# MCP Setup

The Nullify CLI includes a built-in MCP server that gives AI coding assistants access to your security findings, triage tools, and more.

## Prerequisites

* [Install the Nullify CLI](https://docs.nullify.ai/cli/install)
* [Authenticate with your Nullify instance](https://docs.nullify.ai/cli/install/authentication)

## Claude Code

Add Nullify as an MCP server:

```bash
claude mcp add nullify -- nullify mcp serve
```

The Nullify tools will be automatically available in your Claude Code sessions.

## Cursor

Add to your project's `.cursor/mcp.json`:

```json
{
  "mcpServers": {
    "nullify": {
      "command": "nullify",
      "args": ["mcp", "serve"]
    }
  }
}
```

## Codex

Add to your Codex MCP configuration:

```json
{
  "mcpServers": {
    "nullify": {
      "command": "nullify",
      "args": ["mcp", "serve"]
    }
  }
}
```

## Available Tools

The MCP server provides the following tools:

### SAST (Static Application Security Testing)

* `list_sast_findings` - List SAST findings with filters (severity, status, repository)
* `get_sast_finding` - Get details of a specific SAST finding
* `triage_sast_finding` - Update the triage status of a SAST finding

### SCA (Software Composition Analysis)

* `list_sca_dependency_findings` - List dependency vulnerability findings
* `get_sca_dependency_finding` - Get details of a specific dependency finding
* `list_sca_container_findings` - List container vulnerability findings
* `get_sca_container_finding` - Get details of a specific container finding

### Secrets

* `list_secrets_findings` - List detected secret findings
* `get_secrets_finding` - Get details of a specific secret finding

### DAST (Dynamic Application Security Testing)

* `list_dast_findings` - List DAST findings
* `get_dast_finding` - Get details of a specific DAST finding

### CSPM (Cloud Security Posture Management)

* `list_cspm_findings` - List cloud security findings
* `get_cspm_finding` - Get details of a specific cloud finding

### Admin

* `list_repositories` - List repositories monitored by Nullify
* `get_repository` - Get details of a specific repository

### Classifier

* `list_assets` - List discovered assets
* `get_asset` - Get details of a specific asset

## Verifying the Connection

After configuring your AI assistant, you can verify the connection by asking:

> "List my critical SAST findings"

The assistant should use the `list_sast_findings` tool and return results from your Nullify instance.

## Troubleshooting

### "Not authenticated" error

Run `nullify auth status` to check your login status. If not authenticated, run `nullify auth login`.

### Tools not appearing

Ensure the `nullify` binary is in your PATH. Run `which nullify` to verify.

### Connection issues

Check that your host is correctly configured with `nullify auth config`.