
BoostSecurity MCP Server


What is the BoostSecurity MCP Server?


The BoostSecurity MCP (Model-Context-Protocol) Server is a security safeguard designed for developers using agentic AI coding assistants (like Cursor, Claude Code, VS Code Copilot, etc.).

Agentic AI systems accelerate development but can also introduce serious supply chain risks by suggesting or adding third-party code packages without scrutiny. The BoostSecurity MCP server acts as an intelligent checkpoint to mitigate these risks.

It automatically analyzes every package an AI agent attempts to introduce into your project. It inspects the package for risks before it gets installed, flags unsafe dependencies, and can recommend secure, maintained alternatives. It also serves as a proactive security agent, informing you of existing security issues in your repository when queried.

Its core functions include validate_package for new packages, which verifies whether a given package is safe to use, and direct interaction with your prioritized risk backlog from the security team via authenticated API connectivity with Boostsecurity.io.


Repository & API Connectivity


In addition to package validation via validate_package, the BoostSecurity MCP server provides three additional capabilities via API connectivity:

  • get_finding – Retrieve specific security findings from your repository
  • get_violations – Query all security violations in your codebase
  • get_violations_by_package – Analyze violations associated with specific packages

This allows your AI agent to:

  • Query security issues in your current repository
  • Analyze existing dependencies for vulnerabilities, maintenance status, etc.
  • Provide context-aware SAST vulnerability remediation code directly in your IDE

This feature is available by configuring a Read-Only API key from your BoostSecurity account. The API connectivity tool enables your AI agent to query your repository's security posture, analyze dependencies, and receive context-aware remediation, all without leaving your IDE.


How to Enable API Connectivity


  1. Navigate to the Settings page and click on Application Keys.
  2. Generate a Read-Only API key by entering the Key name and assigning it a Viewer role.

    • These keys provide read access only — no modifications possible.

    Note

    The API key needs to be generated by a Boost Admin in your organization.

  3. Configure the key in your MCP client (e.g., Claude Code, Windsurf, VS Code, etc.):

    • For most clients, add it as an environment variable, header, or in the MCP server config (e.g., BOOST_API_KEY=your_read_only_key).
    • Some clients may prompt for it when the tool is first used.

  4. Once set, your AI agent can use the connectivity tool automatically or when prompted (e.g., "Scan my repo for security issues").

Note: The validate_package tool works without an API key (public/anonymous access). API connectivity features require a key for authenticated access to your Boostsecurity findings and codebase risk analysis.


🛡️ Why Use It? The Problem & The Solution


The Problem: Agentic AI and Supply Chain Risk


AI coding agents are powerful, but they don't inherently understand software supply chain security. Without safeguards, they can easily introduce packages that:

  • Contain Malware: Malicious code hidden within a seemingly useful package.
  • Have Known Vulnerabilities: Contain high or critical severity issues (CVEs) that attackers can exploit.
  • Are Typosquatted: Mimic legitimate libraries to trick users (e.g., reqeusts instead of requests).
  • Are End-of-Life (EOL): No longer maintained or supported, meaning security flaws will not be fixed.
  • Are "Hallucinations": Don't actually exist in the package registry.
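To make the checkpoint idea concrete, here is an added illustrative model of how a validate_package-style gate can classify the risk categories above. It is not BoostSecurity's code; the registry snapshot, the "popular package" list and the metadata fields are constructed assumptions so the block runs offline.

```python
"""Illustrative dependency checkpoint (added example, not BoostSecurity's own code).
A constructed in-memory registry stands in for a real package index."""

# Constructed sample registry: name -> metadata (assumed shape, not a real API)
REGISTRY = {
    "requests": {"maintained": True, "critical_cve": False},
    "urllib3": {"maintained": True, "critical_cve": False},
    "oldhttp": {"maintained": False, "critical_cve": False},   # EOL package
    "vulnlib": {"maintained": True, "critical_cve": True},     # known critical CVE
}
# Widely used names that typosquatters tend to imitate (constructed list)
POPULAR = ("requests", "urllib3")


def damerau_distance(a, b):
    """Optimal-string-alignment edit distance; a swap such as 'reqeusts' costs 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)   # adjacent transposition
    return d[len(a)][len(b)]


def validate_package(name):
    """Return (verdict, reason, alternative); verdict is 'allow' or 'block'."""
    name = name.lower()
    # Typosquat check first: the imitation may exist in the registry too,
    # so "does it exist" alone is not enough to clear it.
    for known in POPULAR:
        if name != known and damerau_distance(name, known) <= 1:
            return ("block", f"possible typosquat of {known}", known)
    meta = REGISTRY.get(name)
    if meta is None:
        return ("block", "package not found in registry (possible hallucination)", None)
    if meta["critical_cve"]:
        return ("block", "known critical vulnerability", None)
    if not meta["maintained"]:
        return ("block", "package is end-of-life / unmaintained", None)
    return ("allow", "no risks found", None)
```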

The Solution: A Security Safeguard


The BoostSecurity MCP server integrates directly with your AI assistant to eliminate these risks at the source.

Key Benefits:

  • Block Unsafe Packages: Automatically prevents the introduction of malicious, vulnerable, or EOL dependencies.
  • Verify Package Health: Confirms that dependencies are legitimate, actively maintained, and supported.
  • Get Safer Alternatives: When a risk is detected, the server provides recommendations for secure alternatives or patched versions.
  • Reduce Supply Chain Risk: Strengthens your software supply chain by default.
  • Innovate Confidently: Allows your team to fully leverage the speed of agentic AI without compromising on security.
  • Simple & Free: No account creation is required to use the server.