Documentation
Gated audits the security posture of MCP servers. This is the reference for what it checks and how. The catalog lists every check grouped into five families; each check declares the findings it raises, the intensity it runs at, and the spec clauses it proves.
Overview
Every scan runs a set of checks against one authorized target. Which checks run depends on the family they belong to, the intensity of the scan, and what the scan can discover about your server. Start with the check catalog to see the full surface; read the dependency model to understand why a check runs, sits out, or is skipped; or jump straight to a family below.
Check families
Five families partition the catalog by the question each check answers.
Can the server be coerced into doing something it shouldn't? Auth gaps, injection surfaces, token leaks, tools exposed without scope.
Does the server follow the specs it claims to? MCP, OAuth, JSON-RPC, HTTP, TLS — all the contracts a stable building block depends on.
Is it pleasant to integrate against? Schema correctness, error shape, descriptive metadata, predictable tool behavior.
Does it stay correct under load and partial failure? Timeouts, retries, idempotency, cancellation, behavior at the edges.
Will it bankrupt the team that adopts it? Payload bloat, chatty tools, unbounded responses, expensive defaults.
Scan intensities
Intensity decides how far a scan reaches. Each step up runs everything the level below it does, plus more invasive checks. Read the full breakdown, or jump to a level below.
What the server says about itself. Reads TLS, OAuth metadata, tools/list, serverInfo. No new connections. Safe in CI on every PR.
Whether the server does what it says. Bounded, targeted requests to verify declared behavior — does an invalid token actually get rejected? Production-safe with rate-limit awareness.
What happens at the edges. Iterates the tool surface, walks pagination, bursts to trigger rate-limit behavior, opens many connections. Best on staging, or production with explicit opt-in.
What a determined attacker can extract. LLM-driven attack construction, prompt injection, tool poisoning, sustained exploitation chains. Opt-in per scan.