Source: dev.to

I published my first GitHub Marketplace Action: Aster Guard MCP

A developer published Aster Guard MCP, a lightweight, local-first security scanner for MCP and Claude Code configuration files, on the GitHub Marketplace. The tool statically scans configuration files for risk patterns such as exposed SSH keys, cloud credentials, and environment variables, providing a risk score, grade, and findings. It is designed as a pre-connection check to help developers assess the safety of MCP servers before integrating them into AI coding environments.

Published Jun 19, 2026 · 2 min read

I just published my first GitHub Marketplace Action: Aster Guard MCP.

Marketplace:

https://github.com/marketplace/actions/aster-guard-mcp

Repository:

https://github.com/Aster-Works/aster-guard

It is a lightweight, local-first security scanner for MCP and Claude Code configuration files.

The goal is intentionally small:

Before connecting an MCP server to your AI coding environment, check whether the configuration looks safe enough to trust.

MCP is becoming a very practical way to connect AI coding tools to real developer systems.

Depending on the MCP server, an AI agent may gain access to:

That is powerful. It is also a meaningful security boundary.

For example, a single .mcp.json entry can define a command to run, expose environment variables, grant filesystem access, or connect to a remote endpoint. Tool descriptions can also contain hidden instructions that shape how an agent behaves.

So I wanted a small check that runs before that connection happens.

Aster Guard statically scans MCP and Claude Code configuration files.

The important part is what it does not do:

It looks for risk patterns such as:

.ssh, cloud credentials, and .env

The output includes a risk score, a grade, findings, and recommended next steps in English and Japanese.
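To make the idea of a static pre-connection check concrete, here is an added sketch that is not Aster Guard's code or rule set: it parses a constructed .mcp.json document and flags sensitive paths, inline secrets, and cleartext remote endpoints. The rule names, weights, server names, and the sample config are all assumptions made for illustration.

```javascript
// Added illustration: a minimal static check over an .mcp.json document.
// Rules and weights are assumptions, not Aster Guard's actual rule set.
const SENSITIVE_PATHS = [
  /(^|[\/\\=])\.ssh([\/\\]|$)/,   // SSH key directory
  /(^|[\/\\=])\.aws([\/\\]|$)/,   // cloud credential directory
  /(^|[\/\\=])\.env(\.|$)/,       // .env, .env.local, ...
];
const SECRET_NAME = /(TOKEN|SECRET|PASSWORD|API_?KEY)/i;

function scanMcpConfig(jsonText) {
  const servers = JSON.parse(jsonText).mcpServers || {};
  const findings = [];
  for (const [name, s] of Object.entries(servers)) {
    // The command line is only read as text; nothing is executed or connected to.
    const words = [s.command, ...(s.args || [])].filter((w) => typeof w === "string");
    for (const w of words) {
      if (SENSITIVE_PATHS.some((re) => re.test(w)))
        findings.push({ server: name, rule: "sensitive-path", detail: w, weight: 30 });
    }
    for (const [key, value] of Object.entries(s.env || {})) {
      // A literal value (not a ${VAR} reference) means the secret lives in the file.
      // Only the variable name is reported, never the value.
      if (SECRET_NAME.test(key) && typeof value === "string" && !/^\$\{.+\}$/.test(value))
        findings.push({ server: name, rule: "inline-secret", detail: key, weight: 30 });
    }
    if (typeof s.url === "string" && s.url.startsWith("http://"))
      findings.push({ server: name, rule: "cleartext-remote", detail: s.url, weight: 15 });
  }
  const score = Math.min(100, findings.reduce((sum, f) => sum + f.weight, 0));
  return { score, findings };
}

// Constructed sample config; package names, paths, and hosts are hypothetical.
const SAMPLE = JSON.stringify({
  mcpServers: {
    files: { command: "npx", args: ["-y", "example-fs-server", "/home/dev/.ssh"] },
    notes: { command: "node", args: ["server.js"], env: { NOTES_API_KEY: "constructed-value" } },
    remote: { type: "http", url: "http://mcp.example.test/mcp" },
    docs: { command: "node", args: ["docs.js", "./docs"], env: { DOCS_TOKEN: "${DOCS_TOKEN}" } },
  },
});

console.log(JSON.stringify(scanMcpConfig(SAMPLE), null, 2));
```

The `docs` entry produces no finding because its path is project-local and its token is an environment reference rather than a literal.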

You can run it without installing anything globally:

npx -y @asterworks/aster-guard scan

Or scan a specific config file:

npx -y @asterworks/aster-guard scan .mcp.json

Now that it is on GitHub Marketplace, you can add it to a workflow:

- uses: Aster-Works/aster-guard@v0.3.2
  with:
    path: .
    fail-on: high

You can also produce SARIF and upload the result to GitHub code scanning:

- uses: Aster-Works/aster-guard@v0.3.2
  with:
    path: .
    fail-on: high
    sarif: results.sarif

- uses: github/codeql-action/upload-sarif@v3
  if: always()
  with:
    sarif_file: results.sarif

Aster Guard is not trying to be a full security platform.

It is not a runtime firewall, antivirus tool, SIEM, or complete supply-chain scanner. It is a narrow pre-connection check for MCP configuration risk.

That narrow scope is deliberate. I wanted something that individual developers and small teams can run quickly before trusting an unfamiliar MCP server.

This is still early, so the most useful feedback is practical:

If you are experimenting with MCP or Claude Code, I would love for you to try it on a real configuration and open an issue with anything confusing, noisy, or missing.

Links:
