# I published my first GitHub Marketplace Action: Aster Guard MCP

> Source: <https://dev.to/asterworks/i-published-my-first-github-marketplace-action-aster-guard-mcp-1d74>
> Published: 2026-06-19 07:14:19+00:00

I just published my first GitHub Marketplace Action: **Aster Guard MCP**.

Marketplace:

[https://github.com/marketplace/actions/aster-guard-mcp](https://github.com/marketplace/actions/aster-guard-mcp)

Repository:

[https://github.com/Aster-Works/aster-guard](https://github.com/Aster-Works/aster-guard)

It is a lightweight, local-first security scanner for MCP and Claude Code configuration files.

The goal is intentionally small:

Before connecting an MCP server to your AI coding environment, check whether the configuration looks safe enough to trust.

MCP is becoming a very practical way to connect AI coding tools to real developer systems.

Depending on the MCP server, an AI agent may gain access to:

That is powerful. It is also a meaningful security boundary.

For example, a single `.mcp.json` entry can define a command to run, expose environment variables, grant filesystem access, or connect to a remote endpoint. Tool descriptions can also contain hidden instructions that shape how an agent behaves.

So I wanted a small check that runs before that connection happens.

Aster Guard statically scans MCP and Claude Code configuration files.

The important part is what it does **not** do:

It looks for risk patterns such as:

`.ssh`, cloud credentials, and `.env`

The output includes a risk score, a grade, findings, and recommended next steps in English and Japanese.
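To make the idea of a static pre-connection check concrete, here is an added example (not Aster Guard's code or rule set) that parses a constructed `.mcp.json` and flags a few of the patterns mentioned above without running or contacting anything. The rule names, regexes, the `.aws` stand-in for cloud credentials, and the sample servers are all assumptions made for illustration.

```javascript
// Illustrative rules only; these are assumptions, not Aster Guard's rule set.
const SENSITIVE_PATH = /(^|[\/\\])\.(ssh|aws|env)([\/\\.]|$)/;
const SECRET_NAME = /(TOKEN|SECRET|PASSWORD|API_?KEY)/i;
const SHELLS = new Set(["sh", "bash", "zsh", "cmd", "powershell", "pwsh"]);

function scanMcpConfig(jsonText) {
  const findings = [];
  const servers = JSON.parse(jsonText).mcpServers || {};
  for (const [name, s] of Object.entries(servers)) {
    if (!s || typeof s !== "object") continue;
    const add = (rule, detail) => findings.push({ server: name, rule, detail });
    const args = Array.isArray(s.args) ? s.args.map(String) : [];
    // A shell as the command means the real program is hidden in a string argument.
    if (typeof s.command === "string" && SHELLS.has(s.command.split(/[\/\\]/).pop())) {
      add("shell-wrapper", s.command);
    }
    // Arguments that hand the server a credential-bearing path.
    for (const a of args) {
      if (SENSITIVE_PATH.test(a)) add("sensitive-path", a);
    }
    // Secrets written literally into the file instead of referenced as ${VAR}.
    for (const [k, v] of Object.entries(s.env || {})) {
      if (SECRET_NAME.test(k) && !/^\$\{[^}]+\}$/.test(String(v))) add("inline-secret", k);
    }
    // Remote endpoints reached without TLS (loopback is excluded).
    if (typeof s.url === "string") {
      let u;
      try { u = new URL(s.url); } catch { add("bad-url", s.url); continue; }
      const local = ["localhost", "127.0.0.1", "[::1]"].includes(u.hostname);
      if (u.protocol === "http:" && !local) add("cleartext-remote", u.host);
    }
  }
  return findings;
}

// Constructed sample input, not taken from any real project.
const SAMPLE = JSON.stringify({
  mcpServers: {
    files: { command: "npx", args: ["-y", "example-fs-server", "/home/dev/.ssh"] },
    api: { command: "node", args: ["server.js"], env: { API_TOKEN: "abc123", LOG: "debug" } },
    safe: { command: "node", args: ["srv.js", "./src"], env: { API_TOKEN: "${API_TOKEN}" } },
    remote: { type: "http", url: "http://mcp.example.test/mcp" },
    wrapped: { command: "/bin/bash", args: ["-c", "./start.sh"] },
  },
});

console.log(scanMcpConfig(SAMPLE));
```

The `safe` entry produces no findings because its token is an environment reference and its only path argument stays inside the project.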

You can run it without installing anything globally:

```
npx -y @asterworks/aster-guard scan
```

Or scan a specific config file:

```
npx -y @asterworks/aster-guard scan .mcp.json
```

Now that it is on GitHub Marketplace, you can add it to a workflow:

```
- uses: Aster-Works/aster-guard@v0.3.2
  with:
    path: .
    fail-on: high
```

You can also produce SARIF and upload the result to GitHub code scanning:

```
- uses: Aster-Works/aster-guard@v0.3.2
  with:
    path: .
    fail-on: high
    sarif: results.sarif

- uses: github/codeql-action/upload-sarif@v3
  if: always()
  with:
    sarif_file: results.sarif
```

Aster Guard is not trying to be a full security platform.

It is not a runtime firewall, antivirus tool, SIEM, or complete supply-chain scanner. It is a narrow pre-connection check for MCP configuration risk.

That narrow scope is deliberate. I wanted something that individual developers and small teams can run quickly before trusting an unfamiliar MCP server.

This is still early, so the most useful feedback is practical:

If you are experimenting with MCP or Claude Code, I would love for you to try it on a real configuration and open an issue with anything confusing, noisy, or missing.

