CodeSlick MCP Server for Claude Code

Comprehensive security analysis for source code via Model Context Protocol (MCP). Run 248 security checks, detect secrets, scan dependencies, and generate SBOMs directly from Claude Code.

Features

- 248 Security Checks across 6 languages (JavaScript, TypeScript, Python, Java, Go, Terraform, Kubernetes)
- OWASP 2025 Compliance (95% coverage) with CVSS 3.1 scoring
- AI Code Detection with 150 signals (hallucinations, heuristics, LLM fingerprints)
- Secrets Detection for 38 patterns (API keys, passwords, tokens, certificates)
- Dependency Scanning for npm, pip, Maven, Gradle, Go modules
- SBOM Generation in SPDX 2.3 and CycloneDX 1.4 formats
- Malicious Package Detection for 66 known packages

Installation

$3

1. Open Claude Code
2. Navigate to Settings > Plugins
3. Search for "CodeSlick Security Analysis"
4. Click "Install"

$3

``bash npm install -g codeslick-mcp-server`

Then add to your Claude Code configuration (~/.claude/config.json):

`json { "mcpServers": { "codeslick": { "command": "codeslick-mcp", "args": [] } } }`

`$3`

`bash

`Clone the repository`


git clone https://github.com/VitorLourenco/codeslick2.git
cd codeslick2/packages/mcp-server
Install dependencies

npm install
Build

npm run build
Add to Claude Code config

{
  "mcpServers": {
    "codeslick": {
      "command": "node",
      "args": ["/absolute/path/to/codeslick2/packages/mcp-server/dist/index.js"]
    }
  }
}


Available Tools
$3
Run comprehensive security analysis on source code.

Parameters: -code(string, required): Source code to analyze -language (string, required): One of javascript, typescript, python, java, go, terraform, kubernetes-filename (string, optional): Filename for context

Example:

`Analyze this JavaScript code for security issues:

function login(username, password) { const query = "SELECT * FROM users WHERE username='" + username + "'"; // ... SQL injection vulnerability }`

Output: - Security score (0-100) - Vulnerability list with severity, CVSS score, OWASP/CWE mappings - Remediation guidance with before/after code examples - Attack vector descriptions

`$3`

Scan project dependencies for vulnerabilities.

Parameters: -content(string, required): Content of dependency file (package.json, requirements.txt, etc.) -type (string, required): One of npm, pip, maven, gradle, go

Example:

`Scan this package.json for vulnerable dependencies:

{ "dependencies": { "express": "4.16.0", "lodash": "4.17.0" } }`

Output: - Vulnerable packages with CVE IDs - Malicious package detection - Upgrade recommendations - Severity breakdown

`$3`

Generate Software Bill of Materials.

Parameters: -content(string, required): Content of dependency file -type (string, required): One of npm, pip, maven, gradle, go-format (string, optional): One of spdx, cyclonedx, both (default: both) -projectName(string, optional): Project name for metadata -projectVersion (string, optional): Project version for metadata

Example:

`Generate SBOM for this package.json in SPDX format:

{ "name": "my-app", "version": "1.0.0", "dependencies": { "react": "^18.0.0" } }`

Output: - SPDX 2.3 formatted SBOM - CycloneDX 1.4 formatted SBOM - Component count and metadata - License information

`$3`

Detect hardcoded secrets in source code.

Parameters: -code(string, required): Source code to scan -filename (string, optional): Filename for context

Example:

`Check this code for hardcoded secrets:

const config = { awsAccessKey: "AKIAIOSFODNN7EXAMPLE", dbPassword: "super_secret_password_123" };`

Output: - Detected secrets with pattern type - Severity (critical, high, medium) - Line numbers - Remediation steps - Risk descriptions

`Language Support`

| Language | Security Checks | Features | |----------|----------------|----------| | JavaScript | 28 checks | XSS, injection, insecure functions | | TypeScript | 56 checks | Type safety + JS checks | | Python | 47 checks | SQL injection, pickle, eval | | Java | 32 checks | XXE, deserialization, LDAP injection | | Go | 26 checks | SQL injection, file paths, crypto | | Terraform | 22 checks | AWS misconfigs, secrets, PII | | Kubernetes | 37 checks | RBAC, pod security, secrets |

`Security Check Categories`

- Injection Attacks: SQL, XSS, command injection, LDAP injection - Authentication/Authorization: Weak crypto, insecure sessions, RBAC issues - Sensitive Data Exposure: Hardcoded secrets, PII, API keys - XML/Deserialization: XXE, unsafe pickle, Java deserialization - Security Misconfiguration: Missing security headers, weak SSL, insecure defaults - Known Vulnerabilities: Malicious packages, outdated dependencies - AI Code Detection: LLM hallucinations, AI-generated patterns

`OWASP 2025 Coverage`

- A01:2021 - Broken Access Control: ✅ 100% - A02:2021 - Cryptographic Failures: ✅ 100% - A03:2021 - Injection: ✅ 100% - A04:2021 - Insecure Design: ✅ 95% - A05:2021 - Security Misconfiguration: ✅ 90% - A06:2021 - Vulnerable Components: ✅ 100% - A07:2021 - Authentication Failures: ✅ 100% - A08:2021 - Data Integrity Failures: ✅ 85% - A09:2021 - Logging Failures: ✅ 90% - A10:2021 - SSRF: ✅ 100%

Overall Coverage: 95%

`Examples`

`$3`

`User: Analyze this Python code for security issues:

import pickle import os

def load_data(filename): with open(filename, 'rb') as f: data = pickle.load(f) # Unsafe deserialization return data

def execute_command(user_input): os.system("ls " + user_input) # Command injection`

Claude Code Response:

`CodeSlick Security Analysis Report`

Language: python Security Score: 42/100 Total Vulnerabilities: 2

`Vulnerability Summary`

🔴 Critical: 2

---

`Top Vulnerabilities`

`$3`

Severity: CRITICAL CVSS Score: 9.8/10 OWASP: A08:2021 CWE: CWE-502

Recommendation: Use safe alternatives like JSON or XML. Never unpickle data from untrusted sources.

Fix:`python // Before: data = pickle.load(f)

// After: import json data = json.load(f)`Replace pickle with JSON for safe deserialization.

---

`$3`

Severity: CRITICAL CVSS Score: 9.8/10 OWASP: A03:2021 CWE: CWE-78

Recommendation: Use subprocess with shell=False and argument list instead of os.system().

Fix:`python // Before: os.system("ls " + user_input)

// After: subprocess.run(["ls", user_input], shell=False, check=True)`Use subprocess with argument array to prevent command injection.`

`$3`

`User: Scan these npm dependencies:

{ "dependencies": { "express": "4.16.0", "lodash": "4.17.0", "event-stream": "3.3.4" } }`

Claude Code Response:

`Dependency Scan Report`

Package Manager: npm Total Vulnerabilities: 3

`Vulnerability Summary`

🔴 Critical: 1 (malicious package) 🟠 High: 2 (known CVEs)

---

`Vulnerable Dependencies`

`$3`

Severity: CRITICAL Issue: Malicious package - Bitcoin wallet stealer (CVE-2018-3721) Fix: Remove immediately - use alternative package

`$3`

Severity: HIGH Issue: Prototype pollution (CVE-2019-10744) Fix: Upgrade to version 4.17.21

`$3`

Severity: HIGH Issue: Open redirect vulnerability (CVE-2018-3717) Fix: Upgrade to version 4.18.0``

Performance

- Analysis Speed: <3s for typical files (WebTool requirement)
- Memory Usage: Low (optimized AST traversal)
- False Positive Rate: <10% (context-aware filtering)

Privacy Policy

CodeSlick MCP Server prioritizes your privacy and security:

$3

- Local Processing Only: All code analysis is performed locally on your machine
- No Data Collection: We do not collect, store, or transmit your source code
- No Telemetry: No usage statistics, analytics, or tracking of any kind
- No Account Required: The MCP server works completely offline without authentication

$3

- Fully Offline: Security analysis runs without internet connectivity
- Optional External Calls: Only for dependency scanning (OSV.dev vulnerability database) if enabled
- No Third-Party Services: No data sent to CodeSlick servers or any third parties

$3

- Your Keys, Your Control: If using advanced AI features, your OpenRouter API key is used directly
- No Key Storage: API keys are not stored or logged by the MCP server
- No Access: CodeSlick does not see or have access to your API keys

$3

- MIT License: Fully open source and auditable
- Transparent Code: All source code available for security review
- No Hidden Functionality: What you see is what you get

$3

This MCP server is separate from the CodeSlick web service. For the web service privacy policy, see: https://codeslick.dev/privacy

$3

For privacy-related questions: privacy@codeslick.dev

Support

- Documentation: https://codeslick.dev/docs
- Issues: https://github.com/VitorLourenco/codeslick2/issues
- Email: support@codeslick.dev
- Discord: https://discord.gg/codeslick

License

Contributing

Contributions welcome! See CONTRIBUTING.md for guidelines.

Roadmap

- [ ] C/C++ language support
- [ ] Rust language support
- [ ] CloudFormation support
- [ ] Custom rule configuration
- [ ] CI/CD integration templates
- [ ] VS Code extension

Credits

Built with:
- @modelcontextprotocol/sdk - MCP SDK by Anthropic
- TypeScript - Type-safe JavaScript
- CodeSlick - Security analysis engine

---

Made with ❤️ by the CodeSlick team

CodeSlick MCP Server for Claude Code

Comprehensive security analysis for source code via Model Context Protocol (MCP). Run 248 security checks, detect secrets, scan dependencies, and generate SBOMs directly from Claude Code.

Features

Installation

$3

1. Open Claude Code
2. Navigate to Settings > Plugins
3. Search for "CodeSlick Security Analysis"
4. Click "Install"

$3

``bash npm install -g codeslick-mcp-server`

Then add to your Claude Code configuration (~/.claude/config.json):

`json { "mcpServers": { "codeslick": { "command": "codeslick-mcp", "args": [] } } }`

`$3`

`bash

`Clone the repository`


git clone https://github.com/VitorLourenco/codeslick2.git
cd codeslick2/packages/mcp-server
Install dependencies

npm install
Build

npm run build
Add to Claude Code config

{
  "mcpServers": {
    "codeslick": {
      "command": "node",
      "args": ["/absolute/path/to/codeslick2/packages/mcp-server/dist/index.js"]
    }
  }
}


Available Tools
$3
Run comprehensive security analysis on source code.

Example:

`Analyze this JavaScript code for security issues:

function login(username, password) { const query = "SELECT * FROM users WHERE username='" + username + "'"; // ... SQL injection vulnerability }`

Output: - Security score (0-100) - Vulnerability list with severity, CVSS score, OWASP/CWE mappings - Remediation guidance with before/after code examples - Attack vector descriptions

`$3`

Scan project dependencies for vulnerabilities.

Parameters: -content(string, required): Content of dependency file (package.json, requirements.txt, etc.) -type (string, required): One of npm, pip, maven, gradle, go

Example:

`Scan this package.json for vulnerable dependencies:

{ "dependencies": { "express": "4.16.0", "lodash": "4.17.0" } }`

Output: - Vulnerable packages with CVE IDs - Malicious package detection - Upgrade recommendations - Severity breakdown

`$3`

Generate Software Bill of Materials.

Example:

`Generate SBOM for this package.json in SPDX format:

{ "name": "my-app", "version": "1.0.0", "dependencies": { "react": "^18.0.0" } }`

Output: - SPDX 2.3 formatted SBOM - CycloneDX 1.4 formatted SBOM - Component count and metadata - License information

`$3`

Detect hardcoded secrets in source code.

Parameters: -code(string, required): Source code to scan -filename (string, optional): Filename for context

Example:

`Check this code for hardcoded secrets:

const config = { awsAccessKey: "AKIAIOSFODNN7EXAMPLE", dbPassword: "super_secret_password_123" };`

Output: - Detected secrets with pattern type - Severity (critical, high, medium) - Line numbers - Remediation steps - Risk descriptions

`Language Support`

`Security Check Categories`

`OWASP 2025 Coverage`

Overall Coverage: 95%

`Examples`

`$3`

`User: Analyze this Python code for security issues:

import pickle import os

def load_data(filename): with open(filename, 'rb') as f: data = pickle.load(f) # Unsafe deserialization return data

def execute_command(user_input): os.system("ls " + user_input) # Command injection`

Claude Code Response:

`CodeSlick Security Analysis Report`

Language: python Security Score: 42/100 Total Vulnerabilities: 2

`Vulnerability Summary`

🔴 Critical: 2

---

`Top Vulnerabilities`

`$3`

Severity: CRITICAL CVSS Score: 9.8/10 OWASP: A08:2021 CWE: CWE-502

Recommendation: Use safe alternatives like JSON or XML. Never unpickle data from untrusted sources.

Fix:`python // Before: data = pickle.load(f)

// After: import json data = json.load(f)`Replace pickle with JSON for safe deserialization.

---

`$3`

Severity: CRITICAL CVSS Score: 9.8/10 OWASP: A03:2021 CWE: CWE-78

Recommendation: Use subprocess with shell=False and argument list instead of os.system().

Fix:`python // Before: os.system("ls " + user_input)

// After: subprocess.run(["ls", user_input], shell=False, check=True)`Use subprocess with argument array to prevent command injection.`

`$3`

`User: Scan these npm dependencies:

{ "dependencies": { "express": "4.16.0", "lodash": "4.17.0", "event-stream": "3.3.4" } }`

Claude Code Response:

`Dependency Scan Report`

Package Manager: npm Total Vulnerabilities: 3

`Vulnerability Summary`

🔴 Critical: 1 (malicious package) 🟠 High: 2 (known CVEs)

---

`Vulnerable Dependencies`

`$3`

Severity: CRITICAL Issue: Malicious package - Bitcoin wallet stealer (CVE-2018-3721) Fix: Remove immediately - use alternative package

`$3`

Severity: HIGH Issue: Prototype pollution (CVE-2019-10744) Fix: Upgrade to version 4.17.21

`$3`

Severity: HIGH Issue: Open redirect vulnerability (CVE-2018-3717) Fix: Upgrade to version 4.18.0``

Performance

- Analysis Speed: <3s for typical files (WebTool requirement)
- Memory Usage: Low (optimized AST traversal)
- False Positive Rate: <10% (context-aware filtering)

Privacy Policy

CodeSlick MCP Server prioritizes your privacy and security:

$3

- MIT License: Fully open source and auditable
- Transparent Code: All source code available for security review
- No Hidden Functionality: What you see is what you get

$3

This MCP server is separate from the CodeSlick web service. For the web service privacy policy, see: https://codeslick.dev/privacy

$3

For privacy-related questions: privacy@codeslick.dev

Support

- Documentation: https://codeslick.dev/docs
- Issues: https://github.com/VitorLourenco/codeslick2/issues
- Email: support@codeslick.dev
- Discord: https://discord.gg/codeslick

License

Contributing

Contributions welcome! See CONTRIBUTING.md for guidelines.

Roadmap

- [ ] C/C++ language support
- [ ] Rust language support
- [ ] CloudFormation support
- [ ] Custom rule configuration
- [ ] CI/CD integration templates
- [ ] VS Code extension

Credits

Built with:
- @modelcontextprotocol/sdk - MCP SDK by Anthropic
- TypeScript - Type-safe JavaScript
- CodeSlick - Security analysis engine

---

Made with ❤️ by the CodeSlick team