Black Duck MCP
Black Duck MCP brings Signal's AI-powered security analysis directly into your development environment. It enables code scanning through leading coding assistants – including Claude, Gemini, Cursor, Copilot, and others – so you can detect security issues, receive actionable insights, and apply recommended fixes quickly and consistently.
Key Features & Benefits
- Changes Scan:
- Performs fast, incremental security scans focused only on the code changes introduced by the developer.
- Ideal for early-stage detection of issues as code is written
- File Scan:
- Runs a targeted security analysis on specific files or directories.
- Best suited for projects that do not use Git or for developers who want to analyze specific portions of the codebase
- Cross-Platform Support:
- Works on Windows, macOS, and Linux
Requirements
Getting started
Step 1: Add to your MCP client
Add the following configuration to your MCP client (using Claude user level config as example):
{
"mcpServers": {
"black-duck-signal": {
"command": "npx",
"args": ["-y", "@black-duck/mcp-server"],
"env": {
"BLACKDUCK_MCP_GATEWAY_KEY": "your-api-key-here"
}
}
}
}
Step 2: Your first scan
Use one of following prompts in your MCP client to get you started:
Scan my code changes for security vulnerabilities
Your MCP client should execute a security scan and report any vulnerabilities found on the code changes made. Requires that the project is git based to determine what files have changed.
Scan the changed files with respect to the main branch
Your MCP client should execute a security scan taking into account only code changes in the current branch vs the main branch and report any vulnerabilities found on the code changes made. Requires that the project is git based to determine what files have changed.
Scan all files under folder foobar for security vulnerabilities
Your MCP client should execute a security scan and report any vulnerabilities found.
Tools
| Tool | Parameters | Returns | Best Use Cases |
|---|
run_changes_security_scan | projectPath (required): Absolute path to git project
gitPatchMode (required):
• all-uncommitted: Scan staged + unstaged changes
• reference-branch: Scan changes since branching
referenceBranch (optional): Reference branch name (e.g., main)
scanEntireFileContent (optional): When true, scans entire content of changed files instead of just changed lines. Default: false | • sarifFilePath: Path to SARIF report
• status: success or failure
• resourceUris: MCP resource URIs
• issueCounts: Counts by severity
• analysisGuidance: Analysis steps | • Faster: Analyzes only changed code
• Focused: Shows issues from your changes
• Iterative: Perfect for dev workflows & CI/CD
• Efficient: Reduces scan cost and time |
run_security_scan | projectPath (required): Absolute path to project
filePaths (required): Array of file/directory absolute paths to scan | • sarifFilePath: Path to SARIF report
• status: success or failure
• resourceUris: MCP resource URIs
• issueCounts: Counts by severity
• analysisGuidance: Analysis steps | • Analyzing specific files/directories
• Focused security review of critical paths
• Quick checks during development
• Non-git projects |
Optional Configuration
The Black Duck Signal MCP server supports the following environment variables:
| Variable | Default | Description |
|---|
BLACKDUCK_MCP_GATEWAY_KEY | None (required) | API key for enhanced AI analysis |
BLACKDUCK_HOME | User's home directory | Override the default .blackduck folder location |
BLACKDUCK_MCP_TOOL_TIMEOUT | 1800000 (30 min) | Scan timeout in milliseconds |
BLACKDUCK_MCP_LOG_LEVEL | info | Log level: error, warn, info, or debug |
You can set these variables in your MCP client configuration:
{
"mcpServers": {
"black-duck": {
"command": "npx",
"args": ["-y", "@black-duck/mcp-server"],
"env": {
"BLACKDUCK_MCP_GATEWAY_KEY": "your-api-key-here",
"BLACKDUCK_MCP_LOG_LEVEL": "debug"
}
}
}
}
Logging and Troubleshooting
Log Location
All MCP logs are written to /Users/<username>/.blackduck/mcp/logs/ for linux/mac and C:\Users\<Username>\AppData\Roaming\BlackDuck\mcp\logs\ (customizable via BLACKDUCK_HOME):
black-duck-mcp.log - Combined log (all levels)black-duck-mcp-error.log - Error-only log
IP Allowlist
The following URLs and IP addresses must be accessible for the MCP server to function properly:
| URL | IP Address |
|---|
repo.blackduck.com | 34.149.5.115 |
llm.core.blackduck.com | 104.18.36.253 |
Ensure your firewall allows outbound HTTPS (port 443) connections to these endpoints
License
This project is licensed under the MIT License.
Resources
