AI Security Crew
Allows searching existing threat models stored in Confluence to avoid duplicates, and potentially writing threat models to Confluence spaces.
Allows pulling security requirements directly from Jira tickets, enabling security assessments based on ticket content.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@AI Security Crewrun a lightweight security review for my new Express API"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
AI Security Crew
A lightweight MCP server for security reviews built for vibe coding — injects security requirements prior to code generation, scans dependencies for CVEs, and verifies generated code, all without breaking your coding rhythm.
Jump to installation:
MCP Server — full feature set with Jira, Confluence, CVE scanning (with reachability), and threat modeling
Claude Code Plugin — install 3 security skills globally in Claude Code (no Jira/MCP needed)
Claude Code Skills only — manually add slash commands to a specific project
Claude Code Plugin
Install all three security skills directly into Claude Code — no MCP server, no Jira, no configuration required.
/plugin install Srajangpt1/ai_security_crewThis gives you three commands available in any project:
Command | When to use |
| Before coding — get risk level, OWASP guidelines, and a security prompt for AI code generation |
| After coding — review code for vulnerabilities with a checklist and prioritized fixes |
| For new features — identify threats with evidence links, mitigations, and optional |
Related MCP server: VulScan-MCP
Claude Code Skills
If you prefer to add the skills to a specific project only (instead of globally), clone this repo and the slash commands in .claude/commands/ are available automatically in Claude Code when working in the project directory.
Tools
Pre-coding
Tool | When to Use |
| Before any coding task — get security requirements and guidelines for your tech stack |
| Before coding from a Jira ticket — pull security requirements directly from the ticket |
| For significant new features — generate a structured threat model (STRIDE, attack surfaces) |
Dependency security
Tool | When to Use |
| When adding packages — confirm they exist with valid versions (catches hallucinated package names) |
| When adding packages — scan for CVEs and check reachability in your code |
Post-coding
Tool | When to Use |
| After generating code — AI-powered security review against OWASP guidelines |
Threat model persistence
Tool | When to Use |
| Before creating a new threat model — check if one already exists in Confluence |
| After |
Agent Workflow
The server automatically sends workflow instructions to any connecting agent (Claude, Cursor, etc.) via the MCP initialize handshake. Agents will follow this workflow without additional configuration:
Before coding — call
lightweight_security_review(orassess_ticket_securityfor Jira tickets)When adding packages — call
verify_packages, thenscan_dependencieswith the code that uses themAfter generating code — call
verify_code_securityand follow thereview_promptto report findingsFor significant features — call
perform_threat_modeland persist withupdate_threat_model_file
Dependency Scanning
scan_dependencies uses OSV.dev to find CVEs and performs reachability analysis to determine if vulnerable code paths are actually called:
Status | Meaning |
| Vulnerable function is called in your code — action required |
| Vulnerable function is not called |
| Package is not imported at all |
| AI analyzed the code but could not determine reachability |
| No code snippets were passed to the tool |
Reachability is determined by (in order): OSV function-level symbols → keyword matching against the vuln summary → AI analysis via ctx.sample().
Quick Start
1. Build the image
docker build -t mcp-security-review:latest .2. Configure your IDE
Add to your MCP config (Claude Desktop, Cursor, etc.):
{
"mcpServers": {
"sec-review": {
"command": "docker",
"args": [
"run", "--rm", "-i",
"-e", "JIRA_URL",
"-e", "JIRA_USERNAME",
"-e", "JIRA_API_TOKEN",
"-e", "CONFLUENCE_URL",
"-e", "CONFLUENCE_USERNAME",
"-e", "CONFLUENCE_API_TOKEN",
"mcp-security-review:latest"
],
"env": {
"PATH": "/usr/local/bin:/usr/bin:/bin",
"JIRA_URL": "https://your-domain.atlassian.net",
"JIRA_USERNAME": "your-email@example.com",
"JIRA_API_TOKEN": "your-token"
}
}
}
}Authentication
Supported methods:
API Token (Jira/Confluence Cloud):
JIRA_API_TOKEN,CONFLUENCE_API_TOKENPersonal Access Token (Server/Data Center):
JIRA_PERSONAL_TOKEN,CONFLUENCE_PERSONAL_TOKENOAuth 2.0 (Cloud): run
docker run --rm -it mcp-security-review:latest --oauth-setup
HTTP Transport
Run as a persistent HTTP service instead of stdio:
# Streamable HTTP (recommended)
docker run --rm -p 8000:8000 mcp-security-review:latest --transport streamable-http
# SSE
docker run --rm -p 8000:8000 mcp-security-review:latest --transport sseSecurity Guidelines
Includes 101 OWASP Cheat Sheets loaded automatically into security assessments. Add your own org-specific guidelines:
python3 scripts/add_custom_guideline.pyOr manually create markdown files in src/mcp_security_review/security/guidelines/docs/:
category: your_category
priority: high
tags: tag1, tag2, tag3
# Your Guideline Title
...See docs/ADDING_CUSTOM_GUIDELINES.md for details.
Contributing
Check CONTRIBUTING.md for development setup.
Make changes and submit a pull request.
Pre-commit hooks enforce code quality (Ruff, Prettier, Pyright). Run uv run pytest before submitting.
Security
Never commit API tokens. See SECURITY.md for best practices.
License
Licensed under MIT — see LICENSE.
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/Srajangpt1/ai-security-crew'
If you have feedback or need assistance with the MCP directory API, please join our Discord server