# Drift Detection

Continuous monitoring for drift between the lock file and the live server, and how to respond when drift is detected.
## What is Drift?

Definition: Any difference between the state recorded in the lock file and the live server state.

Causes:
- Server updated (new version deployed)
- Configuration change (server started with different flags)
- Supply chain attack (malicious modification of the server or its dependencies)
## Detecting Drift

Command:

```bash
mcptrust check -- "npx -y @scope/server /args"
# Exit 0 = no drift
# Exit 1 = drift detected
# Exit 2 = runtime/usage error
```

Detailed output:

```bash
mcptrust diff -- "npx -y @scope/server /args"
```

Shows: tool name, drift type, severity, before/after values.
## Drift in CI

Example GitHub Action:

```yaml
- uses: mcptrust/mcptrust/.github/actions/mcptrust@v0.1.1
  with:
    mode: check
    server_command: 'npx -y @scope/server /tmp'
    # Fails the PR if drift is detected
```

## Drift at Runtime (Proxy)

Command:

```bash
mcptrust proxy --lock mcp-lock.json -- "npx -y @scope/server /tmp"
```

Behavior:
- Before bridging traffic, performs a preflight drift check.
- If drift exceeds the `--fail-on` threshold, refuses to start.
## Responding to Drift

Decision matrix:

| Scenario | Action |
|---|---|
| You deployed a new server version | Re-lock, review changes, re-sign |
| Upstream released a patch | Review release notes, re-lock if safe |
| Unexpected new tool appeared | INVESTIGATE. Possible attack. |
| Description typo fixed | Re-lock (low risk) |
| Schema changed | Carefully review new arguments. Re-lock only if safe. |
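The check, diff and proxy preflight behaviour described on this page, modelled in Python as an added example. This is not mcptrust's own code: it assumes a tool snapshot shaped as `{tool_name: {"description": ..., "inputSchema": ...}}`, a severity scale of low/medium/high/critical (the page does not define the scale or the values `--fail-on` accepts), and a severity for each drift type chosen to mirror the decision matrix above (an unexpected new tool is critical, a schema change is high, a description change is low). The locked and live snapshots are constructed inline.

```python
"""Lock-file drift detection modelled in Python (added example, not mcptrust's code).

Snapshot shape (assumed): {tool_name: {"description": str, "inputSchema": dict}}
"""
import json
from dataclasses import dataclass

# Assumed severity scale; the page does not define the values --fail-on accepts.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Drift type -> severity, chosen to mirror the decision matrix: an unexpected
# new tool is a possible attack, a schema change needs careful review of new
# arguments, a description change is low risk.
DRIFT_SEVERITY = {
    "tool_added": "critical",
    "tool_removed": "high",
    "schema_changed": "high",
    "description_changed": "low",
}


@dataclass
class Finding:
    """One row of diff-style output: tool name, drift type, severity, before/after."""
    tool: str
    drift_type: str
    severity: str
    before: object
    after: object


def diff_tools(locked: dict, live: dict) -> list:
    """Compare the locked snapshot with the live one and return every drift finding."""
    findings = []
    for name in sorted(set(locked) | set(live)):
        if name not in locked:
            findings.append(Finding(name, "tool_added", DRIFT_SEVERITY["tool_added"], None, live[name]))
            continue
        if name not in live:
            findings.append(Finding(name, "tool_removed", DRIFT_SEVERITY["tool_removed"], locked[name], None))
            continue
        was, now = locked[name], live[name]
        if was.get("description") != now.get("description"):
            findings.append(Finding(name, "description_changed", DRIFT_SEVERITY["description_changed"],
                                    was.get("description"), now.get("description")))
        if was.get("inputSchema") != now.get("inputSchema"):
            findings.append(Finding(name, "schema_changed", DRIFT_SEVERITY["schema_changed"],
                                    was.get("inputSchema"), now.get("inputSchema")))
    return findings


def exceeds_threshold(findings, fail_on: str) -> bool:
    """Proxy-style preflight gate: True if any finding is at or above the fail_on severity."""
    floor = SEVERITY_RANK[fail_on]
    return any(SEVERITY_RANK[f.severity] >= floor for f in findings)


def check_exit_code(locked_json: str, live_json: str) -> int:
    """Exit-code convention from the page: 0 = no drift, 1 = drift, 2 = runtime/usage error."""
    try:
        locked, live = json.loads(locked_json), json.loads(live_json)
    except json.JSONDecodeError:
        return 2
    if not (isinstance(locked, dict) and isinstance(live, dict)):
        return 2
    return 1 if diff_tools(locked, live) else 0


# Constructed sample snapshots: the live server fixed a typo, added an argument
# to an existing tool, and exposes a tool the lock file has never seen.
PATH_ARG = {"type": "object", "properties": {"path": {"type": "string"}}}
LOCKED = {
    "read_file": {"description": "Read a file from the workspace.",
                  "inputSchema": {**PATH_ARG, "required": ["path"]}},
    "list_dir": {"description": "List directory contnts.", "inputSchema": PATH_ARG},
}
LIVE = {
    "read_file": {"description": "Read a file from the workspace.",
                  "inputSchema": {"type": "object", "required": ["path"],
                                  "properties": {"path": {"type": "string"}, "encoding": {"type": "string"}}}},
    "list_dir": {"description": "List directory contents.", "inputSchema": PATH_ARG},
    "run_shell": {"description": "Run a command.",
                  "inputSchema": {"type": "object", "properties": {"cmd": {"type": "string"}}}},
}

if __name__ == "__main__":
    findings = diff_tools(LOCKED, LIVE)
    for f in findings:
        print(f"{f.tool:10} {f.drift_type:20} {f.severity:8} {f.before!r} -> {f.after!r}")
    print("check exit code:", check_exit_code(json.dumps(LOCKED), json.dumps(LIVE)))
    print("proxy refuses to start at --fail-on high:", exceeds_threshold(findings, "high"))
```

The three-way exit code is the part worth keeping in mind for CI: a runtime or usage error (exit 2, here a malformed snapshot) is not a clean run, so a pipeline step should treat 0 as pass and anything else as fail, and report 1 and 2 differently so that a broken server command is not mistaken for drift.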