Back to /mcp
Beta · docs are evolving

MCP Server quick start.

Connect any MCP-compatible AI tool to vul.ninja in about 30 seconds. This page covers the install config and the three tools your agent can call. Deeper reference docs land alongside GA — for now, this is the canonical setup.

Step 1

Get an API key.

Sign up on /get-started. The key is shown once after signup; treat it like any other bearer token. Keys scope to your account and inherit the same read-only cloud connections you've already set up.

Step 2

Add the server to your MCP client.

Drop this into your client's MCP config (Claude Code: claude_desktop_config.json; Cursor: the MCP settings panel; Windsurf: the MCP servers tab). Replace YOUR_API_KEY with the value from step 1.

claude_desktop_config.json
{
  "mcpServers": {
    "vulninja": {
      "type": "http",
      "url": "https://mcp.vul.ninja",
      "headers": {
        "Authorization": "Bearer YOUR_API_KEY"
      }
    }
  }
}

The server speaks HTTP, not stdio — so you can also call it from any MCP-compatible client we haven't named here.

Step 3

The tools.

Your agent discovers these automatically once the server is connected. No prompting required — Claude Code and Cursor both call them on the right triggers (e.g. assess_iac_change fires before an apply).

Available now

assess_iac_change

Run a security review on a Terraform plan, CloudFormation template, or Kubernetes manifest before the agent applies it.

input (example)
{
  "format": "terraform",
  "plan": "<terraform plan output>"
}
output (example)
{
  "verdict": "blocked",
  "findings": [
    {
      "rule": "public_acl_on_sensitive_bucket",
      "severity": "critical",
      "resource": "aws_s3_bucket.prod_data_store",
      "fix_hint": "Remove ACL; enforce bucket policy + Block Public Access."
    }
  ]
}
evaluate_iam_policy

Risk-score an IAM policy or role document. Catches wildcards, privilege-escalation paths, and missing condition keys.

input (example)
{
  "policy_document": { "Version": "2012-10-17", "Statement": [...] }
}
output (example)
{
  "risk": "high",
  "findings": [
    {
      "rule": "overprivileged_deploy_role",
      "issue": "iam:* on Resource:*",
      "suggested_scope": "s3:PutObject on arn:aws:s3:::deploys/*"
    }
  ]
}
get_remediation

Return a contextual fix for a finding. Common findings get template-based fixes (no LLM call); novel findings get an AI-generated diff.

input (example)
{
  "finding_id": "public_acl_on_sensitive_bucket",
  "resource_snippet": "<offending HCL block>"
}
output (example)
{
  "fix_kind": "template",
  "diff": "<unified diff>",
  "notes": "Removes ACL and adds Block Public Access."
}
check_secret_exposureMulti-cloud

Scans the proposed change for hardcoded secrets, exposed env vars, and credential leakage before they ship. Returns the offending location and a fix-pattern reference. Pairs naturally with get_remediation.

Coming soon · Azure expansion

AWS shipped first because that's where the customer set lives today. Azure parity is the next milestone — these four tools are in development now.

evaluate_rbac_assignmentAzure

Azure RBAC analog of evaluate_iam_policy — flags overprivileged role assignments before commit.

assess_arm_templateAzure

Bicep / ARM template review — same contract as assess_iac_change, narrowed to Azure-native deployment files.

audit_key_vaultAzure

Checks Key Vault access policies, network restrictions, and rotation hygiene against vul.ninja's rule set.

evaluate_nsgAzure

Azure Network Security Group review — risky ingress, exposed admin ports, missing tier separation.

What we store and what we don't.

IaC files are never stored. Findings (rule, severity, location) are stored so you can review them in your dashboard.

When you call get_remediation and we generate a contextual diff, the offending snippet is sent to Anthropic's API — Anthropic doesn't train on API content, and the snippet isn't stored in vul.ninja's database afterward.

Template-based remediation (the most common path) doesn't send anything anywhere — the fix is returned from a hand-curated template.

Read the full positioning →

What's next.

We're shipping deeper reference docs (full schema, error codes, rate limits) alongside GA. If you hit something that's not covered here, email support@vul.ninja — bug reports during the beta jump the queue.

Get an API keyBack to /mcp