
Conviso MCP Server

MCP server for the Conviso Platform. Lets AI agents query software assets, vulnerabilities, security projects, and AppSec risk metrics.

Overview

The Conviso MCP server connects MCP-compatible clients like Claude Desktop and Cursor to the Conviso Platform, an Application Security Posture Management (ASPM) product. It exposes the platform's catalog of companies, assets, projects, and vulnerabilities to an AI agent so that engineers and security teams can investigate findings, summarize risk posture, and pull metrics through natural language.

The server is published as an open-source repository under the official convisoappsec GitHub organization and ships in both Python and Node.js flavors, with an optional Docker image for containerized execution. Tools cover four practical areas: inventory (companies, assets, projects), vulnerability triage (get_issues, get_top_vulnerabilities), deep-link generation for the Conviso web UI, and program metrics such as MTTR over time and overall risk score history.

Authentication uses a single CONVISO_API_KEY environment variable, generated from your Conviso Platform profile settings. The tools are read-oriented and meant to surface security context to an AI assistant, not to modify findings or workflows in the platform. The key is still a bearer credential that carries your account's full read access to vulnerability data, so the client config file or container invocation that holds it needs the same protection as any other API secret.

Tools

Tool                              Description
get_companies                     List companies accessible to the authenticated Conviso account.
get_company_info                  Retrieve plan details and metadata for a specific company.
get_issues                        Retrieve security issues / vulnerabilities tracked in the platform.
get_issue                         Fetch a single vulnerability with full details.
get_top_vulnerabilities           Return the highest priority or highest severity vulnerabilities.
get_projects                      List security projects in the platform.
get_project                       Retrieve details for a specific security project.
get_assets                        List software assets (applications, repositories, services) tracked in Conviso.
get_asset                         Retrieve a specific asset.
create_issue_url                  Generate a direct link to a vulnerability in the Conviso web UI.
create_project_url                Generate a direct link to a project in the Conviso web UI.
get_mttr_over_time                Return mean time to remediate (MTTR) trends across a time window.
get_overall_risk_score_history    Return the history of the overall risk score for a company or asset.
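
Before wiring any third-party MCP server into an AI client it is worth confirming that the tools it actually advertises match the documented, read-oriented set above, since a tool that appears after an update (or a write-capable one) changes what a prompt-injected agent can do with your key. The script below is an added example, not code from the conviso-mcp project: it speaks the MCP stdio transport directly (newline-delimited JSON-RPC 2.0, the initialize / notifications/initialized / tools/list sequence) and compares the returned tool names against the table above. The server command is whatever you put in your client config; the tools/list sample embedded for offline use is constructed, and its update_issue_status entry is invented purely to show what a deviation looks like.

```python
"""Audit the tools an MCP server advertises against the documented Conviso list.

Added example, not part of conviso-mcp. Run with no arguments to exercise the
constructed sample, or pass the server command, e.g.
  CONVISO_API_KEY=... python tool_audit.py /PATH/TO/venv/bin/python /PATH/TO/python/src/conviso_mcp/server.py
"""
import json
import subprocess
import sys

# Tool names as documented on this page; anything else is a deviation worth a look.
DOCUMENTED_TOOLS = frozenset({
    "get_companies", "get_company_info", "get_issues", "get_issue",
    "get_top_vulnerabilities", "get_projects", "get_project", "get_assets",
    "get_asset", "create_issue_url", "create_project_url",
    "get_mttr_over_time", "get_overall_risk_score_history",
})

# Name fragments that suggest a write-capable tool. "create" is deliberately absent:
# the documented create_*_url tools only build links.
WRITE_HINTS = ("delete", "update", "assign", "remove", "set_", "close", "edit")

# Constructed tools/list result for offline use; update_issue_status is invented.
SAMPLE_TOOLS_LIST = {
    "tools": [
        {"name": "get_issues", "description": "Retrieve issues", "inputSchema": {"type": "object"}},
        {"name": "create_issue_url", "description": "Link to an issue", "inputSchema": {"type": "object"}},
        {"name": "update_issue_status", "description": "Change state", "inputSchema": {"type": "object"}},
    ]
}


def rpc(method, params=None, msg_id=None):
    """Build one JSON-RPC 2.0 message; a message without id is a notification."""
    msg = {"jsonrpc": "2.0", "method": method}
    if params is not None:
        msg["params"] = params
    if msg_id is not None:
        msg["id"] = msg_id
    return msg


def handshake_messages():
    """Client side of an MCP stdio session, up to the tool inventory request."""
    return [
        rpc("initialize", {
            "protocolVersion": "2024-11-05",
            "capabilities": {},
            "clientInfo": {"name": "tool-audit", "version": "0.1"},
        }, msg_id=1),
        rpc("notifications/initialized"),
        rpc("tools/list", {}, msg_id=2),
    ]


def read_reply(stream, msg_id):
    """Read lines until the response carrying msg_id; skip server notifications."""
    while True:
        line = stream.readline()
        if not line:
            raise RuntimeError("server closed stdout before replying to id %r" % msg_id)
        if not line.strip():
            continue
        msg = json.loads(line)
        if msg.get("id") == msg_id:
            if "error" in msg:
                raise RuntimeError("JSON-RPC error: %s" % msg["error"])
            return msg["result"]


def audit_tools(tools_list_result):
    """Compare a tools/list result ({"tools": [...]}) with the documented set."""
    tools = tools_list_result.get("tools", [])
    names = {t["name"] for t in tools}
    return {
        "undocumented": sorted(names - DOCUMENTED_TOOLS),
        "missing": sorted(DOCUMENTED_TOOLS - names),
        "write_like": sorted(n for n in names if any(h in n.lower() for h in WRITE_HINTS)),
    }


def main(argv):
    if len(argv) < 2:
        report = audit_tools(SAMPLE_TOOLS_LIST)  # offline demo on the constructed sample
    else:
        # CONVISO_API_KEY must already be exported; the child inherits our environment.
        proc = subprocess.Popen(argv[1:], stdin=subprocess.PIPE, stdout=subprocess.PIPE, text=True)
        results = {}
        try:
            for msg in handshake_messages():
                proc.stdin.write(json.dumps(msg) + "\n")
                proc.stdin.flush()
                if "id" in msg:
                    results[msg["id"]] = read_reply(proc.stdout, msg["id"])
        finally:
            proc.terminate()
        report = audit_tools(results[2])
    print(json.dumps(report, indent=2))
    return 1 if report["undocumented"] or report["write_like"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A non-zero exit means the server offers something this page does not document; re-read the repository before trusting it with a key, and re-run the check after every update of the server.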

Setup Guide

Prerequisites

  • Python 3.10+ or Node.js
  • Conviso Platform API key (create one from your profile settings in the Conviso Platform)
  • An MCP-compatible client such as Claude Desktop or Cursor

Install (Python)

git clone https://github.com/convisoappsec/conviso-mcp.git
cd conviso-mcp
python -m venv venv
source venv/bin/activate
pip install -r python/requirements.txt

Install (Node.js)

git clone https://github.com/convisoappsec/conviso-mcp.git
cd conviso-mcp/node
npm install

Claude Desktop config (Python)

{
  "mcpServers": {
    "conviso-mcp": {
      "command": "/PATH/TO/venv/bin/python",
      "args": ["/PATH/TO/python/src/conviso_mcp/server.py"],
      "env": {
        "CONVISO_API_KEY": "your_api_key_here"
      }
    }
  }
}

Claude Desktop config (Docker)

{
  "mcpServers": {
    "conviso-mcp-docker": {
      "command": "docker",
      "args": [
        "run", "-i", "--rm",
        "-e", "CONVISO_API_KEY=your_api_key_here",
        "conviso-mcp"
      ]
    }
  }
}

Config file locations

  • macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
  • Linux: ~/.config/Claude/claude_desktop_config.json
  • Windows: %APPDATA%\Claude\claude_desktop_config.json

Environment variables

  • CONVISO_API_KEY: API token from your Conviso Platform profile. Required.
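
Both client configs above carry the API key as a literal: in the env block of the venv entry, and on the docker command line via -e CONVISO_API_KEY=..., where it is also visible to anyone who can list processes while the container starts. The script below is an added example, not part of conviso-mcp or Claude Desktop: it scans a claude_desktop_config.json for such literals and rewrites a docker entry to read the key from an --env-file and to drop Linux capabilities. The embedded config is constructed from the two entries above with a made-up key value; the env-file path and the assumption that the conviso-mcp image runs fine with all capabilities dropped are ours.

```python
"""Find plaintext MCP server secrets in a Claude Desktop config and harden the
Docker entry. Added example, not code from conviso-mcp or Claude Desktop.
Assumes the config shape shown on this page: mcpServers -> {command, args, env}.
"""
import json
import re

# Constructed sample: the two entries from this page with an invented key value.
SAMPLE_CONFIG = json.loads(r'''{
  "mcpServers": {
    "conviso-mcp": {
      "command": "/PATH/TO/venv/bin/python",
      "args": ["/PATH/TO/python/src/conviso_mcp/server.py"],
      "env": {"CONVISO_API_KEY": "EXAMPLE-0123456789abcdef"}
    },
    "conviso-mcp-docker": {
      "command": "docker",
      "args": ["run", "-i", "--rm",
               "-e", "CONVISO_API_KEY=EXAMPLE-0123456789abcdef",
               "conviso-mcp"]
    }
  }
}''')

SECRET_NAME = re.compile(r"(KEY|TOKEN|SECRET|PASSWORD)", re.I)
# Values that are obviously placeholders, not live credentials.
PLACEHOLDER = re.compile(r"^(your_|<|\$\{|changeme)", re.I)


def find_plaintext_secrets(config):
    """Return (server, where, var) for every literal secret in env or docker -e args."""
    findings = []
    for name, entry in config.get("mcpServers", {}).items():
        for var, value in entry.get("env", {}).items():
            if SECRET_NAME.search(var) and value and not PLACEHOLDER.match(value):
                findings.append((name, "env", var))
        args = entry.get("args", [])
        for i, arg in enumerate(args):
            if arg in ("-e", "--env") and i + 1 < len(args) and "=" in args[i + 1]:
                var = args[i + 1].split("=", 1)[0]          # -e VAR=value
            elif arg.startswith("--env=") and arg.count("=") >= 2:
                var = arg[len("--env="):].split("=", 1)[0]   # --env=VAR=value
            else:
                continue
            if SECRET_NAME.search(var):
                findings.append((name, "args", var))
    return findings


def harden_docker_entry(entry, env_file):
    """Rewrite a `docker run` entry: key via --env-file, no capabilities, no privilege gain."""
    args = entry.get("args", [])
    if entry.get("command") != "docker" or not args or args[0] != "run":
        raise ValueError("not a docker run entry")
    image = args[-1]
    kept, skip = [], False
    for arg in args[1:-1]:
        if skip:                      # value half of a preceding -e / --env
            skip = False
            continue
        if arg in ("-e", "--env"):
            skip = True
            continue
        if arg.startswith("--env="):
            continue
        kept.append(arg)
    new_args = ["run", *kept,
                "--env-file", env_file,                 # key read from a mode-0600 file, not argv
                "--cap-drop", "ALL",                    # a stdio API client needs no capabilities
                "--security-opt", "no-new-privileges",
                image]
    return {"command": "docker", "args": new_args}


def main():
    for server, where, var in find_plaintext_secrets(SAMPLE_CONFIG):
        print("plaintext secret: server=%s location=%s var=%s" % (server, where, var))
    hardened = harden_docker_entry(SAMPLE_CONFIG["mcpServers"]["conviso-mcp-docker"],
                                   "/etc/conviso-mcp.env")
    print(json.dumps({"mcpServers": {"conviso-mcp-docker": hardened}}, indent=2))


if __name__ == "__main__":
    main()
```

Write CONVISO_API_KEY=... into the env file and chmod it to 0600 before using the hardened entry. As far as this page shows, Claude Desktop treats env values as literals, so the venv variant cannot be pointed at a file the same way; there, restrict claude_desktop_config.json itself to your user and rotate the key if the file is ever shared or committed.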

Use Cases
  • Triage the top open vulnerabilities across a company or product and ask the agent to draft remediation guidance.
  • Summarize all issues affecting a specific asset (application or service) before a release.
  • Pull MTTR trends and overall risk score history to build a monthly AppSec executive report.
  • Map software assets and projects across the organization to spot uncovered services.
  • Generate direct Conviso Platform links to vulnerabilities or projects to share with engineers in chat.

Example Prompts
  • "List the top 10 highest severity vulnerabilities in the Payments project and propose a fix order."
  • "Show MTTR over the last 6 months for company Acme and explain any spikes."
  • "Find all open issues on the asset checkout-api and give me a direct Conviso link to each."
  • "Compare the overall risk score history of our two business units and summarize the trend."
  • "List every project under company Acme and tell me which ones have no recent scans."

Pros
  • Maintained in the official convisoappsec GitHub organization, so it tracks the real platform API.
  • Multiple deployment options: Python venv, Node.js, Docker, and uv.
  • Covers the most useful AppSec workflows (issues, assets, projects, MTTR, risk score) with a focused tool set.
  • MIT licensed and self-hosted: the server itself talks only to the Conviso API. Whatever it returns is handed to the MCP client and from there to the model backend that client uses, so vulnerability details do leave your environment by that route; treat the client like any other system that processes findings.

Limitations
  • Read-oriented tool set: there are no documented write operations to update issue status, assign owners, or create projects.
  • Requires a paid Conviso Platform account and API key, so it is not useful without an existing subscription.
  • Repository is young (single-digit stars at the time of writing) and documentation outside the README is sparse.

Alternatives
  • Snyk MCP server for SCA and SAST vulnerability querying in developer-centric workflows.
  • Semgrep MCP server for static analysis findings and rule-based code scanning.
  • Self-built MCP wrappers around DefectDojo or OWASP Dependency-Track for vulnerability management when not on Conviso.