Efficient MCP Workflow: Automated Security Fixes

The goal of this MCP recipe is to detect newly introduced secrets in recent commits, propose minimal safe fixes, apply patches, and open a pull request that includes a rotation checklist and validation steps.

Prerequisites

Git repository with recent commits
Access to Claude Code CLI or Rovo Dev CLI
Installed MCP servers for:
- Secret scanning (e.g., TruffleHog, GitGuardian, Cycode)
- Git operations
- Patch application or refactoring
Environment variables:
- GIT_TOKEN for repository operations
- SCANNER_API_KEY for your chosen secrets scanner
Optional: Pre-commit hook to prevent regressions

MCP Setup

Claude Code CLI

Place this in a project-scoped .mcp.json at your repo root:

{
  "mcpServers": {
    "trufflehog": {
      "command": "npx",
      "args": ["-y", "trufflehog", "filesystem", "--fail", "--json"]
    },
    "git": {
      "command": "python",
      "args": ["-m", "mcp_server_git"]
    },
    "patcher": {
      "command": "python",
      "args": ["-m", "mcp_server_filesystem", "."]
    }
  }
}

Add with:

claude mcp add --scope project trufflehog npx -y trufflehog filesystem --fail --json

Claude will prompt for approval when the project opens.

Rovo Dev CLI

Place this in ~/.rovodev/mcp.json:

{
  "mcpServers": {
    "trufflehog": {
      "command": "npx",
      "args": ["-y", "trufflehog", "filesystem", "--fail", "--json"]
    },
    "git": {
      "command": "python",
      "args": ["-m", "mcp_server_git"]
    },
    "patcher": {
      "command": "python",
      "args": ["-m", "mcp_server_filesystem", "."]
    }
  }
}

Permissions for file writes and tool calls are managed in ~/.rovodev/config.yml.

Prompts to Run in Either CLI

Discovery

Scan the last 20 commits for secrets using the secrets scanner MCP. Return findings as JSON with file path, start line, end line, detector, and confidence.

Plan

For each finding, propose the smallest safe fix. Remove or replace the secret, move it to a secret manager or environment variable, and mask it in tests where necessary. Note if rotation is required and list impacted systems.

Apply

Generate minimal patches per file and stage them on a new branch fix/secrets-sweep-<date>. Do not apply changes that break tests; propose fallback if necessary.

Open a pull request and include docs/security/rotation-checklist.md with a checklist of systems to rotate, test verification steps, and CI status links. Add repo owners and SecOps as reviewers.

Validation Steps

Re-run the secrets scanner locally against HEAD and confirm zero findings.
CI build should pass with no new warnings.
PR description should include rotation guidance and scope.
If using a pre-commit hook, verify it blocks re-introduction of similar secrets.

Variations

Swap TruffleHog for GitGuardian or Cycode in .mcp.json
Scan a larger commit history or specific branches
Integrate with Jira in Rovo Dev CLI to auto-create rotation tickets

Troubleshooting

If Claude does not detect servers, confirm .mcp.json is in the project root and was added with claude mcp add --scope project.
If Rovo does not load servers, check ~/.rovodev/mcp.json for valid JSON syntax and restart the CLI.
For cross-platform issues, ensure npx and Python MCP servers are on your PATH.

Key Differences Noticed

Claude prompts for explicit approval on first use of each MCP server in project scope.
Rovo reads servers from a fixed location and uses config.yml for permission management, making setup predictable but less per-project flexible.

Back to the Cookbook

See the full Awesome MCP Workflows Cookbook for all 10 recipes.

MCP Workflow: Security Leak Triage, Automated Fix, and PR (Claude Code CLI and Rovo Dev CLI)