Security Scanner
This pattern describes how to implement a Model Context Protocol (MCP) server that integrates three industry-standard security scanning tools (Checkov, Semgrep, and Bandit) to provide comprehensive code security analysis. The server enables AI coding
What is Security Scanner?
Security Scanner is a Model Context Protocol (MCP) server that allows AI assistants like Claude, Cursor, and VS Code to this pattern describes how to implement a model context protocol (mcp) server that integrates three industry-standard security scanning tools (checkov, semgrep, and bandit) to provide comprehensive co...
This pattern describes how to implement a Model Context Protocol (MCP) server that integrates three industry-standard security scanning tools (Checkov, Semgrep, and Bandit) to provide comprehensive code security analysis. The server enables AI coding
This server falls under the Security category on MCPgee, the world's largest MCP server directory with 33,000+ servers.
Features
- This pattern describes how to implement a Model Context Prot
Use Cases
Maintainer
Works with
Installation
Manual Installation
npx sample-mcp-security-scannerConfiguration
Configuration Details
claude_desktop_config.json
Performance
Response Metrics
Resource Usage
How to Set Up and Use Security Scanner
The Sample MCP Security Scanner is a Python-based MCP server from AWS Samples that integrates four industry-standard security tools — Checkov, Semgrep, Bandit, and ASH (Amazon Security Hub scanner) — into a single MCP interface. It enables AI coding assistants to perform real-time security analysis on infrastructure-as-code, application source code, and generated code snippets, providing unified findings across Terraform, CloudFormation, Kubernetes, Dockerfiles, Python, JavaScript, Java, Go, and more.
Prerequisites
- Python 3.9+ and pip installed
- Docker installed (required for ASH scanner; optional for other tools)
- Claude Desktop or another MCP-compatible client
- Git to clone the repository
Clone the repository
Clone the AWS sample repository to your local machine.
git clone https://github.com/aws-samples/sample-mcp-security-scanner.git
cd sample-mcp-security-scannerInstall the security scanning tools
Install Checkov, Semgrep, and Bandit via pip. ASH runs as a Docker container and does not require a separate pip install.
pip install checkov semgrep bandit fastmcpSet environment variables
Configure the workspace root and optional log level. WORKSPACE_ROOT tells the scanner where your project files are located.
export WORKSPACE_ROOT=/path/to/your/project
export FASTMCP_LOG_LEVEL=ERROR # or DEBUG for troubleshootingConfigure Claude Desktop
Add the security scanner MCP server to your Claude Desktop configuration file.
{
"mcpServers": {
"security-scanner": {
"command": "python",
"args": ["/absolute/path/to/sample-mcp-security-scanner/server.py"],
"env": {
"WORKSPACE_ROOT": "/absolute/path/to/your/project",
"FASTMCP_LOG_LEVEL": "ERROR"
}
}
}
}Restart Claude Desktop and run your first scan
Restart Claude Desktop after saving the config. You can now ask Claude to scan code or infrastructure files using Checkov, Semgrep, Bandit, or the combined ASH scanner.
# Available MCP tools:
# checkov_scan - IaC scanning (Terraform, CloudFormation, K8s, Dockerfile)
# semgrep_scan - Multi-language source code analysis
# bandit_scan - Python-specific security detection
# ash_scan - Comprehensive multi-tool scan (runs all tools in parallel)Security Scanner Examples
Client configuration
Complete Claude Desktop configuration for the MCP Security Scanner server.
{
"mcpServers": {
"security-scanner": {
"command": "python",
"args": [
"/Users/yourname/projects/sample-mcp-security-scanner/server.py"
],
"env": {
"WORKSPACE_ROOT": "/Users/yourname/projects/my-app",
"FASTMCP_LOG_LEVEL": "ERROR"
}
}
}
}Prompts to try
Security scanning prompts to use with Claude after configuring the MCP server.
- "Scan the current Terraform files and report any security issues"
- "Generate a CloudFormation template for an S3 bucket with proper security settings and scan it"
- "Create a Python Lambda function that writes to DynamoDB and scan it for vulnerabilities"
- "Scan lines 20-60 of main.py with Bandit and explain any findings"
- "Run a full ASH scan on this project and summarize the critical findings"Troubleshooting Security Scanner
checkov, semgrep, or bandit commands not found
Install the tools in the same Python environment that will run the MCP server: 'pip install checkov semgrep bandit'. If using a virtual environment, ensure it is activated when Claude Desktop launches the server, or specify the full path to the Python binary.
ASH scanner fails with Docker errors
ASH requires Docker to be running. Start the Docker daemon and ensure your user has permission to run Docker commands (add yourself to the 'docker' group on Linux: 'sudo usermod -aG docker $USER' then log out and back in).
Scan returns no results for existing files
Verify that WORKSPACE_ROOT is set to the correct absolute path of your project. The scanner resolves file paths relative to WORKSPACE_ROOT. Use DEBUG log level (FASTMCP_LOG_LEVEL=DEBUG) to see which paths are being scanned.
Frequently Asked Questions about Security Scanner
What is Security Scanner?
Security Scanner is a Model Context Protocol (MCP) server that this pattern describes how to implement a model context protocol (mcp) server that integrates three industry-standard security scanning tools (checkov, semgrep, and bandit) to provide comprehensive code security analysis. the server enables ai coding It connects AI assistants to external tools and data sources through a standardized interface.
How do I install Security Scanner?
Follow the installation instructions on the Security Scanner GitHub repository. Clone the repo, install dependencies, and add the server config to your AI client.
Which AI clients work with Security Scanner?
Security Scanner works with all major MCP-compatible AI clients including Claude Desktop, Claude Code, Cursor, VS Code (GitHub Copilot), Windsurf, and Cline.
Is Security Scanner free to use?
Yes, Security Scanner is open source and available under the MIT-0 license. You can use it freely in both personal and commercial projects.
Security Scanner Alternatives — Similar Security Servers
Looking for alternatives to Security Scanner? Here are other popular security servers you can use with Claude, Cursor, and VS Code.
Casdoor
★ 13.6kAn open-source Agent-first Identity and Access Management (IAM) /LLM MCP & agent gateway and auth server with web UI supporting OpenClaw, MCP, OAuth, OIDC, SAML, CAS, LDAP, SCIM, WebAuthn, TOTP, MFA, Face ID, Google Workspace, Azure AD
ghidraMCP
★ 9.0kAn Model Context Protocol server that enables LLMs to autonomously reverse engineer applications by exposing Ghidra's decompilation and analysis tools. It allows AI agents to list code structures, rename methods, and analyze binaries directly through
HexStrike AI
★ 8.9kHexStrike AI MCP Agents is an advanced MCP server that lets AI agents (Claude, GPT, Copilot, etc.) autonomously run 150+ cybersecurity tools for automated pentesting, vulnerability discovery, bug bounty automation, and security research. Seamlessly b
IDA Pro MCP
★ 8.7kEnables AI-assisted reverse engineering in IDA Pro by providing tools to analyze binaries, decompile functions, manage comments, search patterns, and interact with the IDA database through natural language.
Anthropic Cybersecurity Skills
★ 6.6k754 structured cybersecurity skills for AI agents · Mapped to 5 frameworks: MITRE ATT&CK, NIST CSF 2.0, MITRE ATLAS, D3FEND & NIST AI RMF · agentskills.io standard · Works with Claude Code, GitHub Copilot, Codex CLI, Cursor, Gemini CLI & 20+ platform
Hooker
★ 5.1k🔥🔥 hooker is a Frida-based reverse engineering toolkit for Android. It offers a user-friendly CLI, universal scripts, auto hook generation, memory roaming to detect activities/services, one-click SOCKS5 proxy setup, Frida JustTrustMe, and BoringSSL u
Browse More Security MCP Servers
Explore all security servers available in the MCPgee directory. Each server includes setup guides for Claude, Cursor, and VS Code.
Set Up Security Scanner in Your Editor
Choose your AI client for step-by-step setup instructions.
Quick Config Preview
Add this to your claude_desktop_config.json or .cursor/mcp.json
Ready to use Security Scanner?
Browse our complete directory of 33,000+ MCP servers, read setup guides for your editor, and start building with the Model Context Protocol.