MCP.directory
Cycode Security Scanner

Cycode Security Scanner

Official
cycodehq

Performs comprehensive security scans on code repositories to detect vulnerabilities, secrets, misconfigurations, and other security issues using Cycode's platform.

Integrates with Cycode's security platform to perform automated SAST, SCA, IaC, and secrets scanning on local files, Git repositories, and commit ranges with detailed vulnerability reports and remediation guidance.

96348 views65Local (stdio)
auth securitydeveloper tools
GitHub

What it does

  • Scan repositories for hardcoded secrets
  • Detect infrastructure as code misconfigurations
  • Analyze software composition vulnerabilities
  • Run static application security testing
  • Scan specific commit ranges or branches
  • Generate detailed vulnerability reports with remediation guidance

Best for

DevOps teams implementing security scanning in CI/CDDevelopers wanting to catch security issues before commitsSecurity teams auditing codebases for vulnerabilities
Supports multiple scan types (SAST, SCA, IaC, secrets)Can scan local files, repositories, or commit ranges

About Cycode Security Scanner

Cycode Security Scanner is an official MCP server published by cycodehq that provides AI assistants with tools and capabilities via the Model Context Protocol. Use Cycode Security Scanner for automated SAST and site scanner virus checks on local files and repos, with detailed vul It is categorized under auth security, developer tools.

How to install

You can install Cycode Security Scanner in your AI client of choice. Use the install panel on this page to get one-click setup for Cursor, Claude Desktop, VS Code, and other MCP-compatible clients. This server runs locally on your machine via the stdio transport.

License

Cycode Security Scanner is released under the MIT license. This is a permissive open-source license, meaning you can freely use, modify, and distribute the software.

Cycode CLI User Guide

The Cycode Command Line Interface (CLI) is an application you can install locally to scan your repositories for secrets, infrastructure as code misconfigurations, software composition analysis vulnerabilities, and static application security testing issues.

This guide walks you through both installation and usage.

Table of Contents

  1. Prerequisites
  2. Installation
    1. Install Cycode CLI
      1. Using the Auth Command
      2. Using the Configure Command
      3. Add to Environment Variables
        1. On Unix/Linux
        2. On Windows
    2. Install Pre-Commit Hook
  3. Cycode CLI Commands
  4. MCP Command
    1. Starting the MCP Server
    2. Available Options
    3. MCP Tools
    4. Usage Examples
  5. Scan Command
    1. Running a Scan
      1. Options
        1. Severity Threshold
        2. Monitor
        3. Cycode Report
        4. Package Vulnerabilities
        5. License Compliance
        6. Lock Restore
      2. Repository Scan
        1. Branch Option
      3. Path Scan
        1. Terraform Plan Scan
      4. Commit History Scan
        1. Commit Range Option (Diff Scanning)
      5. Pre-Commit Scan
      6. Pre-Push Scan
    2. Scan Results
      1. Show/Hide Secrets
      2. Soft Fail
      3. Example Scan Results
        1. Secrets Result Example
        2. IaC Result Example
        3. SCA Result Example
        4. SAST Result Example
      4. Company Custom Remediation Guidelines
    3. Ignoring Scan Results
      1. Ignoring a Secret Value
      2. Ignoring a Secret SHA Value
      3. Ignoring a Path
      4. Ignoring a Secret, IaC, or SCA Rule
      5. Ignoring a Package
      6. Ignoring via a config file
  6. Report command
    1. Generating SBOM Report
  7. Import command
  8. Scan logs
  9. Syntax Help

Prerequisites

  • The Cycode CLI application requires Python version 3.9 or later. The MCP command is available only for Python 3.10 and above. If you're using an earlier Python version, this command will not be available.
  • Use the cycode auth command to authenticate to Cycode with the CLI
    • Alternatively, you can get a Cycode Client ID and Client Secret Key by following the steps detailed in the Service Account Token and Personal Access Token pages, which contain details on getting these values.

Installation

The following installation steps are applicable to both Windows and UNIX / Linux operating systems.

[!NOTE] The following steps assume the use of python3 and pip3 for Python-related commands; however, some systems may instead use the python and pip commands, depending on your Python environment’s configuration.

Install Cycode CLI

To install the Cycode CLI application on your local machine, perform the following steps:

  1. Open your command line or terminal application.

  2. Execute one of the following commands:

    • To install from PyPI:

      pip3 install cycode

    • To install from Homebrew:

      brew install cycode

    • To install from GitHub Releases navigate and download executable for your operating system and architecture, then run the following command:

    cd /path/to/downloaded/cycode-cli
chmod +x cycode
./cycode

  3. Finally authenticate the CLI. There are three methods to set the Cycode client ID and credentials (client secret or OIDC ID token):

Using the Auth Command

[!NOTE] This is the recommended method for setting up your local machine to authenticate with Cycode CLI.

  1. Type the following command into your terminal/command line window:

    cycode auth

  2. A browser window will appear, asking you to log into Cycode (as seen below):

    Cycode login

  3. Enter your login credentials on this page and log in.

  4. You will eventually be taken to the page below, where you'll be asked to choose the business group you want to authorize Cycode with (if applicable):

    authorize CLI

    [!NOTE] This will be the default method for authenticating with the Cycode CLI.

  5. Click the Allow button to authorize the Cycode CLI on the selected business group.

    allow CLI

  6. Once completed, you'll see the following screen if it was selected successfully:

    successfully auth

  7. In the terminal/command line screen, you will see the following when exiting the browser window:

    Successfully logged into cycode

Using the Configure Command

[!NOTE] If you already set up your Cycode Client ID and Client Secret through the Linux or Windows environment variables, those credentials will take precedent over this method.

  1. Type the following command into your terminal/command line window:

    cycode configure

  2. Enter your Cycode API URL value (you can leave blank to use default value).

    Cycode API URL [https://api.cycode.com]: https://api.onpremise.com

  3. Enter your Cycode APP URL value (you can leave blank to use default value).

    Cycode APP URL [https://app.cycode.com]: https://app.onpremise.com

  4. Enter your Cycode Client ID value.

    Cycode Client ID []: 7fe5346b-xxxx-xxxx-xxxx-55157625c72d

  5. Enter your Cycode Client Secret value (skip if you plan to use an OIDC ID token).

    Cycode Client Secret []: c1e24929-xxxx-xxxx-xxxx-8b08c1839a2e

  6. Enter your Cycode OIDC ID Token value (optional).

    Cycode ID Token []: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...

  7. If the values were entered successfully, you'll see the following message:

    Successfully configured CLI credentials!

    or/and

    Successfully configured Cycode URLs!

If you go into the .cycode folder under your user folder, you'll find these credentials were created and placed in the credentials.yaml file in that folder. The URLs were placed in the config.yaml file in that folder.

Add to Environment Variables

On Unix/Linux:

export CYCODE_CLIENT_ID={your Cycode ID}

and

export CYCODE_CLIENT_SECRET={your Cycode Secret Key}

If your organization uses OIDC authentication, you can provide the ID token instead (or in addition):

export CYCODE_ID_TOKEN={your Cycode OIDC ID token}

On Windows

  1. From the Control Panel, navigate to the System menu:

    system menu

  2. Next, click Advanced system settings:

    advanced system setting

  3. In the System Properties window that opens, click the Environment Variables button:

    environments variables button

  4. Create CYCODE_CLIENT_ID and CYCODE_CLIENT_SECRET variables with values matching your ID and Secret Key, respectively. If you authenticate via OIDC, add CYCODE_ID_TOKEN with your OIDC ID token value as well:

    environment variables window

  5. Insert the cycode.exe into the path to complete the installation.

Install Pre-Commit Hook

Cycode's pre-commit and pre-push hooks can be set up within your local repository so that the Cycode CLI application will identify any issues with your code automatically before you commit or push it to your codebase.

[!NOTE] pre-commit and pre-push hooks are not available for IaC scans.

Perform the following steps to install the pre-commit hook:

Installing Pre-Commit Hook

  1. Install the pre-commit framework (Python 3.9 or higher must be installed):

    pip3 install pre-commit

  2. Navigate to

README truncated. View full README on GitHub.

Alternatives

Chrome DevTools MCP

Chrome DevTools MCP

chromedevtools
28.1k

AI-driven control of live Chrome via Chrome DevTools: browser automation, debugging, performance analysis and network mo

OfficialPopular
3613
Chrome DevTools

Chrome DevTools

chromedevtools
28.1k

Use Chrome DevTools for web site test speed, debugging, and performance analysis. The essential chrome developer tools f

OfficialPopular
3.7k161
GitHub

GitHub

github
27.6k

Extend your developer tools with GitHub MCP Server for advanced automation, supporting GitHub Student and student packag

OfficialRemotePopular
4.2k212
Repomix

Repomix

yamadashy
22.3k

Optimize your codebase for AI with Repomix—transform, compress, and secure repos for easier analysis with modern AI tool

OfficialPopular
9277

Related Skills

Browse all skills
openai-knowledge

Use when working with the OpenAI API (Responses API) or OpenAI platform features (tools, streaming, Realtime API, auth, models, rate limits, MCP) and you need authoritative, up-to-date documentation (schemas, examples, limits, edge cases). Prefer the OpenAI Developer Documentation MCP server tools when available; otherwise guide the user to enable `openaiDeveloperDocs`.

0
onvifscan

ONVIF device security scanner for testing authentication and brute-forcing credentials. Use when you need to assess security of IP cameras or ONVIF-enabled devices.

0
static-analysis

Expertise in LLVM-based static analysis including dataflow analysis, pointer analysis, taint tracking, and program verification. Use this skill when implementing security scanners, bug finders, code quality tools, or performing program analysis research.

0
firebase-apk-scanner

Scans Android APKs for Firebase security misconfigurations including open databases, storage buckets, authentication issues, and exposed cloud functions. Use when analyzing APK files for Firebase vulnerabilities, performing mobile app security audits, or testing Firebase endpoint security. For authorized security research only.

0
azure-identity-rust

Azure Identity SDK for Rust authentication. Use for DeveloperToolsCredential, ManagedIdentityCredential, ClientSecretCredential, and token-based authentication. Triggers: "azure-identity", "DeveloperToolsCredential", "authentication rust", "managed identity rust", "credential rust".

0
ccxt-typescript

CCXT cryptocurrency exchange library for TypeScript and JavaScript developers (Node.js and browser). Covers both REST API (standard) and WebSocket API (real-time). Helps install CCXT, connect to exchanges, fetch market data, place orders, stream live tickers/orderbooks, handle authentication, and manage errors. Use when working with crypto exchanges in TypeScript/JavaScript projects, trading bots, arbitrage systems, or portfolio management tools. Includes both REST and WebSocket examples.

0