DevSecOps

v1.0.0 | Security | stable

A comprehensive Model Context Protocol (MCP) server that integrates SAST, DAST, IAST, SCA tools for AI-powered DevSecOps automation.

Stars: 16 | Downloads: 0 | Weekly: 0 | Rating: 0/5

What is DevSecOps?

DevSecOps is a Model Context Protocol (MCP) server that allows AI assistants like Claude, Cursor, and VS Code to drive SAST, DAST, IAST, and SCA tools for AI-powered DevSecOps automation.


This server falls under the Security category on MCPgee, the world's largest MCP server directory with 33,000+ servers.

Features

  • A comprehensive Model Context Protocol (MCP) server that integrates SAST, DAST, IAST, and SCA tools for AI-powered DevSecOps automation

Use Cases

Integrate SAST, DAST, IAST, and SCA security tools with AI.
Automate DevSecOps workflows for comprehensive code scanning.
Detect vulnerabilities across the software development lifecycle.
Maintainer: jmstar85
License: MIT
Language: TypeScript
Version: v1.0.0
Updated: Mar 30, 2026
Status: healthy
Maintenance: active

Works with

Clients: Claude, OpenAI
Platforms: Windows, macOS, Linux

Installation

Manual Installation

npx devsecops-mcp

Configuration

Configuration Details

Config File

claude_desktop_config.json

Performance

Response Metrics

Response Time: < 200ms
Throughput: Medium

Resource Usage

Memory Usage: Low
CPU Usage: Low

How to Set Up and Use DevSecOps

DevSecOps MCP is a security automation server that integrates four categories of application security testing — SAST (Semgrep, Bandit), DAST (OWASP ZAP), IAST (Trivy + ZAP hybrid), and SCA (npm audit, OSV Scanner, Trivy) — into a single MCP interface for AI assistants. It allows developers to trigger comprehensive security scans, generate reports in multiple formats (JSON, HTML, PDF, SARIF), and validate code against security policies all from a Claude conversation. It is intended for DevSecOps engineers who want to embed security scanning into AI-assisted code review and CI/CD workflows.

Prerequisites

  • Node.js 18 or later installed
  • A SonarQube instance or SonarCloud account with an API token (SONARQUBE_TOKEN)
  • OWASP ZAP installed and running with API access enabled (provides ZAP_API_KEY)
  • Optional: Trivy and OSV Scanner installed for container and dependency scanning
  • An MCP-compatible client such as Claude Desktop
1. Clone the repository

Clone the DevSecOps-MCP repository and navigate into it.

git clone https://github.com/jmstar85/DevSecOps-MCP.git
cd DevSecOps-MCP
2. Install Node.js dependencies

Install the required npm packages.

npm install
3. Configure environment variables

Copy the example env file and fill in your SonarQube token, ZAP API key, and other settings. Setting SECURITY_STRICT_MODE=true causes scans to fail fast on high-severity findings; the example below leaves it at false.

cp .env.example .env
# Edit .env and set:
# SONARQUBE_TOKEN=your_sonarqube_token
# ZAP_API_KEY=your_zap_api_key
# NODE_ENV=production
# MCP_PORT=3000
# SECURITY_STRICT_MODE=false
4. Build and start the MCP server

Compile the TypeScript source and start the server in MCP mode.

npm run build
npm run start:mcp
5. Add to Claude Desktop config

Add the DevSecOps MCP server to your Claude Desktop configuration. The server runs as a local HTTP MCP endpoint.

{
  "mcpServers": {
    "devsecops-mcp": {
      "command": "node",
      "args": ["/path/to/DevSecOps-MCP/dist/index.js"],
      "env": {
        "SONARQUBE_TOKEN": "your_sonarqube_token",
        "ZAP_API_KEY": "your_zap_api_key",
        "NODE_ENV": "production",
        "MCP_PORT": "3000",
        "SECURITY_STRICT_MODE": "false"
      }
    }
  }
}
6. Run the test suite to verify all scanners

Execute the built-in test script that verifies real vulnerability detection across all four security testing methodologies.

node test-all-security.js

DevSecOps Examples

Client configuration

The Claude Desktop config for DevSecOps MCP with SonarQube and ZAP credentials is the one shown in step 5 of the setup guide above.


Prompts to try

Example prompts for running security scans and generating reports through the six MCP tools.

- "Run a SAST scan on /path/to/my/source-code and report any high-severity findings"
- "Perform a DAST scan against http://localhost:8080 using OWASP ZAP"
- "Scan my project dependencies at /path/to/project for known CVEs using SCA"
- "Generate a security report in HTML format summarizing all scan results"
- "Validate my codebase against the OWASP Top 10 security policy"
- "Run a full IAST scan combining runtime analysis with static checks"

Troubleshooting DevSecOps

SAST scan fails with 'SonarQube connection refused' error

Verify that your SonarQube instance is running and accessible, and that SONARQUBE_TOKEN is a valid token with 'Execute Analysis' permissions. For SonarCloud, ensure the token is scoped to your organization. Check that the SonarQube URL in your configuration is correct.

DAST scan returns 'ZAP API key invalid' or fails to connect

Ensure OWASP ZAP is running in daemon mode with the API enabled: 'zap.sh -daemon -port 8090 -config api.key=your_zap_api_key'. Set ZAP_API_KEY in your .env to match the key you started ZAP with.

npm run build fails with TypeScript compilation errors

Ensure Node.js 18 or later is installed ('node --version'). Run 'npm install' again to ensure all devDependencies including the TypeScript compiler are present. If specific type errors appear, check that all required tools (Trivy, OSV Scanner) referenced in the code are either installed or their optional paths are unset.

Frequently Asked Questions about DevSecOps

What is DevSecOps?

DevSecOps is a Model Context Protocol (MCP) server that integrates SAST, DAST, IAST, and SCA tools for AI-powered DevSecOps automation. It connects AI assistants to external tools and data sources through a standardized interface.

How do I install DevSecOps?

Follow the installation instructions on the DevSecOps GitHub repository. Clone the repo, install dependencies, and add the server config to your AI client.

Which AI clients work with DevSecOps?

DevSecOps works with all major MCP-compatible AI clients including Claude Desktop, Claude Code, Cursor, VS Code (GitHub Copilot), Windsurf, and Cline.

Is DevSecOps free to use?

Yes, DevSecOps is open source and available under the MIT license. You can use it freely in both personal and commercial projects.

DevSecOps Alternatives — Similar Security Servers

Looking for alternatives to DevSecOps? Here are other popular security servers you can use with Claude, Cursor, and VS Code.

Casdoor

13.6k

An open-source Agent-first Identity and Access Management (IAM) /LLM MCP & agent gateway and auth server with web UI supporting OpenClaw, MCP, OAuth, OIDC, SAML, CAS, LDAP, SCIM, WebAuthn, TOTP, MFA, Face ID, Google Workspace, Azure AD

ghidraMCP

9.0k

A Model Context Protocol server that enables LLMs to autonomously reverse engineer applications by exposing Ghidra's decompilation and analysis tools. It allows AI agents to list code structures, rename methods, and analyze binaries directly through

HexStrike AI

8.9k

HexStrike AI MCP Agents is an advanced MCP server that lets AI agents (Claude, GPT, Copilot, etc.) autonomously run 150+ cybersecurity tools for automated pentesting, vulnerability discovery, bug bounty automation, and security research. Seamlessly b

IDA Pro MCP

8.7k

Enables AI-assisted reverse engineering in IDA Pro by providing tools to analyze binaries, decompile functions, manage comments, search patterns, and interact with the IDA database through natural language.

Anthropic Cybersecurity Skills

6.6k

754 structured cybersecurity skills for AI agents · Mapped to 5 frameworks: MITRE ATT&CK, NIST CSF 2.0, MITRE ATLAS, D3FEND & NIST AI RMF · agentskills.io standard · Works with Claude Code, GitHub Copilot, Codex CLI, Cursor, Gemini CLI & 20+ platform

Hooker

5.1k

🔥🔥 hooker is a Frida-based reverse engineering toolkit for Android. It offers a user-friendly CLI, universal scripts, auto hook generation, memory roaming to detect activities/services, one-click SOCKS5 proxy setup, Frida JustTrustMe, and BoringSSL u


Quick Config Preview

{
  "mcpServers": {
    "devsecops-mcp": {
      "command": "npx",
      "args": ["-y", "devsecops-mcp"]
    }
  }
}

Add this to your claude_desktop_config.json or .cursor/mcp.json
