Skip to content

MCP server

The AlertaVuln MCP server lets any Model Context Protocol client - Claude Code, Claude Desktop, Cursor, or your own agent - query and manage your AlertaVuln organisation directly: list projects, triage alerts, pull SAST findings, check packages against CVE intelligence, and manage your tech stack and webhooks.

The hosted server is live at:

https://alertavuln.com/mcp

The server (internally mcp-router) is a small, stateless Go service that exposes the AlertaVuln REST API as MCP tools. It is a proxy: it holds no secrets and no database of its own. Every tool call is forwarded to the AlertaVuln API using the API key you present.

It supports two transports:

  • HTTP (the hosted endpoint) - MCP streamable HTTP (JSON-RPC over HTTP), stateless. Your org API key is forwarded per request from the Authorization: Bearer av_live_... header (or X-AlertaVuln-Key if your client can’t set Authorization). The key is never stored - it lives only for the duration of that request’s tool calls.
  • stdio (the local binary, default transport) - a single session where the key is read once at startup from the ALERTAVULN_API_KEY environment variable. ALERTAVULN_API_URL overrides the API base URL and defaults to https://alertavuln.com.

You authenticate with a per-organisation API key: the prefix av_live_ followed by 64 hex characters. Create one in the web app on the Settings page, in the API Keys panel (org-admin only). When you create a key you choose a name and a scope:

  • ReadOnly - can call all read tools (list / get / check / find).
  • ReadWrite - additionally allowed to call the write tools (create, update, delete, acknowledge, sync, test).

The Settings page API Keys panel with a key named mcp-server, showing its av_live_ prefix and scope

Create the key under Settings, in the API Keys panel - here named for the MCP server. Demo data.

Replace av_live_YOUR_KEY_HERE with your key in each snippet.

Add the hosted server with one command:

Terminal window
claude mcp add --transport http alertavuln https://alertavuln.com/mcp \
--header "Authorization: Bearer av_live_YOUR_KEY_HERE"

Or declare it in your project’s .mcp.json:

.mcp.json
{
"mcpServers": {
"alertavuln": {
"type": "http",
"url": "https://alertavuln.com/mcp",
"headers": {
"Authorization": "Bearer av_live_YOUR_KEY_HERE"
}
}
}
}

For air-gapped setups, or when you prefer not to send your key through a bridge, the same binary runs as a local stdio MCP server. Supply the key via the environment instead of a header:

{
"mcpServers": {
"alertavuln": {
"command": "mcp-router",
"env": {
"ALERTAVULN_API_KEY": "av_live_YOUR_KEY_HERE",
"ALERTAVULN_API_URL": "https://alertavuln.com"
}
}
}
}

In stdio mode the key is read once at startup; ALERTAVULN_API_URL may be omitted - it defaults to https://alertavuln.com.

The server registers 28 tools. Tools marked write require a ReadWrite-scoped key; a read-only key calling them gets back “this API key is read-only or lacks permission”.

Tool Access Description
get_org read Get your organisation (id, name, contact email, timestamps)
list_members read List members of your organisation
list_invites read List pending / recently accepted invites
get_audit_log read One page of the org audit log
Tool Access Description
list_projects read List all projects in your org
get_project read Get a single project by id
create_project write Create a new project
update_project write Update a project’s settings
delete_project write Delete a project and all its data
Tool Access Description
list_alerts read List a project’s vulnerability alerts, triaged REDYELLOWGREEN; filter by status, acknowledged, resolved, page
get_alert read Get a single alert by id within a project
acknowledge_alert write Acknowledge an alert, with an optional note
Tool Access Description
list_sast_findings read List a project’s current SAST findings, tiered RED / YELLOW / GREEN; filter by state (open / all / fixed), severity, and source repo
list_sast_scan_jobs read List a project’s server-side scan-job history (status, source repo, tier counts, queued time)
Tool Access Description
list_tech_stack read List a project’s tracked packages with health flags
add_tech_stack_item write Add a package to a project’s tech stack
update_tech_stack_item write Update a tech-stack item in place
remove_tech_stack_item write Remove a package from the tech stack
sync_tech_stack write Reconcile a project’s tech stack from a parsed dependency manifest
Tool Access Description
list_webhooks read List a project’s notification webhooks
add_webhook write Add a notification webhook (slack, googlechat, teams, discord, generic)
update_webhook write Update a webhook
delete_webhook write Delete a webhook
test_webhook write Send a test notification to a webhook
Tool Access Description
check_package read Pre-flight a single package coordinate against AlertaVuln intelligence: matching CVEs (severity / CVSS / EPSS / KEV), maintenance health, suggested safe version
find_exposed read Find every project in your org with an alert for a given CVE id (blast-radius lookup)
get_package_health read List a project’s at-risk (deprecated / unmaintained) packages
export_sbom read Export a project’s SBOM (CycloneDX by default, optionally with VEX) - requires an Enterprise subscription

The hosted server exposes an unauthenticated liveness endpoint:

Terminal window
curl -i https://alertavuln.com/mcp/health
# expect: HTTP/1.1 200 OK ... ok

With auth in place, an MCP initialize handshake identifies the server as alertavuln (version 0.1.0), and tools/list enumerates the tools above. If your key is missing, malformed, or revoked, tool calls fail with “authentication failed” (HTTP 401 from the API).

  • CI/CD - gate pipelines with the CLI
  • av sast scan - the local scan whose findings list_sast_findings surfaces
  • Install the CLI - the installer that also delivers mcp-router