MCP Workflow: Security Leak Triage, Automated Fix, and PR (Claude Code CLI and Rovo Dev CLI)

Harish Garg

The goal of this MCP recipe is to detect newly introduced secrets in recent commits, propose minimal safe fixes, apply patches, and open a pull request that includes a rotation checklist and validation steps.


Prerequisites

  • Git repository with recent commits

  • Access to Claude Code CLI or Rovo Dev CLI

  • Installed MCP servers for:

    • Secret scanning (e.g., TruffleHog, GitGuardian, Cycode)

    • Git operations

    • Patch application or refactoring

  • Environment variables:

    • GIT_TOKEN for repository operations

    • SCANNER_API_KEY for your chosen secrets scanner

  • Optional: Pre-commit hook to prevent regressions


MCP Setup

Claude Code CLI

Place this in a project-scoped .mcp.json at your repo root:

{
  "mcpServers": {
    "trufflehog": {
      "command": "npx",
      "args": ["-y", "trufflehog", "filesystem", "--fail", "--json"]
    },
    "git": {
      "command": "python",
      "args": ["-m", "mcp_server_git"]
    },
    "patcher": {
      "command": "python",
      "args": ["-m", "mcp_server_filesystem", "."]
    }
  }
}

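Or register a server from the command line; the -- separates Claude's own options from the server command and its flags:

claude mcp add --scope project trufflehog -- npx -y trufflehog filesystem --fail --json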

Claude will prompt for approval when the project opens.


Rovo Dev CLI

Place this in ~/.rovodev/mcp.json:

{
  "mcpServers": {
    "trufflehog": {
      "command": "npx",
      "args": ["-y", "trufflehog", "filesystem", "--fail", "--json"]
    },
    "git": {
      "command": "python",
      "args": ["-m", "mcp_server_git"]
    },
    "patcher": {
      "command": "python",
      "args": ["-m", "mcp_server_filesystem", "."]
    }
  }
}

Permissions for file writes and tool calls are managed in ~/.rovodev/config.yml.


Prompts to Run in Either CLI

Discovery

Scan the last 20 commits for secrets using the secrets scanner MCP. Return findings as JSON with file path, start line, end line, detector, and confidence.

Plan

For each finding, propose the smallest safe fix. Remove or replace the secret, move it to a secret manager or environment variable, and mask it in tests where necessary. Note if rotation is required and list impacted systems.

Apply

Generate minimal patches per file and stage them on a new branch fix/secrets-sweep-<date>. Do not apply changes that break tests; propose a fallback if necessary.

PR

Open a pull request and include docs/security/rotation-checklist.md with a checklist of systems to rotate, test verification steps, and CI status links. Add repo owners and SecOps as reviewers.


Validation Steps

  1. Re-run the secrets scanner locally against HEAD and confirm zero findings.

  2. CI build should pass with no new warnings.

  3. PR description should include rotation guidance and scope.

  4. If using a pre-commit hook, verify it blocks re-introduction of similar secrets.
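
An added example (not from the original post or from any of the tools it names) that ties the Discovery output to validation step 1: it reduces scanner output to the fields the Discovery prompt asks for, leaves the raw secret out so it never reaches the PR text, and fails the gate while findings remain. The TruffleHog field names, the Verified-to-confidence mapping, and the normalize and gate helper names are assumptions.

```python
import json

# Constructed sample: lines shaped like TruffleHog --json output, one object
# per line. Field names are assumed from TruffleHog v3; secrets are fake.
SAMPLE_SCAN = "\n".join([
    json.dumps({"SourceMetadata": {"Data": {"Filesystem": {
        "file": "config/settings.py", "line": 12}}},
        "DetectorName": "AWS", "Verified": True, "Raw": "FAKE-SECRET-ONE"}),
    json.dumps({"SourceMetadata": {"Data": {"Git": {
        "file": "tests/test_api.py", "line": 40, "commit": "0000000"}}},
        "DetectorName": "Slack", "Verified": False, "Raw": "FAKE-SECRET-TWO"}),
    "scan finished",  # non-JSON log noise that must be skipped
])


def normalize(scan_output):
    """Map scanner lines to the Discovery fields, dropping the raw secret."""
    findings = []
    for line in scan_output.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # log line, not a finding
        if not isinstance(rec, dict) or "DetectorName" not in rec:
            continue
        # Location sits under the source-type key (Filesystem, Git, ...).
        sources = (rec.get("SourceMetadata") or {}).get("Data") or {}
        loc = next(iter(sources.values()), {})
        findings.append({
            "file": loc.get("file", "<unknown>"),
            "start_line": loc.get("line"),
            "end_line": loc.get("line"),  # the scanner reports a single line
            "detector": rec["DetectorName"],
            # Assumed mapping: the page asks for "confidence"; use Verified.
            "confidence": "verified" if rec.get("Verified") else "unverified",
        })
    return findings


def gate(findings, block_unverified=True):
    """Validation step 1: pass only when nothing blocking remains."""
    blocking = [f for f in findings
                if block_unverified or f["confidence"] == "verified"]
    return {"passed": not blocking, "blocking": blocking}


if __name__ == "__main__":
    print(json.dumps(gate(normalize(SAMPLE_SCAN)), indent=2))
```

A passing gate on HEAD says nothing about earlier commits, so the rotation checklist still applies to every finding from Discovery.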


Variations

  • Swap TruffleHog for GitGuardian or Cycode in .mcp.json

  • Scan a larger commit history or specific branches

  • Integrate with Jira in Rovo Dev CLI to auto-create rotation tickets


Troubleshooting

  • If Claude does not detect servers, confirm .mcp.json is in the project root and was added with claude mcp add --scope project.

  • If Rovo does not load servers, check ~/.rovodev/mcp.json for valid JSON syntax and restart the CLI.

  • For cross-platform issues, ensure npx and Python MCP servers are on your PATH.


Key Differences Noticed

  • Claude prompts for explicit approval on first use of each MCP server in project scope.

  • Rovo reads servers from a fixed location and uses config.yml for permission management, making setup predictable but less flexible per project.


Back to the Cookbook

See the full Awesome MCP Workflows Cookbook for all 10 recipes.
