Contrast MCP Server

The Contrast MCP Server allows you to connect Contrast Security to your AI coding agent to automatically remediate vulnerabilities, update insecure libraries, and analyze security coverage—all through natural language prompts.

• Remediate vulnerabilities directly from Contrast Assess data
• Identify and update insecure third-party libraries with Contrast SCA insights
• Review route coverage, Protect/ADR findings, and other security metadata on demand

Warning

CRITICAL SECURITY WARNING: Exposing Contrast vulnerability data to an AI service that trains on your prompts can leak sensitive information. Only use mcp-contrast with environments that contractually guarantee data isolation and prohibit model training on your inputs.

Verify AI Data Privacy: Confirm that your service agreement prevents model training on your prompts and consult your security team before sharing Contrast data.

UNSAFE: Public consumer LLM sites (e.g., free ChatGPT, Gemini, Claude) that use prompts for training.

POTENTIALLY SAFE: Enterprise services with contractual privacy guarantees (e.g., Google Cloud AI, AWS Bedrock, Azure OpenAI).

Quick Start

Prerequisites

• Docker (recommended) or Java 17+ for JAR deployment
• Contrast API credentials (how to get API credentials)

VS Code (GitHub Copilot) - One-Click Install

Click the button above to automatically install in VS Code. For manual setup, see VS Code (GitHub Copilot) Installation Guide.

IntelliJ IDEA (GitHub Copilot)

Add this to your mcp.json configuration file and replace the placeholder values with your Contrast credentials:

{
  "servers": {
    "contrast": {
      "command": "docker",
      "args": [
        "run",
        "-e",
        "CONTRAST_HOST_NAME",
        "-e",
        "CONTRAST_API_KEY",
        "-e",
        "CONTRAST_SERVICE_KEY",
        "-e",
        "CONTRAST_USERNAME",
        "-e",
        "CONTRAST_ORG_ID",
        "-i",
        "--rm",
        "contrast/mcp-contrast:latest",
        "-t",
        "stdio"
      ],
      "env": {
        "CONTRAST_HOST_NAME": "example.contrastsecurity.com",
        "CONTRAST_API_KEY": "example",
        "CONTRAST_SERVICE_KEY": "example",
        "CONTRAST_USERNAME": "[email protected]",
        "CONTRAST_ORG_ID": "example"
      }
    }
  }
}

📖 Full IntelliJ (GitHub Copilot) Installation Guide - Includes step-by-step setup and JAR deployment option

Other AI Assistants

• Claude Code - Anthropic's official CLI tool
• Claude Desktop - Standalone Claude application
• Cline Plugin - VS Code alternative AI assistant
• All Other MCP Hosts - Complete installation guides for oterm and more

Sample Prompts

For the Developer

Remediate Vulnerabilities in Code

• Please list vulnerabilities for Application Y.
• Give me details about vulnerability X in Application Y.
• Review vulnerability X and fix it.

Third-Party Library Remediation

• Which libraries in Application X have high or critical vulnerabilities and are actively used?
• Update library X, which has a critical vulnerability, to the safe version.
• Which libraries in Application X are not being used?

Retrieve Applications by Tag

• Please give me the applications tagged with "backend."

Retrieve Applications by Metadata

• Please give me the applications with metadata "dev-team" and "backend-team."

Retrieve Vulnerabilities by Session Metadata

• Give me the session metadata for Application X.
• Give me the vulnerabilities in the latest session for Application X.
• Give me the vulnerabilities for session metadata "Branch Name" "feature/some-new-fix" for Application X.
• Give me the route coverage for the latest session for Application X.
• Give me the route coverage for session metadata "Branch Name" "feature/some-new-fix" for Application X.

For the Security Professional

• Please give me a breakdown of applications and servers vulnerable to CVE-xxxx-xxxx.
• Please list the libraries for the application named xxx and tell me what version of commons-collections is being used.
• Which vulnerabilities in Application X are being blocked by a Protect or ADR rule?

Getting the JAR File

If you're using JAR deployment (instead of Docker), you'll need the JAR file:

Download (Recommended)

Download the latest pre-built JAR from GitHub Releases.

The JAR file will be named mcp-contrast-X.X.X.jar.

Build from Source

Alternatively, you can build from source if you need the latest development version. Requires Java 17+:

mvn clean install

The built JAR will be located at target/mcp-contrast-X.X.X-SNAPSHOT.jar

Proxy Configuration

If you're behind a corporate firewall or proxy, you'll need to configure proxy settings for the MCP server to reach your Contrast instance. The configuration differs depending on whether you're using Docker or JAR deployment.

Java Process (JAR Deployment)

Choose ONE of the following based on how you're running the JAR:

Direct Java Command

Use this if you're running the JAR directly from the command line or a script.

Add these two system properties to your java command:

-Dhttp_proxy_host=proxy.example.com
-Dhttp_proxy_port=8080

Complete example:

java \
  -Dhttp_proxy_host=proxy.example.com \
  -Dhttp_proxy_port=8080 \
  -jar /path/to/mcp-contrast-X.X.X.jar \
  --CONTRAST_HOST_NAME=example.contrastsecurity.com \
  --CONTRAST_API_KEY=example \
  --CONTRAST_SERVICE_KEY=example \
  [email protected] \
  --CONTRAST_ORG_ID=example

MCP Configuration File

Use this if you're running the JAR through an MCP host (IntelliJ, Claude Desktop, Cline, etc.).

Add these two lines to the beginning of your args array:

"-Dhttp_proxy_host=proxy.example.com",
"-Dhttp_proxy_port=8080",

Complete example using IntelliJ's mcp.json:

{
  "servers": {
    "contrast": {
      "command": "java",
      "args": [
        "-Dhttp_proxy_host=proxy.example.com",
        "-Dhttp_proxy_port=8080",
        "-jar",
        "/path/to/mcp-contrast-X.X.X.jar",
        "--CONTRAST_HOST_NAME=example.contrastsecurity.com",
        "--CONTRAST_API_KEY=example",
        "--CONTRAST_SERVICE_KEY=example",
        "[email protected]",
        "--CONTRAST_ORG_ID=example"
      ]
    }
  }
}

Docker (Docker Deployment)

Choose ONE of the following based on how you're running Docker:

Direct Docker Run Command

Use this if you're running Docker directly from the command line.

Add these two environment variables to your docker run command:

-e http_proxy_host="proxy.example.com" \
-e http_proxy_port="8080" \

Complete example:

docker run \
  -e http_proxy_host="proxy.example.com" \
  -e http_proxy_port="8080" \
  -e CONTRAST_HOST_NAME=example.contrastsecurity.com \
  -e CONTRAST_API_KEY=example \
  -e CONTRAST_SERVICE_KEY=example \
  -e CONTRAST_USERNAME=example \
  -e CONTRAST_ORG_ID=example \
  -i --rm \
  contrast/mcp-contrast:latest \
  -t stdio

MCP Configuration File

Use this if you're running Docker through an MCP host (IntelliJ, VS Code, Claude Desktop, Cline, etc.).

Add these proxy settings:

Add to the args array (after the Contrast credentials):

"-e", "http_proxy_host",
"-e", "http_proxy_port",

Add to the env object:

"http_proxy_host": "proxy.example.com",
"http_proxy_port": "8080"

Complete example using IntelliJ's mcp.json:

{
  "servers": {
    "contrast": {
      "command": "docker",
      "args": [
        "run",
        "-e", "CONTRAST_HOST_NAME",
        "-e", "CONTRAST_API_KEY",
        "-e", "CONTRAST_SERVICE_KEY",
        "-e", "CONTRAST_USERNAME",
        "-e", "CONTRAST_ORG_ID",
        "-e", "http_proxy_host",
        "-e", "http_proxy_port",
        "-i", "--rm",
        "contrast/mcp-contrast:latest",
        "-t", "stdio"
      ],
      "env": {
        "CONTRAST_HOST_NAME": "example.contrastsecurity.com",
        "CONTRAST_API_KEY": "example",
        "CONTRAST_SERVICE_KEY": "example",
        "CONTRAST_USERNAME": "[email protected]",
        "CONTRAST_ORG_ID": "example",
        "http_proxy_host": "proxy.example.com",
        "http_proxy_port": "8080"
      }
    }
  }
}

For VS Code with input variables, see the VS Code Installation Guide.

Common Issues

If you are experiencing issues with the MCP server, here are some common troubleshooting steps:

Review Log

A log will be created, by default under /tmp/mcp-contrast.log either locally or within the Docker container. You can view this log to see if there are any errors or issues with the MCP server.

Enable Debug Logging

To enable debug logging you can add the following flag to the command line arguments when running the MCP server: --logging.level.root=DEBUG This can be added at this part of the docker command

        "--rm",
        "contrast/mcp-contrast:latest",
        "-t",
        "--logging.level.root=DEBUG",
        "stdio"
        ],

Certificate Issues

If the SSL Certificate for the Teamserver URL is not trusted, you may see the following error:

Failed to list applications: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

If this occurs you will need to add the certificate to the Java Truststore and then add the following to the command line arguments when running the MCP server: -Djavax.net.ssl.trustStore=/location/to/mcp-truststore.jks, -Djavax.net.ssl.trustStorePassword=yourpassword More details on how to do this can be found in the Java documentation. Or ask your LLM to help you with this.

Data Privacy

The Contrast MCP Server provides a bridge between your Contrast Data and the AI Agent/LLM of your choice. By using Contrast's MCP server you will be providing your Contrast Data to your AI Agent/LLM, it is your responsibility to ensure that the AI Agent/LLM you use complies with your data privacy policy. Depending on what questions you ask the following information will be provided to your AI Agent/LLM.

• Application Details
• Application Rule configuration
• Vulnerability Details
• Route Coverage data
• ADR/Protect Attack Event Details