> ## Documentation Index
> Fetch the complete documentation index at: https://ctpf.q-uestionable.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Overview

> Automated MCP server security scanning mapped to OWASP MCP Top 10, MITRE ATLAS, CWE, and OWASP Agentic Top 10

<Note>
  **Library / research fixture (Phase 1).** Audit is not a root `qai` CLI pillar
  after the CTPF reconnect shape cut. Use package imports or module entry points —
  not `qai audit`. The public CLI center is [`qai proxy`](/proxy/overview).
</Note>

The audit module scans MCP servers by enumerating exposed tools, resources, and prompts, then running security checks mapped to the OWASP MCP Top 10, MITRE ATLAS, CWE, and OWASP Agentic Top 10. It produces structured findings with severity ratings and remediation guidance.

## What It Tests

MCP servers execute real actions — running commands, querying databases, writing files. When misconfigured or compromised, they can leak credentials, escalate privileges, inject instructions into agent workflows, or execute arbitrary commands. The audit module checks for these issues systematically.

## How It Works

The audit scanning pipeline follows four steps:

1. **Connect** — Establish a connection to the target MCP server (stdio, SSE, or Streamable HTTP)
2. **Enumerate** — Discover all tools, resources, and prompts exposed by the server
3. **Scan** — Run each scanner module against the server's attack surface (static analysis, dynamic probing, or both)
4. **Report** — Output findings in JSON, SARIF, HTML, NDJSON, or CSV format with framework mappings

## Scanner Categories

The audit module includes 10 scanner modules, each targeting one OWASP MCP Top 10 category:

| Scanner            | Category                                  | Checks                                                                |
| ------------------ | ----------------------------------------- | --------------------------------------------------------------------- |
| `token_exposure`   | Token Mismanagement & Secret Exposure     | Credential leakage in schemas, responses, error messages              |
| `permissions`      | Privilege Escalation via Tools            | Excessive tool counts, dangerous categories, unconstrained parameters |
| `tool_poisoning`   | Tool Poisoning                            | Embedded instructions, Unicode tricks, suspicious patterns            |
| `supply_chain`     | Supply Chain & Integrity                  | Server identity, CVE checking, tool provenance                        |
| `injection`        | Command Injection via Tools               | Shell injection, argument injection, path traversal payloads          |
| `prompt_injection` | Indirect Prompt Injection                 | Injection patterns in tool responses                                  |
| `auth`             | Insufficient Authentication/Authorization | Unauthenticated enumeration, unencrypted transports                   |
| `audit_telemetry`  | Insufficient Audit & Telemetry            | Logging, monitoring, error handling capabilities                      |
| `shadow_servers`   | Shadow MCP Servers                        | Development markers, unmanaged deployment indicators                  |
| `context_sharing`  | Context Over-Sharing                      | Session data leakage, context oversharing, resource scope             |

## Report Formats

Generate findings in any format:

* **JSON** — Programmatic consumption, database integration
* **SARIF** — GitHub Code Scanning integration, CI/CD automation
* **HTML** — Human-readable reports with interactive navigation
* **NDJSON** — Streaming format for large scan results
* **CSV** — Spreadsheet analysis and reporting

<Tip>
  SARIF output integrates directly with GitHub Code Scanning. Use `gh code-scanning upload-sarif` to publish audit findings in your repository.
</Tip>

## Framework Mapping

Every finding is mapped to multiple security frameworks:

* **OWASP MCP Top 10** — Agentic AI security framework specific to MCP
* **OWASP Agentic Top 10** — Broader agentic AI security categories
* **MITRE ATLAS** — Machine learning attack tactics and techniques
* **CWE** — Software weakness catalog for root cause tracking

Mappings enable integration with your existing security tools and compliance workflows.

## What to Expect

Audit scanning is automated once invoked as a library: select scanners (or run all), and get a structured report. No manual iteration, no payload crafting. Scanners can be individually selected. New scanners can be added by subclassing `BaseScanner` and registering in the scanner registry.

## Next Steps

* [Audit CLI](/audit/cli) — Scan commands, flags, and options
* [Scanner Catalog](/audit/scanners) — Detailed description of each scanner
* [Framework Coverage](/audit/framework-coverage) — Mapping tables for OWASP, MITRE, and CWE
* [SARIF Output](/exports/sarif) — Report format and CI integration
* [Fixtures](/audit/fixtures) — Vulnerable test servers for scanner validation
