MCP.so
Sign In

Cycode

@cycodehq

About Cycode

Boost security in your dev lifecycle via SAST, SCA, Secrets & IaC scanning

Basic information

Config

Add this server to your MCP-compatible client using the configuration below.

{
  "mcpServers": {
    "cycode": {
      "command": "uvx",
      "args": [
        "cycode",
        "mcp"
      ],
      "env": {
        "CYCODE_CLIENT_ID": "your-cycode-id",
        "CYCODE_CLIENT_SECRET": "your-cycode-secret-key",
        "CYCODE_API_URL": "https://api.cycode.com",
        "CYCODE_APP_URL": "https://app.cycode.com"
      }
    }
  }
}

Tools

5

Get Cycode CLI version, authentication status, and configuration information. Use this tool when you need to: - verify Cycode CLI is properly configured - check authentication status - get CLI version information - troubleshoot setup issues - confirm service connectivity Returns: JSON string containing CLI status, version, and configuration details

Scan files for hardcoded secrets. Use this tool when you need to: - scan code for hardcoded secrets, API keys, passwords, tokens - verify that code doesn't contain exposed credentials - detect potential security vulnerabilities from secret exposure Args: files: Dictionary mapping file paths to their content Returns: JSON string containing scan results and any secrets found

Scan files for Software Composition Analysis (SCA) - vulnerabilities and license issues. Use this tool when you need to: - scan dependencies for known security vulnerabilities - check for license compliance issues - analyze third-party component risks - verify software supply chain security - review package.json, requirements.txt, pom.xml and other dependency files Important: You must also include lock files (like package-lock.json, Pipfile.lock, etc.) to get accurate results. You must provide manifest and lock files together. Args: files: Dictionary mapping file paths to their content Returns: JSON string containing scan results, vulnerabilities, and license issues found

Scan files for Infrastructure as Code (IaC) misconfigurations. Use this tool when you need to: - scan Terraform, CloudFormation, Kubernetes YAML files - check for cloud security misconfigurations - verify infrastructure compliance and best practices - detect potential security issues in infrastructure definitions - review Docker files for security issues Args: files: Dictionary mapping file paths to their content Returns: JSON string containing scan results and any misconfigurations found

Scan files for Static Application Security Testing (SAST) - code quality and security flaws. Use this tool when you need to: - scan source code for security vulnerabilities - detect code quality issues and potential bugs - check for insecure coding practices - verify code follows security best practices - find SQL injection, XSS, and other application security issues Args: files: Dictionary mapping file paths to their content Returns: JSON string containing scan results and any security flaws found

Overview

What is Cycode?

Cycode is an MCP server that exposes Cycode's scanning capabilities to AI systems via the Model Context Protocol. It allows AI models to interact with Cycode CLI tools for security scanning.

How to use Cycode?

Install the Cycode CLI globally (pip install cycode or brew install cycode), authenticate with cycode auth, then start the server with the command cycode mcp. The server supports stdio, sse, and streamable-http transports.

Key features of Cycode

  • Exposes Cycode scanning tools to AI systems via MCP.
  • Supports three transport types: stdio, SSE, streamable-http.
  • Provides five scanning and status tools.
  • Configurable host and port for non-stdio transports.
  • Requires Python 3.10 or later.
  • Debug logging available via -v or environment variable.

Use cases of Cycode

  • Scan files for hardcoded secrets using cycode_secret_scan.
  • Perform Software Composition Analysis for vulnerabilities and license issues.
  • Detect Infrastructure as Code misconfigurations.
  • Run Static Application Security Testing for code quality and security flaws.
  • Check Cycode CLI version, authentication status, and configuration.

FAQ from Cycode

What Python versions are supported?

The MCP command is available only for Python 3.10 and above.

What authentication is required?

You must authenticate Cycode CLI using cycode auth or configure CYCODE_CLIENT_ID and CYCODE_CLIENT_SECRET environment variables.

How do I start the server with different transports?

Use -t option: cycode mcp -t stdio, cycode mcp -t sse -p 8080, or cycode mcp -t streamable-http -H 0.0.0.0 -p 9000.

Can I run the server in the background?

Yes, for SSE or streamable-HTTP transports you can start the server with & and then configure the client URL.

Where can I find debug logs?

Enable debug logging with cycode -v mcp or set CYCODE_CLI_VERBOSE=1.

Comments

More Developer Tools MCP servers