Summary
Package g0's core capabilities as an MCP server so developers can run security scans, adversarial tests, and inventory checks directly from their AI-powered IDE (Claude Code, Cursor, Windsurf, etc.).
Motivation
Developers are building agents inside AI-powered IDEs that support MCP. Instead of switching to a terminal to run g0 scan, they should be able to ask their IDE assistant to "scan this project for security issues" and get g0 results inline.
This also positions g0 as a composable tool in agentic workflows — other agents can call g0 for security assessment as part of CI, code review, or deployment pipelines.
Proposed Implementation
MCP Tools to Expose
- g0_scan — Run security assessment on a path
  - Input: { path: string, preset?: string, minConfidence?: string }
  - Output: findings, scores, grade, summary
- g0_inventory — Generate AI Bill of Materials
  - Input: { path: string, format?: "json" | "cyclonedx" | "markdown" }
  - Output: agents, tools, models, frameworks, MCP servers
- g0_test — Run adversarial tests
  - Input: { target: string, categories?: string[], adaptive?: boolean }
  - Output: test results, vulnerable/resistant/inconclusive counts
- g0_flows — Map agent execution paths
  - Input: { path: string }
  - Output: agent graph, data flows, toxic flows
- g0_mcp — Assess MCP server configurations
  - Input: { path: string }
  - Output: MCP server findings, hash pins, rug-pull detection
- g0_explain_finding — Explain a specific finding with remediation
  - Input: { ruleId: string, framework?: string }
  - Output: rule description, severity, standards mapping, fix guidance
MCP Resources to Expose
g0://rules — list all available security rules
g0://standards/{standard} — compliance mapping for a standard
g0://last-scan — most recent scan results
Server Configuration
{
  "mcpServers": {
    "g0": {
      "command": "npx",
      "args": ["@guard0/g0", "mcp-server"]
    }
  }
}
Files to Create
- src/mcp-server/index.ts — MCP server entry point
- src/mcp-server/tools.ts — tool definitions and handlers
- src/mcp-server/resources.ts — resource definitions
- src/cli/commands/mcp-server.ts — CLI command to start server
- Update package.json with mcp-server bin entry
Acceptance Criteria
- g0 mcp-server starts an MCP server (stdio transport)
- npx @guard0/g0 mcp-server
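The tool inputs listed under "MCP Tools to Expose" are chosen by the IDE assistant at call time, so a handler needs to validate them before any scan starts. The block below is an added example, not code from the g0 project: it checks the g0_scan argument shape from the proposal and confines path to a workspace root. The names validateScanArgs and workspaceRoot are hypothetical.

```typescript
import * as path from "node:path";

// Shape from the proposal: { path: string, preset?: string, minConfidence?: string }
export interface ScanArgs { path: string; preset?: string; minConfidence?: string }
export interface Validation { ok: boolean; error?: string; args?: ScanArgs }

const ALLOWED_KEYS = ["path", "preset", "minConfidence"];

// Hypothetical helper: validate g0_scan arguments before any scan runs.
// workspaceRoot is an assumed server-side setting, never taken from the caller.
export function validateScanArgs(raw: unknown, workspaceRoot: string): Validation {
  if (typeof raw !== "object" || raw === null || Array.isArray(raw)) {
    return { ok: false, error: "arguments must be an object" };
  }
  const input = raw as Record<string, unknown>;
  for (const key of Object.keys(input)) {
    if (ALLOWED_KEYS.indexOf(key) === -1) {
      return { ok: false, error: `unknown field: ${key}` };
    }
  }
  const target = input["path"];
  if (typeof target !== "string" || target.length === 0 || target.indexOf("\0") !== -1) {
    return { ok: false, error: "path must be a non-empty string without NUL bytes" };
  }
  const args: ScanArgs = { path: "" };
  for (const key of ["preset", "minConfidence"] as const) {
    const value = input[key];
    if (value === undefined) continue;
    if (typeof value !== "string") return { ok: false, error: `${key} must be a string` };
    args[key] = value;
  }
  // Lexical confinement: resolve against the root, then require that the result
  // is the root itself or below it. A real handler would also compare
  // fs.realpath() results so a symlink inside the workspace cannot point outside.
  const root = path.resolve(workspaceRoot);
  const resolved = path.resolve(root, target);
  const rel = path.relative(root, resolved);
  if (rel.split(path.sep)[0] === ".." || path.isAbsolute(rel)) {
    return { ok: false, error: "path escapes the workspace root" };
  }
  args.path = resolved;
  return { ok: true, args };
}
```

The same check applies to the path inputs of g0_inventory, g0_flows and g0_mcp.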