pci-dss-mcp
pci-dss-mcp is a static analysis MCP server that scans Go payment service codebases for PCI DSS v4.0.1 violations, mapping every finding to a specific requirement number.
Orchestration & Reporting
- triage_findings — Run all scanners simultaneously with AI-assisted prioritization, file:line enrichment, triage hints, and middleware/import context
- generate_compliance_report — Produce a full PCI DSS v4.0.1 report with requirement-level pass/fail status and severity counts (suitable for CI gates and audits)
Specialized Scanners
- scan_pan_data — Detect PAN/SAD/CVV storage and logging violations (3.3.1, 3.4.1, 3.5.1); optional taint-flow analysis to reduce false positives
- check_encryption — Find weak hash algorithms (MD5/SHA1), hardcoded keys/IVs, and plain HTTP URLs (4.2.1, 6.2.4)
- check_tls_config — Identify InsecureSkipVerify, weak MinVersion, and prohibited cipher suites like RC4/3DES/NULL (4.2.1)
- check_secrets_in_configs — Scan .env, .yaml, .json, .toml files for hardcoded API keys, passwords, and tokens (8.6.2)
- check_error_handling — Detect sensitive error disclosure in payment handlers (6.2.4)
- check_auth_strength — Find hardcoded passwords, weak password policies (min length < 12), missing MFA on payment routes, and weak webhook signatures (8.3.1, 8.3.6, 8.4.2, 8.6.2)
- audit_log_coverage — Detect payment handlers missing structured audit logging; framework-aware for net/http, gin, and echo (10.2.1)
- check_data_retention — Find Redis/DB storage of CVV/PAN without TTL, config files missing TTL on sensitive keys, and incorrect memory zeroing timing (3.2.1, 3.3.1)
- check_payment_page_scripts — Detect missing CSP headers, unsafe-inline/unsafe-eval in CSP, external scripts without SRI, and inline scripts without nonce (6.4.3, 11.6.1)
- check_dependencies — Scan go.mod against the OSV.dev vulnerability database in auto/online/offline modes (6.3.3)
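To make concrete the kind of AST-level check that check_tls_config and check_encryption describe, here is a small stand-alone Go scanner. It is an added example written for this page, not pci-dss-mcp's own implementation: it parses one file with go/parser and reports InsecureSkipVerify: true, a weak MinVersion, and imports of crypto/md5 or crypto/sha1, tagging each hit with the requirement IDs the list above cites. The Finding struct, the rule IDs and the vulnerableSample input are constructed for the example; the real server's rule names and output schema are documented in docs/requirement-mapping.md and docs/tools.md.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strings"
)

// Finding is one rule hit mapped to a PCI DSS v4.0.1 requirement ID.
// Hypothetical shape for this example; pci-dss-mcp's OutputSchema differs.
type Finding struct {
	RuleID        string
	RequirementID string
	Line          int
	Message       string
}

// tls.Config MinVersion constants that do not count as strong cryptography.
var weakTLSVersions = map[string]bool{
	"VersionSSL30": true, "VersionTLS10": true, "VersionTLS11": true,
}

// Import paths of hash functions that should not appear in new payment code.
var weakHashPkgs = map[string]string{
	"crypto/md5":  "MD5 imported (collision-broken hash)",
	"crypto/sha1": "SHA-1 imported (collision-broken hash)",
}

// ScanSource parses one Go source file (syntax only, no type checking) and reports:
//   - imports of crypto/md5 or crypto/sha1          -> 6.2.4
//   - a KeyValueExpr InsecureSkipVerify: true       -> 4.2.1
//   - a KeyValueExpr MinVersion: tls.VersionTLS1x   -> 4.2.1
// The key/value checks are purely syntactic: they do not confirm that the
// enclosing composite literal really is a tls.Config.
func ScanSource(filename, src string) ([]Finding, error) {
	fset := token.NewFileSet()
	file, err := parser.ParseFile(fset, filename, src, 0)
	if err != nil {
		return nil, err
	}
	var out []Finding
	for _, imp := range file.Imports {
		path := strings.Trim(imp.Path.Value, `"`)
		if msg, ok := weakHashPkgs[path]; ok {
			out = append(out, Finding{"WEAK_HASH_IMPORT", "6.2.4", fset.Position(imp.Pos()).Line, msg})
		}
	}
	ast.Inspect(file, func(n ast.Node) bool {
		kv, ok := n.(*ast.KeyValueExpr)
		if !ok {
			return true
		}
		key, ok := kv.Key.(*ast.Ident)
		if !ok {
			return true
		}
		line := fset.Position(kv.Pos()).Line
		switch key.Name {
		case "InsecureSkipVerify":
			if v, ok := kv.Value.(*ast.Ident); ok && v.Name == "true" {
				out = append(out, Finding{"TLS_SKIP_VERIFY", "4.2.1", line, "certificate verification disabled"})
			}
		case "MinVersion":
			if sel, ok := kv.Value.(*ast.SelectorExpr); ok && weakTLSVersions[sel.Sel.Name] {
				out = append(out, Finding{"TLS_WEAK_MIN_VERSION", "4.2.1", line, "MinVersion allows " + sel.Sel.Name})
			}
		}
		return true
	})
	return out, nil
}

// vulnerableSample is a constructed input that trips all three rules.
const vulnerableSample = `package payments

import (
	"crypto/md5"
	"crypto/tls"
	"net/http"
)

func client() *http.Client {
	cfg := &tls.Config{
		InsecureSkipVerify: true,
		MinVersion:         tls.VersionTLS10,
	}
	_ = md5.New
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
}
`

func main() {
	findings, err := ScanSource("client.go", vulnerableSample)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("client.go:%d %s [%s] %s\n", f.Line, f.RuleID, f.RequirementID, f.Message)
	}
}
```

Run with go run; it prints one finding per embedded defect with a file:line. Because the pass is syntactic, a type-checked pass over go/types is what narrows the false positives this version accepts (a MinVersion key in some unrelated struct, or crypto/sha1 imported only for a legacy HMAC); the scanners listed above are described as doing exactly that kind of Go-specific refinement.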
Supporting Tools
- generate_sbom — Generate a CycloneDX v1.6 SBOM from go.mod/go.sum in JSON or XML (6.3.2)
- explain_requirement — Look up any PCI DSS v4.0.1 requirement by ID to get its title, description, and testing procedure
- update_vulnerability_db — Download a fresh OSV Go vulnerability snapshot (~7.5 MB) for offline scanning
Cross-Cutting Features
- Summary and flat response shapes with cursor-based pagination (10-minute TTL)
- Filter by min_severity (CRITICAL/HIGH/MEDIUM/LOW/INFO) and rule_filter (comma list or regex)
- Configurable file exclusion via glob patterns (vendor, generated files, mocks, etc.)
- Optional inclusion of test files and git-untracked files
- Operates via stdio MCP protocol, compatible with Claude Desktop, Cursor, and other MCP clients
pci-dss-mcp
Static analysis MCP server for Go payment service codebases. Every detected PCI DSS v4.0.1 violation is mapped to the specific requirement number before the code ships.
What it does
pci-dss-mcp is a stdio MCP server that runs 12 scanners, an orchestrator, and an AI triage engine over a Go payment service codebase. Each finding carries a requirement_id mapped to a specific PCI DSS v4.0.1 line item; see docs/requirement-mapping.md for the canonical rule-to-requirement table and testdata/vulnerable-payment-service/EXPECTED-FINDINGS.md for live golden output.
What pci-dss-mcp catches today
HTTP framework input flow into log / error / panic sinks. Tier 1 frameworks (gin, chi, gorilla/mux, net/http (Go 1.22+), echo v4, fiber v2) and Tier 1 loggers (log/slog, logrus, zap, zerolog, logr, klog, hclog) ship in v0.7. Tier 2 (kratos, apex/log, charmbracelet/log) lands in v0.8. Tier 3 (fasthttp, beego, iris, httprouter, project-internal) is user-configurable via Phase 25 YAML once shipped. See docs/http_input_taint.md.
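The taint rule described above, reduced to its simplest form as an added example (not pci-dss-mcp's implementation): an intra-procedural pass over each function that marks variables assigned from request-accessor calls as tainted, propagates taint through later assignments, and reports any argument to a log/slog/logrus call that reads a tainted value. The source method set (FormValue, PostFormValue, Query, Param), the sink package set, the TaintFinding struct, the 3.3.1 mapping and the handlerSample input are all assumptions constructed for this illustration.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"go/types"
)

// TaintFinding is one request-derived value reaching a logging sink; the shape and the 3.3.1 mapping are constructed for this example.
type TaintFinding struct{ Func, Arg string; Line int; RequirementID string }

// Assumed source and sink sets: request-accessor method names (matched on any receiver, so net/http and gin-style handlers both hit) and logging package identifiers.
var sourceMethods = map[string]bool{"FormValue": true, "PostFormValue": true, "Query": true, "Param": true}
var sinkPkgs = map[string]bool{"log": true, "slog": true, "logrus": true}

// usesTainted reports whether e contains a source call or reads a tainted name (name-based, so a same-named field selector also matches).
func usesTainted(e ast.Expr, tainted map[string]bool) bool {
	found := false
	ast.Inspect(e, func(n ast.Node) bool {
		switch x := n.(type) {
		case *ast.Ident:
			found = found || tainted[x.Name]
		case *ast.CallExpr:
			if sel, ok := x.Fun.(*ast.SelectorExpr); ok && sourceMethods[sel.Sel.Name] {
				found = true
			}
		}
		return !found
	})
	return found
}

// ScanTaint is an intra-procedural pass: each function's statements are visited in source order,
// an assignment with a tainted RHS taints its LHS identifier, and a sink call with a tainted argument is reported once.
func ScanTaint(filename, src string) ([]TaintFinding, error) {
	fset := token.NewFileSet()
	file, err := parser.ParseFile(fset, filename, src, 0)
	if err != nil {
		return nil, err
	}
	var out []TaintFinding
	for _, decl := range file.Decls {
		fn, ok := decl.(*ast.FuncDecl)
		if !ok || fn.Body == nil {
			continue
		}
		tainted := map[string]bool{} // taint state is reset per function
		ast.Inspect(fn.Body, func(n ast.Node) bool {
			switch x := n.(type) {
			case *ast.AssignStmt: // single-value assignments only; a, b := f() is not tracked
				for i, rhs := range x.Rhs {
					if i < len(x.Lhs) && usesTainted(rhs, tainted) {
						if id, ok := x.Lhs[i].(*ast.Ident); ok {
							tainted[id.Name] = true
						}
					}
				}
			case *ast.CallExpr: // sink = pkg.Func(...) where pkg is a logging package
				sel, ok := x.Fun.(*ast.SelectorExpr)
				if !ok {
					return true
				}
				if pkg, ok := sel.X.(*ast.Ident); !ok || !sinkPkgs[pkg.Name] {
					return true
				}
				for _, arg := range x.Args {
					if usesTainted(arg, tainted) {
						out = append(out, TaintFinding{fn.Name.Name, types.ExprString(arg), fset.Position(x.Pos()).Line, "3.3.1"})
						break
					}
				}
			}
			return true
		})
	}
	return out, nil
}

// handlerSample is constructed input (imports omitted; it is only parsed, never built).
const handlerSample = `package payments
func charge(w http.ResponseWriter, r *http.Request) {
	pan := r.FormValue("card_number")
	msg := "charging card " + pan
	log.Printf("charge request: %s", msg)
	log.Printf("amount=%s", r.FormValue("amount"))
	log.Println("charge handler entered")
}
`

func main() {
	findings, err := ScanTaint("charge.go", handlerSample)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", findings)
}
```

The sample yields two findings (the msg variable, tainted through pan, and the direct r.FormValue call) and correctly ignores the constant-only log line. What this toy pass lacks, and what the tiered framework and logger support above exists to supply, is knowledge of which receiver types are actually request objects and which logger methods are sinks, plus flow across function calls and branches; without that, every same-named variable in the function is treated alike.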
What pci-dss-mcp is NOT
Not a replacement for broad SAST. Use Semgrep, CodeQL, or gosec for OWASP Top-10 and language-agnostic vulnerabilities.
Not a replacement for LLM-based code review. pci-dss-mcp maps payment-specific issues to PCI DSS requirement IDs; LLM agents catch broad bugs via reasoning. The two layers compose.
Not Go-agnostic. Go-specific AST patterns and taint flow tracing are what make the precision possible.
Not a QSA replacement. Static analysis covers ~6% of PCI DSS v4.0.1 requirements. A Qualified Security Assessor must sign off on the rest.
Related MCP server: gke-cred-audit
Install
Go install (primary)
Requires Go 1.25+:
go install github.com/shyshlakov/pci-dss-mcp@latest
The binary lands at $(go env GOPATH)/bin/pci-dss-mcp. See docs/install-from-source.md for PATH resolution, the macOS codesign provenance fix, cosign verification, and the MCP client JSON config.
Docker (alternative)
docker pull ghcr.io/shyshlakov/pci-dss-mcp:v0.6.2
Useful for CI pipelines, QSA auditors who do not develop Go locally, or any environment without a host Go toolchain.
MCP Registry
Listed as io.github.shyshlakov/pci-dss-mcp at registry.modelcontextprotocol.io. Auto-published on every tag.
Usage
Add to your MCP client config (Claude Desktop claude_desktop_config.json, Cursor .cursor/mcp.json, or claude mcp add for Claude Code):
{
  "mcpServers": {
    "pci-dss-mcp": {
      "command": "docker",
      "args": ["run", "-i", "--rm",
        "--mount", "type=bind,src=/Users/you/go/src,dst=/Users/you/go/src,readonly",
        "ghcr.io/shyshlakov/pci-dss-mcp:v0.6.2"]
    }
  }
}
src= and dst= mirror the same absolute path so the container sees your code at the same path your host uses; prompts pass the normal host path with no translation. For the go install variant and per-client examples, see docs/usage.md.
Two prompts to paste into your MCP client:
Run pci-dss-mcp triage on /Users/you/payments-service. Use min_severity=MEDIUM and group findings by PCI DSS requirement.
Generate a PCI DSS compliance report for /Users/you/payments-service in JSON format. Show requirement-level pass/fail status and severity counts.
Tools
| Tool | Purpose | Docs |
| --- | --- | --- |
| triage_findings | All scanners + AI classification + file:line context in one call | |
| generate_compliance_report | Raw requirement pass/fail report (orchestrator over all scanners) | |
| scan_pan_data | PAN/SAD storage and logging (3.3.1, 3.4.1, 3.5.1) | |
| check_encryption | Weak hashing, hardcoded keys, plain HTTP (4.2.1, 6.2.4) | |
| check_tls_config | Insecure TLS configs (4.2.1) | |
| check_secrets_in_configs | Credentials in config files (8.6.2) | |
| check_error_handling | Error responses leaking sensitive context (6.2.4) | |
| check_auth_strength | Hardcoded passwords, weak policy, missing MFA, webhook signatures (8.3.1, 8.3.6, 8.4.2, 8.6.2) | |
| audit_log_coverage | Missing audit logs on payment flows (10.2.1) | |
| check_data_retention | Missing TTL, sensitive storage, missing zeroing (3.2.1, 3.3.1) | |
| check_payment_page_scripts | Missing CSP/SRI/nonce on payment pages (6.4.3, 11.6.1) | |
| check_dependencies | Vulnerable Go dependencies via OSV (6.3.3); govulncheck-style privacy: no module names sent to OSV.dev. See docs/check_dependencies.md. Also covers | |
| generate_sbom | CycloneDX 1.6 SBOM from go.mod/go.sum (6.3.2) | |
| explain_requirement | Look up a PCI DSS v4.0.1 requirement by ID | |
All tools declare typed OutputSchema. See docs/tools.md for the catalog index and migration history.
Documentation
docs/usage.md, client setup, prompt templates, suppressing findings
docs/severity.md, severity model and rule-to-severity mapping
docs/taint.md, taint analysis defaults and toggles
docs/scoping.md, package exclusion and CDE scope
docs/comparison.md, pci-dss-mcp vs Semgrep / CodeQL / gosec / Snyk Code
docs/ci-cd.md, GitHub Actions and GitLab CI integration
docs/pci-coverage.md, PCI DSS v4.0.1 requirement coverage matrix
docs/install-from-source.md, source build, cosign verification, reload
docs/requirement-mapping.md, canonical rule_id to requirement_id table
CONTRIBUTING.md, development setup, fuzz targets
ROADMAP.md, planned features
CHANGELOG.md, version history
Status
Active development, pre v1.0. See ROADMAP.md and CHANGELOG.md.
License
MIT, see LICENSE.
pci-dss-mcp is a static analysis tool. It cannot replace a Qualified Security Assessor. Use its output as input to your compliance process, not as the compliance itself.