Security MCP Turns Org Policies Into an API for Coding Agents
Security MCP is a configurable server that exposes security policies, risk context and paved roads to coding agents like Claude Code and Cursor via MCP tools.
Security MCP is a lightweight server that exposes an organization's security policies, risk context, paved roads and tool registry to coding agents such as Claude Code, Cursor and Codex through the MCP protocol. Its premise is straightforward: since agents now do most of the typing, security teams need a way to program the model's context rather than rely on changing human behavior, turning security into an API the agent can call at every step of its loop.
Each configured collection—policy_tool, risk_index, paved_road_tool, tool_registry—can pull from files, HTTP services, GitHub repos, other MCP servers, or signed OPA bundles, and names/scopes are entirely customizable, letting teams expose runbooks, ADRs or design-system docs the same way. tool_registry additionally lets teams register invokable actions like conftest checks or external HTTP endpoints as callable tools.
The CLI offers subcommands (init, validate, doctor, lint, serve) to scaffold config, verify source reachability, and run the server over stdio or HTTP, while a Docker image bundles GitHub integration and a gh-based launcher simplifies token handling. A JSONL audit log hashes call arguments to avoid leaking secrets or PII, giving platform and security teams a concrete mechanism for enforcing policy compliance in agent-driven development workflows.