Introduction to the MCP server | Fluid Attacks Help

Introduction to the MCP

What is MCP?

MCP (Model Context Protocol) is a communication standard that allows AI assistants (e.g., Claude, ChatGPT, Gemini) to connect with external tools and services.

What is the Fluid Attacks MCP Server?

Fluid Attacks' MCP implementation is a software component that allows AI systems to connect and work with the Fluid Attacks platform over the Internet. Thanks to this integration, you can query the platform using natural language without leaving your preferred AI tool. Examples of what you can do with it:
  1. Monitor your security posture: Get real-time information about vulnerabilities in your applications
  2. Run security scans: Execute automated security tests on your code
  3. Investigate vulnerabilities: Dive deep into security issues and understand them better
  4. Get remediation guidance: Receive step-by-step instructions to fix security problems
  5. Access knowledge base: Search through Fluid Attacks' security documentation
  6. Manage your projects: View and organize your security testing projects

Key terms

  1. Group: A security testing project (e.g., "MobileApp" or "WebPortal")
  2. Weakness: A type of vulnerability (e.g., SQL Injection)
  3. Vulnerability: A specific instance of a security issue in your code
  4. Root: What you're testing (code repo, website, IP address)
  5. SAST: Scanning source code for security issues
  6. SCA: Checking dependencies for known vulnerabilities
  7. Forces: Automated security checks in your CI/CD pipeline
  8. Treatment: How you're handling a vulnerability (fixing, accepting, etc.)

Key capabilities of our MCP

  1. Analytics: See security trends and metrics
    1. Usage example: "Show risk over time for the organization ORGANIZATION_NAME."
  2. Vulnerabilities: Find and track security issues
    1. Usage example: "List all XSS-related vulnerabilities in the group GROUP_NAME."
  3. Projects: Manage security testing projects
    1. Usage example: "What is the configuration of each group in the organization ORGANIZATION_NAME?"
  4. Assets: View tested applications and code
    1. Usage example: "List Git repositories of the group GROUP_NAME that are being scanned for security issues."
  5. Scanning: Run automated security tests
    1. Usage example: "Scan my dependencies."
  6. DevSecOps: Monitor pipeline security checks
    1. Usage example: "Show the latest scan results for the group GROUP_NAME."
  7. Knowledge: Search security documentation
    1. Usage example: "How to fix SQLi reported in the group GROUP_NAME?"

More usage examples

You can ask our AI Agent or configure our MCP server to perform the following actions. Each item lists the objective, followed by the prompt to use:
  1. Check daily status: "Show me today's security summary for the organization ORGANIZATION_NAME."
  2. Before deploying: "Run a complete security scan."
  3. Assign work to team: "List all untreated vulnerabilities by priority for the group GROUP_NAME."
  4. Learn about an issue: "Explain [vulnerability type] reported in the group GROUP_NAME."
  5. Track progress: "Show remediation metrics for this sprint for the group GROUP_NAME."
  6. Compliance reporting: "Generate a vulnerability report by severity for the group GROUP_NAME."
  7. Verify automation: "Show latest CI/CD security scan results in the group GROUP_NAME."
  8. Understand a finding: "Get details for vulnerability VULNERABILITY_UUID/NAME in the group GROUP_NAME."
  9. Check dependencies: "Scan my packages for vulnerabilities."
  10. Review a project: "Show me all information for the group GROUP_NAME."

Further reading

  1. How to install the MCP and how to integrate our scanners into your SDLC using AI
  2. MCP capabilities and how to use them
  3. How to install Docker (prerequisite to run the scanners)
Tip for best results: Be specific by mentioning project names, vulnerability types, or time periods.