Command Palette

Search for a command to run...

UnylyUnyly
Весь каталог

Security Scan Server

БесплатноНе проверен

An MCP server that provides CVE-driven security prompts for code review, enabling coding agents to get actionable security checks based on real vulnerabilities.

GitHubEmbed

Описание

An MCP server that provides CVE-driven security prompts for code review, enabling coding agents to get actionable security checks based on real vulnerabilities.

README

An MCP (Model Context Protocol) server that provides CVE-driven security prompts for code review.

What This Does

Security review checklists derived from real CVEs.

  1. Build phase: Ingests thousands of CVEs from NVD, then uses Claude to categorize them into generic software types (web-server, database, mobile-app, etc.)
  2. Runtime: Coding agents query "what security issues should I look for in a web server?" and get actionable prompts based on actual vulnerabilities that have occurred in that type of software

This means security guidance is:

  • Data-driven: Based on real CVEs, not theoretical vulnerabilities
  • Type-specific: Different checks for web servers vs databases vs mobile apps
  • Actionable: Written for code review, not product-specific

Installation

npm install
npm run build

Setup

Build the security prompts database

# 1. Ingest CVEs from NVD (can use NVD_API_KEY for faster rate)
npm run ingest

# 2. Build security prompts using Claude
ANTHROPIC_API_KEY=your-key npm run build-prompts

This analyzes all CVEs and creates a database of security check prompts organized by software type.

Usage as MCP Server

Add to your Claude Code configuration:

claude mcp add security-scan -- node /path/to/security-scan-mcp/dist/index.js

Or add to .claude.json:

{
  "mcpServers": {
    "security-scan": {
      "command": "node",
      "args": ["/path/to/security-scan-mcp/dist/index.js"]
    }
  }
}

MCP Tools

Security Prompts (Core Feature)

list_software_types

List all software types that have security prompts available.

Returns types like web-server, database, api-server, mobile-app, etc., along with:

  • code_signals: How to identify this type in code (e.g., "HTTP handling", "SQL queries")
  • prompt_count: Number of security checks available for this type

get_security_prompts_for_type

Get all security check prompts for a specific software type.

Parameters:

  • type_id (string, required): e.g., "web-server", "database"
  • severity (string, optional): Filter by critical/high/medium/low
  • format (string, optional): "json" or "checklist"

Returns: Security checks like:

{
  "title": "Header size validation",
  "check_prompt": "Verify that HTTP header sizes are validated before processing...",
  "severity": "high",
  "based_on_cves": ["CVE-2021-xxxx", "CVE-2022-yyyy"]
}

search_security_prompts

Full-text search across all security prompts.

Parameters:

  • query (string, required): e.g., "SQL injection", "buffer overflow"
  • limit (number, optional): Maximum results

Agent Workflow

1. Agent starts working on a codebase

2. Agent calls list_software_types
   → Sees types: web-server, database, api-server...
   → Sees code_signals for each type

3. Agent recognizes: "This code has Express routes, HTTP handling"
   → Matches "web-server" type

4. Agent calls get_security_prompts_for_type("web-server")
   → Gets 20+ security checks derived from real CVEs
   → "Verify header sizes are validated..."
   → "Check for request smuggling vulnerabilities..."

5. Agent reviews code against each prompt

CVE/CWE Database Tools

search_cves

Search the CVE database using full-text search.

get_cwe_info

Get detailed information about a specific CWE.

get_cves_by_cwe

Get CVEs related to a specific CWE.

get_top_cwes

Get the most dangerous CWEs for an application type.

get_database_stats

Get statistics about the vulnerability database.

How It Works

Building Security Prompts

  1. CVE Ingestion: Fetches CVEs from NVD API
  2. Analysis: Sends CVEs to Claude in batches
  3. Categorization: Claude identifies generic software type (web-server, database, etc.)
  4. Prompt Generation: Claude extracts the vulnerability pattern and creates actionable check prompts
  5. Storage: Saves to SQLite with full-text search

Database Schema

-- Software types (web-server, database, etc.)
software_types (
  type_id TEXT,           -- e.g., "web-server"
  name TEXT,              -- e.g., "Web Servers"
  description TEXT,
  code_signals TEXT       -- JSON: how to identify this type in code
)

-- Security check prompts by type
security_prompts (
  type_id TEXT,           -- References software_types
  title TEXT,             -- e.g., "Header size validation"
  check_prompt TEXT,      -- The actual prompt for code review
  severity TEXT,          -- critical/high/medium/low
  based_on_cves TEXT      -- JSON: CVE IDs this was derived from
)

Environment Variables

Variable Description Required
ANTHROPIC_API_KEY Claude API key for building security prompts For build-prompts
NVD_API_KEY API key for NVD CVE access Optional (rate limited without)
SECURITY_SCAN_DATA_DIR Database location Default: ~/.security-scan-mcp

CLI Testing

Test the MCP functions directly from the command line:

npm run cli help                    # Show all commands
npm run cli list-types              # List software types
npm run cli get-prompts web-server  # Get prompts for a type
npm run cli get-prompts web-server --severity critical --checklist
npm run cli search-prompts "SQL injection"
npm run cli search-cves "apache"
npm run cli cwe 79                  # Get CWE info
npm run cli top-cwes web            # Top CWEs for app type
npm run cli stats                   # Database statistics

Development

npm run build         # Build TypeScript
npm run dev           # Run in development mode
npm run ingest        # Ingest CVEs from NVD
npm run build-prompts # Build security prompts (requires ANTHROPIC_API_KEY)
npm run cli           # Test MCP functions via CLI
npm test              # Run tests

License

MIT

from github.com/chrischabot/security-scan-mcp

Установка Security Scan Server

У этого сервера нет опубликованного пакета — он собирается из исходников. Открой репозиторий и следуй инструкции в README.

▸ github.com/chrischabot/security-scan-mcp

FAQ

Security Scan Server MCP бесплатный?

Да, Security Scan Server MCP бесплатный — установка в пару кликов через Unyly без оплаты.

Нужен ли API-ключ для Security Scan Server?

Нет, Security Scan Server работает без API-ключей и переменных окружения.

Security Scan Server — hosted или self-hosted?

Доступен hosted-вариант: Unyly запускает сервер в облаке, локальная установка не обязательна.

Как установить Security Scan Server в Claude Desktop, Claude Code или Cursor?

Открой Security Scan Server на unyly.org, выбери вкладку своего клиента (Claude Desktop, Claude Code, Cursor) и нажми Install — конфиг сгенерируется автоматически, без правки JSON.

Похожие MCP

Compare Security Scan Server with

Не уверен что выбрать?

Найди свой стек за 60 секунд

Автор?

Embed-бейдж для README

Похожее

Все в категории development