MCP Setup

Connect your AI coding assistant to Nullify using the Model Context Protocol (MCP)

The Nullify CLI includes a built-in MCP server that gives AI coding assistants access to your security findings, triage tools, and more.

Prerequisites

Claude Code

Add Nullify as an MCP server:

claude mcp add nullify -- nullify mcp serve

The Nullify tools will be automatically available in your Claude Code sessions.

Cursor

Add to your project's .cursor/mcp.json:

{
  "mcpServers": {
    "nullify": {
      "command": "nullify",
      "args": ["mcp", "serve"]
    }
  }
}

Codex

Add to your Codex MCP configuration:

Available Tools

The MCP server provides the following tools:

SAST (Static Application Security Testing)

  • list_sast_findings - List SAST findings with filters (severity, status, repository)

  • get_sast_finding - Get details of a specific SAST finding

  • triage_sast_finding - Update the triage status of a SAST finding

SCA (Software Composition Analysis)

  • list_sca_dependency_findings - List dependency vulnerability findings

  • get_sca_dependency_finding - Get details of a specific dependency finding

  • list_sca_container_findings - List container vulnerability findings

  • get_sca_container_finding - Get details of a specific container finding

Secrets

  • list_secrets_findings - List detected secret findings

  • get_secrets_finding - Get details of a specific secret finding

DAST (Dynamic Application Security Testing)

  • list_dast_findings - List DAST findings

  • get_dast_finding - Get details of a specific DAST finding

CSPM (Cloud Security Posture Management)

  • list_cspm_findings - List cloud security findings

  • get_cspm_finding - Get details of a specific cloud finding

Admin

  • list_repositories - List repositories monitored by Nullify

  • get_repository - Get details of a specific repository

Classifier

  • list_assets - List discovered assets

  • get_asset - Get details of a specific asset

Verifying the Connection

After configuring your AI assistant, you can verify the connection by asking:

"List my critical SAST findings"

The assistant should use the list_sast_findings tool and return results from your Nullify instance.

Troubleshooting

"Not authenticated" error

Run nullify auth status to check your login status. If not authenticated, run nullify auth login.

Tools not appearing

Ensure the nullify binary is in your PATH. Run which nullify to verify.

Connection issues

Check that your host is correctly configured with nullify auth config.
