MCP-SAST-Server

Provides an MCP server that orchestrates SAST tools, secret detection, dependencies, IaC security, and Kali tooling via Claude Code.
  • python

5

GitHub Stars

python

Language

6 months ago

First Indexed

2 months ago

Catalog Refreshed

Documentation & install

Readme and setup notes from the catalogue, plus a client-ready config you can copy for your MCP host.

Installation

Add the following to your MCP client configuration file.

Configuration

View docs
{
  "mcpServers": {
    "sengtocxoen-sast-mcp": {
      "command": "python",
      "args": [
        "/path/to/sast-mcp/client/sast_mcp_client.py",
        "--server",
        "http://YOUR_KALI_IP:6000"
      ]
    }
  }
}

You run a dedicated MCP server that connects Claude Code with a suite of security analysis tools, enabling automated, AI-assisted SAST, secret detection, dependency checks, IaC security, Kali Linux web/network tools, and more through simple MCP commands.

How to use

You interact with the MCP server by configuring Claude Code to communicate with the local or remote SAST MCP endpoint. Once configured, you can submit security analysis requests for your codebase, secret discovery, dependencies, infrastructure as code, and Kali Linux tools. Each request starts a background job and returns a job identifier you can use to poll progress and fetch results. Expect results to be saved to configured directories in multiple formats and ready for AI analysis.

Typical usage patterns include initiating a scan for a codebase with Semgrep or Bandit, checking Python or Node dependencies, inspecting Terraform or Kubernetes configurations, and running Kali Linux tools like Nmap or Nikto against targets. The system handles asynchronous execution, parallel scans, and result validation, so you can continue working while analyses run in the background.

How to install

Prerequisites vary by role. On the client workstation you need Python 3.8+ and Claude Code installed. On the server side (Kali Linux is recommended) you need Python 3.8+ and the security tools installed.

Step-by-step installation flow you can follow locally:

# 1) Clone the MCP-SAST-Server repository
git clone https://github.com/your-username/MCP-SAST-Server.git
cd MCP-SAST-Server

# 2) Install Python dependencies
pip install -r requirements.txt

# 3) Optional: prepare environment file
cp .env.example .env
# Edit .env with your settings (port, paths, timeouts)

Configure and start the server on Kali Linux (full-featured server recommended):

python3 server/sast_server.py --port 6000

Configure Claude Code on Windows to connect to the MCP server using the provided stdio configuration example. This defines the MCP client that runs the local Python script and talks to the Kali host at the specified address.

{
  "mcpServers": {
    "sast_tools": {
      "type": "stdio",
      "command": "python",
      "args": [
        "/path/to/sast-mcp/client/sast_mcp_client.py",
        "--server",
        "http://YOUR_KALI_IP:6000"
      ]
    }
  }
}

Additional configuration and notes

The server supports a configurable, multistage backend with parallel scans, result validation, and automatic file output. You can adjust timeouts, parallelism, and storage locations via a .env file. Example: set the default output directory, maximum workers, and job retention period to suit your environment.

Cross-platform path resolution automatically maps Windows paths to Linux mount points so you can reference files consistently from Claude Code regardless of the host OS.

Background processing ensures that scans run asynchronously. You can start multiple scans at once, monitor progress, and retrieve results when ready. Results are saved to a configured directory in JSON, TOON, and AI payload formats.

Security and maintenance

Hardening recommendations include restricting access to the MCP port with a firewall, adding API authentication for production use, and running the MCP server in an isolated VM or container. Regularly update all security tools to keep signatures current.

Monitor resource usage (memory, CPU, threads) and configure timeouts to prevent runaway scans. If a scan times out, partial results are saved so you do not lose data.

Troubleshooting

If you cannot connect to the SAST server, verify that the server is running on the expected host and port, check firewall rules, confirm Claude Code is pointed at the correct IP, and verify network connectivity between Windows and Kali.

If a path cannot be found during a scan, ensure the Windows share is mounted on Linux, confirm the MOUNT_POINT matches your configuration, and use forward slashes in Claude Code paths.

If a tool reports as unavailable in health checks, install the missing tool, verify it is in PATH, and test it manually (for example, run semgrep --version).

Project structure and notes

The project organizes client code, server code, tools, and configuration examples. Key components include the MCP client, the full-featured server, the lightweight server, and tool installation scripts. You can customize paths and configurations to fit your environment.

Available tools

Semgrep

Multi-language static analysis covering 30+ languages.

Bandit

Python security scanner.

ESLint Security

JavaScript/TypeScript security linting.

Gosec

Go security checker.

Brakeman

Ruby on Rails security scanner.

Graudit

Grep-based source code auditing.

Bearer

Security and privacy risk scanner.

TruffleHog

Secret scanner for git repos and filesystems.

Gitleaks

Fast secret detection for git repositories.

Safety

Python dependency vulnerability checker.

npm-audit

Node.js dependency security audit.

Dependency-Check

OWASP dependency scanner.

Snyk

Modern dependency and container scanner.

Checkov

Terraform, CloudFormation, Kubernetes, Dockerfile scanner.

tfsec

Terraform security scanner.

Trivy

Container and IaC vulnerability scanner.

Nikto

Web server vulnerability scanner.

Nmap

Network and port scanner.

SQLMap

SQL injection detection and exploitation.

WPScan

WordPress security scanner.

DIRB

Web content discovery scanner.

Lynis

System auditing and hardening tool.

ClamAV

Antivirus and malware scanner.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational