MCP Workflow: Security Leak Triage, Automated Fix, and PR (Claude Code CLI and Rovo Dev CLI)

The goal of this MCP recipe is to detect newly introduced secrets in recent commits, propose minimal safe fixes, apply patches, and open a pull request that includes a rotation checklist and validation steps.
Prerequisites

- Git repository with recent commits
- Access to Claude Code CLI or Rovo Dev CLI
- Installed MCP servers for:
  - Secret scanning (e.g., TruffleHog, GitGuardian, Cycode)
  - Git operations
  - Patch application or refactoring
- Environment variables:
  - GIT_TOKEN for repository operations
  - SCANNER_API_KEY for your chosen secrets scanner
- Optional: pre-commit hook to prevent regressions
MCP Setup
Claude Code CLI
Place this in a project-scoped .mcp.json at your repo root:

```json
{
  "mcpServers": {
    "trufflehog": {
      "command": "npx",
      "args": ["-y", "trufflehog", "filesystem", "--fail", "--json"]
    },
    "git": {
      "command": "python",
      "args": ["-m", "mcp_server_git"]
    },
    "patcher": {
      "command": "python",
      "args": ["-m", "mcp_server_filesystem", "."]
    }
  }
}
```
Add with:

```shell
claude mcp add --scope project trufflehog npx -y trufflehog filesystem --fail --json
```

Claude will prompt for approval when the project opens.
Rovo Dev CLI
Place this in ~/.rovodev/mcp.json:

```json
{
  "mcpServers": {
    "trufflehog": {
      "command": "npx",
      "args": ["-y", "trufflehog", "filesystem", "--fail", "--json"]
    },
    "git": {
      "command": "python",
      "args": ["-m", "mcp_server_git"]
    },
    "patcher": {
      "command": "python",
      "args": ["-m", "mcp_server_filesystem", "."]
    }
  }
}
```

Permissions for file writes and tool calls are managed in ~/.rovodev/config.yml.
Prompts to Run in Either CLI

Discovery:
Scan the last 20 commits for secrets using the secrets scanner MCP. Return findings as JSON with file path, start line, end line, detector, and confidence.

Plan:
For each finding, propose the smallest safe fix. Remove or replace the secret, move it to a secret manager or environment variable, and mask it in tests where necessary. Note if rotation is required and list impacted systems.

Apply:
Generate minimal patches per file and stage them on a new branch fix/secrets-sweep-<date>. Do not apply changes that break tests; propose a fallback if necessary.

PR:
Open a pull request and include docs/security/rotation-checklist.md with a checklist of systems to rotate, test verification steps, and CI status links. Add repo owners and SecOps as reviewers.
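To make the four prompts concrete, here is an added example (constructed for this page, not code from the recipe or from any MCP server) that runs the same Discovery, Plan, Apply and Validation pass locally: a small regex detector stands in for the TruffleHog MCP server, findings carry the JSON fields the Discovery prompt asks for, each plan is the smallest safe swap of a committed literal for an environment lookup with rotation flagged, and the rendered checklist is the docs/security/rotation-checklist.md body the PR step calls for. The detector patterns, the environment variable names, the diff and the sample values are all assumptions; the AWS key is the public example value from AWS documentation, not a live credential.

```python
"""Added example (constructed): local stand-in for the Discovery -> Plan ->
Apply -> Validation prompts, with a regex detector in place of TruffleHog."""
import json
import math
import re
from collections import Counter

# Constructed detectors: AWS access key ids have a fixed prefix and length;
# generic assignments are flagged only when the quoted value has high entropy.
DETECTORS = {
    "aws_access_key_id": (re.compile(r"\bAKIA[0-9A-Z]{16}\b"), 0.95),
    "generic_api_key": (re.compile(
        r"(?i)\b(api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]([^'\"]{16,})['\"]"), 0.70),
}
# Hypothetical environment variable each finding's value should move to.
ENV_NAMES = {"aws_access_key_id": "AWS_ACCESS_KEY_ID", "generic_api_key": "API_KEY"}


def shannon_entropy(s):
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())


def _literal(detector, line):
    """The matched secret value (last capture group, or the whole match)."""
    m = DETECTORS[detector][0].search(line)
    return m.group(m.lastindex) if m.lastindex else m.group(0)


def scan_added_lines(diff_text):
    """Discovery: walk a unified diff of the recent commits, track the new-file
    line number of every added line, and report secrets introduced there.
    Returns (findings, added) where added maps (file, line) -> line text."""
    findings, added = [], {}
    path, new_line = None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")
        elif raw.startswith("@@"):
            new_line = int(re.search(r"\+(\d+)", raw).group(1))
        elif raw.startswith("+"):
            content = raw[1:]
            added[(path, new_line)] = content
            for name, (pattern, confidence) in DETECTORS.items():
                if not pattern.search(content):
                    continue
                if name == "generic_api_key" and shannon_entropy(_literal(name, content)) < 3.0:
                    continue  # placeholder or template value, not a credential
                findings.append({"file": path, "start_line": new_line, "end_line": new_line,
                                 "detector": name, "confidence": confidence})
            new_line += 1
        elif raw.startswith(" "):
            new_line += 1  # context line; removed lines and headers do not advance
    return findings, added


def plan_fix(finding, source_line):
    """Plan: the smallest safe fix replaces the literal with an environment
    lookup; rotation is always required because the value was committed."""
    literal = _literal(finding["detector"], source_line)
    env = ENV_NAMES[finding["detector"]]
    after = re.sub(r"""['"]%s['"]""" % re.escape(literal), f'os.environ["{env}"]', source_line)
    return {"file": finding["file"], "line": finding["start_line"], "before": source_line,
            "after": after, "env_var": env, "rotate": True,
            "needs_manual_review": after == source_line}  # value was not a plain quoted string


def apply_plans(diff_text, plans):
    """Apply: rewrite the added lines in place (stand-in for the patcher server)."""
    for p in plans:
        diff_text = diff_text.replace("+" + p["before"], "+" + p["after"])
    return diff_text


def rotation_checklist(plans):
    """PR: body for docs/security/rotation-checklist.md."""
    items = [f"- [ ] Rotate the credential now read from `{p['env_var']}` "
             f"(committed at {p['file']}:{p['line']})" for p in plans if p["rotate"]]
    return "\n".join(["# Secret rotation checklist", "", *items, "", "## Verification",
                      "- [ ] Secrets scanner reports zero findings against HEAD",
                      "- [ ] CI build passes with no new warnings"])


def is_clean(diff_text):
    """Validation: re-scan and confirm zero findings."""
    return scan_added_lines(diff_text)[0] == []


def triage(diff_text):
    findings, added = scan_added_lines(diff_text)
    plans = [plan_fix(f, added[(f["file"], f["start_line"])]) for f in findings]
    return {"findings": findings, "plans": plans, "checklist": rotation_checklist(plans)}


# Constructed diff standing in for the last commits; the third added line is a
# low-entropy placeholder that the entropy check should leave alone.
SAMPLE_DIFF = "\n".join([
    "diff --git a/app/config.py b/app/config.py",
    "--- a/app/config.py",
    "+++ b/app/config.py",
    "@@ -1,2 +1,5 @@",
    " import os",
    '+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"',
    '+api_key = "sk_live_9f8e7d6c5b4a3f2e1d0c"',
    '+PASSWORD = "xxxxxxxxxxxxxxxxxxxx"',
    " DEBUG = False",
])

if __name__ == "__main__":
    result = triage(SAMPLE_DIFF)
    print(json.dumps(result["findings"], indent=2))
    print(result["checklist"])
    print("clean after patch:", is_clean(apply_plans(SAMPLE_DIFF, result["plans"])))
```

Two design points carry over to the real workflow: only added lines are scanned, so a finding always maps to a commit that introduced it rather than to pre-existing code, and `rotate` is set unconditionally, because removing a secret from the tree never un-exposes the value that is already in history.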
Validation Steps

- Re-run the secrets scanner locally against HEAD and confirm zero findings.
- CI build should pass with no new warnings.
- PR description should include rotation guidance and scope.
- If using a pre-commit hook, verify it blocks re-introduction of similar secrets.
Variations

- Swap TruffleHog for GitGuardian or Cycode in .mcp.json
- Scan a larger commit history or specific branches
- Integrate with Jira in Rovo Dev CLI to auto-create rotation tickets
Troubleshooting

- If Claude does not detect servers, confirm .mcp.json is in the project root and was added with `claude mcp add --scope project`.
- If Rovo does not load servers, check ~/.rovodev/mcp.json for valid JSON syntax and restart the CLI.
- For cross-platform issues, ensure npx and the Python MCP servers are on your PATH.
Key Differences Noticed

- Claude prompts for explicit approval on first use of each MCP server in project scope.
- Rovo reads servers from a fixed location and uses config.yml for permission management, making setup predictable but less flexible per project.
Back to the Cookbook: see the full Awesome MCP Workflows Cookbook for all 10 recipes.
Written by Harish Garg