Synopsis
fcli util mcp-server start -m=<module> [[-h] [--env-prefix=<prefix>] [--log-file=<logFile>] [--log-level=<logLevel>] [--log-mask=<level>] [--debug]]
Description
This command will start an MCP (Model Context Protocol) server that allows an LLM system to interact with Fortify products by executing fcli commands. For more information about MCP, please see https://modelcontextprotocol.io/.
For now, only local stdio transport is supported. MCP server configuration may vary across IDEs and other LLM clients; the following snippet shows how to configure two MCP servers, covering the 'fcli ssc' and 'fcli sc-sast' commands respectively, in IDEs like Visual Studio Code or Eclipse:
{
  "servers": {
    "fcli-ssc": {
      "type": "stdio",
      "command": "/path/to/fcli",
      "args": ["util", "mcp-server", "start", "--module=ssc"]
    },
    "fcli-sc-sast": {
      "type": "stdio",
      "command": "/path/to/fcli",
      "args": ["util", "mcp-server", "start", "--module=sc-sast"]
    }
  }
}
By default, the fcli MCP server will generate an MCP tool definition for every individual fcli command in the specified module, excluding:
- Non-runnable (container) commands, as these are not relevant in an LLM context
- Potentially disruptive or destructive commands like (most) update, delete, clear, and purge commands
- Any command that requires sensitive data like credentials to be specified, to prevent users from entering their sensitive data into an LLM system
Note that the latter means that LLMs cannot run fcli session login commands; you’ll need to have one or more active sessions for each of the products that you want to interact with through the LLM. In your LLM chat, you can ask for a specific session to be used for executing a given operation.
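A defender's check for the exclusions listed above, added here as an example and not part of fcli: the script drives the stdio server with MCP's JSON-RPC 2.0 handshake, requests tools/list, and flags any advertised tool whose name contains a verb that the list says should not be exposed. The RISKY_VERBS heuristic and the sample tool names are assumptions; this page does not document how fcli names its generated tools.

```python
import json
import subprocess

# Verbs the text above says the server must not expose as tools (assumed heuristic).
RISKY_VERBS = ("update", "delete", "clear", "purge", "login", "logout")


def handshake_messages():
    """JSON-RPC 2.0 messages an MCP client sends before tools/list is allowed."""
    return [
        {"jsonrpc": "2.0", "id": 1, "method": "initialize",
         "params": {"protocolVersion": "2024-11-05", "capabilities": {},
                    "clientInfo": {"name": "fcli-mcp-audit", "version": "0"}}},
        {"jsonrpc": "2.0", "method": "notifications/initialized"},
        {"jsonrpc": "2.0", "id": 2, "method": "tools/list", "params": {}},
    ]


def risky_tools(tools_list_response, verbs=RISKY_VERBS):
    """Names of advertised tools whose name contains a risky verb segment."""
    tools = tools_list_response.get("result", {}).get("tools", [])
    flagged = []
    for tool in tools:
        segments = tool["name"].lower().replace("-", "_").split("_")
        if any(verb in segments for verb in verbs):
            flagged.append(tool["name"])
    return flagged


def audit_server(fcli_path, module):
    """Start the server over stdio, list its tools and return the flagged names."""
    proc = subprocess.Popen(
        [fcli_path, "util", "mcp-server", "start", f"--module={module}"],
        stdin=subprocess.PIPE, stdout=subprocess.PIPE, text=True)
    for msg in handshake_messages():          # stdio transport: one JSON object per line
        proc.stdin.write(json.dumps(msg) + "\n")
    proc.stdin.flush()
    response = {}
    for line in proc.stdout:                  # wait for the reply to request id 2
        msg = json.loads(line)
        if msg.get("id") == 2:
            response = msg
            break
    proc.terminate()
    return risky_tools(response)


# Constructed sample tools/list reply (hypothetical tool names) for an offline run.
SAMPLE_RESPONSE = {"jsonrpc": "2.0", "id": 2, "result": {"tools": [
    {"name": "ssc_appversion_list"}, {"name": "ssc_issue_list"},
    {"name": "ssc_appversion_delete"}, {"name": "ssc_session_login"}]}}
```

Against a real installation, `audit_server("/path/to/fcli", "ssc")` should return an empty list; `risky_tools(SAMPLE_RESPONSE)` shows what a violation would look like.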
For now, only commands from product-related fcli modules like 'fod' or 'ssc' can be exposed as MCP tools. If you require any of the other fcli modules like 'fcli tool' or 'fcli util' to be exposed as MCP tools, we can consider this for a future release.
As LLMs pose limits on the number of enabled tools, and clients often allow for easily enabling or disabling all tools provided by a given MCP server, each fcli MCP server instance only supports a single fcli module. For example, you can configure separate MCP servers for ssc, sc-sast, and sc-dast modules, but keep the sc-dast MCP tools disabled until you need them.
In a future fcli version, we plan on adding support for registering fcli actions as MCP tools, as well as adding new fcli actions for running various types of scans. For example, once we’ve introduced a sast-scan or debricked-scan action, LLMs would be able to invoke a single MCP tool to run such a scan, with the fcli action taking care of combining the commands for installing and running tools, submitting scan requests, and optionally waiting for scan completion and importing results into SSC.
Generic fcli options (also see documentation link below)
- --debug
  Enable collection of debug logs.
- --env-prefix=<prefix>
  Prefix for resolving default option values. Default value: FCLI_DEFAULT.
- -h, --help
  Use 'fcli [command] -h' to display help for fcli (sub-)commands.
- --log-file=<logFile>
  Write log output to file. Default: ./fcli.log if logging is enabled.
- --log-level=<logLevel>
  Set logging level: TRACE, DEBUG, INFO, WARN, ERROR, NONE.
- --log-mask=<level>
  Log mask level: high, medium, low, none. Default: medium. Masking is done on a best-effort basis; there is no guarantee that all sensitive data will be masked.