pci-dss-mcp
pci-dss-mcp is a static analysis MCP server that scans Go payment service codebases for PCI DSS v4.0.1 violations, mapping every finding to a specific requirement number.
Orchestration & Reporting
triage_findings — Run all scanners simultaneously with AI-assisted prioritization, file:line enrichment, triage hints, and middleware/import context
generate_compliance_report — Produce a full PCI DSS v4.0.1 report with requirement-level pass/fail status and severity counts (suitable for CI gates and audits)
Specialized Scanners
scan_pan_data — Detect PAN/SAD/CVV storage and logging violations (3.3.1, 3.4.1, 3.5.1); optional taint-flow analysis to reduce false positives
check_encryption — Find weak hash algorithms (MD5/SHA1), hardcoded keys/IVs, and plain HTTP URLs (4.2.1, 6.2.4)
check_tls_config — Identify InsecureSkipVerify, weak MinVersion, and prohibited cipher suites like RC4/3DES/NULL (4.2.1)
check_secrets_in_configs — Scan .env, .yaml, .json, .toml files for hardcoded API keys, passwords, and tokens (8.6.2)
check_error_handling — Detect sensitive error disclosure in payment handlers (6.2.4)
check_auth_strength — Find hardcoded passwords, weak password policies (min length < 12), missing MFA on payment routes, and weak webhook signatures (8.3.1, 8.3.6, 8.4.2, 8.6.2)
audit_log_coverage — Detect payment handlers missing structured audit logging; framework-aware for net/http, gin, and echo (10.2.1)
check_data_retention — Find Redis/DB storage of CVV/PAN without TTL, config files missing TTL on sensitive keys, and incorrect memory zeroing timing (3.2.1, 3.3.1)
check_payment_page_scripts — Detect missing CSP headers, unsafe-inline/unsafe-eval in CSP, external scripts without SRI, and inline scripts without nonce (6.4.3, 11.6.1)
check_dependencies — Scan go.mod against the OSV.dev vulnerability database in auto/online/offline modes (6.3.3)
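A constructed Go example (added here, not the project's own code) of the TLS settings check_tls_config flags under requirement 4.2.1: the weak crypto/tls configuration beside its hardened form, plus a small runtime audit helper that lists the same findings. The helper names weakTLSConfig, hardenedTLSConfig and auditTLSConfig are hypothetical.

```go
package main

import "crypto/tls"

// Cipher suites the page lists as prohibited under 4.2.1 (RC4, 3DES). crypto/tls
// defines no NULL-cipher constants, so those cannot be enumerated here.
var prohibitedSuites = map[uint16]string{
	tls.TLS_RSA_WITH_RC4_128_SHA:            "RC4",
	tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA:      "RC4",
	tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA:       "3DES",
	tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA: "3DES",
}

// weakTLSConfig is a constructed example of the pattern check_tls_config flags.
func weakTLSConfig() *tls.Config {
	return &tls.Config{
		InsecureSkipVerify: true,             // certificate verification disabled
		MinVersion:         tls.VersionTLS10, // below the TLS 1.2 floor
		CipherSuites:       []uint16{tls.TLS_RSA_WITH_RC4_128_SHA},
	}
}

// hardenedTLSConfig is the corrected form: verification on, TLS 1.2 floor, AEAD suites.
func hardenedTLSConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		},
	}
}

// auditTLSConfig (hypothetical helper) returns one 4.2.1 finding per weak setting.
func auditTLSConfig(cfg *tls.Config) []string {
	var findings []string
	if cfg.InsecureSkipVerify {
		findings = append(findings, "4.2.1: InsecureSkipVerify is true")
	}
	// MinVersion 0 selects the crypto/tls default; only explicit weak values are flagged.
	if cfg.MinVersion != 0 && cfg.MinVersion < tls.VersionTLS12 {
		findings = append(findings, "4.2.1: MinVersion is below TLS 1.2")
	}
	for _, suite := range cfg.CipherSuites {
		if name, bad := prohibitedSuites[suite]; bad {
			findings = append(findings, "4.2.1: prohibited cipher suite "+name)
		}
	}
	return findings
}
```

The static scanner finds these settings in source without running anything; the runtime helper here is only a way to see the same three findings on a real tls.Config.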
Supporting Tools
generate_sbom — Generate a CycloneDX v1.6 SBOM from go.mod/go.sum in JSON or XML (6.3.2)
explain_requirement — Look up any PCI DSS v4.0.1 requirement by ID to get its title, description, and testing procedure
update_vulnerability_db — Download a fresh OSV Go vulnerability snapshot (~7.5 MB) for offline scanning
Cross-Cutting Features
Summary and flat response shapes with cursor-based pagination (10-minute TTL)
Filter by min_severity (CRITICAL/HIGH/MEDIUM/LOW/INFO) and rule_filter (comma list or regex)
Configurable file exclusion via glob patterns (vendor, generated files, mocks, etc.)
Optional inclusion of test files and git-untracked files
Operates via stdio MCP protocol, compatible with Claude Desktop, Cursor, and other MCP clients
pci-dss-mcp
Static analysis MCP server for Go payment service codebases. Every detected PCI DSS v4.0.1 violation is mapped to its specific requirement number before the code ships.
What it does
pci-dss-mcp is a stdio MCP server that runs 12 scanners, an orchestrator, and an AI triage engine over a Go payment service codebase. Each finding carries a requirement_id mapped to a specific PCI DSS v4.0.1 line item; see docs/requirement-mapping.md for the canonical rule-to-requirement table and testdata/vulnerable-payment-service/EXPECTED-FINDINGS.md for live golden output.
What pci-dss-mcp catches today
HTTP framework input flow into log / error / panic sinks. Tier 1 frameworks (gin, chi, gorilla/mux, net/http (Go 1.22+), echo v4, fiber v2) and Tier 1 loggers (log/slog, logrus, zap, zerolog, logr, klog, hclog) ship in v0.7. Tier 2 (kratos, apex/log, charmbracelet/log) lands in v0.8. Tier 3 (fasthttp, beego, iris, httprouter, project-internal) is user-configurable via Phase 25 YAML once shipped. See docs/http_input_taint.md.
What pci-dss-mcp is NOT
Not a replacement for broad SAST. Use Semgrep, CodeQL, or gosec for OWASP Top-10 and language-agnostic vulnerabilities.
Not a replacement for LLM-based code review. pci-dss-mcp maps payment-specific issues to PCI DSS requirement IDs; LLM agents catch broad bugs via reasoning. The two layers compose.
Not Go-agnostic. Go-specific AST patterns and taint flow tracing are what make the precision possible.
Not a QSA replacement. Static analysis covers ~6% of PCI DSS v4.0.1 requirements. A Qualified Security Assessor must sign off on the rest.
Install
Go install (primary)
Requires Go 1.25+:
go install github.com/shyshlakov/pci-dss-mcp@latest
The binary lands at $(go env GOPATH)/bin/pci-dss-mcp. See docs/install-from-source.md for PATH resolution, the macOS codesign provenance fix, cosign verification, and the MCP client JSON config.
Docker (alternative)
docker pull ghcr.io/shyshlakov/pci-dss-mcp:v0.6.2
Useful for CI pipelines, QSA auditors who do not develop Go locally, or any environment without a host Go toolchain.
MCP Registry
Listed as io.github.shyshlakov/pci-dss-mcp at registry.modelcontextprotocol.io. Auto-published on every tag.
Usage
Add to your MCP client config (Claude Desktop claude_desktop_config.json, Cursor .cursor/mcp.json, or claude mcp add for Claude Code):
{
  "mcpServers": {
    "pci-dss-mcp": {
      "command": "docker",
      "args": ["run", "-i", "--rm",
        "--mount", "type=bind,src=/Users/you/go/src,dst=/Users/you/go/src,readonly",
        "ghcr.io/shyshlakov/pci-dss-mcp:v0.6.2"]
    }
  }
}
src= and dst= mirror the same absolute path so the container sees your code at the same path your host uses; prompts pass the normal host path with no translation. For the go install variant and per-client examples, see docs/usage.md.
Two prompts to paste into your MCP client:
Run pci-dss-mcp triage on /Users/you/payments-service. Use min_severity=MEDIUM and group findings by PCI DSS requirement.
Generate a PCI DSS compliance report for /Users/you/payments-service in JSON format. Show requirement-level pass/fail status and severity counts.
Tools
| Tool | Purpose | Docs |
| --- | --- | --- |
| triage_findings | All scanners + AI classification + file:line context in one call | |
| generate_compliance_report | Raw requirement pass/fail report (orchestrator over all scanners) | |
| scan_pan_data | PAN/SAD storage and logging (3.3.1, 3.4.1, 3.5.1) | |
| check_encryption | Weak hashing, hardcoded keys, plain HTTP (4.2.1, 6.2.4) | |
| check_tls_config | Insecure TLS configs (4.2.1) | |
| check_secrets_in_configs | Credentials in config files (8.6.2) | |
| check_error_handling | Error responses leaking sensitive context (6.2.4) | |
| check_auth_strength | Hardcoded passwords, weak policy, missing MFA, webhook signatures (8.3.1, 8.3.6, 8.4.2, 8.6.2) | |
| audit_log_coverage | Missing audit logs on payment flows (10.2.1) | |
| check_data_retention | Missing TTL, sensitive storage, missing zeroing (3.2.1, 3.3.1) | |
| check_payment_page_scripts | Missing CSP/SRI/nonce on payment pages (6.4.3, 11.6.1) | |
| check_dependencies | Vulnerable Go dependencies via OSV (6.3.3); govulncheck-style privacy: no module names sent to OSV.dev. See docs/check_dependencies.md. Also covers | |
| generate_sbom | CycloneDX 1.6 SBOM from go.mod/go.sum (6.3.2) | |
| explain_requirement | Look up a PCI DSS v4.0.1 requirement by ID | |
All tools declare typed OutputSchema. See docs/tools.md for the catalog index and migration history.
Documentation
docs/usage.md, client setup, prompt templates, suppressing findings
docs/severity.md, severity model and rule-to-severity mapping
docs/taint.md, taint analysis defaults and toggles
docs/scoping.md, package exclusion and CDE scope
docs/comparison.md, pci-dss-mcp vs Semgrep / CodeQL / gosec / Snyk Code
docs/ci-cd.md, GitHub Actions and GitLab CI integration
docs/pci-coverage.md, PCI DSS v4.0.1 requirement coverage matrix
docs/install-from-source.md, source build, cosign verification, reload
docs/requirement-mapping.md, canonical rule_id to requirement_id table
CONTRIBUTING.md, development setup, fuzz targets
ROADMAP.md, planned features
CHANGELOG.md, version history
Status
Active development, pre v1.0. See ROADMAP.md and CHANGELOG.md.
License
MIT, see LICENSE.
pci-dss-mcp is a static analysis tool. It cannot replace a Qualified Security Assessor. Use its output as input to your compliance process, not as the compliance itself.