Policy Gate

Capability Governance For MCP Dependencies

Install the workflow. Push. The gate runs. No API key, no signup. See what powers your AI gains, track capability changes between runs, and force stale approvals back into review.

Install (60 seconds)

Save as .github/workflows/agentscore.yml, push, and the gate runs on the next PR. Auto-provisions via GitHub OIDC.

name: AgentScore Policy Gate
on: [push, pull_request]

jobs:
  policy-gate:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: actions/checkout@v4
      - uses: Thezenmonster/mcp-verdict-action@v1
        with:
          fail-on: block

No API key. First push authenticates with GitHub OIDC and auto-provisions your repo.

Preview your repo

See what MCP capabilities the gate would find in your repo. No install needed.

What changes on a real run

Current power surface

File write, repo write, outbound network, browser automation, database access.

Latest diff

New: browser automation via @playwright/mcp. Removed: none.

Review state

Repo write approved until May 13. Browser automation needs approval. Stale if version or tool manifest changes.

Policy Console

Repo Capability State

Inspect what powers a repo currently gives to AI, what changed in the latest run, which capabilities are approved, and what needs reapproval. OIDC keeps CI keyless; browser reads still use a repo or admin key today.

Redis/RedisInsight pinned MCP versions after our scan. Our data is part of the OWASP MCP Top 10. 350+ packages monitored. 6,000+ scans.

Persist capability history

Scan history, monitored packages, repo inventory, and repo runs all retain capability state.

Show diffs, not just scores

New and removed powers are tracked between repo runs so reviewers see what changed.

Approve at capability level

Approval records are tied to repo, package, capability, package version, and tool manifest hash.

Reapproval when things drift

Expiry, version changes, or tool-manifest changes push a capability back into review.

What The Gate Decides

  • Which MCP packages are present in this repo.
  • What capabilities those packages expose to AI.
  • What powers are new or removed versus the previous run.
  • Which capabilities are approved, expired, stale, or unreviewed.
  • Whether the package verdict still passes repo policy.
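The approval model described above (records tied to repo, package, capability, version and tool-manifest hash; reapproval on expiry, version change or manifest change) and the five decisions the gate makes can be shown end to end in a small Python model. This is an added example, not Policy Gate's or AgentScore's own code: the record shapes, the "block unless every capability is approved" policy, the repo name acme/app, the package versions, tool manifests and dates are all constructed for illustration.

```python
"""Added example (not the product's code): capability-level approvals that go
stale when the package version or tool-manifest hash moves, plus a run diff.
All sample data below is constructed."""
from dataclasses import dataclass
from datetime import date
import hashlib
import json


@dataclass(frozen=True)
class Approval:
    """One approval record, keyed the way the page describes: repo, package,
    capability, package version and tool-manifest hash, with an expiry."""
    repo: str
    package: str
    capability: str
    version: str
    manifest_hash: str
    expires: date


@dataclass(frozen=True)
class PackageRun:
    """What one scan observed for one MCP package (constructed shape)."""
    name: str
    version: str
    capabilities: frozenset
    tools: tuple  # tool manifest entries as dicts with name + inputSchema


def manifest_hash(tools) -> str:
    """Hash the manifest in canonical form: tool order and key order do not
    change the hash, but any added tool or altered schema does."""
    canon = json.dumps(sorted(tools, key=lambda t: t["name"]),
                       sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()


def diff_capabilities(previous, current):
    """(new, removed) sets of (package, capability) pairs between two runs."""
    prev = {(p.name, c) for p in previous for c in p.capabilities}
    curr = {(p.name, c) for p in current for c in p.capabilities}
    return curr - prev, prev - curr


def review_state(approval, pkg, today):
    """Classify as approved / expired / stale / unreviewed. Expiry is checked
    before drift, so an expired-and-drifted approval reports 'expired'."""
    if approval is None:
        return "unreviewed"
    if approval.expires < today:
        return "expired"
    if (approval.version != pkg.version
            or approval.manifest_hash != manifest_hash(pkg.tools)):
        return "stale"
    return "approved"


def gate(repo, previous, current, approvals, today):
    """Evaluate one run. Assumed policy (the page does not spell it out):
    the verdict is 'block' unless every present capability is approved."""
    index = {(a.repo, a.package, a.capability): a for a in approvals}
    states = {}
    for pkg in current:
        for cap in pkg.capabilities:
            states[(pkg.name, cap)] = review_state(
                index.get((repo, pkg.name, cap)), pkg, today)
    new, removed = diff_capabilities(previous, current)
    verdict = "pass" if all(s == "approved" for s in states.values()) else "block"
    return {"new": new, "removed": removed, "states": states, "verdict": verdict}


# --- constructed sample data ---------------------------------------------
TODAY = date(2026, 4, 1)
GITHUB_TOOLS_V1 = ({"name": "create_issue", "inputSchema": {"type": "object"}},)
GITHUB_TOOLS_V2 = GITHUB_TOOLS_V1 + (
    {"name": "push_files", "inputSchema": {"type": "object"}},)
PLAYWRIGHT_TOOLS = ({"name": "browser_navigate", "inputSchema": {"type": "object"}},)
GITHUB_CAPS = frozenset({"repo write", "file write", "outbound network"})

PREVIOUS_RUN = [PackageRun("github-mcp", "1.1.0", GITHUB_CAPS, GITHUB_TOOLS_V1)]
CURRENT_RUN = [
    PackageRun("github-mcp", "1.2.0", GITHUB_CAPS, GITHUB_TOOLS_V2),
    PackageRun("@playwright/mcp", "0.1.0", frozenset({"browser automation"}),
               PLAYWRIGHT_TOOLS),
]
APPROVALS = [
    # matches current version + manifest, valid until May 13 -> approved
    Approval("acme/app", "github-mcp", "repo write", "1.2.0",
             manifest_hash(GITHUB_TOOLS_V2), date(2026, 5, 13)),
    # granted against 1.1.0 and its old manifest -> stale after the bump
    Approval("acme/app", "github-mcp", "file write", "1.1.0",
             manifest_hash(GITHUB_TOOLS_V1), date(2026, 5, 13)),
    # current version and manifest, but the expiry has passed -> expired
    Approval("acme/app", "github-mcp", "outbound network", "1.2.0",
             manifest_hash(GITHUB_TOOLS_V2), date(2026, 3, 1)),
    # no record at all for browser automation -> unreviewed
]


def run_example():
    return gate("acme/app", PREVIOUS_RUN, CURRENT_RUN, APPROVALS, TODAY)


if __name__ == "__main__":
    print(run_example())
```

Keying the approval on the manifest hash rather than only the version is what catches a server that ships new tools under an unchanged version string; the canonical JSON step matters so that a harmless reordering of the manifest does not force needless reapproval.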