This guide walks you through installing Golf Scanner and running your first security audit. By the end, you’ll have a risk score for every MCP server configured on your machine.

What You’ll Learn

  • How to install Golf Scanner
  • How to audit your MCP servers with a single command
  • How to interpret risk scores and findings
  • How to use JSON output for CI/CD pipelines

Prerequisites

  • macOS or Linux
  • Homebrew (recommended) or Go 1.23+
1. Install Golf Scanner

Verify the installation:
golf-scanner version
Checkpoint: You see a version string like golf-scanner v0.1.0.
2. Run a Security Audit

Run the audit command. It discovers all MCP servers configured across your IDEs and runs 20 security checks against each one:
golf-scanner audit
Golf Scanner finds configuration files for Claude Code, Cursor, VS Code, Windsurf, Gemini CLI, Kiro, and Antigravity, then runs security checks.
Checkpoint: You see a summary table with scores and severity counts for each server.

3. Read the Results

The audit output shows:
  • Score: 0–100 risk score (higher is better). Hard-capped at 30 for critical findings, 59 for high findings.
  • Risk level: Low (≥60), Moderate (>30), or High (≤30)
  • Severity counts: Number of critical, high, medium, and pass findings per server
For detailed findings including remediation advice:
golf-scanner audit --verbose
For just the summary table:
golf-scanner audit --quiet
Checkpoint: You can identify which servers need attention based on their score and severity.
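
The caps and risk bands above mean a server with any high finding can never be rated Low, and one with a critical finding is always High. The sketch below turns that into a CI gate; it is an added example, not Golf Scanner code, and the record fields (`name`, `score`, `critical`, `high`) and the `min_score` threshold are assumptions rather than the tool's JSON schema.

```python
from dataclasses import dataclass

CRITICAL_CAP = 30  # page: hard cap when a critical finding exists
HIGH_CAP = 59      # page: hard cap when a high finding exists

@dataclass
class ServerResult:      # hypothetical record, NOT Golf Scanner's JSON schema
    name: str
    score: int           # 0-100, higher is better
    critical: int
    high: int

def risk_level(score: int) -> str:
    """Bands from the page: Low (>=60), Moderate (>30), High (<=30)."""
    if not 0 <= score <= 100:
        raise ValueError(f"score out of range: {score}")
    if score >= 60:
        return "Low"
    return "Moderate" if score > 30 else "High"

def score_ceiling(critical: int, high: int) -> int:
    """Best score still reachable given the severity counts and the hard caps."""
    if critical > 0:
        return CRITICAL_CAP
    return HIGH_CAP if high > 0 else 100

def gate(results, min_score=60):
    """Return (passed, reasons). min_score is an assumed CI threshold.
    A score above its ceiling means the input was mis-mapped, so it also fails."""
    reasons = []
    for r in results:
        ceiling = score_ceiling(r.critical, r.high)
        if r.score > ceiling:
            reasons.append(f"{r.name}: score {r.score} exceeds cap {ceiling}")
        elif r.score < min_score:
            reasons.append(f"{r.name}: {risk_level(r.score)} risk, score {r.score}")
    return (not reasons, reasons)

# Constructed sample data, not real scanner output.
SAMPLE = [
    ServerResult("filesystem", 92, 0, 0),
    ServerResult("legacy-db", 59, 0, 2),   # high finding: capped below Low
    ServerResult("shell-exec", 30, 1, 0),  # critical finding: always High
]

if __name__ == "__main__":
    passed, reasons = gate(SAMPLE)
    print("PASS" if passed else "FAIL", *reasons, sep="\n")
```
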

Next Steps

CLI Reference

All commands, flags, and options

Understanding Results

How scores, severities, and server types work

Security Checks

What each of the 20 checks detects