MCP-SAST-Server
A comprehensive Model Context Protocol (MCP) server that integrates multiple SAST (Static Application Security Testing) tools with Claude Code AI, enabling automated security analysis and vulnerability scanning directly from your AI assistant.
Overview
This project provides a bridge between Claude Code and industry-standard security scanning tools, allowing developers to perform comprehensive security analysis through natural language commands.
Key Features
15+ SAST Tools Integration: Semgrep, Bandit, ESLint Security, TruffleHog, Gitleaks, and more
MCP Protocol: Seamless integration with Claude Code AI
Remote Execution: Run security tools on a dedicated security VM (Kali Linux) while working on Windows
Path Resolution: Automatic Windows ↔ Linux path mapping for cross-platform operation
Flexible Architecture: Choose between full-featured or lightweight server
Comprehensive Coverage: Code analysis, secret scanning, dependency checking, IaC security
Architecture
Supported Tools
Code Analysis
Semgrep - Multi-language static analysis (30+ languages)
Bandit - Python security scanner
ESLint Security - JavaScript/TypeScript security linting
Gosec - Go security checker
Brakeman - Ruby on Rails security scanner
Graudit - Grep-based source code auditing
Bearer - Security and privacy risk scanner
Secret Detection
TruffleHog - Secret scanner for git repos and filesystems
Gitleaks - Fast secret detection for git repositories
Dependency Scanning
Safety - Python dependency vulnerability checker
npm audit - Node.js dependency security audit
OWASP Dependency-Check - Multi-language dependency scanner
Infrastructure as Code
Checkov - Terraform, CloudFormation, Kubernetes, Dockerfile scanner
tfsec - Terraform security scanner
Trivy - Container and IaC vulnerability scanner
Installation
Prerequisites
Windows Machine (Client):
Python 3.8+
Claude Code installed
Linux Machine (Server - Kali Linux recommended):
Python 3.8+
Security tools installed (see Tool Installation)
Quick Start
1. Clone the Repository
2. Install Python Dependencies
3. Configure Server (Optional)
Copy the example environment file and customize:
4. Start SAST Server (on Kali Linux)
Option A: Full-Featured Server (recommended for complete functionality)
Option B: Simple Server (no external dependencies, basic functionality)
5. Configure Claude Code (on Windows)
Option A: Use the example configuration
Open config.example.json in the repository
Copy the configuration that matches your setup
Add it to your .claude.json file
Update the paths and server URL
Option B: Manual configuration
Add the MCP server configuration to your .claude.json:
Important: Update these values:
/path/to/MCP-SAST-Server/sast_mcp_client.py - Full path to the MCP client script
YOUR_KALI_IP - Your Kali Linux machine's IP address (e.g., 192.168.1.100)
Port 6000 - Change if you configured a different port
Windows Path Examples:
C:/Projects/MCP-SAST-Server/sast_mcp_client.py
F:/work/MCP-SAST-Server/sast_mcp_client.py
Linux/Mac Path Examples:
/home/user/MCP-SAST-Server/sast_mcp_client.py
~/projects/MCP-SAST-Server/sast_mcp_client.py
7. Verify Installation
On Kali Linux:
In Claude Code:
Usage Examples
Security Scanning
Scan Python code for vulnerabilities:
Multi-language security audit:
Find secrets in repository:
Dependency Checking
Check Python dependencies:
Audit Node.js packages:
Infrastructure Security
Scan Terraform files:
Check Docker security:
Tool Installation
Installing Security Tools on Kali Linux
Many tools come pre-installed on Kali Linux. For missing tools:
Semgrep:
Bandit:
TruffleHog:
Gitleaks:
Checkov:
Safety:
Trivy:
For a complete installation guide, refer to each tool's official documentation.
Configuration
Server Configuration (.env file)
The server can be configured using environment variables or a .env file:
Using .env file (recommended):
Available Configuration Options:
Using environment variables directly:
Client Configuration (config.example.json)
For Claude Code configuration, see config.example.json, which includes:
Windows with local Kali VM example
Windows with remote Kali server example
Linux/Mac configuration example
Simply copy the appropriate configuration to your .claude.json and update the paths and IP address.
Path Resolution
The server automatically resolves Windows paths to Linux mount paths:
F:/work/Project → /mnt/work/Project
F:\work\Project → /mnt/work/Project
Configure your mount point using environment variables if different.
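The mapping described above, written out as an added example (this is not the project's own sast_server.py code). It assumes a single Windows share root, F:/work, mounted at the directory named by the MOUNT_POINT environment variable (defaulting to /mnt/work to match the README's examples); both separators and a case-insensitive drive letter are accepted. Because the server runs scanners on whatever path the client sends, the example also refuses any path that, after normalisation, would land outside the mount point.

```python
"""Windows -> Linux path mapping with a containment check.

Added example, not the project's own code. WINDOWS_SHARE_ROOT and the
default mount point are assumptions chosen to match the README's examples;
the real server reads MOUNT_POINT from its .env file.
"""
import os
import posixpath
from typing import Optional

WINDOWS_SHARE_ROOT = "F:/work"      # assumed share root on the Windows side
DEFAULT_MOUNT_POINT = "/mnt/work"   # assumed default when MOUNT_POINT is unset


def resolve_windows_path(path: str, mount_point: Optional[str] = None) -> str:
    """Map a Windows path under the share root to its Linux mount path.

    Raises ValueError if the path is not under the share, or if it escapes
    the mount point after normalisation (for example through '..').
    """
    mount_point = mount_point or os.environ.get("MOUNT_POINT", DEFAULT_MOUNT_POINT)
    mount_point = posixpath.normpath(mount_point)

    # Unify separators so 'F:\\work\\x' and 'F:/work/x' compare equal.
    unified = path.replace("\\", "/")
    share = WINDOWS_SHARE_ROOT.rstrip("/")

    if not unified.lower().startswith(share.lower()):
        raise ValueError(f"path is not under the Windows share {share}: {path}")
    remainder = unified[len(share):]
    if remainder and not remainder.startswith("/"):
        # 'F:/workspace/x' must not be treated as living under 'F:/work'
        raise ValueError(f"path is not under the Windows share {share}: {path}")

    candidate = posixpath.normpath(mount_point + "/" + remainder.lstrip("/"))
    # Containment check: a client-supplied '..' must not redirect the scanners
    # to an arbitrary location on the security VM.
    if candidate != mount_point and not candidate.startswith(mount_point + "/"):
        raise ValueError(f"resolved path escapes {mount_point}: {candidate}")
    return candidate


def is_safe_windows_path(path: str, mount_point: Optional[str] = None) -> bool:
    """Convenience wrapper: True if the path resolves inside the mount point."""
    try:
        resolve_windows_path(path, mount_point)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for p in ("F:/work/Project", r"F:\work\Project", "F:/work/../etc/passwd"):
        try:
            print(f"{p!r} -> {resolve_windows_path(p)}")
        except ValueError as exc:
            print(f"{p!r} rejected: {exc}")
```

Passing mount_point explicitly overrides the environment variable, which keeps the function testable without touching the process environment.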
API Endpoints
Health Check
SAST Tools
Secret Scanning
Dependency Scanning
Infrastructure as Code
Container Security
Custom Commands
Project Structure
File Descriptions
Core Files:
sast_server.py - Main SAST server with .env support and path resolution
sast_mcp_client.py - MCP client that connects Claude Code to the server
simple_sast_server.py - Alternative server with no external dependencies
Configuration:
.env.example - Environment variables template for server configuration
config.example.json - Claude Code integration examples for different setups
Documentation:
README.md - Complete project documentation (you're reading it!)
CONTRIBUTING.md - Guidelines for contributing to the project
LICENSE - MIT License terms
Troubleshooting
Connection Issues
Problem: Cannot connect to SAST server
Solution:
Verify server is running:
curl http://KALI_IP:6000/health
Check firewall settings on Kali Linux
Ensure IP address in .claude.json is correct
Check network connectivity between Windows and Kali
Path Resolution Issues
Problem: Scans fail with "path not found"
Solution:
Verify Windows share is mounted on Linux:
ls /mnt/work
Check mount point configuration matches MOUNT_POINT environment variable
Ensure paths use forward slashes in .claude.json
Tool Not Available
Problem: Health check shows tool as unavailable
Solution:
Install missing tools (see Tool Installation)
Verify tool is in PATH:
which semgrep
Test tool manually:
semgrep --version
Security Considerations
Network Security: Use firewall rules to restrict access to SAST server port
Authentication: Consider adding API authentication for production use
Secrets: Never commit API keys or credentials to the repository
Isolation: Run SAST server in isolated VM or container
Updates: Regularly update security tools to get latest vulnerability signatures
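The first two considerations above (restricting who can reach the server port, and adding API authentication, which the roadmap lists as not yet implemented) can be enforced in the server itself as well as at the firewall. The following is an added example, not code from this project: a stdlib-only HTTP handler that gates a /health endpoint behind a source-address allowlist and a bearer token. SAST_API_TOKEN and SAST_ALLOWED_CLIENTS are hypothetical environment variable names chosen for this example.

```python
"""Bearer-token and source-address checks for an HTTP API.

Added example, not the project's code. SAST_API_TOKEN and
SAST_ALLOWED_CLIENTS are hypothetical names for this illustration.
"""
import hmac
import ipaddress
import os
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Iterable, Mapping


def is_authorized(headers: Mapping[str, str], expected_token: str) -> bool:
    """True only if the Authorization header carries the expected bearer token."""
    if not expected_token:
        return False  # an unset token must fail closed, not open
    header = headers.get("Authorization", "")
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return False
    # Constant-time comparison so a wrong token cannot be probed byte by byte.
    return hmac.compare_digest(token.strip().encode(), expected_token.encode())


def is_allowed_client(client_ip: str, allowed: Iterable[str]) -> bool:
    """True if client_ip lies inside one of the allowed addresses or networks."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    for entry in allowed:
        entry = entry.strip()
        if not entry:
            continue
        try:
            if addr in ipaddress.ip_network(entry, strict=False):
                return True
        except ValueError:
            continue  # a malformed allowlist entry never widens access
    return False


class GuardedHandler(BaseHTTPRequestHandler):
    """Minimal handler that applies both checks before serving /health."""

    token = os.environ.get("SAST_API_TOKEN", "")
    allowed = os.environ.get("SAST_ALLOWED_CLIENTS", "127.0.0.1/32").split(",")

    def do_GET(self):
        if not is_allowed_client(self.client_address[0], self.allowed):
            self.send_error(403, "client address not allowed")
            return
        if not is_authorized(self.headers, self.token):
            self.send_error(401, "missing or invalid bearer token")
            return
        if self.path != "/health":
            self.send_error(404)
            return
        body = b'{"status": "ok"}'
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Bind to localhost by default; widen the bind address and the allowlist
    # deliberately, alongside the firewall rules, rather than by default.
    HTTPServer(("127.0.0.1", 6000), GuardedHandler).serve_forever()
```

The address check runs first so that an unauthenticated client outside the allowlist never reaches the token comparison at all; with the allowlist set to the Windows client's address and the token kept out of the repository (see the Secrets bullet above), the health-check curl from the Troubleshooting section would additionally need an Authorization: Bearer header.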
Contributing
Contributions are welcome! Please:
Fork the repository
Create a feature branch (git checkout -b feature/amazing-feature)
Commit your changes (git commit -m 'Add amazing feature')
Push to the branch (git push origin feature/amazing-feature)
Open a Pull Request
License
This project is licensed under the MIT License - see the LICENSE file for details.
Acknowledgments
Model Context Protocol - MCP specification
Anthropic - Claude AI and Claude Code
All the amazing open-source security tool maintainers
Support
For issues, questions, or contributions:
Issues: GitHub Issues
Discussions: GitHub Discussions
Roadmap
Add authentication/authorization
Implement scan result caching
Add webhook notifications
Create web dashboard for scan results
Support for additional SAST tools
Docker containerization
CI/CD integration examples
Built with ❤️ for secure code development