Configuration
Most projects ship with no config. When you need overrides, here they are.
CLI flags
| Flag | Alias | Description |
|---|---|---|
| --format | -f | Output format: text / json / sarif / markdown. |
| --output | -o | Write the report to a file instead of stdout. |
| --report | — | POST the grade to the badge API. Requires owner/repo. |
| --fail-on | — | Exit 1 if the grade is below this threshold (A/B/C/D/F). |
| --disable | — | Skip a check by OWASP ID. Repeatable. |
| --ignore | — | Glob to exclude. Repeatable. |
| --version | -V | Print version. -v is reserved. |
.mcp-sentry.json

```json
{
  "ignore": ["src/fixtures/**", "src/test/**"],
  "disable": ["MCP08"],
  "failOn": "B",
  "report": { "owner": "acme", "repo": "my-mcp-server" }
}
```

Inline suppression
```js
// mcp-sentry-ignore: MCP05
exec(userInput);
```

Suppressed findings are excluded from grading and reported with "suppressed": true.
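The example below is added here to show how the options above combine; it is not mcp-sentry's own code. It assumes a `mcp-sentry-ignore` comment applies to the line directly beneath it, approximates `**` globs with `fnmatch`, and uses a constructed stand-in for the grade (one letter per active finding), since the real scoring is not described on this page.

```python
"""Added model of ignore / disable / failOn / inline suppression (not mcp-sentry's code)."""
import fnmatch, json, re
from dataclasses import dataclass, asdict

GRADES = "ABCDF"  # best to worst, the order --fail-on compares against
SUPPRESS_RE = re.compile(r"//\s*mcp-sentry-ignore:\s*(MCP\d+)")

@dataclass
class Finding:
    check: str           # OWASP check ID, e.g. MCP05
    path: str
    line: int            # 1-based line of the flagged statement
    suppressed: bool = False

def ignored(path, globs):
    return any(fnmatch.fnmatch(path, g) for g in globs)  # fnmatch '*' also spans '/'

def suppressed_lines(source):
    """Assumed scope: a comment on line n suppresses the named check on line n+1."""
    out = {}
    for n, text in enumerate(source.splitlines(), start=1):
        m = SUPPRESS_RE.search(text)
        if m:
            out.setdefault(n + 1, set()).add(m.group(1))
    return out

def apply_config(findings, sources, config):
    """Drop ignored paths and disabled checks; flag inline-suppressed findings but keep them."""
    kept = []
    for f in findings:
        if ignored(f.path, config.get("ignore", [])) or f.check in config.get("disable", []):
            continue
        if f.check in suppressed_lines(sources.get(f.path, "")).get(f.line, set()):
            f.suppressed = True  # still reported, excluded from grading
        kept.append(f)
    return kept

def grade(findings):
    """Constructed stand-in: one step down per active finding, capped at F."""
    return GRADES[min(sum(1 for f in findings if not f.suppressed), len(GRADES) - 1)]

def exit_code(letter, fail_on):
    return 1 if GRADES.index(letter) > GRADES.index(fail_on) else 0

def report(findings):
    return json.dumps([asdict(f) for f in findings], indent=2)

# Constructed sample: one suppressed exec, two active ones, a disabled check, an ignored fixture.
CONFIG = {"ignore": ["src/test/**"], "disable": ["MCP08"], "failOn": "B"}
SOURCES = {"src/tool.ts": "// mcp-sentry-ignore: MCP05\nexec(a);\nexec(b);\nexec(c);\n"}
FINDINGS = [Finding("MCP05", "src/tool.ts", 2), Finding("MCP05", "src/tool.ts", 3),
            Finding("MCP05", "src/tool.ts", 4), Finding("MCP08", "src/tool.ts", 3),
            Finding("MCP01", "src/test/fixture.ts", 1)]

def run(findings=FINDINGS, sources=SOURCES, config=CONFIG):
    kept = apply_config([Finding(**asdict(f)) for f in findings], sources, config)
    g = grade(kept)
    return kept, g, exit_code(g, config["failOn"])
```

With the sample data the two unsuppressed MCP05 findings drive the grade to C, which is below the configured failOn of B, so the run exits 1 while the suppressed finding still appears in the report with "suppressed": true.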