The SD Elements MCP Server connects to the SD Elements API v2 to manage security projects, surveys, countermeasures, scans, reports, diagrams, and users through MCP clients like Cursor and Claude Desktop.
Core Capabilities:
Project Management: List, view, create, update, and delete projects; create projects from code with automated profile detection; manage project profiles and risk policies
Application & Business Unit Management: List, view, create, and update applications and business units to organize projects
Survey Management: View survey structures; update answers by ID or text matching; add, set, or remove answers; commit drafts to generate countermeasures; add question comments; search for answers by text
Countermeasure (Security Task) Management: List and view countermeasures with filtering by status and risk relevance; update status (Complete, Not Applicable, In Progress, etc.); add notes; get available task status choices
Scan Operations: List scan connections; trigger repository scans; check scan status; list all scans with optional project filtering
Diagram Management: List, view, create, update, and delete project diagrams
Advanced Reporting & Analytics: List, view, create, update, and run advanced reports in various formats; execute Cube API queries across multiple schemas (application, countermeasure, project, user, training, trends, etc.) for business intelligence
User Management: List users with active status filtering; view user details; get current authenticated user information
Utility Functions: Test API connectivity; make custom API requests to any endpoint
Configuration Features:
Supports STDIO and HTTP transport modes
Flexible authentication: environment variables or per-request credentials (HTTP mode)
Instance allowlisting for secure HTTP deployments
HTTPS enforcement with HTTP override option for development
Toolset selection: compact (default) or full legacy toolset via SDE_TOOLSET=full
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type @ followed by the MCP server name and your instructions, e.g., "@SD Elements MCP Server show me the security countermeasures for project 'mobile-app-v2'"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
Warning: This project is a work in progress. Use at your own risk.
SD Elements MCP Server
MCP server for SD Elements API v2 (STDIO only). Use it from MCP clients to manage projects, surveys, countermeasures, scans, reports, diagrams, and users.
Quick start
Required configuration
SDE_HOST: https://your-sdelements-instance.com
SDE_API_KEY: your-api-key-here
HTTP setup
Use HTTP mode when you want a long-running server instead of STDIO.
Credentials: do not set SDE_HOST or SDE_API_KEY in the server process. The HTTP server refuses to start if either is set (including SDE_API_KEY). Each client request must provide credentials instead.
Instance allowlist (required): set MCP_SDE_INSTANCE_ALLOWLIST to a comma-separated list of allowed SDE hosts (for example https://sde.example.com,https://sde2.example.com). Requests with SDE_HOST outside this list are rejected.
Port/host: configure with MCP_PORT (default 3000) and MCP_HOST (default 127.0.0.1).
Per-request auth: send SDE_HOST and SDE_API_KEY as headers (or sde_host/sde_api_key in the initialize request body).
HTTPS unsafe mode
By default, the server rejects non-HTTPS SDE_HOST values. For local/dev instances that only serve HTTP, set:
This allows http:// hosts. Use only in trusted environments.
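The HTTP-mode rules described above (no SDE credentials in the server process, a required instance allowlist, HTTPS-only hosts unless the override is on) can be expressed as the checks below. This is an added example, not code from the SD Elements MCP Server; the function names and the `allowInsecureHttp` parameter are hypothetical, and the header names are assumed to arrive lower-cased as Node.js delivers them.

```javascript
// Added example: hypothetical helper names, not the project's own code.

// Startup guard: in HTTP mode the server process must not hold SDE credentials.
function assertNoServerCredentials(env) {
  const present = ["SDE_HOST", "SDE_API_KEY"].filter((k) => env[k]);
  if (present.length > 0) {
    throw new Error(`HTTP mode: unset ${present.join(", ")} in the server process`);
  }
}

// Parse MCP_SDE_INSTANCE_ALLOWLIST into a set of normalized origins.
function parseAllowlist(raw) {
  const origins = (raw || "")
    .split(",")
    .map((s) => s.trim())
    .filter(Boolean)
    .map((s) => new URL(s).origin);
  if (origins.length === 0) throw new Error("MCP_SDE_INSTANCE_ALLOWLIST is required");
  return new Set(origins);
}

// Validate the per-request SDE_HOST / SDE_API_KEY header pair.
// allowInsecureHttp is a hypothetical flag standing in for the unsafe-mode setting.
function resolveInstance(headers, allowlist, allowInsecureHttp = false) {
  const host = headers["sde_host"];
  const apiKey = headers["sde_api_key"];
  if (!host || !apiKey) return { ok: false, reason: "missing credentials" };
  let url;
  try {
    url = new URL(host);
  } catch {
    return { ok: false, reason: "invalid SDE_HOST" };
  }
  if (url.protocol !== "https:" && !(allowInsecureHttp && url.protocol === "http:")) {
    return { ok: false, reason: "non-HTTPS SDE_HOST" };
  }
  // Compare whole origins (scheme + host + port), never string prefixes.
  if (!allowlist.has(url.origin)) return { ok: false, reason: "host not in allowlist" };
  return { ok: true, origin: url.origin, apiKey };
}
```

Enabling the HTTP override in this example relaxes only the scheme check; an `http://` host must still appear in the allowlist with that exact scheme to be accepted.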
Example initialize request:
Client setup (Cursor + Claude Desktop)
Both clients use the same mcpServers object — the only difference is where you paste it.
Cursor: add this under MCP settings (Cursor “MCP Servers” / mcpServers).
Claude Desktop: add this to claude_desktop_config.json.
Pick one execution style:
Option A (recommended): run from the GitHub repo via npx (builds on install)
Option B: run from a local checkout (build output)
HTTP client setup (Cursor)
Start the HTTP server (npm run start:http) and set MCP_SDE_INSTANCE_ALLOWLIST as described above. Then configure Cursor with an HTTP MCP server entry:
Build
Local checkout build (for Option B)
Tools
Toolset selection: default is compact. Set SDE_TOOLSET=full to expose the legacy toolset.
Note: diagrams and reporting tools are not exposed.
Compact tools (default):
project, application, business_unit, project_survey, project_countermeasures, library_search
plus Generic: test_connection, api_request
Legacy tools (when SDE_TOOLSET=full):
Projects: list_projects, get_project, create_project, update_project, create_project_from_code
Library search: library_search (supports countermeasures, threats, components, weaknesses, profiles, risk policies, answers, countermeasure statuses, countermeasure how-tos)
Applications: list_applications, get_application, create_application, update_application
Business units: list_business_units, get_business_unit, create_business_unit, update_business_unit
Countermeasures: list_countermeasures, get_countermeasure, update_countermeasure, add_countermeasure_note, get_task_status_choices
Surveys: get_project_survey, get_survey_answers_for_project, update_project_survey, find_survey_answers, set_project_survey_by_text, add_survey_answers_by_text, remove_survey_answers_by_text, commit_survey_draft, add_survey_question_comment
Scans: list_scan_connections, scan_repository, get_scan_status, list_scans
Users: list_users, get_user, get_current_user
Library: library_search
Generic: test_connection, api_request
Notes
Missing env vars: tools will fail if SDE_HOST/SDE_API_KEY aren’t set.