security_audit
Analyzes Python code for security vulnerabilities like SQL injection and command injection. Provides actionable insights to enhance code security and prevent risks in Python applications.
Instructions
Focused security vulnerability analysis for Python code. Identifies SQL injection, command injection, and other security risks.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| code | Yes | Python code to audit for security vulnerabilities | |
| filename | No | Name of the file (optional) | unknown.py |
Implementation Reference
- src/index.ts:270-287 (handler): The main handler function that implements the security_audit tool. It validates input using SecurityAuditSchema, analyzes the Python code for security issues using the analyzer, generates a security report, adds custom security insights, and returns the formatted result.

  ```typescript
  private async handleSecurityAudit(args: unknown) {
    const { code, filename } = SecurityAuditSchema.parse(args);

    const result = this.analyzer.analyzePythonCode(code, filename);
    const securityReport = this.formatter.generateSecurityReport(result);

    // Add additional security insights
    const securityInsights = this.generateSecurityInsights(result);

    return {
      content: [
        {
          type: 'text',
          text: `${securityReport}\n\n${securityInsights}`
        }
      ]
    };
  }
  ```
- src/index.ts:32-35 (schema): Zod schema defining the input parameters for the security_audit tool: code (required string) and filename (optional string, defaults to 'unknown.py'). Used for validation in the handler.

  ```typescript
  const SecurityAuditSchema = z.object({
    code: z.string().min(1, "Code cannot be empty"),
    filename: z.string().optional().default("unknown.py")
  });
  ```
- src/index.ts:106-124 (registration): Tool registration in the list of available tools returned by ListToolsRequestSchema. Defines name, description, and inputSchema matching the SecurityAuditSchema.

  ```typescript
  {
    name: 'security_audit',
    description: 'Focused security vulnerability analysis for Python code. Identifies SQL injection, command injection, and other security risks.',
    inputSchema: {
      type: 'object',
      properties: {
        code: {
          type: 'string',
          description: 'Python code to audit for security vulnerabilities'
        },
        filename: {
          type: 'string',
          description: 'Name of the file (optional)',
          default: 'unknown.py'
        }
      },
      required: ['code']
    }
  },
  ```
- src/index.ts:214-215 (registration): Dispatch in the CallToolRequestSchema handler switch statement that routes security_audit calls to the handleSecurityAudit method.

  ```typescript
  case 'security_audit':
    return await this.handleSecurityAudit(args);
  ```
- src/index.ts:354-391 (helper): Helper method called by the handler to generate additional security insights, including vulnerability summaries, critical alerts, and proactive recommendations.

  ```typescript
  private generateSecurityInsights(result: AnalysisResult): string {
    const securityIssues = result.issues.filter(i => i.type === 'security');

    const insights = [
      '## 🧠 **SECURITY INSIGHTS**',
      ''
    ];

    if (securityIssues.length === 0) {
      insights.push('✅ **No immediate security vulnerabilities detected in this code.**');
      insights.push('');
      insights.push('**Proactive Security Measures:**');
      insights.push('- Implement input validation for all user inputs');
      insights.push('- Use environment variables for sensitive configuration');
      insights.push('- Enable logging for security-relevant events');
      insights.push('- Regularly update dependencies to patch known vulnerabilities');
      return insights.join('\n');
    }

    const vulnTypes = [...new Set(securityIssues.map(i => i.rule))];
    insights.push(`**Vulnerability Types Found:** ${vulnTypes.length}`);
    insights.push(`**Most Common:** ${this.getMostCommonVulnerability(securityIssues)}`);
    insights.push('');

    const criticalSecurity = securityIssues.filter(i => i.severity === 'critical');
    if (criticalSecurity.length > 0) {
      insights.push('🚨 **CRITICAL SECURITY ALERT:**');
      insights.push(`This code contains ${criticalSecurity.length} critical security vulnerabilities that could lead to:`);
      insights.push('- Data breaches and unauthorized access');
      insights.push('- Remote code execution');
      insights.push('- SQL injection attacks');
      insights.push('- Complete system compromise');
      insights.push('');
      insights.push('**IMMEDIATE ACTION REQUIRED BEFORE DEPLOYMENT**');
    }

    return insights.join('\n');
  }
  ```