Skip to content

MCP Server Overview

The MCP server lets AI assistants — Claude Code, Cursor, OpenCode, Codex, Claude Web, Claude Desktop — read your Vygl data and trigger AI verification, all without leaving the editor. Authenticate with an API key for editor clients or via OAuth for web clients (no key needed).

Reads

ToolWhat it does
list_authorized_orgsList the orgs this connector can act in (the entry point for multi-org users).
list_projectsList all projects in your organization.
search_findingsSearch findings with filters — severity, status, scan type, file path, project, rule, AI verdict.
get_finding_detailFull context on a finding — snippet, AI verdict, reasoning, history.
get_security_postureOrg-wide summary — severity counts, MTTR, AI coverage.
get_project_healthPer-project health score with severity breakdown.
list_container_imagesAll scanned images with CVE counts.
get_container_image_detailImage layer breakdown and vulnerable packages.
search_image_vulnerabilitiesVulnerabilities (CVEs) in container images.
get_container_correlationsSource dependencies that share a CVE with container findings.
get_container_analysisCached AI risk summary for an image.
list_memoriesList organizational memory entries.
preview_memoryRender a draft memory’s effective system prompt without saving.
suggest_memory_from_findingAsk the LLM to draft a memory based on a specific finding.

Writes

ToolWhat it does
ai_verify_findingTrigger AI verification on a finding; returns verdict + reasoning + suggested fix.
triage_findingSet a single finding’s status (false_positive, ignored, acknowledged, etc.).
bulk_triage_findingsTriage multiple findings in one call.
create_memoryCreate an organizational memory entry.
ClientAuth
Claude Code, Cursor, OpenCode, CodexAPI key (Bearer token).
Claude Web, Claude DesktopOAuth 2.1 Dynamic Client Registration.

Editor clients use the same API keys you generate in Settings → API Keys. Web clients click “Add custom integration” in Claude, enter the Vygl MCP URL, and complete a browser OAuth flow — no key management.

Every MCP request is scoped to the organization that owns the API key (or the user’s signed-in org for OAuth). Permissions and rate limits match the API key’s scopes — the MCP server is not a privilege bypass.

If your connector is authorized for multiple Vygl orgs (e.g. an OAuth user who belongs to several), call list_authorized_orgs first to discover the available org_ids, then pass org_id on subsequent tool calls to disambiguate.

See IDE Setup for ready-to-paste configs for every supported client.