A Model Context Protocol (MCP) server that provides Claude Code with direct access to your local CI/CD security tools:
- Trivy - Vulnerability scanning for code and containers
- SonarQube - Code quality and security analysis
- Dependency-Track - SBOM and dependency vulnerability management
- Gitea - Git repository management
- Drone CI - CI/CD pipeline management
- Docker Registry - Container image management
```bash
cd mcp-server
npm install
npm run build
```

Add the MCP server to your Claude Code configuration.
Windows: Edit %APPDATA%\Claude\claude_desktop_config.json
macOS: Edit ~/Library/Application Support/Claude/claude_desktop_config.json
Linux: Edit ~/.config/Claude/claude_desktop_config.json
Add this configuration:

```json
{
  "mcpServers": {
    "cicd-security": {
      "command": "node",
      "args": ["C:/Users/keeh/OneDrive - Mansoft/Skrivebord/Mock Servers/ci-co/mcp-server/dist/index.js"],
      "env": {
        "GITEA_URL": "http://localhost:3000",
        "GITEA_USER": "localadmin",
        "GITEA_PASSWORD": "admin123",
        "DRONE_URL": "http://localhost:8085",
        "DRONE_TOKEN": "",
        "SONARQUBE_URL": "http://localhost:9000",
        "SONARQUBE_USER": "admin",
        "SONARQUBE_PASSWORD": "admin",
        "DTRACK_URL": "http://localhost:8081",
        "DTRACK_API_KEY": "",
        "TRIVY_URL": "http://localhost:4954",
        "REGISTRY_URL": "http://localhost:5000"
      }
    }
  }
}
```

Dependency-Track API Key:
- Go to http://localhost:8082
- Login (admin/admin)
- Administration → Access Management → Teams → Automation
- Copy the API Key
- Add to `DTRACK_API_KEY` in config
Drone CI Token:
- Go to http://localhost:8085
- Login via Gitea
- Click your profile → Token
- Copy the token
- Add to `DRONE_TOKEN` in config
After saving the configuration, restart Claude Code to load the MCP server.
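A small configuration check, added here as an example and not part of the mcp-server project, that catches the setup mistakes the troubleshooting section lists (wrong entry point path, malformed service URLs, tokens left empty) before you restart Claude Code. The `SAMPLE_CONFIG` object and its placeholder path are constructed; it mirrors the configuration above before the two tokens are filled in.

```javascript
// Added example, not part of the mcp-server project: sanity-check the
// "cicd-security" entry of claude_desktop_config.json. It verifies the
// entry point path, that every *_URL value is an http(s) URL, and that
// the secrets the setup steps tell you to fill in are not empty.
const REQUIRED_URLS = ["GITEA_URL", "DRONE_URL", "SONARQUBE_URL",
  "DTRACK_URL", "TRIVY_URL", "REGISTRY_URL"];
const REQUIRED_SECRETS = ["GITEA_PASSWORD", "SONARQUBE_PASSWORD",
  "DTRACK_API_KEY", "DRONE_TOKEN"];

function isHttpUrl(value) {
  try { return ["http:", "https:"].includes(new URL(value).protocol); }
  catch (_) { return false; }
}

// Returns a list of human-readable problems; an empty list means the entry looks usable.
function validateCicdConfig(config) {
  const server = config && config.mcpServers && config.mcpServers["cicd-security"];
  if (!server) return ["no mcpServers.cicd-security entry"];
  const problems = [];
  if (server.command !== "node") {
    problems.push(`command should be "node", got ${JSON.stringify(server.command)}`);
  }
  const entry = Array.isArray(server.args) ? server.args[0] : undefined;
  if (typeof entry !== "string" || !entry.endsWith("dist/index.js")) {
    problems.push("args[0] must point at mcp-server/dist/index.js (build it with `npm run build`)");
  }
  const env = server.env || {};
  for (const name of REQUIRED_URLS) {
    if (!isHttpUrl(env[name])) {
      problems.push(`${name} is missing or not an http(s) URL: ${JSON.stringify(env[name])}`);
    }
  }
  for (const name of REQUIRED_SECRETS) {
    if (typeof env[name] !== "string" || env[name].trim() === "") problems.push(`${name} is empty`);
  }
  return problems;
}

// Constructed sample: the README's config with a placeholder path, tokens not yet filled in.
const SAMPLE_CONFIG = { mcpServers: { "cicd-security": { command: "node",
  args: ["/path/to/ci-co/mcp-server/dist/index.js"],
  env: { GITEA_URL: "http://localhost:3000", GITEA_USER: "localadmin", GITEA_PASSWORD: "admin123",
    DRONE_URL: "http://localhost:8085", DRONE_TOKEN: "",
    SONARQUBE_URL: "http://localhost:9000", SONARQUBE_USER: "admin", SONARQUBE_PASSWORD: "admin",
    DTRACK_URL: "http://localhost:8081", DTRACK_API_KEY: "",
    TRIVY_URL: "http://localhost:4954", REGISTRY_URL: "http://localhost:5000" } } } };

const problems = validateCicdConfig(SAMPLE_CONFIG);
console.log(problems.length ? problems.map((p) => "- " + p).join("\n") : "config looks OK");
```

To check a real file, replace `SAMPLE_CONFIG` with `JSON.parse(fs.readFileSync(path, "utf8"))` for your platform's `claude_desktop_config.json` path.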
| Tool | Description |
|---|---|
| `trivy_scan_path` | Scan a local directory for vulnerabilities |
| `trivy_scan_image` | Scan a Docker image for vulnerabilities |

| Tool | Description |
|---|---|
| `sonar_list_projects` | List all SonarQube projects |
| `sonar_get_issues` | Get bugs, vulnerabilities, code smells |
| `sonar_get_security_hotspots` | Get security hotspots |
| `sonar_get_metrics` | Get quality metrics |

| Tool | Description |
|---|---|
| `dtrack_list_projects` | List all projects |
| `dtrack_get_vulnerabilities` | Get vulnerabilities for a project |
| `dtrack_get_findings` | Get all security findings |
| `dtrack_get_components` | Get all dependencies |

| Tool | Description |
|---|---|
| `gitea_list_repos` | List all repositories |
| `gitea_get_repo` | Get repository details |
| `gitea_get_branches` | List branches |
| `gitea_get_commits` | Get commit history |
| `gitea_create_repo` | Create a new repository |
| `gitea_migrate_repo` | Migrate from GitHub |

| Tool | Description |
|---|---|
| `drone_list_repos` | List synced repositories |
| `drone_get_builds` | Get build history |
| `drone_get_build` | Get build details |
| `drone_get_build_logs` | Get build step logs |
| `drone_trigger_build` | Trigger a new build |

| Tool | Description |
|---|---|
| `registry_list_images` | List all images |
| `registry_get_tags` | Get image tags |

| Tool | Description |
|---|---|
| `security_scan_all` | Run a comprehensive security scan with all tools |
Once configured, you can ask Claude Code:
- "Scan this project for vulnerabilities"
- "Check for security issues in my code"
- "What CVEs affect my dependencies?"
- "Scan the nginx:latest image for vulnerabilities"
- "Show me the SonarQube issues for my project"
- "What security hotspots were found?"
- "Get the code quality metrics"
- "List my Gitea repositories"
- "Migrate my-repo from GitHub to Gitea"
- "Show recent commits for my-project"
- "Create a new repository called my-app"
- "Show me the recent builds for my-project"
- "Why did the last build fail?"
- "Get the logs for build #5"
- "Trigger a new build"
- "Run a full security scan on this project"
- "Check the status of all CI/CD services"
The MCP server also provides these resources:
| Resource URI | Description |
|---|---|
| `cicd://status` | Health status of all services |
| `cicd://config` | Current configuration |
| Variable | Default | Description |
|---|---|---|
| `GITEA_URL` | http://localhost:3000 | Gitea server URL |
| `GITEA_USER` | localadmin | Gitea username |
| `GITEA_PASSWORD` | admin123 | Gitea password |
| `DRONE_URL` | http://localhost:8085 | Drone CI URL |
| `DRONE_TOKEN` | (empty) | Drone API token |
| `SONARQUBE_URL` | http://localhost:9000 | SonarQube URL |
| `SONARQUBE_USER` | admin | SonarQube username |
| `SONARQUBE_PASSWORD` | admin | SonarQube password |
| `DTRACK_URL` | http://localhost:8081 | Dependency-Track API URL |
| `DTRACK_API_KEY` | (empty) | Dependency-Track API key |
| `TRIVY_URL` | http://localhost:4954 | Trivy server URL |
| `REGISTRY_URL` | http://localhost:5000 | Docker Registry URL |
- Check that the path in `claude_desktop_config.json` is correct
- Ensure the server is built (`npm run build`)
- Check Claude Code logs for errors
- Ensure Docker containers are running: `docker compose ps`
- Check service URLs in environment variables
- Verify credentials are correct
- Get the API key from http://localhost:8082
- Add it to the `DTRACK_API_KEY` environment variable
- Get the token from http://localhost:8085 (Profile → Token)
- Add it to the `DRONE_TOKEN` environment variable
```bash
# Install dependencies
npm install
# Build
npm run build
# Run tests
npm test
# Run with coverage
npm run test:coverage
# Development mode (watch)
npm run dev
```

The MCP server is a thin wrapper around @cicd/shared:

```
mcp-server/
├── src/
│   ├── index.ts          # MCP server entry point
│   ├── handlers.ts       # Re-exported from @cicd/shared
│   ├── handlers.test.ts
│   └── index.test.ts
├── package.json
└── tsconfig.json
```
All business logic lives in the shared library, making the server easy to maintain and test.
- API Reference - Complete tool and handler documentation
- Developer Guide - How to extend the platform
- Main README - Platform overview
MIT