PolicyLayer Scan
Version updated for https://github.com/PolicyLayer/scan-action to version v1.
- This action is used across all versions by ? repositories.
Action Type
This is a Node action using Node version 20.
Go to the GitHub Marketplace to find the latest changes.
Action Summary
The PolicyLayer Scan Action is a GitHub Action designed to analyze MCP server configurations for security risks during pull requests. It identifies potential vulnerabilities by comparing the configuration against 115+ known servers and provides a detailed report via a comment on the PR. This action automates security reviews, ensures secrets remain private, and optionally enforces thresholds to prevent risky configurations from being merged.
Release notes
Scan your MCP config for security risks on every PR.
What it does
- Finds MCP server config in your repo
- Analyses against 115+ known servers, 2,500+ tools
- Posts a sticky PR comment with report URL and summary stats
- Optionally fails the check based on severity threshold
Quick start
- uses: PolicyLayer/scan-action@v1
  with:
    fail-on: high
  env:
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
Privacy
Only server names and package identifiers are sent. API keys, tokens, env vars, and file paths are stripped before anything leaves the runner.