🕷️ joern-mcp
A production-ready Model Context Protocol (MCP) server that provides AI assistants with static code analysis capabilities using Joern's Code Property Graph (CPG) technology.
Overview
The Joern MCP Server enables AI coding assistants to perform sophisticated static code analysis by leveraging Joern's powerful CPG-based analysis in isolated Docker environments. It implements the Model Context Protocol standard, making it compatible with various AI assistants and development environments.
Features
Static Code Analysis: Deep code analysis using Joern's CPG technology
Multi-Language Support: C/C++, Java, JavaScript/TypeScript, Python, Go, Kotlin, Scala, C#
Isolated Execution: All analysis runs in secure Docker containers
Intelligent Caching: Efficient CPG caching with configurable TTL
GitHub Integration: Direct analysis of GitHub repositories
Production Ready: Comprehensive error handling, logging, and monitoring
MCP Compliance: Full Model Context Protocol implementation
Quick Start
Prerequisites
Python 3.8+
Docker
Git
Installation
Clone the repository:
git clone https://github.com/Lekssays/joern-mcp.git
cd joern-mcp
Install dependencies:
pip install -r requirements.txt
Build Joern Docker image:
# Option 1: Use the build script (recommended)
./build.sh
# Option 2: Build manually
docker build -t joern:latest .
Running the Server
Validate setup first:
Basic usage:
With configuration file:
Using environment variables:
Note: The joern:latest image is built locally using the included Dockerfile, not pulled from a registry.
Configuration
Create a config.yml file for custom configuration:
Environment Variables
| Variable | Description | Default |
|---|---|---|
| | Joern Docker image | |
| | CPU limit for containers | |
| | Memory limit for containers | |
| | Container timeout (seconds) | |
| | Enable CPG caching | |
| | Cache size limit (GB) | |
| | Cache directory | |
| | GitHub access token | - |
| | Logging level | |
Usage with AI Assistants
VS Code with GitHub Copilot
Add to VS Code settings.json:
Claude Desktop
Configure in Claude Desktop settings:
Available Tools
Core Tools
load_project: Load code from GitHub URL or local path
generate_cpg: Generate Code Property Graph for analysis
run_query: Execute Joern queries against the CPG
list_projects: List all loaded projects
project_info: Get detailed project information
cleanup_project: Clean up project resources
Pre-built Queries
list_queries: Access security, quality, and metrics queries
Security Queries
SQL injection detection
XSS sink identification
Hardcoded secrets discovery
Unsafe deserialization patterns
Quality Queries
Complex methods detection
Long methods identification
Duplicate code analysis
Unused variables discovery
Metrics Queries
Total methods/classes/files count
Average cyclomatic complexity
Example Usage
Load and Analyze a Project
Common Queries
Find all functions:
Find function calls:
Security analysis:
Complex methods:
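The following is an added example, not code from the joern-mcp repository: one CPGQL query for each of the query categories listed above (common, security, quality and metrics), written for a CPG of a C project opened in the Joern shell. The same query strings are what a client would hand to the run_query tool. The function names used as sources and sinks (gets, recv, read, strcpy, system, sprintf), the secret-name regex and the thresholds (10 control structures, 50 lines) are illustrative choices, not values from the project.

```scala
// Added example (not from joern-mcp): CPGQL queries against a CPG of a C project.
// Assumes the Joern shell's default imports, which include the data-flow steps.

// Find all functions defined in the analysed code (external = declared only,
// e.g. libc functions referenced but not defined in the project)
cpg.method.isExternal(false).name.l

// Find function calls: every call site of strcpy, with file, line and source text
cpg.call.name("strcpy")
  .map(c => (c.location.filename, c.lineNumber.getOrElse(-1), c.code))
  .l

// Security analysis: data flows from input-reading calls to unsafe sinks.
// Arguments of gets/recv/read are sources; arguments of strcpy/system/sprintf are sinks.
def sources = cpg.call.name("gets", "recv", "read").argument
def sinks   = cpg.call.name("strcpy", "system", "sprintf").argument
sinks.reachableByFlows(sources).p   // prints each flow as a source-to-sink path

// Hardcoded secrets: a literal assigned to a suspiciously named target
cpg.assignment
  .where(_.target.code("(?i).*(passw|secret|token|api_?key).*"))
  .where(_.source.isLiteral)
  .map(a => (a.location.filename, a.code))
  .l

// Complex methods: more than 10 control structures (if/for/while/switch)
cpg.method.isExternal(false)
  .filter(_.ast.isControlStructure.size > 10)
  .map(m => (m.name, m.ast.isControlStructure.size))
  .l

// Long methods: more than 50 source lines
cpg.method.isExternal(false).filter(_.numberOfLines > 50).name.l

// Metrics: counts behind the "Total methods/classes/files" query
(cpg.method.isExternal(false).size, cpg.typeDecl.isExternal(false).size, cpg.file.size)
```

The security query deliberately starts from call arguments rather than from the external method's parameters, so a project that reads input into a buffer and later passes that buffer to a sink is reported even when the two calls are in different functions; the data-flow engine follows the taint across calls. Treat every reported flow as a candidate for review, since sanitisation that the engine does not model (length checks, allow-lists) will still appear in the output.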
Development
Project Structure
Running Tests
Run all tests:
Run with coverage:
Run integration tests (requires Docker):
Run specific test file:
Code Quality
Format code:
Lint code:
Troubleshooting
Common Issues
Docker connection error:
Ensure Docker is running
Check Docker daemon accessibility
Verify user permissions for Docker socket
Image not found:
Build the Joern image:
docker build -t joern:latest .
Check image name in configuration
Verify the build completed successfully:
docker images | grep joern
Docker build issues:
Ensure Docker has sufficient disk space
Check internet connectivity for downloading Joern
Try building with more verbose output:
docker build -t joern:latest . --progress=plain
Memory issues:
Increase Docker memory limit in config
Reduce concurrent analysis limit
Clear cache directory
Permission errors:
Check file/directory permissions
Ensure cache directory is writable
Verify Docker socket permissions
Logging
Enable debug logging for troubleshooting:
Contributing
Fork the repository
Create a feature branch:
git checkout -b feature-name
Make changes and add tests
Run tests and linting:
pytest && black . && flake8
Commit changes:
git commit -am 'Add feature'
Push to branch:
git push origin feature-name
Submit a pull request
License
MIT License - see LICENSE file for details.
Acknowledgments
Joern - Static analysis platform
Model Context Protocol - AI assistant integration standard