys, cookies, or session tokens.
- Customer data, regulated data, private database exports, or proprietary source code that is not required for review.
- Unredacted incident records, vulnerability details, or exploit paths in public GitHub issues.
Private Handoff Path
After purchase, MCPScan will confirm a private handoff path before reviewing sensitive material. Preferred options are a customer-owned private repository, a customer-owned shared folder, or an encrypted archive with the password sent through a separate channel.
If sensitive material is accidentally submitted through a public channel, MCPScan will pause intake, ask for rotation/redaction as needed, and continue only from a sanitized replacement.
Minimum Intake Package
- Contact person and security owner.
- Tools in scope and tools explicitly out of scope.
- Sanitized MCP configs and admin settings.
- Desired launch decision: approve, approve with guardrails, or block until remediation.
- Target delivery date and any internal review deadline.