Skip to content

Add reproducible MCP safety receipt and CI/SARIF gate? #13

Description

@KryptosAI

Hi Dropbox Dash MCP maintainers. I maintain MCP Observatory, an OSS tool for producing reproducible MCP server receipts, safe attack-readiness evidence, risk graphs, and GitHub Code Scanning/SARIF gates.

This repo is a good candidate because it exposes an enterprise-search MCP boundary and uses OAuth/API credentials, which downstream agent users will naturally want to review before depending on it in production.

I did not run anything against Dropbox services or credentials. The useful next step would be a no-secret fixture mode that can safely exercise startup/list_tools in CI, then add a weekly SARIF gate. The generated command would look roughly like:

npx @kryptosai/mcp-observatory setup-ci --all --command "uv --directory . run src/mcp_server_dash.py" --sarif --schedule weekly

A good PR could add:

  • a no-secret fixture/mock mode for CI
  • an MCP Observatory target config for that mode
  • generated Markdown/JSON receipt evidence
  • optional SARIF upload to GitHub Code Scanning

If you have a preferred safe startup command or fixture approach, I’m happy to open a focused PR around that. No vulnerability claim here; this is about giving agent users a reproducible trust receipt before wiring enterprise search into automated workflows.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions