Integrates reconnaissance and exploitation workflows for security testing, including service detection, vulnerability validation, and exploit execution with safety controls
Provides reference documentation for OWASP Top 10 vulnerability categories to guide security assessment workflows
Supports browser automation for live security testing as an alternative option for projects that already include Puppeteer
Provides methodology and documentation for CVE and dependency scanning, guiding AI agents through vulnerability detection in project dependencies
๐ก๏ธ VibeDefender
Security Knowledge MCP Server for AI Coding Agents
Guide your AI agents through professional security assessments with methodology, documentation, and step-by-step workflows covering OWASP Top 10 and beyond.
Installation โข Features โข Quick Start โข Configuration โข Documentation
๐ Why VibeDefender?
Your AI coding agent (Claude Code, Cursor, etc.) already knows how to run commands. VibeDefender teaches it WHEN, WHY, and HOW to run security tools like a professional pentester.
Instead of guessing which security tools to run, your AI gets:
๐ Step-by-step security methodology - Professional assessment workflows
๐ฏ Plain English guidance - No security expertise required
๐ง Tool installation guides - Automated setup assistance
๐ Always-current documentation - Live tool documentation proxy
โ OWASP Top 10 coverage - Industry-standard vulnerability detection
โญ If you find VibeDefender useful, please star this repo! It helps others discover professional security testing for AI agents.
๐ฆ Installation
Direct from GitHub (Recommended)
This automatically clones, installs dependencies, builds, and runs the MCP server.
Global Installation
โจ Features
๐ฏ What Makes VibeDefender Different
โ Knowledge-First Approach - Guides AI agents instead of executing tools directly โ 5 Pre-Built Security Workflows - Setup, full scan, pre-push check, live testing, URL scanning โ OWASP Top 10 Coverage - Comprehensive vulnerability detection (injection, XSS, auth, etc.) โ Mandatory Runtime Analysis - Not just static analysis - tests your running application โ Artifact Generation - Saves all scan results as JSON + markdown reports โ Zero Security Knowledge Required - Plain English explanations for non-security developers โ Tool Agnostic - Works with any MCP-compatible AI editor (Claude Code, Cursor, etc.)
๐ง Integrated Security Tools
Trivy - CVE and dependency vulnerability scanning
Semgrep - Static code analysis with 2000+ security rules
Nuclei - Runtime security testing with template-based scanning
Metasploit - Optional integration for discovery and exploitation
๐ค Supported AI Editors
Editor | Status | Notes |
Claude Code | โ Fully Supported | Native MCP support |
Cursor | โ Fully Supported | MCP configuration required |
Claude Desktop | โ Fully Supported | Config in |
Google Antigravity | โ Fully Supported | Same config as Claude Desktop |
๐ง Philosophy
The MCP GUIDES, not executes.
Your AI agent (Claude Code, Cursor, etc.) already has the ability to run CLI commands. This MCP provides:
๐ Step-by-step methodology for security assessments
๐ง Installation guides for required tools
๐ฌ Plain English explanations for non-technical users
๐ Documentation proxy for always-current tool docs
โก Quick Start
Install and configure (one-time setup):
Talk to your AI agent in plain English:
What You Say | What Happens |
๐ฌ "Help me set up security scanning" | ๐ง AI installs Trivy, Semgrep, Nuclei with guided steps |
๐ฌ "Scan my code for security issues" | ๐ Full scan: dependencies + code + runtime + artifacts |
๐ฌ "Check my code before I push" | โก Fast critical-only check (< 30 seconds) |
๐ฌ "Test my app on localhost" | ๐ Starts dev server + runs live security tests |
๐ฌ "Check this URL for vulnerabilities" | ๐ฏ Tests specific URL with authorization check |
Get professional security reports with actionable fixes:
โ๏ธ Configuration
Claude Code
Add to your Claude Code MCP settings:
Claude Desktop
Add to ~/Library/Application Support/Claude/claude_desktop_config.json:
Cursor
Add to Cursor's MCP settings (Settings โ Features โ MCP):
Google Antigravity
Same configuration as Claude Desktop.
๐งช Testing with MCP Inspector
Test the server before configuring in your editor:
Expected: Web UI shows "Connected", lists all security:// resources and 5 workflow prompts.
๐ฏ Available Workflows
Workflow | Trigger Phrase | What It Does |
๐ง | "Help me set up security scanning" | Checks installed tools, guides installation |
๐ | "Scan my code for security issues" | Full scan: static + runtime + artifacts |
โก | "Check my code before I push" | Fast check: critical issues only (< 30s) |
๐ | "Test my app on localhost" | Starts dev server + runs live tests |
๐ฏ | "Check this URL for vulnerabilities" | Tests specific URL (requires authorization) |
๐ ๏ธ Required Tools
The MCP guides you through installing these (just say "help me set up"):
Tool | Purpose | Install (macOS) |
๐ Trivy | CVE/dependency scanning |
|
๐ Semgrep | Static code analysis |
|
๐ Nuclei | Runtime testing (mandatory) |
|
๐๏ธ Metasploit Integration
Metasploit Framework is integrated for both discovery (reconnaissance) and exploitation phases.
Setup
Install external Metasploit MCP server:
Set environment variable (add to
~/.bashrcor~/.zshrc):
Verify installation:
Usage
Discovery Phase (Automatic):
Runs safe auxiliary modules for service detection
Port scanning and version detection
Correlates findings with CVE database
No exploitation attempts
Exploitation Phase (Requires Approval):
Executes exploits against validated vulnerabilities
Requires explicit human approval
Full session management and post-exploitation
Evidence gathering only (read-only)
Safety
โ ๏ธ CRITICAL: Authorization Required
Only use on systems you own OR have written permission to test
Unauthorized access to computer systems is illegal
Discovery phase: Basic authorization sufficient
Exploitation phase: Explicit approval required
๐ Documentation
See
security://methodology/exploitationfor complete exploitation workflowSee
security://docs/metasploitfor detailed tool usageIncludes safety guidelines, workflow examples, and troubleshooting
๐ Available Resources
๐ Methodology Guides
Resource | Description |
| ๐ How to find attack surface |
| ๐ What to scan, in what order |
| โ How to validate on live targets |
| ๐ How to structure reports |
๐ Reference Documentation
Resource | Description |
| ๐จ What CRITICAL/HIGH/MEDIUM/LOW mean |
| ๐ Common weakness types |
| ๐ก๏ธ OWASP vulnerability categories |
| ๐ Browser automation choices |
๐ง Tool Documentation
Resource | Description |
| ๐ Overview of all tools |
| ๐ Trivy quick start |
| ๐ Semgrep quick start |
| ๐ Nuclei quick start |
| ๐ญ Playwright MCP info |
| ๐๏ธ Metasploit basics |
๐ก Example Workflows
First Time Setup
Before Pushing Code
Full Security Scan
๐ Project Structure
๐จ Design Decisions
๐ซ No execution tools - AI agents already have CLI access. We provide knowledge.
๐ฌ Plain English - Everything explained for non-technical users.
๐ Step-by-step - Prompts tell the AI exactly what to do at each step.
๐ Documentation proxy - Search patterns for always-current tool docs.
๐ฆ Minimal files - 4 files total, easy to understand and maintain.
๐ GitHub-based distribution - No npm publish, direct from source via npx.
๐ Browser Automation Options
For live testing that needs a browser:
Option | When to Use |
Playwright MCP | Claude Code, Cursor, most IDEs |
Browser Agent | Google Antigravity IDE (built-in) |
Puppeteer | If already in project |
๐ง Troubleshooting
Build Errors
If you see TypeScript compilation errors when installing from GitHub:
MCP Server Not Connecting
Test with MCP Inspector first (see "Testing" section above)
Check Node.js version:
node --version(requires >= 22.0.0)Verify the server runs standalone:
npx github:yunusj/VibeDefender-MCP # Should output: "Security Knowledge MCP server running on stdio"Check editor configuration file syntax (valid JSON)
Restart your AI editor after configuration changes
Permission Errors
If you get EACCES errors:
Update to Latest Version
โ ๏ธ Security Notice
โ Only scan systems you are authorized to test
๐ Live validation (scan-url, scan-live) requires explicit authorization
๐ค The AI will ask for confirmation before testing URLs
๐ Always get written permission before security testing
๐ก๏ธ Follow responsible disclosure practices
๐ค Contributing
Contributions are welcome! Please feel free to submit a Pull Request.
๐ License
MIT License - see LICENSE for details
โญ Show Your Support
If VibeDefender helps secure your code, please star this repository!
Made with ๐ก๏ธ by security professionals, for developers