
mcp-sct
Cybersecurity MCP server. Scans code for OWASP Top 10 vulnerabilities (28 rules), checks dependencies for CVEs across 6 ecosystems, suggests AI-powered fixes (Ollama/OpenAI/Anthropic), and generates s
Topics: mcp, model-context-protocol, security
MCP-SCT - Security Code Testing
MCP server for cybersecurity analysis. Built with Go (core runtime) and Python (AI bridge).
Tools
| Tool | Description |
|---|---|
| scan_code | Static security analysis with 28 rules covering OWASP Top 10 |
| check_dependencies | CVE detection via OSV.dev for 6 ecosystems |
| suggest_fixes | AI-powered fix suggestions (Ollama, OpenAI, Anthropic) |
| generate_report | Security reports in Markdown, JSON, or SARIF 2.1.0 |
| run_security_test | Integration with semgrep, bandit, gosec, npm audit |
| get_security_guidelines | Best practices for 13+ security topics |
Security Rules (28 total)
- Python (9): SQL injection, command injection, XSS, hardcoded secrets, insecure deserialization, weak crypto, SSRF, insecure random, open redirect
- JavaScript/TypeScript (9): SQL injection, DOM-based XSS, command injection, hardcoded secrets, prototype pollution, NoSQL injection, path traversal, insecure cookies, ReDoS
- Go (5): SQL injection, command injection, path traversal, insecure TLS, error information leak
- Java (5): SQL injection, insecure deserialization, XXE, hardcoded secrets, log injection
Taint Analysis
Tracks data flow from user-controlled input (13 sources) through variable assignments to dangerous functions (23 sinks), and recognises sanitizers on the path so that values which have been cleaned before reaching a sink are not reported.
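The propagation described above, as an added example that is not part of the project's code: a minimal intra-procedural taint tracker in Go run over a constructed Python snippet. The source, sink and sanitizer tables are placeholders chosen for the example, not the project's 13 sources and 23 sinks, and calls are matched by text rather than from an AST, so this models the idea rather than reimplementing the tool.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding records a tainted value reaching a dangerous call.
type Finding struct {
	Line int    // 1-based line in the scanned snippet
	Sink string // dangerous function that received the value
	Var  string // variable carrying the taint, or "<inline source>"
}

// Hypothetical Python source/sink/sanitizer tables for this example; they
// are not the project's own 13-source / 23-sink lists.
var (
	sources    = []string{"request.args.get(", "request.form.get(", "sys.argv"}
	sinks      = []string{"os.system(", "subprocess.call(", "cursor.execute("}
	sanitizers = []string{"shlex.quote(", "html.escape("}
)

var (
	// "name = expr" but not "name == expr"; anchored at line start so a sink
	// call with an "=" inside its string argument is not read as an assignment.
	assignRe = regexp.MustCompile(`^\s*([A-Za-z_]\w*)\s*=\s*([^=].*)$`)
	identRe  = regexp.MustCompile(`[A-Za-z_]\w*`)
)

// stripSanitized removes every sanitizer(...) call together with its
// arguments, so a tainted name only counts when it escapes unsanitized.
func stripSanitized(expr string) string {
	for _, s := range sanitizers {
		for {
			start := strings.Index(expr, s)
			if start < 0 {
				break
			}
			depth, end := 0, -1
			for j := start + len(s) - 1; j < len(expr) && end < 0; j++ {
				switch expr[j] {
				case '(':
					depth++
				case ')':
					depth--
					if depth == 0 {
						end = j
					}
				}
			}
			if end < 0 { // unbalanced parentheses: drop the rest of the expression
				end = len(expr) - 1
			}
			expr = expr[:start] + expr[end+1:]
		}
	}
	return expr
}

// taintedIdent returns the first identifier in expr that is currently tainted.
func taintedIdent(expr string, tainted map[string]bool) string {
	for _, id := range identRe.FindAllString(stripSanitized(expr), -1) {
		if tainted[id] {
			return id
		}
	}
	return ""
}

// isTainted reports whether expr carries user input, either directly from a
// source call or via a tainted variable, once sanitizer calls are removed.
func isTainted(expr string, tainted map[string]bool) bool {
	clean := stripSanitized(expr)
	for _, s := range sources {
		if strings.Contains(clean, s) {
			return true
		}
	}
	return taintedIdent(clean, tainted) != ""
}

// Analyze walks the snippet top to bottom, propagating taint through
// assignments (reassigning a clean value clears it) and reporting every
// sink that receives a tainted argument.
func Analyze(src string) []Finding {
	tainted := map[string]bool{}
	var findings []Finding
	for i, line := range strings.Split(src, "\n") {
		if m := assignRe.FindStringSubmatch(line); m != nil {
			tainted[m[1]] = isTainted(m[2], tainted)
		}
		for _, sink := range sinks {
			idx := strings.Index(line, sink)
			if idx < 0 {
				continue
			}
			args := line[idx+len(sink):]
			if !isTainted(args, tainted) {
				continue
			}
			v := taintedIdent(args, tainted)
			if v == "" {
				v = "<inline source>"
			}
			findings = append(findings, Finding{i + 1, strings.TrimSuffix(sink, "("), v})
		}
	}
	return findings
}

// Constructed sample, not taken from any real code base.
const sample = `q = request.args.get("q")
cmd = "ls " + q
safe = shlex.quote(q)
os.system(cmd)
os.system("ls " + shlex.quote(q))
subprocess.call(safe)
cursor.execute(f"SELECT * FROM t WHERE name = {q}")`

func main() {
	for _, f := range Analyze(sample) {
		fmt.Printf("line %d: %s receives tainted %s\n", f.Line, f.Sink, f.Var)
	}
}
```

Taint is kept per variable and cleared on reassignment. Sanitizer calls are cut out with their arguments before identifiers are inspected, so `shlex.quote(q)` neither taints `safe` nor trips the sink on line 5, while `q` interpolated raw into the f-string on line 7 is still reported; only lines 4 and 7 produce findings.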
Dependency Checking
6 ecosystems: Go (go.mod), npm (package.json), PyPI (requirements.txt), Maven (pom.xml), Rust (Cargo.lock), PHP (composer.lock)
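To make the OSV.dev step concrete, here is an added example (not the project's code) that turns two of the listed manifests into the request body for OSV's batch endpoint, `POST https://api.osv.dev/v1/querybatch`. Nothing is sent; the point is what must be true of the input. OSV matches a package at one exact version, so a `requirements.txt` range such as `Django>=3.2` (or a `package.json` caret range, which is why a lockfile is the better input for npm) cannot be queried as written, and the parser reports such lines as skipped rather than dropping them silently. The sample manifests are constructed, and stripping the leading `v` from Go module versions is this example's assumption about OSV's Go ecosystem convention.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Request body for POST https://api.osv.dev/v1/querybatch: one query per
// package@version; the response lists matching vulnerability IDs per query.
type Package struct {
	Name      string `json:"name"`
	Ecosystem string `json:"ecosystem"`
}

type Query struct {
	Package Package `json:"package"`
	Version string  `json:"version"`
}

type BatchRequest struct {
	Queries []Query `json:"queries"`
}

// Exact pin with optional extras, e.g. "requests[security]==2.25.1".
var pinRe = regexp.MustCompile(`^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*==\s*([^\s;#]+)`)

// ParseRequirements keeps only exactly pinned lines. OSV needs a concrete
// version, so ranges like "Django>=3.2" are returned as skipped so the
// caller can warn instead of silently missing them.
func ParseRequirements(text string) (queries []Query, skipped []string) {
	for _, raw := range strings.Split(text, "\n") {
		line := strings.TrimSpace(raw)
		if line == "" || strings.HasPrefix(line, "#") || strings.HasPrefix(line, "-") {
			continue
		}
		m := pinRe.FindStringSubmatch(line)
		if m == nil {
			skipped = append(skipped, line)
			continue
		}
		queries = append(queries, Query{Package{m[1], "PyPI"}, m[2]})
	}
	return queries, skipped
}

// "module/path v1.2.3 [// indirect]", inside a require block or after "require".
var modReqRe = regexp.MustCompile(`^(?:require\s+)?(\S+)\s+v(\S+)`)

// ParseGoMod collects every required module. The leading "v" is dropped
// because OSV records Go versions without it (the convention osv-scanner
// follows); this is an assumption of the example, not something the page states.
func ParseGoMod(text string) []Query {
	var queries []Query
	inBlock := false
	for _, raw := range strings.Split(text, "\n") {
		line := strings.TrimSpace(raw)
		switch {
		case strings.HasPrefix(line, "require ("):
			inBlock = true
			continue
		case line == ")":
			inBlock = false
			continue
		case !inBlock && !strings.HasPrefix(line, "require "):
			continue
		}
		if m := modReqRe.FindStringSubmatch(line); m != nil {
			queries = append(queries, Query{Package{m[1], "Go"}, m[2]})
		}
	}
	return queries
}

// BuildBatch serialises the queries as the OSV batch request body.
func BuildBatch(queries []Query) ([]byte, error) {
	return json.Marshal(BatchRequest{Queries: queries})
}

// Constructed manifests, not from any real project.
const sampleRequirements = `# constructed sample
requests[security]==2.25.1
Django>=3.2
pyyaml == 5.3.1  # pinned
`

const sampleGoMod = `module example.com/app

go 1.21

require (
	github.com/gin-gonic/gin v1.9.0
	golang.org/x/crypto v0.14.0 // indirect
)
`

func main() {
	py, skipped := ParseRequirements(sampleRequirements)
	queries := append(py, ParseGoMod(sampleGoMod)...)
	body, err := BuildBatch(queries)
	if err != nil {
		panic(err)
	}
	fmt.Println(string(body))
	fmt.Println("skipped (no exact version):", skipped)
}
```

The batch response carries only vulnerability IDs per query; the CVE aliases, affected ranges and fixed versions come from a follow-up `GET /v1/vulns/{id}` for each ID, which is the data a fix suggestion needs.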
AI Fix Suggestions
3 providers, with graceful fallback to rule-based suggestions when no provider is available:
- Ollama (local, free)
- OpenAI (GPT-4o)
- Anthropic (Claude)
Report Formats
- Markdown - human-readable
- JSON - machine-readable
- SARIF 2.1.0 - GitHub Code Scanning / GitLab SAST integration
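An added example of the SARIF side (not the project's report generator): the smallest SARIF 2.1.0 document that GitHub Code Scanning will accept, built in Go from a constructed findings list. The JSON member names are SARIF's; the tool name, rule IDs and findings are invented for the demo.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Finding is a scanner result in the scanner's own terms.
type Finding struct {
	RuleID   string // e.g. "py-sql-injection" (hypothetical rule name)
	Title    string // one-line rule description
	Detail   string // message for this specific occurrence
	File     string // path relative to the repository root
	Line     int    // 1-based
	Severity string // "high", "medium", "low"
}

// Minimal SARIF 2.1.0 model: only the members a Code Scanning upload needs
// (tool with declared rules, results with a physical location).
type Report struct {
	Schema  string `json:"$schema"`
	Version string `json:"version"`
	Runs    []Run  `json:"runs"`
}

type Run struct {
	Tool    Tool     `json:"tool"`
	Results []Result `json:"results"`
}

type Tool struct {
	Driver Driver `json:"driver"`
}

type Driver struct {
	Name    string `json:"name"`
	Version string `json:"version,omitempty"`
	Rules   []Rule `json:"rules"`
}

type Rule struct {
	ID               string  `json:"id"`
	ShortDescription Message `json:"shortDescription"`
	DefaultConfig    Config  `json:"defaultConfiguration"`
}

type Config struct {
	Level string `json:"level"`
}

type Message struct {
	Text string `json:"text"`
}

type Result struct {
	RuleID    string     `json:"ruleId"`
	RuleIndex int        `json:"ruleIndex"`
	Level     string     `json:"level"`
	Message   Message    `json:"message"`
	Locations []Location `json:"locations"`
}

type Location struct {
	PhysicalLocation PhysicalLocation `json:"physicalLocation"`
}

type PhysicalLocation struct {
	ArtifactLocation ArtifactLocation `json:"artifactLocation"`
	Region           Region           `json:"region"`
}

type ArtifactLocation struct {
	URI       string `json:"uri"`
	URIBaseID string `json:"uriBaseId,omitempty"`
}

type Region struct {
	StartLine int `json:"startLine"`
}

// sarifLevel maps scanner severities onto SARIF's "error"/"warning"/"note".
func sarifLevel(sev string) string {
	switch sev {
	case "critical", "high":
		return "error"
	case "medium":
		return "warning"
	default:
		return "note"
	}
}

// BuildSARIF groups findings into one run: each distinct rule is declared
// once under tool.driver.rules and results point back at it by ruleIndex.
// Results starts non-nil so an empty scan still serialises as "results": [].
func BuildSARIF(toolName, toolVersion string, findings []Finding) Report {
	ruleIdx := map[string]int{}
	rules := []Rule{}
	results := []Result{}
	for _, f := range findings {
		idx, ok := ruleIdx[f.RuleID]
		if !ok {
			idx = len(rules)
			ruleIdx[f.RuleID] = idx
			rules = append(rules, Rule{f.RuleID, Message{f.Title}, Config{sarifLevel(f.Severity)}})
		}
		line := f.Line
		if line < 1 { // SARIF requires startLine >= 1
			line = 1
		}
		results = append(results, Result{
			RuleID:    f.RuleID,
			RuleIndex: idx,
			Level:     sarifLevel(f.Severity),
			Message:   Message{f.Detail},
			Locations: []Location{{PhysicalLocation{
				ArtifactLocation{f.File, "%SRCROOT%"},
				Region{line},
			}}},
		})
	}
	return Report{
		Schema:  "https://json.schemastore.org/sarif-2.1.0.json",
		Version: "2.1.0",
		Runs:    []Run{{Tool{Driver{toolName, toolVersion, rules}}, results}},
	}
}

// Constructed findings for the demo, not the output of any real scan.
var sampleFindings = []Finding{
	{"py-sql-injection", "SQL built from user input", "f-string query uses request parameter 'id'", "app/views.py", 42, "high"},
	{"py-sql-injection", "SQL built from user input", "string concatenation into cursor.execute", "app/models.py", 17, "high"},
	{"py-hardcoded-secret", "Hard-coded credential", "AWS secret key literal", "config.py", 3, "medium"},
}

func main() {
	out, err := json.MarshalIndent(BuildSARIF("mcp-sct-example", "0.0.0", sampleFindings), "", "  ")
	if err != nil {
		panic(err)
	}
	fmt.Println(string(out))
}
```

Two details matter for upload: `results` must be a JSON array even when empty (a nil Go slice serialises as `null` and fails schema validation), and `region.startLine` must be at least 1. Paths are relative with `uriBaseId` set to `%SRCROOT%`, which is what GitHub resolves against the checkout; the file is then uploaded with the `github/codeql-action/upload-sarif` action.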