Current Version: 1.2.4 Requires Python 3.10 or higher
A Model Context Protocol (MCP) server for integrating with StackHawk's security scanning platform. Helps developers set up StackHawk, run security scans, and triage findings to fix vulnerabilities β all from within an LLM-powered IDE or chat.
- Features
- Installation
- Usage
- Configuration
- Available Tools
- Testing & Development
- Example Configurations
- Integrating with LLMs and IDEs
- Contributing
- License
- Setup: Detect your project, create a StackHawk application, and generate a ready-to-scan
stackhawk.yml - Scan: Run StackHawk scans directly from your IDE or chat (with install help if the CLI is missing)
- Triage: Get actionable findings at or above your failure threshold for remediation
- Validate: Check YAML configs against the official schema and validate field paths to prevent hallucination
- Custom User-Agent: All API calls include a versioned
User-Agentheader
- Install via pip (make sure you have write permission to your current python environment):
> pip install stackhawk-mcp # Requires Python 3.10 or higher
Or Install via pip in a virtual env:
> python3 -m venv ~/.virtualenvs/mcp
> source ~/.virtualenvs/mcp/bin/activate
> (mcp) pip install stackhawk-mcp
# Requires Python 3.10 or higherOr Install via pip using pyenv:
> pyenv shell 3.10.11
> pip install stackhawk-mcp
# Requires Python 3.10 or higherOr Install locally from this repo:
> pip install --user .
# Run this command from the root of the cloned repository- Set your StackHawk API key:
> export STACKHAWK_API_KEY="your-api-key-here"
python -m stackhawk_mcp.serverpython -m stackhawk_mcp.http_serverpytestStackHawk MCP can be used as a tool provider for AI coding assistants and LLM-powered developer environments, enabling security scanning setup, YAML validation, and vulnerability triage directly in your workflow.
- Setup:
- Follow the installation instructions above to install
stackhawk-mcpin your python environment. - In Cursor, go to
Cursor Settings->Tools & Integrations->MCP Tools - Add a "New MCP Server" with the following json, depending on your setup:
- Using a virtual env at
~/.virtualenvs/mcp:{ "mcpServers": { "stackhawk": { "command": "/home/bobby/.virtualenvs/mcp/bin/python", "args": ["-m", "stackhawk_mcp.server"], "env": { "STACKHAWK_API_KEY": "${env:STACKHAWK_API_KEY}" }, "disabled": false } } } - Using pyenv:
{ "mcpServers": { "stackhawk": { "command": "/home/bobby/.pyenv/versions/3.10.11/bin/python3", "args": ["-m", "stackhawk_mcp.server"], "env": { "STACKHAWK_API_KEY": "${env:STACKHAWK_API_KEY}" }, "disabled": false } } } - Or use python directly:
{ "mcpServers": { "stackhawk": { "command": "python3", "args": ["-m", "stackhawk_mcp.server"], "env": { "STACKHAWK_API_KEY": "${env:STACKHAWK_API_KEY}" } } } } - Then make sure the "stackhawk" MCP Tool is enabled
- Using a virtual env at
- Follow the installation instructions above to install
- Usage:
- Use Cursor's tool invocation to call StackHawk MCP tools (e.g., vulnerability search, YAML validation).
- Example prompt:
Validate this StackHawk YAML config for errors.
- Setup:
- Deploy the MCP HTTP server and expose it to your LLM system (local or cloud).
- Use the LLM's tool-calling or function-calling API to connect to the MCP endpoint.
- Pass the required arguments (e.g., org_id, yaml_content) as specified in the tool schemas.
- Example API Call:
{ "method": "tools/call", "params": { "name": "validate_stackhawk_config", "arguments": {"yaml_content": "..."} } } - Best Practices:
- Use anti-hallucination tools to validate field names and schema compliance.
- Always check the tool's output for warnings or suggestions.
- Setup:
- Add StackHawk MCP as a tool provider or extension in your IDE, pointing to the local or remote MCP server endpoint.
- Configure environment variables as needed.
- Usage:
- Invoke setup, scanning, validation, and triage tools directly from the IDE's command palette or tool integration panel.
- Ensure the MCP server is running and accessible from your LLM or IDE environment.
- Review the Available Tools & API section for supported operations.
- For advanced integration, see the example tool usage in this README or explore the codebase for custom workflows.
StackHawk can be added to the GitHub Coding Agent as an MCP server or as its own GitHub Custom Agent.
You can add StackHawk MCP to the GitHub Copilot Coding Agent. This gives the agent all the stackhawk/ tools.
StackHawk MCP installation into the Coding Agent
General instructions on GitHub
For StackHawk MCP, the MCP Configuration JSON should look something like this:
{
"mcpServers": {
"stackhawk": {
"type": "local",
"tools": [
"*"
],
"command": "uvx",
"args": [
"stackhawk-mcp"
],
"env": {
"STACKHAWK_API_KEY": "COPILOT_MCP_STACKHAWK_API_KEY"
}
}
}
}Then in the Repository's Settings->Environments->copilot->Environment Secrets, add COPILOT_MCP_STACKHAWK_API_KEY with your StackHawk API Key.
Installation verification instructions
You can the StackHawk Onboarding Agent as a custom agent at the enterprise, organization, or repository level in GitHub. When added, the StackHawk Onboarding Agent becomes a selectable option in the Copilot Agent Chat with context to help with onboarding, plus it installs stackhawk-mcp so the agent has access to all of those tools.
StackHawk Onboarding Agent installation
The general approach is to take the StackHawk Onboarding Agent defintion and apply it to either the desired repository, enterprise, or organization in GitHub.
- Instructions for installing into a repository on GitHub
- Instructions for installing into an enterprise on GitHub
- Instructions for installing into an organization GitHub
Note that the mcp-servers block in the StackHawk Onboarding Agent definition references an environment variable called COPILOT_MCP_STACKHAWK_API_KEY. Go to the Repository's Settings->Environments->copilot->Environment Secrets, add COPILOT_MCP_STACKHAWK_API_KEY with your StackHawk API Key.
- All HTTP requests include a custom
User-Agentheader:User-Agent: StackHawk-MCP/{version} - The version is set in
stackhawk_mcp/server.pyasSTACKHAWK_MCP_VERSION. - Set your API key via the
STACKHAWK_API_KEYenvironment variable.
The MCP server exposes 7 tools organized around the developer workflow:
| Phase | Tool | Description |
|---|---|---|
| Discover | get_organization_info |
Get org details, teams, and applications |
| Discover | list_applications |
List applications in an organization |
| Setup | setup_stackhawk_for_project |
Detect language, find/create app, generate stackhawk.yml |
| Validate | validate_stackhawk_config |
Validate YAML against the official StackHawk schema |
| Validate | validate_field_exists |
Check if a field path is valid in the schema (anti-hallucination) |
| Scan | run_stackhawk_scan |
Run a StackHawk scan via the CLI (returns install help if CLI is missing) |
| Triage | get_app_findings_for_triage |
Get findings at/above the configured failure threshold |
# Set up StackHawk for a project
result = await server.call_tool("setup_stackhawk_for_project", {"host": "http://localhost:3000"})
# Validate a YAML config
result = await server.call_tool("validate_stackhawk_config", {"yaml_content": "..."})
# Run a scan
result = await server.call_tool("run_stackhawk_scan", {})
# Get findings to triage
result = await server.call_tool("get_app_findings_for_triage", {})Official Schema URL: https://download.stackhawk.com/hawk/jsonschema/hawkconfig.json
pytestpytest tests/test_ux_improvements.py
pytest tests/test_user_scenarios.pyblack stackhawk_mcp/mypy stackhawk_mcp/app:
applicationId: "12345678-1234-1234-1234-123456789012"
env: "dev"
host: "http://localhost:3000"
name: "Development App"
description: "Local development environment"app:
applicationId: "87654321-4321-4321-4321-210987654321"
env: "prod"
host: "https://myapp.com"
name: "Production App"
description: "Production environment"
authentication:
type: "form"
username: "your-username"
password: "your-password"
loginUrl: "https://myapp.com/login"
usernameField: "username"
passwordField: "password"
hawk:
spider:
base: true
ajax: false
maxDurationMinutes: 30
scan:
maxDurationMinutes: 60
threads: 10
startupTimeoutMinutes: 5
failureThreshold: "high"
tags:
- name: "environment"
value: "production"
- name: "application"
value: "myapp"Contributions are welcome! Please open issues or pull requests for bug fixes, new features, or documentation improvements.
Apache License 2.0. See LICENSE for details.
Version bumps are managed via the "Prepare Release" GitHub Actions workflow. When triggering this workflow, you can select whether to bump the minor or major version. The workflow will automatically update version files, commit, and push the changes to main.
Note: The workflow is protected against infinite loops caused by automated version bump commits.
All CI/CD git operations use a GitHub App token for authentication.
The git user and email are set from the repository secrets HAWKY_APP_USER and HAWKY_APP_USER_EMAIL.
Workflows are designed to skip jobs if the latest commit is an automated version bump, preventing workflow loops.
- Go to the "Actions" tab on GitHub.
- Select the "Prepare Release" workflow.
- Click "Run workflow" and choose the desired bump type (minor or major).
- The workflow will handle the rest!