DefectDojo MCP Server

This project provides a Model Context Protocol (MCP) server implementation for DefectDojo, a popular open-source vulnerability management tool. It allows AI agents and other MCP clients to interact with the DefectDojo API programmatically.

Features

This MCP server exposes tools for managing key DefectDojo entities:

• Findings: Fetch, search, create, update status, and add notes.
• Products: List available products.
• Engagements: List, retrieve details, create, update, and close engagements.

Installation & Running

There are a couple of ways to run this server:

Using uvx (Recommended)

uvx executes Python applications in temporary virtual environments, installing dependencies automatically.

uvx defectdojo-mcp

Using pip

You can install the package into your Python environment using pip.

# Install directly from the cloned source code directory
pip install .

# Or, if the package is published on PyPI
pip install defectdojo-mcp

Once installed via pip, run the server using:

defectdojo-mcp

Configuration

The server requires the following environment variables to connect to your DefectDojo instance:

• DEFECTDOJO_API_TOKEN (required): Your DefectDojo API token for authentication.
• DEFECTDOJO_API_BASE (required): The base URL of your DefectDojo instance (e.g., https://your-defectdojo-instance.com).

You can configure these in your MCP client's settings file. Here's an example using the uvx command:

{
  "mcpServers": {
    "defectdojo": {
      "command": "uvx",
      "args": ["defectdojo-mcp"],
      "env": {
        "DEFECTDOJO_API_TOKEN": "YOUR_API_TOKEN_HERE",
        "DEFECTDOJO_API_BASE": "https://your-defectdojo-instance.com"
      }
    }
  }
}

If you installed the package using pip, the configuration would look like this:

{
  "mcpServers": {
    "defectdojo": {
      "command": "defectdojo-mcp",
      "args": [],
      "env": {
        "DEFECTDOJO_API_TOKEN": "YOUR_API_TOKEN_HERE",
        "DEFECTDOJO_API_BASE": "https://your-defectdojo-instance.com"
      }
    }
  }
}

Available Tools

The following tools are available via the MCP interface:

• get_findings: Retrieve findings with filtering (product_name, status, severity) and pagination (limit, offset).
• search_findings: Search findings using a text query, with filtering and pagination.
• update_finding_status: Change the status of a specific finding (e.g., Active, Verified, False Positive).
• add_finding_note: Add a textual note to a finding.
• create_finding: Create a new finding associated with a test.
• list_products: List products with filtering (name, prod_type) and pagination.
• list_engagements: List engagements with filtering (product_id, status, name) and pagination.
• get_engagement: Get details for a specific engagement by its ID.
• create_engagement: Create a new engagement for a product.
• update_engagement: Modify details of an existing engagement.
• close_engagement: Mark an engagement as completed.

(See the original README content below for detailed usage examples of each tool)

Usage Examples

(Note: These examples assume an MCP client environment capable of calling use_mcp_tool)

Get Findings

# Get active, high-severity findings (limit 10)
result = await use_mcp_tool("defectdojo", "get_findings", {
    "status": "Active",
    "severity": "High",
    "limit": 10
})

Search Findings

# Search for findings containing 'SQL Injection'
result = await use_mcp_tool("defectdojo", "search_findings", {
    "query": "SQL Injection"
})

Update Finding Status

... View full README on GitHub