Usage

superbox push [--name NAME] [--force]

Description

Publish an MCP server to the R2-backed registry with comprehensive security scanning.
Requires authentication; run superbox auth login first.

Options

--name (string)
    MCP server name (read from superbox.json if not provided)
--force (boolean)
    Force overwrite if the server already exists in the registry

What It Does

1. SonarCloud Analysis
   Runs SonarCloud static analysis and waits for the quality gate result.
2. Tool Discovery
   Clones the repository to a temp directory and discovers MCP tools via regex (finds @*.tool()-decorated functions).
3. Snyk Dependency Scan
   Scans Python dependencies for known CVEs.
4. GitGuardian Scan
   Scans the repository for exposed secrets and credentials.
5. Bandit Security Scan
   Python-specific security vulnerability analysis.
6. Upload to R2
   Uploads the server metadata and security report to the R2 registry as {name}.json.
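As an added illustration of step 2 (not superbox's own code, whose regex is not shown on this page), a regex-based discovery pass of the kind described, run over a constructed FastMCP-style source file. The decorator pattern, the handling of an explicit name= argument and the sample source are assumptions.

```python
import re

# Regex for "@<object>.tool(<args>)" followed, after any further stacked
# decorators, by the decorated "def". The exact pattern superbox uses is
# not shown on the page; this one is an assumption covering FastMCP style.
TOOL_DECORATOR_RE = re.compile(
    r"^[ \t]*@[A-Za-z_][\w.]*\.tool\((?P<args>[^)]*)\)[ \t]*$"
    r"(?:\s*^[ \t]*@.*$)*"
    r"\s*^[ \t]*(?:async\s+)?def\s+(?P<func>[A-Za-z_]\w*)\s*\(",
    re.MULTILINE,
)
# An explicit name, e.g. @mcp.tool(name="alerts"), overrides the function name.
NAME_KWARG_RE = re.compile(r"""\bname\s*=\s*['"]([^'"]+)['"]""")


def discover_tools(source: str) -> list[dict]:
    """Return one record per @*.tool()-decorated function in a source file."""
    tools = []
    for m in TOOL_DECORATOR_RE.finditer(source):
        explicit = NAME_KWARG_RE.search(m.group("args"))
        tools.append({
            "name": explicit.group(1) if explicit else m.group("func"),
            "function": m.group("func"),
            "line": source.count("\n", 0, m.start()) + 1,  # 1-based line
        })
    return tools


# Constructed sample server source (not from the page) to exercise the scan.
# The @mcp.resource() function must not be reported as a tool.
SAMPLE_SOURCE = '''
@mcp.tool()
def get_forecast(city: str) -> str:
    return "sunny"

@mcp.tool(name="alerts")
async def get_alerts(state: str) -> str:
    return "none"

@mcp.resource("config://app")
def config() -> str:
    return "{}"
'''

if __name__ == "__main__":
    for t in discover_tools(SAMPLE_SOURCE):
        print(f"{t['name']:<12} -> {t['function']} (line {t['line']})")
```

A purely textual pass like this cannot see tools registered at runtime or decorators whose arguments span several lines, so comparing the discovered count with what the server actually exposes is a useful sanity check before publishing.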

Security Pipeline

The 5-step security check includes:
  • SonarCloud: Code quality, bugs, code smells, security hotspots
  • Tool Discovery: Validates MCP tool definitions exist in source code
  • Snyk: Dependency vulnerability detection
  • GitGuardian: Secret detection (API keys, tokens, credentials)
  • Bandit: Python security issues (SQL injection, XSS, etc.)

Prerequisites

superbox.json: run superbox init first.
Environment variables: configure .env with Cloudflare R2, SonarCloud, Snyk, and GitGuardian credentials.

Examples

superbox push --name my-mcp

Example Output

$ superbox push --name weather-mcp
Pushing server: weather-mcp
Running SonarCloud analysis...
SonarCloud scan complete
Discovering tools...
Found 3 tools
Running Snyk dependency scan...
No vulnerabilities found
Running GitGuardian scan...
No secrets detected
Running Bandit scan...
Security checks passed
Uploading to R2 registry...
Push complete

Next Steps

View Server: inspect the published server.
Test Server: test before publishing.