AI Security Crew

A lightweight MCP server for security reviews built for vibe coding — injects security requirements prior to code generation, scans dependencies for CVEs, and verifies generated code, all without breaking your coding rhythm.

Jump to installation:

  • MCP Server — full feature set with Jira, Confluence, CVE scanning (with reachability), and threat modeling
  • Claude Code Plugin — install 3 security skills globally in Claude Code (no Jira/MCP needed)
  • Claude Code Skills only — manually add slash commands to a specific project

Claude Code Plugin

Install all three security skills directly into Claude Code — no MCP server, no Jira, no configuration required.

/plugin install Srajangpt1/ai_security_crew

This gives you three commands available in any project:

Command       | When to use
------------- | -----------
/sec-review   | Before coding — get risk level, OWASP guidelines, and a security prompt for AI code generation
/verify-code  | After coding — review code for vulnerabilities with a checklist and prioritized fixes
/threat-model | For new features — identify threats with evidence links, mitigations, and an optional threat-model.md

Claude Code Skills

If you prefer to add the skills to a specific project only (instead of globally), clone this repo; the slash commands in .claude/commands/ are then available automatically in Claude Code whenever you work in that project directory.

Tools

Pre-coding

Tool                        | When to use
--------------------------- | -----------
lightweight_security_review | Before any coding task — get security requirements and guidelines for your tech stack
assess_ticket_security      | Before coding from a Jira ticket — pull security requirements directly from the ticket
perform_threat_model        | For significant new features — generate a structured threat model (STRIDE, attack surfaces)

Dependency security

Tool              | When to use
----------------- | -----------
verify_packages   | When adding packages — confirm they exist with valid versions (catches hallucinated package names)
scan_dependencies | When adding packages — scan for CVEs and check reachability in your code

Post-coding

Tool                 | When to use
-------------------- | -----------
verify_code_security | After generating code — AI-powered security review against OWASP guidelines

Threat model persistence

Tool                          | When to use
----------------------------- | -----------
search_previous_threat_models | Before creating a new threat model — check whether one already exists in Confluence
update_threat_model_file      | After perform_threat_model — write the threat model to threat-model.md in the repo

Agent Workflow

The server automatically sends workflow instructions to any connecting agent (Claude, Cursor, etc.) via the MCP initialize handshake. Agents will follow this workflow without additional configuration:

  1. Before coding — call lightweight_security_review (or assess_ticket_security for Jira tickets)
  2. When adding packages — call verify_packages, then scan_dependencies with the code that uses them
  3. After generating code — call verify_code_security and follow the review_prompt to report findings
  4. For significant features — call perform_threat_model and persist with update_threat_model_file

Dependency Scanning

scan_dependencies uses OSV.dev to find CVEs and performs reachability analysis to determine if vulnerable code paths are actually called:

Status           | Meaning
---------------- | -------
reachable        | Vulnerable function is called in your code — action required
not_reachable    | Vulnerable function is not called
not_imported     | Package is not imported at all
uncertain        | AI analyzed the code but could not determine reachability
no_code_provided | No code snippets were passed to the tool

Reachability is determined by (in order): OSV function-level symbols → keyword matching against the vuln summary → AI analysis via ctx.sample().
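To make the first two stages of that cascade concrete, here is an added illustration (not the project's own code) that classifies a Python snippet against a constructed OSV-style advisory. The package name, advisory id and summary are hypothetical, and the AI stage is represented only by the "uncertain" hand-off.

```python
import ast
import re

# Constructed advisory in the shape of an OSV record that carries function-level
# affected symbols (hypothetical package and id; not a real vulnerability).
ADVISORY = {
    "id": "OSV-PLACEHOLDER-0001",
    "package": "yamlkit",
    "summary": "Unsafe deserialization in yamlkit.loader.load_unsafe allows code execution",
    "symbols": ["load_unsafe"],
}


def _imports_and_calls(tree, package):
    """Report whether `package` is imported and collect the names of all called functions."""
    imported, called = False, set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            imported |= any(a.name.split(".")[0] == package for a in node.names)
        elif isinstance(node, ast.ImportFrom):
            imported |= (node.module or "").split(".")[0] == package
        elif isinstance(node, ast.Call):
            func = node.func
            name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
            if name:
                called.add(name)
    return imported, called


def classify_reachability(advisory, code):
    """Stages 1 and 2 of the cascade; returns one of the statuses from the table above.
    Anything that reaches 'uncertain' is what stage 3 (AI analysis) would examine."""
    if not code or not code.strip():
        return "no_code_provided"
    try:
        tree = ast.parse(code)
    except SyntaxError:
        return "uncertain"          # unparsable snippet: leave it to the AI stage
    imported, called = _imports_and_calls(tree, advisory["package"])
    if not imported:
        return "not_imported"
    if advisory.get("symbols"):     # stage 1: OSV function-level symbols
        return "reachable" if called & set(advisory["symbols"]) else "not_reachable"
    keywords = set(re.findall(r"[a-z_][a-z0-9_]{3,}", advisory["summary"].lower()))
    if {c.lower() for c in called} & keywords:  # stage 2: keyword match on the summary
        return "reachable"
    return "uncertain"              # stage 3 would call ctx.sample() here


if __name__ == "__main__":
    snippet = "import yamlkit\ncfg = yamlkit.loader.load_unsafe(open('c.yml').read())\n"
    print(classify_reachability(ADVISORY, snippet))  # reachable
```

Keyword matching is deliberately coarse (a generic word in the summary can match an unrelated call), which is why the real tool treats it only as a fallback before AI analysis.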

Quick Start

1. Build the image

docker build -t mcp-security-review:latest .

2. Configure your IDE

Add to your MCP config (Claude Desktop, Cursor, etc.):

{
  "mcpServers": {
    "sec-review": {
      "command": "docker",
      "args": [
        "run", "--rm", "-i",
        "-e", "JIRA_URL",
        "-e", "JIRA_USERNAME",
        "-e", "JIRA_API_TOKEN",
        "-e", "CONFLUENCE_URL",
        "-e", "CONFLUENCE_USERNAME",
        "-e", "CONFLUENCE_API_TOKEN",
        "mcp-security-review:latest"
      ],
      "env": {
        "PATH": "/usr/local/bin:/usr/bin:/bin",
        "JIRA_URL": "https://your-domain.atlassian.net",
        "JIRA_USERNAME": "your-email@example.com",
        "JIRA_API_TOKEN": "your-token"
      }
    }
  }
}

Authentication

Supported methods:

  • API Token (Jira/Confluence Cloud): JIRA_API_TOKEN, CONFLUENCE_API_TOKEN
  • Personal Access Token (Server/Data Center): JIRA_PERSONAL_TOKEN, CONFLUENCE_PERSONAL_TOKEN
  • OAuth 2.0 (Cloud): run docker run --rm -it mcp-security-review:latest --oauth-setup

HTTP Transport

Run as a persistent HTTP service instead of stdio:

# Streamable HTTP (recommended)
docker run --rm -p 8000:8000 mcp-security-review:latest --transport streamable-http

# SSE
docker run --rm -p 8000:8000 mcp-security-review:latest --transport sse

Security Guidelines

Includes 101 OWASP Cheat Sheets loaded automatically into security assessments. Add your own org-specific guidelines:

python3 scripts/add_custom_guideline.py

Or manually create markdown files in src/mcp_security_review/security/guidelines/docs/:

category: your_category
priority: high
tags: tag1, tag2, tag3

# Your Guideline Title
...

See docs/ADDING_CUSTOM_GUIDELINES.md for details.

Contributing

  1. Check CONTRIBUTING.md for development setup.
  2. Make changes and submit a pull request.

Pre-commit hooks enforce code quality (Ruff, Prettier, Pyright). Run uv run pytest before submitting.

Security

Never commit API tokens. See SECURITY.md for best practices.

License

Licensed under MIT — see LICENSE.
