SAST MCP Server
Server Configuration
Environment variables the server reads at startup. None is mandatory; the defaults below apply when a variable is unset.
| Name | Required | Description | Default |
|---|---|---|---|
| SAST_MCP_API_KEY | No | API key for SSE authentication | |
| SAST_MCP_TIMEOUT | No | Scan timeout in seconds | 300 |
| SAST_MCP_LOG_LEVEL | No | Log level: DEBUG, INFO, WARNING, ERROR | INFO |
Capabilities
Features and capabilities supported by this server
| Capability | Details |
|---|---|
| tools | `{"listChanged": true}` |
| logging | `{}` |
| prompts | `{"listChanged": false}` |
| resources | `{"subscribe": false, "listChanged": false}` |
| extensions | `{"io.modelcontextprotocol/ui": {}}` |
| experimental | `{}` |
Tools
Functions exposed to the LLM to take actions
| Name | Description |
|---|---|
| scan_vulnerabilities | Scan a target directory for security vulnerabilities using a SAST tool. |
| ignore_vulnerability | Ignore a specific vulnerability finding so it won't appear in future scans. |
| unignore_vulnerability | Remove a vulnerability from the ignore list so it appears in future scans again. |
| list_scanners | List all available SAST scanners, their status, and supported languages. Returns information about each scanner including whether it is installed and ready to use, what languages it supports, and how to install it. |
| list_ignored_vulnerabilities | List all currently ignored vulnerability findings for a project. |
| scan_git_history | Scan the entire git history for leaked secrets and credentials using Gitleaks. Traditional SAST only scans the current state of files. This tool deeply analyzes the |
| run_active_scan | Run an active dynamic scan (DAST) using OWASP ZAP. Unlike SAST, which only looks at code, this orchestrates spinning up the application via Docker Compose, waiting for it to be ready, and then running a ZAP dynamic baseline scan against the running instance. |
| export_sarif | Run a SAST scan and export results in SARIF 2.1.0 format for CI/CD integration. SARIF is the industry standard format consumed by GitHub Code Scanning, GitLab SAST, Azure DevOps, and other CI/CD platforms. |
| scan_all | Scan with ALL installed scanners in parallel, returning deduplicated results. Automatically detects which scanners are installed, runs them concurrently, and deduplicates findings across scanners using content-based hashing. This is the recommended tool for comprehensive security scanning. |
| scan_image | Scan a container image for vulnerabilities and secrets. Pulls and analyzes a container image reference (e.g. |
| save_baseline | Run a scan and save the results as a named baseline for future comparison. |
| compare_baseline | Compare current scan results against a saved baseline. Shows new vulnerabilities, fixed vulnerabilities, and severity trends. |
| evaluate_policy | Run all scanners and evaluate findings against a CI security policy. Returns an explicit PASS/FAIL verdict suitable for gating a pipeline. A threshold of |
| export_sbom | Run all scanners and export an SBOM / vulnerability report. Produces the supply-chain artifact enterprises expect. In CycloneDX mode, if Syft is installed the component inventory is the full dependency list (not just vulnerable packages); otherwise components are derived from findings. SPDX mode emits an SPDX 2.3 document. |
| generate_report | Run all scanners and render an executive security report (HTML or PDF). |
| compliance_report | Map findings to a compliance framework and report the posture. Buckets all findings against OWASP Top 10, SANS CWE Top 25, PCI DSS, or CIS using each finding's CWE / OWASP metadata. |
| upload_to_defectdojo | Upload a SARIF report to a DefectDojo engagement. Requires the DEFECTDOJO_URL and DEFECTDOJO_API_KEY environment variables. Generate the SARIF file first with |
| upload_to_github | Upload a SARIF report to GitHub Code Scanning. Requires a GITHUB_TOKEN environment variable with |
| comment_on_pr | Post a security summary comment on a GitHub PR or GitLab merge request. Credentials come from environment variables only: GITHUB_TOKEN for GitHub, or GITLAB_TOKEN (+ optional GITLAB_URL) for GitLab. |
| notify_slack | Send a notification to the configured Slack incoming webhook. Requires the SLACK_WEBHOOK_URL environment variable. |
| notify_teams | Send a notification to the configured Microsoft Teams incoming webhook. Requires the TEAMS_WEBHOOK_URL environment variable. |
| create_jira_issue | Open a Jira issue for a security finding. Requires the JIRA_URL, JIRA_EMAIL, and JIRA_API_TOKEN environment variables. |
| generate_fix_prompt | Build an LLM-ready prompt to fix a cached finding as a unified diff. Recovers the finding (by hash) from the scan cache, extracts an expanded window of the vulnerable source, and returns a prompt engineered to make an LLM emit a strict unified diff. After generating the patch, apply it with |
| apply_patch | Apply an agent-generated unified diff to files under target_path. Uses |
| remediate_and_verify | Apply a fix and prove it worked: scan → patch → re-scan → confirm gone. The closed remediation loop. Recovers the finding by hash, dry-runs the patch, re-scans the affected file before and after applying it, and returns PASS only if the finding's hash disappears and no new finding of equal or higher severity is introduced. On failure (and when |
| import_sarif | Ingest an external SARIF file into the normalized finding pipeline. Lets results from any SARIF-producing tool (Snyk, Veracode, CodeQL, a CI job, etc.) join the same dedup / baseline / dashboard flow as native scans. The findings are re-enriched with AST context and stable hashes on import. |
| triage_finding | Triage a finding: get an exploitability prompt, or record a VEX decision. |
Prompts
Interactive templates invoked by user choice
| Name | Description |
|---|---|
| security_review | Comprehensive security review workflow for a codebase. Guides the agent through a full security assessment: scanning, baseline comparison, fix suggestions, and summary. |
| fix_vulnerability | Remediation advisor for a specific vulnerability finding. Guides the agent through understanding and fixing a specific finding. |
| pr_security_check | Pull request security gate — scan only changed files. Guides the agent through a focused PR security review. |
| compliance_report | Generate a compliance report against a security standard. Supports: owasp-top-10, sans-top-25, pci-dss, cis-benchmark |
Resources
Contextual data attached and managed by the client
| Name | Description |
|---|---|
| get_scanner_info | List all available scanners, their install status, and languages. |
| get_server_config | Current server configuration. |
MCP directory API
We provide all the information about MCP servers via our MCP API.
```shell
curl -X GET 'https://glama.ai/api/mcp/v1/servers/Skyrxin/sast-mcp-server'
```