@neondatabase/mcp-server-neon v0.6.5

MCP server for interacting with Neon Management API and databases

| Total | Critical | High | Medium |
|---|---|---|---|
| 66 | 20 | 30 | 16 |

Findings
Environment file access (unknown)
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

7: export const SERVER_HOST = process.env.SERVER_HOST ?? `http://localhost:${SERVER_PORT}`;
8: export const CLIENT_ID = process.env.CLIENT_ID ?? '';
>>> 9: export const CLIENT_SECRET = process.env.CLIENT_SECRET ?? '';
10: export const UPSTREAM_OAUTH_HOST = process.env.UPSTREAM_OAUTH_HOST ?? 'https://oauth2.neon.tech';
11: export const REDIRECT_URI = `${SERVER_HOST}/callback`;

Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

29: });
30: export const authorizationCodes = createKeyv({
>>> 31: connectionString: process.env.OAUTH_DATABASE_URL,
32: schema: SCHEMA,
33: table: 'authorization_codes',

Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

6: export const SERVER_PORT = 3001;
7: export const SERVER_HOST = process.env.SERVER_HOST ?? `http://localhost:${SERVER_PORT}`;
>>> 8: export const CLIENT_ID = process.env.CLIENT_ID ?? '';
9: export const CLIENT_SECRET = process.env.CLIENT_SECRET ?? '';
10: export const UPSTREAM_OAUTH_HOST = process.env.UPSTREAM_OAUTH_HOST ?? 'https://oauth2.neon.tech';

Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

5: export const IS_DEV = NODE_ENV === 'development';
6: export const SERVER_PORT = 3001;
>>> 7: export const SERVER_HOST = process.env.SERVER_HOST ?? `http://localhost:${SERVER_PORT}`;
8: export const CLIENT_ID = process.env.CLIENT_ID ?? '';
9: export const CLIENT_SECRET = process.env.CLIENT_SECRET ?? '';

Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

2: config();
3: export const NEON_DEFAULT_DATABASE_NAME = 'neondb';
>>> 4: export const NODE_ENV = (process.env.NODE_ENV ?? 'production');
5: export const IS_DEV = NODE_ENV === 'development';
6: export const SERVER_PORT = 3001;

Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

267: # Testing
268:
>>> 269: To run the tests you need to setup the `.env` file according to the `.env.example` file.
270:
271: ```bash

Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

13: // Windows path - using %APPDATA%
14: // For Node.js, we access %APPDATA% via process.env.APPDATA
>>> 15: claudeConfigPath = path.join(process.env.APPDATA || '', 'Claude', 'claude_desktop_config.json');
16: }
17: else {

Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

12: if (platform === 'win32') {
13: // Windows path - using %APPDATA%
>>> 14: // For Node.js, we access %APPDATA% via process.env.APPDATA
15: claudeConfigPath = path.join(process.env.APPDATA || '', 'Claude', 'claude_desktop_config.json');
16: }

Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

13: export const COOKIE_SECRET = process.env.COOKIE_SECRET ?? '';
14: export const ANALYTICS_WRITE_KEY = process.env.ANALYTICS_WRITE_KEY ?? 'gFVzt8ozOp6AZRXoD0g0Lv6UQ6aaoS7O';
>>> 15: export const SENTRY_DSN = process.env.SENTRY_DSN ??
16: 'https://b3564134667aa2dfeaa3992a12d9c12f@o1373725.ingest.us.sentry.io/4509328350380033';

Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

21: });
22: export const refreshTokens = createKeyv({
>>> 23: connectionString: process.env.OAUTH_DATABASE_URL,
24: schema: SCHEMA,
25: table: 'refresh_tokens',

Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

74: \`\`\`
75:
>>> 76: Copy the above environment variables and place them in your \`.env.local\` file for Next.js project. Note that variables with \`NEXT_PUBLIC_\` prefix will be available in the client side.
77: `,
78: },

Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

12: export const NEON_API_HOST = process.env.NEON_API_HOST ?? 'https://console.neon.tech/api/v2';
13: export const COOKIE_SECRET = process.env.COOKIE_SECRET ?? '';
>>> 14: export const ANALYTICS_WRITE_KEY = process.env.ANALYTICS_WRITE_KEY ?? 'gFVzt8ozOp6AZRXoD0g0Lv6UQ6aaoS7O';
15: export const SENTRY_DSN = process.env.SENTRY_DSN ??
16: 'https://b3564134667aa2dfeaa3992a12d9c12f@o1373725.ingest.us.sentry.io/4509328350380033';

Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

256: If you're building an app with Next.js, to set up Neon Auth and Stack Auth, follow these steps:
257: 1. Provision a Neon Auth project with this tool
>>> 258: 2. Place the returned credentials in project's \`.env.local\` or \`.env\` file
259: - \`NEXT_PUBLIC_STACK_PROJECT_ID\`
260: - \`NEXT_PUBLIC_STACK_PUBLISHABLE_CLIENT_KEY\`

Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

4: init({
5: dsn: SENTRY_DSN,
>>> 6: environment: process.env.NODE_ENV,
7: release: getPackageJson().version,
8: tracesSampleRate: 1.0,

Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

11: export const REDIRECT_URI = `${SERVER_HOST}/callback`;
12: export const NEON_API_HOST = process.env.NEON_API_HOST ?? 'https://console.neon.tech/api/v2';
>>> 13: export const COOKIE_SECRET = process.env.COOKIE_SECRET ?? '';
14: export const ANALYTICS_WRITE_KEY = process.env.ANALYTICS_WRITE_KEY ?? 'gFVzt8ozOp6AZRXoD0g0Lv6UQ6aaoS7O';
15: export const SENTRY_DSN = process.env.SENTRY_DSN ??

Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

10: export const UPSTREAM_OAUTH_HOST = process.env.UPSTREAM_OAUTH_HOST ?? 'https://oauth2.neon.tech';
11: export const REDIRECT_URI = `${SERVER_HOST}/callback`;
>>> 12: export const NEON_API_HOST = process.env.NEON_API_HOST ?? 'https://console.neon.tech/api/v2';
13: export const COOKIE_SECRET = process.env.COOKIE_SECRET ?? '';
14: export const ANALYTICS_WRITE_KEY = process.env.ANALYTICS_WRITE_KEY ?? 'gFVzt8ozOp6AZRXoD0g0Lv6UQ6aaoS7O';

Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

8: export const CLIENT_ID = process.env.CLIENT_ID ?? '';
9: export const CLIENT_SECRET = process.env.CLIENT_SECRET ?? '';
>>> 10: export const UPSTREAM_OAUTH_HOST = process.env.UPSTREAM_OAUTH_HOST ?? 'https://oauth2.neon.tech';
11: export const REDIRECT_URI = `${SERVER_HOST}/callback`;
12: export const NEON_API_HOST = process.env.NEON_API_HOST ?? 'https://console.neon.tech/api/v2';

Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

13: });
14: export const tokens = createKeyv({
>>> 15: connectionString: process.env.OAUTH_DATABASE_URL,
16: schema: SCHEMA,
17: table: 'tokens',

Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

37: });
38: export const apiKeys = createKeyv({
>>> 39: connectionString: process.env.OAUTH_DATABASE_URL,
40: schema: SCHEMA,
41: table: 'api_keys',

Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

5: const createKeyv = (options) => new Keyv({ store: new KeyvPostgres(options) });
6: export const clients = createKeyv({
>>> 7: connectionString: process.env.OAUTH_DATABASE_URL,
8: schema: SCHEMA,
9: table: 'clients',

Decoded base64 content: (non-printable bytes)
Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.
Decoded base64 content: (non-printable bytes), 29 further findings
Each detected by automated pattern matching (rule DO-BAS) with medium confidence. May be false positives. The decoded content is non-printable binary in every case and is not reproduced here.
High-entropy string (4.7 bits/char) — possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

High-entropy string (4.6 bits/char) — possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

Possible Base64-encoded payload (long encoded string)
Detected by automated pattern matching (rule OB-001) with medium confidence. May be a false positive.

128: };
129: export const generateRandomString = (length) => {
>>> 130: const charset = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
131: const array = new Uint8Array(length);
132: crypto.getRandomValues(array);

High-entropy string (6.0 bits/char) — possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

High-entropy string (6.0 bits/char) — possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

High-entropy string (4.8 bits/char) — possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

High-entropy string (4.6 bits/char) — possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

High-entropy string (4.8 bits/char) — possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

High-entropy string (4.5 bits/char) — possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

High-entropy string (5.0 bits/char) — possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

High-entropy string (4.6 bits/char) — possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

High-entropy string (4.9 bits/char) — possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

High-entropy string (4.7 bits/char) — possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

JavaScript fetch() call
Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

1: async function fetchRawGithubContent(rawPath) {
2: const path = rawPath.replace('/blob', '');
>>> 3: return fetch(`https://raw.githubusercontent.com${path}`).then((res) => res.text());
4: }
5: export const NEON_RESOURCES = [

High-entropy string (4.7 bits/char) — possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

JavaScript fetch() call
Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

2: import { handleDescribeBranch } from './describe-branch.js';
3: import { generateConsoleUrl, CONSOLE_URLS } from './urls.js';
>>> 4: export async function handleFetch({ id }, neonClient, extra) {
5: try {
6: // Parse the ID format

Scan History

| Date | Risk | Findings | Files | Duration |
|---|---|---|---|---|
| Feb 25, 2026 | critical | 66 | 46 | 0.00s |
| Feb 23, 2026 | critical | 66 | 46 | 0.00s |
| Feb 22, 2026 | critical | 66 | 46 | 0.00s |