Usage

superbox push [--name NAME] [--force]

Description

Publish an MCP server to the S3-backed registry after running the security scanning pipeline described below.
Requires authentication: run superbox auth login first.

Options

--name   string    MCP server name (read from superbox.json if not provided)
--force  boolean   Force overwrite if the server already exists in the registry

What It Does

1. SonarQube Analysis: creates a project and scans code quality
2. Tool Discovery: discovers MCP tools via regex patterns in Python/Node.js code
3. GitGuardian Scan: scans for exposed secrets and credentials
4. Bandit Security Scan: Python-specific security vulnerability analysis
5. Generate Report: creates a unified security report
6. Upload to S3: uploads server metadata and configuration to the S3 registry
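Step 2 above relies on regular expressions to find tool definitions rather than importing or executing the server code. The following is an added example, not superbox's own discovery code, showing what such a scan looks like and where it falls short. The two sample sources, the decorator and call shapes matched (a FastMCP-style `@<obj>.tool(...)` decorator in Python and a `<obj>.tool("name", ...)` call in Node.js), and the helper names are all assumptions constructed for this illustration; the patterns superbox actually uses are not documented on this page.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample inputs (not taken from any real server).
# The last line of PYTHON_SRC registers a tool dynamically; a purely
# regex-based scan will not see it, which is the caveat to keep in mind
# when reading the "Found N tools" line in the push output.
PYTHON_SRC = '''
from mcp.server.fastmcp import FastMCP

mcp = FastMCP("weather")

@mcp.tool()
def get_forecast(city: str) -> str:
    """Return a forecast."""
    return "sunny"

@mcp.tool(name="get_alerts")
def alerts(state: str) -> str:
    return "none"

def helper():
    pass

mcp.add_tool(helper)   # dynamic registration: invisible to the regex below
'''

NODE_SRC = '''
const server = new McpServer({ name: "weather", version: "1.0.0" });
server.tool("get_forecast", { city: z.string() }, async ({ city }) => ({ content: [] }));
server.tool(
  "get_alerts",
  { state: z.string() },
  async ({ state }) => ({ content: [] })
);
'''


@dataclass(frozen=True)
class Tool:
    name: str
    language: str
    line: int  # 1-based line of the match start, for the report


# Assumed Python pattern: `@<obj>.tool` decorator, optional `(...)` with an
# optional name="..." keyword, followed by the decorated `def`.
PY_TOOL_RE = re.compile(
    r'@\w+\.tool(?:\((?:[^)]*?name\s*=\s*["\']([^"\']+)["\'])?[^)]*\))?'
    r'\s*\n\s*(?:async\s+)?def\s+(\w+)',
    re.MULTILINE,
)
# Assumed Node.js pattern: `<obj>.tool("name", ...)`, possibly split over lines.
JS_TOOL_RE = re.compile(r'\b\w+\.tool\(\s*["\']([^"\']+)["\']', re.MULTILINE)

EXT_LANG = {".py": "python", ".js": "javascript", ".ts": "javascript", ".mjs": "javascript"}


def _line_of(source: str, offset: int) -> int:
    return source.count("\n", 0, offset) + 1


def discover_tools(source: str, language: str) -> list[Tool]:
    """Return the statically visible tool definitions in one source file."""
    tools: list[Tool] = []
    if language == "python":
        for m in PY_TOOL_RE.finditer(source):
            # Explicit name= wins over the function name, as FastMCP does.
            name = m.group(1) or m.group(2)
            tools.append(Tool(name, "python", _line_of(source, m.start())))
    elif language == "javascript":
        for m in JS_TOOL_RE.finditer(source):
            tools.append(Tool(m.group(1), "javascript", _line_of(source, m.start())))
    return tools


def discover_all(files: dict[str, str]) -> list[Tool]:
    """Scan a {path: source} mapping, choosing the pattern by file extension."""
    found: list[Tool] = []
    for path, source in files.items():
        ext = path[path.rfind("."):] if "." in path else ""
        lang = EXT_LANG.get(ext)
        if lang:
            found.extend(discover_tools(source, lang))
    return found


if __name__ == "__main__":
    for tool in discover_all({"server.py": PYTHON_SRC, "index.ts": NODE_SRC}):
        print(f"{tool.language:10} {tool.name:15} line {tool.line}")
    # Four tools are reported; the dynamically added `helper` is not one of them.
```

Because the scan is textual, a tool registered through a call such as add_tool, a loop, or a name built at runtime is not counted, and the tool count in the push output should be read as a lower bound rather than an inventory. The same limitation applies to any of the other static scanners in the pipeline: they report what the source text shows, not what the server does at runtime.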

Security Pipeline

The 5-step security check includes:
  • SonarQube: Code quality, bugs, code smells, security hotspots
  • Bandit: Python security issues (SQL injection, XSS, etc.)
  • GitGuardian: Secret detection (API keys, tokens, credentials)
  • Tool Discovery: Validates MCP tool definitions
  • Unified Report: Comprehensive security assessment

Prerequisites

  • superbox.json: run superbox init first
  • Environment variables: configure .env with AWS, SonarQube, and GitGuardian credentials

Examples

superbox push --name my-mcp

Example Output

$ superbox push --name weather-mcp
Pushing server: weather-mcp
Running SonarCloud analysis...
 SonarQube scan complete
Discovering tools...
 Found 3 tools
Running GitGuardian scan...
 No secrets detected
Running Bandit scan...
 Security checks passed
Uploading to S3...
 Push complete

Next Steps