Heroku MCP Server
MCP server for managing Heroku apps, add-ons, databases, pipelines, and deployments via the Heroku CLI
Server Info
- Package: @heroku/mcp-server
- Registry: npm
- Repository: heroku/heroku-mcp-server
- Maintainer: Heroku (vendor)
- Category: Cloud & Infrastructure
- Tags: paas, deployment, dynos
- Last Scanned: 7 Apr 2026
Findings
11 issues
Authentication & Identity
HIGH: No per-request auth; requires an instance per user
Stdio-only transport via StdioServerTransport. Auth is via HEROKU_API_KEY env var, used as Bearer token for Heroku API requests. Commands are executed through a Heroku CLI REPL subprocess. AI tools are conditionally registered only if @heroku/plugin-ai is installed. For multi-tenant deployment, the platform must spawn a separate server instance per user.
Add a Streamable HTTP transport (the older HTTP+SSE transport is deprecated) that validates a per-request Authorization header, or implement the MCP authorization (OAuth 2.1) spec. Until then, run one server process per user and never share a HEROKU_API_KEY between tenants.
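The instance-per-user requirement above, as an added example rather than code from @heroku/mcp-server: a small pool that spawns one stdio server process per user, each with only that user's HEROKU_API_KEY and a scrubbed environment. The HEROKU_API_KEY variable comes from the finding; the pool class, the KeyLookup callback, and the `npx -y @heroku/mcp-server` invocation are assumptions of this demo.

```typescript
// Added example, not code from @heroku/mcp-server: one stdio server process per
// user. Each process gets only that user's HEROKU_API_KEY and a scrubbed
// environment, so no tenant shares a key or sees the host's variables.
import { spawn as nodeSpawn } from "node:child_process";

// Minimal view of a child process; node's ChildProcess satisfies it, and a
// fake can be injected to exercise the pool offline.
type SpawnedProcess = {
  exitCode: number | null;
  killed: boolean;
  once(event: "exit", listener: () => void): unknown;
};

type SpawnFn = (cmd: string, args: string[], env: Record<string, string>) => SpawnedProcess;

// Hypothetical lookup of a user's Heroku API key (e.g. from a vault). It
// returns undefined for unknown users so the pool fails closed.
type KeyLookup = (userId: string) => string | undefined;

type SpawnSpec = { cmd: string; args: string[]; env: Record<string, string> };

// Build the spawn specification for one user. process.env is deliberately NOT
// inherited: only PATH and HOME are copied, plus the tenant's own key.
function spawnSpecFor(userId: string, lookup: KeyLookup): SpawnSpec {
  const key = lookup(userId);
  if (!key) throw new Error(`no Heroku API key for user ${userId}`);
  const env: Record<string, string> = {
    HEROKU_API_KEY: key,
    PATH: process.env.PATH ?? "/usr/bin:/bin",
    HOME: process.env.HOME ?? "/tmp",
  };
  // Assumed invocation; check the package README for the actual bin name.
  return { cmd: "npx", args: ["-y", "@heroku/mcp-server"], env };
}

class PerUserServerPool {
  private readonly procs = new Map<string, SpawnedProcess>();

  constructor(
    private readonly lookup: KeyLookup,
    private readonly spawnFn: SpawnFn = (cmd, args, env) =>
      nodeSpawn(cmd, args, { env, stdio: ["pipe", "pipe", "inherit"] }),
  ) {}

  // Return the live process for this user, starting one if needed. The MCP
  // client then speaks JSON-RPC to it over stdin/stdout.
  get(userId: string): SpawnedProcess {
    const existing = this.procs.get(userId);
    if (existing && existing.exitCode === null && !existing.killed) return existing;
    const spec = spawnSpecFor(userId, this.lookup);
    const child = this.spawnFn(spec.cmd, spec.args, spec.env);
    child.once("exit", () => this.procs.delete(userId));
    this.procs.set(userId, child);
    return child;
  }

  size(): number {
    return this.procs.size;
  }
}
```

The reason `process.env` is rebuilt from scratch rather than copied is that the host's own HEROKU_API_KEY, if one is set, must never reach a tenant's process; the injectable spawn function is what lets the pool be exercised without a Heroku account.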
Tool Schema Quality
HIGH: Required fields missing on 1 write operation
Write tools without required field declarations: create_app.
Add `required` arrays to all write/delete tool schemas.
MEDIUM: Only 4 of 36 schemas have parameter constraints
Most schemas lack maxLength, enum, or pattern constraints on string parameters.
Add constraints to string parameters, especially on write operations.
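A lint pass that flags both schema findings above, added here as an example and not code from @heroku/mcp-server. The tool definitions are constructed for the demo: the weak create_app is modelled on the scan's description ("custom name, region (US/EU)"), the hardened variants show the fix, and the app-name pattern only approximates Heroku's naming rule.

```typescript
// Added example, not code from @heroku/mcp-server: audit MCP tool input schemas
// for missing `required` arrays and unconstrained string parameters on write tools.

type JsonSchema = {
  type?: string;
  properties?: Record<string, JsonSchema>;
  required?: string[];
  enum?: unknown[];
  maxLength?: number;
  pattern?: string;
};

type Risk = "read" | "write" | "admin";
type ToolDef = { name: string; risk: Risk; inputSchema: JsonSchema };
type AuditIssue = { tool: string; severity: "HIGH" | "MEDIUM"; detail: string };

const WRITE_RISKS: ReadonlySet<Risk> = new Set<Risk>(["write", "admin"]);

function isConstrained(s: JsonSchema): boolean {
  return s.enum !== undefined || s.maxLength !== undefined || s.pattern !== undefined;
}

function auditTools(tools: ToolDef[]): AuditIssue[] {
  const issues: AuditIssue[] = [];
  for (const tool of tools) {
    if (!WRITE_RISKS.has(tool.risk)) continue; // these two checks target write/admin tools
    const props = tool.inputSchema.properties ?? {};
    const required = tool.inputSchema.required ?? [];
    // HIGH: a write tool with parameters but no `required` array validates an
    // empty argument object, so the model can call it with nothing at all.
    if (Object.keys(props).length > 0 && required.length === 0) {
      issues.push({ tool: tool.name, severity: "HIGH", detail: "write tool declares no required fields" });
    }
    // MEDIUM: free-form strings on write tools. Without maxLength/enum/pattern
    // an injected value of any shape reaches the CLI.
    for (const [pname, pschema] of Object.entries(props)) {
      if (pschema.type === "string" && !isConstrained(pschema)) {
        issues.push({
          tool: tool.name,
          severity: "MEDIUM",
          detail: `string parameter "${pname}" has no maxLength/enum/pattern`,
        });
      }
    }
  }
  return issues;
}

// Approximate Heroku app-name rule: lowercase, starts with a letter, max 30 chars.
const APP_NAME_PATTERN = "^[a-z](?:[a-z0-9-]{0,28}[a-z0-9])?$";

// Constructed sample: a weak create_app next to hardened write tools and a read tool.
const SAMPLE_TOOLS: ToolDef[] = [
  {
    name: "create_app",
    risk: "write",
    inputSchema: { type: "object", properties: { name: { type: "string" }, region: { type: "string" } } },
  },
  {
    name: "create_app_hardened",
    risk: "write",
    inputSchema: {
      type: "object",
      required: ["name", "region"],
      properties: {
        name: { type: "string", pattern: APP_NAME_PATTERN, maxLength: 30 },
        region: { type: "string", enum: ["us", "eu"] },
      },
    },
  },
  {
    name: "rename_app",
    risk: "write",
    inputSchema: {
      type: "object",
      required: ["app", "newName"],
      properties: {
        app: { type: "string", pattern: APP_NAME_PATTERN, maxLength: 30 },
        newName: { type: "string", pattern: APP_NAME_PATTERN, maxLength: 30 },
      },
    },
  },
  { name: "list_apps", risk: "read", inputSchema: { type: "object", properties: { team: { type: "string" } } } },
];

function auditSample(): AuditIssue[] {
  return auditTools(SAMPLE_TOOLS);
}
```

Run against a server's real `tools/list` response the same function gives the per-tool list the two findings summarise; `enum` on a region-style parameter is usually the cheapest win because it turns a free string into a closed set.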
CRITICAL: Dangerous execution surface: pg_psql executes arbitrary SQL via the command parameter or a file
The tool runs whatever SQL it is handed, and its own description covers schema changes and data management, so a prompt injection that reaches the model can read, modify or drop data.
Restrict the tool to an allowlist of read-only statement types, run it through a read-only database credential, and require human approval for anything else.
CRITICAL: Dangerous execution surface: deploy_one_off_dyno executes arbitrary shell commands on a Heroku dyno
The tool runs an arbitrary command in a one-off dyno that, per its description, has network and filesystem access, so a prompt injection that reaches the model becomes command execution inside the app's environment.
Replace free-form commands with an allowlist of validated commands, and require explicit human approval before a dyno is started.
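Policy gates for the two raw-execution tools above (pg_psql and deploy_one_off_dyno), added here as an example rather than code from @heroku/mcp-server. The gate functions, the read-only statement list and the dyno command allowlist are assumptions for this demo; a real deployment derives the allowlist from what its apps actually run.

```typescript
// Added example, not code from @heroku/mcp-server: validation gates that sit in
// front of pg_psql and deploy_one_off_dyno and fail closed on anything unexpected.

type Verdict = { allowed: true } | { allowed: false; reason: string };

// --- pg_psql -----------------------------------------------------------------
// Only a single read-only statement passes. DDL, DML, files and multi-statement
// batches are refused and left to a human with the CLI.
const READ_ONLY_HEADS = new Set(["SELECT", "WITH", "EXPLAIN", "SHOW", "TABLE", "VALUES"]);
// Keywords that change state even inside a read-looking statement, e.g. a
// data-modifying CTE, or EXPLAIN ANALYZE, which really executes the DELETE.
const WRITE_KEYWORDS =
  /\b(INSERT|UPDATE|DELETE|DROP|ALTER|CREATE|TRUNCATE|GRANT|REVOKE|COPY|CALL|MERGE|VACUUM|REINDEX|CLUSTER|LOCK|SET|RESET|DO)\b/i;

function stripSqlComments(sql: string): string {
  return sql.replace(/\/\*[\s\S]*?\*\//g, " ").replace(/--[^\n]*/g, " ");
}

// `command` and `file` mirror the two ways the finding says SQL reaches the tool.
function gatePsql(command: string | undefined, file: string | undefined): Verdict {
  if (file !== undefined) return { allowed: false, reason: "running SQL from a file is disabled" };
  const sql = stripSqlComments(command ?? "").trim().replace(/;\s*$/, "");
  if (sql.length === 0) return { allowed: false, reason: "empty statement" };
  if (sql.length > 4000) return { allowed: false, reason: "statement too long" };
  // A semicolon inside a string literal is also rejected: false positive, safe direction.
  if (sql.includes(";")) return { allowed: false, reason: "only one statement per call" };
  const head = (sql.split(/\s+/)[0] ?? "").toUpperCase();
  if (!READ_ONLY_HEADS.has(head)) return { allowed: false, reason: `${head} statements need human approval` };
  if (WRITE_KEYWORDS.test(sql)) return { allowed: false, reason: "write keyword inside a read-only statement" };
  return { allowed: true };
}

// --- deploy_one_off_dyno -----------------------------------------------------
// No free-form shell: reject shell metacharacters outright, then require the
// program and its arguments to match an explicit allowlist entry.
const SHELL_META = /[;&|`$<>()\\'"\n\r*?{}\[\]~#]/;
const DYNO_ALLOWLIST: ReadonlyArray<{ program: string; args: RegExp }> = [
  { program: "npm", args: /^run (migrate|seed)$/ }, // assumed package.json scripts
  { program: "node", args: /^scripts\/[a-z0-9-]+\.js$/ }, // assumed maintenance scripts
];

function gateDynoCommand(command: string): Verdict {
  const cmd = command.trim();
  if (cmd.length === 0) return { allowed: false, reason: "empty command" };
  if (SHELL_META.test(cmd)) return { allowed: false, reason: "shell metacharacters are not allowed" };
  const parts = cmd.split(/\s+/);
  const program = parts[0] ?? "";
  const args = parts.slice(1).join(" ");
  const entry = DYNO_ALLOWLIST.find((e) => e.program === program);
  if (!entry) return { allowed: false, reason: `program "${program}" is not allowlisted` };
  if (!entry.args.test(args)) return { allowed: false, reason: `arguments "${args}" are not allowed for ${program}` };
  return { allowed: true };
}
```

The SQL gate shrinks the surface but does not bound it: a plain SELECT can still call side-effecting functions, so it belongs in front of a read-only database credential, not in place of one. The dyno gate is the same shape as the "validated command sets" the finding asks for; the allowlist, not the metacharacter filter, is what makes it safe.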
Permission Granularity
MEDIUM: 4 tools combine read and write operations
Moderate separation. Read tools (list_*, get_*, pg_info, pg_ps, pg_locks, pg_outliers, pg_credentials, pg_maintenance, pg_backups) are distinct from write tools (create_*, rename_*, maintenance_*, ps_scale, ps_restart, deploy_*, pipelines_promote). Admin-level tools (pg_psql, pg_kill, pg_upgrade, deploy_one_off_dyno) are NOT separated and cannot be selectively disabled. No annotations (readOnlyHint, destructiveHint) are used. The pg_psql description says 'modify schema, manage data' but the tool is lumped with read tools.
Split into separate read and write tools, and annotate each with readOnlyHint/destructiveHint so clients can gate them.
HIGH: 4 destructive operations not isolated
Admin/delete tools (pg_psql, pg_kill, pg_upgrade, deploy_one_off_dyno) are mixed with regular operations and cannot be independently disabled.
Namespace admin tools separately so they can be enabled and access-controlled independently of read and write tools.
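One way to act on the two permission-granularity findings above, added as an example and not code from @heroku/mcp-server: every tool carries a risk tier, gets MCP tool annotations (readOnlyHint, destructiveHint), admin tools live under their own name prefix, and only the tiers the operator enabled are registered. The tool names and tiers are taken from the scan's tool table; the HEROKU_MCP_TIERS variable and the `admin_` prefix are assumptions.

```typescript
// Added example, not code from @heroku/mcp-server: tiered tool registry with
// MCP annotations, an admin namespace and operator-controlled enablement.

type Tier = "read" | "write" | "admin";
type ToolAnnotations = { readOnlyHint: boolean; destructiveHint: boolean };
type RegisteredTool = { name: string; tier: Tier; annotations: ToolAnnotations };

const TIERS: ReadonlyArray<Tier> = ["read", "write", "admin"];

function isTier(value: string): value is Tier {
  return (TIERS as ReadonlyArray<string>).includes(value);
}

// Subset of the scan's tool table; names and tiers come from the page.
const TOOL_TIERS: Readonly<Record<string, Tier>> = {
  list_apps: "read",
  get_app_info: "read",
  pg_info: "read",
  ps_list: "read",
  create_app: "write",
  ps_scale: "write",
  ps_restart: "write",
  deploy_to_heroku: "write",
  pg_psql: "admin",
  pg_kill: "admin",
  pg_upgrade: "admin",
  deploy_one_off_dyno: "admin",
};

// readOnlyHint lets a client skip confirmation for reads; destructiveHint tells
// it to ask before anything that can change or destroy state.
function annotationsFor(tier: Tier): ToolAnnotations {
  return { readOnlyHint: tier === "read", destructiveHint: tier !== "read" };
}

// Parse "read,write" style config. The default is least privilege (read only)
// and an unknown tier is an error rather than a silent no-op.
function parseEnabledTiers(raw: string | undefined): Set<Tier> {
  if (!raw || raw.trim() === "") return new Set<Tier>(["read"]);
  const enabled = new Set<Tier>();
  for (const part of raw.split(",")) {
    const t = part.trim();
    if (!isTier(t)) throw new Error(`unknown tool tier "${t}"`);
    enabled.add(t);
  }
  return enabled;
}

function buildRegistry(tiers: Readonly<Record<string, Tier>>, enabled: ReadonlySet<Tier>): RegisteredTool[] {
  const out: RegisteredTool[] = [];
  for (const [name, tier] of Object.entries(tiers)) {
    if (!enabled.has(tier)) continue; // disabled tier: the tool is never registered
    out.push({
      name: tier === "admin" ? `admin_${name}` : name, // separate namespace for admin tools
      tier,
      annotations: annotationsFor(tier),
    });
  }
  return out;
}

// The list a server would hand to tools/list for the current configuration.
function exposedTools(config: string | undefined = process.env.HEROKU_MCP_TIERS): RegisteredTool[] {
  return buildRegistry(TOOL_TIERS, parseEnabledTiers(config));
}
```

With this in place an operator who wants an agent that can inspect but never scale, deploy or run SQL simply leaves HEROKU_MCP_TIERS unset, and the admin tools do not appear in tools/list at all rather than relying on the model to avoid them.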
LLM Safety
MEDIUM: 3 tool descriptions are too vague
Short or generic descriptions make tool selection unreliable.
Expand descriptions with specific actions, data types, and side effects.
Data Exposure
MEDIUM: 6 list operations lack pagination
No pagination support on any list tools. All list operations return full results from the Heroku CLI. No field selection support. JSON output is optional via a `json` flag on some tools (list_apps, list_teams, list_private_spaces, ps_list, pipelines_list, pipelines_info). Logs are streamed from the CLI without pagination.
Add limit/offset or cursor-based pagination.
LOW: No field selection on responses
Responses return full records rather than projected fields.
Implement field selection to return only relevant fields.
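Cursor pagination and field projection for the two data-exposure findings above, added here as an example and not code from @heroku/mcp-server. It operates on the full array a CLI call returns, caps the page size, and rejects tampered cursors. The app records are constructed sample data; no Heroku CLI output shape, and none of the function names, come from the project.

```typescript
// Added example, not code from @heroku/mcp-server: limit/cursor pagination and
// field selection over a CLI result array, with a hard cap on page size.

type Page<T> = { items: T[]; nextCursor?: string };

const DEFAULT_LIMIT = 50;
const MAX_LIMIT = 200; // the model cannot request an unbounded page

// The cursor is an opaque base64url-encoded offset. decodeCursor round-trips it
// so a malformed or tampered cursor is rejected instead of silently becoming 0.
function encodeCursor(offset: number): string {
  return Buffer.from(String(offset), "utf8").toString("base64url");
}

function decodeCursor(cursor: string | undefined): number {
  if (cursor === undefined) return 0;
  const offset = Number(Buffer.from(cursor, "base64url").toString("utf8"));
  if (!Number.isSafeInteger(offset) || offset < 0 || encodeCursor(offset) !== cursor) {
    throw new Error("invalid cursor");
  }
  return offset;
}

function paginate<T>(all: readonly T[], opts: { limit?: number; cursor?: string } = {}): Page<T> {
  const requested = opts.limit ?? DEFAULT_LIMIT;
  const limit = Number.isFinite(requested)
    ? Math.min(Math.max(Math.trunc(requested), 1), MAX_LIMIT)
    : DEFAULT_LIMIT;
  const start = decodeCursor(opts.cursor);
  const items = all.slice(start, start + limit);
  const end = start + items.length;
  return end < all.length ? { items, nextCursor: encodeCursor(end) } : { items };
}

// Return only the requested fields. Unknown names are ignored rather than
// echoed back, so the model cannot use the response to probe for keys.
function project<T extends Record<string, unknown>>(item: T, fields?: readonly string[]): Partial<T> {
  if (!fields || fields.length === 0) return { ...item };
  const out: Record<string, unknown> = {};
  for (const f of fields) {
    if (Object.prototype.hasOwnProperty.call(item, f)) out[f] = item[f];
  }
  return out as Partial<T>;
}

type AppRecord = { name: string; region: string; owner: string; web_url: string; stack: string };

// Constructed sample data standing in for a JSON app listing.
const SAMPLE_APPS: AppRecord[] = [
  { name: "billing-api", region: "us", owner: "ops@example.com", web_url: "https://billing-api.example.com", stack: "heroku-24" },
  { name: "billing-web", region: "us", owner: "ops@example.com", web_url: "https://billing-web.example.com", stack: "heroku-24" },
  { name: "reports-eu", region: "eu", owner: "data@example.com", web_url: "https://reports-eu.example.com", stack: "heroku-24" },
  { name: "staging-api", region: "us", owner: "dev@example.com", web_url: "https://staging-api.example.com", stack: "heroku-22" },
  { name: "staging-web", region: "us", owner: "dev@example.com", web_url: "https://staging-web.example.com", stack: "heroku-22" },
];

// What a paginated list_apps handler would return for the given arguments.
function listAppsPage(
  args: { limit?: number; cursor?: string; fields?: string[] },
  apps: readonly AppRecord[] = SAMPLE_APPS,
): Page<Partial<AppRecord>> {
  const page = paginate(apps, { limit: args.limit, cursor: args.cursor });
  const items = page.items.map((a) => project(a, args.fields));
  return page.nextCursor === undefined ? { items } : { items, nextCursor: page.nextCursor };
}
```

The same wrapper works for the log tool if the streamed lines are first collected into an array; the cap on `limit` is what keeps a single tool call from dumping a whole account's worth of records into the model's context.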
Maintenance & Trust
MEDIUM: 14 dependency vulnerabilities (5 high)
npm audit reports 14 advisories, 5 of them high severity.
Update the vulnerable dependencies and re-run npm audit until no high-severity advisories remain.
Tools
36 total
| Name | Description | Risk |
|---|---|---|
| list_apps | List Heroku apps: owned, collaborator access, team/space filtering | read |
| get_app_info | Get app details: config, dynos, addons, access, domains | read |
| create_app | Create app: custom name, region (US/EU), team, private space | write |
| rename_app | Rename app: validate and update app name | write |
| maintenance_on | Enable maintenance mode and redirect traffic for a Heroku app | write |
| maintenance_off | Disable maintenance mode and restore normal app operations | write |
| get_app_logs | App logs: monitor/debug/filter by dyno/process/source | read |
| list_private_spaces | Lists Heroku Private Spaces with CIDR blocks, regions, compliance and capacity details. | read |
| list_teams | Lists accessible Heroku Teams. | read |
| list_addons | List add-ons: all apps or specific app, detailed metadata | read |
| get_addon_info | Get add-on details: plan, state, billing | read |
| create_addon | Create add-on: specify service, plan, custom names | write |
| list_addon_services | List available add-on services and features | read |
| list_addon_plans | List service plans: features, pricing, availability | read |
| pg_psql | Execute SQL queries: analyze, debug, modify schema, manage data | admin |
| pg_info | View database status: config, metrics, resources, health | read |
| pg_ps | Monitor active queries: progress, resources, performance | read |
| pg_locks | Analyze locks: blocked queries, deadlocks, concurrency | read |
| pg_outliers | Find resource-heavy queries: performance, patterns, optimization | read |
| pg_credentials | Manage access: credentials, permissions, security, monitoring | read |
| pg_kill | Stop processes: stuck queries, blocking transactions, runaway operations | admin |
| pg_maintenance | Track maintenance: windows, schedules, progress, planning | read |
| pg_backups | Manage backups: schedules, status, verification, recovery | read |
| pg_upgrade | Upgrade PostgreSQL: version migration, compatibility, safety | admin |
| ps_list | List and monitor Heroku app dynos. | read |
| ps_scale | Scale Heroku app dynos. Adjust quantities, change sizes. | write |
| ps_restart | Restart Heroku app processes. | write |
| pipelines_create | Creates new Heroku deployment pipeline with configurable stages, apps, and team settings | write |
| pipelines_promote | Promotes apps between pipeline stages with configurable target applications | write |
| pipelines_list | Lists accessible Heroku pipelines with ownership and configuration details | read |
| pipelines_info | Displays detailed pipeline configuration, stages, and connected applications | read |
| deploy_to_heroku | Use for all deployments. Deploys new/existing apps to Heroku. | write |
| deploy_one_off_dyno | Run code/commands in Heroku one-off dyno with network and filesystem access. | admin |
| list_ai_available_models | List available AI inference models | read |
| provision_ai_model | Provision AI model access for app | write |
| make_ai_inference | Make inference request to Heroku AI API | write |
Deploy Heroku MCP Server securely
CompleteFlow adds per-user authentication, permission scoping, and audit logging to any MCP server out of the box.