FortiCNAPP MCP Server

MCP server for managing Fortinet FortiCNAPP via AI agents, enabling vulnerability scanning, agent management, and compliance monitoring.

MCP server for managing Fortinet FortiCNAPP (Cloud Native Application Protection Platform) via AI agents. Built with FastMCP, deployed as a container.

FortiCNAPP (powered by Lacework) provides cloud security capabilities including vulnerability scanning, agent management, and compliance monitoring.

Tools

| Tool | Description |
|---|---|
| cnapp_health_check | Check FortiCNAPP service health and connectivity |
| cnapp_validate_config | Validate configuration settings and credentials |
| cnapp_get_agent_tokens | Retrieve agent access tokens |
| cnapp_scan_image_vulnerabilities | Scan container images for vulnerabilities |

Every tool accepts optional cnapp_key_id, cnapp_key_secret, and cnapp_base_url parameters. If not provided, the server reads from environment variables. Per-call parameters override environment variables.

Connect from Claude Desktop

Add to your Claude Desktop config (~/Library/Application Support/Claude/claude_desktop_config.json on macOS):

{
  "mcpServers": {
    "forticnapp": {
      "command": "npx",
      "args": [
        "-y",
        "mcp-remote",
        "https://mcp-forticnapp.fortidemoscloud.com/mcp"
      ]
    }
  }
}

Connect from Gemini CLI

Add to your Gemini settings (~/.gemini/settings.json):

{
  "mcpServers": {
    "forticnapp": {
      "command": "npx",
      "args": [
        "-y",
        "mcp-remote",
        "https://mcp-forticnapp.fortidemoscloud.com/mcp"
      ]
    }
  }
}

Connect from Kiro / VS Code

Add to .kiro/settings/mcp.json or equivalent:

{
  "mcpServers": {
    "forticnapp": {
      "url": "https://mcp-forticnapp.fortidemoscloud.com/mcp"
    }
  }
}

Test with curl

# 1. Initialize session and capture Mcp-Session-Id from headers
export SESSION_ID=$(curl -s -i -X POST https://mcp-forticnapp.fortidemoscloud.com/mcp \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2024-11-05","capabilities":{},"clientInfo":{"name":"test-curl","version":"1.0"}}}' \
  | grep -i "mcp-session-id" | awk '{print $2}' | tr -d '\r')

echo "Session ID: $SESSION_ID"

# 2. List tools using the captured Session ID
curl -s -X POST https://mcp-forticnapp.fortidemoscloud.com/mcp \
  -H "Content-Type: application/json" \
  -H "Mcp-Session-Id: $SESSION_ID" \
  -d '{"jsonrpc":"2.0","id":2,"method":"tools/list","params":{}}'

# 3. Call a tool (health check)
curl -s -X POST https://mcp-forticnapp.fortidemoscloud.com/mcp \
  -H "Content-Type: application/json" \
  -H "Mcp-Session-Id: $SESSION_ID" \
  -d '{"jsonrpc":"2.0","id":3,"method":"tools/call","params":{"name":"cnapp_health_check","arguments":{"cnapp_key_id":"YOUR_KEY_ID","cnapp_key_secret":"YOUR_KEY_SECRET","cnapp_base_url":"https://youraccount.lacework.net"}}}'

# 4. Scan image vulnerabilities
curl -s -X POST https://mcp-forticnapp.fortidemoscloud.com/mcp \
  -H "Content-Type: application/json" \
  -H "Mcp-Session-Id: $SESSION_ID" \
  -d '{"jsonrpc":"2.0","id":4,"method":"tools/call","params":{"name":"cnapp_scan_image_vulnerabilities","arguments":{"image_digest":"sha256:abc123...","cnapp_key_id":"YOUR_KEY_ID","cnapp_key_secret":"YOUR_KEY_SECRET"}}}'

Run locally

# Docker (with credentials from environment)
export FORTICNAPP_KEY_ID="your_key_id"
export FORTICNAPP_KEY_SECRET="your_key_secret"
export FORTICNAPP_BASE_URL="youraccount.lacework.net"
docker-compose up --build -d

# Or directly
uv sync
FORTICNAPP_KEY_ID="your_key_id" \
FORTICNAPP_KEY_SECRET="your_key_secret" \
FORTICNAPP_BASE_URL="youraccount.lacework.net" \
uv run uvicorn app.server:app --host 0.0.0.0 --port 8000

Server available at http://localhost:8000/mcp with health check at /health.

Deploy to Kubernetes

kubectl apply -f k8s-deployment.yaml

Exposes on NodePort 30083. Image: jviguerasfortinet/mcp-forticnapp-server:v1.0.0

Environment Variables

| Variable | Required | Default | Description |
|---|---|---|---|
| FORTICNAPP_KEY_ID | Yes | | Lacework API key ID |
| FORTICNAPP_KEY_SECRET | Yes | | Lacework API key secret (X-LW-UAKS value) |
| FORTICNAPP_BASE_URL | No | lwintseemea-eu.lacework.net | Lacework API base URL or FQDN. Can be a full URL (https://myaccount.lacework.net) or just the FQDN (myaccount.lacework.net) — https:// is auto-prepended if missing. |

Tool Parameters

cnapp_health_check / cnapp_validate_config / cnapp_get_agent_tokens

| Parameter | Required | Description |
|---|---|---|
| cnapp_key_id | No | FortiCNAPP API key ID (uses FORTICNAPP_KEY_ID env var if not provided) |
| cnapp_key_secret | No | FortiCNAPP API key secret (uses FORTICNAPP_KEY_SECRET env var if not provided) |
| cnapp_base_url | No | FortiCNAPP API base URL or FQDN (e.g., myaccount.lacework.net). https:// is auto-prepended if missing. Uses FORTICNAPP_BASE_URL env var if not provided. |

cnapp_scan_image_vulnerabilities

| Parameter | Required | Default | Description |
|---|---|---|---|
| image_digest | Yes | | Docker image digest (e.g., sha256:abc123...) |
| cnapp_key_id | No | | FortiCNAPP API key ID |
| cnapp_key_secret | No | | FortiCNAPP API key secret |
| cnapp_base_url | No | | FortiCNAPP API base URL or FQDN. https:// is auto-prepended if missing. |
| days_back | No | 3 | Number of days to look back for scan data |
| deduplicate | No | true | Remove duplicate vulnerabilities across layers |

Authentication

The server uses Lacework bearer token authentication:

  1. Token Generation: Uses FORTICNAPP_KEY_SECRET (X-LW-UAKS header) and FORTICNAPP_KEY_ID to request bearer tokens from /api/v2/access/tokens
  2. Token Caching: Automatically caches tokens and refreshes before expiration (with 60s buffer)
  3. API Calls: All Lacework API calls use the cached bearer token in the Authorization: Bearer <token> header
  4. Retry Logic: Automatic retry with exponential backoff for transient failures
  5. URL Normalization: FORTICNAPP_BASE_URL accepts either a full URL (https://myaccount.lacework.net) or just the FQDN (myaccount.lacework.net) — the https:// scheme is always auto-prepended if missing
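
The token caching and URL normalization steps above, sketched as an added example (not the project's own code). The names normalize_base_url, TokenCache and the injected fetch callable are hypothetical, and rejecting non-https URLs is an added hardening assumption the README does not state.

```python
import time
from urllib.parse import urlsplit

REFRESH_BUFFER_S = 60  # refresh this long before expiry, per the README


def normalize_base_url(value: str) -> str:
    """Accept an FQDN or full URL; return https://host with no path."""
    value = value.strip()
    if "://" not in value:
        value = "https://" + value  # README: scheme auto-prepended if missing
    parts = urlsplit(value)
    # Added hardening (assumption): never send the key secret over plain
    # HTTP or to a URL that embeds userinfo.
    if parts.scheme != "https" or not parts.hostname or "@" in parts.netloc:
        raise ValueError(f"refusing base URL: {value!r}")
    return f"https://{parts.netloc.lower()}"


class TokenCache:
    """Caches one bearer token and refreshes it REFRESH_BUFFER_S early."""

    def __init__(self, fetch, clock=time.time):
        self._fetch = fetch  # callable -> (token, expires_at_epoch_seconds)
        self._clock = clock
        self._token = None
        self._expires_at = 0.0

    def get(self) -> str:
        if self._token is None or self._clock() >= self._expires_at - REFRESH_BUFFER_S:
            self._token, self._expires_at = self._fetch()
        return self._token


def demo():
    """Constructed run: fake clock, fake token endpoint issuing 3600 s tokens."""
    now = [1000.0]
    calls = []

    def fake_fetch():  # stands in for the request to /api/v2/access/tokens
        calls.append(now[0])
        return f"tok-{len(calls)}", now[0] + 3600

    cache = TokenCache(fake_fetch, clock=lambda: now[0])
    seen = [cache.get()]
    for t in (1000.0 + 3539, 1000.0 + 3540):  # 1 s before / exactly at the buffer
        now[0] = t
        seen.append(cache.get())
    return seen, len(calls)
```

The fake clock shows the boundary: the cached token is reused until 60 seconds before its expiry, then replaced on the next call.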

License

MIT
