grade C

10 days ago

npm

opengrok-mcp-server

MCP server bridging OpenGrok search engine with AI for instant context across massive codebases

→ IcyHot09/opengrok-mcp-server· npm: opengrok-mcp-server· listed on npm

Install from

npm npm Glama

M8ven verifies MCPs across every public registry — install directly from whichever one you prefer.

// key findings

✅

25 tools verified — handlers match their declared behaviour

2 read-only tools verified — handlers contain no write/delete/exec

✅

No credential exfiltration, no sensitive file access, no obfuscation

Static analysis found nothing flowing your secrets to unexpected places.

✅

Open source with a license and README

Anyone can audit the code, the license is declared, and the publisher documents what it does.

🔐

You'll be asked for 2 credentials: OPENGROK_PASSWORD, OPENGROK_PASSWORD_KEY

These are read from process.env at runtime. Make sure you trust where they’ll be sent.

// required environment variables

This server reads these from process.env. You'll be asked to provide them before it can run.

configHTTPS_PROXY

configHTTP_PROXY

configOPENGROK_ALLOWED_ORIGINS— comma-separated origins CORS allowlist (replaces wildcard CORS)

configOPENGROK_AUTH_SERVERS— comma-separated URLs Trusted authorization server URIs

configOPENGROK_BASE_URL— opengrok-mcp status Health check: validates connectivity and detects installed MCP clients. Reads config from ~/.claude.json, ~/.copilot/mcp-config.json, or Codex TOML when is not in env

configOPENGROK_CACHE_ENABLED— true (default) / false Enable TTL response cache

configOPENGROK_CACHE_MAX_SIZE— integer (default: 500) Max cache entries

configOPENGROK_CODE_MODE— Set =true to switch to a 5-tool interface optimised for multi-step investigations:

configOPENGROK_CONTEXT_BUDGET— standard (default) / minimal / generous Response size tier: 8 KB / 4 KB / 16 KB

configOPENGROK_JWKS_URI— URL JWKS endpoint for JWT validation (OAuth 2.1 resource server mode)

configOPENGROK_LOG_LEVEL— debug / info (default) Verbose structured logging to stderr

configOPENGROK_MAX_INLINE_LINES

configOPENGROK_MAX_RESPONSE_BYTES

configOPENGROK_MEMORY_BANK_DIR— path Override directory for active-task.md + investigation-log.md files

🔐 secretOPENGROK_PASSWORD— string Authentication password (prefer OS keychain via npx opengrok-mcp-server setup)

configOPENGROK_PASSWORD_FILE

🔐 secretOPENGROK_PASSWORD_KEY

configOPENGROK_RESOURCE_URI— URL This server's resource URI, advertised in RFC 9728 metadata

configOPENGROK_RESPONSE_FORMAT_OVERRIDE— tsv / toon / yaml / text / markdown Force a response format globally for all tools

configOPENGROK_SCOPE_MAP— scope:role,... Map JWT scopes to RBAC roles (e.g., read:readonly,admin:admin)

configOPENGROK_SEARCH_AND_READ_CAP

configOPENGROK_STRICT_OAUTH— true / false Reject requests without a valid JWT when OPENGROK_JWKS_URI is set

configOPENGROK_TIMEOUT— integer (seconds, default: 30) HTTP request timeout

configOPENGROK_USERNAME— string Authentication username (optional — leave unset for anonymous access)

configOPENGROK_VERIFY_SSL— true (default) / false Disable TLS verification for self-signed certs

configVSCODE_IPC_HOOK_CLI

configXDG_CONFIG_HOME

// full audit trail

The full breakdown of what we checked, the deductions that landed, the network hosts, the dependency advisories, and concrete fix guidance is available to verified publishers.

// improvement guidance — verified publishers only

We have 4 concrete improvements we can share with the publisher of this MCP. Each comes with specific guidance to raise the trust score.

// embed badge in your README

[![M8ven Score](https://m8ven.ai/badge/mcp/npm-https-github-com-icyhot09-opengrok-mcp-server)](https://m8ven.ai/mcp/npm-https-github-com-icyhot09-opengrok-mcp-server)

commit: 344399522c438ad268434bd5487838e5453b0ebf

code hash: dde339b5c87923f212acbff040d53f5416fe188ffdf1df1477c9a106b686acff

verified: 4/11/2026, 1:46:43 PM

view raw JSON →