harness-code-security-mcp
v0.1.0
Published
Qwiet / Harness SAST & SCA MCP server (stdio)
Maintainers
Readme
Harness Code Security MCP
harness-code-security-mcp is the Qwiet AI by Harness MCP server for agent-driven security workflows:
- run
sl analyze - list and triage findings
- fetch data flows
- request and apply Qwiet AutoFix recommendations
- look up package CVEs
The npm package ships a bundled stdio MCP runtime and a small launcher. It is a proprietary runtime distribution, not a source-code distribution. The launcher is the public harness-code-security-mcp binary; it checks for a newer npm-published runtime at startup at most once per day and falls back to the bundled runtime if the update check fails.
Install
npm install -g harness-code-security-mcpThen configure your agent MCP server to run:
{
"mcpServers": {
"harness-code-security-mcp": {
"command": "harness-code-security-mcp",
"env": {
"QWIET_API_HOST": "app.shiftleft.io",
"SL_HOME": "${HOME}/.shiftleft"
}
}
}
}Credentials
Run sl auth first so ~/.shiftleft/config.json contains orgId and accessToken.
The MCP server can install or update the Qwiet CLI under ~/.shiftleft through the sl_ensure_cli tool. Code analysis runs locally through sl analyze; scan results upload to Qwiet AI by Harness.
Launcher Controls
harness-code-security-mcp --no-auto-updatedisables startup update checks.harness-code-security-mcp --version-pin x.y.zruns a specific npm package version from the launcher's local cache.harness-code-security-mcp --debugprints launcher diagnostics to stderr.
The launcher never writes progress to stdout during normal MCP operation; stdout is reserved for MCP JSON-RPC.
