Nikto

A secure MCP server that enables AI agents to interact with the Nikto web server scanner for comprehensive web security scanning.
  • typescript

3

GitHub Stars

typescript

Language

6 months ago

First Indexed

2 months ago

Catalog Refreshed

Documentation & install

Readme and setup notes from the catalogue, plus a client-ready config you can copy for your MCP host.

Installation

Add the following to your MCP client configuration file.

Configuration

View docs
{
  "mcpServers": {
    "weldpua2008-nikto-mcp": {
      "command": "node",
      "args": [
        "/absolute/path/to/nikto-mcp/index.js"
      ],
      "env": {
        "LOG_LEVEL": "info",
        "NIKTO_MODE": "local",
        "NIKTO_BINARY": "/usr/local/bin/nikto",
        "SCAN_TIMEOUT": "3600",
        "MCP_STDOUT_LOGS": "allow",
        "NIKTO_DOCKER_IMAGE": "(not set)",
        "MAX_CONCURRENT_SCANS": "3",
        "NIKTO_DOCKER_NETWORK": "(not set)"
      }
    }
  }
}

You can run the Nikto MCP Server as a secure bridge between AI agents and the Nikto web scanner. It exposes a controlled, typed interface to initiate scans, manage results, and configure where and how scans run, with built-in safety features and optional remote management.

How to use

Use an MCP client to connect to the Nikto MCP Server. You will send scan requests, monitor progress, and retrieve results. The server supports local execution (via node with a Nikto-compatible index) and can be configured to run Nikto inside Docker for isolation. For common workflows, configure the MCP client with the provided stdio entry and start scans directly from your AI agent or MCP client frontend.

How to install

Prerequisites: you need Node.js 20 or newer and the Nikto scanner installed and accessible in your PATH. You also need an MCP client (for example MCP Inspector, VS Code MCP integration, Cursor, Windsurf, Claude Desktop, Goose, or similar). Install the Nikto MCP server configuration in your MCP client using the following steps.

{
  "mcpServers": {
    "nikto": {
      "command": "node",
      "args": ["/absolute/path/to/nikto-mcp/index.js"],
      "env": {
        "NIKTO_BINARY": "/usr/local/bin/nikto",
        "LOG_LEVEL": "info"
      }
    }
  }
}

Additional installation and run options

If you prefer running Nikto MCP with Docker for isolation, you can configure the server to run in docker mode. The configuration below shows how to pass environment variables for docker execution and logging.

{
  "mcpServers": {
    "nikto": {
      "command": "node",
      "args": ["/absolute/path/to/nikto-mcp/index.js"],
      "env": {
        "NIKTO_MODE": "docker",
        "NIKTO_DOCKER_IMAGE": "ghcr.io/sullo/nikto:latest",
        "NIKTO_DOCKER_NETWORK": "host",
        "LOG_LEVEL": "info"
      }
    }
  }
}

Prerequisites for different clients

Concrete steps to install and run the Nikto MCP Server with your preferred MCP client are described in the client guides. Use the stdio configuration shown above to integrate the Nikto MCP Server into your workflow.

Configuration

Environment variables control how scans run and how results are produced. The server exposes a number of options that you can tune via environment variables. These include the execution mode, the Docker image to use, the network mode, and logging level.

Security features and practices

The server emphasizes secure operation: input sanitization, validated targets and ports, sandboxed execution, and sensible timeouts. It prevents unintended command execution and conflicts between options by design.

Available tools and usage patterns

The server provides a set of tools to perform scans, check ongoing scan status, and stop scans. You can initialize a scan with a target URL and adjust parameters such as port, SSL usage, timeout, output format, and whether to perform a dry run.

Example usage

Typical usage in an MCP client involves sending a scan request with a target, then polling for status and retrieving the JSON output when complete.

Troubleshooting

If a scan does not start, verify that Nikto is accessible via the configured path, confirm the environment variables are set correctly, and check the logs for any sandboxing or timeout messages. Ensure that the selected mode (local or docker) matches the configuration and that the Docker image is available if using docker mode.

Notes on running and testing

To test the server locally, install the MCP Inspector tool and run the inspector against your Nikto MCP Server configuration to validate the integration before using it in production.

Example configuration blocks

{
  "mcpServers": {
    "nikto": {
      "command": "node",
      "args": ["/absolute/path/to/nikto-mcp/index.js"],
      "env": {
        "NIKTO_BINARY": "/usr/local/bin/nikto",
        "LOG_LEVEL": "info"
      }
    }
  }
}

Docker build and run

If you want to containerize the MCP server, you can build and run a Docker image that includes Nikto and the MCP server. This enables isolated scans and consistent environments across runs.

# Build the MCP server image with embedded Nikto
docker build -t nikto-mcp .

# Run the containerized MCP server
docker run --rm -i nikto-mcp

# Run with a custom configuration (local mode)
docker run --rm -i \
  -e NIKTO_MODE=local \
  -e LOG_LEVEL=debug \
  nikto-mcp

Environment variables

Key environment variables you may configure include: NIKTO_MODE, NIKTO_DOCKER_IMAGE, NIKTO_DOCKER_NETWORK, NIKTO_BINARY, LOG_LEVEL, MCP_STDOUT_LOGS, SCAN_TIMEOUT, MAX_CONCURRENT_SCANS.

Tools and endpoints

The Nikto MCP Server exposes tools for scanning, checking status, and stopping scans, enabling you to orchestrate comprehensive web security assessments from your MCP client.

Available tools

scan

Run Nikto Security Scan. Supports options to specify target, port, SSL, timeout, output format, and dry-run mode.

scan_status

Check the current status and results of an ongoing or completed scan by scanId.

stop_scan

Terminate a currently running scan by scanId.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational