
DefectDojo MCP Server

An experimental Model Context Protocol (MCP) server connecting LLMs to DefectDojo for AI-assisted security workflows. It enables natural language interaction with vulnerability data, simplifies security analysis, and automates reporting through a lightweight middleware integration.

Installation
Add the following to your MCP client configuration file.

Configuration

{
  "mcpServers": {
    "jamiesonio-defectdojo-mcp": {
      "command": "uvx",
      "args": [
        "defectdojo-mcp"
      ],
      "env": {
        "DEFECTDOJO_API_BASE": "https://your-defectdojo-instance.com",
        "DEFECTDOJO_API_TOKEN": "YOUR_API_TOKEN_HERE"
      }
    }
  }
}

This MCP server lets you interact with DefectDojo programmatically through a standardized set of tools. You can fetch and manage findings, inspect products, and handle engagements from MCP-enabled clients, enabling automation and AI workflows.

How to use

You connect an MCP client to the DefectDojo MCP Server to perform common vulnerability management tasks. Use the client to list, search, create, and update findings; list and retrieve products; and manage engagements. Each operation exposes a clear tool you can call from your automation scripts or AI agents. Keep your DefectDojo API token secure and supply the base URL of your DefectDojo instance when configuring the MCP server in your client.

How to install

Before running the MCP server you need a Python runtime and a way to execute the server command. You can either run the package with the uvx runner, which creates a temporary virtual environment, or install it directly with pip.

# Option 1: Run with uvx (recommended)
uvx defectdojo-mcp

# Option 2: Install via pip from the source directory
pip install .

After a pip installation, run the server with:
defectdojo-mcp

Configuration and usage notes

Configure your MCP client with the required environment variables to connect to DefectDojo. You must provide your API token and the base URL of your DefectDojo instance.

{
  "mcpServers": {
    "defectdojo": {
      "command": "uvx",
      "args": ["defectdojo-mcp"],
      "env": {
        "DEFECTDOJO_API_TOKEN": "YOUR_API_TOKEN_HERE",
        "DEFECTDOJO_API_BASE": "https://your-defectdojo-instance.com"
      }
    }
  }
}

Security and maintenance

Protect your API token as a secret and rotate it regularly. Use HTTPS for your DefectDojo base URL and limit MCP access to trusted clients. Keep the MCP server up to date with security patches and monitor usage for unusual activity.

Troubleshooting tips

If the server fails to start, verify that Python is installed, the chosen runner (uvx or pip-installed entry point) is accessible in your environment, and that the environment variables are set correctly. Check that the DefectDojo instance is reachable at the provided base URL and that the API token has the necessary permissions.
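The advice in the two preceding sections (use HTTPS, keep the token out of logs, check the environment variables before debugging a failed start) can be turned into a preflight check that runs before the MCP server is launched. The script below is an added example and not code from the defectdojo-mcp project; it relies only on the two documented environment variable names and the placeholder token string from the sample configuration. The minimum token length is an assumed sanity threshold, not a value documented by DefectDojo.

```python
"""Preflight checks for a DefectDojo MCP client configuration.

Added example, not part of the defectdojo-mcp project. Reads the two
environment variables the server documents (DEFECTDOJO_API_BASE and
DEFECTDOJO_API_TOKEN) and reports configuration problems before the
MCP server is started, without ever printing the token itself.
"""
from __future__ import annotations

import os
import sys
from urllib.parse import urlsplit

# Placeholder value from the sample configuration; a real token must replace it.
PLACEHOLDER_TOKEN = "YOUR_API_TOKEN_HERE"
# Assumed sanity threshold (hypothetical): catches empty or truncated tokens.
MIN_TOKEN_LENGTH = 20


def validate_config(env: dict) -> list[str]:
    """Return human-readable problems found in env; an empty list means OK."""
    problems: list[str] = []
    base = env.get("DEFECTDOJO_API_BASE", "").strip()
    token = env.get("DEFECTDOJO_API_TOKEN", "").strip()

    if not base:
        problems.append("DEFECTDOJO_API_BASE is not set")
    else:
        parts = urlsplit(base)
        if parts.scheme != "https":
            # The token is sent with every API call; plain HTTP would expose it.
            problems.append(
                f"DEFECTDOJO_API_BASE must use https, got '{parts.scheme or 'none'}'"
            )
        if not parts.netloc:
            problems.append("DEFECTDOJO_API_BASE has no host")
        if parts.query or parts.fragment:
            problems.append("DEFECTDOJO_API_BASE should be a bare base URL, not a full URL")

    if not token:
        problems.append("DEFECTDOJO_API_TOKEN is not set")
    elif token == PLACEHOLDER_TOKEN:
        problems.append("DEFECTDOJO_API_TOKEN still holds the placeholder from the sample config")
    elif len(token) < MIN_TOKEN_LENGTH:
        problems.append("DEFECTDOJO_API_TOKEN looks too short to be a real token")

    return problems


def redact(token: str) -> str:
    """Mask all but the last four characters so the token never lands in logs."""
    if len(token) <= 4:
        return "****"
    return "*" * (len(token) - 4) + token[-4:]


def main() -> int:
    """Run the checks against the real environment; exit 1 if anything is wrong."""
    env = dict(os.environ)
    problems = validate_config(env)
    print(f"base URL : {env.get('DEFECTDOJO_API_BASE', '(unset)')}")
    print(f"token    : {redact(env.get('DEFECTDOJO_API_TOKEN', ''))}")
    for p in problems:
        print(f"PROBLEM  : {p}")
    if problems:
        return 1
    print("configuration looks sane; start the MCP server")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it from the same shell (or with the same env block) that will launch `uvx defectdojo-mcp`; a non-zero exit tells you the failure is in the configuration rather than in DefectDojo reachability or token permissions, which still need to be checked against the instance itself.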

Available tools

get_findings

Retrieve findings with optional filters for status, severity, and pagination.

search_findings

Search findings by query text with optional filters and pagination.

update_finding_status

Update the status of a specific finding (e.g., Active, Verified, False Positive).

add_finding_note

Add a textual note to a finding.

create_finding

Create a new finding associated with a test.

list_products

List products with optional name/type filtering and pagination.

list_engagements

List engagements with optional product_id/status/name filters and pagination.

get_engagement

Get details for a specific engagement by ID.

create_engagement

Create a new engagement for a product.

update_engagement

Modify details of an existing engagement.

close_engagement

Mark an engagement as completed.