security-mcp

security-mcp

Fetches GitHub Code Scanning alerts and applies minimal local patches to fix vulnerabilities, without creating branches, commits, or PRs.

Category
Visit Server

README

Security MCP Setup for Claude Code

This setup connects a custom security-mcp server to Claude Code so Claude can fetch GitHub Code Scanning alerts for the current repository and apply local patches.

The lifecycle is intentionally limited:

/fix-vuls
  → fetch open GitHub Code Scanning alerts
  → map alerts to local files
  → apply minimal local patches
  → stop

No branch, commit, push, PR, test run, build, or validation is performed by Claude.

The GitHub token used to fetch alerts is read from a .env file inside the repo where claude is run — it is never passed on the command line or committed to source control.


1. Add a .env file with your GitHub token

The GitHub token is not passed as a CLI flag. Instead, create a .env file inside the repo where you run claude (i.e. the org repo you want to scan, not the security-mcp server folder).

For the current v1, the token only needs access to read security/code scanning alerts.

macOS:

cd your-org-repo
echo "GITHUB_TOKEN=YOUR_GITHUB_TOKEN" > .env

Windows (PowerShell):

cd your-org-repo
"GITHUB_TOKEN=YOUR_GITHUB_TOKEN" | Out-File -Encoding utf8 .env

Windows (Command Prompt):

cd your-org-repo
echo GITHUB_TOKEN=YOUR_GITHUB_TOKEN > .env

Replace YOUR_GITHUB_TOKEN with a GitHub token that has permission to read Code Scanning alerts.

⚠️ Add .env to .gitignore so the token is never committed.


2. Connect MCP to Claude Code

From the same repo folder, add the MCP server (no token flag needed — security-mcp reads it from .env at runtime):

macOS:

claude mcp add security-mcp -- node /absolute/path/to/security-mcp/server.js

Example:

claude mcp add security-mcp -- node /Users/p.shreyas/workplace/experiment/code-vuls/security-mcp/server.js

Windows (PowerShell / Command Prompt):

claude mcp add security-mcp -- node C:\absolute\path\to\security-mcp\server.js

Example:

claude mcp add security-mcp -- node C:\Users\shreyas\workplace\experiment\code-vuls\security-mcp\server.js

3. Verify MCP connection

Run:

claude mcp list

Expected output:

security-mcp  ✓ Connected

If the server is not connected, restart Claude Code and verify the MCP path and .env file.


4. Open Claude Code in the target repo

Go to your org repo (the same folder containing your .env file):

macOS:

cd your-org-repo
claude

Example:

cd /Users/p.shreyas/workplace/vas-experience-api
claude

Windows (PowerShell / Command Prompt):

cd your-org-repo
claude

Example:

cd C:\Users\shreyas\workplace\vas-experience-api
claude

5. Test the MCP manually

Inside Claude Code, run this prompt:

Use the security-mcp tool to list open code scanning alerts for this current GitHub repo. Detect owner and repo from git remote.

Expected result:

Found open code scanning alerts:
- java/sql-injection ...
- java/path-injection ...
- java/log-injection ...

If you see this error:

Missing GITHUB_TOKEN in environment

Check the following:

  • A .env file exists in the repo folder you ran claude from (not the security-mcp server folder).
  • The .env file contains a line exactly like GITHUB_TOKEN=YOUR_GITHUB_TOKEN, with no quotes or extra spaces.
  • You restarted Claude Code (claude) after creating or editing .env.

If needed, remove and re-add the MCP:

macOS:

claude mcp remove security-mcp
claude mcp add security-mcp -- node /absolute/path/to/security-mcp/server.js

Windows:

claude mcp remove security-mcp
claude mcp add security-mcp -- node C:\absolute\path\to\security-mcp\server.js

Then restart Claude Code.


6. Create the Claude slash command

Inside the repo, create:

macOS:

mkdir -p .claude/commands
touch .claude/commands/fix-vuls.md

Windows (PowerShell):

New-Item -ItemType Directory -Force .claude\commands
New-Item -ItemType File -Force .claude\commands\fix-vuls.md

Windows (Command Prompt):

mkdir .claude\commands
type nul > .claude\commands\fix-vuls.md

Add this content to .claude/commands/fix-vuls.md:

You are a local security remediation agent for this repository.

Goal:
Fetch open GitHub code scanning vulnerabilities for the current repo and apply safe fixes locally only.

Use the Security MCP tools where available.

Lifecycle:
Your lifecycle ends immediately after applying patches locally.

Steps:
1. Detect the current GitHub owner/repo from git remote.
2. Fetch open GitHub code scanning alerts for this repo.
3. For each open alert, read:
   - rule ID
   - severity
   - affected file
   - affected line
   - alert message
   - code scanning location details
4. Map each alert to the matching local source file.
5. Apply the smallest safe patch that directly addresses the alert.
6. Stop after patching.
7. Summarize:
   - alerts patched
   - files changed
   - alerts skipped
   - reason for each skipped alert
   - reminder that validation was not run

Strict rules:
- Do not create a branch.
- Do not commit.
- Do not push.
- Do not create a PR.
- Do not auto-merge.
- Do not run tests.
- Do not run build.
- Do not run validation.
- Do not run dependency audit.
- Do not modify CI/CD configuration.
- Do not suppress CodeQL/code scanning alerts unless the alert is clearly false positive and the local code change is unnecessary.
- Do not delete tests.
- Do not make broad refactors.
- Do not change unrelated files.
- Keep all fixes minimal and local.

7. Run the final command

Inside Claude Code:

/fix-vuls

Expected final behavior:

Applied local patches for 3 code scanning alerts.

Files changed:
- src/main/java/...
- src/main/java/...

Skipped:
- Alert #12 because affected file was generated code.

Stopped after applying patches locally.

No tests, build, validation, branch, commit, push, or PR were performed.

8. Developer review

After Claude stops, the developer owns the next steps.

Recommended manual checks:

git diff

Then run project-specific validation manually, for example:

mvn test

or:

npm test

If the changes look good, the developer can manually create a branch, commit, push, and PR using the normal team workflow.


Final lifecycle

Developer runs /fix-vuls
        ↓
Claude detects GitHub repo
        ↓
Security MCP fetches Code Scanning alerts
        ↓
Claude applies minimal local patches
        ↓
Claude stops
        ↓
Developer reviews, tests, commits, and raises PR manually

Recommended Servers

playwright-mcp

playwright-mcp

A Model Context Protocol server that enables LLMs to interact with web pages through structured accessibility snapshots without requiring vision models or screenshots.

Official
Featured
TypeScript
Magic Component Platform (MCP)

Magic Component Platform (MCP)

An AI-powered tool that generates modern UI components from natural language descriptions, integrating with popular IDEs to streamline UI development workflow.

Official
Featured
Local
TypeScript
Audiense Insights MCP Server

Audiense Insights MCP Server

Enables interaction with Audiense Insights accounts via the Model Context Protocol, facilitating the extraction and analysis of marketing insights and audience data including demographics, behavior, and influencer engagement.

Official
Featured
Local
TypeScript
VeyraX MCP

VeyraX MCP

Single MCP tool to connect all your favorite tools: Gmail, Calendar and 40 more.

Official
Featured
Local
graphlit-mcp-server

graphlit-mcp-server

The Model Context Protocol (MCP) Server enables integration between MCP clients and the Graphlit service. Ingest anything from Slack to Gmail to podcast feeds, in addition to web crawling, into a Graphlit project - and then retrieve relevant contents from the MCP client.

Official
Featured
TypeScript
Kagi MCP Server

Kagi MCP Server

An MCP server that integrates Kagi search capabilities with Claude AI, enabling Claude to perform real-time web searches when answering questions that require up-to-date information.

Official
Featured
Python
E2B

E2B

Using MCP to run code via e2b.

Official
Featured
Neon Database

Neon Database

MCP server for interacting with Neon Management API and databases

Official
Featured
Exa Search

Exa Search

A Model Context Protocol (MCP) server lets AI assistants like Claude use the Exa AI Search API for web searches. This setup allows AI models to get real-time web information in a safe and controlled way.

Official
Featured
Qdrant Server

Qdrant Server

This repository is an example of how to create a MCP server for Qdrant, a vector search engine.

Official
Featured