
codebadger

A containerized Model Context Protocol (MCP) server providing static code analysis using Joern's Code Property Graph (CPG) with support for Java, C/C++, JavaScript, Python, Go, Kotlin, C#, Ghidra, Jimple, PHP, Ruby, and Swift.

Installation
Run this command in your terminal to add the MCP server to Claude Code.
claude mcp add --transport stdio lekssays-codebadger python main.py \
  --env MCP_HOST="0.0.0.0" \
  --env MCP_PORT="4242" \
  --env QUERY_TIMEOUT="30" \
  --env JOERN_JAVA_OPTS="-Xmx4G -Xms2G -XX:+UseG1GC -Dfile.encoding=UTF-8" \
  --env QUERY_CACHE_TTL="300" \
  --env MAX_REPO_SIZE_MB="500" \
  --env JOERN_BINARY_PATH="joern" \
  --env QUERY_CACHE_ENABLED="true" \
  --env CPG_GENERATION_TIMEOUT="600"

How to use

codebadger is an MCP server that provides static code analysis using Joern's Code Property Graph (CPG) technology. It exposes a set of tools for codebase ingestion, CPG generation, querying, and code navigation across multiple languages including Java, C/C++, JavaScript, Python, Go, Kotlin, C#, and more. You can generate a CPG from a local path or a GitHub URL, inspect the resulting graph with CPGQL queries, browse code structure (files, methods, call graphs), and perform taint and vulnerability analyses to find potential issues.

The server is intended to be run alongside a Joern service (containerized via Docker) and a Python-based MCP interface that exposes endpoints for these capabilities. To use, start Joern services with Docker, then run the MCP server (python main.py) and access it at http://localhost:4242/mcp.

Tools like generate_cpg, get_cpg_status, run_cpgql_query, and get_cfg are available for interactions, along with code browsing, semantic analysis, taint analysis, and export/reporting functions. Integrations for editors and assistants (e.g., GitHub Copilot and Claude) are supported through configured mcp.json or claude_desktop_config.json entries that point to http://localhost:4242/mcp.

How to install

Prerequisites:

  • Docker and Docker Compose installed
  • Python 3.10+ (Python 3.13 recommended)
  • pip (Python package manager)

Installation steps:

  1. Clone or download the repository and navigate to the project folder.
  2. (Optional) Create and activate a Python virtual environment:
       python -m venv venv
       # On Windows:
       venv\Scripts\activate
       # On macOS/Linux:
       source venv/bin/activate
  3. Install Python dependencies:
       pip install -r requirements.txt
  4. Start Joern (via Docker Compose):
       docker compose up -d
  5. Start the MCP server:
       python main.py &
  6. Verify the MCP server is running by visiting http://localhost:4242/mcp or by checking logs:
       curl http://localhost:4242/mcp/health
  7. Optional: Use the provided cleanup script to reset the environment:
       bash cleanup.sh

Note: Ensure Docker, Docker Compose, and Python are installed and accessible in your environment before starting. The MCP server relies on environment variables to configure host/port, Joern, and CPG generation settings as described in the Configuration section.

Additional notes

Tips and common considerations:

  • The MCP server relies on a running Joern service; ensure Joern is accessible via the configured JOERN_BINARY_PATH inside the container or host environment.
  • You can override settings using environment variables or a config.yaml-based approach as documented in the repository; common vars include MCP_HOST, MCP_PORT, CPG_GENERATION_TIMEOUT, and QUERY_TIMEOUT.
  • If you encounter issues with long CPG generation times, adjust CPG_GENERATION_TIMEOUT and ensure sufficient resources are allocated to the container/host.
  • If you use the Claude or Copilot integrations, ensure the URLs in their config files point to http://localhost:4242/mcp and that the MCP server is reachable from the integration host.
  • The cleanup.sh script helps reset Docker containers, kill stray processes, and clear Python caches; run as needed during development.
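  • For production deployment, consider placing the MCP server behind a reverse proxy and securing it with appropriate authentication and TLS as needed. The default MCP_HOST of 0.0.0.0 makes the server listen on all network interfaces, not only localhost.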
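
A pre-flight check for the settings named above, as an added example that is not part of the codebadger project: it flags a wildcard MCP_HOST and malformed values such as a stray "(default)" suffix. The function name, the accepted value formats and the true/false rule for QUERY_CACHE_ENABLED are assumptions, not the server's own validation.

```python
import ipaddress

# Integer-valued settings named on this page.
INT_SETTINGS = ("MCP_PORT", "QUERY_TIMEOUT", "QUERY_CACHE_TTL",
                "MAX_REPO_SIZE_MB", "CPG_GENERATION_TIMEOUT")

def check_env(env):
    """Return (level, message) findings for a dict of codebadger settings."""
    findings = []
    host = env.get("MCP_HOST", "0.0.0.0")  # the page lists 0.0.0.0 as the default
    try:
        addr = ipaddress.ip_address(host)
        if addr.is_unspecified:
            findings.append(("warn", f"MCP_HOST={host} listens on every interface; "
                             "use 127.0.0.1 unless a proxy with auth and TLS fronts it"))
        elif not addr.is_loopback:
            findings.append(("warn", f"MCP_HOST={host} is reachable from the network"))
    except ValueError:
        # Not an IP literal: reject empty or whitespace-bearing values, and ask
        # for a manual check on hostnames (assumption: hostnames are accepted).
        if not host or any(c.isspace() for c in host):
            findings.append(("error", f"MCP_HOST={host!r} is not a valid host"))
        elif host != "localhost":
            findings.append(("warn", f"MCP_HOST={host} is a hostname; "
                             "confirm which interface it resolves to"))
    for name in INT_SETTINGS:
        if name not in env:
            continue  # unset values fall back to the server's own defaults
        raw = env[name]
        if not (raw.isascii() and raw.isdigit()) or int(raw) == 0:
            findings.append(("error", f"{name}={raw!r} must be a positive integer"))
        elif name == "MCP_PORT" and int(raw) > 65535:
            findings.append(("error", f"MCP_PORT={raw} is outside 1-65535"))
    flag = env.get("QUERY_CACHE_ENABLED", "true")
    if flag.lower() not in ("true", "false"):  # assumption: boolean strings only
        findings.append(("error", f"QUERY_CACHE_ENABLED={flag!r} must be true or false"))
    return findings

if __name__ == "__main__":
    import os
    for level, message in check_env(dict(os.environ)):
        print(f"{level}: {message}")
```

Run it in the same shell that will start python main.py so it sees the environment the server will inherit.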
