Integrates reconnaissance and exploitation workflows for security testing, including service detection, vulnerability validation, and exploit execution with safety controls
Provides reference documentation for OWASP Top 10 vulnerability categories to guide security assessment workflows
Supports browser automation for live security testing as an alternative option for projects that already include Puppeteer
Provides methodology and documentation for CVE and dependency scanning, guiding AI agents through vulnerability detection in project dependencies
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@VibeDefender MCP Serverscan my code for security issues"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
π‘οΈ VibeDefender
Security Knowledge MCP Server for AI Coding Agents
Guide your AI agents through professional security assessments with methodology, documentation, and step-by-step workflows covering OWASP Top 10 and beyond.
Installation β’ Features β’ Quick Start β’ Configuration β’ Documentation
π Why VibeDefender?
Your AI coding agent (Claude Code, Cursor, etc.) already knows how to run commands. VibeDefender teaches it WHEN, WHY, and HOW to run security tools like a professional pentester.
Instead of guessing which security tools to run, your AI gets:
π Step-by-step security methodology - Professional assessment workflows
π― Plain English guidance - No security expertise required
π§ Tool installation guides - Automated setup assistance
π Always-current documentation - Live tool documentation proxy
β OWASP Top 10 coverage - Industry-standard vulnerability detection
β If you find VibeDefender useful, please star this repo! It helps others discover professional security testing for AI agents.
π¦ Installation
Direct from GitHub (Recommended)
npx github:yunusj/VibeDefender-MCPThis automatically clones, installs dependencies, builds, and runs the MCP server.
Global Installation
npm install -g github:yunusj/VibeDefender-MCP
vibedefender-mcp⨠Features
π― What Makes VibeDefender Different
β Knowledge-First Approach - Guides AI agents instead of executing tools directly β 5 Pre-Built Security Workflows - Setup, full scan, pre-push check, live testing, URL scanning β OWASP Top 10 Coverage - Comprehensive vulnerability detection (injection, XSS, auth, etc.) β Mandatory Runtime Analysis - Not just static analysis - tests your running application β Artifact Generation - Saves all scan results as JSON + markdown reports β Zero Security Knowledge Required - Plain English explanations for non-security developers β Tool Agnostic - Works with any MCP-compatible AI editor (Claude Code, Cursor, etc.)
π§ Integrated Security Tools
Trivy - CVE and dependency vulnerability scanning
Semgrep - Static code analysis with 2000+ security rules
Nuclei - Runtime security testing with template-based scanning
Metasploit - Optional integration for discovery and exploitation
π€ Supported AI Editors
Editor | Status | Notes |
Claude Code | β Fully Supported | Native MCP support |
Cursor | β Fully Supported | MCP configuration required |
Claude Desktop | β Fully Supported | Config in |
Google Antigravity | β Fully Supported | Same config as Claude Desktop |
π§ Philosophy
The MCP GUIDES, not executes.
Your AI agent (Claude Code, Cursor, etc.) already has the ability to run CLI commands. This MCP provides:
π Step-by-step methodology for security assessments
π§ Installation guides for required tools
π¬ Plain English explanations for non-technical users
π Documentation proxy for always-current tool docs
β‘ Quick Start
Install and configure (one-time setup):
{
"mcpServers": {
"vibedefender": {
"command": "npx",
"args": ["github:yunusj/VibeDefender-MCP"]
}
}
}Talk to your AI agent in plain English:
What You Say | What Happens |
π¬ "Help me set up security scanning" | π§ AI installs Trivy, Semgrep, Nuclei with guided steps |
π¬ "Scan my code for security issues" | π Full scan: dependencies + code + runtime + artifacts |
π¬ "Check my code before I push" | β‘ Fast critical-only check (< 30 seconds) |
π¬ "Test my app on localhost" | π Starts dev server + runs live security tests |
π¬ "Check this URL for vulnerabilities" | π― Tests specific URL with authorization check |
Get professional security reports with actionable fixes:
β
All scans saved to: security-scan-20241220-143022/
βββ trivy-results.json (Dependency vulnerabilities)
βββ semgrep-results.json (Code security issues)
βββ nuclei-results.json (Runtime vulnerabilities)
βββ REPORT.md (Human-readable summary)βοΈ Configuration
Claude Code
Add to your Claude Code MCP settings:
{
"mcpServers": {
"vibedefender": {
"command": "npx",
"args": ["github:yunusj/VibeDefender-MCP"]
}
}
}Claude Desktop
Add to ~/Library/Application Support/Claude/claude_desktop_config.json:
{
"mcpServers": {
"vibedefender": {
"command": "npx",
"args": ["github:yunusj/VibeDefender-MCP"]
}
}
}Cursor
Add to Cursor's MCP settings (Settings β Features β MCP):
{
"mcpServers": {
"vibedefender": {
"command": "npx",
"args": ["github:yunusj/VibeDefender-MCP"]
}
}
}Google Antigravity
Same configuration as Claude Desktop.
π§ͺ Testing with MCP Inspector
Test the server before configuring in your editor:
npm install -g @modelcontextprotocol/inspector
npx @modelcontextprotocol/inspector npx github:yunusj/VibeDefender-MCPExpected: Web UI shows "Connected", lists all security:// resources and 5 workflow prompts.
π― Available Workflows
Workflow | Trigger Phrase | What It Does |
π§ | "Help me set up security scanning" | Checks installed tools, guides installation |
π | "Scan my code for security issues" | Full scan: static + runtime + artifacts |
β‘ | "Check my code before I push" | Fast check: critical issues only (< 30s) |
π | "Test my app on localhost" | Starts dev server + runs live tests |
π― | "Check this URL for vulnerabilities" | Tests specific URL (requires authorization) |
π οΈ Required Tools
The MCP guides you through installing these (just say "help me set up"):
Tool | Purpose | Install (macOS) |
π Trivy | CVE/dependency scanning |
|
π Semgrep | Static code analysis |
|
π Nuclei | Runtime testing (mandatory) |
|
ποΈ Metasploit Integration
Metasploit Framework is integrated for both discovery (reconnaissance) and exploitation phases.
Setup
Install external Metasploit MCP server:
# Clone the Metasploit MCP repository
git clone https://github.com/your-org/MetasploitMCP ~/MetasploitMCPSet environment variable (add to
~/.bashrcor~/.zshrc):
export METASPLOIT_MCP_PATH="$HOME/MetasploitMCP/start_mcp.sh"Verify installation:
npm run mcp:metasploit
# Should output: "Metasploit MCP Proxy running on stdio"Usage
Discovery Phase (Automatic):
Runs safe auxiliary modules for service detection
Port scanning and version detection
Correlates findings with CVE database
No exploitation attempts
Exploitation Phase (Requires Approval):
Executes exploits against validated vulnerabilities
Requires explicit human approval
Full session management and post-exploitation
Evidence gathering only (read-only)
Safety
β οΈ CRITICAL: Authorization Required
Only use on systems you own OR have written permission to test
Unauthorized access to computer systems is illegal
Discovery phase: Basic authorization sufficient
Exploitation phase: Explicit approval required
π Documentation
See
security://methodology/exploitationfor complete exploitation workflowSee
security://docs/metasploitfor detailed tool usageIncludes safety guidelines, workflow examples, and troubleshooting
π Available Resources
π Methodology Guides
Resource | Description |
| π How to find attack surface |
| π What to scan, in what order |
| β How to validate on live targets |
| π How to structure reports |
π Reference Documentation
Resource | Description |
| π¨ What CRITICAL/HIGH/MEDIUM/LOW mean |
| π Common weakness types |
| π‘οΈ OWASP vulnerability categories |
| π Browser automation choices |
π§ Tool Documentation
Resource | Description |
| π Overview of all tools |
| π Trivy quick start |
| π Semgrep quick start |
| π Nuclei quick start |
| π Playwright MCP info |
| ποΈ Metasploit basics |
π‘ Example Workflows
First Time Setup
You: Help me set up security scanning
AI: I'll check what tools you have installed...
[Runs version checks]
You're missing Trivy and Semgrep. Let me help you install them.
Trivy checks your dependencies for known vulnerabilities.
Run this to install: brew install aquasecurity/trivy/trivy
...Before Pushing Code
You: Check my code before I push
AI: Running quick pre-push security check...
[Runs trivy + semgrep for CRITICAL issues only]
β
All clear! No critical security issues found. Safe to push.
For a comprehensive scan including runtime testing, use the 'scan' workflow.Full Security Scan
You: Scan my code for security issues
AI: I see this is a Node.js project using Express.
First, checking for known vulnerabilities in dependencies...
[Runs trivy]
Found 3 critical issues in your packages:
1. lodash < 4.17.21 - allows prototype pollution
Fix: npm update lodash
...π Project Structure
src/
βββ index.ts # Main MCP server entry point
βββ resources/
β βββ static.ts # Bundled methodology & references
β βββ dynamic.ts # Tool documentation with search guidance
βββ prompts/
βββ workflows.ts # 5 user-friendly workflow promptsπ¨ Design Decisions
π« No execution tools - AI agents already have CLI access. We provide knowledge.
π¬ Plain English - Everything explained for non-technical users.
π Step-by-step - Prompts tell the AI exactly what to do at each step.
π Documentation proxy - Search patterns for always-current tool docs.
π¦ Minimal files - 4 files total, easy to understand and maintain.
π GitHub-based distribution - No npm publish, direct from source via npx.
π Browser Automation Options
For live testing that needs a browser:
Option | When to Use |
Playwright MCP | Claude Code, Cursor, most IDEs |
Browser Agent | Google Antigravity IDE (built-in) |
Puppeteer | If already in project |
π§ Troubleshooting
Build Errors
If you see TypeScript compilation errors when installing from GitHub:
npm cache clean --force
npx github:yunusj/VibeDefender-MCPMCP Server Not Connecting
Test with MCP Inspector first (see "Testing" section above)
Check Node.js version:
node --version(requires >= 22.0.0)Verify the server runs standalone:
npx github:yunusj/VibeDefender-MCP # Should output: "Security Knowledge MCP server running on stdio"Check editor configuration file syntax (valid JSON)
Restart your AI editor after configuration changes
Permission Errors
If you get EACCES errors:
# On Unix-like systems, the shebang should make it executable
# If not, manually set permissions on global install:
chmod +x $(which vibedefender-mcp)Update to Latest Version
npm cache clean --force
npx github:yunusj/VibeDefender-MCP
# Or for global install
npm uninstall -g vibedefender-mcp
npm install -g github:yunusj/VibeDefender-MCPβ οΈ Security Notice
β Only scan systems you are authorized to test
π Live validation (scan-url, scan-live) requires explicit authorization
π€ The AI will ask for confirmation before testing URLs
π Always get written permission before security testing
π‘οΈ Follow responsible disclosure practices
π€ Contributing
Contributions are welcome! Please feel free to submit a Pull Request.
π License
MIT License - see LICENSE for details
β Show Your Support
If VibeDefender helps secure your code, please star this repository!
Made with π‘οΈ by security professionals, for developers
Resources
Looking for Admin?
Admins can modify the Dockerfile, update the server description, and track usage metrics. If you are the server author, to access the admin panel.