Contrast Security is proud to announce the launch of our MCP server. Smart assistants help you find and fix mistakes in your writing. Now, picture an assistant fixing security weaknesses in your code. An IDE-based AI agent, such as Copilot, armed with Contrast’s MCP server, can do just that!
Watch how the Contrast MCP server empowers an AI coding agent to quickly identify and fix a real-world SQL injection vulnerability.
This video showcases how the Contrast MCP server, combined with an AI assistant, simplifies the process of remediating a complex JNDI injection vulnerability.
The Contrast MCP server is a bridge between Contrast’s data — most notably, the powerful and contextual Interactive Application Security Testing (IAST) vulnerability data — and an AI agent running inside an integrated development environment (IDE). This bridge allows the agent to pinpoint the vulnerable code and fix it without ever leaving the IDE. In addition to the vulnerability data itself, Contrast provides its expert-curated remediation guidance to the AI agent. This ensures the AI has all the information it needs to get the fix right the first time.
Let’s take a deeper dive into the technology behind this innovation.
Model Context Protocol (MCP) is designed to enable the Large Language Models (LLMs) inside AI agents to access external data sources and tools. This significantly expands their utility by providing custom information and the ability to effect change in external systems, without the need for special training or development. MCP comprises two key components: the MCP client, which lives within AI tools like GitHub Copilot, Cline, Aider or Claude Desktop; and the MCP server, which exposes tools, services, and/or data.
Upon startup, the MCP client within the AI tool queries the configured MCP servers to retrieve a list of available tools and descriptions. This allows the AI tool to understand what's available and how to use it. When the AI is prompted, it knows what tools are available and can leverage those tools however it sees fit, enabling a multitude of use cases.
A simple example of MCP's power is its ability to expose a portion of the local filesystem to the MCP client and, subsequently, to the LLM. This enables the LLM to read and interact with local files, facilitating operations that would otherwise be impossible for a cloud-based LLM. Essentially, MCP bridges the gap between the LLM's execution environment and external resources, allowing for sophisticated interactions.
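As an added illustration (not code from Contrast’s MCP server or any real MCP SDK), the following Python sketch walks through the discovery and invocation flow described above as JSON-RPC 2.0 messages: the client issues `tools/list` to learn what is available, then `tools/call` to fetch a finding. The `get_vulnerability` tool, the finding record and its id are constructed for the example.

```python
import json

# Constructed sample data: a hypothetical IAST finding, not real Contrast output.
FINDINGS = {
    "VULN-001": {
        "rule": "sql-injection",
        "severity": "High",
        "file": "src/main/java/com/example/UserDao.java",
        "line": 42,
        "guidance": "Use a PreparedStatement with bound parameters instead of string concatenation.",
    }
}

# Tool catalogue the client discovers via tools/list (hypothetical tool name).
TOOLS = [{
    "name": "get_vulnerability",
    "description": "Return details and remediation guidance for a finding id.",
    "inputSchema": {"type": "object",
                    "properties": {"id": {"type": "string"}},
                    "required": ["id"]},
}]


def handle(request: dict) -> dict:
    """Dispatch one JSON-RPC 2.0 request the way an MCP server does."""
    rid, method = request.get("id"), request.get("method")
    params = request.get("params", {})
    if method == "tools/list":
        return {"jsonrpc": "2.0", "id": rid, "result": {"tools": TOOLS}}
    if method == "tools/call":
        if params.get("name") != "get_vulnerability":
            return {"jsonrpc": "2.0", "id": rid,
                    "error": {"code": -32602, "message": "unknown tool"}}
        finding = FINDINGS.get(params.get("arguments", {}).get("id"))
        if finding is None:
            # Tool-level failures go in the result (isError), not as protocol errors.
            return {"jsonrpc": "2.0", "id": rid, "result": {
                "isError": True, "content": [{"type": "text", "text": "no such finding"}]}}
        return {"jsonrpc": "2.0", "id": rid, "result": {
            "content": [{"type": "text", "text": json.dumps(finding)}]}}
    return {"jsonrpc": "2.0", "id": rid,
            "error": {"code": -32601, "message": "method not found"}}


def agent_session() -> dict:
    """Simulate the client side: discover tools, then call one to fetch a finding."""
    listing = handle({"jsonrpc": "2.0", "id": 1, "method": "tools/list"})
    tool = listing["result"]["tools"][0]["name"]
    reply = handle({"jsonrpc": "2.0", "id": 2, "method": "tools/call",
                    "params": {"name": tool, "arguments": {"id": "VULN-001"}}})
    return json.loads(reply["result"]["content"][0]["text"])
```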
The Contrast MCP server provides the MCP client — and, by extension, the LLM — with access to Contrast Security’s vulnerability data. When used in conjunction with an agentic coding tool, it allows developers to efficiently and effectively remediate vulnerabilities because of the deep context Contrast provides. This is made possible because Contrast’s MCP server supplies the coding tool with detailed vulnerability information, including:
With this comprehensive information, the coding agent — which the developer prompts and then guides — can quickly and accurately remediate the identified vulnerability.
Leveraging Contrast’s MCP server in conjunction with an AI coding agent allows developers to swiftly and precisely remediate vulnerabilities that Contrast detects. While this appears to be the most powerful use case, given the flexible nature of the MCP technology, you could ask an AI agent to do just about anything with your Contrast data. For example:
These examples are not exhaustive; the true power of MCP lies in the flexibility it provides to users of LLMs.
We've created a video that guides you through using Contrast’s MCP server. The video also shows you how to fix the SQLi and JNDI vulnerabilities discussed in this article.
The versatility of MCP extends far beyond what we’ve covered here, and its ability to empower LLMs to interact with various systems opens up countless possibilities for improved security workflows. To get started and explore the Contrast MCP server firsthand, check out our repository on GitHub.
Joseph Beeton is a Senior Security Researcher for Contrast Security and a recovering Java Developer. He started his career as a Java developer writing archive/backup software before moving to a large financial company working on web applications and backend APIs. However, after a while, writing yet another microservice wasn't that much fun anymore. Breaking them was, though. Thus, he moved to Application Security and from there on to Research.