StackMCP

Cybersecurity Stack for Windsurf

Advanced | 5 servers | 20.0K tokens

Configuration

{
  "mcpServers": {
    "semgrep-mcp": {
      "command": "uvx",
      "args": [
        "semgrep-mcp"
      ]
    },
    "sonarqube-mcp": {
      "command": "docker",
      "args": [
        "run",
        "--init",
        "--pull=always",
        "-i",
        "--rm",
        "mcp/sonarqube"
      ],
      "env": {
        "SONARQUBE_TOKEN": "YOUR_SONARQUBE_TOKEN",
        "SONARQUBE_URL": "YOUR_SONARQUBE_URL",
        "SONARQUBE_ORG": "YOUR_SONARQUBE_ORG"
      }
    },
    "trivy-mcp": {
      "command": "trivy",
      "args": [
        "mcp"
      ]
    },
    "shodan-mcp": {
      "command": "npx",
      "args": [
        "-y",
        "@burtthecoder/mcp-shodan"
      ],
      "env": {
        "SHODAN_API_KEY": "YOUR_SHODAN_API_KEY"
      }
    },
    "virustotal-mcp": {
      "command": "npx",
      "args": [
        "-y",
        "@burtthecoder/mcp-virustotal"
      ],
      "env": {
        "VIRUSTOTAL_API_KEY": "YOUR_VIRUSTOTAL_API_KEY"
      }
    }
  }
}

Where to save

Paste the config above into:

~/.codeium/windsurf/mcp_config.json

Environment Variables

Replace the YOUR_ placeholders with your actual values.

SONARQUBE_TOKEN (required)

SonarQube authentication token

Used by: SonarQube MCP

SONARQUBE_URL

SonarQube Server URL (omit for SonarQube Cloud)

Used by: SonarQube MCP

SONARQUBE_ORG

SonarQube Cloud organization key

Used by: SonarQube MCP

SHODAN_API_KEY (required)

Shodan API key

Used by: Shodan MCP

VIRUSTOTAL_API_KEY (required)

VirusTotal API key

Used by: VirusTotal MCP
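Before handing the file to Windsurf, it is worth checking it mechanically. The script below is an added example, not part of the StackMCP page or any of the listed projects: it parses an mcp_config.json, reports every YOUR_ placeholder that was left in place, and reports any required variable from the list above that is missing. The server names, the required variables and the "omit SONARQUBE_URL for SonarQube Cloud" rule are taken from this page; the config embedded in the script is a constructed sample, and the default path is only an assumption matching the "Where to save" section. Because the finished file holds live API tokens, keep it out of version control.

```python
import json
from pathlib import Path

# Required variables per server, as listed in this stack's "Environment Variables" section.
REQUIRED_ENV = {
    "sonarqube-mcp": ["SONARQUBE_TOKEN"],
    "shodan-mcp": ["SHODAN_API_KEY"],
    "virustotal-mcp": ["VIRUSTOTAL_API_KEY"],
}

# Variables that are optional and, per the page, should be removed rather than filled in some setups.
OPTIONAL_HINTS = {
    "SONARQUBE_URL": "fill in your SonarQube Server URL, or remove the key for SonarQube Cloud",
}

PLACEHOLDER_PREFIX = "YOUR_"
DEFAULT_PATH = Path.home() / ".codeium" / "windsurf" / "mcp_config.json"  # assumption: Windsurf's config location

# Constructed sample: the stack config after a partial edit (two placeholders left, one env block emptied).
SAMPLE_CONFIG = json.dumps({
    "mcpServers": {
        "semgrep-mcp": {"command": "uvx", "args": ["semgrep-mcp"]},
        "sonarqube-mcp": {
            "command": "docker",
            "args": ["run", "--init", "--pull=always", "-i", "--rm", "mcp/sonarqube"],
            "env": {
                "SONARQUBE_TOKEN": "sqp_constructed_sample_token",
                "SONARQUBE_URL": "YOUR_SONARQUBE_URL",
                "SONARQUBE_ORG": "constructed-org",
            },
        },
        "trivy-mcp": {"command": "trivy", "args": ["mcp"]},
        "shodan-mcp": {
            "command": "npx",
            "args": ["-y", "@burtthecoder/mcp-shodan"],
            "env": {"SHODAN_API_KEY": "YOUR_SHODAN_API_KEY"},
        },
        "virustotal-mcp": {
            "command": "npx",
            "args": ["-y", "@burtthecoder/mcp-virustotal"],
            "env": {},
        },
    }
})


def audit_config(text: str) -> dict[str, list[str]]:
    """Return {server_name: [problem, ...]} for every server that is not ready to run.

    A server is not ready if any env value still starts with YOUR_, or if a variable
    this page marks as required is absent or empty. Servers with no problems are omitted.
    """
    config = json.loads(text)
    problems: dict[str, list[str]] = {}
    for name, server in config.get("mcpServers", {}).items():
        env = server.get("env") or {}
        issues = []
        # 1. Unreplaced placeholders in any env value.
        for var, value in env.items():
            if isinstance(value, str) and value.startswith(PLACEHOLDER_PREFIX):
                hint = OPTIONAL_HINTS.get(var, "replace with your real value")
                issues.append(f"{var} is still the placeholder {value!r}: {hint}")
        # 2. Required variables that are missing or empty (placeholders were already reported above).
        for var in REQUIRED_ENV.get(name, []):
            if not env.get(var):
                issues.append(f"{var} is required for {name} but is missing or empty")
        if issues:
            problems[name] = issues
    return problems


def is_ready(text: str) -> bool:
    """True when no server has placeholders left or required variables missing."""
    return not audit_config(text)


def audit_file(path: Path = DEFAULT_PATH) -> dict[str, list[str]]:
    """Audit an on-disk config; convenience wrapper around audit_config."""
    return audit_config(path.read_text(encoding="utf-8"))


if __name__ == "__main__":
    # Run against the constructed sample so the script works offline; swap in audit_file() for a real config.
    for server, issues in audit_config(SAMPLE_CONFIG).items():
        for issue in issues:
            print(f"{server}: {issue}")
```

The two checks are kept separate on purpose: a placeholder that is still present is a different mistake from a required key that was deleted, and the message for SONARQUBE_URL reminds SonarQube Cloud users that the right fix is to remove the key, not to fill it in.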

What’s in this stack

Semgrep MCP

Static analysis security scanning with custom rules, AST analysis, and multi-language vulnerability detection. Official Semgrep implementation.

Your first line of defense. Scan code for vulnerabilities with 2,000+ built-in rules or write custom ones. Catches SQL injection, XSS, and hardcoded secrets before they ship.

SonarQube MCP

Code quality analysis, security hotspot detection, and vulnerability tracking from SonarQube Cloud or Server. Official SonarSource implementation.

Continuous code quality and security analysis. Track security hotspots, review vulnerability trends, and enforce quality gates across your projects.

Trivy MCP (5 tools)

Container image scanning, filesystem vulnerability detection, and infrastructure misconfiguration analysis. Official Aqua Security implementation.

Scan container images and filesystems for CVEs before deployment. Catches vulnerable dependencies in Docker images and IaC misconfigurations in Terraform/CloudFormation.

Shodan MCP (7 tools)

Internet-connected device search, IP reconnaissance, CVE lookups, and DNS intelligence via the Shodan API.

Reconnaissance and attack surface monitoring. Look up exposed services, check IP reputation, and search for CVEs affecting your infrastructure.

VirusTotal MCP

Malware detection, file and URL analysis, IP and domain reputation checks, and threat relationship mapping via the VirusTotal API.

Analyze suspicious files, URLs, IPs, and domains against 70+ antivirus engines. Map threat relationships to understand attack vectors and indicators of compromise.
