Current Version: 1.0.3 Requires Python 3.10 or higher
A Model Context Protocol (MCP) server for integrating with StackHawk's security scanning platform. Provides security analytics, YAML configuration management, sensitive data/threat surface analysis, and anti-hallucination tools for LLMs.
- Features
- Installation
- Usage
- Configuration
- Available Tools & API
- YAML & Anti-Hallucination
- Sensitive Data & Threat Surface
- Testing & Development
- Example Configurations
- Contributing
- License
- Integrating with LLMs and IDEs
- Security Analytics: Organization, application, and vulnerability tools
- YAML Configuration Tools: Creation, validation, schema reference, anti-hallucination field validation
- Sensitive Data & Threat Surface Analysis: Repository, application, and data exposure mapping
- Custom User-Agent: All API calls include a versioned
User-Agentheader - Comprehensive Test Suite: Automated tests for all major features
- Install via pip (make sure you have write permission to your current python environment):
> pip install stackhawk-mcp # Requires Python 3.10 or higher
Or Install via pip in a virtual env:
> python3 -m venv ~/.virtualenvs/mcp
> source ~/.virtualenvs/mcp/bin/activate
> (mcp) pip install stackhawk-mcp
# Requires Python 3.10 or higherOr Install via pip using pyenv:
> pyenv shell 3.10.11
> pip install stackhawk-mcp
# Requires Python 3.10 or higherOr Install locally from this repo:
> pip install --user .
# Run this command from the root of the cloned repository- Set your StackHawk API key:
> export STACKHAWK_API_KEY="your-api-key-here"
python -m stackhawk_mcp.serverpython -m stackhawk_mcp.http_serverpytestStackHawk MCP can be used as a tool provider for AI coding assistants and LLM-powered developer environments, enabling security analytics, YAML validation, and anti-hallucination features directly in your workflow.
- Setup:
- Follow the installation instructions above to install
stackhawk-mcpin your python environment. - In Cursor, go to
Cursor Settings->Tools & Integrations->MCP Tools - Add a "New MCP Server" with the following json, depending on your setup:
- Using a virtual env at
~/.virtualenvs/mcp:{ "mcpServers": { "stackhawk": { "command": "/home/bobby/.virtualenvs/mcp/bin/python", "args": ["-m", "stackhawk_mcp.server"], "env": { "STACKHAWK_API_KEY": "${env:STACKHAWK_API_KEY}" }, "disabled": false } } } - Using pyenv:
{ "mcpServers": { "stackhawk": { "command": "/home/bobby/.pyenv/versions/3.10.11/bin/python3", "args": ["-m", "stackhawk_mcp.server"], "env": { "STACKHAWK_API_KEY": "${env:STACKHAWK_API_KEY}" }, "disabled": false } } } - Or use python directly:
{ "mcpServers": { "stackhawk": { "command": "python3", "args": ["-m", "stackhawk_mcp.server"], "env": { "STACKHAWK_API_KEY": "${env:STACKHAWK_API_KEY}" } } } } - Then make sure the "stackhawk" MCP Tool is enabled
- Using a virtual env at
- Follow the installation instructions above to install
- Usage:
- Use Cursor's tool invocation to call StackHawk MCP tools (e.g., vulnerability search, YAML validation).
- Example prompt:
Validate this StackHawk YAML config for errors.
- Setup:
- Deploy the MCP HTTP server and expose it to your LLM system (local or cloud).
- Use the LLM's tool-calling or function-calling API to connect to the MCP endpoint.
- Pass the required arguments (e.g., org_id, yaml_content) as specified in the tool schemas.
- Example API Call:
{ "method": "tools/call", "params": { "name": "validate_stackhawk_config", "arguments": {"yaml_content": "..."} } } - Best Practices:
- Use anti-hallucination tools to validate field names and schema compliance.
- Always check the tool's output for warnings or suggestions.
- Setup:
- Add StackHawk MCP as a tool provider or extension in your IDE, pointing to the local or remote MCP server endpoint.
- Configure environment variables as needed.
- Usage:
- Invoke security analytics, YAML validation, or sensitive data tools directly from the IDE's command palette or tool integration panel.
- Ensure the MCP server is running and accessible from your LLM or IDE environment.
- Review the Available Tools & API section for supported operations.
- For advanced integration, see the example tool usage in this README or explore the codebase for custom workflows.
- All HTTP requests include a custom
User-Agentheader:User-Agent: StackHawk-MCP/{version} - The version is set in
stackhawk_mcp/server.pyasSTACKHAWK_MCP_VERSION. - Set your API key via the
STACKHAWK_API_KEYenvironment variable.
- Organization Info: Get details about StackHawk organizations
- Application Management: List/search applications with security status
- Vulnerability Search: Search for vulnerabilities across applications
- Security Dashboard: Generate executive dashboards
- Vulnerability Reporting: Generate detailed reports and analysis
- Trend Analysis: Analyze vulnerability trends
- Critical Findings: Get high-priority findings
- Executive Summaries: Generate executive-level summaries
- Create Config: Generate StackHawk YAML config files
- Validate Config: Validate YAML against the official schema
- Schema Reference: Fetch the latest StackHawk schema
- Schema Caching: 24-hour TTL, manual refresh
- Anti-Hallucination: Field validation tools
- Sensitive Data Reporting: Organization, app, and repo-level
- Trend Analysis: Track sensitive data exposure
- Critical Data Findings: Identify high-risk data
- Surface Mapping: Map sensitive data and threat surfaces
# Get organization info
org_info = await server._get_organization_info(org_id="your-org-id")
# Validate a YAML config
result = await server._validate_stackhawk_config(yaml_content="...")
# Get application vulnerabilities
vulns = await server._get_application_vulnerabilities(app_id="your-app-id")- Field Validation: Prevents LLMs from suggesting invalid fields
- Schema Reference: Always up-to-date with the official StackHawk schema
- AI Suggestions: Use
suggest_configurationfor YAML recommendations - YAML Validation: Validate any config with
validate_stackhawk_config
Official Schema URL: https://download.stackhawk.com/hawk/jsonschema/hawkconfig.json
- Data Type Categorization: PII, PCI, PHI
- Risk Assessment: Risk scoring, levels, and factors
- Exposure Mapping: Application and repository analysis
- Trend Analysis: Time-based, app, repo, and data type trends
- Surface Mapping: Entry points, risk heatmap, exposure analysis
pytestpytest tests/test_sensitive_data.py
pytest tests/test_repository_analysis.pyblack stackhawk_mcp/mypy stackhawk_mcp/app:
applicationId: "12345678-1234-1234-1234-123456789012"
env: "dev"
host: "https://localhost:3000"
name: "Development App"
description: "Local development environment"app:
applicationId: "87654321-4321-4321-4321-210987654321"
env: "prod"
host: "https://myapp.com"
name: "Production App"
description: "Production environment"
authentication:
type: "form"
username: "your-username"
password: "your-password"
loginUrl: "https://myapp.com/login"
usernameField: "username"
passwordField: "password"
hawk:
spider:
base: true
ajax: false
maxDurationMinutes: 30
scan:
maxDurationMinutes: 60
threads: 10
startupTimeoutMinutes: 5
failureThreshold: "high"
tags:
- name: "environment"
value: "production"
- name: "application"
value: "myapp"Contributions are welcome! Please open issues or pull requests for bug fixes, new features, or documentation improvements.
Apache License 2.0. See LICENSE for details.
Version bumps are managed via the "Prepare Release" GitHub Actions workflow. When triggering this workflow, you can select whether to bump the minor or major version. The workflow will automatically update version files, commit, and push the changes to main.
Note: The workflow is protected against infinite loops caused by automated version bump commits.
All CI/CD git operations use a GitHub App token for authentication.
The git user and email are set from the repository secrets HAWKY_APP_USER and HAWKY_APP_USER_EMAIL.
Workflows are designed to skip jobs if the latest commit is an automated version bump, preventing workflow loops.
- Go to the "Actions" tab on GitHub.
- Select the "Prepare Release" workflow.
- Click "Run workflow" and choose the desired bump type (minor or major).
- The workflow will handle the rest!