MCP Server
Model Context Protocol server with 20 security tools for AI assistants
What is MCP?
The Model Context Protocol (MCP) is an open standard that lets AI assistants use external tools. Instead of copy-pasting code into ChatGPT, your AI assistant can directly call Fortly's security tools during conversation.
This means you can say "analyze this code for vulnerabilities" in Claude Desktop or Cursor, and it will automatically run Fortly's SAST engine, secrets scanner, or dependency checker -- returning real results, not guesses.
Why it matters: Fortly is one of the first security platforms to offer an MCP server. Your AI assistant becomes a security expert with access to real scanning engines, not just training data.
Setup
Choose between remote mode (no installation) and local mode (via npx).

Remote mode needs no installation: it connects to Fortly's hosted MCP server and works with Claude Desktop, Cursor, Windsurf, and any MCP client. Add the following to your client's MCP config file:

```json
{
  "mcpServers": {
    "fortly": {
      "url": "https://fortly-security.com/mcp",
      "headers": {
        "Authorization": "Bearer ft_sk_your_api_key"
      }
    }
  }
}
```

Config file locations:
Claude Desktop: ~/Library/Application Support/Claude/claude_desktop_config.json
Cursor: .cursor/mcp.json
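The config above stores a bearer token in a plaintext file, so the key should come from the environment rather than being pasted in, and the file should not be readable by other local users or committed to the repo. As an added example (not Fortly's own code or tooling), this Python helper writes the remote-mode entry with a caller-supplied key, merges it into an existing config without clobbering other servers, and audits a config for the usual mistakes; the FORTLY_API_KEY variable name and the audit rules are assumptions.

```python
"""Added helper (not Fortly's code): write and audit the remote-mode MCP config."""
import json
import os
from pathlib import Path

FORTLY_MCP_URL = "https://fortly-security.com/mcp"  # endpoint shown on the page
PLACEHOLDER_KEY = "ft_sk_your_api_key"               # placeholder shown on the page

def merge_config(existing, api_key: str) -> dict:
    """Add/replace the page's 'fortly' entry, keeping other servers already configured."""
    if not api_key or api_key == PLACEHOLDER_KEY:
        raise ValueError("provide a real Fortly API key (e.g. via FORTLY_API_KEY)")
    config = dict(existing or {})
    servers = dict(config.get("mcpServers", {}))
    servers["fortly"] = {"url": FORTLY_MCP_URL,
                         "headers": {"Authorization": f"Bearer {api_key}"}}
    config["mcpServers"] = servers
    return config

def write_config(path: str, api_key: str) -> None:
    """Merge into the config file and create it 0600: the file holds a bearer token."""
    p = Path(path).expanduser()
    existing = json.loads(p.read_text()) if p.exists() else None
    p.parent.mkdir(parents=True, exist_ok=True)
    fd = os.open(p, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(merge_config(existing, api_key), f, indent=2)
    os.chmod(p, 0o600)  # also tighten a pre-existing, more permissive file

def audit_config(config: dict) -> list:
    """Problems in a parsed config: missing entry, non-HTTPS URL, missing/placeholder token."""
    fortly = config.get("mcpServers", {}).get("fortly")
    if fortly is None:
        return ["no 'fortly' server entry"]
    problems = []
    if not fortly.get("url", "").startswith("https://"):
        problems.append("url is not https: the bearer token would travel in cleartext")
    auth = fortly.get("headers", {}).get("Authorization", "")
    if not auth.startswith("Bearer "):
        problems.append("Authorization header missing or not a Bearer token")
    elif auth == f"Bearer {PLACEHOLDER_KEY}":
        problems.append("Authorization header still holds the placeholder key")
    return problems

def audit_config_file(path: str) -> list:
    """audit_config() plus a check that other local users cannot read the token."""
    p = Path(path).expanduser()
    problems = audit_config(json.loads(p.read_text()))
    if p.stat().st_mode & 0o077:
        problems.append(f"{p} is readable by group/others")
    return problems
```

Typical use is `write_config(".cursor/mcp.json", os.environ["FORTLY_API_KEY"])` followed by `audit_config_file(".cursor/mcp.json")`, which returns an empty list when the file is in order.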
20 Available Tools
| Tool | Description | Mode |
|---|---|---|
| fortly_scan_code | SAST analysis (45 rules, JS/Python/Java/Go) | OFFLINE |
| fortly_check_secrets | Detect 16 secret patterns in code | OFFLINE |
| fortly_scan_iac | Terraform/Docker/K8s misconfig (22 rules) | OFFLINE |
| fortly_generate_sbom | CycloneDX/SPDX bill of materials | OFFLINE |
| fortly_check_dependency | CVE check via OSV.dev | OFFLINE |
| fortly_explain_cve | Plain-language CVE explanation | OFFLINE |
| fortly_scan | DAST URL scanning | API |
| fortly_get_remediation | AI-powered fix preview | API |
| fortly_apply_fix | Apply AI-generated fix | API |
| fortly_batch_remediate | Fix all vulnerabilities in a scan | API |
| fortly_scan_sca | Software Composition Analysis | API |
| fortly_scan_diff | Compare two scans | API |
| fortly_compliance_check | Compliance verification | API |
| fortly_gap_analysis | LATAM compliance gap analysis | API |
| fortly_list_frameworks | 12 frameworks (6 LATAM) | API |
| fortly_export_compliance | Auditor evidence export | API |
| fortly_purple_team | MITRE ATT&CK attack chains | API |
| fortly_dashboard | Security metrics overview | API |
| fortly_scan_history | Trend analysis over time | API |
| fortly_evaluate_policy | Policy evaluation engine | API |
Real Usage Examples
Just describe what you want in natural language. Your AI assistant picks the right tool automatically.
"Analyze this code for security vulnerabilities"
Tool used: fortly_scan_code
Claude runs SAST analysis with 45 rules across JS, Python, Java, and Go. Returns vulnerability findings with severity, CWE, and remediation suggestions.

"Is it safe to use lodash 4.17.15?"
Tool used: fortly_check_dependency
Checks the dependency against OSV.dev for known CVEs. Returns vulnerability details and the recommended upgrade version.

"Detect secrets in this config file"
Tool used: fortly_check_secrets
Scans for 16 secret patterns: AWS keys, GitHub tokens, database URLs, JWT secrets, private keys, and more. Works without any API key.
Prompts & Resources
Prompts (ask your AI)
security-review
Full security review of a codebase: SAST, secrets, dependencies, IaC, and compliance.
threat-model
STRIDE-based threat model generation with MITRE ATT&CK mapping.
Resources (reference data)
OWASP Top 10
Complete OWASP Top 10 2021 reference with descriptions, examples, and mitigations.
JS Secure Coding
JavaScript/TypeScript secure coding guide: XSS prevention, input validation, auth patterns.