MCP Server For Contrast Security
by
Provides a bridge between Contrast vulnerability data and AI agents, allowing automated remediation of code issues and third‑party library updates through LLM prompts.
MCP Server For Contrast Security Overview
What is MCP Server For Contrast Security about?
Enables developers and security professionals to query Contrast application and vulnerability data, then leverage a chosen LLM or coding agent to generate remediation code, update vulnerable libraries, or retrieve contextual information about applications, sessions, and attack events.
How to use MCP Server For Contrast Security?
- Build the project (requires Java 17+):
mvn clean install. - Run the server either as a standalone JAR:
or via Docker:java -jar target/mcp-contrast-0.0.1-SNAPSHOT.jar \ --CONTRAST_HOST_NAME=example.contrastsecurity.com \ --CONTRAST_API_KEY=… \ --CONTRAST_SERVICE_KEY=… \ --CONTRAST_USERNAME=… \ --CONTRAST_ORG_ID=…docker run -e CONTRAST_HOST_NAME=example.contrastsecurity.com \ -e CONTRAST_API_KEY=… -e CONTRAST_SERVICE_KEY=… \ -e CONTRAST_USERNAME=… -e CONTRAST_ORG_ID=… \ -i --rm contrast/mcp-contrast:latest -t stdio - Add the server definition to your AI tool’s
config.json/mcp.json(VS Code, IntelliJ, Claude Desktop, oterm, etc.) as shown in the README. - Issue prompts such as “list vulnerabilities for Application Y” or “update library X to a safe version” and let the LLM generate the remediation.
Key Features
- Secure bridge between Contrast data and any LLM or coding agent of your choice.
- Supports queries on applications, tags, metadata, sessions, route coverage, and ADR/Protect events.
- Automated code remediation and third‑party library upgrade suggestions.
- Multiple installation pathways: Maven build, Docker image, VS Code/IntelliJ extensions.
- Proxy and TLS configuration options for enterprise environments.
- Detailed logging with optional debug mode.
Use Cases
- Developer workflow: Quickly obtain vulnerability details and receive ready‑to‑apply patches while coding.
- Security operations: Pull aggregated vulnerability reports across applications for triage and risk assessment.
- Library management: Identify high‑severity vulnerable dependencies and get version upgrade recommendations.
- Compliance reporting: Export session metadata and attack event data for audit purposes.
- CI/CD integration: Run the server in a pipeline to automatically suggest fixes before merging code.
FAQ
Q: Does the server send my vulnerability data to the LLM provider? A: Yes, the server forwards data to the configured LLM. Use only AI services that guarantee data will not be used for training (e.g., enterprise‑grade offerings).
Q: What languages or frameworks does it support? A: The server is language‑agnostic; it merely retrieves data from Contrast. The LLM can generate code for Java, JavaScript, Python, etc., based on the prompt.
Q: How do I enable debug logging?
A: Add --logging.level.root=DEBUG to the command‑line arguments when starting the JAR or Docker container.
Q: My organization uses a proxy; can I configure it?
A: Yes. For Java, pass -Dhttp_proxy_host=… -Dhttp_proxy_port=…. For Docker, set http_proxy_host and http_proxy_port environment variables.
Q: The server fails with a certificate error. What should I do?
A: Import the server’s TLS certificate into a Java truststore and launch the process with -Djavax.net.ssl.trustStore=/path/to/truststore.jks -Djavax.net.ssl.trustStorePassword=yourpassword.
MCP Server For Contrast Security's README
Contrast MCP Server
The Contrast MCP Server allows you to connect Contrast Security to your AI coding agent to automatically remediate vulnerabilities, update insecure libraries, and analyze security coverage—all through natural language prompts.
- Remediate vulnerabilities directly from Contrast Assess data
- Identify and update insecure third-party libraries with Contrast SCA insights
- Review route coverage, Protect/ADR findings, and other security metadata on demand
[!WARNING] CRITICAL SECURITY WARNING: Exposing Contrast vulnerability data to an AI service that trains on your prompts can leak sensitive information. Only use mcp-contrast with environments that contractually guarantee data isolation and prohibit model training on your inputs.
Verify AI Data Privacy: Confirm that your service agreement prevents model training on your prompts and consult your security team before sharing Contrast data.
UNSAFE: Public consumer LLM sites (e.g., free ChatGPT, Gemini, Claude) that use prompts for training.
POTENTIALLY SAFE: Enterprise services with contractual privacy guarantees (e.g., Google Cloud AI, AWS Bedrock, Azure OpenAI).
Quick Start
Prerequisites
- Docker (recommended) or Java 17+ for JAR deployment
- Contrast API credentials (how to get API credentials)
VS Code (GitHub Copilot) - One-Click Install
Click the button above to automatically install in VS Code. For manual setup, see VS Code (GitHub Copilot) Installation Guide.
IntelliJ IDEA (GitHub Copilot)
Add this to your mcp.json configuration file and replace the placeholder values with your Contrast credentials:
{
"servers": {
"contrast": {
"command": "docker",
"args": [
"run",
"-e",
"CONTRAST_HOST_NAME",
"-e",
"CONTRAST_API_KEY",
"-e",
"CONTRAST_SERVICE_KEY",
"-e",
"CONTRAST_USERNAME",
"-e",
"CONTRAST_ORG_ID",
"-i",
"--rm",
"contrast/mcp-contrast:latest",
"-t",
"stdio"
],
"env": {
"CONTRAST_HOST_NAME": "example.contrastsecurity.com",
"CONTRAST_API_KEY": "example",
"CONTRAST_SERVICE_KEY": "example",
"CONTRAST_USERNAME": "example@example.com",
"CONTRAST_ORG_ID": "example"
}
}
}
}
📖 Full IntelliJ (GitHub Copilot) Installation Guide - Includes step-by-step setup and JAR deployment option
Other AI Assistants
- Claude Code - Anthropic's official CLI tool
- Claude Desktop - Standalone Claude application
- Cline Plugin - VS Code alternative AI assistant
- All Other MCP Hosts - Complete installation guides for oterm and more
Sample Prompts
For the Developer
Remediate Vulnerabilities in Code
- Please list vulnerabilities for Application Y.
- Give me details about vulnerability X in Application Y.
- Review vulnerability X and fix it.
Third-Party Library Remediation
- Which libraries in Application X have high or critical vulnerabilities and are actively used?
- Update library X, which has a critical vulnerability, to the safe version.
- Which libraries in Application X are not being used?
Retrieve Applications by Tag
- Please give me the applications tagged with "backend."
Retrieve Applications by Metadata
- Please give me the applications with metadata "dev-team" and "backend-team."
Retrieve Vulnerabilities by Session Metadata
- Give me the session metadata for Application X.
- Give me the vulnerabilities in the latest session for Application X.
- Give me the vulnerabilities for session metadata "Branch Name" "feature/some-new-fix" for Application X.
- Give me the route coverage for the latest session for Application X.
- Give me the route coverage for session metadata "Branch Name" "feature/some-new-fix" for Application X.
For the Security Professional
- Please give me a breakdown of applications and servers vulnerable to CVE-xxxx-xxxx.
- Please list the libraries for the application named xxx and tell me what version of commons-collections is being used.
- Which vulnerabilities in Application X are being blocked by a Protect or ADR rule?
Getting the JAR File
If you're using JAR deployment (instead of Docker), you'll need the JAR file:
Download (Recommended)
Download the latest pre-built JAR from GitHub Releases.
The JAR file will be named mcp-contrast-X.X.X.jar.
Build from Source
Alternatively, you can build from source if you need the latest development version. Requires Java 17+:
mvn clean install
The built JAR will be located at target/mcp-contrast-X.X.X-SNAPSHOT.jar
Proxy Configuration
If you're behind a corporate firewall or proxy, you'll need to configure proxy settings for the MCP server to reach your Contrast instance. The configuration differs depending on whether you're using Docker or JAR deployment.
Java Process (JAR Deployment)
Choose ONE of the following based on how you're running the JAR:
Direct Java Command
Use this if you're running the JAR directly from the command line or a script.
Add these two system properties to your java command:
-Dhttp_proxy_host=proxy.example.com
-Dhttp_proxy_port=8080
Complete example:
java \
-Dhttp_proxy_host=proxy.example.com \
-Dhttp_proxy_port=8080 \
-jar /path/to/mcp-contrast-X.X.X.jar \
--CONTRAST_HOST_NAME=example.contrastsecurity.com \
--CONTRAST_API_KEY=example \
--CONTRAST_SERVICE_KEY=example \
--CONTRAST_USERNAME=example@example.com \
--CONTRAST_ORG_ID=example
MCP Configuration File
Use this if you're running the JAR through an MCP host (IntelliJ, Claude Desktop, Cline, etc.).
Add these two lines to the beginning of your args array:
"-Dhttp_proxy_host=proxy.example.com",
"-Dhttp_proxy_port=8080",
Complete example using IntelliJ's mcp.json:
{
"servers": {
"contrast": {
"command": "java",
"args": [
"-Dhttp_proxy_host=proxy.example.com",
"-Dhttp_proxy_port=8080",
"-jar",
"/path/to/mcp-contrast-X.X.X.jar",
"--CONTRAST_HOST_NAME=example.contrastsecurity.com",
"--CONTRAST_API_KEY=example",
"--CONTRAST_SERVICE_KEY=example",
"--CONTRAST_USERNAME=example@example.com",
"--CONTRAST_ORG_ID=example"
]
}
}
}
Docker (Docker Deployment)
Choose ONE of the following based on how you're running Docker:
Direct Docker Run Command
Use this if you're running Docker directly from the command line.
Add these two environment variables to your docker run command:
-e http_proxy_host="proxy.example.com" \
-e http_proxy_port="8080" \
Complete example:
docker run \
-e http_proxy_host="proxy.example.com" \
-e http_proxy_port="8080" \
-e CONTRAST_HOST_NAME=example.contrastsecurity.com \
-e CONTRAST_API_KEY=example \
-e CONTRAST_SERVICE_KEY=example \
-e CONTRAST_USERNAME=example \
-e CONTRAST_ORG_ID=example \
-i --rm \
contrast/mcp-contrast:latest \
-t stdio
MCP Configuration File
Use this if you're running Docker through an MCP host (IntelliJ, VS Code, Claude Desktop, Cline, etc.).
Add these proxy settings:
Add to the args array (after the Contrast credentials):
"-e", "http_proxy_host",
"-e", "http_proxy_port",
Add to the env object:
"http_proxy_host": "proxy.example.com",
"http_proxy_port": "8080"
Complete example using IntelliJ's mcp.json:
{
"servers": {
"contrast": {
"command": "docker",
"args": [
"run",
"-e", "CONTRAST_HOST_NAME",
"-e", "CONTRAST_API_KEY",
"-e", "CONTRAST_SERVICE_KEY",
"-e", "CONTRAST_USERNAME",
"-e", "CONTRAST_ORG_ID",
"-e", "http_proxy_host",
"-e", "http_proxy_port",
"-i", "--rm",
"contrast/mcp-contrast:latest",
"-t", "stdio"
],
"env": {
"CONTRAST_HOST_NAME": "example.contrastsecurity.com",
"CONTRAST_API_KEY": "example",
"CONTRAST_SERVICE_KEY": "example",
"CONTRAST_USERNAME": "example@example.com",
"CONTRAST_ORG_ID": "example",
"http_proxy_host": "proxy.example.com",
"http_proxy_port": "8080"
}
}
}
}
For VS Code with input variables, see the VS Code Installation Guide.
Common Issues
If you are experiencing issues with the MCP server, here are some common troubleshooting steps:
Review Log
A log will be created, by default under /tmp/mcp-contrast.log either locally or within the Docker container. You can view this log to see if there are any errors or issues with the MCP server.
Enable Debug Logging
To enable debug logging you can add the following flag to the command line arguments when running the MCP server:
--logging.level.root=DEBUG
This can be added at this part of the docker command
"--rm",
"contrast/mcp-contrast:latest",
"-t",
"--logging.level.root=DEBUG",
"stdio"
],
Certificate Issues
If the SSL Certificate for the Teamserver URL is not trusted, you may see the following error:
Failed to list applications: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
If this occurs you will need to add the certificate to the Java Truststore and then add the following to the command line arguments when running the MCP server:
-Djavax.net.ssl.trustStore=/location/to/mcp-truststore.jks, -Djavax.net.ssl.trustStorePassword=yourpassword
More details on how to do this can be found in the Java documentation. Or ask your LLM to help you with this.
Data Privacy
The Contrast MCP Server provides a bridge between your Contrast Data and the AI Agent/LLM of your choice. By using Contrast's MCP server you will be providing your Contrast Data to your AI Agent/LLM, it is your responsibility to ensure that the AI Agent/LLM you use complies with your data privacy policy. Depending on what questions you ask the following information will be provided to your AI Agent/LLM.
- Application Details
- Application Rule configuration
- Vulnerability Details
- Route Coverage data
- ADR/Protect Attack Event Details
MCP Server For Contrast Security Reviews
Login Required
Please log in to share your review and rating for this MCP.
Similar MCP Servers like MCP Server For Contrast Security
Explore related MCPs that share similar capabilities and solve comparable challenges
SafeLine
by chaitin
A self‑hosted web application firewall and reverse proxy that protects web applications from attacks and exploits by filtering, monitoring, and blocking malicious HTTP/S traffic.
SafeDep Vet
by safedep
Provides enterprise‑grade open source software supply chain security by scanning source code, dependencies, containers and SBOMs, detecting vulnerabilities and malicious packages, and enforcing policy as code.
Semgrep MCP Server
by semgrep
Offers an MCP server that lets LLMs, agents, and IDEs run Semgrep scans to detect security vulnerabilities in source code.
Burp MCP Server
by PortSwigger
Enables Burp Suite to communicate with AI clients via the Model Context Protocol, providing an MCP server and bundled stdio proxy.
Cycode CLI
by cycodehq
Boost security in the development lifecycle via SAST, SCA, secrets, and IaC scanning.
Bugsy
by mobb-dev
Provides automatic security vulnerability remediation for code via a command‑line interface and an MCP server, leveraging findings from popular SAST tools such as Checkmarx, CodeQL, Fortify, and Snyk.
Keycloak MCP Server
by ChristophEnglisch
Provides AI‑powered administration of Keycloak users and realms through the Model Context Protocol, enabling automated creation, deletion, and listing of users and realms from MCP clients such as Claude Desktop.
OpenCTI MCP Server
by Spathodea-Network
Provides a Model Context Protocol server that enables querying and retrieving threat intelligence data from OpenCTI through a standardized interface.
Authenticator App MCP Server
Officialby firstorderai
Provides seamless access to two‑factor authentication codes and passwords for AI agents, enabling automated login while maintaining security.