This is a Model Context Protocol (MCP) server that provides tools for code quality analysis, security vulnerability detection, and logging policy enforcement.
- Multi-language Support: JavaScript, TypeScript, Python, Go, Java, Rust.
- Security Scans: Wrappers for `npm audit`, `govulncheck`, `bandit`, `cargo audit`, etc.
- Quality Metrics: Basic lines of code and TODO counting (extensible to linters).
- Compliance: Checks for direct stdout logging.
- AI-Powered Remediation: Auto-generate fix suggestions for vulnerabilities.
- Custom Pattern Builder: Create organization-specific security patterns.
- SBOM Generation: Software Bill of Materials creation and analysis.
- Container Scanning: Docker image vulnerability analysis and Dockerfile review.
- Infrastructure as Code: Terraform, CloudFormation, and Kubernetes scanning.
- 🆕 SSL Certificate Scanning: Validate SSL/TLS certificates, check expiry, and protocol security.
- 🆕 RCE Vulnerability Detection: Dedicated scanner for Remote Code Execution vulnerabilities.
- 🆕 GitHub Integration: Manage pull requests directly via GitHub CLI.
- 🆕 Report Generation: Generate comprehensive security reports in JSON, Markdown, or HTML.
- Actionable Fix Suggestions: All scanning tools now provide fix suggestions with original/replacement code that users can directly apply.
All vulnerability scanning tools now include actionable fix suggestions in their output. Each finding includes:

```json
{
  "line": 25,
  "type": "sql-injection",
  "message": "SQL Injection vulnerability detected",
  "code": "db.query(`SELECT * FROM users WHERE id = ${id}`)",
  "fix": {
    "original": "db.query(`SELECT * FROM users WHERE id = ${id}`)",
    "replacement": "db.query('SELECT * FROM users WHERE id = ?', [id])",
    "description": "Use parameterized queries to prevent SQL injection"
  }
}
```

| Tool | Fix Suggestion Coverage |
|---|---|
| `bugbounty_scan` | 27+ vulnerability patterns with fixes |
| `detect_csrf_vulnerabilities` | 5 CSRF patterns with fixes |
| `analyze_dockerfile` | 11 Dockerfile security patterns |
| `scan_terraform` | 14 Terraform security patterns |
| `scan_cloudformation` | 4 CloudFormation patterns |
| `scan_kubernetes` | 6 Kubernetes security patterns |
| `analyze_code_quality` | 10 code quality patterns |
| `check_logging_policy` | 10 logging compliance patterns |
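As an added example (not code from the codeguardian project), the script below applies `fix.original`/`fix.replacement` suggestions from findings shaped like the JSON above to a file's text, and only when the reported line still contains the original snippet, so a stale suggestion is skipped rather than applied blindly. The finding and source file are constructed samples.

```javascript
// Added example, not part of the codeguardian project: apply scanner
// findings of the form { line, fix: { original, replacement } } to a file.

// Constructed finding in the same shape as the README's sample output.
const SAMPLE_FINDINGS = [
  {
    line: 3,
    type: "sql-injection",
    message: "SQL Injection vulnerability detected",
    code: "db.query(`SELECT * FROM users WHERE id = ${id}`)",
    fix: {
      original: "db.query(`SELECT * FROM users WHERE id = ${id}`)",
      replacement: "db.query('SELECT * FROM users WHERE id = ?', [id])",
      description: "Use parameterized queries to prevent SQL injection",
    },
  },
];

// Constructed source file that the finding above points at (line 3, 1-based).
const SAMPLE_SOURCE = [
  "function getUser(db, id) {",
  "  // look the user up by primary key",
  "  return db.query(`SELECT * FROM users WHERE id = ${id}`);",
  "}",
].join("\n");

// Returns the patched text plus a record of which fixes were applied.
// A single-line fix is applied only if `fix.original` is still present on
// the reported line; otherwise the suggestion is recorded as skipped so the
// file is never modified on the basis of an outdated finding.
function applyFixes(source, findings) {
  const lines = source.split("\n");
  const applied = [];
  const skipped = [];
  for (const f of findings) {
    const current = lines[f.line - 1];
    if (!f.fix || current === undefined || !current.includes(f.fix.original)) {
      skipped.push({ line: f.line, type: f.type, reason: "original not found" });
      continue;
    }
    // Replacer function keeps any `$` sequences in the replacement literal.
    lines[f.line - 1] = current.replace(f.fix.original, () => f.fix.replacement);
    applied.push({ line: f.line, type: f.type });
  }
  return { source: lines.join("\n"), applied, skipped };
}
```

Review the `skipped` list before committing: a skipped entry means the scanner output no longer matches the file and the scan should be re-run.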
Example prompts:

- `@workspace use codeguardian tool Run a bug bounty scan on src/ and apply the suggested fixes for any SQL injection vulnerabilities found.`
- `@workspace use codeguardian tool Analyze the Dockerfile and show me the fix suggestions for any security issues.`
- `security_vulnerability_scan`: Scans a directory for vulnerabilities using language-specific tools.
- `detect_secret_exposure`: Checks a file for potential hardcoded secrets.
- `detect_csrf_vulnerabilities`: Scans for CSRF vulnerabilities in forms and API calls.
- `bugbounty_scan`: Comprehensive scan covering 50+ vulnerability patterns (OWASP Top 10).
- `ssl_certificate_scan`: Check SSL/TLS certificate validity, expiry, chain, and protocol security.
- `rce_vulnerability_scan`: Dedicated scanner for Remote Code Execution vulnerabilities across multiple languages.

- `get_remediation`: Get fix suggestions for a specific vulnerability type.
- `get_bulk_remediation`: Get remediation for multiple vulnerabilities at once.

- `create_custom_pattern`: Create organization-specific security patterns.
- `list_custom_patterns`: List all custom patterns with filtering options.
- `update_custom_pattern`: Modify an existing pattern.
- `delete_custom_pattern`: Remove a pattern.
- `scan_with_custom_patterns`: Scan code using your custom patterns.
- `export_custom_patterns`: Export patterns to JSON for sharing.
- `import_custom_patterns`: Import patterns from JSON.

- `generate_sbom`: Generate SBOM from project dependencies (CycloneDX/SPDX format).
- `analyze_sbom`: Analyze SBOM for outdated packages and license concerns.
- `export_sbom`: Export SBOM to file (uses syft if available).

- `scan_container_image`: Scan Docker images for vulnerabilities (trivy/grype/docker scout).
- `analyze_dockerfile`: Security analysis of Dockerfile best practices.
- `analyze_docker_compose`: Check docker-compose.yml for security issues.
- `list_container_security`: Security status of running containers.

- `scan_terraform`: Scan Terraform files for misconfigurations (tfsec/checkov/built-in).
  - Multi-Cloud Support: AWS, Google Cloud (GCP), and Azure patterns.
- `scan_cloudformation`: Scan CloudFormation templates for security issues.
- `scan_kubernetes`: Scan Kubernetes manifests for security risks.
- `scan_iac`: Combined IaC scanner that detects and reports all IaC files.

- `analyze_code_quality`: Reports quality metrics for a file.
- `check_logging_policy`: Enforces logging best practices.

- `github_pull_requests`: List, get, create, review, merge, and close pull requests via GitHub CLI.

- `generate_report`: Generate comprehensive security/quality/compliance reports in JSON, Markdown, or HTML format.
- Run/Debug:
  - Open the Run and Debug sidebar (Ctrl+Shift+D).
  - Select "Launch MCP Server" from the dropdown.
  - Press F5. This will build the project and start the server.
  - Note: This runs the server in stdio mode. To test it, you need an MCP client to connect to it.

- Use with VS Code as Client:
  - The `.vscode/mcp.json` file is already configured.
  - If you have the MCP Extension installed, it should automatically detect the server (restart VS Code if needed).

- Using with GitHub Copilot:
  - Ensure the MCP server is configured in `.vscode/mcp.json`.
  - Open GitHub Copilot Chat in VS Code.
  - Use prompts like:
    - Security Scan: `@workspace use codeguardian tool Run a security vulnerability scan on this project. It's a TypeScript project.`
    - Code Quality: `@workspace use codeguardian tool Analyze the code quality of the file src/index.ts using the analyze_code_quality tool.`
    - Secret Detection: `@workspace use codeguardian tool Check src/config.ts for any exposed secrets using detect_secret_exposure.`
    - Logging Compliance: `@workspace use codeguardian tool Check if src/utils/logger.ts follows logging best practices using check_logging_policy.`
    - CSRF Vulnerability Detection: `@workspace use codeguardian tool Scan the src/controllers directory for CSRF vulnerabilities using detect_csrf_vulnerabilities.`
    - Bug Bounty Scan (Comprehensive): `@workspace use codeguardian tool Run a comprehensive bug bounty security scan on this TypeScript project covering OWASP Top 10.`
    - Bug Bounty Scan with Severity Filter: `@workspace use codeguardian tool Run a bug bounty scan on src/ and only show high severity issues.`
    - AI-Powered Remediation: `@workspace use codeguardian tool Get remediation advice for sql-injection vulnerability in JavaScript.`
    - SBOM Generation: `@workspace use codeguardian tool Generate an SBOM (Software Bill of Materials) for this project in CycloneDX format.`
    - Container Scanning: `@workspace use codeguardian tool Scan the Dockerfile in this project for security issues using analyze_dockerfile.`
    - Docker Image Scan: `@workspace use codeguardian tool Scan the nginx:latest Docker image for vulnerabilities.`
    - Terraform Scanning: `@workspace use codeguardian tool Scan the terraform/ directory for security misconfigurations.`
    - Custom Pattern: `@workspace use codeguardian tool Create a custom security pattern to detect our internal API keys that start with "MYCOMPANY_".`
    - SSL Certificate Check: `@workspace use codeguardian tool Check the SSL certificate for api.example.com using ssl_certificate_scan.`
    - RCE Vulnerability Scan: `@workspace use codeguardian tool Scan src/ for Remote Code Execution vulnerabilities using rce_vulnerability_scan.`
    - GitHub Pull Requests: `@workspace use codeguardian tool List all open pull requests in this repository using github_pull_requests.`
    - Generate Security Report: `@workspace use codeguardian tool Generate a full security report for this project in markdown format.`

- Configuration:
  - A run configuration `MCP Server: Build & Run` has been created in `.idea/runConfigurations`.
  - Select it from the run configurations dropdown.
  - Click Run or Debug.

- Client Connection:
  - Since IntelliJ doesn't have a native MCP client yet (as of early 2026), you run this as a standard Node.js app.
  - You can use an external MCP client (like Claude Desktop) pointed to the running process or built file.
The security tool wraps these external CLIs. Install the ones you need:

- JavaScript/TypeScript: `npm` (included with Node.js)
- Go: `go install golang.org/x/vuln/cmd/govulncheck@latest`
- Python: `pip install bandit`
- Java: Maven (`mvn`)
- Rust: `cargo install cargo-audit`

Container scanning:

- Trivy (recommended): `brew install trivy` or see https://trivy.dev
- Grype: `brew install grype` or see https://github.com/anchore/grype
- Docker Scout: Built into Docker Desktop

Infrastructure as Code:

- tfsec (Terraform): `brew install tfsec` or `go install github.com/aquasecurity/tfsec/cmd/tfsec@latest`
- checkov (multi-IaC): `pip install checkov`
- cfn-lint (CloudFormation): `pip install cfn-lint`
- kubesec (Kubernetes): See https://kubesec.io

SBOM generation:

- syft (recommended): `brew install syft` or see https://github.com/anchore/syft
You can also run security scans directly from the command line using the included script. This is useful for CI/CD pipelines or quick checks without an MCP client.

```bash
npm run scan -- <directory_to_scan> <language>
```

Examples:

```bash
# Scan a local Python project
npm run scan -- /Users/username/projects/my-python-app python

# Scan the current directory as TypeScript
npm run scan -- . typescript
```

- Install dependencies:

  ```bash
  npm install
  ```

- Build the server:

  ```bash
  npm run build
  ```

- Configure in your MCP client (e.g., VS Code, Claude Desktop):

  VS Code (`mcp.json`):

  ```json
  {
    "servers": {
      "codeguardian": {
        "type": "stdio",
        "command": "node",
        "args": ["/path/to/codeguardian-mcp-server/build/index.js"]
      }
    }
  }
  ```

- Run `npm run watch` for development.