Tool Reference

Complete reference for all tools available through the ByteHide MCP server. Each tool can be invoked by your AI coding agent automatically based on your requests.


scan_code

Scan source code files for security vulnerabilities (SAST), hardcoded secrets, and code quality issues. Returns findings with severity, CWE references, exact line numbers, and fix recommendations.

Parameters

| Parameter | Type | Required | Description |
| --- | --- | --- | --- |
| files | array | Yes | Files to scan. Each item has a path (relative file path) and content (full source code) |
| scan_type | string | No | What to scan for: sast, secrets, or all (default: all) |
| context | object | No | Git context for linking results to your ByteHide dashboard |

The context object accepts:

| Field | Description |
| --- | --- |
| git_remote | Output of git remote get-url origin. Used as the project identifier |
| git_branch | Output of git branch --show-current. Associates findings with a branch |
| folder_name | Workspace folder name. Used as fallback project name if git_remote is not available |

Supported Languages

JavaScript, TypeScript, Python, Java, C#, PHP, Go, Rust, Swift, Kotlin, Objective-C, and Ruby.

How it works

  1. The AI agent reads the files you want to scan and sends their content to the tool
  2. ByteHide Radar analyzes the code for OWASP Top 10 vulnerabilities, CWE patterns, and hardcoded credentials
  3. If no project exists yet for this repository, one is created automatically in your ByteHide dashboard
  4. Results are returned inline with severity levels, affected lines, and actionable fix suggestions

Example usage

Ask your AI agent:

  • "Scan this file for security vulnerabilities"
  • "Check src/auth/login.ts for hardcoded secrets"
  • "Run a security audit on all files in the src/ directory"

Git Context

For best results, always work within a git repository. The tool automatically detects your remote URL and branch to link findings to the correct project in the ByteHide dashboard.
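
What a scan_code call looks like on the wire, as an added example (not ByteHide's code): it assumes the agent sends the arguments in a standard MCP tools/call JSON-RPC request, and the helper names and sample values are hypothetical. Because git_remote is the raw output of git remote get-url origin, the example strips any credentials embedded in the URL before the context leaves the machine.

```python
import json
from urllib.parse import urlsplit, urlunsplit

SCAN_TYPES = ("sast", "secrets", "all")

def strip_credentials(remote: str) -> str:
    """Drop any user:password@ part from a URL-style remote.
    scp-style remotes (git@host:org/repo.git) carry no password and pass through."""
    if "://" not in remote:
        return remote
    parts = urlsplit(remote)
    host = parts.hostname or ""
    if parts.port:
        host = f"{host}:{parts.port}"
    return urlunsplit((parts.scheme, host, parts.path, "", ""))

def build_context(git_remote: str, git_branch: str, folder_name: str) -> dict:
    """Assemble the context object; empty git values are omitted so the
    folder name can serve as the fallback project name."""
    context = {"folder_name": folder_name}
    if git_remote.strip():
        context["git_remote"] = strip_credentials(git_remote.strip())
    if git_branch.strip():
        context["git_branch"] = git_branch.strip()
    return context

def scan_code_request(files: dict, context: dict, scan_type: str = "all",
                      request_id: int = 1) -> dict:
    """Wrap the scan_code arguments in an MCP tools/call JSON-RPC request."""
    if scan_type not in SCAN_TYPES:
        raise ValueError(f"scan_type must be one of {SCAN_TYPES}")
    if not files:
        raise ValueError("files is required and must not be empty")
    arguments = {
        "files": [{"path": p, "content": c} for p, c in files.items()],
        "scan_type": scan_type,
        "context": context,
    }
    return {"jsonrpc": "2.0", "id": request_id, "method": "tools/call",
            "params": {"name": "scan_code", "arguments": arguments}}

# Constructed sample values: the remote, token and file are made up.
SAMPLE_REMOTE = "https://ci-bot:EXAMPLE-TOKEN@github.com/your-org/your-repo.git\n"
SAMPLE_FILES = {"src/auth/login.ts": "const password = 'hunter2';\n"}

if __name__ == "__main__":
    ctx = build_context(SAMPLE_REMOTE, "main\n", "your-repo")
    print(json.dumps(scan_code_request(SAMPLE_FILES, ctx, "secrets"), indent=2))
```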


check_dependency

Check whether a specific package is safe to install. Returns known CVEs, severity, license information, and an upgrade recommendation if a safer version exists.

Parameters

| Parameter | Type | Required | Description |
| --- | --- | --- | --- |
| package | string | Yes | Exact package name as published in the registry (e.g., lodash, express, flask) |
| version | string | No | Specific version to check (e.g., 4.17.20). Checks the latest version if omitted |
| ecosystem | string | No | Package registry: npm, pypi, maven, nuget, go, rubygems, cargo, packagist (default: npm) |
| context | object | No | Git context (same fields as scan_code) |

Supported Ecosystems

| Ecosystem | Language | Example Package |
| --- | --- | --- |
| npm | JavaScript / TypeScript | express, lodash |
| pypi | Python | flask, requests |
| maven | Java | com.google.guava:guava |
| nuget | C# | Newtonsoft.Json |
| go | Go | github.com/gin-gonic/gin |
| rubygems | Ruby | rails, nokogiri |
| cargo | Rust | serde, tokio |
| packagist | PHP | laravel/framework |

Example usage

Ask your AI agent:

  • "Is lodash@4.17.20 safe to install?"
  • "Check if the latest version of flask has any CVEs"
  • "Before I install jsonwebtoken, check if it's secure"

scan_dependencies

Scan all dependencies in a manifest file at once for known vulnerabilities. Reads the entire file and returns a summary grouped by severity, with upgrade recommendations for each vulnerable package.

Parameters

| Parameter | Type | Required | Description |
| --- | --- | --- | --- |
| content | string | Yes | The complete, unmodified content of the manifest file |
| ecosystem | string | No | Package registry matching the manifest format (default: npm) |
| include_dev | boolean | No | Include development dependencies in the scan (default: false) |
| context | object | No | Git context (same fields as scan_code) |

Supported Manifest Files

| Ecosystem | File |
| --- | --- |
| npm | package.json |
| pypi | requirements.txt, Pipfile |
| maven | pom.xml |
| nuget | *.csproj |
| go | go.mod |
| rubygems | Gemfile |
| cargo | Cargo.toml |
| packagist | composer.json |

What it returns

  • Total dependencies scanned
  • Number of vulnerable vs safe packages
  • For each vulnerable package: CVE identifiers, severity, affected versions, and recommended upgrade version
  • Summary grouped by severity (Critical, High, Medium, Low)

Example usage

Ask your AI agent:

  • "Audit my package.json for vulnerable dependencies"
  • "Scan requirements.txt for known CVEs"
  • "Check all dependencies in go.mod including dev dependencies"

list_projects

List all ByteHide projects in your organization. Useful for verifying your setup, finding project details, or exploring what's already being scanned.

Parameters

| Parameter | Type | Required | Description |
| --- | --- | --- | --- |
| search | string | No | Filter projects by name (case-insensitive partial match) |

What it returns

For each project:

  • Project name and ID
  • Programming language
  • Connected ByteHide modules (Radar, Shield, Secrets, Monitor)
  • Assigned teams
  • Description (if set)

Example usage

Ask your AI agent:

  • "List my ByteHide projects"
  • "Show me all projects with 'api' in the name"
  • "What projects do I have in ByteHide?"

audit_ai_environment

Scan your AI development environment configuration files for security risks. Detects prompt injection vectors, risky MCP server configurations, credential exposure, overpermissioning, and cross-file attack chains.

100% Local — No Data Sent

This tool runs entirely on your machine. Your configuration files (.env, .claude.md, .mcp.json, etc.) are never sent to ByteHide servers. All analysis happens locally within the AI agent using built-in security rules.

Parameters

| Parameter | Type | Required | Description |
| --- | --- | --- | --- |
| files | array | Yes | AI config files found in the workspace. Each item has a path and content |
| gitignore | string | No | Content of .gitignore, used to check if sensitive files are protected from commits |

Files to scan

The tool is designed to analyze these AI configuration files:

| File | Purpose |
| --- | --- |
| .claude.md, CLAUDE.md | Claude system prompts |
| .cursorrules, .cursorignore | Cursor AI rules |
| .github/copilot-instructions.md | GitHub Copilot instructions |
| AGENTS.md | Agent configurations |
| .mcp.json, .cursor/mcp.json | MCP server configurations |
| .env, .env.local | Environment variables |
| .vscode/settings.json | VS Code settings |
| Dockerfile, docker-compose.yml | Container configurations |
| .gitignore | Git ignore rules |

What it detects

Prompt Injection — Dangerous instructions in AI prompts that could lead to data exfiltration, unauthorized commands, or security bypass.

MCP Server Risks — Unencrypted connections, unauthenticated remote servers, auto-install without version pinning, dangerous tool categories, and overly broad permissions.

Credential Exposure — Hardcoded API keys, tokens, and passwords for services like AWS, GitHub, OpenAI, Stripe, database connections, and more.

Overpermissioning — dangerouslySkipPermissions, broad filesystem access, wildcard tool allowlists, privileged Docker containers, and --no-sandbox flags.

Git Protection — Checks whether sensitive files (.env, *.pem, *.key, credentials.json, .mcp.json) are properly listed in .gitignore.
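
An added example (not ByteHide's rules or code) of what three of these checks can look like locally: plain-HTTP remote servers and unpinned npx auto-installs in .mcp.json, plus .gitignore coverage of the sensitive files listed above. It assumes the common mcpServers layout of .mcp.json; the function names, regex and sample data are hypothetical.

```python
import json
import re
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Sensitive patterns named on this page, each with a sample filename to test.
SENSITIVE = {".env": ".env", "*.pem": "server.pem", "*.key": "server.key",
             "credentials.json": "credentials.json", ".mcp.json": ".mcp.json"}
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}
PINNED = re.compile(r"@?[^@]+@\d+\.\d+\.\d+\S*")  # name@1.2.3 or @scope/name@1.2.3

def audit_mcp(mcp_json: str) -> list[str]:
    """Flag plain-HTTP remote servers and auto-installed packages without a pinned version."""
    findings = []
    for name, cfg in json.loads(mcp_json).get("mcpServers", {}).items():
        url = urlsplit(cfg.get("url", ""))
        if url.scheme == "http" and url.hostname not in LOCAL_HOSTS:
            findings.append(f"{name}: unencrypted connection to {url.hostname}")
        args = cfg.get("args", [])
        if cfg.get("command") == "npx" and {"-y", "--yes"} & set(args):
            pkg = next((a for a in args if not a.startswith("-")), "")
            if not PINNED.fullmatch(pkg):
                findings.append(f"{name}: auto-install without version pin ({pkg})")
    return findings

def unprotected(gitignore: str) -> list[str]:
    """Return the sensitive patterns no .gitignore rule covers (simplified matching:
    negations and directory rules are ignored; `git check-ignore` is authoritative)."""
    rules = [ln.strip().removeprefix("**/").lstrip("/") for ln in gitignore.splitlines()]
    rules = [r for r in rules if r and not r.startswith(("#", "!"))]
    return [pat for pat, sample in SENSITIVE.items()
            if not any(fnmatchcase(sample, r) for r in rules)]

# Constructed sample inputs (server names, hosts and packages are made up).
SAMPLE_MCP = json.dumps({"mcpServers": {
    "docs": {"type": "http", "url": "http://mcp.example.com/mcp"},
    "local": {"type": "http", "url": "http://localhost:8080/mcp"},
    "fs": {"command": "npx", "args": ["-y", "@example/fs-server"]},
    "db": {"command": "npx", "args": ["-y", "@example/db-server@1.4.2"]}}})
SAMPLE_GITIGNORE = "node_modules/\n.env*\n*.pem\n# keys\n/credentials.json\n"

if __name__ == "__main__":
    print(audit_mcp(SAMPLE_MCP))
    print(unprotected(SAMPLE_GITIGNORE))
```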

What it returns

  • Security Score (0–100): overall health of your AI environment
  • Attack Chains: multi-step vulnerability paths (e.g., prompt injection leading to credential exfiltration)
  • Individual Findings: categorized by type and severity
  • Git Protection Status: which sensitive files are covered by .gitignore

Example usage

Ask your AI agent:

  • "Audit my AI development environment for security risks"
  • "Check if my .env file is exposed in the git repo"
  • "Are there any prompt injection risks in my Claude configuration?"

Automatic Project Creation

The tools scan_code, check_dependency, and scan_dependencies automatically create a project in your ByteHide dashboard when scanning a repository for the first time. The project name is derived from your git remote URL (e.g., github.com/your-org/your-repo becomes your-org/your-repo). If no git remote is available, the workspace folder name is used.

This means you don't need to manually create projects before using the MCP tools — just start scanning and everything is linked automatically.

