
Server Configuration

Describes the environment variables required to run the server.

Name | Required | Description | Default
SAST_MCP_API_KEY | No | API key for SSE authentication |
SAST_MCP_TIMEOUT | No | Scan timeout in seconds | 300
SAST_MCP_LOG_LEVEL | No | Log level: DEBUG, INFO, WARNING, ERROR | INFO

Capabilities

Features and capabilities supported by this server

Capability | Details
tools | {"listChanged": true}
logging | {}
prompts | {"listChanged": false}
resources | {"subscribe": false, "listChanged": false}
extensions | {"io.modelcontextprotocol/ui": {}}
experimental | {}

Tools

Functions exposed to the LLM to take actions

scan_vulnerabilities

Scan a target directory for security vulnerabilities using a SAST tool.

ignore_vulnerability

Ignore a specific vulnerability finding so it won't appear in future scans.

unignore_vulnerability

Remove a vulnerability from the ignore list so it appears in future scans again.

list_scanners

List all available SAST scanners, their status, and supported languages.

Returns information about each scanner including whether it is installed and ready to use, what languages it supports, and how to install it.

list_ignored_vulnerabilities

List all currently ignored vulnerability findings for a project.

scan_git_history

Scan the entire git history for leaked secrets and credentials using Gitleaks.

Traditional SAST only scans the current state of files. This tool deeply analyzes the .git directory to find API keys, passwords, and tokens that were committed in the past but may still be valid.

run_active_scan

Run an active dynamic scan (DAST) using OWASP ZAP.

Unlike SAST which only looks at code, this orchestrates spinning up the application via Docker Compose, waiting for it to be ready, and then running a ZAP dynamic baseline scan against the running instance.

export_sarif

Run a SAST scan and export results in SARIF 2.1.0 format for CI/CD integration.

SARIF is the industry standard format consumed by GitHub Code Scanning, GitLab SAST, Azure DevOps, and other CI/CD platforms.

scan_all

Scan with ALL installed scanners in parallel, returning deduplicated results.

Automatically detects which scanners are installed, runs them concurrently, and deduplicates findings across scanners using content-based hashing. This is the recommended tool for comprehensive security scanning.

scan_image

Scan a container image for vulnerabilities and secrets.

Pulls and analyzes a container image reference (e.g. nginx:1.25, ghcr.io/org/app@sha256:...) with Trivy or Grype, returning the same normalized findings as a source scan.

save_baseline

Run a scan and save the results as a named baseline for future comparison.

compare_baseline

Compare current scan results against a saved baseline.

Shows new vulnerabilities, fixed vulnerabilities, and severity trends.

evaluate_policy

Run all scanners and evaluate findings against a CI security policy.

Returns an explicit PASS/FAIL verdict suitable for gating a pipeline. A threshold of -1 means "no limit" for that severity. When fail_on_new is set, the result also fails if any finding is new relative to the named baseline (created with save_baseline).

export_sbom

Run all scanners and export an SBOM / vulnerability report.

Produces the supply-chain artifact enterprises expect. In CycloneDX mode, if Syft is installed the component inventory is the full dependency list (not just vulnerable packages); otherwise components are derived from findings. SPDX mode emits an SPDX 2.3 document.

generate_report

Run all scanners and render an executive security report (HTML or PDF).

compliance_report

Map findings to a compliance framework and report the posture.

Buckets all findings against OWASP Top 10, SANS CWE Top 25, PCI DSS, or CIS using each finding's CWE / OWASP metadata.

upload_to_defectdojo

Upload a SARIF report to a DefectDojo engagement.

Requires the DEFECTDOJO_URL and DEFECTDOJO_API_KEY environment variables. Generate the SARIF file first with export_sarif(output_path=...).

upload_to_github

Upload a SARIF report to GitHub Code Scanning.

Requires a GITHUB_TOKEN environment variable with security_events: write scope. Generate the SARIF file first with export_sarif(output_path=...).

comment_on_pr

Post a security summary comment on a GitHub PR or GitLab merge request.

Credentials come from environment variables only: GITHUB_TOKEN for GitHub, or GITLAB_TOKEN (+ optional GITLAB_URL) for GitLab.

notify_slack

Send a notification to the configured Slack incoming webhook.

Requires the SLACK_WEBHOOK_URL environment variable.

notify_teams

Send a notification to the configured Microsoft Teams incoming webhook.

Requires the TEAMS_WEBHOOK_URL environment variable.

create_jira_issue

Open a Jira issue for a security finding.

Requires the JIRA_URL, JIRA_EMAIL, and JIRA_API_TOKEN environment variables.

generate_fix_prompt

Build an LLM-ready prompt to fix a cached finding as a unified diff.

Recovers the finding (by hash) from the scan cache, extracts an expanded window of the vulnerable source, and returns a prompt engineered to make an LLM emit a strict unified diff. After generating the patch, apply it with apply_patch.

apply_patch

Apply an agent-generated unified diff to files under target_path.

Uses git apply, which refuses paths that escape the target directory. Run with check_only=True first to verify the patch applies cleanly before writing changes.

remediate_and_verify

Apply a fix and prove it worked: scan → patch → re-scan → confirm gone.

The closed remediation loop. Recovers the finding by hash, dry-runs the patch, re-scans the affected file before and after applying it, and returns PASS only if the finding's hash disappears and no new finding of equal or higher severity is introduced. On failure, when auto_rollback is set, the patch is reverted so the working tree is left clean.

import_sarif

Ingest an external SARIF file into the normalized finding pipeline.

Lets results from any SARIF-producing tool (Snyk, Veracode, CodeQL, a CI job, etc.) join the same dedup / baseline / dashboard flow as native scans. The findings are re-enriched with AST context and stable hashes on import.

triage_finding

Triage a finding: get an exploitability prompt, or record a VEX decision.

Prompts

Interactive templates invoked by user choice

Name | Description
security_review | Comprehensive security review workflow for a codebase. Guides the agent through a full security assessment: scanning, baseline comparison, fix suggestions, and summary.
fix_vulnerability | Remediation advisor for a specific vulnerability finding. Guides the agent through understanding and fixing a specific finding.
pr_security_check | Pull request security gate — scan only changed files. Guides the agent through a focused PR security review.
compliance_report | Generate a compliance report against a security standard. Supports: owasp-top-10, sans-top-25, pci-dss, cis-benchmark

Resources

Contextual data attached and managed by the client

Name | Description
get_scanner_info | List all available scanners, their install status, and languages.
get_server_config | Current server configuration.

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/Skyrxin/sast-mcp-server'
