Guard FAQs

Question 1

How does Guard help fix identified security issues?

Accepted Answer

Guard includes an interactive configuration hardening tool (`mcp-guard fix`) that can automatically extract hardcoded secrets into environment variables, adjust file permissions, write tool restriction rules, add configs to .gitignore, and flag hygiene issues. You can preview changes or apply them automatically.

Question 2

What is Guard and what does it do?

Accepted Answer

Guard is a comprehensive security tool designed for Model Context Protocol (MCP) servers. It identifies hardcoded secrets, command/prompt injection risks, SSRF, and policy violations in server configurations through static analysis, and provides runtime security enforcement.

Question 3

How can Guard be integrated into existing development and deployment workflows?

Accepted Answer

Guard offers flexible integration options: it can be added to CI/CD pipelines with SARIF output for code scanning, provides programmatic and REST APIs, and can be configured as an MCP server for clients like Claude Desktop, Claude Code, Cursor, and VS Code, enabling on-demand security scans.

Question 4

What types of vulnerabilities can Guard detect in MCP server configurations?

Accepted Answer

Guard detects a wide range of vulnerabilities including leaked secrets (API keys, tokens, database URLs), injection risks (shell metacharacters, prompt injection), authentication gaps, Server-Side Request Forgery (SSRF) vulnerabilities, and compliance policy violations across GDPR, SOC 2, HIPAA, ISO 27001, and PCI DSS.

Question 5

Can Guard enforce security policies at runtime for MCP servers?

Accepted Answer

Yes, the `@mcp-guard/gateway` component acts as a stdio proxy that sits between clients (like Claude) and any MCP server. It enforces YAML-defined security policies on every JSON-RPC frame, checking tool calls before they reach the server and scanning responses for exfiltration targets.

Guard

Guard

Key Features

Use Cases

Key Features

Use Cases