Synopsis

fcli util mcp-server start [-q=<SpEL expression>] [[-h] [--env-prefix=<envPrefix>] [--log-file=<logFile>] [--log-level=<logLevel>] [--log-mask=<logMaskLevel>] [--debug]]

Description

This command will start an MCP (Model Context Protocol) server that allows an LLM system to interact with Fortify products by executing fcli commands. For more information about MCP, please see https://modelcontextprotocol.io/. For now, only stdio transport is supported. Various LLM clients allow for configuring local stdio MCP servers; following is an example for the Copilot Eclipse plugin:

    {
      "servers": {
        "fcli": {
          "type": "stdio",
          "command": "/path/to/fcli",
          "args": ["util","mcp-server","start","--query=module=='fod'"]
        }
      },
      …

By default, the fcli MCP server will generate an MCP tool definition for every individual fcli command, excluding commands that are not relevant or pose a security risk in the context of an LLM. For example, non-runnable (container) commands are not relevant in an LLM context, and thus are not included in MCP tool definitions. Similarly, any command that accepts user credentials is not included in MCP tool definitions, to prevent users from entering their credentials in an LLM system. Note that this means that LLMs cannot run fcli session login commands; you'll need to have an active 'default' session for each of the modules that you want to interact with through the LLM system.

Note that LLMs impose limits on the number of enabled tools; enabling every fcli command as an MCP tool will most likely exceed this limit. Most LLM clients allow for enabling or disabling individual tools. However, it's recommended to use the --query option on this 'mcp-server start' command to have the fcli MCP server generate MCP tools for only a subset of fcli commands, for example '--query=module matches "ssc|sc-sast"' or '--query=module=="fod"'.

As clients often allow for easily enabling or disabling all tools provided by a given MCP server, you may want to define multiple fcli MCP servers with different queries. For example, with the queries shown above, you could define one MCP server for interacting with 'fcli fod' commands, and another MCP server for interacting with 'fcli ssc' and 'fcli sc-sast' commands.
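
The split described above, as an added example (not part of the fcli documentation): a Python helper that emits one stdio server entry per module group, in the same shape as the Copilot Eclipse snippet earlier. The server names, the module-name pattern and the single-quoted SpEL literals are assumptions of this example; the output covers only the "servers" object, not the rest of the client configuration.

```python
import json
import re

# Module names as they appear in this page's queries (fod, ssc, sc-sast).
# The pattern is an assumption of this example; it keeps quotes and regex
# metacharacters out of the generated SpEL expression.
MODULE_NAME = re.compile(r"[a-z][a-z0-9-]*")


def module_query(modules):
    """Build the --query value selecting commands of the given fcli modules."""
    if not modules:
        raise ValueError("at least one module is required")
    for name in modules:
        if not MODULE_NAME.fullmatch(name):
            raise ValueError(f"unexpected module name: {name!r}")
    if len(modules) == 1:
        return f"module=='{modules[0]}'"
    return "module matches '" + "|".join(modules) + "'"


def build_servers(fcli_path, groups):
    """Return the "servers" object: one stdio MCP server per module group."""
    servers = {}
    for server_name, modules in groups.items():
        servers[server_name] = {
            "type": "stdio",
            "command": fcli_path,
            "args": ["util", "mcp-server", "start",
                     "--query=" + module_query(modules)],
        }
    return {"servers": servers}


if __name__ == "__main__":
    # Constructed grouping; the server names are hypothetical.
    config = build_servers("/path/to/fcli", {
        "fcli-fod": ["fod"],
        "fcli-ssc-sast": ["ssc", "sc-sast"],
    })
    # json.dumps handles the escaping of the query string inside "args".
    print(json.dumps(config, indent=2))
```

Each generated server exposes only the commands of its own modules, so enabling or disabling a server in the client switches that whole module group on or off.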

Options

-q, --query=<SpEL expression>

Only display records for which the given Spring Expression Language (SpEL) expression returns true.

Generic fcli options

--debug

Enable both fcli trace logging and collection of extra debugging data on applicable fcli actions and commands, for example enabling debug logging on tools invoked through fcli tool run commands, or enabling server-side debug log generation.

--env-prefix=<envPrefix>

Environment variable prefix for resolving default option and parameter values. Default value: FCLI_DEFAULT.

-h, --help

Show this help message and exit. Use 'fcli <command> -h' to display help for subcommands.

--log-file=<logFile>

File where logging data will be written. Defaults to fcli.log in current directory if --log-level is specified.

--log-level=<logLevel>

Set logging level. Note that DEBUG and TRACE levels may result in sensitive data being written to the log file. Allowed values: TRACE, DEBUG, INFO, WARN, ERROR, NONE.

--log-mask=<logMaskLevel>

Masking level to apply to logging data. Allowed values: high, medium, low, none. Default value: medium. Note that this is on a best-effort basis; you should always check log contents for sensitive data before sharing or publishing logs.