Securing the MCP Ecosystem: Production Patterns for Transparency and Trust - Lisa Tagliaferri & Trevor Dunlap, Chainguard

by Lisa Tagliaferri, Trevor Dunlap

Day 1 · Empire Complex (7th Floor) · Security and Operations · 20 min · 4 min read

AI Safety & Ethics Applied AI

TL;DR

Chainguard rebuilt the Grafana MCP server from source, cutting its vulnerabilities from 100+ to zero. They built a documentation MCP server serving 2,000+ container image guides with content scanning and Cosign signing. The team evaluated seven open source MCP scanners and found false positives and disagreement. Their pipeline uses Wolfi base, workload identity federation, and a 7-day CVE SLA.

Real MCP Attacks and Scanner Gaps

▶ Watch (0:50)

The risk has moved. Malicious MCP servers already exfiltrate emails via hidden BCC headers. Cross-tool data leaks sent hundreds of WhatsApp messages to attackers. Parasitic tool chains chain legitimate tools into coordinated malicious workflows. These are real incidents exposing personal information. Meanwhile, security tooling lags. Lisa and Trevor evaluated seven open source MCP scanners. The scanners disagree heavily, generate false positives, and flag expected behavior as vulnerabilities. Specialized tools are not where they need to be.

Rebuilding Grafana MCP from Source Slashed 100+ CVEs

▶ Watch (3:08)

The upstream Grafana MCP Docker image had over 100 vulnerabilities. It is a Go application with 150+ direct and indirect dependencies. Chainguard rebuilt it from source instead of trusting the upstream binary. They used Wolfi, a minimal base image, eliminating unnecessary dependencies. They patched CVEs, signed the image with Cosign, and generated a full SBOM. Continuous scanning runs with a 7-day SLA for critical patches. The result: a hardened image with known provenance and zero vulnerabilities.

Content MCP Demands Input Defense, Not Just Output Hardening

▶ Watch (7:38)

The documentation MCP serves 2,000+ container image guides to AI assistants. Its threat model is different from infrastructure MCPs. The server cannot execute code, but it can influence every AI assistant that uses it. A compromised source repo, a bad merge, or a poisoned dependency can inject malicious instructions into the LLM’s context. Provenance signs the bundle as trusted, which amplifies the attack. Chainguard defends the input choke point: content annotation strips HTML comments, scans for prompt injection patterns, and runs Git Leaks. Tuned secret scanning avoids false positives from legitimate base64 digests. Every stage carries commit sha and timestamp provenance.

Repeatable Pipeline: Minimal Base, No Secrets, Signed Artifacts

▶ Watch (13:03)

The same patterns apply to both infrastructure and content MCPs: minimal base image, no static secrets, signed artifacts, CVE SLA. Chainguard’s pipeline runs source, compile, build, scan, sign, publish, verify. GitHub Actions hardened runner restricts egress. Workload identity federation eliminates long-lived keys. Every image build pushes an SBOM generated by Syft. Cosign keyless signing records in Rekor. Content scanning is tuned for the specific artifact. The base image inherits a 7-day critical CVE target. Many MCP servers in the wild lack any of these controls.

Q&A

Are there really that many MCPs with no SBOM attached? Yes, you can generate an SBOM yourself using Syft, but it is not attached within the image itself. ▶ Watch (17:53)

Do you scan for token pass-through patterns or other MCP-specific issues? The team evaluated AI-specific scanners, but they saw variation and false positives. Traditional scanners like Grype look at dependencies. MCP-specific scanning is still new and needs to catch up. ▶ Watch (18:32)

Notable Quotes

“A year ago MCP security was theoretical. Not anymore.” Lisa Tagliaferri · ▶ Watch (0:52)

“We’ve seen malicious MCP server exfiltrating user emails via hidden BCC headers.” Lisa Tagliaferri · ▶ Watch (0:59)

“The server can’t technically execute code or access your systems, but it could do something that’s arguably worse. It could influence every AI assistant that uses it, and those assistants do have access.” Lisa Tagliaferri · ▶ Watch (9:38)

“One compromised source repo, one bad merge, and every downstream consumer gets poisoned content wrapped in that trusted signature.” Lisa Tagliaferri · ▶ Watch (11:09)

Key Takeaways

Evaluate MCP scanners; today they disagree and produce false positives.
Rebuild MCP servers from source to control dependencies and patch CVEs.
Use minimal base images, signed artifacts, and workload identity federation.

About the Speaker(s)

Lisa Tagliaferri is Senior Director of Developer Enablement at Chainguard and a maintainer of Sigstore’s documentation. The author of “How To Code in Python” and a Linux Foundation course developer, Lisa focuses on helping developers and maintainers adopt CNCF and OpenSSF tooling.

Trevor Dunlap is a senior software engineer at Chainguard. He holds a Ph.D. in Computer Science with a focus on automating the enhancement of vulnerability data. Trevor is an advocate for open source software security and enjoys competing on Kaggle.

Filed under

AI Safety & Ethics Applied AI