Hackerone Graphql Mcp Server
What is Hackerone Graphql Mcp Server
HackerOne GraphQL MCP Server is a Docker image that provides access to the HackerOne GraphQL API using the Model Context Protocol (MCP). It facilitates communication between clients and the API in a standardized way, enabling easy integration and interaction with HackerOne’s services.
Use cases
This tool can be used by developers and security researchers who wish to interact with HackerOne’s GraphQL API. It is particularly beneficial for automating vulnerability management processes, integrating with CI/CD pipelines, or building custom tools that leverage HackerOne’s capabilities. Additionally, it supports the secure handling of authentication tokens.
How to use
To use the server, run the Docker image with specific environment variables for the API endpoint, token, and allowed mutations. The command requires piping input from an MCP-compatible client, as the server is not designed to be executed directly. Proper configuration of the environment variables ensures secure and efficient communication with the HackerOne API.
Key features
Key features include support for only the stdio transport type, multi-architecture compatibility (amd64 and arm64), and configuration options for API token management and mutation allowances. Users can define their preferences for mutation permissions, ranging from none to all mutations.
Where to use
This Docker image is suitable for use in local development environments, continuous integration systems, or any applications requiring access to HackerOne’s GraphQL API. It can be integrated with various MCP-compatible clients and tools across different platforms, enhancing its versatility in various development workflows.
HackerOne GraphQL MCP Server
A Docker image that provides access to HackerOne’s GraphQL API through the Model Context Protocol (MCP).
Supported MCP transport types: Currently only stdio transport is supported. Please file an issue if you require other transports.
Multi-Architecture Support: This image supports both Intel/AMD (amd64) and Apple Silicon (arm64) architectures.
Quick Start
- Run with an MCP client:
docker run -i --rm \
  -e ENDPOINT="https://hackerone.com/graphql" \
  -e TOKEN="<your_base64_encoded_token>" \
  -e ALLOW_MUTATIONS="none" \
  hackertwo/hackerone-graphql-mcp-server:latest
Docker Image Tags
- latest: Latest stable release (only updated on version releases)
- dev-main: Development builds from main branch
- 1.x.x: Specific version releases
- pr-<ref>: Pull request builds
Environment Variables
- ENDPOINT: GraphQL endpoint URL (default: https://hackerone.com/graphql)
- TOKEN: Base64 encoded API token in format: base64(username:api_key)
- ALLOW_MUTATIONS: Controls which mutations are allowed (default: none)
  - none: No mutations allowed
  - explicit: Only explicitly defined mutations allowed
  - all: All mutations allowed
Generating an API Token
- Visit https://hackerone.com/settings/api_token/edit to generate an API key
- Encode as:
echo -n "username:api_key" | base64
- Use the resulting string as your TOKEN value
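A pre-flight wrapper for the variables documented above, as an added example that is not part of the project. It rejects a TOKEN that is not base64(username:api_key) (including one encoded with a trailing newline because -n was omitted), a non-HTTPS ENDPOINT and an unknown ALLOW_MUTATIONS value, then passes the variables by name so the token stays out of the docker command line. The function names and the --run argument are assumptions of this sketch.

```shell
#!/bin/sh
# Added example; function names and the --run argument are hypothetical.

# TOKEN must be canonical base64 of "username:api_key", both parts non-empty.
check_token() (
  decoded=$(printf '%s' "$1" | base64 -d 2>/dev/null) || exit 1
  case "$decoded" in ?*:?*) ;; *) exit 1 ;; esac
  # $(...) drops trailing newlines, so a token made with `echo` (no -n)
  # will not re-encode to the same string and is rejected here.
  [ "$(printf '%s' "$decoded" | base64 | tr -d '\n')" = "$1" ]
)

# Only the three values listed in the README are accepted.
check_mutations() {
  case "$1" in none|explicit|all) return 0 ;; *) return 1 ;; esac
}

# The token is sent to ENDPOINT, so refuse anything that is not https.
check_endpoint() {
  case "$1" in https://?*) return 0 ;; *) return 1 ;; esac
}

run_server() {
  ENDPOINT=${ENDPOINT:-https://hackerone.com/graphql}
  ALLOW_MUTATIONS=${ALLOW_MUTATIONS:-none}
  check_endpoint "$ENDPOINT" || { echo "ENDPOINT must be an https URL" >&2; return 2; }
  check_token "${TOKEN:-}" || { echo "TOKEN is not base64(username:api_key)" >&2; return 2; }
  check_mutations "$ALLOW_MUTATIONS" || { echo "ALLOW_MUTATIONS must be none, explicit or all" >&2; return 2; }
  export ENDPOINT TOKEN ALLOW_MUTATIONS
  # `-e NAME` without a value copies NAME from this environment, so the
  # token never appears in the docker argument list.
  exec docker run -i --rm -e ENDPOINT -e TOKEN -e ALLOW_MUTATIONS \
    hackertwo/hackerone-graphql-mcp-server:latest
}

if [ "${1:-}" = "--run" ]; then run_server; fi
```

Saved as a script, it can stand in for the docker command in an MCP client's configuration, with TOKEN supplied through the client's environment rather than written into the argument list.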
Example config in editor (Zed)
{
  "context_servers": {
    "hackerone-graphql-mcp-server": {
      "command": {
        "path": "/usr/local/bin/docker",
        "args": [
          "run",
          "-i",
          "--rm",
          "-e",
          "ENDPOINT=https://hackerone.com/graphql",
          "-e",
          "TOKEN=<your_base64_encoded_token>",
          "-e",
          "ALLOW_MUTATIONS=none",
          "hackertwo/hackerone-graphql-mcp-server:latest"
        ]
      },
      "settings": {}
    }
  }
}
Notes
- The Docker container is designed to be piped into an MCP-compatible client
- Running the container directly will result in an error as it expects an MCP client connection
- The -i flag is required to maintain standard input for the stdio transport
- The schema.graphql in this repository may become outdated over time; you can download the latest one from HackerOne at https://hackerone.com/schema.graphql
Development
Creating a Release
To create a new release:
- Create a new release in GitHub.
- GitHub Actions will automatically:
  - Build multi-architecture images (amd64, arm64)
  - Push to Docker Hub with appropriate tags
  - Update the latest tag
Manual Build (Local Development)
For local development and testing:
# Setup buildx
docker buildx create --name multiarch --driver docker-container --use
docker buildx inspect --bootstrap
# Build and push the image
bin/build
# Clean up
docker buildx rm multiarch
Updating the GraphQL schema
curl https://hackerone.com/schema.graphql -o graphql/schema.graphql