DevSecOps
A comprehensive Model Context Protocol (MCP) server that integrates SAST, DAST, IAST, SCA tools for AI-powered DevSecOps automation.
What is DevSecOps?
DevSecOps is a Model Context Protocol (MCP) server that lets AI assistants like Claude, Cursor, and VS Code run SAST, DAST, IAST, and SCA tools for AI-powered DevSecOps automation.
This server falls under the Security category on MCPgee, the world's largest MCP server directory with 33,000+ servers.
Installation
Manual Installation
npx devsecops-mcp
How to Set Up and Use DevSecOps
DevSecOps MCP is a security automation server that integrates four categories of application security testing — SAST (Semgrep, Bandit), DAST (OWASP ZAP), IAST (Trivy + ZAP hybrid), and SCA (npm audit, OSV Scanner, Trivy) — into a single MCP interface for AI assistants. It allows developers to trigger comprehensive security scans, generate reports in multiple formats (JSON, HTML, PDF, SARIF), and validate code against security policies all from a Claude conversation. It is intended for DevSecOps engineers who want to embed security scanning into AI-assisted code review and CI/CD workflows.
Prerequisites
- Node.js 18 or later installed
- A SonarQube instance or SonarCloud account with an API token (SONARQUBE_TOKEN)
- OWASP ZAP installed and running with API access enabled (provides ZAP_API_KEY)
- Optional: Trivy and OSV Scanner installed for container and dependency scanning
- An MCP-compatible client such as Claude Desktop
Clone the repository
Clone the DevSecOps-MCP repository and navigate into it.
git clone https://github.com/jmstar85/DevSecOps-MCP.git
cd DevSecOps-MCP
Install Node.js dependencies
Install the required npm packages.
npm install
Configure environment variables
Copy the example env file and fill in your SonarQube token, ZAP API key, and other settings. SECURITY_STRICT_MODE=true causes scans to fail fast on high-severity findings.
cp .env.example .env
# Edit .env and set:
# SONARQUBE_TOKEN=your_sonarqube_token
# ZAP_API_KEY=your_zap_api_key
# NODE_ENV=production
# MCP_PORT=3000
# SECURITY_STRICT_MODE=false
Build and start the MCP server
Compile the TypeScript source and start the server in MCP mode.
npm run build
npm run start:mcp
Add to Claude Desktop config
Add the DevSecOps MCP server to your Claude Desktop configuration. The server runs as a local HTTP MCP endpoint.
{
  "mcpServers": {
    "devsecops-mcp": {
      "command": "node",
      "args": ["/path/to/DevSecOps-MCP/dist/index.js"],
      "env": {
        "SONARQUBE_TOKEN": "your_sonarqube_token",
        "ZAP_API_KEY": "your_zap_api_key",
        "NODE_ENV": "production",
        "MCP_PORT": "3000",
        "SECURITY_STRICT_MODE": "false"
      }
    }
  }
}
Run the test suite to verify all scanners
Execute the built-in test script that verifies real vulnerability detection across all four security testing methodologies.
node test-all-security.js
DevSecOps Examples
Client configuration
Claude Desktop config for DevSecOps MCP with SonarQube and ZAP credentials.
{
  "mcpServers": {
    "devsecops-mcp": {
      "command": "node",
      "args": ["/path/to/DevSecOps-MCP/dist/index.js"],
      "env": {
        "SONARQUBE_TOKEN": "your_sonarqube_token",
        "ZAP_API_KEY": "your_zap_api_key",
        "NODE_ENV": "production",
        "MCP_PORT": "3000",
        "SECURITY_STRICT_MODE": "false"
      }
    }
  }
}
Prompts to try
Example prompts for running security scans and generating reports through the six MCP tools.
- "Run a SAST scan on /path/to/my/source-code and report any high-severity findings"
- "Perform a DAST scan against http://localhost:8080 using OWASP ZAP"
- "Scan my project dependencies at /path/to/project for known CVEs using SCA"
- "Generate a security report in HTML format summarizing all scan results"
- "Validate my codebase against the OWASP Top 10 security policy"
- "Run a full IAST scan combining runtime analysis with static checks"
Troubleshooting DevSecOps
SAST scan fails with 'SonarQube connection refused' error
Verify that your SonarQube instance is running and accessible, and that SONARQUBE_TOKEN is a valid token with 'Execute Analysis' permissions. For SonarCloud, ensure the token is scoped to your organization. Check that the SonarQube URL in your configuration is correct.
DAST scan returns 'ZAP API key invalid' or fails to connect
Ensure OWASP ZAP is running in daemon mode with the API enabled: 'zap.sh -daemon -port 8090 -config api.key=your_zap_api_key'. Set ZAP_API_KEY in your .env to match the key you started ZAP with.
npm run build fails with TypeScript compilation errors
Ensure Node.js 18 or later is installed ('node --version'). Run 'npm install' again to ensure all devDependencies including the TypeScript compiler are present. If specific type errors appear, check that all required tools (Trivy, OSV Scanner) referenced in the code are either installed or their optional paths are unset.
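A pre-flight audit of the client configuration shown earlier, as an added example that is not part of the DevSecOps-MCP project: it flags placeholder credentials, a placeholder install path, an out-of-range MCP_PORT, and strict mode left off in production. The function name, the rule names, and the choice to treat SECURITY_STRICT_MODE=false in production as a finding are assumptions of this example.

```javascript
// Added example: audit an MCP client config before starting the server.
// Rule names and severity choices are this example's assumptions.
const REQUIRED_SECRETS = ["SONARQUBE_TOKEN", "ZAP_API_KEY"]; // from the prerequisites list
const PLACEHOLDER = /^(your_|changeme$|$)/i; // "your_..." template values, "changeme", or empty

function auditMcpConfig(config) {
  const findings = [];
  const servers = (config && config.mcpServers) || {};
  for (const [name, server] of Object.entries(servers)) {
    const env = server.env || {};
    const add = (rule, detail) => findings.push({ server: name, rule, detail });

    for (const key of REQUIRED_SECRETS) {
      if (!(key in env)) add("missing-secret", key);
      else if (PLACEHOLDER.test(String(env[key]).trim())) add("placeholder-secret", key);
    }
    // Strict mode makes scans fail fast on high-severity findings.
    const strict = String(env.SECURITY_STRICT_MODE).toLowerCase() === "true";
    if (env.NODE_ENV === "production" && !strict) {
      add("strict-mode-off", "SECURITY_STRICT_MODE is not true in production");
    }
    const port = Number(env.MCP_PORT);
    if (env.MCP_PORT !== undefined && !(Number.isInteger(port) && port > 0 && port < 65536)) {
      add("bad-port", String(env.MCP_PORT));
    }
    for (const arg of server.args || []) {
      if (String(arg).includes("/path/to/")) add("placeholder-path", String(arg));
    }
  }
  return findings;
}

// Constructed sample: the config block from the setup steps, pasted unchanged.
const SAMPLE = { mcpServers: { "devsecops-mcp": {
  command: "node",
  args: ["/path/to/DevSecOps-MCP/dist/index.js"],
  env: { SONARQUBE_TOKEN: "your_sonarqube_token", ZAP_API_KEY: "your_zap_api_key",
         NODE_ENV: "production", MCP_PORT: "3000", SECURITY_STRICT_MODE: "false" } } } };

for (const f of auditMcpConfig(SAMPLE)) console.log(`${f.server}: ${f.rule} (${f.detail})`);
```

The same function can be pointed at a parsed claude_desktop_config.json or .cursor/mcp.json; because those files hold the tokens in plaintext, keep them readable only by your own user account.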
Frequently Asked Questions about DevSecOps
What is DevSecOps?
DevSecOps is a comprehensive Model Context Protocol (MCP) server that integrates SAST, DAST, IAST, and SCA tools for AI-powered DevSecOps automation. It connects AI assistants to external tools and data sources through a standardized interface.
How do I install DevSecOps?
Follow the installation instructions on the DevSecOps GitHub repository. Clone the repo, install dependencies, and add the server config to your AI client.
Which AI clients work with DevSecOps?
DevSecOps works with all major MCP-compatible AI clients including Claude Desktop, Claude Code, Cursor, VS Code (GitHub Copilot), Windsurf, and Cline.
Is DevSecOps free to use?
Yes, DevSecOps is open source and available under the MIT license. You can use it freely in both personal and commercial projects.
DevSecOps Alternatives — Similar Security Servers
Looking for alternatives to DevSecOps? Here are other popular security servers you can use with Claude, Cursor, and VS Code.
Casdoor
★ 13.6k
An open-source Agent-first Identity and Access Management (IAM) /LLM MCP & agent gateway and auth server with web UI supporting OpenClaw, MCP, OAuth, OIDC, SAML, CAS, LDAP, SCIM, WebAuthn, TOTP, MFA, Face ID, Google Workspace, Azure AD
ghidraMCP
★ 9.0k
A Model Context Protocol server that enables LLMs to autonomously reverse engineer applications by exposing Ghidra's decompilation and analysis tools. It allows AI agents to list code structures, rename methods, and analyze binaries directly through
HexStrike AI
★ 8.9k
HexStrike AI MCP Agents is an advanced MCP server that lets AI agents (Claude, GPT, Copilot, etc.) autonomously run 150+ cybersecurity tools for automated pentesting, vulnerability discovery, bug bounty automation, and security research. Seamlessly b
IDA Pro MCP
★ 8.7k
Enables AI-assisted reverse engineering in IDA Pro by providing tools to analyze binaries, decompile functions, manage comments, search patterns, and interact with the IDA database through natural language.
Anthropic Cybersecurity Skills
★ 6.6k
754 structured cybersecurity skills for AI agents · Mapped to 5 frameworks: MITRE ATT&CK, NIST CSF 2.0, MITRE ATLAS, D3FEND & NIST AI RMF · agentskills.io standard · Works with Claude Code, GitHub Copilot, Codex CLI, Cursor, Gemini CLI & 20+ platform
Hooker
★ 5.1k
🔥🔥 hooker is a Frida-based reverse engineering toolkit for Android. It offers a user-friendly CLI, universal scripts, auto hook generation, memory roaming to detect activities/services, one-click SOCKS5 proxy setup, Frida JustTrustMe, and BoringSSL u