This pattern describes how to implement a Model Context Protocol (MCP) server that integrates three industry-standard security scanning tools (Checkov, Semgrep, and Bandit) to provide comprehensive code security analysis. The server enables AI coding assistants to automatically scan code snippets and Infrastructure as Code (IaC) configurations for security vulnerabilities, misconfigurations, and compliance violations.
The solution combines Checkov for scanning IaC files (including Terraform, CloudFormation, and Kubernetes manifests), Semgrep for analyzing multiple programming languages (such as Python, JavaScript, Java, and others), and Bandit for specialized Python security scanning.
It provides a unified interface for security scanning with standardized response formats, making it easier to integrate security checks into development workflows. The pattern uses Python and the MCP framework to deliver automated security feedback, helping developers identify and address security issues early in the development process while learning about security best practices through detailed findings.
This pattern is particularly valuable for organizations looking to enhance their development security practices through AI-assisted coding tools, providing continuous security scanning capabilities across multiple programming languages and infrastructure definitions.
Key features:
- Delta scanning of new code segments, reducing computational overhead
- Isolated security tool environments preventing cross-tool contamination
- Seamless integration with AI tools (Amazon Q Developer, Kiro, others)
- Real-time security feedback during code generation
- Customizable scanning rules for organizational compliance
Try these sample prompts with your AI assistant:
- "Scan the current script and tell me the results"
- "Scan lines 20-60 and tell me the results"
- "Scan this Amazon DynamoDB table resource and tell me the result"
Try these sample prompts to generate secure code:
- "Generate a Terraform configuration to create a DynamoDB table with encryption enabled and scan it for security issues"
- "Create a Python Lambda function that writes to DynamoDB and scan it for vulnerabilities"
- "Generate a CloudFormation template for an S3 bucket with proper security settings and verify it passes security checks"
- "Write a Python script to query DynamoDB with pagination and scan for security best practices"
- "Create a Kubernetes deployment manifest for a microservice with security hardening and validate it"
This MCP server enables AI assistants to perform comprehensive security analysis on code snippets using three widely used security scanning tools:
Checkov:
- Scans Infrastructure as Code (IaC) files for security misconfigurations
- Supports: Terraform, CloudFormation, Kubernetes, Dockerfile, ARM, Bicep, and more
- Detects compliance violations and deviations from security best practices
Semgrep:
- Analyzes source code for security vulnerabilities and bugs
- Supports: Python, JavaScript, TypeScript, Java, Go, C/C++, C#, Ruby, PHP, Scala, Kotlin, Rust
- Uses security-focused rulesets for comprehensive analysis
Bandit:
- Specialized Python security scanner
- Detects common Python security issues such as insecure functions, hardcoded secrets, and injection vulnerabilities
- Provides a confidence rating and a severity rating for each finding
Note: The following instructions are for macOS/Linux. For Windows and other code assistants, see the AWS MCP Repository README for platform-specific instructions.
- Python >=3.10, <=3.13
- uv package manager (install from Astral)
This MCP server is deliberately not published to PyPI, for security and control:
- Security: Verify the exact code you are running by inspecting the repository
- Control: Pin to a specific version and review the changes before updating
- Performance: Local caching improves startup speed and reduces network dependencies
- Trust: Avoid package-name confusion and accidental installation of an insecure or look-alike MCP server
You can install this server using one of two methods:
Clone or download the repository locally:
git clone git@github.com:aws-samples/sample-mcp-security-scanner.git
cd sample-mcp-security-scanner
Then configure your MCP client to use the local path (see configuration examples below).
Alternatively, configure your MCP client to install directly from GitHub using:
git+https://github.com/aws-samples/sample-mcp-security-scanner.git@main
This method downloads and installs the server automatically, without a local clone (see configuration examples below). Note that @main tracks the head of the branch, so each fresh install picks up whatever is on main at that moment; to pin as recommended above, replace main with a specific tag or commit hash, and review the diff before moving the pin.
The server automatically installs:
- checkov>=3.0.0 - IaC security scanner
- semgrep>=1.45.0 - Source code security scanner
- bandit>=1.7.5 - Python security scanner
- mcp[cli]>=1.11.0 - MCP framework
- pydantic>=1.10.0 - Data validation
- loguru>=0.6.0 - Logging
Configure your MCP client to use the server. The configuration varies by client and supports both local path and GitHub installation methods.
Install in Kiro
See Kiro Model Context Protocol Documentation for details.
- Navigate to Kiro > MCP Servers
- Add a new MCP server by clicking the Open MCP Config button
- Paste one of the configurations below:
Replace /path/to/sample-mcp-security-scanner with your actual repository path:
{
"mcpServers": {
"security-scanner": {
"command": "uvx",
"args": [
"--from",
"/path/to/sample-mcp-security-scanner",
"security_scanner_mcp_server"
],
"env": {
"FASTMCP_LOG_LEVEL": "ERROR"
},
"disabled": false,
"autoApprove": []
}
}
}

Or, to install directly from GitHub:
{
"mcpServers": {
"security-scanner": {
"command": "uvx",
"args": [
"--from",
"git+https://github.com/aws-samples/sample-mcp-security-scanner.git@main",
"security_scanner_mcp_server"
],
"env": {
"FASTMCP_LOG_LEVEL": "ERROR"
},
"disabled": false,
"autoApprove": []
}
}
}
Install in Amazon Q Developer
See Amazon Q Developer documentation for details.
- Manual configuration: edit the MCP configuration file at ~/.aws/amazonq/mcp.json (global) or .amazonq/mcp.json (local)
- Use one of the configurations below:
Replace /path/to/sample-mcp-security-scanner with your actual repository path:
{
"mcpServers": {
"security-scanner": {
"command": "uvx",
"args": [
"--from",
"/path/to/sample-mcp-security-scanner",
"security_scanner_mcp_server"
],
"env": {
"FASTMCP_LOG_LEVEL": "ERROR"
}
}
}
}

Or, to install directly from GitHub:
{
"mcpServers": {
"security-scanner": {
"command": "uvx",
"args": [
"--from",
"git+https://github.com/aws-samples/sample-mcp-security-scanner.git@main",
"security_scanner_mcp_server"
],
"env": {
"FASTMCP_LOG_LEVEL": "ERROR"
}
}
}
}
Install in Cline
- Install the Cline VS Code Extension.
- Click the extension to open it and select MCP Servers.
- Select the Installed tab, then click Configure MCP Servers to open the cline_mcp_settings.json file.
- Add one of the configurations below:
Replace /path/to/sample-mcp-security-scanner with your actual repository path:
{
"mcpServers": {
"security-scanner": {
"command": "uvx",
"args": [
"--from",
"/path/to/sample-mcp-security-scanner",
"security_scanner_mcp_server"
],
"env": {
"FASTMCP_LOG_LEVEL": "ERROR"
},
"disabled": false,
"autoApprove": []
}
}
}

Or, to install directly from GitHub:
{
"mcpServers": {
"security-scanner": {
"command": "uvx",
"args": [
"--from",
"git+https://github.com/aws-samples/sample-mcp-security-scanner.git@main",
"security_scanner_mcp_server"
],
"env": {
"FASTMCP_LOG_LEVEL": "ERROR"
},
"disabled": false,
"autoApprove": []
}
}
}
For configuration instructions for Cursor, Windsurf, VS Code, Claude Desktop, and other MCP clients, see the AWS MCP Repository README.
Scan Infrastructure as Code files for security issues.
Parameters:
- code (string): IaC content to scan
- format_type (string): Format type (terraform, cloudformation, kubernetes, dockerfile, etc.)
Scan source code for security vulnerabilities.
Parameters:
- code (string): Source code content to scan
- language (string): Programming language (python, javascript, java, etc.)
Scan Python code for security issues (Python-specific).
Parameters:
code(string): Python code content to scan
Get information about supported formats and languages.
Checkov (IaC formats):
- terraform: .tf, .tfvars, .tfstate
- cloudformation: .yaml, .yml, .json, .template
- kubernetes: .yaml, .yml
- dockerfile: Dockerfile
- arm: .json (Azure Resource Manager)
- bicep: .bicep
- serverless: .yml, .yaml
- helm: .yaml, .yml, .tpl
- github_actions: .yml, .yaml
- gitlab_ci: .yml, .yaml
- ansible: .yml, .yaml
Semgrep (source languages):
- python: .py
- javascript: .js
- typescript: .ts
- java: .java
- go: .go
- c: .c
- cpp: .cpp
- csharp: .cs
- ruby: .rb
- php: .php
- scala: .scala
- kotlin: .kt
- rust: .rs
Bandit:
- python: .py files
All scanning tools return a consistent response format:
{
"success": true,
"tool": "checkov|semgrep|bandit",
"format_type": "terraform",
"language": "python",
"total_issues": 3,
"findings": [
{
"check_id": "CKV_AWS_20",
"severity": "HIGH",
"description": "S3 Bucket has an ACL defined which allows public access",
"line_number": 3,
"resource": "aws_s3_bucket.example"
}
],
"summary": {
"high": 1,
"medium": 2,
"low": 0
}
}

This MCP server is designed to work with AI coding assistants such as Kiro, Amazon Q Developer, Cline and others. The AI can:
- Analyze generated code: Automatically scan code snippets for security issues
- Provide context-aware suggestions: Get language and format-specific security recommendations
- Continuous security feedback: Integrate security scanning into the development workflow
- Educational insights: Learn about security best practices through detailed findings
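The unified schema above is the contract the assistant relies on, but each underlying tool emits a different JSON layout, and a snippet scanned out of context (the "scan lines 20-60" prompt) reports line numbers relative to the snippet rather than the file. The following Python module is an added example and not the sample repository's own code: it normalises constructed Checkov, Semgrep and Bandit payloads into the response shape shown above, maps each tool's severity scale onto high/medium/low, applies a line offset so findings from a partial scan point back at the original file, and scans a snippet from a private temporary directory rather than the caller's working tree. The SAMPLE_* payloads are constructed to mirror the tools' JSON output with invented values, the default severity for Checkov (whose open-source CLI leaves severity null) is my own choice, and scan_snippet assumes the three CLIs are installed and on PATH.

```python
# Added example: normalise Checkov, Semgrep and Bandit JSON into one schema.
# Not the sample-mcp-security-scanner code; SAMPLE_* payloads are constructed.
import json
import subprocess
import tempfile
from pathlib import Path

SEVERITIES = ("HIGH", "MEDIUM", "LOW")
# Semgrep uses ERROR/WARNING/INFO; Bandit already uses HIGH/MEDIUM/LOW; the
# open-source Checkov CLI leaves "severity" null, so unknown values get a default.
SEMGREP_SEVERITY = {"ERROR": "HIGH", "WARNING": "MEDIUM", "INFO": "LOW"}
DEFAULT_SEVERITY = "MEDIUM"  # assumption, not a Checkov value


def _finding(check_id, severity, description, line, resource=None):
    sev = (severity or "").upper()
    if sev not in SEVERITIES:
        sev = DEFAULT_SEVERITY
    return {"check_id": check_id, "severity": sev, "description": description,
            "line_number": line, "resource": resource}


def normalize_checkov(raw):
    """Checkov: results.failed_checks[]; the line is file_line_range[0].
    When several frameworks match one file Checkov returns a list of reports."""
    reports = raw if isinstance(raw, list) else [raw]
    return [_finding(c["check_id"], c.get("severity"), c.get("check_name", ""),
                     c["file_line_range"][0], c.get("resource"))
            for report in reports
            for c in report.get("results", {}).get("failed_checks", [])]


def normalize_semgrep(raw):
    """Semgrep: results[]; severity and message sit under extra, line under start."""
    return [_finding(r["check_id"], SEMGREP_SEVERITY.get(r["extra"]["severity"]),
                     r["extra"]["message"], r["start"]["line"])
            for r in raw.get("results", [])]


def normalize_bandit(raw):
    """Bandit: results[] with test_id, issue_severity, issue_text, line_number."""
    return [_finding(r["test_id"], r["issue_severity"], r["issue_text"], r["line_number"])
            for r in raw.get("results", [])]


NORMALIZERS = {"checkov": normalize_checkov, "semgrep": normalize_semgrep,
               "bandit": normalize_bandit}


def build_response(tool, raw, line_offset=0, **context):
    """Unified response. line_offset maps snippet-relative lines back to the file:
    for a scan of lines 20-60, snippet line 1 is file line 20, so the offset is 19."""
    findings = NORMALIZERS[tool](raw)
    for f in findings:
        f["line_number"] += line_offset
    summary = {s.lower(): sum(f["severity"] == s for f in findings) for s in SEVERITIES}
    return {"success": True, "tool": tool, **context, "total_issues": len(findings),
            "findings": findings, "summary": summary}


# JSON-emitting invocations of the real CLIs (assumed to be on PATH).
COMMANDS = {
    "checkov": lambda p: ["checkov", "-f", str(p), "-o", "json", "--quiet"],
    "semgrep": lambda p: ["semgrep", "--config", "p/security-audit", "--json", str(p)],
    "bandit": lambda p: ["bandit", "-f", "json", "-q", str(p)],
}


def scan_snippet(tool, code, suffix, line_offset=0, **context):
    """Write the snippet into a private temporary directory and scan only that file,
    so the scanner never walks the caller's working tree. The suffix (".py", ".tf",
    ".yaml") selects the language or framework. Bandit and Checkov exit non-zero when
    they find issues, so the return code is deliberately not treated as an error."""
    with tempfile.TemporaryDirectory() as tmp:
        target = Path(tmp) / f"snippet{suffix}"
        target.write_text(code)
        proc = subprocess.run(COMMANDS[tool](target), capture_output=True,
                              text=True, timeout=120)
        raw = json.loads(proc.stdout)
    return build_response(tool, raw, line_offset, **context)


# Constructed payloads: layout mirrors each tool's JSON, values are invented.
SAMPLE_CHECKOV = {"results": {"failed_checks": [
    {"check_id": "CKV_AWS_20", "resource": "aws_s3_bucket.example", "severity": None,
     "check_name": "S3 Bucket has an ACL defined which allows public access",
     "file_line_range": [3, 6]}]}}
SAMPLE_SEMGREP = {"results": [
    {"check_id": "python.lang.security.audit.exec-detected", "start": {"line": 4},
     "extra": {"severity": "ERROR", "message": "Detected the use of exec()"}}]}
SAMPLE_BANDIT = {"results": [
    {"test_id": "B105", "issue_severity": "LOW", "line_number": 3,
     "issue_text": "Possible hardcoded password"},
    {"test_id": "B602", "issue_severity": "HIGH", "line_number": 9,
     "issue_text": "subprocess call with shell=True identified"}]}
```

Calling build_response("bandit", SAMPLE_BANDIT, line_offset=19, language="python") yields findings on file lines 22 and 28 with a summary of one high and one low, which is what an assistant needs to point at the right line of the user's open file. The temporary-directory step in scan_snippet matters beyond tidiness: Checkov and Semgrep discover files recursively when pointed at a directory, so scanning an explicit file in a fresh directory keeps the scanner's reach limited to the snippet the user asked about.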
# Clone and install
git clone git@github.com:aws-samples/sample-mcp-security-scanner.git
cd sample-mcp-security-scanner
uv pip install -e .
# Run the server
python -m security_scanner_mcp_server.server
# Test with sample code
python examples/test_scanner.py
MIT License - see LICENSE file for details.
Contributions welcome! Please read CONTRIBUTING.md for guidelines.
Pattern created by Ivan Girardi (AWS) and Iker Reina Fuente (AWS).
This tool is designed to improve security by identifying vulnerabilities. However:
- Always review findings manually: static scanners report false positives and miss issues that depend on runtime context
- Keep the scanning tools and their rulesets updated, since new checks ship with each release
- Use it alongside other security measures and tools, not as the only gate
See CONTRIBUTING for more information.
This library is licensed under the MIT-0 License. See the LICENSE file.