MCP Security Scanner: Real-Time Protection for AI Code Assistants

This pattern describes how to implement a Model Context Protocol (MCP) server that integrates four industry-standard security scanning tools (Checkov, Semgrep, Bandit, and ASH) to provide comprehensive code security analysis. The server enables AI coding assistants to automatically scan code snippets and Infrastructure as Code (IaC) configurations for security vulnerabilities, misconfigurations, and compliance violations.

The solution combines Checkov for scanning IaC files (including Terraform, CloudFormation, and Kubernetes manifests), Semgrep for analyzing multiple programming languages (such as Python, JavaScript, Java, and others), Bandit for specialized Python security scanning, and ASH (Automated Security Helper) for comprehensive multi-tool scanning with aggregated results.

It provides a unified interface for security scanning with standardized response formats, making it easier to integrate security checks into development workflows. The pattern uses Python and the MCP framework to deliver automated security feedback, helping developers identify and address security issues early in the development process while learning about security best practices through detailed findings.

This pattern is particularly valuable for organizations looking to enhance their development security practices through AI-assisted coding tools, providing continuous security scanning capabilities across multiple programming languages and infrastructure definitions.

Key features:

• Delta scanning of new code segments, reducing computational overhead
• Isolated security tool environments preventing cross-tool contamination
• Seamless integration with AI tools (Amazon Q Developer, Kiro, others)
• Real-time security feedback during code generation
• Customizable scanning rules for organizational compliance

Demo

Code Scanning Demo

Try these sample prompts with your AI assistant:

1. "Scan the current script and tell me the results"
2. "Scan lines 20-60 and tell me the results"
3. "Scan this Amazon DynamoDB table resource and tell me the result"

Code Generation with Security Scanning Demo

Try these sample prompts to generate secure code:

1. "Generate a Terraform configuration to create a DynamoDB table with encryption enabled and scan it for security issues"
2. "Create a Python Lambda function that writes to DynamoDB and scan it for vulnerabilities"
3. "Generate a CloudFormation template for an S3 bucket with proper security settings and verify it passes security checks"
4. "Write a Python script to query DynamoDB with pagination and scan for security best practices"
5. "Create a Kubernetes deployment manifest for a microservice with security hardening and validate it"

Architecture

Features

This MCP server enables AI assistants to perform comprehensive security analysis on code snippets using four powerful security scanning tools:

🛡️ Checkov - Infrastructure as Code Security

• Scans Infrastructure as Code (IaC) files for security misconfigurations
• Supports: Terraform, CloudFormation, Kubernetes, Dockerfile, ARM, Bicep, and more
• Detects compliance violations and security best practices

🔍 Semgrep - Source Code Security

• Analyzes source code for security vulnerabilities and bugs
• Supports: Python, JavaScript, TypeScript, Java, Go, C/C++, C#, Ruby, PHP, Scala, Kotlin, Rust
• Uses security-focused rulesets for comprehensive analysis

🐍 Bandit - Python Security Specialist

• Specialized Python security scanner
• Detects common Python security issues like insecure functions, hardcoded secrets, injection vulnerabilities
• Provides detailed confidence and severity ratings

🚀 ASH - Automated Security Helper

• Comprehensive multi-tool security scanner
• Runs multiple scanners in paralle

... View full README on GitHub