Know What To Trust Before It Runs

MCP Trust Registry

Discover MCP servers, tools, and capabilities with structured trust data to evaluate what to use, what to ship, and what to connect into production.

10,000+ public MCP servers scanned

22+ security rules evaluated

More Than MCP — A Trust Registry for Agentic Systems

Attach structured context to each step of execution so teams can understand both actions and intent. Each step is enriched with Trust Context — including identifiers, capability metadata, ownership signals, and runtime behavior. Understand which tools were involved, what was invoked, and how execution actually behaved.

Built for the Teams Shaping the Agentic Ecosystem

The MCP Trust Registry supports different decisions across the agentic lifecycle, from discovery and development to deployment and governance.

Developers

Build with Better Starting Points

Discover MCP servers and tools with the trust data needed to evaluate them before they become part of your execution path.

See ownership and capability definitions

Understand what tools expose before you connect them

Compare components before building against them

Start with better signals than guesswork

Explore

Discover What You Can Build — and How It Will Behave

Evaluate MCP servers, tools, and capabilities before you use them — with the information needed to understand how they are likely to behave when agents invoke them.

See ownership and capabilities clearly

Understand how tools can be invoked

Spot risks and unintended usage paths

Evaluate components before using them

Build

Discover What You Can Build — and How It Will Behave

Connect agents to tools and MCP servers with clear visibility into capabilities, ownership, and expected behavior — so you avoid issues later in production.

Structure identity and capabilities early

Understand how agents will invoke tools

Catch exposure and config issues sooner

Build for production from the start

Understand

See How Agent Behavior Actually Unfolds

Follow execution across agents, tools, and MCP servers so you can understand what happened, what was invoked, and how actions propagated.

Trace execution end to end

See which tools were involved

Catch failures and unexpected behavior

Ship

Ship Agents That Are Ready for Real Use

Move from working prototype to production-ready workflow with clearer signals about what your agent is actually doing — so you can validate behavior, catch issues earlier, and ship with more confidence.

Validate behavior before shipping

Catch issues before production

Support CI/CD and automation workflows

Ship with more confidence

Understand how BlueRock evaluates MCP servers for security risks.

What the MCP Trust Registry Enables

Find Safer Components Earlier

Discover MCP servers and tools with the trust data needed to evaluate them before they enter your build or execution path.

Show That Your MCP Server Is Ready to Use

Generate structured trust data that helps teams understand ownership, capabilities, and operational posture.

Bring Trust Signals Into Execution

Feed registry data into BlueRock’s Trust Context Engine so trust signals can travel with tools, MCP servers, and connected components.

Use Trust Data in CI/CD and Automation

Bring structured trust data into platform workflows to guide what gets connected, promoted, and operated in production.

Use Trust Data Where Decisions Get Made

The MCP Trust Registry is designed to be used beyond the browser.

Teams can bring trust data into development workflows, CI/CD pipelines, and operational processes that shape what gets built, promoted, and connected into production.

That makes the registry useful not just for discovery, but for standardizing how MCP servers and tools are evaluated before they become part of shared execution paths.

  • Use trust data in CI/CD checks

  • Standardize MCP adoption workflows

  • Feed platform automation with better signals

  • Support production readiness decisions earlier

Generate Trust Data for Any MCP Server

BlueRock can analyze public or private MCP servers to generate the structured trust data needed for discovery, evaluation, and operational use.

This helps teams understand ownership, capability exposure, likely invocation patterns, and other signals that support safer adoption and better production decisions.

Scan a Public MCP Server

If you don't see a public MCP Server in the MCP Trust Registry, submit any public MCP server GitHub repo for a free, comprehensive security scan.

Get a Security Scan of Your Private MCP Server

Most enterprise MCP adoption is internal. Submit your private repo for the same 22-rule analysis. Get a full security report with code-level findings your team can act on immediately.

A Core Input to the Trust Context Engine

The MCP Trust Registry is one of the core sources of trust data used by BlueRock’s Trust Context Engine.

As agents invoke tools and MCP servers, registry data helps enrich execution with structured trust signals such as ownership, capability definitions, and other attributes needed to interpret and govern behavior more precisely.

That allows trust to travel with execution — improving both observability and guardrails across the Agentic Action Path.

Start Building With Better Trust Signals

The MCP Trust Registry scanned 10,000+ MCP servers. Here's what we found:

9.2% of MCP servers have critical vulnerabilities

43% of MCP servers have command injection flaws

36% of MCP servers are vulnerable to SSRF

Common questions about the MCP Trust Registry

What it scans, what it finds, and how to use it.

What is the MCP Trust Registry?

The MCP Trust Registry is BlueRock's security-focused registry for MCP servers — scanning public and private MCP server builds for vulnerabilities and tool inventory using 22+ security rules. Every scan delivers a risk rating (Low, Medium, High, or Critical), code-level findings with remediation guidance, and a full inventory of every tool the server exposes. Public MCP server scans are free.

How widespread are MCP security vulnerabilities?

BlueRock's analysis of 10,000+ public MCP servers found that 9.2% have critical vulnerabilities, 43% have command injection flaws, and 36% are vulnerable to SSRF. BlueRock's own research showed that an unbounded URI call in a widely-used MCP server (86,000+ stars) could be exploited to take over cloud infrastructure by fetching instance metadata credentials.

What does a Trust Registry scan actually check?

The Trust Registry evaluates MCP servers across 22+ security rules covering four categories: exposure and authentication (unrestricted endpoints, unsafe token handling, missing scopes), tool risk, data and egress (SSRF/unbounded outbound fetch, mass data extraction patterns), and runtime dependencies (unpinned packages, CVEs, injection sinks). Analysis is code-level — not heuristics or signatures.

Can I scan my private or internal MCP servers?

Yes. Private repo scanning is available for enterprise and internal MCP deployments. Submit your private GitHub repo for the same 22-rule analysis used on public servers and get a full security report with code-level findings and developer-ready remediation steps.

How is the MCP Trust Registry different from a standard security scanner?

Standard security scanners evaluate general code patterns. The MCP Trust Registry evaluates MCP-specific risk: tool exposure, destructive operation inventory, agentic execution context, and trust posture — mapped to the OWASP MCP Top 10, MAESTRO, and MITRE CWE. It's built for how MCP servers surface capabilities to AI agents, not just general code vulnerabilities.