Command Palette

Search for a command to run...

UnylyUnyly
Browse all

Code Security

FreeNot checked

An MCP server that exposes a 216-rule Kotlin/JVM security analyzer to AI coding agents, enabling real-time security scanning and secure pattern retrieval for fr

GitHubEmbed

About

An MCP server that exposes a 216-rule Kotlin/JVM security analyzer to AI coding agents, enabling real-time security scanning and secure pattern retrieval for frameworks like Spring and Ktor.

README

CI License: MIT Python 3.11+

A security MCP server for AI coding agents. It gives Claude Code, Cursor, and other agents real security findings while they write, not after — and each language is analyzed by its best native security tool, not one generic scanner stretched across everything.

A specialist, not a generalist. Kotlin is analyzed by detekt with a 216-rule, framework-aware ruleset (Spring, WebFlux, Ktor, Quarkus, Micronaut, Vert.x); Java by SpotBugs + FindSecBugs; Python by Bandit; C# by the Roslyn security analyzers; JS/TS by ESLint + eslint-plugin-security — each the established native security analyzer for its language, routed automatically.

New languages arrive as their own native analyzer — never a single lowest-common-denominator scanner.

Quickstart

git clone https://github.com/JasminGuberinic/code-security-mcp
cd code-security-mcp
python3 -m venv .venv && .venv/bin/pip install -e ".[python]"

# Download the analyzers into an isolated cache (nothing global is touched):
./scripts/setup.sh                              # Kotlin + Java
./scripts/setup.sh --with-dotnet --with-eslint  # + C# and JS/TS (optional)

The script prints the claude mcp add … command to paste. Python works out of the box — the [python] extra installs Bandit.

Why

Generic assistants and multi-language scanners are shallow on framework idioms — they don't know that a @GetMapping is missing @PreAuthorize, that a WebClient trusts all certificates, or that a Vert.x cookie isn't HttpOnly. This server wraps a 216-rule, framework-aware analyzer (the kotlin-security-scanner detekt ruleset) and exposes it to agents through three tools.

Design principle: each language is handled by its best native security analyzer — routed automatically — never a single lowest-common-denominator generic scanner.

Languages

Language Analyzer Analyzes
Kotlin detekt + the 216-rule framework-aware ruleset source (.kt, .kts)
Java SpotBugs + FindSecBugs compiled bytecode — point at the project root (it finds build/classes, target/classes, …), a classes dir, or a .jar (build first)
Python Bandit source (.py) — no build, just pip install
C# Roslyn security analyzers builds the project — point at a .sln, .csproj, or its directory
JavaScript / TypeScript ESLint + eslint-plugin-security source (.js, .ts, .jsx, .tsx, …)

Tools

Tool What it does
security_scan(path) Scan a file/directory (Kotlin, Java, Python, C#, or JS/TS) and return every security finding (rule, line, severity, CWE).
review_diff(diff) Review a unified diff and flag only the issues the change introduces — a pre-commit self-check.
secure_pattern(task, framework?) Get the vetted secure way to do a risky task — before writing it.

For Kotlin, security_scan returns security findings only — detekt's built-in style/complexity rules are switched off, so the agent gets signal, not noise.

Example

"What's the secure way to create a session cookie in Vert.x?"

// secure_pattern(task = "create a session cookie", framework = "vertx")  →  CWE-614
val cookie = Cookie.cookie("session", token)
    .setSecure(true)      // only sent over HTTPS
    .setHttpOnly(true)    // hidden from JavaScript
    .setSameSite(CookieSameSite.STRICT)
response.addCookie(cookie)

Architecture

Clean, hexagonal (ports & adapters). Dependencies point inward; the domain knows nothing about detekt or MCP.

server.py            MCP surface + composition root   (knows MCP)
   │
application/         use cases: scan / review_diff / secure_pattern
   │
domain/              Finding, ScanResult, ports         (pure vocabulary)
   ↑ implemented by
adapters/            DetektAnalyzer, JavaAnalyzer, RoutingAnalyzer,
                     SARIF & diff parsers, pattern catalog

A RoutingAnalyzer sends each target to the analyzers that support it, so the use cases treat "one language" and "many" identically. Adding a language = one new adapter implementing the same LanguageAnalyzer port — the domain and use cases do not change.

Requirements

  • Python 3.11+
  • Kotlin: a JDK + the detekt CLI jar + the ruleset jar(s)
  • Java: a JDK + the SpotBugs jar + the FindSecBugs plugin jar
  • Python: Bandit (pip install "code-security-mcp[python]") — no JDK, no jars
  • C#: the .NET SDK (its Roslyn security analyzers are built in)
  • JS/TS: Node.js + ESLint with eslint-plugin-security (and typescript-eslint)

Each analyzer is optional and enabled independently — configure only the languages you need. (Python auto-enables whenever Bandit is installed.)

Configuration

./scripts/setup.sh fills these in for you and prints the ready-to-paste command; the reference below is for when you want to point at your own tools. The server locates its tools through environment variables:

Variable Meaning
KSM_JAVA Path to the java executable (shared)
KSM_DETEKT_CLI_JAR Kotlin: detekt CLI (-all) jar
KSM_PLUGIN_JARS Kotlin: comma-separated ruleset jar(s)
KSM_DETEKT_CONFIG Kotlin: (optional) path to a detekt.yml
KSM_SPOTBUGS_JAR Java: SpotBugs engine jar
KSM_FINDSECBUGS_JARS Java: comma-separated plugin jar(s) (FindSecBugs)
KSM_JAVA_AUXCLASSPATH Java: (optional) comma-separated dependency jars/dirs for more accurate analysis
KSM_DOTNET_ROOT C#: root of the .NET SDK install
KSM_NUGET_PACKAGES C#: (optional) NuGet cache dir (keeps restores isolated)
KSM_DOTNET_CLI_HOME C#: (optional) dotnet CLI home dir (keeps state isolated)
KSM_ESLINT_BIN JS/TS: path to the ESLint executable
KSM_ESLINT_CONFIG JS/TS: path to the security flat config (see configs/)

Python needs no variables — install Bandit and it is used automatically.

Use with Claude Code

claude mcp add code-security -s user \
  -e KSM_JAVA=/path/to/java \
  -e KSM_DETEKT_CLI_JAR=/path/to/detekt-cli-<ver>-all.jar \
  -e KSM_PLUGIN_JARS=/path/to/scanner-core.jar,/path/to/scanner-spring-boot.jar,... \
  -- /path/to/.venv/bin/code-security-mcp

Then ask the agent, e.g. "run security_scan on src/Main.kt" or "review_diff on my staged changes".

Development

python3 -m venv .venv
.venv/bin/pip install -e ".[dev]"
.venv/bin/pytest

The test suite is hermetic — it uses fake analyzers and hand-built SARIF / diff / Bandit-JSON fixtures, so it needs no external analyzer (JDK, detekt, SpotBugs, or Bandit) to run.

Roadmap

Each new language arrives as its own native, framework-aware analyzer adapter (never a generic multi-language scanner):

  • Kotlin — detekt + the 216-rule framework-aware ruleset.
  • Java — SpotBugs + FindSecBugs.
  • Python — Bandit.
  • C# — Roslyn security analyzers.
  • JavaScript / TypeScript — ESLint + eslint-plugin-security.
  • Deeper C# via Security Code Scan (taint analysis).
  • Zero-setup: auto-resolve the analyzer runtimes and rulesets.

License

MIT — see LICENSE.


Keywords: MCP server, Model Context Protocol, Kotlin security, JVM security, SAST, static analysis, detekt, Spring Security, AI coding agent, Claude Code, Cursor, secure coding.

from github.com/JasminGuberinic/code-security-mcp

Install Code Security in Claude Desktop, Claude Code & Cursor

Recommended · one command, every IDE
unyly install code-security-mcp

Installs into Claude Desktop, Claude Code, Cursor & VS Code — handles npx, uvx and build-from-source repos for you.

First time? Get the CLI: curl -fsSL https://unyly.org/install | sh

Or configure manually

Run in your terminal:

claude mcp add code-security-mcp -- uvx --from git+https://github.com/JasminGuberinic/code-security-mcp code-security-mcp

FAQ

Is Code Security MCP free?

Yes, Code Security MCP is free — one-click install via Unyly at no cost.

Does Code Security need an API key?

No, Code Security runs without API keys or environment variables.

Is Code Security hosted or self-hosted?

Self-hosted: the server runs locally on your machine via the install command above.

How do I install Code Security in Claude Desktop, Claude Code or Cursor?

Open Code Security on unyly.org, pick your client tab (Claude Desktop, Claude Code, Cursor) and press Install — the config is generated automatically, no JSON editing.

Related MCPs

Compare Code Security with

Not sure what to pick?

Find your stack in 60 seconds

Author?

Embed badge for your README

Browse similar

All development MCPs