DefectDojo MCP server

The DefectDojo MCP Server provides a Model Context Protocol (MCP) implementation that allows AI agents and other MCP clients to interact programmatically with DefectDojo, a popular open-source vulnerability management tool. It exposes various tools for managing findings, products, and engagements within DefectDojo.

Installation Options

Using uvx (Recommended)

The recommended way to run the server is with uvx, which creates temporary virtual environments and handles dependencies automatically:

uvx defectdojo-mcp

Using pip

Alternatively, you can install the package into your Python environment:

# Install from the cloned source code directory
pip install .

# Or, if published on PyPI
pip install defectdojo-mcp

After installing with pip, run the server using:

defectdojo-mcp

Configuration

You must configure the following environment variables to connect to your DefectDojo instance:

• DEFECTDOJO_API_TOKEN (required): Your DefectDojo API token
• DEFECTDOJO_API_BASE (required): The base URL of your DefectDojo instance (e.g., https://your-defectdojo-instance.com)

Configuration Example with uvx

{
  "mcpServers": {
    "defectdojo": {
      "command": "uvx",
      "args": ["defectdojo-mcp"],
      "env": {
        "DEFECTDOJO_API_TOKEN": "YOUR_API_TOKEN_HERE",
        "DEFECTDOJO_API_BASE": "https://your-defectdojo-instance.com"
      }
    }
  }
}

Configuration Example with pip installation

{
  "mcpServers": {
    "defectdojo": {
      "command": "defectdojo-mcp",
      "args": [],
      "env": {
        "DEFECTDOJO_API_TOKEN": "YOUR_API_TOKEN_HERE",
        "DEFECTDOJO_API_BASE": "https://your-defectdojo-instance.com"
      }
    }
  }
}

Available Tools

The MCP server provides the following tools for interacting with DefectDojo:

• get_findings: Retrieve findings with filtering and pagination
• search_findings: Search findings using text queries
• update_finding_status: Change a finding's status
• add_finding_note: Add notes to findings
• create_finding: Create new findings
• list_products: List available products
• list_engagements: List engagements with filtering
• get_engagement: Get details for a specific engagement
• create_engagement: Create new engagements
• update_engagement: Modify existing engagements
• close_engagement: Mark engagements as completed

Usage Examples

Managing Findings

Get Findings

# Get active, high-severity findings (limit 10)
result = await use_mcp_tool("defectdojo", "get_findings", {
    "status": "Active",
    "severity": "High",
    "limit": 10
})

Search Findings

# Search for findings containing 'SQL Injection'
result = await use_mcp_tool("defectdojo", "search_findings", {
    "query": "SQL Injection"
})

Update Finding Status

# Mark finding 123 as Verified
result = await use_mcp_tool("defectdojo", "update_finding_status", {
    "finding_id": 123,
    "status": "Verified"
})

Add Note to Finding

result = await use_mcp_tool("defectdojo", "add_finding_note", {
    "finding_id": 123,
    "note": "Confirmed vulnerability on staging server."
})

Create Finding

result = await use_mcp_tool("defectdojo", "create_finding", {
    "title": "Reflected XSS in Search Results",
    "test_id": 55, # ID of the associated test
    "severity": "Medium",
    "description": "User input in search is not properly sanitized, leading to XSS.",
    "cwe": 79
})

Managing Products

List Products

# List products containing 'Web App' in their name
result = await use_mcp_tool("defectdojo", "list_products", {
    "name": "Web App",
    "limit": 10
})

Managing Engagements

List Engagements

# List 'In Progress' engagements for product ID 42
result = await use_mcp_tool("defectdojo", "list_engagements", {
    "product_id": 42,
    "status": "In Progress"
})

Get Engagement Details

result = await use_mcp_tool("defectdojo", "get_engagement", {
    "engagement_id": 101
})

Create Engagement

result = await use_mcp_tool("defectdojo", "create_engagement", {
    "product_id": 42,
    "name": "Q2 Security Scan",
    "target_start": "2025-04-01",
    "target_end": "2025-04-15",
    "status": "Not Started"
})

Update Engagement

result = await use_mcp_tool("defectdojo", "update_engagement", {
    "engagement_id": 101,
    "status": "In Progress",
    "description": "Scan initiated."
})

Close Engagement

result = await use_mcp_tool("defectdojo", "close_engagement", {
    "engagement_id": 101
})

How to add this MCP server to Cursor

There are two ways to add an MCP server to Cursor. The most common way is to add the server globally in the ~/.cursor/mcp.json file so that it is available in all of your projects.

If you only need the server in a single project, you can add it to the project instead by creating or adding it to the .cursor/mcp.json file.

Adding an MCP server to Cursor globally

To add a global MCP server go to Cursor Settings > MCP and click "Add new global MCP server".

When you click that button the ~/.cursor/mcp.json file will be opened and you can add your server like this:

{
    "mcpServers": {
        "cursor-rules-mcp": {
            "command": "npx",
            "args": [
                "-y",
                "cursor-rules-mcp"
            ]
        }
    }
}

Adding an MCP server to a project

To add an MCP server to a project you can create a new .cursor/mcp.json file or add it to the existing one. This will look exactly the same as the global MCP server example above.

How to use the MCP server

Once the server is installed, you might need to head back to Settings > MCP and click the refresh button.

The Cursor agent will then be able to see the available tools the added MCP server has available and will call them when it needs to.

You can also explictly ask the agent to use the tool by mentioning the tool name and describing what the function does.