Bugsy
Featuredby
Provides automatic security vulnerability remediation for code via a command‑line interface, supporting both live scans and analysis of pre‑generated SAST reports to generate fix patches and guide developers to review them.
Bugsy Overview
What is Bugsy about?
Bugsy enables developers to quickly identify and automatically fix security vulnerabilities in their source code. It works in two modes: Scan, which runs a SAST scan using Checkmarx or Snyk on a public GitHub/GitLab/ADO repository, and Analyze, which consumes an existing SAST report from supported tools (Checkmarx, CodeQL, Fortify, Snyk).
How to use Bugsy?
- CLI usage (recommended):
npx mobbdev <command> [options]mobbdev scan --repo <repo-url>– runs a fresh SAST scan and returns automated fixes.mobbdev analyze --scan-file <report.json> --repo <repo-url>– processes an existing report.
- MCP server (for AI assistants):
- Set
API_KEYenvironment variable with your Mobb API key. - Start the server:
npx mobbdev mcp. - Configure your AI client (e.g., Cursor) to call the
fix_vulnerabilitiestool.
- Set
Key features of Bugsy
- Dual operation modes – live scanning or analysis of existing SAST reports.
- Support for major SAST tools – Checkmarx, CodeQL, Fortify, Snyk.
- Automatic fix generation – produces code patches for every remediable vulnerability.
- MCP integration – allows AI assistants (Claude, etc.) to invoke vulnerability fixing directly from the development environment.
- CI/CD friendly – can be run in pipelines to automatically remediate findings.
Use cases of Bugsy
- Developer workflow – run
bugsy scanon a repository to instantly get fix suggestions while coding. - Automated review – integrate into CI pipelines to turn SAST findings into ready‑to‑apply patches.
- AI‑assisted security – enable an AI assistant to call the MCP
fix_vulnerabilitiestool, letting the assistant scan local changes and suggest patches. - Open‑source project maintenance – continuously monitor public repositories for new vulnerabilities and promptly generate fixes.
FAQ from Bugsy
- Do I need a paid account? The community edition works for public GitHub repositories. Private repo support is limited in time and requires a Mobb API key.
- Which SAST tools are supported? Checkmarx, GitHub CodeQL, OpenText Fortify, and Snyk.
- Can Bugsy detect vulnerabilities on its own? No. It relies on findings from the supported SAST tools.
- How do I set up the MCP server?
Export your
API_KEYand runnpx mobbdev mcp. Then add the server configuration to your AI client. - What if no changed files are found? Ensure you have modified, added, or staged files in the local Git repository before invoking the MCP tool.
Bugsy's README
Bugsy
Bugsy is a command-line interface (CLI) tool that provides automatic security vulnerability remediation for your code. It is the community edition version of Mobb, the first vendor-agnostic automated security vulnerability remediation tool. Bugsy is designed to help developers quickly identify and fix security vulnerabilities in their code.
What is Mobb?
Mobb is the first vendor-agnostic automatic security vulnerability remediation tool. It ingests SAST results from Checkmarx, CodeQL (GitHub Advanced Security), OpenText Fortify, and Snyk and produces code fixes for developers to review and commit to their code.
What does Bugsy do?
Bugsy has two modes - Scan (no SAST report needed) & Analyze (the user needs to provide a pre-generated SAST report from one of the supported SAST tools).
Scan
- Uses Checkmarx or Snyk CLI tools to run a SAST scan on a given open-source GitHub/GitLab/ADO repo
- Analyzes the vulnerability report to identify issues that can be remediated automatically
- Produces the code fixes and redirects the user to the fix report page on the Mobb platform
Analyze
- Analyzes the a Checkmarx/CodeQL/Fortify/Snyk vulnerability report to identify issues that can be remediated automatically
- Produces the code fixes and redirects the user to the fix report page on the Mobb platform
Disclaimer
This is a community edition version that only analyzes public GitHub repositories. Analyzing private repositories is allowed for a limited amount of time. Bugsy does not detect any vulnerabilities in your code, it uses findings detected by the SAST tools mentioned above.
Usage
Command Line Interface
You can simply run Bugsy from the command line, using npx:
npx mobbdev
This will show you Bugsy's usage help:
Bugsy - Trusted, Automatic Vulnerability Fixer 🕵️♂️
Usage:
mobbdev <command> [options]
Commands:
mobbdev scan Scan your code for vulnerabilities, get automated fixes right away.
mobbdev analyze Provide a vulnerability report and relevant code repository, get automated fixes right away.
Options:
-h, --help Show help [boolean]
Examples:
mobbdev scan -r https://github.com/WebGoat/WebGoat Scan an existing repository
Made with ❤️ by Mobb
To run a new SAST scan on a repo and get fixes, run the Bugsy Scan command. Example:
npx mobbdev scan --repo https://github.com/mobb-dev/simple-vulnerable-java-project
To get fixes for a pre-generated SAST report, run the Bugsy Analyze command. Example: npx mobbdev analyze --scan-file sast_results.json --repo https://github.com/mobb-dev/simple-vulnerable-java-project
Bugsy will automatically generate a fix for each supported vulnerability identified in the results, and refer the developer to review and commit the fixes to their code.
To see all the options Bugsy allows, use the Scan or Analyze commands with the -h option:
npx mobbdev scan -h
npx mobbdev analyze -h
Model Context Protocol (MCP) Server
Bugsy can also be used as an MCP server, allowing AI assistants like Claude to automatically scan and fix vulnerabilities in your code repositories.
Prerequisites
-
API Key: You need a Mobb API key to use the MCP server functionality
- Sign up at mobb.ai to get your API key
- Set the
API_KEYenvironment variable:export API_KEY=your_api_key_here
-
Local Git Repository: The MCP server analyzes git repositories with uncommitted changes
- Make sure your code is in a local git repository
- Have some modified, added, or staged files to analyze
Installation
Run mobb-mcp from command line:
npx mobbdev mcp
Configuration
Add Mobb MCP to your Cursor MCP client configuration:
API_URL is only required if you are not using https://app.mobb.ai
{
"mcpServers": {
"mobb-mcp": {
"command": "npx",
"args": ["mobbdev", "mcp"],
"env": {
"API_KEY": "your_mobb_api_key_here",
"API_URL": "optional__your_mobb_api_url_here"
}
}
}
}
Usage
Once configured, you can use the MCP server through your AI assistant:
-
Ask Claude to scan for vulnerabilities:
run a scan with mobb-mcpor
run fix-vulnerabilities mcp tool -
The MCP server will:
- Validate the repository path
- Check for git changes (modified, added, or staged files)
- Upload the changed files for analysis
- Generate automated fixes for detected vulnerabilities
- Return detailed fix recommendations
Available MCP Tools
fix_vulnerabilities: Scans the current code changes and returns fixes for potential vulnerabilities- Parameter:
path(string) - The path to the local git repository - Returns: Detailed vulnerability fixes with code patches and explanations
- Parameter:
Example MCP Workflow
- Make changes to your code
- Stage or modify files in git
- Ask your AI assistant: "Can you check my code for security vulnerabilities?"
- The assistant will use the MCP server to analyze your changes
- Receive detailed fix recommendations with code patches
Troubleshooting
- "API_KEY environment variable is not set": Make sure you've set your Mobb API key
- "Path is not a valid git repository": Ensure you're pointing to a valid git repository
- "No changed files found": Make sure you have modified, added, or staged files in your repository
Using Bugsy as part of a CI/CD pipeline
If you utilize SAST scans as part of the CI/CD pipeline, Bugsy can be easiy added and provide immediate fix for every issue detected. Here is a simple example of a command line that will run Bugsy in your pipeline:
npx mobbdev analyze --ci --scan-file $SAST_RESULTS_FILENAME --repo $CI_PROJECT_URL --ref $CI_COMMIT_REF_NAME --api-key $MOBB_API_KEY
Contribution
Install the dependencies and run the tests:
pnpm install
# or use npm run build:dev to watch for changes
pnpm run build
# or use npm test:watch to watch for changes
pnpm run test
Debugging
If you're using VSCode, you can use the launch.json file to debug the code. Run the CLI tests configuration to continuously run and debug the tests.
Getting support
If you need support using Bugsy or just want to share your thoughts and learn more, you are more than welcome to join our discord server
Bugsy Reviews
Login Required
Please log in to share your review and rating for this MCP.
Actions
Bugsy's Information
- Author
- mobb-dev
- Category
- Development Tools
- Language
- TypeScript
- License
- MIT License
- Version
- v1.0.171
- Stars
- 58
- Updated
- about 1 month ago
Configuration
{
"mcpServers": {
"bugsy-mcp": {
"command": "npx",
"args": [
"mobbdev",
"mcp"
],
"env": {
"API_KEY": "<YOUR_API_KEY>",
"API_URL": "optional__your_mobb_api_url_here"
}
}
}
}Configure Clients
Related MCP Servers
Discover more MCP servers with similar functionality and use cases
Zed
OfficialClientby zed-industries
Provides real-time collaborative editing powered by Rust, enabling developers to edit code instantly across machines with a responsive, GPU-accelerated UI.
Cline
Clientby cline
Provides autonomous coding assistance directly in the IDE, enabling file creation, editing, terminal command execution, browser interactions, and tool extension with user approval at each step.
Continue
Clientby continuedev
Provides continuous AI assistance across IDEs, terminals, and CI pipelines, offering agents, chat, inline editing, and autocomplete to accelerate software development.
GitHub MCP Server
by github
Enables AI agents, assistants, and chatbots to interact with GitHub via natural‑language commands, providing read‑write access to repositories, issues, pull requests, workflows, security data and team activity.
Goose
Clientby block
Automates engineering tasks by installing, executing, editing, and testing code using any large language model, providing end‑to‑end project building, debugging, workflow orchestration, and external API interaction.
Roo Code
OfficialClientby RooCodeInc
An autonomous coding agent that lives inside VS Code, capable of generating, refactoring, debugging code, managing files, running terminal commands, controlling a browser, and adapting its behavior through custom modes and instructions.
Mcp Agent
Clientby lastmile-ai
A lightweight, composable framework for building AI agents using Model Context Protocol and simple workflow patterns.
Firebase CLI
by firebase
Provides a command‑line interface to manage, test, and deploy Firebase projects, covering hosting, databases, authentication, cloud functions, extensions, and CI/CD workflows.
Gptme
Clientby gptme
Empowers large language models to act as personal AI assistants directly inside the terminal, providing capabilities such as code execution, file manipulation, web browsing, vision, and interactive tool usage.