codebadger-toolkit
Verified Safe by Lekssays
Overview
A containerized Model Context Protocol (MCP) server providing static code analysis using Joern's Code Property Graph (CPG) technology.
Installation
python main.py &
Environment Variables
- MCP_HOST
- MCP_PORT
- MCP_LOG_LEVEL
- JOERN_BINARY_PATH
- JOERN_MEMORY_LIMIT
- JOERN_JAVA_OPTS
- CPG_GENERATION_TIMEOUT
- MAX_REPO_SIZE_MB
- QUERY_TIMEOUT
- QUERY_CACHE_ENABLED
- QUERY_CACHE_TTL
- WORKSPACE_ROOT
- CLEANUP_ON_SHUTDOWN
- JOERN_CONTAINER_NAME
Security Notes
The server itself does not use 'eval' or contain obvious malicious patterns. Input validation is applied to various parameters, including CPGQL queries, to prevent common injection attacks. However, the spawned Joern server instances run within a Docker container, and their ports (2000-2999) are mapped directly to the host's localhost interface by default (`docker-compose.yml`). These Joern instances currently lack explicit authentication (the `joern.server_auth_username/password` values from config are not passed to `JoernServerClient`), meaning any other process on the host machine could interact with them directly, bypassing the MCP server's tool interface and its input validation. While this is a local access risk rather than external network exposure, it is a notable design choice.
Similar Servers
mcp-watch
A comprehensive security scanner for Model Context Protocol (MCP) servers, detecting various vulnerabilities in their implementations.
ast-mcp-server
Provides an MCP (Model Context Protocol) server for code structure and semantic analysis using ASTs and ASGs, integrated with external AI clients like Claude Desktop.
treesitter-mcp
Provides a Model Context Protocol (MCP) server and CLI for static code analysis using Tree-sitter.
mcp-playground
A web-based developer tool for testing, inspecting, and debugging Model Context Protocol (MCP) servers, supporting OAuth integration, request logging, and interactive execution of tools, resources, and prompts.