Kira-Lite MCP Server

Real-time security scanning for AI coding assistants — by Offgrid Security

Kira-Lite catches vulnerabilities before code is written to disk. It integrates into your AI coding assistant via MCP (Model Context Protocol) and scans every code change for OWASP Top 10, CWEs, hardcoded secrets, and insecure patterns.

Why Kira-Lite

Security tools shouldn't live in a separate tab. Kira-Lite runs inside your AI coding assistant — the same place you write code. No context switching, no separate dashboards, no CI pipeline to wait for.

• Scans before code hits disk — vulnerabilities are caught and fixed in the same conversation
• Works where you already are — Claude Code, Cursor, Windsurf, or any MCP-compatible editor
• Zero config to start — one npx command, no API keys, no accounts
• Your code stays local — nothing is sent to external servers; all scanning happens on your machine

Quick Start

# Install globally
npm install -g @offgridsec/kira-lite-mcp

# Or run directly
npx @offgridsec/kira-lite-mcp

Setup

1. Register MCP Server (one-time, global)

Claude Code:

claude mcp add --scope user kira-lite -- npx -y @offgridsec/kira-lite-mcp

Cursor / Windsurf / Other MCP Clients:

Add to your MCP configuration:

{
  "kira-lite": {
    "command": "npx",
    "args": ["-y", "@offgridsec/kira-lite-mcp"]
  }
}

2. Per-Project Setup (Claude Code only)

After registering the MCP server, you also need to copy two files into each project where you want automatic scanning:

| File | What it does | |------|-------------| | CLAUDE.md | Tells Claude to call scan_code before every Edit/Write — without this, Claude won't scan automatically | | .claude/settings.local.json | Auto-allows the kira-lite MCP tools (no approval prompts) and adds a post-write hook as a safety net |

Without these files, the MCP tools are still available but Claude won't use them unless you ask manually.

New project (no existing CLAUDE.md or settings):

# macOS / Linux
cp $(npm root -g)/@offgridsec/kira-lite-mcp/config/CLAUDE.md .
mkdir -p .claude
cp $(npm root -g)/@offgridsec/kira-lite-mcp/config/settings.local.json .claude/settings.local.json

# Windows (PowerShell)
$pkg = (npm root -g) + "\@offgridsec\kira-lite-mcp"
Copy-Item "$pkg\config\CLAUDE.md" .
New-Item -ItemType Directory -Force .claude | Out-Null
Copy-Item "$pkg\config\settings.local.json" .claude\settings.local.json

Already have a CLAUDE.md or settings? See INSTALL.md for merge instructions (Scenarios B, C, D).

Cursor / Windsurf users: You do not need to copy these files. Those editors handle MCP tool instructions differently.

MCP Tools

| Tool | Description | |------|-------------| | scan_code | Scan a code snippet before writing to disk | | scan_file | Scan an existing file on disk. Auto-triggers dependency vulnerability scanning on lockfiles | | scan_diff | Compare original vs modified code — reports only NEW vulnerabilities | | scan_dependencies | Scan project dependencies for known CVEs via OSV.dev (supports 13 lockfile formats across 11 ecosystems) | | fix_vulnerability | Get fix guidance for a specific vulnerability ID or CWE | | get_config | View current Kira-Lite configuration | | set_config | Change scan frequency and other settings |

Configuration

Kira-Lite supports user-configurable scan frequency via ~/.kira-lite/config.json.

Scan Modes

| Mode | Behavior | |------|----------| | "every-edit" | Scan on every scan_code / scan_diff / scan_file call (default) | | "on-save" | Only scan via scan_file (file on disk); scan_code / scan_diff return instantly | | "manual" | All scans are skipped — you must explicitly request scans |

Change scan mode

Use the set_config MCP tool:

set_config({ scanMode: "on-save" })

Or create/edit ~/.kira-lite/config.json manually:

{
  "scanMode": "on-save"
}

Check current mode

get_config()

Note: The default mode is "every-edit", which preserves the original behavior when no config file exists.

How It Works

Kira-Lite ships with Kira-Core, a compiled Go binary that includes all 376 security rules and runs entirely on your machine. No external tools required.

| Platform | Kira-Core Support | |----------|------------------| | macOS (arm64, x64) | Bundled | | Linux (x64, arm64) | Bundled | | Windows (x64) | Bundled |

If Kira-Core is not available for your platform, Kira-Lite falls back to its built-in regex engine, which provides the same rule coverage.

Dependency Vulnerability Scanning

Kira-Lite scans your project's third-party dependencies for known CVEs using the OSV.dev database — the same data source behind Google's osv-scanner. No API keys, no accounts, no external tools required.

How It Works

1. Automatic — When scan_file is called on a lockfile, dependency scanning triggers automatically alongside the code scan
2. Manual — Call scan_dependencies with a project_path or lockfile_path for on-demand full scans

Supported Lockfiles

| Ecosystem | Lockfile | Languages | |-----------|----------|-----------| | npm | package-lock.json, yarn.lock, pnpm-lock.yaml | JavaScript, TypeScript | | PyPI | requirements.txt, Pipfile.lock | Python | | Go | go.sum | Go | | Maven | gradle.lockfile | Java, Kotlin | | crates.io | Cargo.lock | Rust | | RubyGems | Gemfile.lock | Ruby | | Packagist | composer.lock | PHP | | NuGet | packages.lock.json | C#, .NET, F# | | Pub | pubspec.lock | Dart, Flutter | | Hex | mix.lock | Elixir, Erlang |

What You Get

For each vulnerable dependency, Kira-Lite reports:

• Severity — Critical / High / Medium / Low (mapped from CVSS scores)
• Advisory ID — GHSA or OSV identifier
• CVE aliases — Associated CVE numbers
• Installed version — The version in your lockfile
• Fixed version — The minimum version that resolves the vulnerability
• Description — What the vulnerability is and how it can be exploited
• Remediation — Specific upgrade command to fix it

Example Output

## Kira-Lite Dependency Scan Results

**Packages scanned:** 142
**Vulnerable packages:** 2

#### [HIGH] [email protected] — Command Injection
- Advisory: GHSA-35jh-r3h4-6jhm (CVE-2021-23337)
- Fixed version: 4.17.21
- Fix: Upgrade lodash to >=4.17.21

#### [MEDIUM] [email protected] — Cross-Site Request Forgery
- Advisory: GHSA-wf5p-g6vw-rhxx (CVE-2023-45857)
- Fixed version: 1.6.0
- Fix: Upgrade axios to >=1.6.0

What It Detects

376 built-in rules across 15 languages/formats and 19 security categories, covering 45+ distinct CWEs.

At a Glance

| Metric | Count | |--------|-------| | Built-in regex rules | 376 | | Languages & formats | 15 | | Security categories | 19 | | CWEs covered | 45+ | | Secret detectors | 92 (30 core + 62 extended) | | Dependency ecosystems | 11 (npm, PyPI, Go, Maven, crates.io, RubyGems, Packagist, NuGet, Pub, Hex) | | Lockfile formats | 13 |

Severity Distribution

| Severity | Rules | Action | |----------|-------|--------| | Critical | ~145 | Block — do not write code (RCE, SQLi, hardcoded secrets, command injection) | | High | ~155 | Block — do not write code (XSS, SSRF, path traversal, privilege escalation) | | Medium | ~60 | Warn user (missing rate limiting, CORS issues, unpinned dependencies) | | Low | ~16 | Inform user (missing logging, verbose errors, debug flags) |

Standards Compliance

OWASP Top 10:2025

| OWASP ID | Category | Kira Coverage | |----------|----------|---------------| | A01 | Broken Access Control | BOLA/IDOR patterns, missing CSRF, mass assignment, CORS misconfiguration | | A02 | Security Misconfiguration | Debug mode, verbose errors, permissive CORS, default credentials | | A03 | Vulnerable & Outdated Components | Dependency CVE scanning via OSV.dev (13 lockfile formats, 11 ecosystems), unpinned dependencies, missing lockfile integrity, suspicious install scripts | | A04 | Cryptographic Failures | MD5/SHA1, ECB mode, hardcoded keys, Math.random for security, weak TLS | | A05 | Injection | SQL, command, XSS, SSTI, NoSQL, LDAP, header, log, ReDoS, SpEL injection | | A06 | Insecure Design | Fail-open patterns, missing auth checks, unrestricted file uploads | | A07 | Authentication Failures | Hardcoded credentials, missing rate limiting, JWT alg:none, insecure sessions | | A08 | Software & Data Integrity | Missing SRI hashes, unsigned CI/CD artifacts, unpinned GitHub Actions | | A09 | Logging & Monitoring Failures | Empty catch blocks, swallowed exceptions, sensitive data in logs | | A10 | Server-Side Request Forgery | User-controlled URLs in fetch/requests/axios without allowlist validation |

OWASP API Security Top 10

| API ID | Category | Kira Coverage | |--------|----------|---------------| | API1 | Broken Object Level Authorization | Direct object references without ownership validation | | API2 | Broken Authentication | Missing rate limiting on login, insecure token storage | | API3 | Broken Object Property Level Authorization | Mass assignment (Object.assign/spread from req.body) | | API4 | Unrestricted Resource Consumption | Missing pagination, GraphQL depth/complexity limits | | API5 | Broken Function Level Authorization | Missing auth middleware on endpoints | | API6 | Unrestricted Access to Sensitive Business Flows | Missing rate limiting on API routes | | API7 | Server-Side Request Forgery | SSRF via user-controlled URLs | | API8 | Security Misconfiguration | CORS wildcards, GraphQL introspection in production | | API9 | Improper Inventory Management | API keys in URLs instead of headers | | API10 | Unsafe Consumption of APIs | Disabled TLS verification, missing certificate validation |

OWASP LLM Top 10:2025

| LLM ID | Category | Kira Coverage | |--------|----------|---------------| | LLM01 | Prompt Injection | User input concatenated into prompt templates | | LLM02 | Insecure Output Handling | LLM output passed to eval/exec/SQL/shell, rendered as raw HTML | | LLM04 | Data and Model Poisoning | Unvalidated external content in embeddings | | LLM06 | Excessive Agency | Unrestricted tool access in function-calling agents |

Ref: CVE-2025-53773 (GitHub Copilot RCE, CVSS 9.6)

Security Categories

| Category | Rules | What It Catches | |----------|-------|-----------------| | Injection | 45 | SQL injection, command injection, XSS, SSTI, NoSQL injection, LDAP injection, header injection, log injection, ReDoS, Expression Language injection | | Secrets & Credentials | 93 | AWS, GitHub, GitLab, Slack, Stripe, Google, SendGrid, Twilio, npm, PyPI, Docker Hub, OpenAI, Anthropic, Azure (Storage, DevOps, SAS, App Config), Heroku, Supabase, Firebase, private keys, JWTs, connection strings, generic API keys, + 63 extended detectors: Groq, HuggingFace, Replicate, xAI/Grok, DeepSeek, ElevenLabs, Cohere (AI/ML); GCP Service Account, DigitalOcean, Fly.io, Vercel, Netlify, Alibaba Cloud (Cloud); CircleCI, Buildkite, Terraform Cloud, Pulumi, Drone, Travis (CI/CD); Discord, Telegram, Teams, Postmark, MessageBird, Vonage (Comms); PayPal, Square, Razorpay (Payments); Datadog, New Relic, Grafana, Sentry, PagerDuty, Splunk, Honeycomb, Logz.io (Monitoring); HashiCorp Vault, Portainer, ngrok (Infra); Shopify, Atlassian/Jira, Confluent, Okta, Auth0, Linear, Notion, Figma, Asana, Airtable, Bitbucket, NuGet, RubyGems (SaaS) | | Cryptography | 22 | MD5, SHA1, DES, ECB mode, Math.random/rand() for security, disabled TLS verification, weak TLS versions, timing attacks on secret comparison, hardcoded keys/IVs | | Deserialization | 15 | pickle, yaml.load, Marshal, shelve, dill, Java ObjectInputStream, XMLDecoder, PHP unserialize, BinaryFormatter (.NET), node-serialize | | Authentication & Sessions | 12 | JWT alg:none, missing cookie flags (HttpOnly/Secure/SameSite), OAuth implicit flow, missing CSRF protection, missing rate limiting on login, insecure random for tokens | | Supply Chain | 13 + OSV | Unpinned GitHub Actions (CVE-2025-30066), suspicious postinstall scripts, obfuscated install hooks, lockfile manipulation, unpinned dependencies, self-hosted runner risks, + dependency CVE scanning via OSV.dev across 11 ecosystems | | CI/CD Pipeline | 13 | Missing SHA pinning, pwn requests (pull_request_target), secrets in logs, script injection via github.event, curl|bash, overly permissive permissions, unsafe GITHUB_ENV writes, cache poisoning | | Container Security | 13 | Unpinned base images, running as root, ADD vs COPY, secrets in ENV/ARG, Docker socket mounts, privileged mode, missing HEALTHCHECK, sensitive port exposure | | Kubernetes | 18 | Privileged containers, host namespaces, dangerous capabilities (ALL/SYS_ADMIN/NET_RAW), missing resource limits, sensitive hostPath mounts, cluster-admin RBAC, wildcard permissions, hardcoded secrets in pod specs | | Infrastructure as Code | 18 | Public S3 buckets, open security groups, IAM wildcards, missing encryption (EBS/RDS/state), publicly accessible databases, hardcoded provider credentials, overly permissive Lambda roles | | API Security | 10 | BOLA/IDOR patterns, mass assignment, CORS misconfiguration, GraphQL introspection/depth/complexity, missing pagination, API keys in URLs | | AI/LLM Security | 4 | LLM output executed as code (ref: CVE-2025-53773), XSS via AI output, SQL injection via AI output, prompt injection | | Frontend & Browser | 10 | postMessage without origin check, localStorage for tokens, open redirects, Vue v-html, clickjacking, WebSocket hijacking (CSWSH), double encoding bypass, Unicode normalization | | File Operations | 8 | Path traversal, unrestricted file upload, symlink attacks, predictable temp files, world-writable permissions (chmod 777) | | Memory Safety (C/C++) | 17 | Buffer overflow (gets/strcpy/strcat/sprintf/scanf), format string vulnerabilities, integer overflow, use-after-free, dangerous functions, TOCTOU race conditions | | Encoding & Canonicalization | 3 | Double URL encoding bypass, Unicode normalization attacks, HTTP parameter pollution | | Race Conditions | 4 | TOCTOU in file operations, goroutine data races, check-then-act without locking | | Error Handling | 4 | Empty catch blocks, swallowed exceptions, missing set -e in shell, discarded error returns in Go | | Information Disclosure | 5 | Debug mode in production (Flask/Django/Rails), phpinfo(), verbose error pages, logging sensitive data |

Framework-Specific Coverage

Kira-Lite includes rules tailored to popular frameworks, catching misconfigurations that generic scanners miss:

| Framework | Key Detections | |-----------|---------------| | Django | DEBUG=True in production, hardcoded SECRET_KEY, CSRF exemptions, mass assignment (exclude vs fields), ALLOWED_HOSTS wildcard | | Flask | Debug mode enabled, hardcoded secret key, missing CSRF protection | | Spring | CSRF disabled, permitAll on sensitive endpoints, SpEL injection | | Rails | Hardcoded secret_key_base, debug breakpoints (binding.pry, byebug), permit! mass assignment | | Express.js | Missing helmet/CORS middleware, prototype pollution, NoSQL injection via req.body | | ASP.NET | Html.Raw XSS, BinaryFormatter deserialization, SqlCommand injection, disabled request validation | | Vue.js | v-html directive with dynamic content (XSS) | | React | dangerouslySetInnerHTML with unsanitized input |

Languages & Formats

| Language | Built-in Rules | Key Detections | |----------|---------------|----------------| | JavaScript / TypeScript | 144 | SQLi, XSS, command injection, prototype pollution, JWT misconfig, SSRF, NoSQL injection, CORS, eval, insecure random, timing attacks, GraphQL, OAuth, WebSocket, LLM output execution, prompt injection, supply chain, 93 secret detectors | | Python | 134 | SQLi, command injection, eval/exec, pickle/yaml/marshal deserialization, SSTI, SSRF, Django (CSRF, mass assignment, DEBUG, SECRET_KEY), Flask debug/secret, disabled TLS (verify=False), insecure random, XXE, temp file races, CORS, 93 secret detectors | | YAML (K8s, CI/CD, Docker Compose) | 124 | Privileged containers, host namespaces, dangerous capabilities, RBAC wildcards, hostPath mounts, unpinned GitHub Actions, pwn requests, secrets in logs, script injection, permissions, 93 secret detectors | | Java | 112 | SQLi, XXE, deserialization (ObjectInputStream, XMLDecoder), command injection, SSRF, weak crypto, LDAP injection, Spring Security (CSRF, permitAll), SpEL injection, disabled TLS, log injection, 93 secret detectors | | Ruby | 110 | SQLi, command injection, eval/send/constantize, mass assignment (permit!), YAML.load/Marshal.load, XSS (html_safe, raw), SSRF, CSRF skip, open redirect, hardcoded secret_key_base, 93 secret detectors | | Go | 109 | SQLi, command injection, path traversal, SSRF, weak crypto, insecure random, disabled TLS (InsecureSkipVerify), template injection, race conditions, unchecked errors, unsafe pointer, 93 secret detectors | | C# | 109 | SQLi (SqlCommand, EF Core), XSS (Html.Raw), command injection, path traversal, XXE, BinaryFormatter deserialization, weak crypto, disabled TLS, LDAP injection, CORS, mass assignment, open redirect, 93 secret detectors | | PHP | 106 | SQLi, command injection (system/exec/backticks), eval, LFI/RFI (include with user input), XSS, unserialize, extract(), file upload, deprecated mysql_*, SSRF, XXE, phpinfo(), 93 secret detectors | | Shell / Bash | 105 | eval injection, unquoted variables, curl|bash, chmod 777, predictable temp files, hardcoded credentials, SSH host key bypass, SQL in shell, missing set -e, 93 secret detectors | | JSON | 95 | Hardcoded secrets, IAM policy wildcards, suspicious install scripts in package.json, 93 secret detectors | | Terraform / HCL | 85 | Public S3 buckets, open security groups, IAM wildcards, missing encryption, publicly accessible RDS, hardcoded credentials in provider blocks, 93 secret detectors | | C / C++ | 84 | Buffer overflow (gets, strcpy, sprintf, scanf), format string, integer overflow, use-after-free, command injection (system, popen), insecure random, TOCTOU, 93 secret detectors | | Dockerfile | 78 | Unpinned base images, running as root, ADD vs COPY, secrets in ENV/ARG, Docker socket mount, curl|bash, sensitive ports, 93 secret detectors | | Rust | 67 | Secrets detection (93 detectors: API keys, private keys, connection strings, credentials, AI/ML tokens, cloud provider keys, CI/CD tokens, SaaS tokens) | | HTML | 1 | Hardcoded Google API keys |

CWE Coverage

The built-in rules map to 50+ distinct CWEs, including:

| CWE | Description | Rules | |-----|-------------|-------| | CWE-798 | Hardcoded Credentials | 90+ | | CWE-89 | SQL Injection | 15+ | | CWE-78 | OS Command Injection | 14+ | | CWE-327 | Weak Cryptography | 12+ | | CWE-502 | Insecure Deserialization | 12+ | | CWE-250 | Execution with Unnecessary Privileges | 10+ | | CWE-79 | Cross-Site Scripting (XSS) | 8+ | | CWE-94 | Code Injection | 8+ | | CWE-295 | Improper Certificate Validation | 7+ | | CWE-918 | Server-Side Request Forgery (SSRF) | 7+ | | CWE-22 | Path Traversal | 6+ | | CWE-829 | Inclusion of Untrusted Functionality | 6+ | | CWE-338 | Insecure PRNG | 5+ | | CWE-120 | Buffer Overflow | 5+ | | CWE-269 | Improper Privilege Management | 5+ | | CWE-284 | Improper Access Control | 5+ | | CWE-611 | XML External Entity (XXE) | 4+ | | CWE-352 | Cross-Site Request Forgery (CSRF) | 3+ | | CWE-1321 | Prototype Pollution | 2+ | | CWE-134 | Format String Vulnerability | 1+ | | CWE-190 | Integer Overflow | 1+ | | CWE-416 | Use After Free | 1+ |

Development

npm install
npm run build
npm run dev    # watch mode

Privacy

Kira-Lite collects anonymous, non-personalized telemetry (tool usage stats, rule IDs, scan durations). No source code, file paths, or personal data is ever collected.

Opt out by setting KIRA_TELEMETRY=off in your environment.

See PRIVACY.md for full details.

License

Elastic License 2.0 (ELv2) — Offgrid Security