deep-code-security

Multi-language SAST and AI-powered fuzzing MCP server for Claude Code integration, enabling static and dynamic security analysis of code.

→ backspace-shmackspace/deep-code-security · listed on glama

Is this your MCP?

Claim it to get a verified publisher badge, a free copy of our full audit findings, and direct contact for any high-priority issues we find.

Install from

Glama

M8ven verifies MCPs across every public registry — install directly from whichever one you prefer.

// key findings

✅

No credential exfiltration, no sensitive file access, no obfuscation

Static analysis found nothing flowing your secrets to unexpected places.

🔐

You'll be asked for 1 credential: ANTHROPIC_API_KEY

These are read from process.env at runtime. Make sure you trust where they’ll be sent.

// required environment variables

This server reads these from process.env. You'll be asked to provide them before it can run.

configDCS_BRIDGE_MAX_TARGETS— 10 Max fuzz targets produced by SAST-to-Fuzz bridge

configDCS_FUZZ_ALLOWED_PLUGINS— export =python,c

🔐 secretANTHROPIC_API_KEY— "": "your-api-key-here"

configGOOGLE_CLOUD_PROJECT— (none) GCP project ID for Vertex AI (optional)

configCLOUD_ML_PROJECT_NUMBER— (none) GCP project number for Vertex AI (optional)

configANTHROPIC_VERTEX_PROJECT_ID— (none) Vertex AI project override (optional)

configDCS_FUZZ_C_COMPILE_FLAGS— "" Comma-separated gcc flags (e.g., -O2,-march=native)

configDCS_FUZZ_C_INCLUDE_PATHS— "" Comma-separated include paths for C harness compilation

configDCS_SCANNER_BACKEND— auto Scanner backend: semgrep, treesitter, or auto (prefer semgrep if available)

configDCS_REGISTRY_PATH— "": "/path/to/deep-code-security/registries",

configDCS_ALLOWED_PATHS— "": "/path/to/projects",

configDCS_SANDBOX_TIMEOUT— 30 Per-exploit timeout in seconds

configDCS_CONTAINER_RUNTIME— "": "auto",

configDCS_MAX_CONCURRENT_SANDBOXES— 2 Concurrency limit for sandbox execution

configDCS_MAX_FILES— 10000 Max files per scan

configDCS_MAX_RESULTS— 100 Max findings returned per hunt operation

configDCS_MAX_VERIFICATIONS— 50 Max findings to verify in auditor phase

configDCS_QUERY_TIMEOUT— 5.0 Tree-sitter query timeout in seconds

configDCS_QUERY_MAX_RESULTS— 1000 Max results per tree-sitter query

configDCS_SEMGREP_TIMEOUT— 120 Maximum seconds for Semgrep subprocess

configDCS_SEMGREP_RULES_PATH— registry>/semgrep Path to DCS Semgrep rule files

configDCS_FUZZ_MODEL— claude-sonnet-4-6 Claude model for input generation

configDCS_FUZZ_MAX_ITERATIONS— 10 Max fuzzing iterations

configDCS_FUZZ_INPUTS_PER_ITER— 10 Inputs generated per iteration

configDCS_FUZZ_TIMEOUT_MS— 5000 Per-input execution timeout

configDCS_FUZZ_MAX_COST_USD— 5.0 API cost budget

configDCS_FUZZ_OUTPUT_DIR— ./fuzzy-output Corpus and report output directory

configDCS_FUZZ_GCP_REGION— us-east5 GCP region for Vertex AI

configDCS_FUZZ_MCP_TIMEOUT— 120 Hard wall-clock timeout for MCP fuzz invocations

configDCS_OUTPUT_DIR

// full audit trail

The full breakdown of what we checked, the deductions that landed, the network hosts, the dependency advisories, and concrete fix guidance is available to verified publishers.

// improvement guidance — verified publishers only

We have 3 concrete improvements we can share with the publisher of this MCP. Each comes with specific guidance to raise the trust score.

// embed badge in your README

[![M8ven Score](https://m8ven.ai/badge/mcp/backspace-shmackspace-deep-code-security-14quqk)](https://m8ven.ai/mcp/backspace-shmackspace-deep-code-security-14quqk)

commit: 80e448e5edc123c8296bc2225f86dae9cfb918f1

code hash: 65398c124e90e08a4393cb51f1e363dc82bc052518e08bb6cb407e6356ec1ac5

verified: 6/22/2026, 12:41:35 PM

view raw JSON →