MCP.so
Sign In

Contrast MCP Server

@Contrast-Security-OSS

About Contrast MCP Server

MCP Server for Contrast Security

Basic information

Category

Other

License

Apache-2.0

Runtime

java

Transports

stdio

Publisher

Contrast-Security-OSS

Config

No standard config provided

This server doesn't expose a parseable MCP config block in its README. See the repository for install instructions.

Repository

Tools

No tools detected

We auto-extract tools from the README. The maintainer can list them under a ## Tools heading to populate this section.

Overview

What is Contrast MCP Server?

The Contrast MCP Server connects Contrast Security to your AI coding agent so you can remediate vulnerabilities, update insecure libraries, and analyze security coverage through natural language. It comes in two forms—a hosted remote server for SaaS customers (recommended, with OAuth sign-in) and a local open-source server for on-premises and Enterprise On-Premises instances.

How to use Contrast MCP Server?

For the hosted server, add it to your MCP client using the endpoint URL https://<your-contrast-host>/mcp over Streamable HTTP with OAuth 2.0 PKCE (e.g., claude mcp add --transport http contrast-hosted-mcp https://app.contrastsecurity.com/mcp). For the local server, run it as a stdio process using Docker or Java 21+ with Contrast API credentials.

Key features of Contrast MCP Server

  • Two deployment options: hosted (remote, OAuth) and local (open-source, API keys)
  • Read-only hosted server prevents data modification
  • Tools for vulnerabilities, applications, libraries, attacks, route coverage, SAST, and issues/incidents
  • OAuth for hosted server; API keys for local server
  • Organization-scoped sessions with existing role-based access control
  • No data storage by the hosted server

Use cases of Contrast MCP Server

  • Search and view vulnerabilities across applications using natural language
  • List libraries used by an application and find apps affected by a specific CVE
  • Search attack events and get protection rules for an application
  • Retrieve route coverage data showing exercised vs. discovered routes
  • Get SAST scan results in SARIF format (local server only)

FAQ from Contrast MCP Server

What is the difference between the hosted and local versions?

The hosted server is a remote MCP server run by Contrast, uses OAuth sign-in (no API keys), is read-only, and requires a Contrast SaaS account. The local server runs on your machine with API keys, supports on-premises/EOP instances, and includes raw SARIF scan output.

What are the prerequisites for the hosted server?

You need a Contrast SaaS account with access to at least one organization, an MCP client that supports Streamable HTTP transport and OAuth 2.0 with PKCE, and a modern web browser for sign-in.

Is the hosted server read-only?

Yes, every tool in the hosted server is read-only. You cannot modify, update, or delete data through it.

Which MCP clients are supported?

Claude Code CLI, Codex CLI, GitHub Copilot CLI, opencode, and Claude Desktop are supported. Gemini CLI and VS Code Copilot plugin are not yet supported due to OAuth compatibility issues.

How does the security warning apply to this server?

Exposing Contrast vulnerability data to an AI service that trains on prompts can leak sensitive information. Only use the server with environments that guarantee data isolation and prohibit model training on your inputs. Avoid public consumer LLM sites and prefer enterprise services with contractual privacy guarantees.

Comments

More Other MCP servers