FortiCNAPP MCP Server
Provides tools for managing FortiCNAPP (Cloud Native Application Protection Platform) including health check, config validation, agent tokens, and vulnerability scanning.
MCP server for managing Fortinet FortiCNAPP (Cloud Native Application Protection Platform) via AI agents. Built with FastMCP, deployed as a container.
FortiCNAPP (powered by Lacework) provides cloud security capabilities including vulnerability scanning, agent management, and compliance monitoring.
Tools
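| Tool | Description |
| --- | --- |
| cnapp_health_check | Check FortiCNAPP service health and connectivity |
| cnapp_validate_config | Validate configuration settings and credentials |
| cnapp_get_agent_tokens | Retrieve agent access tokens |
| cnapp_scan_image_vulnerabilities | Scan container images for vulnerabilities |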
Every tool accepts optional cnapp_key_id, cnapp_key_secret, and cnapp_base_url parameters. If not provided, the server reads from environment variables. Per-call parameters override environment variables.
Connect from Claude Desktop
Add to your Claude Desktop config (~/Library/Application Support/Claude/claude_desktop_config.json on macOS):
{
  "mcpServers": {
    "forticnapp": {
      "command": "npx",
      "args": [
        "-y",
        "mcp-remote",
        "https://mcp-forticnapp.fortidemoscloud.com/mcp"
      ]
    }
  }
}
Connect from Gemini CLI
Add to your Gemini settings (~/.gemini/settings.json):
{
  "mcpServers": {
    "forticnapp": {
      "command": "npx",
      "args": [
        "-y",
        "mcp-remote",
        "https://mcp-forticnapp.fortidemoscloud.com/mcp"
      ]
    }
  }
}
Connect from Kiro / VS Code
Add to .kiro/settings/mcp.json or equivalent:
{
  "mcpServers": {
    "forticnapp": {
      "url": "https://mcp-forticnapp.fortidemoscloud.com/mcp"
    }
  }
}
Test with curl
# 1. Initialize session and capture Mcp-Session-Id from the response headers
#    (MCP Streamable HTTP clients must send an Accept header listing both
#    application/json and text/event-stream)
export SESSION_ID=$(curl -s -i -X POST https://mcp-forticnapp.fortidemoscloud.com/mcp \
  -H "Content-Type: application/json" \
  -H "Accept: application/json, text/event-stream" \
  -d '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2024-11-05","capabilities":{},"clientInfo":{"name":"test-curl","version":"1.0"}}}' \
  | grep -i "mcp-session-id" | awk '{print $2}' | tr -d '\r')
echo "Session ID: $SESSION_ID"
# Complete the MCP handshake before sending any other request
curl -s -X POST https://mcp-forticnapp.fortidemoscloud.com/mcp \
  -H "Content-Type: application/json" \
  -H "Accept: application/json, text/event-stream" \
  -H "Mcp-Session-Id: $SESSION_ID" \
  -d '{"jsonrpc":"2.0","method":"notifications/initialized"}'
# 2. List tools using the captured Session ID
curl -s -X POST https://mcp-forticnapp.fortidemoscloud.com/mcp \
  -H "Content-Type: application/json" \
  -H "Accept: application/json, text/event-stream" \
  -H "Mcp-Session-Id: $SESSION_ID" \
  -d '{"jsonrpc":"2.0","id":2,"method":"tools/list","params":{}}'
# 3. Call a tool (health check)
#    Credentials passed as tool arguments travel in the request body to the MCP server
curl -s -X POST https://mcp-forticnapp.fortidemoscloud.com/mcp \
  -H "Content-Type: application/json" \
  -H "Accept: application/json, text/event-stream" \
  -H "Mcp-Session-Id: $SESSION_ID" \
  -d '{"jsonrpc":"2.0","id":3,"method":"tools/call","params":{"name":"cnapp_health_check","arguments":{"cnapp_key_id":"YOUR_KEY_ID","cnapp_key_secret":"YOUR_KEY_SECRET","cnapp_base_url":"https://youraccount.lacework.net"}}}'
# 4. Scan image vulnerabilities
curl -s -X POST https://mcp-forticnapp.fortidemoscloud.com/mcp \
  -H "Content-Type: application/json" \
  -H "Accept: application/json, text/event-stream" \
  -H "Mcp-Session-Id: $SESSION_ID" \
  -d '{"jsonrpc":"2.0","id":4,"method":"tools/call","params":{"name":"cnapp_scan_image_vulnerabilities","arguments":{"image_digest":"sha256:abc123...","cnapp_key_id":"YOUR_KEY_ID","cnapp_key_secret":"YOUR_KEY_SECRET"}}}'
Run locally
# Docker (with credentials from environment)
export FORTICNAPP_KEY_ID="your_key_id"
export FORTICNAPP_KEY_SECRET="your_key_secret"
export FORTICNAPP_BASE_URL="youraccount.lacework.net"
docker-compose up --build -d
# Or directly
uv sync
FORTICNAPP_KEY_ID="your_key_id" \
FORTICNAPP_KEY_SECRET="your_key_secret" \
FORTICNAPP_BASE_URL="youraccount.lacework.net" \
uv run uvicorn app.server:app --host 0.0.0.0 --port 8000
Server available at http://localhost:8000/mcp with health check at /health.
Deploy to Kubernetes
kubectl apply -f k8s-deployment.yaml
Exposes on NodePort 30083. Image: jviguerasfortinet/mcp-forticnapp-server:v1.0.0
Environment Variables
| Variable | Required | Default | Description |
| --- | --- | --- | --- |
| FORTICNAPP_KEY_ID | Yes | — | Lacework API key ID |
| FORTICNAPP_KEY_SECRET | Yes | — | Lacework API key secret (X-LW-UAKS value) |
| FORTICNAPP_BASE_URL | No | | Lacework API base URL or FQDN. Can be a full URL ( |
Tool Parameters
cnapp_health_check / cnapp_validate_config / cnapp_get_agent_tokens
| Parameter | Required | Description |
| --- | --- | --- |
| cnapp_key_id | No | FortiCNAPP API key ID (uses |
| cnapp_key_secret | No | FortiCNAPP API key secret (uses |
| cnapp_base_url | No | FortiCNAPP API base URL or FQDN (e.g., |
cnapp_scan_image_vulnerabilities
| Parameter | Required | Default | Description |
| --- | --- | --- | --- |
| image_digest | Yes | — | Docker image digest (e.g., sha256:abc123...) |
| cnapp_key_id | No | — | FortiCNAPP API key ID |
| cnapp_key_secret | No | — | FortiCNAPP API key secret |
| cnapp_base_url | No | — | FortiCNAPP API base URL or FQDN. |
| | No | 3 | Number of days to look back for scan data |
| | No | true | Remove duplicate vulnerabilities across layers |
Authentication
The server uses Lacework bearer token authentication:
Token Generation: Uses FORTICNAPP_KEY_SECRET (X-LW-UAKS header) and FORTICNAPP_KEY_ID to request bearer tokens from /api/v2/access/tokens
Token Caching: Automatically caches tokens and refreshes before expiration (with 60s buffer)
API Calls: All Lacework API calls use the cached bearer token in the Authorization: Bearer <token> header
Retry Logic: Automatic retry with exponential backoff for transient failures
URL Normalization: FORTICNAPP_BASE_URL accepts either a full URL (https://myaccount.lacework.net) or just the FQDN (myaccount.lacework.net); the https:// scheme is always auto-prepended if missing
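The token generation, caching and URL normalization listed above, sketched as an added example (not the project's own code). The names normalize_base_url and TokenCache are hypothetical, the keyId/expiryTime request fields and the token response field are assumed from Lacework's public API, rejecting non-HTTPS URLs is added hardening the page does not state, and retry logic is left out.

```python
import time
from urllib.parse import urlsplit

REFRESH_BUFFER_S = 60   # refresh this long before expiry, as the page describes
TOKEN_TTL_S = 3600      # assumed lifetime requested through expiryTime


def normalize_base_url(value: str) -> str:
    """Accept a full URL or a bare FQDN; always return an https:// origin."""
    value = value.strip()
    if "://" not in value:
        value = "https://" + value
    parts = urlsplit(value)
    # Added hardening (assumption, not stated on the page): never send the
    # key secret over plain HTTP or to a URL without a host.
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"refusing non-HTTPS base URL: {value!r}")
    return f"https://{parts.netloc}"


class TokenCache:
    """Caches one bearer token; `post` and `clock` are injectable for testing."""

    def __init__(self, key_id, key_secret, base_url, post, clock=time.monotonic):
        self._key_id, self._secret = key_id, key_secret
        self._url = normalize_base_url(base_url) + "/api/v2/access/tokens"
        self._post, self._clock = post, clock
        self._token, self._expires_at = None, 0.0

    def bearer(self) -> str:
        now = self._clock()
        # Fetch on first use, then again once inside the 60 s refresh window.
        if self._token is None or now >= self._expires_at - REFRESH_BUFFER_S:
            reply = self._post(
                self._url,
                headers={"X-LW-UAKS": self._secret,
                         "Content-Type": "application/json"},
                json={"keyId": self._key_id, "expiryTime": TOKEN_TTL_S},
            )
            self._token = reply["token"]
            self._expires_at = now + TOKEN_TTL_S
        return self._token

    def auth_header(self) -> dict:
        """Header attached to every subsequent API call."""
        return {"Authorization": f"Bearer {self.bearer()}"}
```

Here `post` is any callable taking (url, headers=..., json=...) and returning the decoded JSON reply, so a thin wrapper around an HTTP client can be passed in production and a stub in tests.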
License
MIT