mcp-defectdojo

MCP server for DefectDojo vulnerability management, exposing 24 tools for managing products, engagements, tests, findings, scan imports, and finding lifecycle through the Model Context Protocol.

→ inspicere/mcp-defectdojo · listed on glama

Is this your MCP?

Claim it to get a verified publisher badge, a free copy of our full audit findings, and direct contact for any high-priority issues we find.

Install from

Glama

M8ven verifies MCPs across every public registry — install directly from whichever one you prefer.

// key findings

✅

No credential exfiltration, no sensitive file access, no obfuscation

Static analysis found nothing flowing your secrets to unexpected places.

✅

Open source with a license and README

Anyone can audit the code, the license is declared, and the publisher documents what it does.

🔐

You'll be asked for 8 credentials: AUDIT_HMAC_KEY, REQUIRE_AUDIT_HMAC_KEY, AUDIT_LOG_HTTPS_TOKEN, DEFECTDOJO_READ_API_KEY, DEFECTDOJO_WRITE_API_KEY, DEFECTDOJO_API_KEY, MCP_AUTH_TOKEN, MCP_READ_TOKEN

These are read from process.env at runtime. Make sure you trust where they’ll be sent.

// required environment variables

This server reads these from process.env. You'll be asked to provide them before it can run.

configALLOW_INSECURE_HTTP— false Allow http:// URLs (TLS required by default)

configDEFECTDOJO_URL— Edit .env — set and DEFECTDOJO_API_KEY

configDEFECTDOJO_API_KEY_ADMIN

configLOG_LEVEL— INFO DEBUG, INFO, WARNING, ERROR, CRITICAL

🔐 secretAUDIT_HMAC_KEY— (ephemeral) HMAC key for audit log integrity chain. Required for cross-restart log verification. Generate with: python3 -c "import secrets; print(secrets.token_hex(32))"

configFASTMCP_TRANSPORT— stdio Transport mode: stdio, sse, streamable-http, http

🔐 secretREQUIRE_AUDIT_HMAC_KEY— set =false to opt out (not recommended).

configAUDIT_LOG_FILE— (stderr only) Path for dedicated audit log file (JSON-lines, logrotate-compatible)

configAUDIT_LOG_SYSLOG— (disabled) Syslog destination. Format: [transport://]host[:port]. Transports: tcp, udp, tcp+tls (default).

configAUDIT_LOG_SYSLOG_CA— (system CAs) Custom CA certificate for syslog TLS verification

configAUDIT_LOG_HTTPS_URL— (disabled) HTTPS endpoint for log forwarding (JSON array POST)

🔐 secretAUDIT_LOG_HTTPS_TOKEN— (none) Bearer token for HTTPS endpoint authentication

configAUDIT_LOG_HTTPS_CA— (system CAs) Custom CA certificate path for HTTPS TLS verification — required when forwarding to a SIEM signed by an internal PKI (e.g. Caddy + Vault PKI).

configDEFECTDOJO_DEFAULT_FOUND_BY_ID

🔐 secretDEFECTDOJO_READ_API_KEY— Read-only API key (used for GET requests)

🔐 secretDEFECTDOJO_WRITE_API_KEY— Write API key (used for POST/PATCH requests)

🔐 secretDEFECTDOJO_API_KEY— Edit .env — set DEFECTDOJO_URL and

🔐 secretMCP_AUTH_TOKEN— admin role

🔐 secretMCP_READ_TOKEN— reader role

configUNTRUSTED_CONTENT_WRAPPING— Fix (legacy escape): Set =off to disable wrapping globally. Only use this if you have an independent untrusted-content boundary downstream.

configREQUIRE_AUTH— OPEN_ACCESS_MUTATION_RATE_LIMIT 10 Max mutations per rate window across all unauthenticated traffic (one shared bucket — applies only when =false)

configFASTMCP_HOST— 0.0.0.0 Bind address for network transports

// full audit trail

The full breakdown of what we checked, the deductions that landed, the network hosts, the dependency advisories, and concrete fix guidance is available to verified publishers.

// improvement guidance — verified publishers only

We have 5 concrete improvements we can share with the publisher of this MCP. Each comes with specific guidance to raise the trust score.

// embed badge in your README

[![M8ven Score](https://m8ven.ai/badge/mcp/inspicere-mcp-defectdojo-jeqzv3)](https://m8ven.ai/mcp/inspicere-mcp-defectdojo-jeqzv3)

commit: 09e59ad4e40eec44a6786d692c7eb726f20c745e

code hash: 20ac75afb11c76c0f848cdae031bd3063d9817263976f28e4bb3b240b56e8bbb

verified: 6/16/2026, 1:28:04 PM

view raw JSON →