Safeguard.sh Documentation Center
MCP Integrations

Tool availability & gating

How Safeguard controls which MCP tools each tenant can see and call, with per-tool feature flags.

Safeguard's MCP server registers 650+ tools spanning vulnerability management, SBOM and supply-chain analysis, findings, compliance, cloud and API security, secrets, and more. Not every tool is exposed to every workspace. Instead, tool availability is governed per tenant so administrators decide exactly which capabilities their assistants can use.

How it works

Each MCP tool has its own feature flag of the form mcp:tool:<tool_name>. When your assistant connects, the server resolves the set of tools enabled for your tenant and uses that set for both:

  • Discovery (tools/list) — only enabled tools are advertised to the assistant, and
  • Execution (tools/call) — a call to a tool that is not enabled for your tenant is rejected.

Both surfaces resolve from the same source, so an assistant can never see a tool it cannot call, or call a tool it cannot see.

What's enabled by default

A fresh workspace starts with a curated default set of core tools covering the common onboarding loop — connect a repository, scan it, and browse the results:

  • Add an SCM integration
  • Scan a repository
  • List projects
  • List vulnerabilities
  • List findings

Every other tool stays available in the platform but is off until an administrator turns it on for the tenant.

Enabling more tools

Administrators enable or disable any tool per tenant from the Safeguard admin console, under Feature Flags. Search for a tool by name, toggle it on, and save — the change takes effect for new assistant sessions. This lets teams start narrow and widen access deliberately as they build trust in each capability.

Design principles

  • Least privilege by default. Only the curated default set is on out of the box; everything else is opt-in per tenant.
  • Tenant isolation. Enabled-tool resolution is scoped to your tenant, organization, and product context — one workspace's configuration never affects another's.
  • Fail safe, never fail open. If tool resolution cannot complete (for example, a transient outage), the server falls back to the small default set rather than exposing anything wider. An outage can never broaden what your assistant can do.
  • Stateless enforcement. The MCP server holds no database of its own; it resolves your enabled tools from Safeguard's authentication service at connection time.

On this page