Skip to main content
Glama

🦡 codebadger

codebadger is a containerized Model Context Protocol (MCP) server that gives AI agents and LLMs deep, queryable access to a codebase's structure and data flow through Joern Code Property Graphs (CPGs).

Point it at a Git repository, a local path, or even a pasted code snippet, and codebadger builds a CPG and exposes it over MCP — so an assistant can run CPGQL queries, trace data flow and taint, slice programs, and hunt for vulnerabilities across Java, C/C++, JavaScript, Python, Go, Kotlin, C#, Ghidra, Jimple, PHP, Ruby, and Swift.

It's a general-purpose foundation for both program analysis (understanding code structure, call graphs, and data flow) and vulnerability analysis (taint tracking, bug hunting, and PoC development) — useful for academic research as well as industry security and engineering work. It's built to scale to large analysis batches with per-CPG worker pools, memory-aware scheduling, and a Postgres/Redis backend.

News

codebadger and its paper - Bridging Code Property Graphs and Language Models for Program Analysis - were accepted at the Software Vulnerability Management Workshop @ ICSE 2026. 🎉

Related MCP server: CodeBadger Toolkit

Documentation

Everything a developer or security researcher needs lives in docs/:

Doc

What's in it

Installation

Prerequisites and a 5-minute local setup.

Usage

Connecting MCP clients, the tool catalog, and a researcher workflow.

Available Tools

Every MCP tool by category, with a description of what each does.

Configuration

config.yaml / env reference, telemetry.

Deployment

Postgres/Redis, memory sizing, shared vs pool, large batches.

Architecture

System design and diagrams.

Security

Threat model, trust boundaries, and production hardening.

Custom Tools

Add your own detectors.

Contributing

Dev setup, tests, and guidelines.

Roadmap

What's shipped and what's next.

Found a vulnerability using codebadger?

We'd love to hear about it - open a PR adding it to TROPHIES.md (CVE ID, project, one-line description, date).

Citation

@inproceedings{lekssays2026bridging,
  title={Bridging Code Property Graphs and Language Models for Program Analysis},
  author={Lekssays, Ahmed},
  booktitle={Proceedings of the 2026 IEEE/ACM 4th International Workshop on Software Vulnerability Management},
  pages={33--40},
  year={2026}
}
A
license - permissive license
-
quality - not tested
B
maintenance

Maintenance

–Maintainers
2hResponse time
2wRelease cycle
19Releases (12mo)
Commit activity
Issues opened vs closed

Resources

Unclaimed servers have limited discoverability.

Looking for Admin?

If you are the server author, to access and configure the admin panel.

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/Lekssays/codebadger'

If you have feedback or need assistance with the MCP directory API, please join our Discord server