DevSecOps MCP Server

A comprehensive Model Context Protocol (MCP) server that integrates Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), Interactive Application Security Testing (IAST), and Software Composition Analysis (SCA) tools for AI-powered DevSecOps automation.

🚀 Features

• SAST Integration: ✅ Semgrep, Bandit (verified)
• DAST Integration: ✅ OWASP ZAP (verified)
• IAST Integration: ✅ Trivy + OWASP ZAP hybrid (verified)
• SCA Integration: ✅ npm audit, OSV Scanner, Trivy (verified)
• Comprehensive Security Reports: JSON, HTML, PDF, SARIF formats
• Policy Enforcement: Configurable security thresholds and gates
• Docker Support: Full containerization with security tools
• Real-time Monitoring: Performance metrics and logging
• 100% Open Source: No commercial tool dependencies
• AI-Powered Analysis: Claude integration for intelligent security insights

🛠️ Architecture

src/
├── mcp/
│   ├── server.ts           # Main MCP server
│   ├── tools/
│   │   ├── sast-tool.ts    # SAST integration
│   │   ├── dast-tool.ts    # DAST integration  
│   │   ├── iast-tool.ts    # IAST integration
│   │   └── sca-tool.ts     # SCA integration
│   └── connectors/
│       ├── sonarqube.ts
│       ├── zap.ts
│       ├── trivy.ts
│       └── osv-scanner.ts
├── config/
│   ├── security-rules.yml
│   └── tool-configs.json
└── tests/security/

🔧 Installation

Prerequisites

• Node.js 18+
• Python 3.8+ (for security tools)
• Docker & Docker Compose (for containerized deployment)

Required Security Tools Installation (verified)

# SAST tools
pip3 install semgrep bandit

# DAST tools (Docker)
docker pull owasp/zap2docker-stable

# SCA tools (npm audit is included with Node.js)
# OSV Scanner (optional)
wget -qO- https://github.com/google/osv-scanner/releases/latest/download/osv-scanner_linux_amd64.tar.gz | tar -xz -C /usr/local/bin

# Trivy (optional)  
wget -qO- https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh

Local Development

1. Clone the repository

   git clone <repository-url>
   cd DevSecOps-MCP
   

2. Install dependencies

   npm install
   

3. Configure environment

   cp .env.example .env
   # Edit .env with your tool credentials
   

4. Build the project

   npm run build
   

5. Start the server

   npm run start:mcp
   

Docker Deployment

1. Using Docker Compose (Recommended)

   # Copy environment file
   cp .env.example .env
   # Edit .env with your credentials
   
   # Start all services
   docker-compose up -d
   

2. Using Docker directly

   # Build image
   docker build -t devsecops-mcp .
   
   # Run container
   docker run -p 3000:3000 --env-file .env devsecops-mcp
   

🔌 MCP Client Configuration

To use this MCP server with Claude Desktop or other MCP clients, you need to configure the client settings.

Claude Desktop Configuration

1. Locate the Claude Desktop config file:

   • macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
   • Windows: %APPDATA%\Claude\claude_desktop_config.json

2. Add the DevSecOps MCP server configuration:

   {
     "mcpServers": {
       "devsecops": {
         "command": "node",
         "args": ["dist/src/mcp/server.js"],
         "cwd": "/path/to/DevSecOps-MCP",
         "env": {
           "NODE_ENV": "production",
           "MCP_PORT": "3000",
           "LOG_LEVEL": "info",
           "SECURITY_STRICT_MODE": "true"
         }
       }
     }
   }
   

3. Alternative: Use the provided configuration file:

   # Copy the provided configuration
   cp .mcprc.json ~/Library/Application\ Support/Claude/claude_desktop_config.json
   
   # Edit the cwd path to match your installation
   

Other MCP Clients

For other MCP clients, use

... View full README on GitHub