🦡 codebadger

A containerized Model Context Protocol (MCP) server providing static code analysis using Joern's Code Property Graph (CPG) technology with support for Java, C/C++, JavaScript, Python, Go, Kotlin, C#, Ghidra, Jimple, PHP, Ruby, and Swift.

News

codebadger and its accompanying paper — Bridging Code Property Graphs and Language Models for Program Analysis — have been accepted at the Software Vulnerability Management Workshop @ ICSE 2026. 🎉

Citation

@article{lekssays2026bridging,
  title={Bridging Code Property Graphs and Language Models for Program Analysis},
  author={Lekssays, Ahmed},
  journal={arXiv preprint arXiv:2603.24837},
  year={2026}
}

Found a vulnerability using codebadger?

If codebadger helped you discover a real-world vulnerability, we'd love to hear about it. Open a pull request adding it to TROPHIES.md — include the CVE ID, project, a one-line description, and the date.

Prerequisites

Before you begin, make sure you have:

• Docker and Docker Compose installed
• Python 3.10+ (Python 3.13 recommended)
• pip (Python package manager)

To verify your setup:

docker --version
docker-compose --version
python --version

Quick Start

1. Install Python Dependencies

# Create a virtual environment (optional but recommended)
python -m venv venv

# Install dependencies
pip install -r requirements.txt

2. Start the Docker Services (Joern)

docker compose up -d

This starts:

• Joern Server: Static code analysis engine (runs CPG generation and queries)

Verify services are running:

docker compose ps

3. Start the MCP Server

# Start the server
python main.py &

The MCP server will be available at http://localhost:4242.

4. Stop All Services

# Stop MCP server (Ctrl+C in terminal)

# Stop Docker services
docker-compose down
# Optional: Clean up everything
bash cleanup.sh

Cleanup Script

Use the provided cleanup script to reset your environment:

bash cleanup.sh

This will:

• Stop and remove Docker containers
• Kill orphaned Joern/MCP processes
• Clear Python cache (__pycache__, .pytest_cache)
• Optionally clear the playground directory (CPGs and cached codebases)

Integrations

GitHub Copilot Integration

Edit the MCP configuration file for VS Code (GitHub Copilot):

Path:

~/.config/Code/User/mcp.json

Example configuration:

{
  "inputs": [],
  "servers": {
    "codebadger": {
      "url": "http://localhost:4242/mcp",
      "type": "http"
    }
  }
}

Claude Code Integration

To integrate codebadger into Claude Desktop, edit:

Path:

Claude → Settings → Developer → Edit Config → claude_desktop_config.json

Add the following:

{
  "mcpServers": {
    "codebadger": {
      "url": "http://localhost:4242/mcp",
      "type": "http"
    }
  }
}

Available Tools

Core

• generate_cpg: Generate a Code Property Graph (CPG) for a codebase (local path or GitHub URL).
• get_cpg_status: Check whether a CPG exists and retrieve status metadata.
• run_cpgql_query: Execute a raw CPGQL query against a CPG and return structured results.
• get_cpgql_syntax_help: Show CPGQL syntax helpers, tips, and common error fixes.

Code browsing

• list_methods: List methods/functions with optional regex/file filters.
• list_files: Show source files as a paginated tree view.
• get_method_source: Retrieve the source code for a named method.
• list_calls: List call sites between functions (caller → callee).
• get_call_graph: Build a human-readable call graph (incoming or outgoing).
• list_parameters: Get parameter names, types, and order for a method.
• get_codebase_summary: High-level metrics (files, methods, calls, language).
• get_code_snippet: Return a file snippet by start/end line numb

... View full README on GitHub