Your First Certification

This tutorial walks you through the complete certification pipeline – from submitting an MCP server to downloading a certified artifact. By the end, you will understand how code moves through ingestion, analysis, scoring, and distribution.

Before You Begin

Make sure the platform is running. You need all three services active:

# Terminal 1: Hub web server
make dev

# Terminal 2: Analysis worker
make dev-worker

# Terminal 3: Registry
make dev-registry

Verify services are healthy:

curl -sf http://localhost:8080/health && echo "Hub OK"
curl -sf http://localhost:8081/health && echo "Registry OK"

If you have not set up the platform yet, follow the Quick Start guide first.

Step 1: Register an MCP Server

Via the Web Dashboard

1. Open the Hub dashboard at http://localhost:8080
2. Sign in with your configured authentication provider
3. Navigate to MCP Servers in the sidebar
4. Click Add MCP Server
5. Choose your ingestion method:
   • Git Repository: Provide the repository URL (e.g., https://github.com/your-org/my-mcp-server)
   • Upload: Upload a tarball or zip archive of your MCP server source code
6. Fill in the required metadata:
   • Name: A unique identifier (e.g., my-mcp-server)
   • Version: Semantic version (e.g., 1.0.0)
   • Language: The primary language (Python, TypeScript, JavaScript, or Go)
7. Click Submit for Certification

Via the CLI

If you prefer the command line, use the MCP Client to push directly:

# Navigate to your MCP server project
cd /path/to/my-mcp-server

# Push to the hub for certification
mcp-client push \
  --name my-mcp-server \
  --version 1.0.0 \
  --hub http://localhost:8080

Step 2: Understand the Certification Pipeline

Once you submit your MCP server, the platform processes it through several stages. Here is what happens behind the scenes:

 You submit code
      |
      v
 [1. INGEST]       Hub receives source code, validates schema
      |
      v
 [2. DISPATCH]     Hub-worker uploads tarball to S3,
                   publishes ANALYZE job to AMQP
      |
      v
 [3. ANALYZE]      Scan-worker downloads tarball,
                   runs 46+ security detectors across
                   14 vulnerability classes (A through N)
      |
      v
 [4. POST-ANALYZE] Hub-worker downloads results,
                   maps controls, computes score
      |
      v
 [5. CERTIFY]      Score maps to certification level (0-3)
      |
      v
 [6. PUBLISH]      Certified artifact published to registry
                   with immutable SHA-256 digest

The analysis step is asynchronous. Depending on the size of your codebase, it typically takes between 10 seconds and a few minutes.

Step 3: Monitor Analysis Progress

In the Dashboard

Navigate to your MCP server’s detail page. You will see a real-time status indicator showing the current pipeline stage:

• Queued – Waiting for a scan-worker to pick up the job
• Analyzing – Security analysis in progress
• Scoring – Computing the deterministic security score
• Certified – Analysis complete, artifact published
• Failed – An error occurred during processing

In the Logs

You can also follow progress in the worker logs:

# Hub worker output (Terminal 2)
# Look for messages like:
# "dispatching ANALYZE job for [email protected]"
# "received ANALYZE_COMPLETE for [email protected]"
# "computed score: 82/100, cert_level: 2"

Step 4: Review Analysis Results

Once the status changes to Certified, click on the certification badge to view the detailed results.

Security Score

The score is a deterministic value from 0 to 100, computed from the analysis findings. It maps to a certification level:

Vulnerability Classes

The scanner checks for 14 vulnerability classes, labeled A through N:

Each finding includes a severity level, a description, the affected file and line number, and a recommended remediation.

Security Snapshot

Every certified artifact includes an immutable security snapshot containing:

• Full list of findings with severity and remediation
• Controls mapping (which security controls passed or failed)
• Software Bill of Materials (SBOM)
• Attestation metadata (who analyzed it, when, with which scanner version)

Step 5: Download the Certified Artifact

Via the MCP Client

The most common way to consume certified artifacts is through the MCP Client:

# Resolve and download the certified package
mcp-client pull [email protected]

# Verify the artifact integrity (SHA-256 digest check)
mcp-client verify [email protected]

The client automatically validates the content-addressed digest to ensure the artifact has not been tampered with since certification.

Via the Registry API

You can also interact with the registry directly:

# Resolve the package to get download metadata
curl -s http://localhost:8081/v1/resolve/my-mcp-server/1.0.0 | jq .

# Download the bundle
curl -s http://localhost:8081/v1/download/my-mcp-server/1.0.0 -o my-mcp-server-1.0.0.tar.gz

Step 6: Execute the Certified Server

Run the certified MCP server with full sandboxing and policy enforcement:

# Run with default security policies
mcp-client run [email protected]

# Run with a minimum certification level requirement
mcp-client run [email protected] --min-cert-level 2

# Run with resource limits
mcp-client run [email protected] --max-memory 512m --max-cpu 1.0

The client enforces your configured security policies before execution. If the artifact does not meet the required certification level, execution is blocked with a clear error message.

What You Have Accomplished

In this tutorial you have:

1. Submitted an MCP server to the Hub for certification
2. Watched it flow through the analysis pipeline
3. Reviewed the security score and detailed findings
4. Downloaded the certified artifact from the registry
5. Executed the server with sandboxing and policy enforcement

Next Steps

• Publish from GitHub – Automate ingestion with Git integration
• Enforce Security Policies – Set minimum certification requirements
• Set Up an Organization – Manage teams and access controls
• Architecture – Deep dive into how the components connect