Contrast MCP Server
Bridges Contrast data to an AI agent to remediate vulnerabilities, update insecure libraries, and review security coverage.
Configuration
    {
      "mcpServers": {
        "contrast-security-oss-mcp-contrast": {
          "command": "docker",
          "args": [
            "run",
            "-e",
            "CONTRAST_HOST_NAME",
            "-e",
            "CONTRAST_API_KEY",
            "-e",
            "CONTRAST_SERVICE_KEY",
            "-e",
            "CONTRAST_USERNAME",
            "-e",
            "CONTRAST_ORG_ID",
            "-i",
            "--rm",
            "contrast/mcp-contrast:latest",
            "-t",
            "stdio"
          ],
          "env": {
            "CONTRAST_ORG_ID": "example",
            "CONTRAST_API_KEY": "example",
            "CONTRAST_USERNAME": "[email protected]",
            "CONTRAST_HOST_NAME": "example.contrastsecurity.com",
            "CONTRAST_SERVICE_KEY": "example"
          }
        }
      }
    }

You connect Contrast Security to an AI coding assistant through the Contrast MCP Server to automatically remediate vulnerabilities, update insecure libraries, and analyze security coverage using natural language prompts. This enables proactive security actions driven by your prompts and Contrast data.
You interact with an MCP client to issue security-focused prompts. The server translates your prompts into actions that remediate vulnerabilities, update third‑party libraries, and retrieve security metadata such as route coverage, ADR/Protect findings, and related details. To get started, run the MCP server in a compatible environment and point your MCP client at it using the configured connection method. If you ever need to inspect or adjust behavior, review the available prompts and their corresponding actions to ensure you’re requesting the precise remediation or analysis you want.
Prerequisites you need before starting: Docker (recommended) or Java 17+ if you deploy a JAR directly. You also need Contrast API credentials to connect to your Contrast instance.
Step 1: Choose your deployment method. The MCP server is designed to run as a local (stdio) service via Docker in this setup.
Step 2: Prepare the MCP config. The official IntelliJ JSON configuration demonstrates how to run the MCP server via Docker with the required environment variables. Use the exact command and environment values shown in the example to ensure proper startup.
Step 3: Run the server. Use the prepared Docker run command to start the MCP server in stdio mode, providing all required credentials as environment variables.
The environment variables that connect the server to Contrast are listed below; set them in your start command or in the MCP client configuration file. The example configuration uses these:
- CONTRAST_HOST_NAME: Your Contrast host domain (e.g., example.contrastsecurity.com)
- CONTRAST_API_KEY: Your Contrast API key
- CONTRAST_SERVICE_KEY: Your Contrast service key
- CONTRAST_USERNAME: Your Contrast user email
- CONTRAST_ORG_ID: Your Contrast organization ID
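Each `-e NAME` given to `docker run` without a value is copied from the launching client's env block, so a variable that is passed but not set, or left at a placeholder, yields a server that cannot authenticate to Contrast. The checker below is an added example, not code from the Contrast project; it assumes the mcpServers/command/args/env layout shown above and uses a constructed user e-mail.

```python
import json

# Constructed copy of the client configuration above (constructed e-mail);
# the mcpServers -> name -> command/args/env layout is an assumption.
CONFIG_JSON = """
{"mcpServers": {"contrast-security-oss-mcp-contrast": {
  "command": "docker",
  "args": ["run",
    "-e", "CONTRAST_HOST_NAME", "-e", "CONTRAST_API_KEY",
    "-e", "CONTRAST_SERVICE_KEY", "-e", "CONTRAST_USERNAME",
    "-e", "CONTRAST_ORG_ID", "-i", "--rm",
    "contrast/mcp-contrast:latest", "-t", "stdio"],
  "env": {"CONTRAST_ORG_ID": "example", "CONTRAST_API_KEY": "example",
    "CONTRAST_USERNAME": "user@example.com",
    "CONTRAST_HOST_NAME": "example.contrastsecurity.com",
    "CONTRAST_SERVICE_KEY": "example"}}}}
"""

REQUIRED = {"CONTRAST_HOST_NAME", "CONTRAST_API_KEY", "CONTRAST_SERVICE_KEY",
            "CONTRAST_USERNAME", "CONTRAST_ORG_ID"}
PLACEHOLDERS = {"", "example"}

def passthrough_vars(args):
    """Names given to 'docker run -e NAME' with no '=value': Docker copies
    these from the launching process environment, i.e. the env block."""
    return [args[i + 1] for i, a in enumerate(args[:-1])
            if a == "-e" and "=" not in args[i + 1]]

def check_server(server):
    """Return the problems found in one server entry ([] means consistent)."""
    problems = []
    args, env = server.get("args", []), server.get("env", {})
    passed = set(passthrough_vars(args))
    for name in sorted(REQUIRED - passed):
        problems.append(f"{name} is required but never passed with -e")
    for name in sorted(passed - env.keys()):
        problems.append(f"{name} is passed with -e but absent from env")
    for name, value in sorted(env.items()):
        if name in REQUIRED and value in PLACEHOLDERS:
            problems.append(f"{name} still holds a placeholder value")
    # stdio transport needs stdin kept open (-i) and the image's '-t stdio'
    pairs = list(zip(args, args[1:]))
    if "-i" not in args or ("-t", "stdio") not in pairs:
        problems.append("container is not launched for stdio transport")
    return problems

def check_config(text):
    cfg = json.loads(text)
    return {name: check_server(s) for name, s in cfg["mcpServers"].items()}
```

Run it against the real client file before the first launch; on the example above it reports the three credentials still set to "example".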
If you encounter SSL certificate trust issues when connecting to the Teamserver URL, add the certificate to the Java truststore and include truststore settings in your startup arguments.
If you need verbose logs for debugging, enable debug logging by adding --logging.level.root=DEBUG to your startup arguments.
Using the Contrast MCP Server transfers your Contrast data to your AI agent or LLM. Ensure your data privacy policy covers this and verify that your AI service contracts prohibit unintended data training and ensure data isolation as required.
- Remediate vulnerabilities directly from Contrast Assess data by issuing prompts that request fixes and patch guidance.
- Identify and update insecure third-party libraries using Contrast SCA insights and prompts that specify the desired version or patch level.
- Review route coverage, Protect/ADR findings, and other security metadata on demand to verify protection coverage and risk posture.