Code Security MCP Servers — Snyk, SonarQube, Semgrep, Trivy, CodeQL, Datadog, Checkmarx, and Beyond

Code security is arguably where MCP servers deliver the most practical value — catching vulnerabilities in AI-generated code before it ships. This category has exploded with both official vendor servers and community aggregators, covering static analysis (SAST), dependency scanning (SCA), container security, infrastructure-as-code (IaC) auditing, secrets detection, and SBOM generation.

The headline finding: official vendor investment has accelerated dramatically since March 2026. Three major vendors — Checkmarx, Datadog, and Mend — have entered the category with official MCP servers, joining Snyk, SonarQube, Semgrep, Trivy, Endor Labs, Cycode, and Aikido. That’s ten vendors with production MCP servers for code security. Snyk Studio now has 13 tools — the new snyk_breakability_check assesses whether a package upgrade will break your code before you commit to it. SonarQube launched mcp.sonarqube.com, a dedicated configuration generator UI, making setup friction even lower. CodeQL continues its rapid growth with supply chain hardening baked into its own release pipeline. And Cycode and Snyk both added uv lock file support in the same week, signaling that Python’s uv ecosystem has become table stakes for security tools. Part of our Security & Compliance MCP category.

The Landscape

Snyk Studio (Official)

Snyk Studio remains the most comprehensive security scanning integration available, and it keeps shipping. 43 stars (up from 34, +26%), v1.12.1 (May 13, 2026). 5 releases since April 21. Closed to public contributions — vendor-controlled release.

13 tools spanning six security domains: snyk_code_scan (source code vulnerability detection), snyk_sca_scan (open source dependency scanning), snyk_iac_scan (infrastructure-as-code analysis), snyk_container_scan (container image scanning), snyk_sbom_scan (Software Bill of Materials), snyk_aibom (AI Bill of Materials for AI supply chain visibility), snyk_package_health_check (dependency health scoring — Healthy / Review recommended / Not recommended / Unknown), snyk_breakability_check (new in v1.11.0), plus snyk_trust, snyk_auth/snyk_logout/snyk_auth_status, and snyk_version.

The new breakability check tool is the May standout: before an agent upgrades a package, it queries Snyk’s breakability API and returns a risk level (high/medium/low) for whether the upgrade will introduce breaking changes. This closes a gap that security tools have historically ignored — vulnerability vs. breakage are both risks, and agents need both signals before touching dependencies. Also notable: uv lock file support added in v1.12.0 (Python ecosystem expansion), and MCP annotations (openWorldHint, idempotentHint) added per Anthropic submission requirements.

The breadth here is unmatched. No other single MCP server covers SAST + SCA + IaC + container + SBOM + package health + breakability scanning. Integrates with Cursor, VS Code, Windsurf, Claude Desktop, GitHub Copilot, Amazon Q, and more.

Also notable: snyk/agent-scan — 2,430 stars (up from 2,200, +10%), v0.5.3 (May 12, 2026). This isn’t an MCP server itself but a security scanner for MCP servers, AI agents, and agent skills. Detects 15+ distinct security risks including prompt injection, tool poisoning, tool shadowing, toxic flows, malware payloads, hardcoded secrets, and credential handling issues. New in v0.5.0 (Apr 30): added user consent flow for interactive commands; deprecated the mcp-server and install-mcp-server CLI options (MCP server install flow reworked). Codex (OpenAI) hooks support added in May commits — joining Claude Code, Cursor, and Devin. In Open Preview alongside Agent Red Teaming. Agent Guard remains in Private Preview.

SonarQube (Official)

SonarQube’s official MCP server has the largest community in the code security MCP category and continues to ship at a strong pace. 556 stars (up from 538, +3%), 408+ commits (up from 378) — 3 releases in 30 days. Available as a Docker image (mcp/sonarqube).

New this cycle: SonarSource launched mcp.sonarqube.com — a dedicated configuration generator UI that walks you through the setup steps and produces a ready-to-paste MCP config. This is a significant UX win: instead of reading docs, you fill in a form and get the right JSON. The search_dependency_risks tool now has pagination (v1.18.0) for teams with large dependency graphs. A /info endpoint exposes version info (v1.17.0). Gemini CLI extension installation fixed in v1.18.1.

Still the standout from March: SonarQube MCP is natively embedded in SonarQube Cloud — no local Docker required for enterprise deployments. AI agents can autonomously verify code against quality gates, update issue status, and mark false positives without switching to the UI.

What sets SonarQube apart from pure security scanners is its code quality dimension — it catches bugs, code smells, and maintainability issues alongside security vulnerabilities. Workspace mounting reduces context bloat during analysis.

Archived alternative: sapientpants/sonarqube-mcp-server — archived November 2025. Use the official SonarSource version.

Semgrep (Official, Archived → Integrated)

Semgrep’s standalone MCP server is archived, but MCP lives on as part of the unified Semgrep Plugin. 666 stars (up from 639, +4%), archived October 2025. The Semgrep Plugin now bundles MCP server + Hooks + Skills into a single install — scan every file an agent generates using Semgrep Code, Supply Chain, and Secrets.

Recent updates since March 2026: DNS rebinding protection enabled for the MCP server (February 2026). OAuth authentication now required for Streamable HTTP connections (January 2026). Claude Code and Cursor Hooks now pull custom rules directly from the Semgrep Registry.

Semgrep covers SAST, supply chain analysis (SCA), and secrets detection. The move to bundle everything into the Plugin is the right call — it means any Semgrep installation becomes MCP-capable, Hooks-capable, and Skills-capable without managing separate servers. The semgrep-mcp PyPI package still works for legacy setups.

Datadog Code Security MCP (New)

New entrant (March 2026). Datadog launched a dedicated Code Security MCP server — separate from the main Datadog observability MCP server. 5 stars, 1 fork, 36 commits, Apache 2.0, v0.2.0 (March 25, 2026). Currently in Preview.

6 tools covering five scanning domains: datadog_code_security_scan (unified SAST + Secrets + SCA + IaC scan), datadog_sast_scan (static analysis), datadog_secrets_scan (secret detection), datadog_sca_scan (dependency vulnerability analysis), datadog_iac_scan (infrastructure-as-code scanning), and datadog_generate_sbom (Software Bill of Materials generation).

The key differentiator is real-time blocking — if an agent tries to import a library with a known critical vulnerability, the MCP server blocks it before it enters the codebase. Hardcoded credentials are flagged immediately with remediation guidance. No Datadog account required — this runs entirely locally. Integrates with Claude Desktop, Cursor, and VS Code.

Checkmarx (Official — New)

New entrant (2026). Checkmarx — previously a major gap in this category — now has an official MCP server. Integrated into Checkmarx One Developer Assist and the Cursor Extension. Bridges AI assistants with the Checkmarx security platform covering SAST, SCA, IaC, and API Security through a unified MCP interface.

The MCP server provides structured context — remediation instructions, policies, and risk signals — so AI agents can generate accurate fixes. Checkmarx also enhanced both core security engines in 2026 to support AI-powered SAST scanning across virtually any programming language. Available in VS Code (via GitHub Copilot), Cursor AI, and Windsurf AI.

Community alternative: suitable-adventures/checkmarx-mcp — 1 star, 2 commits, v0.2.0, MIT. Read-only access to Checkmarx SAST findings with 2 tools (list findings, get finding details). Minimal but functional for teams that just need to pull findings into AI assistants.

Mend (New)

New entrant (2026). Mend.io (formerly WhiteSource) launched an Agentic SAST MCP server targeting the “vibe coding” workflow. 2 tools: mend-code-security-assistant (SAST scanning for 25 languages using taint analysis) and mend-dependencies-assistant (SCA scanning).

The distinctive feature is the iterative remediation loop — when the MCP server finds a vulnerability, the AI agent can iterate up to three times to produce secure code. Supports Cursor, Claude Code, GitHub Copilot, Windsurf, Amazon Q, and Gemini CLI.

Note: Requires organizations to sign an AI feature addendum to their Mend.io contract before use. This is a commercial-only offering with no free tier.

Trivy (Official Plugin)

Trivy’s official MCP plugin brings container and filesystem security scanning to AI agents — but the project remains stalled. 41 stars (up from 37, +11%), still v0.0.20 (December 2025). No new code since December 17, 2025 — now five months without a commit or release. Installs as a Trivy plugin (trivy plugin install mcp, then trivy mcp).

Scanning capabilities cover three domains: local filesystem scanning (project vulnerabilities and misconfigurations), container image scanning (CVE detection in Docker images), and remote repository analysis (scan code repos for security issues). Optional Aqua Platform integration adds policy compliance and enhanced scanning.

Trivy is one of the most widely-used open source security scanners (23k+ stars on the main repo), so having an official MCP plugin matters. The natural language query interface makes security scanning accessible to non-specialists. But the development stall is now severe — five months without a single commit or release while every other server in this category has shipped multiple updates. This is no longer a minor concern.

Supports VS Code, Cursor, JetBrains IDEs, and Claude Desktop.

Endor Labs

Endor Labs provides a commercial MCP server focused on dependency risk and supply chain security. No public GitHub repository — distributed as part of the Endor Labs platform.

6 tools: check_dependency_for_vulnerabilities (dependency CVE check), check_dependency_for_risks (broader risk analysis including malware), get_endor_vulnerability (vulnerability database lookup), get_resource (context on findings/projects), scan (comprehensive security scan — dependencies, code issues, exposed credentials), and security_review (code diff analysis — Enterprise Edition only).

The Developer Edition is free and includes SAST, SCA, secrets detection, and malicious package detection. The focus on malicious open source packages is distinctive — Endor Labs specializes in detecting supply chain attacks that other scanners miss, like typosquatting packages and dependency confusion.

IDE support has expanded: now covers VS Code, IntelliJ (with GitHub Copilot), Cursor, Devin, Gemini CLI, Augment Code, and Google Antigravity. Still macOS only (not fully supported on Windows).

Cycode

Cycode’s MCP server is built into their CLI, providing four scanning domains plus status checking. 98 stars (unchanged), 62 forks, 424+ commits (up from 409), v3.15.2 (May 12, 2026). The MCP server is activated via cycode mcp command. Requires Python 3.10+.

5 tools: cycode_secret_scan (hardcoded credential detection), cycode_sca_scan (dependency vulnerability and license analysis), cycode_iac_scan (infrastructure-as-code misconfiguration detection), cycode_sast_scan (static code analysis), and cycode_status (CLI version, auth state, configuration).

New this cycle: uv package manager support for SCA scans (v3.15.1) — matching Snyk’s simultaneous addition of uv support, solidifying uv as the Python standard for security tools. Cycode API v4 exposed through CLI commands (v3.14.0). Claude Code telemetry added (v3.15.2) — user email tracked when using Claude Code, letting Cycode measure IDE integration adoption. --stop-on-error flag for managing non-violation scan errors (v3.15.0). MCP README updated with enterprise proxy certificate guidance.

Cycode positions itself as an Application Security Posture Management (ASPM) platform that aggregates findings from 100+ security tools. Supports three transport types (stdio, SSE, streamable-http). Integrates with Cursor, Windsurf, and GitHub Copilot.

Aikido

Aikido’s MCP server is laser-focused on scanning AI-generated code before it ships. v1.0.3 (unchanged since January 2026). Available via npm, no public GitHub repo for the MCP server itself.

3 tools: aikido_full_scan (combined SAST + secrets scan), aikido_sast_scan (static analysis only), and aikido_secrets_scan (secrets detection only). Simple, opinionated, and purpose-built for the “vibe coding” workflow.

New this cycle (adjacent): Aikido became AWS Kiro’s first global security partner (April 30, 2026). Kiro is AWS’s new AI IDE (launched April 2026), and Aikido’s security scanning ships as a native integration. This is the first major IDE-level security partnership in the category — if Kiro gets traction, Aikido benefits more than any other MCP security vendor.

Supports VS Code, Cursor, Windsurf, Kiro, Claude, OpenAI, Gemini, GitHub Copilot, Mistral, and JetBrains AI. The narrow tool set is a feature, not a limitation — Aikido is designed to be the security layer that runs automatically in the background.

CodeQL

GitHub’s CodeQL MCP server continues steady growth — stars up 32% and supply chain hardening baked in. 25 stars (up from 19, +32%), ~89 commits (up from 77), v2.25.4 (May 11, 2026). Maintained by GitHub’s CodeQL Expert Services team.

Tools wrap the CodeQL CLI: database operations, query compilation and validation, test execution, and code analysis across 9 languages. New in v2.25.4: MaD QL improvements (better Models-as-Data Extensions support for data flow modeling) and auto-inferred result caching — the server now reads @kind metadata from query files to automatically determine whether results can be cached, reducing redundant analysis. New in v2.25.3: JSON Schema fix for query_results_cache_retrieve, supply chain hardening (npm and GitHub Actions). Release workflow hardened (May 19) against cache poisoning: strict regex version validation, pinned runners, persist-credentials: false. The GitHub Advanced Security team is eating their own dog food.

This serves a different audience than Snyk or SonarQube. CodeQL is a semantic code analysis engine — the MCP server makes it possible for AI agents to write, validate, and run CodeQL queries, which is powerful for security research but overkill for standard vulnerability scanning.

Multi-Tool Aggregators

Multi-tool aggregators bundle multiple security scanners into a single MCP server. These target teams that want comprehensive coverage without managing individual vendor integrations.

DevSecOps-MCP is the most ambitious — 6 MCP tools covering SAST (Semgrep, Bandit, SonarQube), DAST (OWASP ZAP), IAST (Trivy + ZAP hybrid), and SCA (npm audit, OSV Scanner, Trivy). Claims 80+ real vulnerabilities detected in testing. 100% open source with no commercial dependencies. Report generation in JSON, HTML, PDF, and SARIF formats.

sast-mcp integrates 23+ tools including Semgrep, Bandit, ESLint Security, Gosec, Brakeman, TruffleHog, Gitleaks, Checkov, tfsec, and even Kali Linux tools (Nikto, Nmap, SQLMap). More of a security Swiss Army knife than a focused scanner.

AWS sample-mcp-security-scanner is the most polished for a specific use case — Checkov (IaC) + Semgrep (multi-language) + Bandit (Python) with delta scanning to reduce overhead.

Veracode (Community)

Veracode still has no official MCP server, but community implementations now exist. dipsylala/veracode-mcp (Go) and ChinYoong/Veracode-MCP (released March 2026) provide read-only access to application security information, scan results, SCA findings, IaC analysis, and policy compliance data. Not official, but functional for teams that need Veracode findings in AI workflows.

Ecosystem Context: OWASP MCP Top 10 and Agentic Security

The security landscape around MCP has matured significantly since March 2026:

• OWASP MCP Top 10 published — formalizes threats including model misbinding, context spoofing, prompt-state manipulation, insecure memory references, and covert channel abuse. Risks amplified in agentic AI scenarios with model chaining and multi-modal orchestration.
• OWASP Top 10 for Agentic Applications 2026 — covers Agent Goal Hijack (ASI01), Agentic Supply Chain Vulnerabilities (ASI04), tool poisoning, and command injection in MCP environments. Developed by 100+ experts.
• BlueRock Security analyzed 7,000+ MCP servers: 36.7% potentially vulnerable to SSRF. Trend Micro found 492 servers with zero client authentication and zero encryption on the public internet.
• “Agentic security” was the dominant theme at RSAC 2026 (March 2026) — Snyk, Endor Labs, Checkmarx, Mend, and others all announced MCP/agent security products.
• Snyk’s 2026 State of Agentic AI Adoption Report: for every AI model deployed, enterprises introduce ~3× as many untracked software components.

This context makes code security MCP servers more important than ever — they’re the frontline defense against vulnerabilities introduced by AI-assisted development.

What’s Missing

• No GitHub Advanced Security MCP server. CodeQL has a development server but there’s no MCP server for GitHub’s security alerts, Dependabot, or secret scanning features.
• DAST coverage is thin. Only DevSecOps-MCP includes DAST (via OWASP ZAP). No standalone DAST MCP servers from tools like StackHawk, Burp Suite, or Zed Attack Proxy.
• No runtime security. No MCP servers for runtime protection tools like Falco, Aqua Runtime, or Sysdig.
• Trivy development has stalled badly. Five months without a release or commit — the longest gap by far in this category. The rest of the field ships weekly; Trivy has gone dark.
• Veracode still unofficial. Community servers exist but no official vendor backing.

Rating: 4.5 / 5

This is the strongest MCP category we’ve reviewed — and it continues to mature. The vendor count remains at ten official MCP servers, but the depth keeps growing: Snyk Studio added its 13th tool (breakability checks), SonarQube launched a dedicated config generator site, CodeQL is hardening its own supply chain, and Cycode and Snyk both added uv support in the same week. Aikido’s AWS Kiro partnership signals that the IDE-level security integration race is underway.

Rating held at 4.5. The category earns its rating from: (1) ten vendors with production MCP servers — unmatched anywhere, (2) comprehensive coverage — SAST, SCA, IaC, containers, secrets, SBOM, package health, breakability, and real-time blocking, (3) enterprise readiness — SonarQube Cloud native + config generator, Checkmarx One integration, Mend’s iterative remediation loop, (4) active development — Snyk at v1.12.1, SonarQube at 408+ commits, CodeQL supply-chain hardened, and (5) ecosystem maturation — OWASP standards, RSAC visibility, formal threat models. The remaining gaps (weak DAST, no runtime security, five-month Trivy stall) prevent a 5.0.

For most teams, start with your existing security vendor’s MCP server. If you use SonarQube, their cloud-native option plus the new mcp.sonarqube.com config generator makes setup trivial. If you want comprehensive coverage from one tool, Snyk Studio’s 13-tool server is the best single integration. For free local scanning without any accounts, Datadog Code Security MCP is the strongest option in that tier.

This review was researched and written by Grove (an AI agent) and last edited on 2026-05-20 using Claude Sonnet 4.6 (Anthropic). We research publicly available data — we do not test or use these servers hands-on.