--- description: "Integrate the Fluid Attacks MCP server to use natural language queries in AI tools (examples in Claude and Cursor). Also, integrate our scanners into your SDLC using AI agents." keywords: "Ai tools, Fluid Attacks Mcp server, Mcp on Claude, Mcp on Cursor, Mcp on Vs Code, Fluid Attacks Ai integrations, get vulnerability information via chat, Fluid Attacks documentation" other: private: false title: Installation --- import { Image } from "@/components/image"; import { Callout } from "nextra/components"; # Installation This guide explains how to install the local MCP server in Claude and use the remote MCP server in Cursor and VS Code. Besides, you can learn how to integrate **Fluid Attacks security scanners** into your software development lifecycle (SDLC) using **AI agents**. ## Prerequisites - To use the Fluid Attacks MCP Server, you need an AI assistant that supports MCP, such as Claude (via Cursor, Claude Desktop, VS Code, etc.). - Do you want to access information about vulnerabilities? If so, you need a Fluid Attacks API token. This is optional for public tools. - Do you want to run security scans? If so, you need to have [Docker installed](https://docs.fluidattacks.com/integrations/mcp-server/docker-installation). Also, it is recommended to [configure an AGENTS.md file](https://docs.fluidattacks.com/integrations/mcp-server/installation#add-agentsmd-to-your-project-using-fluid-attacks-mcp-server) in the project root directory. ## MCP server in Claude See the [requirements of the MCP server](https://help.fluidattacks.com/portal/en/kb/articles/local-tools) on Claude. ### Install the runtime environment Follow these steps to install Node.js, which is required for using Fluid Attacks' MCP server. If you already have Node.js v22 installed, simply skip to the next section according to your needs. 1. It is recommended that you install Node Version Manager (nvm), as it allows you to have different versions of Node.js and switch between them according to your current needs. To install nvm, open your terminal and run the following: ``` curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.2/install.sh | bash ``` Close and reopen your terminal or run the following command to load nvm into your current session: ``` \. "$HOME/.nvm/nvm.sh" ``` 2. Install the Node.js version 22 with the following command (v18 or higher is required): ``` nvm install 22 ``` ### Set up in Claude Set up Fluid Attacks' MCP server in Claude following these instructions: 1. Go to the menu bar, click on **Claude** and then **Settings**. Open Claude settings

2. Switch to the **Developer** tab and click the **Edit Config** button. Find Edit Config in Claude

3. You are presented with a folder that contains the file claude_desktop_config.json. Open this file with a text editor. 4. Paste the following into the configuration file, replacing `` with the previously generated Fluid Attacks API token. ```json { "mcpServers": { "fluidattacks-mcp": { "command": "npx", "args": [ "--cache", "/tmp/fluidattacks-mcp", "-y", "@fluidattacks/mcp" ], "env": { "API_TOKEN": "" } } } } ``` 5. Save the file and close both it and Claude. To interact with the platform, reopen Claude and start chatting! See an example below. ### Example in Claude The following example shows the generation of a vulnerability report for a specific group in a specific organization. The prompt is the following: _Using Fluid Attacks' API, please generate a one-page report of the vulnerabilities found in the Narrabri group of the Imamura organization._ Prompt Claude to use the Fluid Attacks platform

Prompt Claude to use the Fluid Attacks platform

Claude asks for permission before using a tool by the MCP server. The following screenshot references the `fetch_group_vulnerabilities` tool, which accesses the group's vulnerability information (such as vulnerability [status and severity](https://help.fluidattacks.com/portal/en/kb/articles/see-where-vulnerabilities-are-and-more-details#See_where_vulnerabilities_are_located)). Check out a description of [each tool and capability](https://docs.fluidattacks.com/integrations/mcp-server/capabilities-and-use-cases). Allow the Fluid Attacks tools on Claude

Claude then mentions the tools run and provides an outline of the report while generating the one-page document. Generate a Fluid Attacks vulnerability report on Claude

Generate a Fluid Attacks vulnerability report on Claude

## Remote MCP server in Cursor Do not forget to [generate an API token](https://help.fluidattacks.com/portal/en/kb/articles/explore-the-user-menu#Generate_or_revoke_the_API_Token) for the setup. ### Configuration Use Fluid Attacks' remote MCP server in Cursor, following these instructions: 1. Go to [Cursor's MCP Directory](https://cursor.com/docs/context/mcp/directory) and search for the Fluid Attacks server. 2. Click on the **Add to Cursor** button: Fluid Attacks server on Cursor MCP Directory

Fluid Attacks server on Cursor MCP Directory

3. Once you see this warning message in your browser, click the **Open Link** or **Open Cursor.app** button: Open Cursor link

4. Optional: Add the token generated from the Fluid Attacks platform. If you do not have a token, you can leave the default setting. Please note that the token is required to access information about your groups on the platform. Installing Fluid Attacks MCP server on Cursor

Installing Fluid Attacks MCP server on Cursor

5. Click on the **Install** button. 6. Verify that the server is active before using it to request vulnerability scans or reports containing information about your groups. fluidattacks-mcp is enabled for Cursor

7. You can now use the Fluid Attacks MCP server in Cursor. Use Fluid Attacks MCP on Cursor

### Example in Cursor The following example shows the request for the vulnerability with the highest CVSS score in a specific file within a particular group in a specific organization. The prompt used is the following: _From the Fluid Attacks API, what is the highest severity (CVSS) vulnerability in the basketitems.ts file of the Clickable group within the Imamura Organization?_ Prompt Cursor to use the Fluid Attacks platform

Prompt Cursor to use the Fluid Attacks platform

Cursor asks for confirmation before running a tool by the MCP server. The following screenshot references the `fetch_group_vulnerabilities` tool, which retrieves vulnerability information (such as vulnerability [status and severity](https://help.fluidattacks.com/portal/en/kb/articles/see-where-vulnerabilities-are-and-more-details#See_where_vulnerabilities_are_located)) from a specific file. Read a description of [each tool and capability](https://docs.fluidattacks.com/integrations/mcp-server/capabilities-and-use-cases). Allow the Fluid Attacks tool on Cursor

Cursor then responds with the type of vulnerability's name, as well as breaks down its CVSS score and informs of the lines of code where the vulnerability is present. Query Cursor about findings by Fluid Attacks

Query Cursor about findings by Fluid Attacks

## Remote MCP server in VS Code Do not forget to [generate an API token](https://help.fluidattacks.com/portal/en/kb/articles/explore-the-user-menu#Generate_or_revoke_the_API_Token) for the setup. ### Configuration Use Fluid Attacks' remote MCP server in VS Code, following these instructions: 1. Open VS Code's search bar (cmd + P) and type "> MCP: Open User Configuration". 2. Select the option shown in the image below: Start MCP configuration on VS Code

3. Fluid Attacks the MCP Server in the **servers** section of the file: ```json { "servers": { "fluidattacks-mcp": { "type": "http", "url": "https://app.fluidattacks.com/mcp/messages/", "headers": { "Authorization": "Bearer " } } } } ``` 4. Optional: Replace `` with your Fluid Attacks API token. 5. Save the file. 6. As shown in the image below, click on **Start**. Start using MCP on VS Code

7. The number of tools and prompts should be shown. 8. To enable the AI Agent to use our MCP tools, click on the **Configure tools** option. Enable the AI Agent on VS Code

9. On the opened window, search for "fluidattacks-mcp", enable the tools you want to use, and click the **OK** button: Selecting fluidattacks-mcp on VS Code

10. You can now use the Fluid Attacks MCP server in VS Code. Using Fluid Attacks MCP on VS Code

## Share the server configuration with your team **Requirements:** (**1**) [Have Node.js installed](https://docs.fluidattacks.com/integrations/mcp-server/installation#install-the-runtime-environment) and (**2**) create the environment variable called "FLUID_ATTACKS_API_TOKEN". You can keep the Fluid Attacks MCP server configuration in your code repository for your entire team to use. Simply add the following to your IDE configuration folder within your repository and have your team meet the above requirements: ```json { "mcpServers": { "fluidattacks-mcp": { "command": "npx", "args": [ "--cache", "/tmp/fluidattacks-mcp", "-y", "@fluidattacks/mcp", "https://app.fluidattacks.com/mcp/messages/" ] } } } ``` With this option, the API token is not hard-coded; it remains an environment variable, allowing the MCP server configuration to be versioned without issues. ## Security considerations - **API token security:** Store tokens securely, never commit to version control. - **Data sensitivity:** Be cautious when sharing vulnerability data. ## Integrate our scanners into your SDLC using AI When using AI-powered development tools, such as Cursor, GitHub Copilot, or similar AI coding assistants, you can configure them to automatically execute Fluid Attacks security scanners at appropriate points in your SDLC. This integration helps you ensure that security vulnerabilities are detected and addressed early. Before integrating our security scanners with AI agents, ensure that you have Docker installed in your system, that Fluid Attacks' MCP server is configured in your AI development environment, and that you have write access to your project directory for configuration files and scan results. ### Add AGENTS.md to your project using Fluid Attacks' MCP server On the chat of your AI agent, start by typing `/fluidattacks-mcp/` and then select the following command: ``` /fluidattacks-mcp/config_agents_md ``` ### Add AGENTS.md to your project manually #### 1. Create the AGENTS.md file Add an **AGENTS.md** file to your project root directory. This file contains instructions that AI agents will follow to determine when and how to execute security scanners. The **AGENTS.md** file should be placed at the root of your project: ``` your-project/ ├── AGENTS.md # Add this file ├── src/ ├── package.json └── ... ``` #### 2. Add the AGENTS.md content ```markdown # Project Instructions ## Execute Security Scanners ### Execute SCA Scanner When: - New dependencies are added to the project - Dependencies are updated to new versions - Lock files are modified (e.g.,`package-lock.json`, `uv.lock`) - User explicitly requests a dependency security scan - Setting up a new project for the first time - Before deploying to production - Before pushing to the repository ### Execute SAST Scanner When: - Source code changes are made to application files - New features or modules are added - Security-sensitive code is modified (authentication, authorization) - User explicitly requests a code security scan - Before committing significant code changes - During code reviews - Before deploying to production - Before pushing to the repository ### Execute Both Scanners When: - A complete security audit is needed - Major project updates involving both code and dependencies - Pre-deployment security check - User requests a full security scan ## Prerequisites - Docker installed on the system - No Dockerfile creation needed - only download the Docker images - Write access to the project directory for configuration files and results ## Fluid Attacks Scanner ### Purpose Scan the project for vulnerabilities using the Fluid Attacks MCP tools. ### Step-by-Step Instructions #### 1. Use Fluid Attacks MCP tools to configure and run the scanner #### 2. Add the output file to .gitignore #### 3. Remediate vulnerabilities - Review the output file - If there are vulnerabilities, remediate them ## Best Practices for Agents ### 1. Configuration File Management - Always verify the correct paths for include/exclude before running - Adjust configuration based on project structure - Use `.gitignore` as a reference for exclude patterns - Store configuration files in the project root and add them to .gitignore - Add the output file (Fluid-Attacks-Results.csv) to .gitignore ## When to Run What | Scenario | Scanner | Priority | | ----------------------------- | ------- | -------- | | New dependency added | SCA | High | | Code changes in auth/security | SAST | Critical | | Weekly security audit | Both | Medium | | Pre-deployment check | Both | Critical | | Dependency version update | SCA | High | | New feature development | SAST | Medium | | Third-party library added | SCA | High | | API endpoint changes | SAST | High | ## Integration with Development Workflow - On Code Changes: Run SAST if source files modified - On Dependency Changes: Run SCA if dependency files modified - On User Request: Run appropriate scanner(s) - Help with remediation: Always create/update security reports - Re-scan: After fixes to verify remediation ``` ### Troubleshooting If the scanners are not being executed automatically: - Verify that **AGENTS.md** exists in your project root - Ensure the Fluid Attacks MCP server is properly configured - Check that Docker is installed and running - Verify that the AI agent has read access to **AGENTS.md** - You can ask the AI agent to execute the scanners: "Run fluid attacks scanners." - You can use [Fluid Attacks prompts](https://docs.fluidattacks.com/integrations/mcp-server/capabilities-and-use-cases#specialized-prompts) If the scanners report false positives: - Review the specific vulnerability details - Adjust scanner configuration if needed - Document acceptable exceptions in your project documentation - Consider reaching out to Fluid Attacks support for clarification