# MCP Workflow: Security Leak Triage, Automated Fix, and PR (Claude Code CLI and Rovo Dev CLI)

The goal of this MCP recipe is to detect newly introduced secrets in recent commits, propose minimal safe fixes, apply patches, and open a pull request that includes a rotation checklist and validation steps.

---

## **Prerequisites**

* Git repository with recent commits
* Access to Claude Code CLI or Rovo Dev CLI
* Installed MCP servers for:
    * Secret scanning (e.g., TruffleHog, GitGuardian, Cycode)
    * Git operations
    * Patch application or refactoring
* Environment variables:
    * `GIT_TOKEN` for repository operations
    * `SCANNER_API_KEY` for your chosen secrets scanner
* Optional: Pre-commit hook to prevent regressions

---

## **MCP Setup**

### Claude Code CLI

Place this in a project-scoped `.mcp.json` at your repo root:

```json
{
  "mcpServers": {
    "trufflehog": {
      "command": "npx",
      "args": ["-y", "trufflehog", "filesystem", "--fail", "--json"]
    },
    "git": {
      "command": "python",
      "args": ["-m", "mcp_server_git"]
    },
    "patcher": {
      "command": "python",
      "args": ["-m", "mcp_server_filesystem", "."]
    }
  }
}
```

Or register the same server from the command line, which writes this entry into `.mcp.json` for you (the `--` separates Claude's own options from the server command and its arguments):

```bash
claude mcp add --scope project trufflehog -- npx -y trufflehog filesystem --fail --json
```

Claude will prompt for approval when the project opens.

---

### Rovo Dev CLI

Place this in `~/.rovodev/mcp.json`:

```json
{
  "mcpServers": {
    "trufflehog": {
      "command": "npx",
      "args": ["-y", "trufflehog", "filesystem", "--fail", "--json"]
    },
    "git": {
      "command": "python",
      "args": ["-m", "mcp_server_git"]
    },
    "patcher": {
      "command": "python",
      "args": ["-m", "mcp_server_filesystem", "."]
    }
  }
}
```

Permissions for file writes and tool calls are managed in `~/.rovodev/config.yml`.

---

## **Prompts to Run in Either CLI**

**Discovery**

> Scan the last 20 commits for secrets using the secrets scanner MCP. Return findings as JSON with file path, start line, end line, detector, and confidence.

**Plan**

> For each finding, propose the smallest safe fix. Remove or replace the secret, move it to a secret manager or environment variable, and mask it in tests where necessary. Note if rotation is required and list impacted systems.

**Apply**

> Generate minimal patches per file and stage them on a new branch `fix/secrets-sweep-<date>`. Do not apply changes that break tests; propose fallback if necessary.

**PR**

> Open a pull request and include `docs/security/rotation-checklist.md` with a checklist of systems to rotate, test verification steps, and CI status links. Add repo owners and SecOps as reviewers.
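The Plan, Apply, and PR prompts ask the agent to do three things per finding: replace the literal, produce a minimal patch, and record a rotation item. The Python below is an added example of that sequence for one finding; it is not code from the recipe, from either CLI, or from any MCP server. It rewrites a Python-style `name = "literal"` line to an `os.environ` lookup, emits a unified diff, and drafts a checklist line that identifies the leaked value only by a SHA-256 fingerprint, so the PR and checklist never re-publish the secret. The finding fields (`path`, `start_line`, `detector`, `confidence`) mirror the JSON the Discovery prompt asks for; the sample source and finding are constructed, and the AWS key is AWS's documented example value, not a live credential.

```python
"""Minimal-fix generator for one secret finding (added example, not the
recipe's MCP tooling). Rewrites a Python-style `name = "literal"` line to an
os.environ lookup, emits a unified diff, and drafts a rotation-checklist line
that identifies the leaked value only by a SHA-256 fingerprint."""
import difflib
import hashlib
import re
from typing import Dict

# Python-style string assignment: indent, name, `=`, quoted literal, trailing text.
# Other formats (YAML, .env, Java) need their own substitution and are rejected.
ASSIGNMENT_RE = re.compile(
    r'^(?P<indent>\s*)(?P<name>[A-Za-z_]\w*)(?P<sep>\s*=\s*)'
    r'(?P<quote>["\'])(?P<value>[^"\']+)(?P=quote)(?P<rest>.*)$'
)

# Constructed sample input; the finding fields mirror the Discovery prompt's JSON.
SAMPLE_SOURCE = (
    'BASE_URL = "https://example.invalid"\n'
    'aws_key = "AKIAIOSFODNN7EXAMPLE"  # AWS documentation example key, not live\n'
)
SAMPLE_FINDING = {"path": "app/config.py", "start_line": 2,
                  "detector": "aws-access-key-id", "confidence": "high"}


def fingerprint(secret: str) -> str:
    """12-hex-char SHA-256 prefix: enough to correlate with the scanner's
    finding, useless for recovering the value."""
    return hashlib.sha256(secret.encode()).hexdigest()[:12]


def propose_fix(source: str, finding: Dict) -> Dict:
    """Return the patch and checklist entry for one finding.

    Raises ValueError when the flagged line is not a simple string assignment,
    so the caller can fall back to manual review instead of guessing a patch
    (the Apply prompt's "propose fallback if necessary").
    """
    lines = source.splitlines(keepends=True)
    idx = finding["start_line"] - 1
    m = ASSIGNMENT_RE.match(lines[idx].rstrip("\n"))
    if not m:
        raise ValueError(
            f"{finding['path']}:{finding['start_line']} is not a simple string assignment")
    env_name = m.group("name").upper()
    patched = list(lines)
    patched[idx] = (f'{m.group("indent")}{m.group("name")}{m.group("sep")}'
                    f'os.environ["{env_name}"]{m.group("rest")}\n')
    # Add the import only when the file lacks it.
    if not any(line.strip() == "import os" for line in patched):
        patched.insert(0, "import os\n")
    patch = "".join(difflib.unified_diff(
        lines, patched, fromfile=f"a/{finding['path']}", tofile=f"b/{finding['path']}"))
    # The checklist carries a fingerprint, never the value itself.
    entry = (f"- [ ] Rotate the credential now read from `{env_name}` "
             f"({finding['detector']}, confidence {finding['confidence']}); "
             f"leaked value fingerprint sha256:{fingerprint(m.group('value'))}; "
             f"was hardcoded in `{finding['path']}` line {finding['start_line']}")
    return {"env_name": env_name, "patch": patch,
            "checklist_entry": entry, "rotation_required": True}


if __name__ == "__main__":
    result = propose_fix(SAMPLE_SOURCE, SAMPLE_FINDING)
    print(result["patch"])
    print(result["checklist_entry"])
```

The removed `-` line of the diff still contains the secret, as any patch must; that is why the value has to be rotated regardless of the fix, and why the checklist entry, which outlives the PR, carries only the fingerprint.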

---

## **Validation Steps**

1. Re-run the secrets scanner locally against `HEAD` and confirm zero findings.
2. CI build should pass with no new warnings.
3. PR description should include rotation guidance and scope.
4. If using a pre-commit hook, verify it blocks re-introduction of similar secrets.
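The Discovery prompt and validation step 4 both depend on a scanner that looks at changed lines rather than the whole tree: recent commits in one case, the staged diff in the other. The Python below is an added illustration of that idea; it is not TruffleHog, not a scanner MCP server, and not code from either CLI. It walks the added lines of a unified diff with a small detector set, emits findings in the shape the Discovery prompt asks for (path, start and end line, detector, confidence), and exits non-zero when run as a pre-commit hook over `git diff --cached -U0`; piping `git log -p -20` into it with `-` covers recent commits instead. The detectors, the entropy threshold, and the sample diff are all constructed for the example; a production scanner ships hundreds of detectors and typically verifies candidates against the issuing service before reporting them.

```python
"""Diff-oriented secret scanner (added example; not TruffleHog or any other
scanner MCP server). Walks the added lines of a unified diff, applies a small
illustrative detector set, and returns findings shaped like the Discovery
prompt's JSON. Run stand-alone it scans `git diff --cached -U0`, so the same
code doubles as a pre-commit hook; `-` reads a diff from stdin, `--sample`
runs the constructed sample below."""
import json
import math
import re
import subprocess
import sys
from collections import Counter
from typing import Dict, List

HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

# (detector name, pattern, confidence). The generic detector captures the value
# so it can be entropy-filtered; the others match well-known fixed formats.
DETECTORS = [
    ("aws-access-key-id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"), "high"),
    ("private-key-block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"), "high"),
    ("generic-assignment",
     re.compile(r"(?i)(?:secret|token|passw(?:or)?d|api[_-]?key)\w*\s*[:=]\s*['\"]([^'\"]{12,})['\"]"),
     "medium"),
]
MIN_ENTROPY = 3.5  # bits/char; placeholders such as "placeholder-placeholder" fall below this


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's character-frequency distribution."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_diff(diff_text: str) -> List[Dict]:
    """Return one finding per (added line, detector hit), with new-file line numbers."""
    findings: List[Dict] = []
    path, new_line = None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):              # target-file header; strip git's b/ prefix
            path = raw[4:].strip()              # (an added line that itself starts "++ " would
            path = path[2:] if path.startswith("b/") else path  # be misread; rare in practice)
        elif raw.startswith("-"):
            continue                            # "--- " header or removed line: not a new leak
        elif raw.startswith("@@"):
            new_line = int(HUNK_RE.match(raw).group(1))
        elif raw.startswith("+"):
            content = raw[1:]
            for name, rx, confidence in DETECTORS:
                m = rx.search(content)
                if not m:
                    continue
                if name == "generic-assignment" and shannon_entropy(m.group(1)) < MIN_ENTROPY:
                    continue                    # low-entropy literal: likely a placeholder
                findings.append({"path": path, "start_line": new_line, "end_line": new_line,
                                 "detector": name, "confidence": confidence})
            new_line += 1
        elif raw.startswith(" ") or raw == "":
            new_line += 1                       # context line
        # diff/index/mode headers and "\ No newline" markers do not advance the counter
    return findings


# Constructed sample: a -U0 style diff with AWS's documented example key, one
# high-entropy API key, one low-entropy placeholder that must be suppressed,
# and a private-key header in a new file.
SAMPLE_DIFF = """\
diff --git a/app/config.py b/app/config.py
--- a/app/config.py
+++ b/app/config.py
@@ -10,2 +10,5 @@ class Settings:
 BASE_URL = "https://example.invalid"
+aws_key = "AKIAIOSFODNN7EXAMPLE"
+api_key = "a9F3kL2pQ7xZ1mN4bV8cR6tY0wE5uI"
+password = "placeholder-placeholder"
 DEBUG = False
diff --git a/deploy/key.pem b/deploy/key.pem
new file mode 100644
--- /dev/null
+++ b/deploy/key.pem
@@ -0,0 +1,2 @@
+-----BEGIN RSA PRIVATE KEY-----
+(constructed placeholder body, not key material)
"""


def main(argv: List[str]) -> int:
    """Hook entry point: exit 1 when the scanned diff contains findings."""
    if argv[1:] == ["--sample"]:
        diff = SAMPLE_DIFF
    elif argv[1:] == ["-"]:
        diff = sys.stdin.read()
    else:
        diff = subprocess.run(["git", "diff", "--cached", "-U0"],
                              capture_output=True, text=True, check=True).stdout
    findings = scan_diff(diff)
    print(json.dumps(findings, indent=2))
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Installed as `.git/hooks/pre-commit`, the non-zero exit blocks the commit, which is the behaviour validation step 4 asks you to confirm. The entropy filter is what keeps a hook like this tolerable on a real team: without it, every `password = "changeme-in-prod"` fixture would fail the commit.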

---

## **Variations**

* Swap TruffleHog for GitGuardian or Cycode in `.mcp.json`
* Scan a larger commit history or specific branches
* Integrate with Jira in Rovo Dev CLI to auto-create rotation tickets

---

## **Troubleshooting**

* If Claude does not detect servers, confirm `.mcp.json` is in the project root and was added with `claude mcp add --scope project`.
* If Rovo does not load servers, check `~/.rovodev/mcp.json` for valid JSON syntax and restart the CLI.
* For cross-platform issues, ensure `npx` and Python MCP servers are on your PATH.

---

## **Key Differences Noticed**

* Claude prompts for explicit approval on first use of each MCP server in project scope.
* Rovo reads servers from a fixed location and uses `config.yml` for permission management, which makes setup predictable but less flexible per project.

---

## **Back to the Cookbook**

[See the full Awesome MCP Workflows Cookbook](https://harishgarg.com/mcp-workflows-cookbook-10-end-to-end-recipes-for-claude-code-cli-and-rovo-dev-cli) for all 10 recipes.
