SAST MCP Server
Static Application Security Testing (SAST) for AI agents. A production-ready MCP server that gives any AI agent the ability to scan code for security vulnerabilities.
Supports 7 industry-standard scanners:

| Scanner | Languages / Scope | Type |
|---|---|---|
| Bandit | Python | Security linter |
| njsscan | JavaScript, Node.js | Static analysis |
| Bearer | Python, JS, Ruby, Java, Go, PHP | Data-flow SAST |
| Semgrep | 30+ languages | Rule-based SAST |
| Trivy | All (CVEs, Secrets, IaC) | Multi-scanner |
| CodeQL | Python, JS, Java, Go, C/C++, C#, Ruby, Swift | Semantic SAST |
| Checkov | Terraform, K8s, Docker, CloudFormation | IaC policy scanner |
Works with any MCP-compatible agent: Gemini CLI, Claude Desktop, OpenAI Agents, Cursor, Windsurf, and more.
Features
🔍 7 SAST scanners with unified output format
🌳 AST-aware context — shows the full enclosing function, not just a line number
📊 Severity & confidence filtering — focus on what matters
🔀 Git diff mode — scan only modified files for incremental reviews
🙈 Ignore management — suppress false positives with audit trail
📄 Pagination — handle large codebases without overwhelming the agent
🌐 Dual transport — stdio (local) or SSE/HTTP (remote deployments)
🔐 API key authentication — secure remote deployments
📦 One command install — pip install sast-mcp-server
🚀 Multi-scanner mode — run all installed scanners in parallel with deduplication
📋 SARIF export — CI/CD integration with GitHub, GitLab, Azure DevOps
🏗️ IaC scanning — Terraform, Kubernetes, Docker security policies
🔑 Secret detection — find hardcoded API keys, tokens, and passwords
📦 SCA / dependency CVEs — scan lock files for known vulnerabilities
Related MCP server: VSGuard MCP
Quick Start
Install
```bash
pip install sast-mcp-server
```
Or run directly without installing:
```bash
uvx sast-mcp-server
```
Install at least one scanner
```bash
# Python projects
pip install bandit
# JavaScript/Node.js projects
pip install njsscan
# Multi-language (recommended)
pip install semgrep
# IaC, secrets, and dependency CVEs (recommended)
# See: https://aquasecurity.github.io/trivy/latest/getting-started/installation/
# IaC policy scanning
pip install checkov
# Deep semantic analysis
# See: https://github.com/github/codeql-cli-binaries/releases
# Data-flow analysis
# See: https://docs.bearer.com/installation/
```
Usage with AI Agents
Gemini CLI
Install as an extension:
```bash
gemini extensions install https://github.com/Skyrxin/sast-mcp-server
```
Or add to your ~/.gemini/settings.json:
```json
{
  "mcpServers": {
    "sast": {
      "command": "uvx",
      "args": ["sast-mcp-server"]
    }
  }
}
```
Claude Desktop
Add to your claude_desktop_config.json:
```json
{
  "mcpServers": {
    "sast": {
      "command": "uvx",
      "args": ["sast-mcp-server"]
    }
  }
}
```
See full Claude Desktop guide.
Cursor IDE
Add to Cursor Settings → MCP Servers:
```json
{
  "mcpServers": {
    "sast": {
      "command": "uvx",
      "args": ["sast-mcp-server"]
    }
  }
}
```
See full Cursor guide.
OpenAI Agents SDK
```python
from agents import Agent
from agents.mcp import MCPServerStdio

# Inside an async function: MCPServerStdio takes its launch config as a `params` dict
# and is entered as an async context manager so the uvx subprocess is started and stopped.
async with MCPServerStdio(params={"command": "uvx", "args": ["sast-mcp-server"]}) as sast_server:
    agent = Agent(name="SAST reviewer", instructions="Use the scan tools.", mcp_servers=[sast_server])
```
See full OpenAI guide.
Available MCP Tools
scan_vulnerabilities
Scan a directory for security vulnerabilities using a specific scanner.
| Parameter | Type | Default | Description |
|---|---|---|---|
| | string | required | Path to scan |
| | string | | Scanner to use |
| | string | | Minimum severity |
| | string | | Minimum confidence |
| | bool | | Only scan git-modified files |
| | int | | Max findings to return |
| | int | | Pagination offset |
scan_all
Run ALL installed scanners in parallel with automatic deduplication. Recommended for comprehensive security scanning.
| Parameter | Type | Default | Description |
|---|---|---|---|
| | string | required | Path to scan |
| | string | | Minimum severity (higher default to reduce noise) |
| | string | | Minimum confidence |
| | bool | | Only scan git-modified files |
| | int | | Max findings to return |
| | int | | Pagination offset |
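What scan_all has to do under the hood is turn each scanner's own JSON vocabulary into one finding shape, collapse the cases where two scanners flag the same bug, and then apply the severity/confidence floor and the limit/offset page. The block below is an added illustration of that pipeline, written for this page; it is not sast-mcp-server's aggregator. The Finding shape, the Semgrep-to-unified severity mapping, the dedup key (file, line, CWE or rule id) and the parameter names `min_severity`, `min_confidence`, `limit` and `offset` are assumptions for the demo, and the raw records are constructed to resemble Bandit's and Semgrep's JSON output rather than real scan results.

```python
"""Unify, de-duplicate, filter and page findings from several scanners.

Added example; not sast-mcp-server's aggregator. Finding shape, severity
mapping, dedup key and parameter names are assumptions for this demo.
"""
from dataclasses import dataclass, field
from typing import List, Optional

SEVERITY = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
CONFIDENCE = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}
SEMGREP_SEVERITY = {"INFO": "LOW", "WARNING": "MEDIUM", "ERROR": "HIGH"}  # assumed mapping


@dataclass
class Finding:
    file: str
    line: int
    severity: str
    confidence: str
    rule: str
    message: str
    cwe: Optional[str] = None
    scanners: List[str] = field(default_factory=list)

    def key(self):
        # Same file, same line, same CWE: one bug reported by two tools.
        # Fall back to the rule id when a scanner reports no CWE.
        return (self.file, self.line, self.cwe or self.rule)


def from_bandit(rec) -> Finding:
    cwe = rec.get("issue_cwe", {}).get("id")
    return Finding(rec["filename"], rec["line_number"], rec["issue_severity"],
                   rec["issue_confidence"], rec["test_id"], rec["issue_text"],
                   f"CWE-{cwe}" if cwe else None, ["bandit"])


def from_semgrep(rec) -> Finding:
    extra = rec["extra"]
    meta = extra.get("metadata", {})
    cwes = meta.get("cwe", [])
    cwe = cwes[0].split(":")[0] if cwes else None  # "CWE-89: ..." -> "CWE-89"
    return Finding(rec["path"], rec["start"]["line"], SEMGREP_SEVERITY[extra["severity"]],
                   meta.get("confidence", "MEDIUM").upper(), rec["check_id"],
                   extra["message"], cwe, ["semgrep"])


def dedupe(findings: List[Finding]) -> List[Finding]:
    """Merge duplicates: keep the strongest severity/confidence and every scanner name."""
    merged = {}
    for f in findings:
        k = f.key()
        if k not in merged:
            merged[k] = f
            continue
        m = merged[k]
        m.scanners = sorted(set(m.scanners) | set(f.scanners))
        if SEVERITY[f.severity] > SEVERITY[m.severity]:
            m.severity = f.severity
        if CONFIDENCE[f.confidence] > CONFIDENCE[m.confidence]:
            m.confidence = f.confidence
    return list(merged.values())


def page(findings, min_severity="MEDIUM", min_confidence="LOW", limit=50, offset=0):
    """Apply the severity/confidence floor, sort worst-first, return one page."""
    kept = [f for f in findings
            if SEVERITY[f.severity] >= SEVERITY[min_severity]
            and CONFIDENCE[f.confidence] >= CONFIDENCE[min_confidence]]
    kept.sort(key=lambda f: (-SEVERITY[f.severity], f.file, f.line))
    return {"total": len(kept), "offset": offset, "findings": kept[offset:offset + limit]}


# Constructed sample records; the shape only approximates real Bandit/Semgrep JSON.
BANDIT_RAW = [
    {"filename": "app/db.py", "line_number": 12, "issue_severity": "MEDIUM",
     "issue_confidence": "MEDIUM", "test_id": "B608",
     "issue_text": "Possible SQL injection vector through string-based query construction.",
     "issue_cwe": {"id": 89}},
    {"filename": "app/config.py", "line_number": 5, "issue_severity": "LOW",
     "issue_confidence": "MEDIUM", "test_id": "B105",
     "issue_text": "Possible hardcoded password", "issue_cwe": {"id": 259}},
]
SEMGREP_RAW = [
    {"path": "app/db.py", "start": {"line": 12}, "check_id": "demo.sqli-format-string",
     "extra": {"severity": "ERROR", "message": "Query built with a format string",
               "metadata": {"cwe": ["CWE-89: Improper Neutralization of Special Elements"],
                            "confidence": "HIGH"}}},
    {"path": "app/util.py", "start": {"line": 3}, "check_id": "demo.insecure-temp-file",
     "extra": {"severity": "INFO", "message": "Use of tempfile.mktemp()",
               "metadata": {"cwe": ["CWE-377: Insecure Temporary File"]}}},
]


def scan_all_demo(min_severity="MEDIUM", limit=50, offset=0):
    raw = [from_bandit(r) for r in BANDIT_RAW] + [from_semgrep(r) for r in SEMGREP_RAW]
    return page(dedupe(raw), min_severity=min_severity, limit=limit, offset=offset)


if __name__ == "__main__":
    for f in scan_all_demo()["findings"]:
        print(f.severity, f.confidence, f"{f.file}:{f.line}", f.cwe, f.scanners)
```

With the default MEDIUM floor the two db.py records collapse into a single HIGH/HIGH finding attributed to both scanners, and the two LOW findings drop out; lowering the floor to LOW and paging with a limit of 2 shows how offset walks the remainder.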
export_sarif
Export scan results in SARIF 2.1.0 format for CI/CD integration.
| Parameter | Type | Default | Description |
|---|---|---|---|
| target_path | string | required | Path to scan |
| scanner_name | string | | Scanner to use |
| | string | | Minimum severity |
| | string | | Minimum confidence |
| output_path | string | | File path to write SARIF (empty = return as string) |
list_scanners
List available scanners, their installation status, and supported languages.
ignore_vulnerability
Suppress a finding from future scans (with audit trail).
unignore_vulnerability
Re-enable a previously suppressed finding.
list_ignored_vulnerabilities
Show all currently suppressed findings for a project.
SARIF / CI/CD Integration
Export scan results in SARIF 2.1.0 format for integration with CI/CD platforms:
```bash
# In your CI pipeline, use the MCP tool:
# export_sarif(target_path=".", scanner_name="semgrep", output_path="results.sarif")
# Then upload to GitHub Code Scanning. The endpoint requires commit_sha and ref, and
# the sarif field must be the file gzip-compressed and base64-encoded, not raw JSON
# (gh api expands {owner} and {repo} from the current repository):
gh api /repos/{owner}/{repo}/code-scanning/sarifs \
  -f commit_sha="$(git rev-parse HEAD)" \
  -f ref="refs/heads/$(git rev-parse --abbrev-ref HEAD)" \
  -f sarif="$(gzip -c results.sarif | base64 | tr -d '\n')"
```
Compatible with: GitHub Code Scanning, GitLab SAST, Azure DevOps, VS Code SARIF Viewer.
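A pipeline usually needs two things from the exported file: a pass/fail decision and a correctly packed upload. The block below is an added example written for this page, not code from sast-mcp-server; it depends only on the SARIF 2.1.0 layout that export_sarif writes (`runs[].results[]` with `ruleId`, `level` and `locations[]`). `SAMPLE_SARIF` is a constructed document with made-up rule ids, and the `blocking_findings` threshold and the 40-character SHA / `refs/` checks are this example's own choices.

```python
"""Gate a CI job on an exported SARIF file and build the GitHub upload body.

Added example; not part of sast-mcp-server. SAMPLE_SARIF is constructed.
"""
import base64
import gzip
import json

LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}

SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
    "runs": [{
        "tool": {"driver": {"name": "semgrep"}},
        "results": [
            {"ruleId": "demo.subprocess-shell-true", "level": "error",
             "message": {"text": "subprocess call with shell=True"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/run.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "demo.exec-call", "level": "warning",
             "message": {"text": "use of exec() on untrusted input"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/plugins.py"},
                 "region": {"startLine": 7}}}]},
            # No "level" at all: the SARIF spec treats such a result as a warning.
            {"ruleId": "demo.assert-used",
             "message": {"text": "assert used outside tests"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/auth.py"},
                 "region": {"startLine": 19}}}]},
        ],
    }],
})


def parse_sarif(text: str):
    """Flatten every run's results into (tool, rule, level, file, line, message) dicts."""
    doc = json.loads(text)
    if doc.get("version") != "2.1.0":
        raise ValueError(f"unexpected SARIF version {doc.get('version')!r}")
    findings = []
    for run in doc.get("runs", []):
        tool = run.get("tool", {}).get("driver", {}).get("name", "unknown")
        for res in run.get("results", []):
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append({
                "tool": tool,
                "rule": res.get("ruleId", ""),
                "level": res.get("level", "warning"),  # SARIF default when absent
                "file": loc.get("artifactLocation", {}).get("uri", ""),
                "line": loc.get("region", {}).get("startLine", 0),
                "message": res.get("message", {}).get("text", ""),
            })
    return findings


def count_by_level(findings):
    counts = {}
    for f in findings:
        counts[f["level"]] = counts.get(f["level"], 0) + 1
    return counts


def blocking_findings(findings, threshold="error"):
    """Findings at or above `threshold`; a non-empty list means fail the job."""
    floor = LEVEL_RANK[threshold]
    return [f for f in findings if LEVEL_RANK.get(f["level"], 0) >= floor]


def github_upload_body(sarif_text: str, commit_sha: str, ref: str):
    """Request body for POST /repos/{owner}/{repo}/code-scanning/sarifs.

    GitHub requires commit_sha, ref and the SARIF gzip-compressed then
    base64-encoded; posting the raw JSON is rejected.
    """
    if len(commit_sha) != 40 or not ref.startswith("refs/"):
        raise ValueError("commit_sha must be a full SHA and ref a full ref like refs/heads/main")
    packed = base64.b64encode(gzip.compress(sarif_text.encode("utf-8"))).decode("ascii")
    return {"commit_sha": commit_sha, "ref": ref, "sarif": packed}


def unpack_sarif(body) -> str:
    """Inverse of github_upload_body, used to check the round trip."""
    return gzip.decompress(base64.b64decode(body["sarif"])).decode("utf-8")


if __name__ == "__main__":
    found = parse_sarif(SAMPLE_SARIF)
    print(count_by_level(found))
    bad = blocking_findings(found)
    for f in bad:
        print(f"{f['level']}: {f['file']}:{f['line']} {f['rule']}")
    raise SystemExit(1 if bad else 0)
```

Run against the sample, the job fails on the single error-level result while the two warnings (one of them implicit) are reported but not blocking; tighten the threshold to `"warning"` to block on all three.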
Remote Deployment (SSE)
Run the server over HTTP/SSE for remote agent access:
```bash
# Start SSE server on port 8080
sast-mcp-server --transport sse --port 8080
# With API key authentication (recommended for production)
SAST_MCP_API_KEY=your-secret-key sast-mcp-server --transport sse --port 8080
```
The transport itself is plain HTTP, so the key crosses the wire in clear unless TLS is terminated in front of the server (a reverse proxy) or the listener stays on a trusted network. Any authenticated caller chooses the path that gets scanned, so run the process as a low-privilege user inside the checkout it is meant to scan rather than on a host holding other secrets.
Docker
```bash
docker build -t sast-mcp-server .
docker run -p 8080:8080 -e SAST_MCP_API_KEY=your-key sast-mcp-server --transport sse
```
A key passed with -e is visible in docker inspect and in the shell history; prefer --env-file or your orchestrator's secret mechanism.
Environment Variables

| Variable | Default | Description |
|---|---|---|
| | | Scan timeout in seconds |
| | | Log level |
| SAST_MCP_API_KEY | (none) | API key for SSE authentication |
Development
```bash
# Clone and install with dev dependencies
git clone https://github.com/Skyrxin/sast-mcp-server.git
cd sast-mcp-server
pip install -e ".[dev]"
# Run tests
pytest tests/ -v
# Lint
ruff check sast_mcp_server/
# Run locally
python -m sast_mcp_server
```
Project Structure
```
sast_mcp_server/
├── __init__.py            # Package version
├── __main__.py            # python -m entry point
├── server.py              # FastMCP server with all tools
├── models.py              # Typed data models (Finding, Severity, etc.)
├── sarif.py               # SARIF 2.1.0 export and parsing
├── aggregator.py          # Multi-scanner parallel execution + deduplication
├── scanners/
│   ├── base.py            # Abstract scanner base class
│   ├── factory.py         # Scanner registry and factory
│   ├── bandit.py          # Bandit (Python)
│   ├── njsscan.py         # njsscan (JavaScript)
│   ├── bearer.py          # Bearer (multi-language)
│   ├── semgrep.py         # Semgrep (30+ languages)
│   ├── trivy.py           # Trivy (CVEs, secrets, IaC)
│   ├── codeql.py          # CodeQL (deep semantic SAST)
│   └── checkov.py         # Checkov (IaC policies)
└── enrichment/
    ├── ast_context.py     # AST-aware code context extraction
    ├── git_diff.py        # Git diff for incremental scanning
    └── ignore_manager.py  # Finding ignore list management
```
License