# GitGuardian MCP

> GitGuardian connects your workspace to any AI agent, letting you manage secret leaks and audit security without leaving your flow. Use it to scan code snippets, list active incidents, deploy decoy credentials (honeytokens), and check compliance logs instantly via natural conversation.

## Overview
- **Category:** fort-knox
- **Price:** Free
- **Tags:** secret-detection, vulnerability-scanning, incident-response, cybersecurity, honeytokens, code-security

## Description

This MCP lets you strengthen your organization's security by automating the detection of leaked secrets. You talk to your agent, and it handles the heavy lifting—scanning code for hardcoded API keys or AWS credentials before they cause a breach. If an incident is already active, you don't have to log into multiple dashboards; you can ask your agent to list secret incidents, assign them to specific team members, or even update their status right away. You can also build detection layers by creating and managing decoy honeytokens that flag unauthorized access attempts across your private infrastructure. Because Vinkius hosts this MCP, your agent gets instant access to all the security tools needed, allowing you to operate as a 24/7 Security Operations Center assistant directly from your IDE or terminal.

## Tools

### assign_secret_incident
This tool lets you assign ownership of an existing secret leak incident to a specific team member.

### bulk_prefix_lookup
It performs a bulk lookup for common honeytoken hashes, helping confirm if a decoy credential was triggered.

### create_custom_tag
You create specific tags to categorize or label security findings within your workspace.

### create_honeytoken_note
This tool allows you to attach contextual notes directly to a honeytoken for documentation purposes.

### create_honeytoken
You deploy new decoy credentials (honeytokens) into your system, increasing detection coverage.

### create_honeytoken_with_context
This lets you create a honeytoken and simultaneously add specific contextual information to it.

### create_team
You establish new teams within your GitGuardian account for grouping users with shared security responsibilities.

### delete_custom_tag
This removes a custom tag you previously created, cleaning up unnecessary labels.

### delete_custom_tags_key
You delete an entire key of custom tags when they are no longer needed.

### get_custom_tag
This retrieves the details for a specific, existing custom tag by its name or ID.

### get_health
You check the overall API health status of your connected GitGuardian account to ensure proper connection.

### get_honeytoken
This retrieves all stored details for a single honeytoken, letting you review its setup and usage history.

### get_quotas
You view an overview of your current API usage quotas to prevent service interruptions.

### get_secret_incident
This tool retrieves all historical and current details related to a specific secret leak incident.

### get_self_api_token
You pull the full details of the API token currently being used by your agent client.

### ignore_secret_incident
If a leak is a false positive or benign, you can mark it as ignored to clear up unnecessary alerts.

### list_api_tokens
You get a list of all API tokens associated with your workspace for auditing purposes.

### list_audit_log_event_names
This lists every type of event that can be tracked and audited within your workspace history.

### list_audit_logs
You view a comprehensive list of all activity logs, showing who did what and when in the workspace.

### list_custom_tags
This retrieves an overview of every custom tag you have set up for organization.

### list_health_check_history
You view a record of past health checks to track stability over time for a specific instance.

### list_health_checks
This lists the current and recent health check records available for your monitored environment.

### list_honeytoken_events
You retrieve a list of all events triggered by any honeytoken, showing detection activity.

### list_honeytoken_notes
This shows you all the documentation notes that have been attached to your honeytokens.

### list_honeytoken_sources
You see a list of sources where any given honeytoken has appeared, pinpointing potential intrusion points.

### list_honeytokens
This provides an overview and list of all currently active decoy credentials (honeytokens).

### list_ip_allowlist
You view the current rules defining which IP addresses are permitted access to your system.

### list_ips
This lists all official and monitored IP address ranges belonging to GitGuardian's infrastructure.

### list_members
You view a roster of all user accounts who have access to the workspace.

### list_scim_groups
This lists groups that are synced or managed via SCIM protocols, helping with identity management.

### list_scim_users
You view a list of users who have been imported into the workspace using SCIM standards.

### list_secret_incidents
This retrieves a comprehensive list and summary of all detected secret leaks in your entire codebase or repository.

### list_sources
You view every source type (e.g., GitHub, GitLab) that is currently connected and being monitored for secrets.

### list_team_memberships
This shows which specific users belong to which security teams within your organization.

### list_teams
You get an overview and list of all defined security teams in the workspace.

### multiscan_content
This tool allows you to scan multiple large files or documents simultaneously for patterns indicating secrets.

### reset_honeytoken
If a decoy credential is compromised, this resets it so that you can redeploy a fresh copy immediately.

### resolve_secret_incident
When a security issue has been fixed and verified, you use this to formally close out the incident record.

### revoke_honeytoken
You deactivate a honeytoken, preventing it from being triggered or reported on further.

### revoke_self_api_token
This immediately cancels and revokes the specific API token your agent is currently using for connectivity.

### scan_and_create_incidents
You run a scan on new content, and if secrets are found, this automatically generates official incident records.

### scan_content
This scans a single provided piece of content or code snippet to immediately check for any sensitive data patterns.

### trigger_health_check
You force the system to run an immediate health check on your monitored environment, verifying uptime and connectivity status.

### trigger_source_scans
This manually kicks off scans across all connected sources (like repositories) to catch any recent changes that might contain secrets.

### update_custom_tag_full
You perform a complete, full replacement of the details associated with an existing custom tag.

### update_custom_tag_partial
This modifies only specific fields of an existing custom tag without affecting its other metadata.

### update_custom_tags_key
You update the key definition for a group of custom tags when their purpose changes.

### update_honeytoken
If an existing decoy credential needs modification (like changing its name), this updates its details while keeping it active.

### update_secret_incident
You modify the status or assigned personnel of a secret incident after initial detection.

## Prompt Examples

**Prompt:** 
```
List the most recent secret incidents in my workspace.
```

**Response:** 
```
I've retrieved the latest incidents. There are 3 active leaks: a 'GitHub Personal Access Token' in repository 'web-app' and two 'AWS Keys' in 'legacy-service'. Would you like the details for the GitHub token leak?
```

**Prompt:** 
```
Create a new AWS honeytoken named 'Internal-Dev-Decoy'.
```

**Response:** 
```
Successfully created the honeytoken 'Internal-Dev-Decoy'. The AWS Access Key ID is `AKIA...` and the Secret Key is provided in the metadata. You can now place this in your environment to detect intruders.
```

**Prompt:** 
```
Scan this code for secrets: 'const apiKey = "sk_live_51MzX..."'
```

**Response:** 
```
Scan complete. I detected a 'Stripe Live Secret Key' in the provided string. This is a high-severity finding. I recommend rotating this key immediately and removing it from your source code.
```

## Capabilities

### Scan Code for Secrets
You feed the MCP code snippets or documents and it finds sensitive data like private keys, tokens, and passwords.

### Manage Breaches and Incidents
You can list active leaks, get full details on a specific secret incident, and resolve them when remediation is complete.

### Deploy Decoy Credentials
The MCP allows you to create honeytokens—fake credentials placed in your system that alert you if they are ever used by an unauthorized party.

### Audit Compliance and Activity
You retrieve detailed logs of workspace activity, track who did what, and ensure the environment meets security policy requirements.

### Organize Security Teams
The MCP helps you manage team memberships and API tokens to coordinate security efforts across different groups in your company.

## Use Cases

### Preventing Accidental Key Commits
A developer is about to push a new feature branch. Instead of running local checks, they ask their agent: 'Scan this file for secrets.' The agent uses `scan_content` and immediately flags an exposed Stripe key, allowing the developer to fix it before committing.

### Responding to Suspected Breaches
A security analyst notices strange activity. They ask the agent to list all honeytoken events. The agent uses `list_honeytoken_events`, which shows that a decoy AWS key was used in an unexpected region, guiding the investigation immediately.

### Auditing Team Access
A manager needs to know who has access rights across environments. They ask the agent to list all workspace members and then use `list_team_memberships` to verify if a departed employee still belongs to critical groups.

### Maintaining Compliance Records
During an audit, you need proof of security controls. You ask the agent to list audit logs for the last quarter. The MCP uses `list_audit_logs` and provides a structured report showing all critical actions taken.

## Benefits

- You stop guessing about security. By using the `scan_content` tool, your agent instantly checks any code snippet you provide for sensitive data before it ever makes it into a commit.
- Incident response is faster. Instead of manually checking dashboards, you ask to list secret incidents and then use `assign_secret_incident` or `update_secret_incident` to manage the fix status right in your chat interface.
- You build better defenses with honeytokens. Running `create_honeytoken` lets you deploy fake keys across your infrastructure, and if they trigger an event (which you can list using `list_honeytoken_events`), you know exactly where an intruder is looking.
- Compliance checks get automated. You can ask the MCP to run a full audit by listing all audit logs or checking the IP allowlist rules without logging into separate compliance portals.
- Your team coordination improves. The MCP lets you manage teams via `create_team` and track who has access using tools like `list_members`, keeping your security operations organized.

## How It Works

The bottom line is you get an automated security analyst that lives inside your existing workflow and doesn't require switching tabs.

1. First, subscribe to this MCP and provide your specific GitGuardian API Key.
2. Next, tell your AI client what you want to check—for example, 'Scan the latest pull request for secrets,' or 'List all active honeytokens.'
3. Finally, your agent processes the request using the underlying tools, returning a clean summary of detected leaks, incident status, or audit results.

## Frequently Asked Questions

**How do I use GitGuardian MCP to find leaked API keys?**
You ask your agent to scan specific code snippets using the `scan_content` tool. It immediately checks that content against known patterns for secrets and reports any findings, telling you which key was exposed.

**Can GitGuardian MCP manage my team's security roles?**
Yes, you use tools like `list_teams` or `list_members` to see who is in the system. You can then use `assign_secret_incident` to assign ownership of a breach to specific team members.

**What are honeytokens and how does GitGuardian MCP help?**
Honeytokens are fake credentials that act as tripwires. The MCP lets you deploy them using `create_honeytoken`. If they get used, the system alerts you via `list_honeytoken_events`, showing exactly where an intruder went.

**Is GitGuardian MCP better than just looking at audit logs?**
Theoretically, yes. While you can use `list_audit_logs` to see general activity, this MCP connects that log data directly to specific secret incidents and team responsibilities, giving context.

**How do I clean up old or false-positive leaks with GitGuardian MCP?**
First, you check the details using `get_secret_incident`. Once confirmed as benign or fixed, you use `ignore_secret_incident` to mark it in the system, keeping your active incident list clean.