Labsco
slvnlrt logo

reptor-mcp

โ˜… 8

from slvnlrt

An MCP server for Reptor/SysReptor that exposes the reptor CLI tool as a programmable service, configured via environment variables.

๐Ÿ”ฅ๐Ÿ”ฅ๐Ÿ”ฅโœ“ VerifiedAccount requiredNeeds API keys

reptor-mcp: An MCP Server for Reptor/SysReptor

This project transforms the reptor CLI tool into an MCP (Model-Context-Protocol) server, exposing its powerful pentest reporting and automation features as a programmable service.

It allows other tools, scripts, or AI agents to programmatically interact with SysReptor via the MCP protocol, facilitating integration into automated workflows.

[!WARNING] Alpha Software: The underlying reptor CLI tool is in alpha. Its API may change, potentially breaking reptor-mcp.

[!CAUTION] No Authentication: This server has no authentication or authorization. It is designed for local use only. DO NOT EXPOSE IT TO THE INTERNET OR UNTRUSTED NETWORKS.

[!IMPORTANT] Data Sensitivity: If you handle sensitive project data, consider the implications of sending it to LLMs via this server. Use REPTOR_MCP_EXCLUDE_FIELDS to strip sensitive fields before they reach the LLM.

Features

  • Dynamic Tool Generation: Automatically creates MCP tools from all available reptor plugins (nmap, nessus, burp, zap, sslyze, etc.).
  • Direct API Tools: Provides structured tools for findings CRUD, schema discovery, and template management using reptor's Python API directly.
  • Field Exclusion: Strips sensitive fields from data before returning it to LLM clients (configurable via environment variable).
  • Async-Safe: Non-blocking event loop with thread-safe serialized plugin execution.

Client Connection

Connect an MCP client using a configuration like this (e.g., in mcp_settings.json):

{
  "mcpServers": {
    "reptor-mcp": {
      "type": "streamable-http",
      "url": "http://localhost:8008/mcp/"
    }
  }
}

Available Tools

Custom Tools (Direct API)

These tools use reptor's Python API directly for structured, schema-aware operations:

ToolDescription
list_findingsLists findings with filters (status, severity, title).
get_finding_detailsGets full details of a finding by ID.
get_finding_schemaDiscovers available finding fields, types, and constraints for a project. Call before create_finding or patch_finding.
create_findingCreates a new finding from a flat data dict.
patch_findingUpdates a single field on a finding.
delete_findingDeletes a finding by ID (requires explicit confirmation).
upload_templateUploads a finding template from JSON or TOML.

Plugin Tools (Dynamic Wrappers)

The server dynamically wraps all reptor CLI plugins as MCP tools:

CategoryTools
Vulnerability Importersnessus, burp, nmap, openvas, zap, qualys, sslyze
Finding Managementfinding, findingfromtemplate, deletefindings, exportfindings
Project Managementproject, createproject, deleteprojects, pushproject
Templatestemplate
Notes & Filesnote, file
Translationtranslate (via DeepL)
Import/Exportghostwriter, defectdojo, importers, packarchive, unpackarchive

The exact arguments for each tool can be inspected via a connected MCP client.

Relationship to reptor's Native MCP Server

Since reptor v0.33, reptor includes its own built-in MCP server (reptor mcp). The two servers are complementary:

Capabilityreptor-mcpNative reptor mcp
Findings CRUD:white_check_mark::white_check_mark:
Finding schema discovery:white_check_mark::white_check_mark:
Report sections CRUD:x::white_check_mark:
Vulnerability importers (nmap, nessus, burp, etc.):white_check_mark::x:
Project management (search, create, export, duplicate):white_check_mark::x:
Notes, files, translation:white_check_mark::x:
Templates management:white_check_mark::white_check_mark:
Field exclusion:white_check_mark::white_check_mark:

Architecture

mcp_server.py           # Server entry point, lifespan, configuration
โ”œโ”€โ”€ tool_generator.py   # Dynamic MCP tool generation from plugin argparse definitions
โ”‚   โ”œโ”€โ”€ signature_utils.py  # argparse โ†’ Python function signature translation
โ”‚   โ””โ”€โ”€ wrapper_utils.py    # Plugin execution, stdin/stdout capture, config handling
โ”œโ”€โ”€ custom_tools.py     # Direct API tools (findings CRUD, schema, templates)
โ””โ”€โ”€ tool_config.py      # Plugin exclusions, stdin consumers, config overwrite mappings

Key design decisions:

  • Plugin wrappers run in threads with a serialization lock, keeping the async event loop responsive while protecting shared state.
  • Custom tools use asyncio.to_thread() for non-blocking API calls.
  • Field exclusion recursively strips specified fields from all nested data structures before returning to the client.