CodeBadger
Enables static code analysis of GitHub repositories using Joern's Code Property Graph technology, supporting code browsing, taint analysis, and security vulnerability detection across multiple programming languages.
Provides static code analysis capabilities within VS Code through GitHub Copilot integration, enabling code property graph queries, dataflow analysis, and security scanning.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@CodeBadgerfind potential buffer overflow vulnerabilities in this C codebase"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
🦡 codebadger
codebadger is a containerized Model Context Protocol (MCP) server that gives AI agents and LLMs deep, queryable access to a codebase's structure and data flow through Joern Code Property Graphs (CPGs).
Point it at a Git repository, a local path, or even a pasted code snippet, and codebadger builds a CPG and exposes it over MCP — so an assistant can run CPGQL queries, trace data flow and taint, slice programs, and hunt for vulnerabilities across Java, C/C++, JavaScript, Python, Go, Kotlin, C#, Ghidra, Jimple, PHP, Ruby, and Swift.
It's a general-purpose foundation for both program analysis (understanding code structure, call graphs, and data flow) and vulnerability analysis (taint tracking, bug hunting, and PoC development) — useful for academic research as well as industry security and engineering work. It's built to scale to large analysis batches with per-CPG worker pools, memory-aware scheduling, and a Postgres/Redis backend.
News
codebadger and its paper - Bridging Code Property Graphs and Language Models for Program Analysis - were accepted at the Software Vulnerability Management Workshop @ ICSE 2026. 🎉
Related MCP server: CodeBadger Toolkit
Documentation
Everything a developer or security researcher needs lives in docs/:
Doc | What's in it |
Prerequisites and a 5-minute local setup. | |
Connecting MCP clients, the tool catalog, and a researcher workflow. | |
Every MCP tool by category, with a description of what each does. | |
| |
Postgres/Redis, memory sizing, | |
System design and diagrams. | |
Threat model, trust boundaries, and production hardening. | |
Add your own detectors. | |
Dev setup, tests, and guidelines. | |
What's shipped and what's next. |
Found a vulnerability using codebadger?
We'd love to hear about it - open a PR adding it to TROPHIES.md (CVE ID, project, one-line description, date).
Citation
@inproceedings{lekssays2026bridging,
title={Bridging Code Property Graphs and Language Models for Program Analysis},
author={Lekssays, Ahmed},
booktitle={Proceedings of the 2026 IEEE/ACM 4th International Workshop on Software Vulnerability Management},
pages={33--40},
year={2026}
}This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/Lekssays/codebadger'
If you have feedback or need assistance with the MCP directory API, please join our Discord server