Security teams invest significant time building threat intelligence feeds, vulnerability scanners, and policy engines, only to see developers overlook them due to separate dashboards and context-switching. Your security tools should integrate seamlessly into the environments where developers work: their IDE, CLI, and CI/CD pipeline.
This template provides a configuration for embedding security intelligence directly into developer workflows using Model Context Protocols (MCPs). MCPs create machine-readable security context that AI coding assistants and development tools can use without requiring developers to leave their environment.
Purpose of the Template
This MCP configuration template connects your security intelligence sources—vulnerability databases, policy rules, dependency risk scores, and compliance requirements—to the tools developers use daily. Instead of requiring developers to check a separate security dashboard, this approach surfaces relevant security context during key decision points: code review, dependency selection, or architecture design.
The template covers three integration points:
- Component risk intelligence: Real-time vulnerability and license data for dependencies
- Policy enforcement: Automated checks against your security and compliance rules
- Threat context: Relevant security advisories and attack patterns
Prerequisites
Before implementing this template, ensure you have:
- A centralized dependency inventory (SBOM repository or artifact registry with metadata)
- Defined security policies in a machine-readable format (JSON, YAML, or OPA Rego)
- Access to at least one threat intelligence source (NVD, GitHub Security Advisories, or commercial feed)
- Development teams using AI-assisted coding tools or IDEs that support MCP (Cursor, Cody, or similar)
- CI/CD pipeline with policy enforcement capabilities
You don't need all intelligence sources configured initially. Start with dependency vulnerability data and expand from there.
The Configuration Template
# mcp-security-context.yaml
# Model Context Protocol configuration for developer security intelligence
version: "1.0"
name: "security-intelligence-context"
description: "Provides security context for development decisions"
sources:
# Dependency vulnerability and risk intelligence
- name: "component-risk"
type: "dependency-intelligence"
provider: "your-sbom-platform"
endpoint: "${SBOM_API_URL}/api/v1/components"
authentication:
type: "bearer"
token: "${SBOM_API_TOKEN}"
cache_ttl: 3600
fields:
- vulnerability_count
- risk_score
- license_compliance
- known_malicious
- maintainer_reputation
# Security policy rules
- name: "security-policies"
type: "policy-engine"
provider: "internal"
endpoint: "${POLICY_ENGINE_URL}/api/policies"
authentication:
type: "api-key"
key: "${POLICY_API_KEY}"
cache_ttl: 7200
policies:
- dependency_approval
- cryptography_standards
- data_handling
- authentication_requirements
# Active threat intelligence
- name: "threat-advisories"
type: "threat-feed"
provider: "multi-source"
sources:
- name: "nvd"
url: "https://services.nvd.nist.gov/rest/json/cves/2.0"
rate_limit: 5_per_30s
- name: "github-advisories"
url: "https://api.github.com/advisories"
token: "${GITHUB_TOKEN}"
cache_ttl: 1800
filters:
severity: ["HIGH", "CRITICAL"]
ecosystem: ["npm", "pypi", "maven", "go"]
context_rules:
# When to surface component risk data
- trigger: "dependency_add"
action: "fetch_component_risk"
context_window: "immediate"
include_fields: ["vulnerability_count", "risk_score", "license_compliance"]
- trigger: "dependency_update"
action: "compare_risk_delta"
context_window: "immediate"
include_fields: ["vulnerability_count", "risk_score", "known_malicious"]
# When to check policies
- trigger: "code_completion"
action: "check_policies"
context_window: "on_demand"
patterns:
- "crypto.*"
- "password|secret|key"
- "jwt|session|auth"
# When to surface threat context
- trigger: "vulnerability_detected"
action: "fetch_threat_context"
context_window: "immediate"
include_fields: ["exploit_available", "attack_complexity", "mitigation_steps"]
output_format:
style: "conversational"
max_length: 500
include_citations: true
action_items: true
integration:
# IDE integration
ide_plugins:
- "cursor"
- "vscode-copilot"
- "jetbrains-ai"
# CLI integration
cli_tools:
- command: "security-check"
context: ["component-risk", "security-policies"]
- command: "dependency-add"
context: ["component-risk", "threat-advisories"]
# CI/CD integration
pipeline_stages:
- stage: "dependency-scan"
context: ["component-risk", "security-policies"]
blocking: true
- stage: "security-review"
context: ["threat-advisories", "security-policies"]
blocking: false
notification_rules:
# When to alert developers directly
- condition: "critical_vulnerability_in_dependency"
channel: "ide_notification"
severity: "error"
- condition: "policy_violation"
channel: "ide_warning"
severity: "warning"
- condition: "new_threat_advisory_for_dependency"
channel: "slack"
severity: "info"
How to Customize It
Start with one source: Begin with component risk data from your existing SBOM or dependency scanning tool. Add policy enforcement once developers trust the first integration.
Adjust trigger sensitivity: The context_rules section controls when security context appears. If developers report too many interruptions, increase cache_ttl values or change context_window from "immediate" to "on_demand" for lower-priority checks.
Tune output verbosity: Set max_length based on your team's preference. Developers using AI chat interfaces prefer longer, detailed responses (500+ tokens). Those using inline suggestions need concise output (150-200 tokens).
Configure blocking vs. advisory: In pipeline_stages, set blocking: true only for checks that should fail builds. Use blocking: false for intelligence that informs decisions but shouldn't stop deployment.
Customize policy patterns: Under context_rules.patterns, add regex patterns that match your organization's sensitive operations. Common additions: database connection strings, API endpoint definitions, file upload handlers.
Validation Steps
Test context retrieval: Run a dependency add command and verify that risk data appears within 2 seconds. If it takes longer, reduce cache_ttl or check API rate limits.
Verify policy enforcement: Attempt to add a dependency that violates your policies (wrong license, known vulnerability). The system should surface a warning before the dependency is committed.
Check threat feed accuracy: Review the last 10 threat advisories surfaced to developers. If more than 30% are irrelevant (wrong ecosystem, already patched), tighten your filters configuration.
Measure developer adoption: Track how often developers interact with security context vs. dismissing it. Aim for >60% engagement rate. Below 40% suggests the context is too noisy or not actionable.
Validate CI/CD integration: Run a build with a known vulnerable dependency. Confirm that the pipeline surfaces the vulnerability with remediation steps, not just a generic "security check failed" message.
The goal is actionable context at decision time. If developers start asking "what does the security system say about this?" before making changes, your integration is working.
