What You Can Do
Connect your AI coding agent to MindFort and work with your security findings without leaving your editor. Once connected, you can:
- Browse your targets and findings
- Read full finding details, evidence, and remediation advice
- Resolve or archive findings
- Leave comments and notes on findings
- Ask your agent to investigate a vulnerability and suggest a fix right in your codebase
- Have your agent remediate findings by writing patches informed by MindFort’s evidence and remediation advice
MCP Use Cases
Use MCP when the next step needs local code context, developer workflow control, or your team’s preferred AI coding assistant.
| Use Case | Example Prompt |
|---|---|
| Investigate a finding locally | Pull the critical MindFort finding for this repo, inspect the relevant code, and explain the vulnerable path. |
| Generate a local patch | Use the MindFort evidence and remediation advice to patch this finding in my working tree. |
| Compare finding evidence to source | Find where this endpoint is implemented and verify whether the reported access-control bug matches the code. |
| Prepare an engineering ticket | Summarize this MindFort finding, likely root cause, and proposed fix for the backend team. |
| Leave remediation notes | Add a MindFort comment saying this was patched in PR #482 and needs retest after deploy. |
| Triage from the editor | List high severity findings for this target and help me pick the first one to fix. |
| Update finding status | Mark this finding as resolved after confirming the fix and leave a note with the validation details. |
MCP vs. Platform Patching
Use Patching when you want MindFort to generate a pull request directly from the platform. Use MCP when you want a local AI copilot such as Cursor, Claude Code, or Codex to use MindFort context while it works in your own repository checkout. This is useful when the fix requires local build steps, repo-specific review, broader code investigation, or team-specific engineering conventions.
Install
Pick your editor and follow the steps below.
Cursor
.cursor/mcp.json manually:
Claude Code
Run in your terminal:/mcp inside Claude Code to sign in.
Or add to .mcp.json in your project:
Codex
Run in your terminal:~/.codex/config.toml:
Other MCP Clients
Any MCP-compatible client can connect using this URL: https://api.mindfort.app/mcp
Sign In
MindFort uses your existing MindFort account. No API keys needed.
- Add the MindFort MCP server using any method above.
- Your agent will prompt you to sign in on first use.
- Complete the sign-in in your browser.
- You’re connected — the agent handles the rest automatically.
How to Use It
Just talk to your agent naturally. Here are some things you can say:
- “Show me my MindFort findings” — see your vulnerabilities sorted by severity
- “What critical vulnerabilities do I have?” — filter to the most urgent issues
- “Tell me more about that finding” — get full details including evidence and remediation advice
- “Mark it as resolved” — update the finding status
- “Add a note: patched in PR #482” — leave a comment attributed to your account
- “What did MindFort find?” — quick overview of your security posture
- “Triage my findings” — work through findings one by one
- “List my targets” — see what applications MindFort is testing
- “Investigate this finding and fix it” — the agent reads the finding details, locates the vulnerable code, and writes a patch
- “How would I remediate this vulnerability?” — get a walkthrough based on MindFort’s remediation advice
Comments you add through your agent appear in the MindFort dashboard as if you wrote them directly. They are attributed to your account, not the agent.
Filtering findings
The list_findings tool accepts the same filters as GET /v1/findings. Ask your agent to pass them explicitly, or use phrasing like “active vulnerabilities only” so it sets the right arguments.
| Argument | Default | Description |
|---|---|---|
| target_id | — | Limit to one target |
| assessment_id | — | Limit to one assessment run |
| status | ACTIVE | ACTIVE, RESOLVED, or ARCHIVED |
| exclude_secured | false | Omit informational secured probes when true |
| severity | — | critical, high, medium, low, or info |
| sort_by | severity | severity or created_at |
| limit / offset | 25 / 0 | Pagination (max limit 100) |
status. Use total from the tool result for the full count — not just the length of the first page.
Match the dashboard Open tab: status=ACTIVE and exclude_secured=true.
After a deploy: you do not need to reinstall MCP. Restart your editor or start a new chat so the client refreshes the tool schema from https://api.mindfort.app/mcp.
See Findings API for REST examples and a dashboard mapping table.
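As an added example (not MindFort's own code), the Python below validates list_findings arguments against the table above and pages by offset until the reported total is reached. The fetch_page callable, the findings key in the result, and the sample data are assumptions for illustration; only total is named on this page.

```python
# Added example. Argument names, defaults and allowed values are from the table
# above; fetch_page, the "findings" result key and the sample data are assumed.
STATUSES = {"ACTIVE", "RESOLVED", "ARCHIVED"}
SEVERITIES = {"critical", "high", "medium", "low", "info"}
SORT_KEYS = {"severity", "created_at"}
MAX_LIMIT = 100

def build_args(status="ACTIVE", exclude_secured=False, severity=None,
               sort_by="severity", limit=25, offset=0,
               target_id=None, assessment_id=None):
    """Validate filters locally so a typo fails before the call is made."""
    if status not in STATUSES:
        raise ValueError(f"status must be one of {sorted(STATUSES)}")
    if severity is not None and severity not in SEVERITIES:
        raise ValueError(f"severity must be one of {sorted(SEVERITIES)}")
    if sort_by not in SORT_KEYS:
        raise ValueError(f"sort_by must be one of {sorted(SORT_KEYS)}")
    if not 1 <= limit <= MAX_LIMIT or offset < 0:
        raise ValueError("limit must be 1..100 and offset must be >= 0")
    args = {"status": status, "exclude_secured": exclude_secured,
            "severity": severity, "sort_by": sort_by, "limit": limit,
            "offset": offset, "target_id": target_id,
            "assessment_id": assessment_id}
    return {k: v for k, v in args.items() if v is not None}

def list_all(fetch_page, **filters):
    """Page by offset until `total` items are collected; return (items, total)."""
    args = build_args(**filters)
    collected, total = [], None
    while total is None or len(collected) < total:
        result = fetch_page(dict(args))
        total = result["total"]          # full count, not the page length
        if not result["findings"]:
            break                        # short result set: stop, do not loop
        collected.extend(result["findings"])
        args["offset"] += len(result["findings"])
    return collected, total

# Constructed sample: 60 ACTIVE and 5 RESOLVED findings, every third "secured".
_SAMPLE = [{"id": i, "status": "ACTIVE" if i < 60 else "RESOLVED",
            "secured": i % 3 == 0} for i in range(65)]

def fake_fetch(args):
    """Stand-in for the real tool call; applies the same filters in memory."""
    rows = [f for f in _SAMPLE if f["status"] == args["status"]
            and not (args["exclude_secured"] and f["secured"])]
    page = rows[args["offset"]:args["offset"] + args["limit"]]
    return {"total": len(rows), "findings": page}
```

Calling list_all(fake_fetch, exclude_secured=True) with the default status mirrors the dashboard Open tab filter described above.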
Troubleshooting
Agent can't connect
Make sure the URL is exactly https://api.mindfort.app/mcp and your network allows HTTPS connections. Restart your agent and try again.
Sign-in doesn't complete
Try clearing the MCP connection and adding it again. In Claude Code, run /mcp, select MindFort, and choose re-authenticate. If it still fails, contact support@mindfort.ai.
Finding disappears after resolving
This is expected when list_findings uses the default status=ACTIVE. Pass status=RESOLVED or status=ARCHIVED to list findings in those lifecycle states. Resolved and archived findings are also visible in the MindFort dashboard under the Secured and Archived tabs.
API or MCP count differs from the dashboard
The dashboard Open tab hides informational secured probes by default. Pass exclude_secured=true on list_findings (or GET /v1/findings) to match that view. Use assessment_id when comparing counts for a single assessment run. Archived findings require status=ARCHIVED. See Findings API.
New filters not available after an update
No reinstall is required — the MCP URL stays the same. Restart your agent or IDE, or start a new chat, so the client reloads the tool schema from the server.