SAST MCP Server
Static Application Security Testing (SAST) for AI agents. A production-ready MCP server that gives any AI agent the ability to scan code for security vulnerabilities.
Supports 7 industry-standard scanners:
| Scanner | Languages / Scope | Type |
|---|---|---|
| Bandit | Python | Security linter |
| njsscan | JavaScript, Node.js | Static analysis |
| Bearer | Python, JS, Ruby, Java, Go, PHP | Data-flow SAST |
| Semgrep | 30+ languages | Rule-based SAST |
| Trivy | All (CVEs, Secrets, IaC) | Multi-scanner |
| CodeQL | Python, JS, Java, Go, C/C++, C#, Ruby, Swift | Semantic SAST |
| Checkov | Terraform, K8s, Docker, CloudFormation | IaC policy scanner |
Works with any MCP-compatible agent: Gemini CLI, Claude Desktop, OpenAI Agents, Cursor, Windsurf, and more.
Features
- 7 SAST scanners with unified output format
- AST-aware context: shows the full enclosing function, not just a line number
- Severity & confidence filtering: focus on what matters
- Git diff mode: scan only modified files for incremental reviews
- Ignore management: suppress false positives with an audit trail
- Pagination: handle large codebases without overwhelming the agent
- Dual transport: stdio (local) or SSE/HTTP (remote deployments)
- API key authentication: secure remote deployments
- One-command install: `pip install sast-mcp-server`
- Multi-scanner mode: run all installed scanners in parallel with deduplication
- SARIF export: CI/CD integration with GitHub, GitLab, Azure DevOps
- IaC scanning: Terraform, Kubernetes, Docker security policies
- Secret detection: find hardcoded API keys, tokens, and passwords
- SCA / dependency CVEs: scan lock files for known vulnerabilities
Quick Start
Install

```bash
pip install sast-mcp-server
```

Or run directly without installing:

```bash
uvx sast-mcp-server
```
Install at least one scanner

```bash
# Python projects
pip install bandit

# JavaScript/Node.js projects
pip install njsscan

# Multi-language (recommended)
pip install semgrep

# IaC, secrets, and dependency CVEs (recommended)
# See: https://aquasecurity.github.io/trivy/latest/getting-started/installation/

# IaC policy scanning
pip install checkov

# Deep semantic analysis
# See: https://github.com/github/codeql-cli-binaries/releases

# Data-flow analysis
# See: https://docs.bearer.com/installation/
```
Usage with AI Agents
Gemini CLI
Install as an extension:

```bash
gemini extensions install https://github.com/Skyrxin/sast-mcp-server
```

Or add to your `~/.gemini/settings.json`:

```json
{
  "mcpServers": {
    "sast": {
      "command": "uvx",
      "args": ["sast-mcp-server"]
    }
  }
}
```
Claude Desktop
Add to your `claude_desktop_config.json`:

```json
{
  "mcpServers": {
    "sast": {
      "command": "uvx",
      "args": ["sast-mcp-server"]
    }
  }
}
```
See full Claude Desktop guide.
Cursor IDE
Add to Cursor Settings → MCP Servers:

```json
{
  "mcpServers": {
    "sast": {
      "command": "uvx",
      "args": ["sast-mcp-server"]
    }
  }
}
```
See full Cursor guide.
OpenAI Agents SDK
```python
from agents.mcp import MCPServerStdio

# Launch the server as a local stdio subprocess via uvx
sast_server = MCPServerStdio(command="uvx", args=["sast-mcp-server"])
```
See full OpenAI guide.
Available MCP Tools
scan_vulnerabilities
Scan a directory for security vulnerabilities using a specific scanner.
| Parameter | Type | Default | Description |
|---|---|---|---|
| target_path | string | required | Path to scan |
| scanner_name | string | "bearer" | Scanner: bandit, njsscan, bearer, semgrep, trivy, codeql, checkov |
| min_severity | string | "LOW" | Minimum severity: LOW, MEDIUM, HIGH, CRITICAL |
| min_confidence | string | "LOW" | Minimum confidence: LOW, MEDIUM, HIGH |
| git_diff_only | bool | false | Only scan git-modified files |
| limit | int | 50 | Max findings to return |
| offset | int | 0 | Pagination offset |
scan_all
Run ALL installed scanners in parallel with automatic deduplication. Recommended for comprehensive security scanning.
| Parameter | Type | Default | Description |
|---|---|---|---|
| target_path | string | required | Path to scan |
| min_severity | string | "MEDIUM" | Minimum severity (higher default to reduce noise) |
| min_confidence | string | "LOW" | Minimum confidence |
| git_diff_only | bool | false | Only scan git-modified files |
| limit | int | 50 | Max findings to return |
| offset | int | 0 | Pagination offset |
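The severity/confidence thresholds, cross-scanner deduplication and limit/offset pagination that `scan_vulnerabilities` and `scan_all` describe, shown as an added example (not the project's own `aggregator.py`). The `Finding` fields and the deduplication key (same file, line and rule id) are assumptions for illustration.

```python
from dataclasses import dataclass

# Ordered ladders matching the tool parameters' documented values.
SEVERITY = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}
CONFIDENCE = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}


@dataclass(frozen=True)
class Finding:
    """Minimal stand-in for the server's Finding model (field names assumed)."""
    scanner: str
    file: str
    line: int
    rule: str
    severity: str
    confidence: str
    message: str


def dedupe(findings):
    """Collapse findings several scanners report for the same file:line and
    rule, keeping the first one seen (assumed key; scanner order preserved)."""
    seen, out = set(), []
    for f in findings:
        key = (f.file, f.line, f.rule.lower())
        if key not in seen:
            seen.add(key)
            out.append(f)
    return out


def filter_findings(findings, min_severity="MEDIUM", min_confidence="LOW", limit=50, offset=0):
    """Apply scan_all-style thresholds, sort most severe first, then paginate."""
    kept = [f for f in dedupe(findings)
            if SEVERITY[f.severity] >= SEVERITY[min_severity]
            and CONFIDENCE[f.confidence] >= CONFIDENCE[min_confidence]]
    kept.sort(key=lambda f: (-SEVERITY[f.severity], f.file, f.line))
    page = kept[offset:offset + limit]
    return {"total": len(kept), "returned": len(page), "offset": offset, "findings": page}


# Constructed sample: two scanners flag the same secret; one adds a LOW finding.
SAMPLE = [
    Finding("bandit", "app/config.py", 12, "hardcoded-password", "HIGH", "MEDIUM", "Possible hardcoded password"),
    Finding("semgrep", "app/config.py", 12, "hardcoded-password", "HIGH", "HIGH", "Hardcoded credential"),
    Finding("bandit", "app/util.py", 40, "assert-used", "LOW", "HIGH", "Use of assert detected"),
    Finding("trivy", "requirements.txt", 1, "vulnerable-dependency", "CRITICAL", "HIGH", "Known CVE in pinned package"),
]

if __name__ == "__main__":
    for f in filter_findings(SAMPLE)["findings"]:
        print(f.severity, f.scanner, f"{f.file}:{f.line}", f.rule)
```

With the defaults the LOW finding is dropped and the duplicate at `app/config.py:12` appears once, so the agent sees two findings out of four raw results.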
export_sarif
Export scan results in SARIF 2.1.0 format for CI/CD integration.
| Parameter | Type | Default | Description |
|---|---|---|---|
| target_path | string | required | Path to scan |
| scanner_name | string | "bearer" | Scanner to use |
| min_severity | string | "LOW" | Minimum severity |
| min_confidence | string | "LOW" | Minimum confidence |
| output_path | string | "" | File path to write SARIF (empty = return as string) |
list_scanners
List available scanners, their installation status, and supported languages.
ignore_vulnerability
Suppress a finding from future scans (with audit trail).
unignore_vulnerability
Re-enable a previously suppressed finding.
list_ignored_vulnerabilities
Show all currently suppressed findings for a project.
SARIF / CI/CD Integration
Export scan results in SARIF 2.1.0 format for integration with CI/CD platforms:
```bash
# In your CI pipeline, use the MCP tool:
# export_sarif(target_path=".", scanner_name="semgrep", output_path="results.sarif")

# Then upload to GitHub Code Scanning:
# gh api /repos/{owner}/{repo}/code-scanning/sarifs -f sarif=@results.sarif
```
Compatible with: GitHub Code Scanning, GitLab SAST, Azure DevOps, VS Code SARIF Viewer.
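What the `export_sarif` tool contract (parameter table above) and this CI section produce, as an added example rather than the project's `sarif.py`: a minimal SARIF 2.1.0 log with one run per scanner, the rule catalogue under `tool.driver`, and the server's four severities folded onto SARIF's `error`/`warning`/`note` levels (that mapping and the dict field names are assumptions).

```python
import json

# SARIF "level" only has error/warning/note/none, so the server's four
# severities must be folded; this mapping is assumed, not the project's.
LEVEL = {"CRITICAL": "error", "HIGH": "error", "MEDIUM": "warning", "LOW": "note"}


def to_sarif(findings, tool_name):
    """Build a SARIF 2.1.0 log from findings given as plain dicts
    (keys: rule, file, line, severity, message), one run for tool_name."""
    rules, results = {}, []
    for f in findings:
        # Declare each distinct rule once under the driver; results reference it by id.
        rules.setdefault(f["rule"], {"id": f["rule"], "shortDescription": {"text": f["message"]}})
        results.append({
            "ruleId": f["rule"],
            "level": LEVEL[f["severity"]],
            "message": {"text": f["message"]},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": f["file"], "uriBaseId": "%SRCROOT%"},
                "region": {"startLine": f["line"]},
            }}],
        })
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{"tool": {"driver": {"name": tool_name, "rules": list(rules.values())}},
                  "results": results}],
    }


def export_sarif(findings, tool_name, output_path=""):
    """Mirror the tool contract: write to output_path when given and return
    the path, otherwise return the SARIF document as a string."""
    text = json.dumps(to_sarif(findings, tool_name), indent=2)
    if output_path:
        with open(output_path, "w", encoding="utf-8") as fh:
            fh.write(text)
        return output_path
    return text


# Constructed sample findings, as a scanner adapter might normalise them.
SAMPLE = [
    {"rule": "hardcoded-password", "file": "app/config.py", "line": 12,
     "severity": "HIGH", "message": "Hardcoded credential"},
    {"rule": "assert-used", "file": "app/util.py", "line": 40,
     "severity": "LOW", "message": "Use of assert detected"},
]

if __name__ == "__main__":
    print(export_sarif(SAMPLE, "semgrep"))
```

The `%SRCROOT%` base id lets GitHub Code Scanning resolve the relative paths against the checked-out repository.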
Remote Deployment (SSE)
Run the server over HTTP/SSE for remote agent access:
```bash
# Start SSE server on port 8080
sast-mcp-server --transport sse --port 8080

# With API key authentication (recommended for production)
SAST_MCP_API_KEY=your-secret-key sast-mcp-server --transport sse --port 8080
```
Docker
```bash
docker build -t sast-mcp-server .
docker run -p 8080:8080 -e SAST_MCP_API_KEY=your-key sast-mcp-server --transport sse
```
Configuration
Environment Variables
| Variable | Default | Description |
|---|---|---|
| SAST_MCP_TIMEOUT | 300 | Scan timeout in seconds |
| SAST_MCP_LOG_LEVEL | INFO | Log level: DEBUG, INFO, WARNING, ERROR |
| SAST_MCP_API_KEY | (none) | API key for SSE authentication |
Development
```bash
# Clone and install with dev dependencies
git clone https://github.com/Skyrxin/sast-mcp-server.git
cd sast-mcp-server
pip install -e ".[dev]"

# Run tests
pytest tests/ -v

# Lint
ruff check sast_mcp_server/

# Run locally
python -m sast_mcp_server
```
Project Structure
```
sast_mcp_server/
├── __init__.py          # Package version
├── __main__.py          # python -m entry point
├── server.py            # FastMCP server with all tools
├── models.py            # Typed data models (Finding, Severity, etc.)
├── sarif.py             # SARIF 2.1.0 export and parsing
├── aggregator.py        # Multi-scanner parallel execution + deduplication
├── scanners/
│   ├── base.py          # Abstract scanner base class
│   ├── factory.py       # Scanner registry and factory
│   ├── bandit.py        # Bandit (Python)
│   ├── njsscan.py       # njsscan (JavaScript)
│   ├── bearer.py        # Bearer (multi-language)
│   ├── semgrep.py       # Semgrep (30+ languages)
│   ├── trivy.py         # Trivy (CVEs, secrets, IaC)
│   ├── codeql.py        # CodeQL (deep semantic SAST)
│   └── checkov.py       # Checkov (IaC policies)
└── enrichment/
    ├── ast_context.py   # AST-aware code context extraction
    ├── git_diff.py      # Git diff for incremental scanning
    └── ignore_manager.py # Finding ignore list management
```
License