DefectDojo
MCP server for DefectDojo: 24 tools with RBAC, HMAC audit chain, and SIEM forwarding
Verdict not yet evaluated for this tool. The hybrid eval runs adversarial cases first; coverage rolls out as the corpus expands. Until a verdict is recorded, an agent should treat this tool as not-yet-cleared and fall back to its own checks. Method: hybrid eval, four-state verdict, honest limits.
{
  "mcpServers": {
    "mcp-defectdojo": {
      "command": "uvx",
      "args": [
        "mcp-defectdojo"
      ],
      "env": {
        "DEFECTDOJO_URL": "<defectdojo_url>",
        "DEFECTDOJO_API_KEY": "<your-defectdojo_api_key>",
        "DEFECTDOJO_READ_API_KEY": "<your-defectdojo_read_api_key>",
        "DEFECTDOJO_WRITE_API_KEY": "<your-defectdojo_write_api_key>",
        "MCP_AUTH_TOKEN": "<your-mcp_auth_token>",
        "AUDIT_HMAC_KEY": "<your-audit_hmac_key>"
      }
    }
  }
}

DEFECTDOJO_URL: Base URL of the DefectDojo instance (must use https:// unless ALLOW_INSECURE_HTTP=true)
DEFECTDOJO_API_KEY: API key for DefectDojo (generate at DefectDojo > API v2 > Your API Key). Use DEFECTDOJO_READ_API_KEY + DEFECTDOJO_WRITE_API_KEY for least-privilege dual-key mode.
DEFECTDOJO_READ_API_KEY: Optional read-only API key (used for GET requests in dual-key mode)
DEFECTDOJO_WRITE_API_KEY: Optional write API key (used for POST/PATCH in dual-key mode)
MCP_AUTH_TOKEN: Bearer token granting admin-role access (legacy single-token mode; prefer MCP_ROLE_<NAME>=<token>:<role> for RBAC)
AUDIT_HMAC_KEY: HMAC key for audit log integrity chain. Required for cross-restart log verification on network transports. Generate with: python3 -c 'import secrets; print(secrets.token_hex(32))'