What is Defectdojo Mcp

defectdojo-mcp is an experimental ModelContextProtocol server that connects large language models (LLMs) to DefectDojo, facilitating AI-powered security workflows. It allows for natural language interaction with vulnerability data, streamlining security analysis and automating reporting through lightweight middleware integration.

Use cases

Use cases for defectdojo-mcp include automating vulnerability reporting, facilitating natural language queries for security data, and integrating AI capabilities into existing DefectDojo workflows to improve response times and accuracy in security assessments.

How to use

To use defectdojo-mcp, you can run the server using ‘uvx’ or ‘pip’. Install it via pip with ‘pip install defectdojo-mcp’, and then run the server using ‘defectdojo-mcp’. Ensure to set the required environment variables for connecting to your DefectDojo instance.

Key features

Key features of defectdojo-mcp include managing findings (fetching, searching, creating, updating status, and adding notes), listing available products, and managing engagements (listing, retrieving details, creating, updating, and closing engagements).

Where to use

defectdojo-mcp is primarily used in the field of cybersecurity, particularly in vulnerability management and security analysis workflows, where AI can enhance the efficiency and effectiveness of data handling.

DefectDojo MCP Server

This project provides a Model Context Protocol (MCP) server implementation for DefectDojo, a popular open-source vulnerability management tool. It allows AI agents and other MCP clients to interact with the DefectDojo API programmatically.

Features

This MCP server exposes tools for managing key DefectDojo entities:

• Findings: Fetch, search, create, update status, and add notes.
• Products: List available products.
• Engagements: List, retrieve details, create, update, and close engagements.

Installation & Running

There are a couple of ways to run this server:

Using uvx (Recommended)

uvx executes Python applications in temporary virtual environments, installing dependencies automatically.

uvx defectdojo-mcp

Using pip

You can install the package into your Python environment using pip.

# Install directly from the cloned source code directory
pip install .

# Or, if the package is published on PyPI
pip install defectdojo-mcp

Once installed via pip, run the server using:

defectdojo-mcp

Configuration

The server requires the following environment variables to connect to your DefectDojo instance:

• DEFECTDOJO_API_TOKEN (required): Your DefectDojo API token for authentication.
• DEFECTDOJO_API_BASE (required): The base URL of your DefectDojo instance (e.g., https://your-defectdojo-instance.com).

You can configure these in your MCP client’s settings file. Here’s an example using the uvx command:

{
  "mcpServers": {
    "defectdojo": {
      "command": "uvx",
      "args": [
        "defectdojo-mcp"
      ],
      "env": {
        "DEFECTDOJO_API_TOKEN": "YOUR_API_TOKEN_HERE",
        "DEFECTDOJO_API_BASE": "https://your-defectdojo-instance.com"
      }
    }
  }
}

If you installed the package using pip, the configuration would look like this:

{
  "mcpServers": {
    "defectdojo": {
      "command": "defectdojo-mcp",
      "args": [],
      "env": {
        "DEFECTDOJO_API_TOKEN": "YOUR_API_TOKEN_HERE",
        "DEFECTDOJO_API_BASE": "https://your-defectdojo-instance.com"
      }
    }
  }
}

Available Tools

The following tools are available via the MCP interface:

• get_findings: Retrieve findings with filtering (product_name, status, severity) and pagination (limit, offset).
• search_findings: Search findings using a text query, with filtering and pagination.
• update_finding_status: Change the status of a specific finding (e.g., Active, Verified, False Positive).
• add_finding_note: Add a textual note to a finding.
• create_finding: Create a new finding associated with a test.
• list_products: List products with filtering (name, prod_type) and pagination.
• list_engagements: List engagements with filtering (product_id, status, name) and pagination.
• get_engagement: Get details for a specific engagement by its ID.
• create_engagement: Create a new engagement for a product.
• update_engagement: Modify details of an existing engagement.
• close_engagement: Mark an engagement as completed.

(See the original README content below for detailed usage examples of each tool)

Usage Examples

(Note: These examples assume an MCP client environment capable of calling use_mcp_tool)

Get Findings

# Get active, high-severity findings (limit 10)
result = await use_mcp_tool("defectdojo", "get_findings", {
    "status": "Active",
    "severity": "High",
    "limit": 10
})

Search Findings

# Search for findings containing 'SQL Injection'
result = await use_mcp_tool("defectdojo", "search_findings", {
    "query": "SQL Injection"
})

Update Finding Status

# Mark finding 123 as Verified
result = await use_mcp_tool("defectdojo", "update_finding_status", {
    "finding_id": 123,
    "status": "Verified"
})

Add Note to Finding

result = await use_mcp_tool("defectdojo", "add_finding_note", {
    "finding_id": 123,
    "note": "Confirmed vulnerability on staging server."
})

Create Finding

result = await use_mcp_tool("defectdojo", "create_finding", {
    "title": "Reflected XSS in Search Results",
    "test_id": 55, # ID of the associated test
    "severity": "Medium",
    "description": "User input in search is not properly sanitized, leading to XSS.",
    "cwe": 79
})

List Products

# List products containing 'Web App' in their name
result = await use_mcp_tool("defectdojo", "list_products", {
    "name": "Web App",
    "limit": 10
})

List Engagements

# List 'In Progress' engagements for product ID 42
result = await use_mcp_tool("defectdojo", "list_engagements", {
    "product_id": 42,
    "status": "In Progress"
})

Get Engagement

result = await use_mcp_tool("defectdojo", "get_engagement", {
    "engagement_id": 101
})

Create Engagement

result = await use_mcp_tool("defectdojo", "create_engagement", {
    "product_id": 42,
    "name": "Q2 Security Scan",
    "target_start": "2025-04-01",
    "target_end": "2025-04-15",
    "status": "Not Started"
})

Update Engagement

result = await use_mcp_tool("defectdojo", "update_engagement", {
    "engagement_id": 101,
    "status": "In Progress",
    "description": "Scan initiated."
})

Close Engagement

result = await use_mcp_tool("defectdojo", "close_engagement", {
    "engagement_id": 101
})

Development

Setup

1. Clone the repository.
2. It’s recommended to use a virtual environment:

   python -m venv .venv
   source .venv/bin/activate # On Windows use `.venv\Scripts\activate`
   

3. Install dependencies, including development dependencies:

   pip install -e ".[dev]"
   

License

This project is licensed under the MIT License - see the LICENSE file for details.

Contributing

Contributions are welcome! Please feel free to open an issue for bugs, feature requests, or questions. If you’d like to contribute code, please open an issue first to discuss the proposed changes.