Contrast-Security-OSS/mcp-contrast

Contrast MCP Server

Contrast's MCP server lets developers and security professionals quickly remediate vulnerabilities found by Contrast products. By combining an LLM and coding agent of your choice with Contrast's vulnerability data, you can remediate vulnerabilities in your own code or in third-party libraries.

Sample Prompts

For the Developer

Remediate Vulnerability in code

  1. Please list vulnerabilities for Application Y
  2. Give me details about vulnerability X on Application Y
  3. Review the vulnerability X and fix it.

3rd Party Library Remediation

  • Which libraries in Application X have High or Critical vulnerabilities and are also being actively used?
  • Update library X, which has a Critical vulnerability, to the safe version.
  • Which libraries in Application X are not being used?

For the Security Professional

  • Please give me a breakdown of applications and servers vulnerable to CVE-xxxx-xxxx
  • Please list the libraries for application named xxx and tell me what version of commons-collections is being used
  • Which Vulnerabilities in application X are being blocked by a Protect / ADR Rule?

Data Privacy

The Contrast MCP Server is a bridge between your Contrast data and the AI agent/LLM of your choice. Using it sends your Contrast data to that agent/LLM, so it is your responsibility to ensure that the agent/LLM you use complies with your data privacy policy. Depending on the questions you ask, the following information may be sent to your AI agent/LLM:

  • Application Details
  • Application Rule configuration
  • Vulnerability Details
  • Route Coverage data
  • ADR/Protect Attack Event Details

Build

Requires Java 17+

mvn clean install

Run

To add the MCP server to your local AI client, open its MCP configuration file (config.json) and add the following:

"mcpServers": {
  "contrast-mcp": {
    "command": "/usr/bin/java",
    "args": [
      "-jar",
      "/Users/name/workspace/mcp-contrast/mcp-contrast/target/mcp-contrast-0.0.1-SNAPSHOT.jar",
      "--CONTRAST_HOST_NAME=example.contrastsecurity.com",
      "--CONTRAST_API_KEY=xxx",
      "--CONTRAST_SERVICE_KEY=xxx",
      "--CONTRAST_USERNAME=xxx.xxx@contrastsecurity.com",
      "--CONTRAST_ORG_ID=xxx"
    ]
  }
}

Replace the placeholder values with your Contrast API credentials (host name, API key, service key, user name and organization ID). Note that values passed on the command line are visible to other local users in process listings (ps); where your client supports it, prefer supplying the credentials as environment variables, as the Docker examples below do.

Docker

Build Docker Image

docker build -t mcp-contrast .

Run with Docker

docker run \
  -e CONTRAST_HOST_NAME=example.contrastsecurity.com \
  -e CONTRAST_API_KEY=example \
  -e CONTRAST_SERVICE_KEY=example \
  -e CONTRAST_USERNAME=example@example.com \
  -e CONTRAST_ORG_ID=example \
  -i --rm mcp-contrast \
  -t stdio

The image name must match the tag used in the build step above (mcp-contrast). The published image referenced later in this README is contrast/mcp-contrast:latest.
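Before wiring the server into an IDE (the sections below only tell you to look for the tools in a drop-down), it is worth confirming from a shell that it starts and answers. The script below drives the same handshake a client performs: initialize, the initialized notification, then tools/list. It is an added example, not code from the mcp-contrast project; it assumes the server implements the MCP stdio transport (newline-delimited JSON-RPC 2.0 on stdin/stdout, logs on stderr) and reads the CONTRAST_* environment variables shown above. The server output embedded in it is constructed for offline testing and its tool names are placeholders, not the project's tool names.

```python
"""Smoke-test an MCP server over stdio: initialize handshake, then tools/list.
Added example for this README, not mcp-contrast project code. Assumes the MCP stdio
transport (newline-delimited JSON-RPC 2.0 on stdin/stdout, logs on stderr) and that
the server reads its credentials from the CONTRAST_* environment variables."""
import json
import os
import subprocess

PROTOCOL_VERSION = "2024-11-05"  # MCP protocol revision this client announces
CRED_VARS = ("CONTRAST_HOST_NAME", "CONTRAST_API_KEY", "CONTRAST_SERVICE_KEY",
             "CONTRAST_USERNAME", "CONTRAST_ORG_ID")
INIT_PARAMS = {"protocolVersion": PROTOCOL_VERSION, "capabilities": {},
               "clientInfo": {"name": "mcp-smoke-test", "version": "0.1"}}

# Constructed sample of server stdout during the handshake, including a leaked log
# line and a notification that a client must tolerate. Tool names are placeholders.
SAMPLE_SERVER_OUTPUT = [
    b'{"jsonrpc":"2.0","id":1,"result":{"protocolVersion":"2024-11-05",'
    b'"capabilities":{"tools":{}},"serverInfo":{"name":"sample","version":"0"}}}\n',
    b"INFO  Started application in 1.2 seconds\n",
    b'{"jsonrpc":"2.0","method":"notifications/message","params":{"data":"ready"}}\n',
    b'{"jsonrpc":"2.0","id":2,"result":{"tools":[{"name":"tool_b"},{"name":"tool_a"}]}}\n',
]

def request(method: str, request_id=None, params=None) -> dict:
    """Build a JSON-RPC 2.0 message; a notification has no id and gets no reply."""
    msg = {"jsonrpc": "2.0", "method": method, "params": params or {}}
    if request_id is not None:
        msg["id"] = request_id
    return msg

def encode(message: dict) -> bytes:
    """One message per line; the stdio transport forbids embedded newlines."""
    return (json.dumps(message, separators=(",", ":")) + "\n").encode("utf-8")

def parse_responses(lines) -> dict:
    """Map reply id -> message, skipping notifications and non-JSON noise on stdout."""
    responses = {}
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            msg = json.loads(raw)
        except ValueError:
            continue  # a log line that leaked onto stdout instead of stderr
        if isinstance(msg, dict) and "id" in msg and ("result" in msg or "error" in msg):
            responses[msg["id"]] = msg
    return responses

def tool_names(reply: dict) -> list:
    """Sorted tool names from a tools/list reply; raise on a JSON-RPC error."""
    if "error" in reply:
        raise RuntimeError("tools/list failed: %s" % reply["error"])
    return sorted(tool["name"] for tool in reply["result"].get("tools", []))

def missing_credentials(env) -> list:
    """CONTRAST_* variables that are unset or still hold a README placeholder."""
    return [name for name in CRED_VARS if env.get(name, "") in ("", "example", "xxx")]

def await_reply(proc, request_id: int) -> dict:
    """Read stdout line by line until the reply with the given id arrives."""
    while True:
        line = proc.stdout.readline()
        if not line:
            raise RuntimeError("server exited before replying to id %d" % request_id)
        found = parse_responses([line])
        if request_id in found:
            return found[request_id]

def smoke_test(command, env) -> list:
    """Spawn the server, run initialize -> initialized -> tools/list, return tool names."""
    proc = subprocess.Popen(command, stdin=subprocess.PIPE, stdout=subprocess.PIPE,
                            stderr=subprocess.DEVNULL, env=env)
    try:
        proc.stdin.write(encode(request("initialize", 1, INIT_PARAMS)))
        proc.stdin.flush()
        init = await_reply(proc, 1)  # send nothing else until initialize is answered
        if "error" in init:
            raise RuntimeError("initialize failed: %s" % init["error"])
        proc.stdin.write(encode(request("notifications/initialized")) +
                         encode(request("tools/list", 2)))
        proc.stdin.flush()
        return tool_names(await_reply(proc, 2))
    finally:
        proc.stdin.close()  # EOF on stdin tells a stdio server to shut down
        try:
            proc.wait(timeout=10)
        except subprocess.TimeoutExpired:
            proc.kill()

if __name__ == "__main__":
    # Credentials reach the child through its environment only ("-e NAME" makes docker
    # copy them from ours), never on the command line where ps would show them.
    missing = missing_credentials(os.environ)
    if missing:
        raise SystemExit("set these environment variables first: " + ", ".join(missing))
    cmd = ["docker", "run", "-i", "--rm"]
    for name in CRED_VARS:
        cmd += ["-e", name]
    cmd += ["contrast/mcp-contrast:latest", "-t", "stdio"]
    print("\n".join(smoke_test(cmd, dict(os.environ))))
```

Run it with the CONTRAST_* variables exported in your shell. It refuses to start while any of them is unset or still a placeholder, passes them to docker with -e NAME so they never appear in the argument list, waits for the initialize reply before sending anything else (as the protocol requires), and prints one tool name per line. A non-JSON line on stdout is skipped rather than fatal, which is also a useful signal that the server is logging to the wrong stream.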

Using Copilot + Petclinic

Download the Vulnerable Pet Clinic: git clone https://github.com/Contrast-Security-OSS/vulnerable-spring-petclinic.git and open the project in VS Code. Edit the contrast_security.yaml file and configure it with your Contrast agent credentials (these are agent credentials, not the API credentials the MCP server uses):

api:
  url: https://xxx/Contrast
  api_key: xxx
  service_key: xxx
  user_name: xxx
# All other contrast config is done in the docker-compose file. Do not check this file in to git!

Then build and run with Docker Compose: docker compose up --build. This builds and runs the services that make up Petclinic. To generate vulnerabilities and attack events, run ./testscript.sh and select option 25; this exercises the app and performs attacks that populate the vulnerabilities and attack events in Contrast.

Install via Link

Open the "Install in VS Code Docker" link on the repository page, allow the extension to be installed in your VS Code instance, and select Install Server.

This installs the MCP server. You then need to configure the server with your Contrast API credentials.

Manual Install of MCP Server

In VS Code, go to Settings and search for "mcp". Edit settings.json, or select Modify in workspace if you want to enable this MCP server only for the current workspace, and add the following to the settings.json file:

"mcp": {
  "inputs": [],
  "servers": {
    "contrastmcp": {
      "command": "docker",
      "args": [
        "run",
        "-e",
        "CONTRAST_HOST_NAME",
        "-e",
        "CONTRAST_API_KEY",
        "-e",
        "CONTRAST_SERVICE_KEY",
        "-e",
        "CONTRAST_USERNAME",
        "-e",
        "CONTRAST_ORG_ID",
        "-i",
        "--rm",
        "contrast/mcp-contrast:latest",
        "-t",
        "stdio"
      ],
      "env": {
        "CONTRAST_HOST_NAME": "example.contrastsecurity.com",
        "CONTRAST_API_KEY": "example",
        "CONTRAST_SERVICE_KEY": "example",
        "CONTRAST_USERNAME": "example@example.com",
        "CONTRAST_ORG_ID": "example"
      }
    }
  }
}

Please note that the credentials here are the Contrast API credentials, not agent credentials. Storing them in settings.json leaves secrets in a plain-text file that is easily synced or checked in; VS Code can instead prompt for them when the server starts: declare each secret in the inputs array, for example {"type": "promptString", "id": "contrast-api-key", "description": "Contrast API key", "password": true}, and reference it from env as "${input:contrast-api-key}". VS Code also shows a small Start button above the server entry in the JSON file; click it to start the MCP server.

Once the server is running you should see the Contrast MCP tools in the Tools drop-down and be ready to perform queries.

Using Cline Plugin

With the Cline plugin installed, select the MCP button in the top right corner of the screen, then select Configure MCP Servers. This opens the JSON configuration for MCP. Add the following to it:

{
  "mcpServers": {
    "contrastmcp": {
      "command": "docker",
      "args": [
        "run",
        "-e",
        "CONTRAST_HOST_NAME",
        "-e",
        "CONTRAST_API_KEY",
        "-e",
        "CONTRAST_SERVICE_KEY",
        "-e",
        "CONTRAST_USERNAME",
        "-e",
        "CONTRAST_ORG_ID",
        "-i",
        "--rm",
        "contrast/mcp-contrast:latest",
        "-t",
        "stdio"
      ],
      "env": {
        "CONTRAST_HOST_NAME": "example.contrastsecurity.com",
        "CONTRAST_API_KEY": "example",
        "CONTRAST_SERVICE_KEY": "example",
        "CONTRAST_USERNAME": "example@example.com",
        "CONTRAST_ORG_ID": "example"
      },
      "disabled": false,
      "autoApprove": []
    }
  }
}

Once done, the Contrast MCP server should appear in the list of MCP servers; expand it to see the list of available tools.

Using oterm

oterm is a terminal wrapper for ollama. One of its features is the ability to attach MCP servers to specific LLM models: https://ggozad.github.io/oterm/


Proxy Configuration

Java Process

If you need to configure a proxy for your Java process when using the standalone JAR, you can set the Java system properties for HTTP and HTTPS proxies:

java \
  -Dhttp.proxyHost=proxy.example.com -Dhttp.proxyPort=8080 \
  -Dhttps.proxyHost=proxy.example.com -Dhttps.proxyPort=8080 \
  -jar /path/to/mcp-contrast-0.0.1-SNAPSHOT.jar \
  --CONTRAST_HOST_NAME=example.contrastsecurity.com \
  --CONTRAST_API_KEY=example \
  --CONTRAST_SERVICE_KEY=example \
  --CONTRAST_USERNAME=example@example.com \
  --CONTRAST_ORG_ID=example

If your proxy requires authentication, you can also set the proxy user and password properties. Like the Contrast credentials, these are visible in process listings when passed on the command line:

java \
  -Dhttp.proxyHost=proxy.example.com -Dhttp.proxyPort=8080 \
  -Dhttps.proxyHost=proxy.example.com -Dhttps.proxyPort=8080 \
  -Dhttp.proxyUser=username -Dhttp.proxyPassword=password \
  -Dhttps.proxyUser=username -Dhttps.proxyPassword=password \
  -jar /path/to/mcp-contrast-0.0.1-SNAPSHOT.jar \
  --CONTRAST_HOST_NAME=example.contrastsecurity.com \
  --CONTRAST_API_KEY=example \
  --CONTRAST_SERVICE_KEY=example \
  --CONTRAST_USERNAME=example@example.com \
  --CONTRAST_ORG_ID=example

When configuring in your config.json file, include the proxy settings in the args array, before -jar so they are read as JVM system properties:

"mcpServers": {
  "contrast-mcp": {
    "command": "/usr/bin/java",
    "args": [
      "-Dhttp.proxyHost=proxy.example.com",
      "-Dhttp.proxyPort=8080",
      "-Dhttps.proxyHost=proxy.example.com",
      "-Dhttps.proxyPort=8080",
      "-jar",
      "/Users/name/workspace/mcp-contrast/mcp-contrast/target/mcp-contrast-0.0.1-SNAPSHOT.jar",
      "--CONTRAST_HOST_NAME=example.contrastsecurity.com",
      "--CONTRAST_API_KEY=example",
      "--CONTRAST_SERVICE_KEY=example",
      "--CONTRAST_USERNAME=example@example.com",
      "--CONTRAST_ORG_ID=example"
    ]
  }
}

Docker

When running the MCP server in Docker, you can configure the proxy by passing the relevant environment variables:

docker run \
  -e HTTP_PROXY="http://proxy.example.com:8080" \
  -e HTTPS_PROXY="http://proxy.example.com:8080" \
  -e CONTRAST_HOST_NAME=example.contrastsecurity.com \
  -e CONTRAST_API_KEY=example \
  -e CONTRAST_SERVICE_KEY=example \
  -e CONTRAST_USERNAME=example@example.com \
  -e CONTRAST_ORG_ID=example \
  -i --rm \
  contrast/mcp-contrast:latest \
  -t stdio

For VS Code configuration with Docker and a proxy, modify settings.json as follows. The proxy variables are passed with -e NAME like the credentials, so their values are taken from the env block:

"mcp": {
  "inputs": [],
  "servers": {
    "contrast-mcp": {
      "command": "docker",
      "args": [
        "run",
        "-e",
        "CONTRAST_HOST_NAME",
        "-e",
        "CONTRAST_API_KEY",
        "-e",
        "CONTRAST_SERVICE_KEY",
        "-e",
        "CONTRAST_USERNAME",
        "-e",
        "CONTRAST_ORG_ID",
        "-e",
        "HTTP_PROXY",
        "-e",
        "HTTPS_PROXY",
        "-i",
        "--rm",
        "contrast/mcp-contrast:latest",
        "-t",
        "stdio"
      ],
      "env": {
        "CONTRAST_HOST_NAME": "example.contrastsecurity.com",
        "CONTRAST_API_KEY": "example",
        "CONTRAST_SERVICE_KEY": "example",
        "CONTRAST_USERNAME": "example@example.com",
        "CONTRAST_ORG_ID": "example",
        "HTTP_PROXY": "http://proxy.example.com:8080",
        "HTTPS_PROXY": "http://proxy.example.com:8080"
      }
    }
  }
}
