Drop-in templates for CI/CD and agent runtimes.
Add this workflow to .github/workflows/mcptrust.yml to block pull requests that drift from the lockfile.
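name: MCPTrust Verification

# Stay on `pull_request`; do not switch to `pull_request_target`. This job
# installs and runs code from the pull request, which should never see
# repository secrets or a write-capable token.
on: [pull_request]

# Least privilege for GITHUB_TOKEN: the job only needs to read the repository.
permissions:
  contents: read

jobs:
  verify:
    runs-on: ubuntu-latest
    steps:
      # Consider pinning third-party actions to a full commit SHA.
      - uses: actions/checkout@v4
        with:
          # Keep the token out of the checkout's git config, since the
          # npm/npx steps below execute package code in this workspace.
          persist-credentials: false

      - name: Install MCPTrust
        # `@latest` resolves to whatever is newest at run time. This binary
        # decides pass/fail for the check, so pin it to a reviewed release
        # tag or commit once you have chosen one.
        run: go install github.com/mcptrust/mcptrust/cmd/mcptrust@latest

      - name: Verify Signature
        run: mcptrust verify

      - name: Check for Drift
        # Requires running the server.
        # Ensure your server dependencies are installed first.
        # `npm install` and `npx -y` download and execute package code on
        # the runner without prompting; keep secrets out of this job.
        run: |
          npm install
          mcptrust diff -- "npx -y @modelcontextprotocol/server-filesystem /tmp"

Use this shell script in GitLab CI, Jenkins, or locally.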
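#!/bin/bash
# Verifies the MCPTrust lockfile signature, then checks the live server for
# capability drift. Any failing step aborts the script with a non-zero exit
# status, so a CI job that runs it fails closed.
set -euo pipefail

# 1. Install (if not present)
# MCPTRUST_VERSION defaults to "latest", which resolves at install time.
# In CI, set it to a reviewed release tag or commit so the verifier itself
# cannot change underneath you.
MCPTRUST_VERSION="${MCPTRUST_VERSION:-latest}"
if ! command -v mcptrust >/dev/null 2>&1; then
    go install "github.com/mcptrust/mcptrust/cmd/mcptrust@${MCPTRUST_VERSION}"

    # go install writes to GOBIN, or to the first GOPATH entry's bin/ when
    # GOBIN is unset. That directory is not always on PATH, so add it;
    # otherwise the next step fails with "command not found".
    go_bin="$(go env GOBIN)"
    if [ -z "$go_bin" ]; then
        go_path="$(go env GOPATH)"
        go_bin="${go_path%%:*}/bin"
    fi
    export PATH="$go_bin:$PATH"
fi

# 2. Verify signature integrity
echo "Verifying lockfile signature..."
mcptrust verify

# 3. Check for drift against live server
# The quoted command after `--` is the server used for the comparison. This
# example uses the reference filesystem server; substitute the command that
# starts your own server.
echo "Checking for capability drift..."
mcptrust diff -- "npx -y @modelcontextprotocol/server-filesystem /tmp"

To ensure your agent only uses approved tools at runtime, you can wrap the server execution.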
// Example: Node.js Agent Runtime
import { execFileSync, execSync, spawn } from 'child_process';
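/**
 * Run `mcptrust verify` and, only if it succeeds, start the server with Node.
 *
 * Fails closed: if the verify command exits non-zero or cannot be started,
 * the whole process exits with status 1 and the server is never spawned.
 *
 * NOTE(review): `mcptrust verify` is the lockfile signature check. Nothing in
 * this function ties `serverPath` to what was verified, and the capability
 * comparison is the separate `mcptrust diff` step. Confirm that drift is
 * checked elsewhere before relying on this wrapper alone.
 *
 * @param {string} serverPath - Path of the server script passed to `node`.
 * @returns {import('child_process').ChildProcess} The spawned server process.
 */
function startSecureServer(serverPath) {
  // 1. Verify before starting
  try {
    // argv form instead of a command string: no shell is involved, so any
    // argument added here later cannot be reinterpreted by a shell.
    execFileSync('mcptrust', ['verify'], { stdio: 'inherit' });
  } catch (e) {
    // Also reached when the mcptrust binary is missing; refusing to start
    // is the safe outcome in both cases.
    console.error("Lockfile verification failed! Refusing to start.");
    process.exit(1);
  }

  // 2. Start the server
  // serverPath is passed as a single argv entry, never through a shell.
  return spawn('node', [serverPath], { stdio: 'inherit' });
}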