Skip to main content
Glama

SAST MCP Server

by Sengtocxoen
GitHub
Python
MIT License
  • Linux
  • Apple
OverviewInspectNewEndpointsSchemaRelated ServersReviewsScore
Need Help?View Source CodeReport Issue

MCP-SAST-Server

A comprehensive Model Context Protocol (MCP) server that integrates multiple SAST (Static Application Security Testing) tools with Claude Code AI, enabling automated security analysis and vulnerability scanning directly from your AI assistant.

Overview

This project provides a bridge between Claude Code and industry-standard security scanning tools, allowing developers to perform comprehensive security analysis through natural language commands.

Key Features

  • 15+ SAST Tools Integration: Semgrep, Bandit, ESLint Security, TruffleHog, Gitleaks, and more

  • MCP Protocol: Seamless integration with Claude Code AI

  • Remote Execution: Run security tools on a dedicated security VM (Kali Linux) while working on Windows

  • Path Resolution: Automatic Windows ↔ Linux path mapping for cross-platform operation

  • Flexible Architecture: Choose between full-featured or lightweight server

  • Comprehensive Coverage: Code analysis, secret scanning, dependency checking, IaC security

Architecture

┌─────────────────┐ ┌──────────────────┐ ┌─────────────────┐ │ Claude Code │ MCP │ MCP Client │ HTTP │ SAST Server │ │ (Windows) │◄───────►│ sast_mcp_client │◄───────►│ (Kali Linux) │ │ │ │ .py │ │ │ └─────────────────┘ └──────────────────┘ └─────────────────┘ │ ▼ ┌─────────────────┐ │ Security Tools │ │ - Semgrep │ │ - Bandit │ │ - TruffleHog │ │ - Checkov │ │ - And more... │ └─────────────────┘

Supported Tools

Code Analysis

  • Semgrep - Multi-language static analysis (30+ languages)

  • Bandit - Python security scanner

  • ESLint Security - JavaScript/TypeScript security linting

  • Gosec - Go security checker

  • Brakeman - Ruby on Rails security scanner

  • Graudit - Grep-based source code auditing

  • Bearer - Security and privacy risk scanner

Secret Detection

  • TruffleHog - Secret scanner for git repos and filesystems

  • Gitleaks - Fast secret detection for git repositories

Dependency Scanning

  • Safety - Python dependency vulnerability checker

  • npm audit - Node.js dependency security audit

  • OWASP Dependency-Check - Multi-language dependency scanner

Infrastructure as Code

  • Checkov - Terraform, CloudFormation, Kubernetes, Dockerfile scanner

  • tfsec - Terraform security scanner

  • Trivy - Container and IaC vulnerability scanner

Installation

Prerequisites

Windows Machine (Client):

  • Python 3.8+

  • Claude Code installed

Linux Machine (Server - Kali Linux recommended):

Quick Start

1. Clone the Repository

git clone https://github.com/your-username/MCP-SAST-Server.git cd MCP-SAST-Server

2. Install Python Dependencies

pip install -r requirements.txt

3. Configure Server (Optional)

Copy the example environment file and customize:

cp .env.example .env # Edit .env with your settings (port, paths, timeouts)

4. Start SAST Server (on Kali Linux)

Option A: Full-Featured Server (recommended for complete functionality)

python3 sast_server.py --port 6000

Option B: Simple Server (no external dependencies, basic functionality)

python3 simple_sast_server.py --port 6000

5. Configure Claude Code (on Windows)

Option A: Use the example configuration

  1. Open config.example.json in the repository

  2. Copy the configuration that matches your setup

  3. Add it to your .claude.json file

  4. Update the paths and server URL

Option B: Manual configuration

Add the MCP server configuration to your .claude.json:

{ "mcpServers": { "sast_tools": { "type": "stdio", "command": "python", "args": [ "/path/to/MCP-SAST-Server/sast_mcp_client.py", "--server", "http://YOUR_KALI_IP:6000" ] } } }

Important: Update these values:

  • /path/to/MCP-SAST-Server/sast_mcp_client.py - Full path to the MCP client script

  • YOUR_KALI_IP - Your Kali Linux machine's IP address (e.g., 192.168.1.100)

  • Port 6000 - Change if you configured a different port

Windows Path Examples:

  • C:/Projects/MCP-SAST-Server/sast_mcp_client.py

  • F:/work/MCP-SAST-Server/sast_mcp_client.py

Linux/Mac Path Examples:

  • /home/user/MCP-SAST-Server/sast_mcp_client.py

  • ~/projects/MCP-SAST-Server/sast_mcp_client.py

6. Verify Installation

On Kali Linux:

curl http://localhost:6000/health

In Claude Code:

@sast_tools Check the SAST server health and show me available tools

Usage Examples

Security Scanning

Scan Python code for vulnerabilities:

@sast_tools Run a Bandit scan on F:/work/MyProject/backend with high severity filter

Multi-language security audit:

@sast_tools Use Semgrep with OWASP Top 10 rules to scan F:/work/MyProject

Find secrets in repository:

@sast_tools Scan F:/work/MyProject for leaked secrets using TruffleHog

Dependency Checking

Check Python dependencies:

@sast_tools Run Safety check on F:/work/MyProject/requirements.txt

Audit Node.js packages:

@sast_tools Run npm audit on F:/work/MyProject/frontend with critical severity

Infrastructure Security

Scan Terraform files:

@sast_tools Use Checkov to scan Terraform configurations in F:/work/MyProject/terraform

Check Docker security:

@sast_tools Scan F:/work/MyProject/Dockerfile with Trivy

Tool Installation

Installing Security Tools on Kali Linux

Many tools come pre-installed on Kali Linux. For missing tools:

Semgrep:

pip3 install semgrep

Bandit:

pip3 install bandit

TruffleHog:

pip3 install trufflehog

Gitleaks:

wget https://github.com/gitleaks/gitleaks/releases/download/v8.18.0/gitleaks_8.18.0_linux_x64.tar.gz tar -xzf gitleaks_8.18.0_linux_x64.tar.gz sudo mv gitleaks /usr/local/bin/

Checkov:

pip3 install checkov

Safety:

pip3 install safety

Trivy:

wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add - echo "deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee -a /etc/apt/sources.list.d/trivy.list sudo apt update sudo apt install trivy

For a complete installation guide, refer to each tool's official documentation.

Configuration

Server Configuration (.env file)

The server can be configured using environment variables or a .env file:

Using .env file (recommended):

# Copy the example file cp .env.example .env # Edit .env with your settings nano .env

Available Configuration Options:

# Server Port (default: 6000) API_PORT=6000 # Debug Mode (default: 0) DEBUG_MODE=0 # Command Timeout in seconds (default: 3600) COMMAND_TIMEOUT=3600 # Max timeout limit (default: 7200) MAX_TIMEOUT=7200 # Path Mapping (for Windows/Linux cross-platform) MOUNT_POINT=/mnt/work WINDOWS_BASE=F:/work

Using environment variables directly:

export API_PORT=6000 export DEBUG_MODE=1 export MOUNT_POINT=/mnt/work export WINDOWS_BASE=F:/work

Client Configuration (config.example.json)

For Claude Code configuration, see config.example.json which includes:

  • Windows with local Kali VM example

  • Windows with remote Kali server example

  • Linux/Mac configuration example

Simply copy the appropriate configuration to your .claude.json and update the paths and IP address.

Path Resolution

The server automatically resolves Windows paths to Linux mount paths:

  • F:/work/Project/mnt/work/Project

  • F:\work\Project/mnt/work/Project

Configure your mount point using environment variables if different.

API Endpoints

Health Check

GET /health

SAST Tools

POST /api/sast/semgrep POST /api/sast/bandit POST /api/sast/bearer POST /api/sast/graudit POST /api/sast/gosec POST /api/sast/brakeman POST /api/sast/eslint-security

Secret Scanning

POST /api/secrets/trufflehog POST /api/secrets/gitleaks

Dependency Scanning

POST /api/dependencies/safety POST /api/dependencies/npm-audit POST /api/dependencies/dependency-check

Infrastructure as Code

POST /api/iac/checkov POST /api/iac/tfsec

Container Security

POST /api/container/trivy

Custom Commands

POST /api/command

Project Structure

MCP-SAST-Server/ ├── sast_server.py # Full-featured SAST server (recommended) ├── simple_sast_server.py # Lightweight alternative (minimal dependencies) ├── sast_mcp_client.py # MCP client for Claude Code integration ├── requirements.txt # Python dependencies ├── .env.example # Server configuration template ├── config.example.json # Claude Code configuration examples ├── .gitignore # Git ignore rules ├── LICENSE # MIT License ├── CONTRIBUTING.md # Contribution guidelines └── README.md # This file (main documentation)

File Descriptions

Core Files:

  • sast_server.py - Main SAST server with .env support and path resolution

  • sast_mcp_client.py - MCP client that connects Claude Code to the server

  • simple_sast_server.py - Alternative server with no external dependencies

Configuration:

  • .env.example - Environment variables template for server configuration

  • config.example.json - Claude Code integration examples for different setups

Documentation:

  • README.md - Complete project documentation (you're reading it!)

  • CONTRIBUTING.md - Guidelines for contributing to the project

  • LICENSE - MIT License terms

Troubleshooting

Connection Issues

Problem: Cannot connect to SAST server

Solution:

  1. Verify server is running: curl http://KALI_IP:6000/health

  2. Check firewall settings on Kali Linux

  3. Ensure IP address in .claude.json is correct

  4. Check network connectivity between Windows and Kali

Path Resolution Issues

Problem: Scans fail with "path not found"

Solution:

  1. Verify Windows share is mounted on Linux: ls /mnt/work

  2. Check mount point configuration matches MOUNT_POINT environment variable

  3. Ensure paths use forward slashes in .claude.json

Tool Not Available

Problem: Health check shows tool as unavailable

Solution:

  1. Install missing tools (see Tool Installation)

  2. Verify tool is in PATH: which semgrep

  3. Test tool manually: semgrep --version

Security Considerations

  • Network Security: Use firewall rules to restrict access to SAST server port

  • Authentication: Consider adding API authentication for production use

  • Secrets: Never commit API keys or credentials to the repository

  • Isolation: Run SAST server in isolated VM or container

  • Updates: Regularly update security tools to get latest vulnerability signatures

Contributing

Contributions are welcome! Please:

  1. Fork the repository

  2. Create a feature branch (git checkout -b feature/amazing-feature)

  3. Commit your changes (git commit -m 'Add amazing feature')

  4. Push to the branch (git push origin feature/amazing-feature)

  5. Open a Pull Request

License

This project is licensed under the MIT License - see the LICENSE file for details.

Acknowledgments

Support

For issues, questions, or contributions:

Roadmap

  • Add authentication/authorization

  • Implement scan result caching

  • Add webhook notifications

  • Create web dashboard for scan results

  • Support for additional SAST tools

  • Docker containerization

  • CI/CD integration examples

Built with ❤️ for secure code development

This server cannot be installed

-
security - not tested
A
license - permissive license
-
quality - not tested

How are these scores calculated?

hybrid server

The server is able to function both locally and remotely, depending on the configuration or use case.

Integrates 15+ static application security testing tools (Semgrep, Bandit, TruffleHog, etc.) with Claude Code AI, enabling automated vulnerability scanning and security analysis through natural language commands. Supports cross-platform operation with remote execution on dedicated security VMs.

  1. Overview
    1. Key Features
  2. Architecture
    1. Supported Tools
      1. Code Analysis
      2. Secret Detection
      3. Dependency Scanning
      4. Infrastructure as Code
    2. Installation
      1. Prerequisites
      2. Quick Start
    3. Usage Examples
      1. Security Scanning
      2. Dependency Checking
      3. Infrastructure Security
    4. Tool Installation
      1. Installing Security Tools on Kali Linux
    5. Configuration
      1. Server Configuration (.env file)
      2. Client Configuration (config.example.json)
      3. Path Resolution
    6. API Endpoints
      1. Health Check
      2. SAST Tools
      3. Secret Scanning
      4. Dependency Scanning
      5. Infrastructure as Code
      6. Container Security
      7. Custom Commands
    7. Project Structure
      1. File Descriptions
    8. Troubleshooting
      1. Connection Issues
      2. Path Resolution Issues
      3. Tool Not Available
    9. Security Considerations
      1. Contributing
        1. License
          1. Acknowledgments
            1. Support
              1. Roadmap

                New MCP Servers

                MCP directory API

                We provide all the information about MCP servers via our MCP API.

                curl -X GET 'https://glama.ai/api/mcp/v1/servers/Sengtocxoen/sast-mcp'

                If you have feedback or need assistance with the MCP directory API, please join our Discord server