mcp-server-git
Provides Git repository operations through MCP tools for AI-assisted version control workflows including status checking, diffing, committing, branching, and file staging.
Trust score: 79 / 100 · Grade C (C = 70–79)
“I need to perform Git operations programmatically through an AI assistant for version control tasks like checking status, viewing diffs, making commits, and managing branches.”
mcp-server-git earned Certified status with a trust score of 79/100 (Grade C). Adversarial testing produced 1 finding (1 high). Supply chain contains 116 components with 44 known vulnerabilities. Security scan: clean.
Trust Score Breakdown
Eight weighted signals composing the aggregate trust score
Scheme v2.0 · Weights provisional · Consumer confirmations and uptime use pipeline-derived baselines.
Findings
Security scan results, adversarial testing, and pipeline review
Security Scan — Cisco MCP Scanner
Adversarial Testing — 5 categories, 1 finding
The MCP server crashed while processing adversarial input. Crash occurred during test "Direct instruction override" on tool git_status. A robust server should handle all inputs gracefully without crashing.
Methodology v1.0 · 5 categories · ~55 attack patterns
Pipeline Review — 3 findings
Unmitigated high vulnerability in Scintilla@4.4.6: CVE-2019-16294
Unmitigated high vulnerability in Python@3.10.20: CVE-2023-36632
Unmitigated high vulnerability in Python@3.10.20: CVE-2026-4519
OWASP MCP Top 10 Coverage
Evaluation activity mapped to the OWASP MCP Top 10 risk framework
| OWASP MCP risk | Evaluation activity |
|---|---|
| Excessive Agency & Permissions | Cisco scanner behavioral analysis of permission scope |
| Unauthorized Data Access | Category 3 (data exfiltration) attack patterns |
| Tool Poisoning | Category 1 (prompt injection) and Category 5 (context poisoning) attack patterns |
| Supply Chain Vulnerabilities | SBOM generation (syft/cdxgen) and vulnerability scanning (grype/osv-scanner/npm audit) |
| Command Injection | Category 2 (privilege escalation) and Category 6 (repo config injection) attack patterns |
| Intent Subversion | Category 1 (prompt injection) and Category 4 (capability squatting) attack patterns |
| Insecure Data Handling | Cisco scanner data flow and sensitive data handling analysis |
| Insufficient Logging | Not directly tested — logging adequacy requires runtime observation beyond current pipeline scope |
| Resource Exhaustion | Resource profiling (CPU, memory) during functional and adversarial testing |
| Context Injection | Category 5 (context poisoning) attack patterns |
OWASP MCP Top 10 (Beta) — owasp.org/www-project-mcp-top-10
Supply Chain
SBOM analysis and vulnerability assessment
| Components | Direct deps | Transitive deps | Total vulns |
|---|---|---|---|
| 116 | 1 | 115 | 44 |
Vulnerability breakdown
Format: CycloneDX 1.5 · Generated: Mar 28, 2026
Behavioral Fingerprint
Runtime performance baseline for drift detection
| Samples | Error rate | Peak memory | Avg CPU |
|---|---|---|---|
| 652 | 42.6% | 34.8 MB | —% |
Response time distribution
Output size distribution
Per-tool performance
| Tool | p50 | p95 | Error rate | Samples |
|---|---|---|---|---|
| git_add | 6ms | 12ms | 32.0% | 51 |
| git_log | 9ms | 12ms | 53.3% | 43 |
| git_diff | 6ms | 12ms | 47.8% | 70 |
| git_show | 4ms | 7ms | 45.4% | 65 |
| git_reset | 4ms | 6ms | 36.8% | 36 |
| git_branch | 8ms | 15ms | 39.1% | 67 |
| git_commit | 5ms | 9ms | 40.4% | 65 |
| git_status | 4ms | 6ms | 34.4% | 42 |
| git_checkout | 5ms | 7ms | 41.4% | 65 |
| git_diff_staged | 5ms | 8ms | 46.1% | 41 |
| git_create_branch | 6ms | 9ms | 40.5% | 66 |
| git_diff_unstaged | 5ms | 8ms | 47.4% | 41 |
Fingerprint v1.0 · Baseline: Mar 28, 2026 · Status: baseline
Interface
Enumerated tools, resources, and prompts
Tools (12)
| Tool | Description |
|---|---|
| git_status | Shows the working tree status |
| git_diff_unstaged | Shows changes in the working directory that are not yet staged |
| git_diff_staged | Shows changes that are staged for commit |
| git_diff | Shows differences between branches or commits |
| git_commit | Records changes to the repository |
| git_add | Adds file contents to the staging area |
| git_reset | Unstages all staged changes |
| git_log | Shows the commit logs |
| git_create_branch | Creates a new branch from an optional base branch |
| git_checkout | Switches branches |
| git_show | Shows the contents of a commit |
| git_branch | List Git branches |
Transport: stdio
Scope & Permissions
What this capability can and cannot access — derived from pipeline analysis
no
no
yes
no
yes
no
Side effects
May modify files on disk
Invokes external commands or tools
Behavioral Guarantees
Claims extracted from publisher documentation — each tagged with provenance
Shows working tree status via git_status tool (author)
Shows changes in working directory not yet staged via git_diff_unstaged tool (author)
Shows changes that are staged for commit via git_diff_staged tool (author)
Shows differences between branches or commits via git_diff tool (author)
Records changes to the repository via git_commit tool (author)
Adds file contents to the staging area via git_add tool (author)
Unstages all staged changes via git_reset tool (author)
Shows commit logs with optional date filtering via git_log tool (author)
Creates new branches via git_create_branch tool (author)
Switches branches via git_checkout tool (author)
Shows contents of a commit via git_show tool (author)
Lists Git branches via git_branch tool (author)
Accepts ISO 8601 format, relative dates, or absolute dates for timestamp filtering in git_log (author)
Returns confirmation with new commit hash for git_commit operations (author)
Returns confirmation of staged files for git_add operations (author)
Returns confirmation of reset operation for git_reset (author)
Returns confirmation of branch creation for git_create_branch (author)
Returns confirmation of branch switch for git_checkout (author)
Known failure modes
Currently in early development - functionality and available tools are subject to change and expansion
Sources: author, protocol
Certification Notes
Provenance observations from the pipeline
Publisher "Anthropic, PBC." is not verified — first certification from this publisher
Capability requires filesystem write access — review scope of file operations
Single contributor — no peer review evidence in commit history
Repository is 11 days old — recently created
Signed Artifact
Certification provenance and verification metadata
Pipeline Artifacts
Raw data files from this certification run — downloadable for independent verification
| File | Contents |
|---|---|
| contract.json | Full unsigned contract |
| stage1-ingest.json | Ingest stage output |
| stage2a-sbom.json | SBOM generation results |
| stage2a-vulns.json | Vulnerability scan results |
| stage2b-security.json | Security scan results |
| stage3a-functional.json | Functional test results |
| stage3b-adversarial.json | Adversarial test results |
| stage3c-fingerprint.json | Behavioral fingerprint |
| stage4-certify.json | Certification decision + trust score |
| stage3a-measurements.json | Raw functional test measurements |
| stage3b-measurements.json | Raw adversarial test measurements |
| run-log.json | Pipeline execution log |
Not all files may be present for every certification.