Va Pentest
FreeNot checkedA Model Context Protocol server for automated security vulnerability assessment, combining OWASP Dependency-Check dependency scanning with custom code vulnerabi
About
A Model Context Protocol server for automated security vulnerability assessment, combining OWASP Dependency-Check dependency scanning with custom code vulnerability detection, and generating detailed HTML and JSON reports.
README
🔒 Model Context Protocol (MCP) Server for Security Vulnerability Assessment and Penetration Testing
A comprehensive Python-based MCP server that provides automated security scanning capabilities for projects. Combines OWASP Dependency-Check for dependency scanning with custom code vulnerability detection.
Features
🔍 Security Scanning
- Dependency Scanning: Uses OWASP Dependency-Check to identify known vulnerabilities in project dependencies
- Code Security Scanning: Custom regex-based vulnerability detection for:
- 🔐 Hardcoded Secrets (API keys, passwords, private keys, JWT tokens, database URLs, AWS credentials)
- 💉 SQL Injection patterns
- 🎯 Command Injection vulnerabilities
- ⚠️ Unsafe Operations (eval, pickle, dangerous imports, file permissions)
- 🌐 Cross-Site Scripting (XSS) vulnerabilities
- 🚶 Path Traversal vulnerabilities
📊 Report Generation
- HTML Reports: Beautiful, interactive HTML reports with vulnerability details and recommendations
- JSON Reports: Machine-readable JSON format for integration with other systems
- Comprehensive Summary: Risk assessment and vulnerability statistics
🛠️ MCP Protocol Support
- Full Model Context Protocol implementation
- Tool registration and management
- Resource handling
- Standardized request/response format
Installation
Prerequisites
- Python 3.8 or higher
- pip (Python package manager)
- OWASP Dependency-Check (optional - will attempt auto-install)
Setup
- Clone the repository
git clone https://github.com/banhongit7/va-pentest-mcp.git
cd va-pentest-mcp
- Create virtual environment
python -m venv venv
# On Windows
venv\Scripts\activate
# On macOS/Linux
source venv/bin/activate
- Install dependencies
pip install -r requirements.txt
- Install package
pip install -e .
Configuration
Environment Variables
Create a .env file in the project root:
# MCP Server Configuration
LOG_LEVEL=INFO
LOG_FILE=./logs/va-pentest-mcp.log
# Dependency Check Configuration
DEPENDENCY_CHECK_ENABLED=true
DEPENDENCY_CHECK_PATH=/path/to/dependency-check/bin/dependency-check
DEPENDENCY_CHECK_DB_DIR=./tools/dependency-check-db
# Code Scanner Configuration
CODE_SCANNER_ENABLED=true
SCAN_FOR_SECRETS=true
SCAN_FOR_SQL_INJECTION=true
SCAN_FOR_COMMAND_INJECTION=true
SCAN_FOR_UNSAFE_OPERATIONS=true
# Report Generation
GENERATE_HTML_REPORT=true
GENERATE_JSON_REPORT=true
# Python Path (for Windows)
PYTHONPATH=D:\mcp\va-pentest-mcp\src
MCP Configuration (config.json)
For OpenCode AI integration:
{
"$schema": "https://opencode.ai/config.json",
"mcp": {
"va-pentest-mcp": {
"type": "local",
"command": ["python", "-m", "va_pentest_mcp.server"],
"enabled": true,
"env": {
"PYTHONPATH": "D:\\mcp\\va-pentest-mcp\\src",
"PATH": "D:\\mcp\\va-pentest-mcp\\tools;{env:PATH}"
}
}
}
}
Usage
Starting the Server
python -m va_pentest_mcp.server
Or using the console script:
va-pentest-mcp
Available Tools
1. scan_dependencies
Scans project dependencies for known vulnerabilities using OWASP Dependency-Check.
{
"project_path": "/path/to/project"
}
2. scan_code
Scans source code for security vulnerabilities.
{
"project_path": "/path/to/project",
"file_extensions": [".py", ".js", ".java"] # Optional
}
3. scan_full
Runs complete security scan and generates reports.
{
"project_path": "/path/to/project",
"generate_reports": true
}
Project Structure
va-pentest-mcp/
├── src/
│ └── va_pentest_mcp/
│ ├── __init__.py # Package initialization
│ ├── server.py # Main MCP Server
│ ├── mcp_protocol.py # MCP Protocol Handler
│ ├── dependency_scanner.py # OWASP Dependency-Check Integration
│ ├── code_scanner.py # Custom Security Vulnerability Detection
│ ├── report_generator.py # HTML & JSON Report Generation
│ ├── config.py # Configuration Management
│ └── utils.py # Utility Functions
├── tools/ # External tools directory
│ ├── dependency-check/ # OWASP Dependency-Check binary
│ └── dependency-check-db/ # Vulnerability database
├── reports/ # Generated reports
│ ├── scan_report_YYYYMMDD_HHMMSS.html
│ └── scan_report_YYYYMMDD_HHMMSS.json
├── logs/ # Application logs
├── requirements.txt # Python dependencies
├── setup.py # Package setup script
├── README.md # This file
└── .gitignore # Git ignore rules
Vulnerability Detection
Hardcoded Secrets Detection
Detects:
- API Keys
- Passwords
- Private Keys (RSA, OPENSSH, DSA, EC)
- AWS Access Keys (AKIA...)
- JWT Tokens
- Database Connection Strings
Code Injection Detection
- SQL Injection via string concatenation, format strings, and direct queries
- Command Injection via os.system, subprocess, shell commands
Unsafe Operations
- eval() usage
- pickle/marshal usage
- Dangerous imports
- Insecure file permissions
Web Vulnerabilities
- XSS via innerHTML, dangerouslySetInnerHTML
- Path Traversal patterns
Report Output
HTML Report Features
- Executive Summary with Risk Assessment
- Vulnerability Statistics by Severity
- Detailed Vulnerability Listing
- Code Snippets with Line Numbers
- Remediation Recommendations
- Professional Styling
JSON Report Structure
{
"scan_info": {
"timestamp": "2024-01-01T12:00:00",
"project_path": "/path/to/project",
"scan_type": "Combined VA Scan"
},
"code_scan": {
"total_vulnerabilities": 5,
"vulnerabilities": [
{
"type": "Hardcoded Secret",
"severity": "CRITICAL",
"file": "config.py",
"line": 42,
"description": "Hardcoded API Key detected",
"recommendation": "Use environment variables instead"
}
]
},
"summary": {
"overall_risk": "HIGH",
"critical": 2,
"high": 3
}
}
Advanced Configuration
Custom File Extensions
file_extensions = ['.py', '.js', '.ts', '.java', '.go', '.rb', '.php', '.cs']
Severity Levels
- CRITICAL: Immediate action required
- HIGH: Significant security risk
- MEDIUM: Moderate risk, should be addressed
- LOW: Low risk, consider fixing
- INFO: Informational findings
Troubleshooting
dependency-check Not Found
# Try installing via pip
pip install dependency-check
# Or via npm
npm install -g dependency-check
# Or via homebrew (macOS)
brew install dependency-check
Permission Issues
# Make dependency-check executable
chmod +x /path/to/dependency-check
Windows Python Path
Ensure PYTHONPATH is correctly set in config.json:
"PYTHONPATH": "C:\\Users\\username\\va-pentest-mcp\\src"
Contributing
Contributions are welcome! Please feel free to submit a Pull Request.
License
MIT License - See LICENSE file for details
Security Note
This tool is designed for authorized security testing only. Always get proper authorization before testing security vulnerabilities in any system.
Support
For issues, questions, or suggestions:
- GitHub Issues: https://github.com/banhongit7/va-pentest-mcp/issues
- Email: [email protected]
VA Pentest MCP - Making security assessment automated and accessible 🚀
Installing Va Pentest
This server has no published package — it is built from source. Open the repository and follow its README.
▸ github.com/banhongit7/va-pentest-mcpFAQ
Is Va Pentest MCP free?
Yes, Va Pentest MCP is free — one-click install via Unyly at no cost.
Does Va Pentest need an API key?
No, Va Pentest runs without API keys or environment variables.
Is Va Pentest hosted or self-hosted?
Self-hosted: the server runs locally on your machine via the install command above.
How do I install Va Pentest in Claude Desktop, Claude Code or Cursor?
Open Va Pentest on unyly.org, pick your client tab (Claude Desktop, Claude Code, Cursor) and press Install — the config is generated automatically, no JSON editing.
Related MCPs
GitHub
PRs, issues, code search, CI status
by GitHubFilesystem
Secure file operations with configurable access controls.
Memory
Knowledge graph-based persistent memory system.
Template MCP Server
A CLI tool to create a new Model Context Protocol server project with TypeScript support, dual transport options, and an extensible structure
by mcpdotdirectCompare Va Pentest with
Not sure what to pick?
Find your stack in 60 seconds
Author?
Embed badge for your README
Browse similar
All development MCPs
