Lanalyzer MCP Server

Lanalyzer

Lanalyzer is an advanced Python static taint analysis tool designed to detect potential security vulnerabilities in Python projects. It identifies data flows from untrusted sources (Sources) to sensitive operations (Sinks) and provides detailed insights into potential risks.

📖 Table of Contents

Lanalyzer

✨ Features

Taint Analysis: Tracks data flows from sources to sinks.
Customizable Rules: Define your own sources, sinks, sanitizers, and taint propagation paths.
Static Analysis: No need to execute the code.
Extensibility: Easily add new rules for detecting vulnerabilities like SQL Injection, XSS, and more.
Detailed Reports: Generate comprehensive analysis reports with vulnerability details and mitigation suggestions.
Command-Line Interface: Run analyses directly from the terminal.

🚀 Getting Started

Prerequisites

Python 3.10 or higher
uv (recommended for dependency management)

Installation

Option 1: Install from PyPI (Recommended)

# Using pip
pip install lanalyzer

# Using uv (recommended)
uv add lanalyzer

# With MCP support
uv add lanalyzer[mcp]

Option 2: Install from Source

Clone the repository:
git clone https://github.com/bayuncao/lanalyzer.git cd lanalyzer
Install dependencies:
# Install basic dependencies make install # Install with development dependencies make install-dev # Install with MCP support make install-mcp # Install everything (dev + MCP) make install-all

💻 Usage

Basic Analysis

Run a taint analysis on a Python file:

lanalyzer --target <target_file> --config <config_file> --pretty --output <output_file> --log-file <log_file> --debug

Command-Line Options

--target: Path to the Python file or directory to analyze.
--config: Path to the configuration file.
--output: Path to save the analysis report.
--log-file: Path to save the log file.
--pretty: Pretty-print the output.
--detailed: Show detailed analysis statistics.
--debug: Enable debug mode with detailed logging.

Example

lanalyzer --target example.py --config rules/sql_injection.json --pretty --output example_analysis.json --log-file example_analysis.log --debug

🤝 Contributing

We welcome contributions! Please see the CONTRIBUTING.md file for guidelines on how to contribute to Lanalyzer.

For development setup, building, and publishing instructions, see DEVELOPMENT.md.

📄 License

This project is licensed under the GNU Affero General Public License v3.0. See the LICENSE file for details.

📞 Contact

Contact

Issues: GitHub Issues
Email: support@mx-crafts.com

🧩 Model Context Protocol (MCP) Support

Lanalyzer now supports the Model Context Protocol (MCP), allowing it to run as an MCP server that AI models and tools can use to access taint analysis functionality through a standard interface.

Installing MCP Dependencies

If you're using pip:

pip install "lanalyzer[mcp]"

If you're using uv:

uv add lanalyzer[mcp]

Starting the MCP Server

There are multiple ways to start the MCP server:

Using Python Module:

# View help information
python -m lanalyzer.mcp --help

# Start the server (default port 8001)
python -m lanalyzer.mcp run --port 8001 --debug

Using the lanalyzer Command-Line Tool:

# View help information
lanalyzer mcp --help

# Start the server (default port 8000)
lanalyzer mcp run --port 8000 --debug

# Use development mode
lanalyzer mcp dev

Using Makefile (Recommended for Development):

# Start MCP server
make mcp-server

# Start MCP server with debug mode
make mcp-server-debug

# Test MCP CLI
make mcp-test

MCP Server Features

The MCP server provides the following core functionalities:

Code Analysis: Analyze Python code strings for security vulnerabilities
File Analysis: Analyze specific files for security vulnerabilities
Path Analysis: Analyze entire directories or projects for security vulnerabilities
Vulnerability Explanation: Provide detailed explanations of discovered vulnerabilities
Configuration Management: Get, validate, and create analysis configurations

For detailed MCP API documentation, see MCP Tools Reference.

Integration with AI Tools

The MCP server can be integrated with AI tools that support the MCP protocol:

# Using the FastMCP client
from fastmcp import FastMCPClient

# Create a client connected to the server
client = FastMCPClient("http://127.0.0.1:8000")

# Analyze code
result = client.call({
    "type": "analyze_code",
    "code": "user_input = input()\nquery = f\"SELECT * FROM users WHERE name = '{user_input}'\"",
    "file_path": "example.py",
    "config_path": "/path/to/config.json"
})

# Print analysis results
print(result)

Using in Cursor

If you're working in the Cursor editor, you can directly ask the AI to use Lanalyzer to analyze your code:

Please use lanalyzer to analyze the current file for security vulnerabilities and explain the potential risks.

MCP Command-Line Options

The MCP server supports the following command-line options:

For python -m lanalyzer.mcp run:

--debug: Enable debug mode with detailed logging
--host: Set the server listening address (default: 127.0.0.1)
--port: Set the server listening port (default: 8001)
--transport: Transport protocol (sse or streamable-http)

For lanalyzer mcp run:

--debug: Enable debug mode
--port: Set the server listening port (default: 8000)

Advanced MCP Usage

Custom Configurations

You can use the get_config, validate_config, and create_config tools to manage vulnerability detection configurations:

# Get the default configuration
config = client.call({
    "type": "get_config"
})

# Create a new configuration
result = client.call({
    "type": "create_config",
    "config_data": {...},  # Configuration data
    "config_path": "/path/to/save/config.json"  # Optional
})

Batch File Analysis

Analyze an entire project or directory:

result = client.call({
    "type": "analyze_path",
    "target_path": "/path/to/project",
    "config_path": "/path/to/config.json",
    "output_path": "/path/to/output.json"  # Optional
})

📊 Analysis Results Format

The analysis results are returned in JSON format with the following main sections:

vulnerabilities: List of detected security vulnerabilities
call_chains: Data flow paths from sources to sinks
summary: Analysis statistics and overview
imports: Import information for analyzed files

For detailed format specification, see Output Format Documentation.

This server cannot be installed

security - not tested

license - permissive license

quality - not tested

How are these scores calculated?

remote-capable server

The server can be hosted and run remotely because it primarily relies on remote services or has no dependency on the local environment.

Provides Python code security analysis through the Model Context Protocol, enabling AI tools to detect potential vulnerabilities like SQL injection and XSS by identifying tainted data flows from untrusted sources to sensitive operations.

Related MCP Servers

Argus
athapong
-
security
A
license
-
quality
A Model Context Protocol tool for analyzing code repositories, performing security scans, and assessing code quality across multiple programming languages.
Last updated -
Python
MIT License
Python MCP Server
hesiod-au
-
security
A
license
-
quality
A Model Context Protocol server that extracts and analyzes Python code structures, focusing on import/export relationships between files to help LLMs understand code context.
Last updated -
4
Python
MIT License
ExploitDB MCP Server
Cyreslab-AI
-
security
A
license
-
quality
A Model Context Protocol server that enables AI assistants to search and retrieve information about security exploits and vulnerabilities from the Exploit Database, enhancing cybersecurity research capabilities.
Last updated -
4
TypeScript
MIT License
CodeAnalysis MCP Server
0xjcf
A
security
F
license
A
quality
A comprehensive Model Context Protocol server for advanced code analysis that provides tools for syntax analysis, dependency visualization, and AI-assisted development workflow support.
Last updated -
28
3
Python

View all related MCP servers