Info: MCP is available with the Unified Security Bundle or the Ultimate Security Bundle.

Info: The information and documents generated by your AI system may contain errors, omissions, or inaccuracies and should not be relied upon without independent review and verification. Users are responsible for reviewing all AI-generated actions and results for accuracy, completeness, and suitability for their specific needs before making any decisions or taking any actions based on such output.
The JFrog Local SAST MCP is a tool that integrates with Model Context Protocol (MCP)-compatible AI assistants, such as GitHub Copilot or Cursor IDE. It uses the JFrog SAST engine to scan the entire codebase, analyze code semantics, and detect SAST vulnerabilities. It gives the AI assistant immediate access to various aspects of the source code, such as security vulnerabilities and other security-related properties, by reading and analyzing the code with the JFrog SAST source code analysis engine. It also supports capabilities such as identifying and fixing vulnerabilities and detecting code duplication. The entire process runs locally, so your source code never leaves your network, which is a key advantage for companies with strict security and privacy requirements.
SAST MCP List of Tools
| Tool | Description | Primary Use Case |
|---|---|---|
| jfrog_sast_findings_summary | Lists SAST security findings discovered by JFrog SAST in the format: `#{vulnerability_id}: {rule_name} at {file_name}:{line_number}`. To fix a finding: (1) Use jfrog_sast_finding_details to get full details; (2) Review the relevant files in the data flow path; (3) Apply a fix based on the vulnerability description. | Get a quick overview of all identified SAST vulnerabilities |
| jfrog_sast_finding_details | Provides detailed information about a specific SAST finding, including its data flow path and remediation guidance. Requires the vulnerability_id from the findings summary. | Investigate and fix a specific SAST vulnerability |
| jfrog_rescan_codebase | Re-scans the full codebase for vulnerabilities after changes. Automatically triggered on MCP startup. Can be manually triggered if needed. May take time depending on codebase size. | Refresh scan results after code updates |
| jfrog_list_all_strings | Lists all string literals in the codebase. Supports filtering by min_length, max_length, and filter_regex. Each result appears on a new line. | Identify hardcoded strings (e.g., credentials, tokens) |
| jfrog_list_all_functions | Lists all functions in the project, with optional filtering using filter_regex. Each result is a fully qualified function name. | Inventory or audit project functions |
| jfrog_get_function_location | Finds the file name and line number for a given fully qualified function name. Returns all overloaded variants, if any. | Locate function definitions quickly |
| jfrog_list_all_called_functions | Lists all called functions in the codebase. Use include_internal to include internal calls, and filter_regex for filtering. Each result is a fully qualified name. | Understand function usage and external dependencies |
| jfrog_get_function_calls | Lists all occurrences where a specific function is called, with exact file names and line numbers. More accurate than grep-based searches. | Track down usage of a specific function |
| jfrog_list_all_types | Lists all value types used in the codebase. Use filter_regex to narrow down results. Each result is shown as a fully qualified type name. | Understand data structures used in the project |
| jfrog_similar_functions | Detects structurally similar functions, even with different variable names or comments. Optionally filter by min_instructions. Each group of similar functions is comma-separated. | Identify duplicate logic or potential code reuse opportunities |
Supported Technologies
All applications supporting MCP with the MCP Tools feature.