
Contrast MCP server

The Contrast MCP server is a bridge between Contrast vulnerability data from our Interactive Application Security Testing (IAST) technology and an AI agent that runs inside an integrated development environment (IDE). This bridge lets the agent identify vulnerable code and fix it from within the IDE. In addition to the vulnerability data itself, Contrast provides its curated remediation guidance to the AI agent, so the agent has all the information it needs to get the fix right the first time.

Legal disclaimer

When using Contrast's MCP server, depending on the information you input, that information will be fed into your LLM. Both the submission of data to the LLM and the output generated by the LLM will be subject to the terms of service of that LLM. Use of Contrast's MCP server is entirely at your own risk.

Contrast MCP server benefits

Using the Contrast MCP server with an AI coding agent lets developers swiftly and precisely remediate vulnerabilities that Contrast detects. While this is one of the main use cases, the flexible nature of the MCP technology means you could ask an AI agent to do just about anything with your Contrast data. For example, you could ask it to:

  • Prioritize and fix vulnerable libraries in applications based on library usage data.

  • Rapidly assess the impact of newly reported high-severity vulnerabilities across your applications.

  • Quickly identify and remove unused libraries using runtime class usage data.

  • And more...
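The two library use cases above (prioritize vulnerable libraries by runtime usage; assess the blast radius of a newly reported CVE) come down to a small amount of triage logic once the data is in hand. The Python below is an added example, not Contrast's code: the `LibraryRecord` shape, the field names, the severity ranking and the sample inventory are all assumptions constructed for illustration and do not describe the MCP server's actual tool schema. The CVE identifiers in the sample are placeholders.

```python
# Added example (not Contrast's own code): triage logic over constructed
# library-usage records shaped like the data the page describes.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed severity scale; Contrast's actual labels may differ.
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "NOTE": 0}


@dataclass
class LibraryRecord:
    """One third-party library in one application (hypothetical record shape)."""
    name: str
    version: str
    max_severity: str               # highest severity among its known CVEs
    classes_total: int              # classes shipped in the artifact
    classes_loaded: int             # classes observed loaded at runtime
    cves: List[str] = field(default_factory=list)
    fixed_version: Optional[str] = None


def severity_rank(sev: str) -> int:
    return SEVERITY_RANK.get(sev.upper(), 0)


def is_used(lib: LibraryRecord) -> bool:
    # Runtime class usage is the signal: zero loaded classes means dead weight.
    return lib.classes_loaded > 0


def prioritize_libraries(libs: List[LibraryRecord]) -> List[LibraryRecord]:
    """Actively used libraries first, highest severity first, then by how
    heavily they are used; unused libraries sink to the bottom."""
    return sorted(
        libs,
        key=lambda l: (not is_used(l), -severity_rank(l.max_severity),
                       -l.classes_loaded, l.name),
    )


def unused_libraries(libs: List[LibraryRecord]) -> List[str]:
    """Candidates for removal: shipped but never loaded at runtime."""
    return [l.name for l in libs if not is_used(l)]


def remediation_plan(libs: List[LibraryRecord]) -> List[str]:
    """Turn the ranked list into concrete actions an agent could carry out."""
    plan = []
    for lib in prioritize_libraries(libs):
        if not is_used(lib):
            plan.append(f"remove {lib.name} {lib.version} (no classes loaded at runtime)")
        elif severity_rank(lib.max_severity) >= SEVERITY_RANK["HIGH"]:
            target = lib.fixed_version or "<fixed version unknown>"
            plan.append(f"upgrade {lib.name} {lib.version} -> {target} "
                        f"({lib.max_severity}, {lib.classes_loaded}/{lib.classes_total} classes loaded)")
        else:
            plan.append(f"monitor {lib.name} {lib.version} ({lib.max_severity})")
    return plan


def applications_affected_by(inventory: Dict[str, List[LibraryRecord]], cve_id: str) -> Dict[str, dict]:
    """Map a newly reported CVE to the applications whose libraries carry it,
    noting whether the affected library is actually loaded at runtime."""
    hits = {}
    for app, libs in inventory.items():
        for lib in libs:
            if cve_id in lib.cves:
                hits[app] = {"library": f"{lib.name} {lib.version}",
                             "actively_used": is_used(lib)}
    return hits


# Constructed sample inventory: names, versions, counts and CVE ids are invented.
SAMPLE_LIBRARIES = [
    LibraryRecord("commons-collections", "3.2.1", "CRITICAL", 458, 12, ["CVE-0000-0002"], "3.2.2"),
    LibraryRecord("old-logging-lib", "1.0", "HIGH", 120, 0, ["CVE-0000-0003"]),
    LibraryRecord("json-parser", "2.3.0", "MEDIUM", 80, 30, ["CVE-0000-0001"], "2.3.1"),
    LibraryRecord("crypto-utils", "0.9", "CRITICAL", 60, 3, ["CVE-0000-0004"], "1.1"),
]
SAMPLE_INVENTORY = {
    "billing-api": SAMPLE_LIBRARIES,
    "static-site": [LibraryRecord("json-parser", "2.3.0", "MEDIUM", 80, 0, ["CVE-0000-0001"], "2.3.1")],
}

if __name__ == "__main__":
    for step in remediation_plan(SAMPLE_LIBRARIES):
        print(step)
    print(applications_affected_by(SAMPLE_INVENTORY, "CVE-0000-0001"))
```

The ordering deliberately puts a critical library with a handful of loaded classes above a medium one that is used heavily: exploitability of the vulnerable code path matters more than overall volume of use, and an unused library is a removal candidate regardless of severity.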

Data from the Contrast MCP server

The Contrast MCP server provides an MCP client, and, by extension, the LLM, with access to vulnerability data from Contrast. Examples of the data you can access are:

  • Vulnerability type (for example, SQL injection, unsafe deserialization, or command injection)

  • Exact location in the code

  • The HTTP endpoint and HTTP request that triggered the vulnerability detection

  • Data flow through the application

  • User-controlled data that entered the vulnerable sink

  • Detailed instructions on how to fix the vulnerability

With this information, the coding agent that you prompt and guide can quickly and accurately remediate identified vulnerabilities.

Contrast MCP server installation and use

To install and use the MCP server, see the MCP Server for Contrast Security repository on GitHub.

Sample prompts for developers

  • Remediate vulnerabilities in code

    • List vulnerabilities for Application Y

    • Give me details about vulnerability X on Application Y

    • Review the vulnerability X and fix it.

  • Remediate vulnerabilities in third-party libraries

    • Which libraries in Application X have High or Critical vulnerabilities and are also being actively used?

    • Which libraries in Application X are not being used?

    • Update library X with a critical vulnerability to the safe version.

  • Retrieving applications based on tags

    • Give me the applications that have the backend tag.

  • Retrieving applications based on metadata

    • Give me the applications that have dev-team and backend-team applied as metadata.

  • Retrieving vulnerabilities based on session metadata

    • Give me the session metadata for Application X.

    • Give me the vulnerabilities in the latest session for Application X.

    • Give me the vulnerabilities for session metadata Branch Name and feature for Application X.

    • Give me the route coverage for the latest session for Application X.

    • Give me the route coverage for session metadata Branch Name and feature for Application X.

Sample prompts for security teams

  • Give me a breakdown of applications and servers vulnerable to CVE-xxxx-xxxx.

  • List the libraries for Application X and tell me what version of commons-collections is being used.

  • Which vulnerabilities in Application X are being blocked by an ADR or Protect rule?