2025-11-15 –, Hochschule München - R0.Foyer
Learn how to build a universal, AI-assisted security agent using MCP to integrate multiple static analysis tools, generate vulnerability reports, suggest fixes, and produce ready-to-use secure code.
In this workshop, we will build an automated security agent that leverages multiple static code analysis tools through the MCP (Model Context Protocol). The agent analyzes code using a variety of scanners, correlates the results, suggests AI-based vulnerability fixes, and generates detailed reports from each tool.
Our Goal:
To develop a universal security agent that integrates the capabilities of several static analysis tools via MCP. These tools are lightweight, easy to develop, and simple to plug into the system.
Static Analysis Tools (MCPs) Used in This Workshop:
- Bandit – Security analysis for Python code
- Detect Secrets – Secret detection within code
- Pip Audit – Python dependency vulnerability scanning
- Circle Test – Compliance checks against security policies
- Semgrep – Advanced, pattern-based static code analysis
These five MCP-based tools cover different layers of software security. They are modular and interchangeable, allowing for flexible extension and replacement.
By the end of the workshop we'll have:
- A tool capable of performing comprehensive static security scans
- The ability to run targeted checks (e.g., SQL injection, shell injection, secret detection) by selecting relevant MCPs
- The ability to conduct vulnerability assessments, including downloading AI-suggested, fixed versions of our code
Bonus (Time Permitting):
We'll also explore how to debug MCPs using @modelcontextprotocol/inspector.
Deliverables:
- Full security reports from all tools
- AI-generated suggestions for code fixes
- A ready-to-use, patched version of your code, downloadable and easily integrated into your CI/CD workflow
MCP, AI Agents, Static Code Analysis
Platform Engineer | OSS Contributor
Vlad is a seasoned full-stack developer with over a decade of experience building and maintaining scalable B2B platforms, as well as a dedicated open-source contributor. He currently works at Cybergizer in a hybrid SWE/CRE/SRE role, focusing on production reliability, systems design, and cross-functional engineering using languages like Ruby, Elixir, and Rust.
He is a member of the Diesel.rs contributor team and the creator of opencryptolist.xyz, a platform dedicated to fostering open-source contributions in the blockchain industry. Vlad is also the author of idlGuesser.xyz – a tool to get IDL and source code info from closed-source Solana programs, using AI-based reverse engineering. He has open-sourced, maintained, and contributed to several libraries in the Ruby and Rust ecosystems (including pkcs12cracker, solscan-mcp, and visual-cryptography).
He is also a writer for EffectiveProgrammer, AI Advances, IT Next, and Level Up Coding, and a three-time hackathon winner.