MCP.so
Sign In
Servers

Zfuzz

@Zfuzz-dev

Real security scanners for AI coding agents: SAST (441 rules), secret detection (419+ patterns), dependency CVEs, MCP/skill vetting, MITRE ATT&CK. Real scanners,

Overview

What is Zfuzz?

Zfuzz is an MCP server that integrates ten real security tools into AI coding agents, enabling them to scan code, secrets, dependencies, MCP configs, and more. It runs 100% locally with no account or telemetry.

How to use Zfuzz?

Install via claude mcp add zfuzz -- npx -y @zfuzz/mcp or add the standard MCP client configuration with the command npx and args ["-y", "@zfuzz/mcp"]. No configuration keys are mentioned beyond the JSON snippet.

Key features of Zfuzz

  • Plugs 10 real security tools into any AI agent.
  • scan_code covers SAST with 441 rules, taint analysis, 7 languages.
  • scan_secrets detects 419+ patterns plus entropy analysis.
  • scan_dependencies checks CVEs via OSV.dev.
  • scan_mcp_config and scan_skill vet for prompt injection and booby-trapped scripts.
  • 100% local, no account, no telemetry.

Use cases of Zfuzz

  • Prevent AI agents from shipping hardcoded keys or vulnerable dependencies.
  • Vet MCP configurations and skills for security risks before use.
  • Perform threat modeling and MITRE ATT&CK mapping during development.
  • Search for security procedures and reconcile permissions across code.

FAQ from Zfuzz

What security tools does Zfuzz include?

It includes scan_code, scan_secrets, scan_dependencies, scan_mcp_config, scan_skill, check_mitre, threat_model, search_security_procedures, explain_finding, and reconcile_permissions.

Does Zfuzz require an internet connection or an account?

No, Zfuzz runs 100% locally with no required account and no telemetry.

What languages are supported for code scanning?

Seven languages are supported for SAST with taint analysis and 441 rules.

Is Zfuzz open source and licensed?

Yes, it is licensed under Apache-2.0 and the repository is at https://github.com/Zfuzz-dev/zfuzz-mcp.

Tags

More from Developer Tools