MCP Server
PrimusSecurity.MCP is an ASP.NET minimal API that exposes Primus Security capabilities to AI agents via the Model Context Protocol. Once running, tools like Claude Desktop, VS Code Copilot, and Cursor can scan your code, generate remediation patches, explain rules, and check quality gates — all without leaving the AI conversation.
Start the server
cd tools/PrimusSecurity.MCP
dotnet run
# → Listening on http://localhost:5200
# → MCP manifest: http://localhost:5200/.well-known/mcp-manifest
Connect to Claude Desktop
In ~/.config/claude/claude_desktop_config.json (macOS/Linux) or %APPDATA%\Claude\claude_desktop_config.json (Windows):
{
"mcpServers": {
"primus-security": {
"url": "http://localhost:5200"
}
}
}
Restart Claude Desktop. The four tools below appear automatically.
Tools
list_findings
Runs a full Primus Security scan on a path and returns all findings.
Input:
{ "path": "/absolute/path/to/your/project" }
Output:
{
"totalFindings": 3,
"qualityGateStatus": "FAILED",
"findings": [
{
"ruleId": "PS-SEC-001",
"title": "SQL Injection",
"severity": "Critical",
"file": "Controllers/UserController.cs",
"line": 42,
"message": "User input flows directly into SQL command."
}
]
}
Example prompt:
"Scan my project at /Users/jane/myapp and tell me what security issues need fixing first."
get_patch
Generates a before/after remediation patch for a finding.
Input:
{
"ruleId": "PS-SEC-001",
"detectedSnippet": "var sql = \"SELECT * FROM Users WHERE id = '\" + userId + \"'\""
}
Output:
Patch for PS-SEC-001:
Title: Fix: SQL Injection
Explanation: User input is directly concatenated into SQL queries...
Confidence: 92%
--- Before ---
var sql = "SELECT * FROM Users WHERE id = '" + userId + "'";
db.Execute(sql);
+++ After ---
var sql = "SELECT * FROM Users WHERE id = @id";
using var cmd = new SqlCommand(sql, connection);
cmd.Parameters.AddWithValue("@id", userId);
db.Execute(cmd);
Example prompt:
"Generate a fix for the SQL injection on line 42 in UserController.cs"
explain_rule
Returns the full description, severity, and compliance mappings for a rule.
Input:
{ "ruleId": "PS-SEC-001" }
Output:
Rule: PS-SEC-001
Name: SQL Injection
Severity: Critical
Type: Vulnerability
OWASP: A03:2021 - Injection
CWE: CWE-89
What: User-controlled input is directly concatenated into SQL queries
Why: Attackers can manipulate the SQL statement to read or delete data
How to fix: Use parameterised queries or an ORM — never concatenate user input
Standards: OWASP Top 10, PCI-DSS 6.3.1, ISO 27001
Example prompt:
"Explain rule PS-SEC-004 and show me what it looks for."
check_quality_gate
Scans a path and evaluates the quality gate — returns pass/fail and reasons.
Input:
{ "path": "/absolute/path/to/your/project" }
Output:
Quality Gate: FAILED
Findings: 5 total (Critical: 2, High: 1)
Violations:
- Quality gate failed: 2 Critical vulnerabilities found (threshold: 0).
- Quality gate failed: 1 hardcoded secret(s) detected — zero tolerance enforced.
Example prompt:
"Would this code pass our security quality gate before I raise a PR?"
Configuration
The MCP server reads PrimusSecurity settings from appsettings.json:
{
"PrimusSecurity": {
"QualityGate": {
"MaxCritical": 0,
"MaxHigh": 0,
"MaxSecrets": 0,
"BlockOnNewSecrets": true
},
"LocalCveDatabase": "data/cve-database"
}
}
Security note
The MCP server exposes local scan capabilities only — it does not have access to external APIs or the internet. Run it on localhost only. Do not expose port 5200 publicly.
VS Code Copilot / Cursor
The same MCP URL works with any MCP-compatible AI client. In VS Code with the Copilot MCP extension, add the server URL in settings:
// .vscode/settings.json
{
"copilot.mcp.servers": {
"primus-security": {
"url": "http://localhost:5200"
}
}
}