Skip to main content

Conviso MCP Server

img

Introduction

The Conviso MCP Server is a connector that exposes Conviso Platform data and actions to an LLM through the Model Context Protocol (MCP). MCP lets external services register named capabilities (tools) so an MCP-compatible client — Claude Desktop, Claude Code CLI, Cursor, or any other — can ask the model to fetch live, authoritative security context and perform operations, instead of relying on cached knowledge.

The server ships 42 tools in two families:

  • Read tools (31) — list and inspect companies, projects, assets, vulnerabilities, tickets, requirements, applications, scan histories, SBOM / supply-chain components, AI-Pentest artifacts and executions, threat-model artifacts, plus security metrics and deep links.
  • Write tools (11) — a generic, allowlisted mutation engine (list_mutationsdescribe_mutationexecute_mutation) plus curated shortcuts for the most common writes (change issue status, create vulnerabilities / projects / assets / tickets, run DAST, trigger an AI-Pentest).

Everything the server can do is bounded by the Conviso Platform API Key you provide — the data returned and the operations allowed match that key's permissions.

Quick install

Pick your client below and add the server, supplying your API key as CONVISO_API_KEY. Most examples run the published package with npx — no clone or build required. The write tools ship in all Node-based setups; only the Python edition (last tab) is read-only.

Read and write. The server acts only within the permissions of the API key you provide.

Register the server once and it's available in every project:

claude mcp add -s user -e CONVISO_API_KEY=<your_api_key> conviso-mcp -- npx -y @convisoappsec/mcp

Check it with claude mcp list (or run /mcp inside a session). Swap -s user for -s project to scope it to the current repo (.mcp.json).

Restart or reload your client after adding the entry. The tabs use the stdio transport; for Claude Cowork/Projects or remote hosting, use HTTP (Connector) mode below.


What you can do

DomainReadWrite
CompaniesList, inspect (plan, integrations, branding)
Vulnerabilities / IssuesList (rich filters), full technical detail, severity overview, per-asset and per-project viewsChange status, create/update (source-code, web, network), reassign, mark analyzed, bulk status, bulk delete
ProjectsList (filters), inspectCreate, update, change status, bulk status, bulk delete
AssetsList (filters), inspectCreate, update, run Conviso DAST
TicketsList, inspectCreate
Requirements / ChecklistsList by scope, inspect, list per projectCreate/update, attach to projects
ApplicationsList, inspect (with linked assets)Create, update, add/remove assets
ScansExecution history, coverage counts(read-only)
Supply chain / SBOMList components (license, versions, issues by severity)(read-only)
AI-PentestList artifacts, inspect scope & executions, execution resultsCreate/update artifact, trigger execution, cancel, retest
Threat ModelingList artifacts, inspect versionsCreate artifact/version, update, generate requirements
Metrics & linksMTTR over time, risk-score history, deep links, today's date

Tools reference

Read tools

DomainToolDescription
Generalget_companiesList companies accessible with the API key (search = name contains, label_eq = exact match).
Generalget_company_infoCompany detail: plan, integrations, branding metadata.
Vulnerabilitiesget_issuesList vulnerabilities for a company with rich filtering and sorting.
Vulnerabilitiesget_issueFull technical detail for one issue; optional vulnerable code snippet and raw HTTP request/response.
Vulnerabilitiesget_issues_by_asset_idSame filter set, scoped to a single asset.
Vulnerabilitiesget_issues_by_project_idSame filter set, scoped to a single project.
Vulnerabilitiesget_top_vulnerabilitiesCounts grouped by severity (risk overview), with optional filters.
Projectsget_projectsList security projects for a company, with filters and sorting.
Projectsget_projectMetadata for a specific project.
Assetsget_assetsList assets for a company, with rich filtering and sorting.
Assetsget_assetDetail for a specific asset.
Ticketsget_ticketsList tickets (paginated) with search and TicketSearch params.
Ticketsget_ticketOne ticket: status, priority, impact, assignee.
Requirementsget_requirementsList requirements/checklists for a scope (company).
Requirementsget_requirementOne requirement/checklist by id.
Requirementsget_project_requirementsRequirements attached to a specific project.
Applicationsget_applicationsList applications (name, url, riskScore, assetsCount).
Applicationsget_applicationOne application, including its linked assets.
Scansget_scan_historiesScan executions (status, integration, duration, vuln counts).
Scansget_asset_scans_countScan-coverage counts (assets with / without scans).
Supply chainget_sbom_componentsSBOM components: version, technology, package manager, license, issues by severity.
AI-Pentestget_pentest_artifactsList AI-Pentest artifacts (label, type, scheduling, latest execution).
AI-Pentestget_pentest_artifactOne artifact, including scope and its executions.
AI-Pentestget_pentest_executionExecution result: status, vuln count, severity breakdown, retest progress.
Threat Modelingget_threat_model_artifactsList threat-model artifacts (label, scope, latest version).
Threat Modelingget_threat_model_artifactOne artifact, including its versions (diagrams, notes, scope).
Metricsget_mttr_over_timeMTTR aggregated over a date range; severity/status/asset filters.
Metricsget_overall_risk_score_historyHistorical risk scores for trend analysis.
Utilitiescreate_project_urlDeep link to a project in the Platform.
Utilitiescreate_issue_urlDeep link to a specific issue.
Utilitiesget_today_dateCurrent date — useful to compute relative ranges ("last 30 days").

Write tools

GroupToolDescription
Enginelist_mutationsDiscover the permitted write operations (name, description, category, destructive flag).
Enginedescribe_mutationFull input schema for one mutation (fields, required, enums, nested inputs) + default return fields.
Engineexecute_mutationRun any allowlisted mutation by name with a generic input object.
Shortcutchange_issue_statusChange an issue/vulnerability status.
Shortcutcreate_source_code_vulnerabilityCreate a manual source-code (SAST-style) vulnerability on an asset.
Shortcutcreate_projectCreate a project.
Shortcutcreate_assetCreate an asset.
Shortcutcreate_ticketOpen a ticket.
Shortcutrun_dastStart a Conviso DAST scan on an asset.
Shortcuttrigger_pentestTrigger an AI-Pentest execution from an existing artifact.
Shortcutcreate_pentest_artifactCreate an AI-Pentest artifact (the scope/config a pentest runs against).

Prerequisites

  • Conviso Platform API Key — create it under Profile > API Keys.
  • An MCP-compatible client: Claude Desktop, Claude Code CLI, Cursor, or any client supporting stdio/HTTP MCP servers.
  • Node.js 20.10+ (for the Node edition / write tools) or Docker. The Python edition (read-only) needs Python 3.10+.

Generate the key in the Conviso Platform under Profile > API Keys and copy it — you'll pass it to the server as the CONVISO_API_KEY value in the steps below.

Create a Conviso API Key under Profile &gt; API Keys

Security recommendation

Create a dedicated API key for the MCP server and set an expiration date. Grant it only the permissions the workflow needs, and never commit it to version control.

Tips for better prompts

  • Provide the company ID once you know it — it unlocks most tools. If you don't have it, start with "List my companies".
  • Ask for links at the end of any vulnerability or project query — the model calls create_issue_url / create_project_url as a follow-up.
  • Combine context — the AI keeps conversation context, so "now get the details for the first one" works after a list.
  • Request formats — ask for tables, bullet lists, or raw JSON ("format as a markdown table", "give me just the IDs").

Security and privacy

  • The server operates strictly within the permissions of the provided API Key — for both reads and writes.
  • Writes are allowlisted. Only the operations listed above are reachable; destructive ones (delete / bulk / cancel / remove) are flagged so the client prompts for confirmation.
  • get_issue with return_vulnerable_data=true may return exploit code, raw HTTP requests/responses, or secrets — use with care.
  • Create a dedicated key with an expiration date; do not reuse a personal API key, and scope it to the minimum permissions needed.
  • Keep the API key out of version control — use environment variables or a secrets manager.

Privacy Policy

This connector communicates only with the Conviso Platform API (https://app.convisoappsec.com) using the API key you provide. It does not collect, store, or share your data with any third party — requests and responses stay between your MCP client and the Conviso Platform. Error logs go to stderr only.

Full privacy policy: iubenda.com/privacy-policy/55589285

Open source

The Conviso MCP Server is open source at github.com/convisoappsec/conviso-mcp. Contributions are welcome — bug reports, new tools, and improvements. See the repository's CONTRIBUTING.md to get started.

See also

  • Conviso Skills — reusable operational playbooks for bulk actions (vulnerability triage, owner assignment, asset risk normalization) via conviso-cli, with preview-first safety controls.

Support

If you need help, contact Conviso support: support@convisoappsec.com.

Discover Conviso Platform!

Contribute to the Docs

Found something outdated or missing? Help us improve the documentation with a quick suggestion or edit.

How to contribute

Resources

By exploring our content, you'll find resources that will enhance your understanding of the importance of a Security Application Program.

Conviso Blog: Explore our blog, which offers a collection of articles and posts covering a wide range of AppSec topics. The content on the blog is primarily in English.

Conviso's YouTube Channel: Access a wealth of informative videos covering various topics related to AppSec. Please note that the content is primarily in Portuguese.