Security Engineer Stack for VS Code
Configuration
{
  "servers": {
    "semgrep-mcp": {
      "type": "stdio",
      "command": "uvx",
      "args": [
        "semgrep-mcp"
      ]
    },
    "sonarqube-mcp": {
      "type": "stdio",
      "command": "docker",
      "args": [
        "run",
        "--init",
        "--pull=always",
        "-i",
        "--rm",
        "mcp/sonarqube"
      ],
      "env": {
        "SONARQUBE_TOKEN": "YOUR_SONARQUBE_TOKEN",
        "SONARQUBE_URL": "YOUR_SONARQUBE_URL",
        "SONARQUBE_ORG": "YOUR_SONARQUBE_ORG"
      }
    },
    "trivy-mcp": {
      "type": "stdio",
      "command": "trivy",
      "args": [
        "mcp"
      ]
    },
    "shodan-mcp": {
      "type": "stdio",
      "command": "npx",
      "args": [
        "-y",
        "@burtthecoder/mcp-shodan"
      ],
      "env": {
        "SHODAN_API_KEY": "YOUR_SHODAN_API_KEY"
      }
    },
    "virustotal-mcp": {
      "type": "stdio",
      "command": "npx",
      "args": [
        "-y",
        "@burtthecoder/mcp-virustotal"
      ],
      "env": {
        "VIRUSTOTAL_API_KEY": "YOUR_VIRUSTOTAL_API_KEY"
      }
    },
    "github-mcp": {
      "type": "stdio",
      "command": "npx",
      "args": [
        "-y",
        "@modelcontextprotocol/server-github"
      ],
      "env": {
        "GITHUB_PERSONAL_ACCESS_TOKEN": "YOUR_GITHUB_PERSONAL_ACCESS_TOKEN"
      }
    },
    "docker-mcp": {
      "type": "stdio",
      "command": "npx",
      "args": [
        "-y",
        "docker-mcp"
      ]
    }
  }
}
Where to save
Paste the config above into:
.vscode/settings.json → mcp section
Environment Variables
Replace the YOUR_ placeholders with your actual values.
SONARQUBE_TOKEN (required): SonarQube authentication token. Used by: SonarQube MCP.
SONARQUBE_URL: SonarQube Server URL (omit for SonarQube Cloud). Used by: SonarQube MCP.
SONARQUBE_ORG: SonarQube Cloud organization key. Used by: SonarQube MCP.
SHODAN_API_KEY (required): Shodan API key. Used by: Shodan MCP.
VIRUSTOTAL_API_KEY (required): VirusTotal API key. Used by: VirusTotal MCP.
GITHUB_PERSONAL_ACCESS_TOKEN (required): GitHub personal access token. Used by: GitHub MCP.
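A small validator for the settings block above, added here as an example (it is not part of the page or of any of the listed projects): it assumes the config sits under the "mcp" key of .vscode/settings.json as described, and flags YOUR_ placeholders that were never replaced and required variables that are missing, using the table above as its source of what is required.

```python
# Added example (not from the page or the listed projects): sanity-check the
# mcp.servers block of .vscode/settings.json before loading it into VS Code.
# Assumes the config sits under the "mcp" key, as the page says. REQUIRED
# mirrors the Environment Variables table above.
import json
import re

REQUIRED = {
    "sonarqube-mcp": {"SONARQUBE_TOKEN"},
    "shodan-mcp": {"SHODAN_API_KEY"},
    "virustotal-mcp": {"VIRUSTOTAL_API_KEY"},
    "github-mcp": {"GITHUB_PERSONAL_ACCESS_TOKEN"},
}
PLACEHOLDER = re.compile(r"^YOUR_[A-Z_]+$")  # template values left unreplaced


def check_mcp_settings(settings_text: str) -> list[str]:
    """Return the problems found in mcp.servers; an empty list means OK."""
    problems = []
    servers = json.loads(settings_text).get("mcp", {}).get("servers", {})
    if not servers:
        return ["no mcp.servers block found"]
    for name, spec in servers.items():
        # Every entry on this page is a stdio server: a command plus arg list.
        if spec.get("type") != "stdio":
            problems.append(f"{name}: unsupported type {spec.get('type')!r}")
        if not spec.get("command"):
            problems.append(f"{name}: missing command")
        if not isinstance(spec.get("args"), list):
            problems.append(f"{name}: args must be a list")
        env = spec.get("env", {})
        for key, value in env.items():
            if not isinstance(value, str) or PLACEHOLDER.match(value):
                problems.append(f"{name}: {key} still holds a placeholder")
        # Required variables that are absent from the env block entirely.
        for key in sorted(REQUIRED.get(name, set()) - set(env)):
            problems.append(f"{name}: required variable {key} is not set")
    return problems


# Constructed sample: semgrep needs no env, shodan still has the template
# value, github omits its token altogether.
SAMPLE = json.dumps({"mcp": {"servers": {
    "semgrep-mcp": {"type": "stdio", "command": "uvx", "args": ["semgrep-mcp"]},
    "shodan-mcp": {"type": "stdio", "command": "npx",
                   "args": ["-y", "@burtthecoder/mcp-shodan"],
                   "env": {"SHODAN_API_KEY": "YOUR_SHODAN_API_KEY"}},
    "github-mcp": {"type": "stdio", "command": "npx",
                   "args": ["-y", "@modelcontextprotocol/server-github"]},
}}})
```

Run it against the real file with `check_mcp_settings(open(".vscode/settings.json").read())`; an empty list means every server on this page is launchable and no template value is left in the env blocks.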
What’s in this stack
semgrep-mcp: Static analysis security scanning with custom rules, AST analysis, and multi-language vulnerability detection. Official Semgrep implementation.
Runs static analysis rules to catch security vulnerabilities and dangerous code patterns before they reach production.
sonarqube-mcp: Code quality analysis, security hotspot detection, and vulnerability tracking from SonarQube Cloud or Server. Official SonarSource implementation.
Provides continuous code quality and security scanning with detailed remediation guidance for your development team.
trivy-mcp: Container image scanning, filesystem vulnerability detection, and infrastructure misconfiguration analysis. Official Aqua Security implementation.
Scans container images and infrastructure configs for known CVEs and misconfigurations in your deployment pipeline.
shodan-mcp: Internet-connected device search, IP reconnaissance, CVE lookups, and DNS intelligence via the Shodan API.
Discovers exposed services and open ports across your external attack surface before adversaries do.
virustotal-mcp: Malware detection, file and URL analysis, IP and domain reputation checks, and threat relationship mapping via the VirusTotal API.
Analyzes suspicious files, URLs, and hashes against dozens of antivirus engines during incident investigation.
github-mcp: Access the GitHub API to manage repositories, issues, pull requests, branches, and workflows directly from your AI editor.
Reviews pull requests for security issues and manages security advisories across your organization's repositories.
docker-mcp: Manage Docker containers, images, volumes, and networks. Run, stop, inspect, and monitor containers from your AI editor.
Audits container configurations and base images to enforce security policies in your build pipeline.