Try JFrog
Guides
Contact SupportTry JFrog
Start typing to search…
  1. source-code
  2. Developers
  3. IDEs

Local SAST MCP

πŸ“˜

MCP is available with the Unified Security Bundle or the Ultimate Security Bundle

πŸ“˜

The information and documents generated by your AI system may contain errors, omissions, or inaccuracies and should not be relied upon without independent review and verification. Users are responsible for reviewing all AI-generated actions and results for accuracy, completeness, and suitability for their specific needs before making any decisions or taking any actions based on such output.

The JFrog Local SAST MCP is a tool that integrates with Model Context Protocol (MCP)-compatible AI assistants, such as GitHub Copilot or Cursor IDE. It uses the JFrog SAST engine to scan the entire codebase, analyze code semantics, and detect SAST vulnerabilities. The tool provides the AI assistant with immediate access to various aspects of the source code, such as security vulnerabilities and other security-related features. This is performed by reading and analyzing the code using the JFrog SAST source code analysis engine. It also supports capabilities like identifying and fixing vulnerabilities and detecting code duplication. The entire process runs locally, ensuring your source code never leaves your network. This is a key advantage for companies with strict security and privacy requirements.

SAST MCP List of Tools

ToolDescriptionPrimary Use Case
jfrog_sast_findings_summaryLists SAST security findings discovered by JFrog SAST in the format: #{vulnerability_id}: {rule_name}at{file_name}:{line_number}``. To fix a finding: (1) Use jfrog_sast_finding_details to get full details; (2) Review the relevant files in the data flow path; (3) Apply a fix based on the vulnerability description.Get a quick overview of all identified SAST vulnerabilities
jfrog_sast_finding_detailsProvides detailed information about a specific SAST finding, including its data flow path and remediation guidance. Requires the vulnerability_id from the findings summary.Investigate and fix a specific SAST vulnerability
jfrog_rescan_codebaseRe-scans the full codebase for vulnerabilities after changes. Automatically triggered on MCP startup. Can be manually triggered if needed. May take time depending on codebase size.Refresh scan results after code updates
jfrog_list_all_stringsLists all string literals in the codebase. Supports filtering by min_length, max_length, and filter_regex. Each result appears on a new line.Identify hardcoded strings (e.g., credentials, tokens)
jfrog_list_all_functionsLists all functions in the project, with optional filtering using filter_regex. Each result is a fully qualified function name.Inventory or audit project functions
jfrog_get_function_locationFinds the file name and line number for a given fully qualified function name. Returns all overloaded variants, if any.Locate function definitions quickly
jfrog_list_all_called_functionsLists all called functions in the codebase. Use include_internal to include internal calls, and filter_regex for filtering. Each result is a fully qualified name.Understand function usage and external dependencies
jfrog_get_function_callsLists all occurrences where a specific function is called, with exact file names and line numbers. More accurate than grep-based searches.Track down usage of a specific function
jfrog_list_all_typesLists all value types used in the codebase. Use filter_regex to narrow down results. Each result is shown as a fully qualified type name.Understand data structures used in the project
jfrog_similar_functionsDetects structurally similar functions, even with different variable names or comments. Optionally filter by min_instructions. Each group of similar functions is comma-separated.Identify duplicate logic or potential code reuse opportunities

Supported Technologies

All applications supporting MCP with the MCP Tools feature.

Installation

Visual Studio Code

Before You Begin

  • Install the latest JFrog CLI
  • Configure your Artifactory instance with JAS entitlements enabled using: 
    jf c add

Procedure

  1. Open the project you want to use MCP with.
  2. Go to View β†’ Command Palette, and select MCP: Add Server.
  3. Choose Command (stdio).
  4. For Command to run, enter: 
    jf source-mcp ${workspaceFolder}
  5. Set the Server ID (e.g., JFrog Source MCP).
  6. Choose Workspace Settings.
  7. Open the Copilot Chat tab, and enable Agent Mode.
  8. Click Select Tools and confirm that JFrog tools appear (initial indexing may take time in large projects).
  9. (Optional) Once MCP is set up, try prompting Copilot with:
    • β€œDo I have SAST vulnerabilities in my code?”
    • β€œCan you help me fix them?”

Troubleshooting

If something isn’t working as expected:

  1. Open the Command Palette > Show Output Channels.
  2. Select the relevant MCP output MCP: {server name}.
  3. In Copilot Chat, unfold the MCP tool call to view:
    • Tool input
    • Tool output

Cursor

Before You Begin

  • Install the latest JFrog CLI

  • Configure your Artifactory instance with JAS entitlements using:

    jf c add

Installing JFrog SAST MCP

  1. Open a project of interest in Cursor.

  2. Go to Command Palette β†’ Open MCP Settings.

  3. Click New MCP Server.

  4. Edit the opened JSON file to look like this:

    jsonCopyEdit{
  "mcpServers": {
    "jfrog-mcp": {
      "command": "jf",
      "args": ["source-mcp", "."]
    }
  }
}

  5. Go to Cursor Settings > MCP Tools, and confirm the new tools appear (may take time to load for large projects)

  6. (Optional) Once MCP is set up, try prompting the AI assistant with:

  • β€œDo I have SAST vulnerabilities in my code?”
  • β€œCan you help me fix them?”

Troubleshooting

  • If something isn’t working as expected:
  1. Open the Command Palette > Show Output Channels.
  2. Select the relevant MCP output MCP: {server name}.
  3. In the AI assistant chat, unfold the MCP tool call to view:
    • Tool input
    • Tool output

Updated 2 months ago