sast-mcp-server 0.6.0__tar.gz

sast_mcp_server-0.6.0/.github/workflows/ci.yml

@@ -0,0 +1,47 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+    tags: ["v*"]
+  pull_request:
+    branches: [main]
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+      - run: pip install ruff
+      - run: ruff check sast_mcp_server/
+
+  test:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        python-version: ["3.10", "3.11", "3.12", "3.13"]
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+      - run: pip install -e ".[dev]"
+      - run: pytest tests/ -v --tb=short
+
+  publish:
+    needs: [lint, test]
+    runs-on: ubuntu-latest
+    if: startsWith(github.ref, 'refs/tags/v')
+    permissions:
+      id-token: write
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+      - run: pip install build
+      - run: python -m build
+      - uses: pypa/gh-action-pypi-publish@release/v1

sast_mcp_server-0.6.0/.gitignore

@@ -0,0 +1,42 @@
+# Python
+__pycache__/
+*.py[cod]
+*$py.class
+*.so
+
+# Distribution / packaging
+dist/
+build/
+*.egg-info/
+*.egg
+
+# Virtual environments
+.venv/
+venv/
+env/
+
+# IDE
+.vscode/
+.idea/
+*.swp
+*.swo
+*~
+
+# Testing
+.pytest_cache/
+.coverage
+htmlcov/
+.mypy_cache/
+
+# OS
+.DS_Store
+Thumbs.db
+
+# Project-specific
+.sast-mcp-ignore.json
+
+# Testing
+.pytest_cache/
+.coverage
+htmlcov/
+.mypy_cache/

sast_mcp_server-0.6.0/CHANGELOG.md

@@ -0,0 +1,126 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+## [0.6.0] - 2026-06-12
+### Added
+- **DefectDojo integration**: New `upload_to_defectdojo` tool imports a SARIF
+  export into a DefectDojo engagement (`/api/v2/import-scan/`). Configured via
+  `DEFECTDOJO_URL` / `DEFECTDOJO_API_KEY` environment variables.
+- **GitHub Code Scanning integration**: New `upload_to_github` tool pushes a
+  gzipped+base64 SARIF report to `/repos/{owner}/{repo}/code-scanning/sarifs`.
+  Configured via the `GITHUB_TOKEN` environment variable.
+- **AI patch generation**: New `generate_fix_prompt` tool packages a cached
+  finding's vulnerable code and context into an LLM-ready prompt that asks for
+  a strict unified diff; the new `apply_patch` tool applies an agent-supplied
+  diff to disk via `git apply` (rejecting paths that escape the target).
+- **`integrations/` package** (`defectdojo.py`, `github.py`) and
+  **`enrichment/patch_prompt.py`** / **`enrichment/patch_apply.py`** modules.
+- `ScanCache.find_finding_by_hash()` to recover full finding details by hash.
+
+### Changed
+- Standardized a `name` class attribute on every scanner via `BaseScanner`,
+  replacing the inconsistent `name` property on the newer scanners.
+- Added `httpx` as an explicit runtime dependency.
+- The `fix_vulnerability` MCP prompt now drives the
+  `generate_fix_prompt` → `apply_patch` workflow.
+
+### Fixed
+- Resolved all `ruff` lint violations across the scanner modules so CI lint
+  passes again; cleaned up dead CVSS-parsing code in the OSV scanner and gave
+  it an honest `database_specific.severity` mapping.
+- Aligned scanner `scan()` signatures with the base class
+  (`modified_files: set[str] | None`), fixing Liskov/type violations.
+- Eliminated `coroutine was never awaited` warnings in the scanner test suite.
+
+## [0.5.0] - 2026-06-12
+### Added
+- **Gitleaks Integration**: Deep secret scanning across entire git histories to detect leaked API keys and tokens from past commits.
+- **OSV-Scanner Integration**: Advanced Software Composition Analysis (SCA) mapped to the Google OSV database.
+- **OWASP ZAP Integration (DAST)**: Dynamic Application Security Testing capability via Docker Compose orchestration (`run_active_scan` tool).
+
+## [0.4.0] - 2026-06-11
+### Added
+- **Streamable HTTP Transport**: Added `--transport streamable-http` for production remote deployments (MCP 2026 standard).
+- **JWT Authentication**: Replaced static API key with JWT scoped tokens (`SAST_MCP_JWT_SECRET`).
+- **Baseline Caching**: Scans are automatically cached. New tools `save_baseline` and `compare_baseline` to track security trends and regressions over time.
+- **MCP Resources**: Expose read-only security dashboards, cache metadata, configuration, and scanner status via `sast://` resource URIs.
+- **MCP Prompts**: Added pre-built security workflows for agents: `security_review`, `fix_vulnerability`, `pr_security_check`, and `compliance_report`.
+
+### Changed
+- SSE transport is now deprecated in favor of Streamable HTTP.
+- Dependency `pyjwt` added for authentication capabilities.
+
+## [0.3.0] - 2026-06-09
+
+### Added
+- **Trivy scanner** — 5th scanner covering dependency CVEs (SCA), secret detection, and IaC misconfigurations (Terraform, Kubernetes, Docker, CloudFormation)
+- **CodeQL scanner** — 6th scanner providing deep semantic SAST with data-flow and taint tracking (by GitHub); supports database caching for faster re-scans
+- **Checkov scanner** — 7th scanner for Infrastructure-as-Code policy enforcement with 1000+ built-in checks
+- **`scan_all` tool** — run ALL installed scanners in parallel with automatic content-based deduplication; shows which scanners were used vs. skipped
+- **`export_sarif` tool** — export scan results in SARIF 2.1.0 format for CI/CD integration (GitHub Code Scanning, GitLab SAST, Azure DevOps)
+- **SARIF module** (`sarif.py`) — bidirectional SARIF 2.1.0 conversion: Finding→SARIF for export, SARIF→Finding for CodeQL import
+- **Multi-scanner aggregator** (`aggregator.py`) — concurrent scanner execution with `asyncio.gather()`, hash-based deduplication keeping highest severity, severity-sorted output
+- **CodeQL language auto-detection** — counts file extensions in target directory to pick the dominant supported language
+- **CodeQL database caching** — stores database in `.sast-mcp-codeql-db/` to avoid rebuilding on every scan
+- **Trivy multi-type parsing** — unified parser for three different Trivy JSON output structures (Vulnerabilities, Secrets, Misconfigurations)
+- **Checkov multi-block parsing** — handles both single-dict and list-of-dicts output formats from Checkov
+- **IaC language detection** — detects Terraform, Kubernetes YAML, Dockerfile, CloudFormation, Bicep, and Helm files
+- **SARIF data flow support** — serializes `DataFlowStep` traces into SARIF `codeFlows` / `threadFlows`
+- **SARIF fingerprint preservation** — round-trips finding hashes through SARIF `fingerprints.primaryLocationHash`
+- **Comprehensive test suite** — 25+ new tests covering all three new scanners, SARIF export/parse, aggregator deduplication, and new server tools
+
+### Changed
+- Scanner factory now registers 7 scanners (was 4)
+- MCP server instructions updated to describe all 7 scanners and new tools
+- Updated `pyproject.toml` keywords to include trivy, codeql, checkov, sarif
+- Version bumped to 0.3.0
+
+## [0.2.0] - 2026-06-07
+
+### Added
+- **Semgrep scanner** — 4th scanner supporting 30+ languages with community rule registry
+- **SSE/HTTP transport** — remote deployments via `--transport sse --port 8080`
+- **API key authentication** — `SAST_MCP_API_KEY` env var for secure remote access
+- **`list_scanners` tool** — check available scanners and their installation status
+- **`unignore_vulnerability` tool** — reverse a previous ignore action
+- **`list_ignored_vulnerabilities` tool** — view all suppressed findings
+- **Typed data models** — `Finding`, `SeverityLevel`, `ConfidenceLevel` enums
+- **Tree-sitter JavaScript/TypeScript support** — AST-aware context for JS/TS files
+- **Configurable scan timeout** — `SAST_MCP_TIMEOUT` env var (default 300s)
+- **Structured logging** — logs to stderr only (prevents stdio transport corruption)
+- **Gemini CLI extension** — `gemini-extension.json` + `GEMINI.md` context file
+- **Cross-platform docs** — setup guides for Claude Desktop, OpenAI, Cursor
+- **Smithery.ai manifest** — marketplace listing for discovery
+- **Docker support** — Dockerfile with all scanners pre-installed
+- **CI/CD pipeline** — GitHub Actions for lint, test, and PyPI publish
+- **Comprehensive test suite** — 30+ tests covering all scanners, enrichment, and server logic
+- **Atomic ignore file writes** — prevents corruption on crash
+- **Timestamps in ignore entries** — audit trail for suppressed findings
+- **Backward-compatible ignore format** — migrates old `hash → reason` format
+
+### Fixed
+- **Bearer confidence hardcoded to HIGH** — now parsed from actual output
+- **njsscan severity hardcoded to HIGH** — now parsed from metadata
+- **njsscan only processed first file** — now handles all files in multi-file findings
+- **Scanner errors silently swallowed** — stderr now propagated in error messages
+- **Hash instability** — finding hashes no longer depend on line numbers
+- **tree-sitter deps declared but unused** — now actually used for JS/TS context
+- **Invalid severity/confidence accepted** — now validated against enum values
+- **Logging to stdout corrupted stdio transport** — fixed to log to stderr only
+
+### Changed
+- Restructured to proper Python package layout (`sast_mcp_server/`)
+- Updated `pyproject.toml` with full PyPI metadata, entry points, and tool configs
+- Scanner factory now supports dynamic registration and metadata queries
+- Replaced raw `Dict` returns with typed `Finding` dataclass
+
+## [0.1.0] - Initial Release
+
+### Added
+- Basic MCP server with Bandit, njsscan, and Bearer scanners
+- AST context enrichment for Python files
+- Git diff filtering
+- Finding ignore list
+- Severity and confidence filtering
+- Pagination support

sast_mcp_server-0.6.0/CLAUDE.md

@@ -0,0 +1,171 @@
+# CLAUDE.md
+
+This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
+
+## Project Overview
+
+SAST MCP Server — a [FastMCP](https://github.com/jlowin/fastmcp)-based MCP server that exposes
+10 static/dynamic security scanners (Bandit, njsscan, Bearer, Semgrep, Trivy, CodeQL, Checkov,
+Gitleaks, OSV-Scanner, OWASP ZAP) as tools for AI agents (Gemini CLI, Claude Desktop, Cursor,
+OpenAI Agents, etc.). Findings are normalized into a typed `Finding` model, enriched with
+AST-aware code context, deduplicated across scanners, and can be exported as SARIF 2.1.0 for
+CI/CD.
+
+## Development Commands
+
+```bash
+# Install with dev dependencies (editable)
+pip install -e ".[dev]"
+
+# Run the full test suite
+pytest tests/ -v
+
+# Run a single test file
+pytest tests/test_scanners.py -v
+
+# Run a single test
+pytest tests/test_scanners.py::TestBanditScanner::test_parse_findings -v
+
+# Lint (this is what CI runs)
+ruff check sast_mcp_server/
+
+# Type check (configured in pyproject.toml, not enforced in CI)
+mypy sast_mcp_server/
+
+# Run the server locally (stdio transport, for MCP client integration)
+python -m sast_mcp_server
+# or, once installed:
+sast-mcp-server
+
+# Run as a remote HTTP server (Streamable HTTP is the current standard; SSE is deprecated)
+sast-mcp-server --transport streamable-http --host 0.0.0.0 --port 8080
+```
+
+CI (`.github/workflows/ci.yml`) runs `ruff check sast_mcp_server/` and
+`pytest tests/ -v --tb=short` across Python 3.10–3.13, then publishes to PyPI on `v*` tags.
+
+## Architecture
+
+### Entry point and server registration
+
+`sast_mcp_server/server.py` builds the `FastMCP` instance and registers all `@mcp.tool()`
+functions (`scan_vulnerabilities`, `scan_all`, `scan_git_history`, `run_active_scan`,
+`export_sarif`, `save_baseline`, `compare_baseline`, `list_scanners`, `ignore_vulnerability`,
+`unignore_vulnerability`, `list_ignored_vulnerabilities`, plus the v0.6.0 tools
+`upload_to_defectdojo`, `upload_to_github`, `generate_fix_prompt`, `apply_patch`).
+`register_resources(mcp)` and `register_prompts(mcp)` wire up MCP Resources and Prompts from
+`resources.py` / `prompts.py`. The decorated tool functions stay directly callable, so tests
+import and `await` them as plain functions.
+
+**Critical constraint:** all logging is configured to go to `stderr`
+(`logging.basicConfig(..., stream=sys.stderr)`). Never write to stdout — it corrupts the stdio
+MCP transport.
+
+### Scanner plugin architecture
+
+Each scanner lives in `sast_mcp_server/scanners/<name>.py` and subclasses `BaseScanner`
+(`scanners/base.py`), implementing:
+- `check_dependency()` — raises `RuntimeError` if the underlying CLI/binary isn't available.
+- `scan(target_path, min_severity, min_confidence, modified_files, timeout)` — runs the tool
+  (usually via `asyncio.create_subprocess_exec`, parsing JSON/SARIF stdout or a report file) and
+  returns `list[Finding]`.
+
+`scanners/factory.py` is the single source of truth for scanner registration:
+- `_SCANNER_REGISTRY` maps scanner name → class (used by `ScannerFactory.get_scanner()` /
+  `list_scanners()`).
+- `SCANNER_INFO` provides display metadata (description, languages, install command) for the
+  `list_scanners` tool and `sast://scanners` resource.
+
+Every scanner sets a `name` class attribute (declared as `ClassVar[str]` on `BaseScanner`) equal
+to its registry key; it is used both as `Finding.scanner` and by callers that persist results
+(e.g. `cache.save_scan(scanner.name, ...)`). To add a new scanner: implement the `BaseScanner`
+subclass (including `name`), register it in both `_SCANNER_REGISTRY` and `SCANNER_INFO` in
+`factory.py`, and export it from `scanners/__init__.py`.
+
+ZAP is the only DAST scanner — its `scan()` raises `NotImplementedError` and instead exposes
+`run_dynamic_scan()`, invoked via the dedicated `run_active_scan` tool, which orchestrates
+`docker compose up` → wait for the URL → run the `zap-baseline.py` container → `docker compose down`.
+
+### Finding pipeline
+
+1. Scanner produces raw `Finding` objects (`models.py`): `scanner`, `title`, `message`, `file`,
+   `line_start/end`, `severity` (`SeverityLevel`), `confidence` (`ConfidenceLevel`), `context`,
+   `language`, `finding_hash`, optional `data_flow: list[DataFlowStep]`.
+2. `finding_hash` is computed by `BaseScanner.generate_hash(file_path, title, code_snippet)` —
+   a SHA-256 of `file:title:normalized_snippet`, designed to stay stable across line-number
+   shifts but change if the vulnerable code moves elsewhere. This hash is the key used for
+   ignore-list entries, dedup, and baseline diffing.
+3. `enrichment/ast_context.get_function_context()` expands a bare line number into the full
+   enclosing function/class: native `ast` for Python, tree-sitter for JS/TS (if installed),
+   falling back to ±10 lines for everything else.
+4. `enrichment/ignore_manager.IgnoreManager` filters out findings whose hash is in
+   `<target>/.sast-mcp-ignore.json` (atomic write via temp-file + `os.replace`).
+5. `enrichment/git_diff.get_modified_files()` supports `git_diff_only=True` by intersecting
+   findings with `git diff --name-only HEAD`.
+
+### Multi-scanner aggregation (`aggregator.py`)
+
+`run_all_scanners()` checks `check_dependency()` for every registered scanner, runs the
+available ones concurrently with `asyncio.gather`, then `_deduplicate_findings()` collapses
+findings sharing a `finding_hash` (keeping the higher-severity / data-flow-bearing copy), and
+sorts the result by `SEVERITY_ORDER` (CRITICAL first). Returns
+`(findings, used_scanners, skipped_scanners)`.
+
+### Caching & baselines (`cache.py`)
+
+`ScanCache` persists scan results as JSON under `<target_path>/.sast-mcp-cache/`:
+- `save_scan(..., tag=...)` writes a timestamped file and, if `tag` is set, also overwrites
+  `<scanner>_tag_<tag>.json` (used as a named baseline).
+- `compare(baseline, current_findings)` returns a `ScanDiff` (new/fixed/unchanged findings +
+  per-severity trend), driving the `compare_baseline` tool and `pr_security_check` prompt.
+- `cleanup_expired()` removes non-tagged scans older than `SAST_MCP_CACHE_TTL` (default 24h).
+
+### SARIF (`sarif.py`)
+
+Bidirectional SARIF 2.1.0 conversion: `findings_to_sarif()` powers `export_sarif`;
+`parse_sarif()` is used by the CodeQL scanner to ingest CodeQL's native SARIF output and
+re-enrich it with AST context and stable hashes.
+
+### Dashboard integrations (`integrations/`)
+
+`integrations/defectdojo.py` and `integrations/github.py` push a SARIF export to external
+platforms via `httpx.AsyncClient`. Credentials come **only** from environment variables
+(`DEFECTDOJO_URL`/`DEFECTDOJO_API_KEY`, `GITHUB_TOKEN`) so secrets never land in tool arguments
+or transcripts. Both raise the shared `IntegrationError` (from `integrations/__init__.py`) on
+missing config, unreadable files, or non-2xx responses; the server tools catch it and return a
+friendly message. GitHub's endpoint requires the SARIF be gzip-compressed then base64-encoded.
+
+### AI patch generation (`enrichment/patch_prompt.py`, `enrichment/patch_apply.py`)
+
+Division of responsibility: the **server packages context**, the **agent generates the diff**,
+and `apply_patch` writes it. `build_patch_prompt()` recovers a finding by hash via
+`ScanCache.find_finding_by_hash()`, reads a line-numbered window of the source, and renders a
+prompt instructing an LLM to emit a strict unified diff. `apply_unified_diff()` shells out to
+`git apply` (works without a repo; rejects paths escaping the target unless `--unsafe-paths`,
+which we never pass) and supports `check_only` for a dry run.
+
+### Auth (`auth.py`)
+
+`AuthProvider` supports three modes selected by env vars: no auth (stdio/local — all scopes
+granted), static `SAST_MCP_API_KEY` (legacy), or `SAST_MCP_JWT_SECRET` (HMAC-SHA256 JWT with
+`scopes`/`exp` claims, scopes drawn from `SCOPE_SCAN_READ`/`SCOPE_SCAN_WRITE`/`SCOPE_CONFIG_WRITE`/
+`SCOPE_ADMIN`). `create_jwt()` is a helper for minting test tokens.
+
+### MCP Resources & Prompts
+
+- `resources.py` exposes read-only `sast://` URIs (`sast://scanners`, `sast://config`,
+  `sast://cache/{target_path}/latest`, `sast://cache/{target_path}/baseline/{tag}`,
+  `sast://ignore/{target_path}`, `sast://dashboard/{target_path}`) backed by `ScanCache` /
+  `IgnoreManager` / `ScannerFactory` — no scans are run.
+- `prompts.py` defines reusable workflow templates (`security_review`, `fix_vulnerability`,
+  `pr_security_check`, `compliance_report`) that return instruction strings guiding an agent
+  through a sequence of tool calls.
+
+## Testing conventions
+
+- Tests live in `tests/`, fixtures (recorded scanner JSON/SARIF output) in `tests/fixtures/`.
+- Subprocess-based scanners are tested by patching `asyncio.create_subprocess_exec` and
+  `asyncio.wait_for` to return a mocked process whose `communicate()` resolves to fixture bytes
+  (see the `_mock_subprocess` helper duplicated in `test_scanners.py` / `test_new_scanners.py`).
+- `pytest-asyncio` is in `auto` mode (`pyproject.toml`), so `async def test_*` functions need no
+  extra decorator beyond `@pytest.mark.asyncio` (already used throughout for consistency).

sast_mcp_server-0.6.0/Dockerfile

@@ -0,0 +1,26 @@
+FROM python:3.12-slim AS base
+
+# Install system dependencies for Bearer
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    git \
+    curl \
+    && rm -rf /var/lib/apt/lists/*
+
+# Install Bearer CLI
+RUN curl -sfL https://raw.githubusercontent.com/Bearer/bearer/main/contrib/install.sh | sh
+
+# Set up Python environment
+WORKDIR /app
+
+# Install Python package and scanner dependencies
+COPY pyproject.toml README.md LICENSE ./
+COPY sast_mcp_server/ ./sast_mcp_server/
+
+RUN pip install --no-cache-dir . bandit njsscan
+
+# Create non-root user for security
+RUN useradd --create-home --shell /bin/bash scanner
+USER scanner
+
+# Default: run the MCP server in stdio mode
+ENTRYPOINT ["sast-mcp-server"]

sast_mcp_server-0.6.0/GEMINI.md

@@ -0,0 +1,100 @@
+## Tool Purpose
+
+This extension provides **SAST (Static Application Security Testing)** scanning capabilities.
+It can scan codebases for security vulnerabilities using industry-standard tools:
+Bandit (Python), njsscan (JavaScript/Node.js), Bearer (multi-language with data-flow analysis),
+Semgrep (30+ languages with community rule registry), Trivy (vulnerabilities, secrets, IaC),
+CodeQL (deep semantic analysis with taint tracking), Checkov (Infrastructure-as-Code policies),
+Gitleaks (deep secret scanning in git history), OSV-Scanner (Software Composition Analysis),
+and OWASP ZAP (Dynamic Application Security Testing via Docker orchestration).
+
+## Available Tools
+
+1. **`scan_vulnerabilities`** — Scan a directory for security vulnerabilities (SAST)
+2. **`scan_all`** — Run ALL installed scanners in parallel with deduplication
+3. **`scan_git_history`** — Scan the entire `.git` history for leaked secrets (Gitleaks)
+4. **`run_active_scan`** — Run a dynamic (DAST) baseline scan by orchestrating Docker Compose (ZAP)
+5. **`export_sarif`** — Export scan results in SARIF 2.1.0 format for CI/CD
+6. **`list_scanners`** — Check which scanners are installed and available
+7. **`ignore_vulnerability`** — Suppress a known false positive
+8. **`unignore_vulnerability`** — Re-enable a previously ignored finding
+9. **`list_ignored_vulnerabilities`** — Show all currently suppressed findings
+10. **`save_baseline`** — Save a scan result as a baseline for future comparison
+11. **`compare_baseline`** — Compare current codebase against a saved baseline
+12. **`upload_to_defectdojo`** — Import a SARIF export into a DefectDojo engagement
+13. **`upload_to_github`** — Upload a SARIF report to GitHub Code Scanning
+14. **`generate_fix_prompt`** — Build an LLM prompt to fix a finding as a unified diff
+15. **`apply_patch`** — Apply an agent-generated unified diff to disk (via `git apply`)
+
+## Usage Patterns
+
+### Initial Setup
+Always start by calling `list_scanners` to verify which tools are available on the user's system.
+
+### Choosing a Scanner
+- **Python projects** → use `scanner_name="bandit"` or `scanner_name="semgrep"`
+- **JavaScript/Node.js projects** → use `scanner_name="njsscan"` or `scanner_name="semgrep"`
+- **Multi-language or uncertain** → use `scanner_name="semgrep"` (broadest coverage)
+- **Data-flow analysis needed** → use `scanner_name="bearer"`
+- **Dependency CVEs / supply chain** → use `scanner_name="osv-scanner"` or `trivy`
+- **Secrets in git history** → use `scan_git_history`
+- **Deep semantic analysis** → use `scanner_name="codeql"` (slower but finds complex flaws)
+- **Infrastructure-as-Code policies** → use `scanner_name="checkov"`
+- **Dynamic Application Testing (DAST)** → use `run_active_scan` (orchestrates ZAP via Docker)
+- **Comprehensive scan** → use `scan_all` to run everything installed at once
+
+### Scanning Workflow
+1. Call `scan_vulnerabilities` (or `scan_all` for comprehensive coverage) with the project root path
+2. Review findings — focus on HIGH and CRITICAL severity first
+3. For each finding, suggest a fix based on the provided code context
+4. If the user confirms a false positive, use `ignore_vulnerability` with a clear reason
+
+### Regression & Trend Tracking (Baselines)
+When establishing a security posture or before a major refactor:
+1. Call `save_baseline(tag="main")` to snapshot the current state
+2. After changes, call `compare_baseline(tag="main")` to see newly introduced vs. fixed vulnerabilities
+
+### Using MCP Prompts (Workflows)
+You have access to pre-built security workflows via MCP prompts. You should invoke these when asked to perform a broad security task:
+- `security_review`: For a comprehensive codebase assessment
+- `fix_vulnerability`: For deep-dive remediation of a specific finding hash
+- `pr_security_check`: When reviewing a Pull Request or git diff
+- `compliance_report`: When asked about OWASP Top 10 or PCI-DSS compliance
+
+### Using MCP Resources (Context)
+You can access read-only contextual data without running a scan by requesting these resources:
+- `sast://dashboard/{target_path}`: View a high-level severity distribution and overall security posture
+- `sast://cache/{target_path}/latest`: View metadata of the most recent scans without waiting for execution
+
+### CI/CD Integration
+Use `export_sarif` to generate SARIF 2.1.0 output that can be uploaded to:
+- GitHub Code Scanning
+- GitLab SAST
+- Azure DevOps
+- Any SARIF-compatible security dashboard
+
+### Dashboard Upload & AI Remediation (v0.6.0)
+- After `export_sarif(output_path=...)`, push the report to a dashboard with
+  `upload_to_defectdojo` or `upload_to_github`. Credentials come from
+  environment variables only (`DEFECTDOJO_URL`/`DEFECTDOJO_API_KEY`,
+  `GITHUB_TOKEN`) — never ask the user to paste secrets as arguments.
+- To remediate a finding: call `generate_fix_prompt(target_path, finding_hash)`
+  to get an LLM-ready prompt, produce a unified diff, then `apply_patch` with
+  `check_only=True` before applying for real. The finding must come from a
+  cached scan (`scan_all`/`save_baseline`).
+
+### Incremental Scanning
+When reviewing a pull request or recent changes, use `git_diff_only=True` to only scan modified files.
+
+### Pagination
+For large codebases, use `min_severity="HIGH"` to focus on critical issues first,
+or use `limit` and `offset` for pagination.
+
+## Best Practices
+- Always explain findings in plain language, not just technical jargon
+- Provide concrete code fix suggestions alongside each finding
+- Group related findings together when presenting results
+- Use `min_severity="MEDIUM"` as a sensible default for most scans
+- When a scan returns many results, summarize the top issues before showing details
+- Use `scan_all` for the most comprehensive security assessment
+- **New for v0.4.0**: Use `compare_baseline` to highlight newly introduced vulnerabilities instead of overwhelming the user with legacy issues.

sast_mcp_server-0.6.0/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Abdellah
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.