VSGuard MCP - Vulnerability Scanner & Guard

A production-ready Model Context Protocol (MCP) server that provides real-time OWASP ASVS security guidance and vulnerability scanning for AI coding agents.

VSGuard = Vulnerability Scanner + Guard - Powered by FastMCP 2.0

🎯 Overview

This MCP server integrates with Claude Desktop, Cursor, and other MCP-compatible tools to enable proactive security during code generation. It helps AI agents write secure code from the start by providing:

• 📋 OWASP ASVS Requirements - Real-time security guidance based on ASVS v4.0

• 🔍 Vulnerability Scanning - Static analysis using Semgrep with custom ASVS rules

• 🛠️ Secure Code Fixes - Actionable remediation with code examples

• 🤖 LLM-Optimized Output - Formatted for maximum comprehension by AI agents

✨ Features

Three Core Tools

1. check_security_requirements - Get relevant ASVS requirements before writing code

2. scan_code - Analyze code for vulnerabilities with ASVS mappings

3. suggest_fix - Generate secure code alternatives with explanations

Security Coverage

• ✅ Authentication (ASVS Chapter 2)

• ✅ Session Management (ASVS Chapter 3)

• ✅ Access Control (ASVS Chapter 4)

• ✅ Input Validation & Injection Prevention (ASVS Chapter 5)

• ✅ Cryptography (ASVS Chapters 6-9)

• ✅ Data Protection

Supported Languages

• Python (primary)

• JavaScript/TypeScript

• Java, Go, Ruby, PHP, C/C++, C#, Rust (via Semgrep)

🚀 Quick Start

Prerequisites

• Python 3.11+

• pip or Poetry

• Semgrep (for scanning)

Installation

Running the Server

Configure Claude Desktop

Add to ~/Library/Application Support/Claude/claude_desktop_config.json:

Or with Poetry:

Or use FastMCP CLI (simplest):

Restart Claude Desktop to load the server.

📖 Usage Examples

Example 1: Get Security Requirements

In Claude Desktop:

Claude will call:

Response:

[... more requirements ...]

Can you check this code for security issues?

def login(username, password): query = f"SELECT * FROM users WHERE username = '{username}'" cursor.execute(query)

Response:

Remediation: Use parameterized queries with placeholders instead of string concatenation.

Example:

How do I fix this SQL injection vulnerability?

Response:

✅ Secure Code

📝 Explanation

Use parameterized queries (prepared statements) instead of string concatenation.

🛡️ Security Benefits

• Prevents SQL injection attacks

• Separates code from data

vsguard-mcp/ ├── src/ │ ├── server.py # MCP server entry point │ ├── config.py # Configuration │ ├── models.py # Pydantic data models │ │ │ ├── asvs/ │ │ ├── loader.py # Load ASVS from YAML │ │ ├── mapper.py # Map findings to ASVS │ │ └── requirements.py # Requirement models │ │ │ ├── scanners/ │ │ ├── base.py # Abstract scanner │ │ └── semgrep_scanner.py # Semgrep integration │ │ │ ├── fixes/ │ │ ├── generator.py # Fix generator │ │ └── templates.py # Fix templates │ │ │ └── utils/ │ └── formatters.py # LLM-optimized formatting │ ├── data/ │ ├── asvs/ # ASVS requirements (YAML) │ │ ├── authentication.yaml │ │ ├── session_management.yaml │ │ ├── validation.yaml │ │ └── cryptography.yaml │ │ │ └── rules/ # Custom Semgrep rules │ ├── authentication.yaml │ ├── injection.yaml │ ├── cryptography.yaml │ └── session.yaml │ └── tests/ # Test suite

🧪 Testing

📊 Coverage

Current implementation includes:

• 40+ ASVS Requirements across authentication, session management, input validation, and cryptography

• 25+ Custom Semgrep Rules detecting common vulnerabilities

• 10+ Fix Templates with secure code examples

• Multiple Languages supported (Python, JavaScript, TypeScript, etc.)

Vulnerability Detection

• SQL Injection (ASVS 5.3.4, 5.3.5)

• Cross-Site Scripting (ASVS 5.3.3, 5.3.10)

• Weak Password Validation (ASVS 2.1.1, 2.1.7)

• Weak Cryptography (ASVS 6.2.2, 6.2.5)

• Hardcoded Secrets (ASVS 2.3.1, 14.3.3)

• Session Management Issues (ASVS 3.x)

• XML External Entity (XXE) (ASVS 5.5.2)

• Command Injection (ASVS 5.3.4)

• And more...

🎓 How It Works

1. ASVS Requirements Database

The server loads OWASP ASVS v4.0 requirements from structured YAML files:

2. Static Analysis with Semgrep

Custom Semgrep rules detect ASVS violations:

3. Intelligent Mapping

Findings are automatically mapped to ASVS requirements by:

• Vulnerability type (sql_injection → ASVS 5.3.4)

• CWE ID (CWE-89 → ASVS 5.3.4, 5.3.5)

• Code patterns (login endpoints → authentication requirements)

4. LLM-Optimized Output

All responses are formatted for maximum LLM comprehension:

• Clear structure with headers and sections

• Code examples with syntax highlighting

• Severity indicators (🔴 🟠 🟡)

• Actionable remediation steps

• ASVS requirement references

🔧 Extending the Server

Add New ASVS Requirements

Create/edit YAML files in data/asvs/:

Add Custom Semgrep Rules

Create YAML files in data/rules/:

Add Fix Templates

Edit src/fixes/templates.py:

🤝 Contributing

Contributions welcome! Areas for improvement:

1. More ASVS Requirements - Cover additional chapters

2. More Languages - Expand language support

3. More Scanners - Integrate Bandit, detect-secrets

4. Better AI Integration - Improve LLM output formatting

5. Performance - Optimize scanning speed

⚡ Powered By

• FastMCP 2.0 - Modern Python framework for MCP servers

• Semgrep - Static analysis engine

• OWASP ASVS - Security verification standard

📝 License

MIT License - see LICENSE file for details.

🔗 Resources

• OWASP ASVS

• Model Context Protocol

• Semgrep

• Claude Desktop

🙏 Acknowledgments

• OWASP for the ASVS standard

• Anthropic for the MCP protocol

• Semgrep for the scanning engine

📧 Support

For issues, questions, or contributions, please open an issue on GitHub.

Built with ❤️ for secure AI-assisted development