Feature-rich MCP server for Black Duck Polaris — trigger SAST/SCA/DAST scans, query findings, generate reports (SBOM, SPDX, CycloneDX), manage policies, triage issues, and more. Works with Claude Code, Claude Desktop, GitHub Copilot, Cursor, and any MCP-compatible AI tool.
Package Exports
blackduck-polaris-mcp-server
blackduck-polaris-mcp-server/build/index.js
This package does not declare an exports field, so the exports above have been automatically detected and optimized by JSPM instead. If any package subpath is missing, it is recommended to post an issue to the original package (blackduck-polaris-mcp-server) to support the "exports" field. If that is not possible, create a JSPM override to customize the exports field for this package.
Readme
blackduck-polaris-mcp-server
The most comprehensive MCP (Model Context Protocol) server for Black Duck Polaris. Trigger SAST/SCA/DAST scans, query findings, triage issues, generate and download reports (SBOM, SPDX, CycloneDX), manage policies, and more — all from your AI coding assistant.
Works With
Claude Code | Claude Desktop | GitHub Copilot | Cursor | Windsurf | VS Code (MCP extensions) | any MCP-compatible AI tool
Quick Start
Prerequisites
You need a Polaris API token. Generate one at Profile > Account > Access Tokens in your Polaris instance.
Claude Code
claude mcp add blackduck-polaris -ePOLARIS_URL=https://your-instance.polaris.blackduck.com -ePOLARIS_API_TOKEN=your-token -- npx blackduck-polaris-mcp-server
You: Trigger a SAST and SCA scan on the main branch of project X
AI: [calls polaris_trigger_scan] Scan triggered, test ID: abc-123
You: Check the scan status
AI: [calls polaris_get_test] Status: COMPLETED. 12 new issues found.
You: Show me the critical issues
AI: [calls polaris_list_issues with severity filter] Found 3 critical issues...
You: Show me the code for the first one
AI: [calls polaris_get_occurrence_snippet] Here's the vulnerable code at line 42...
You: Get remediation advice
AI: [calls polaris_get_remediation] Black Duck Assist suggests...
Generate a compliance report
You: Generate an SPDX report for application Y
AI: [calls polaris_generate_report] Report queued, ID: rpt-456
You: Is it ready?
AI: [calls polaris_get_report_status] Status: COMPLETED
You: Download it
AI: [calls polaris_download_report] Here's your SPDX v2.3 report...
Export issues to Jira
You: Show me all high-severity SAST issues
AI: [calls polaris_list_issues] Found 8 high-severity SAST issues
You: Export the first 3 to Jira
AI: [calls polaris_export_issues_to_tracker] 3 issues exported to Jira
Comparison with Existing MCP Servers
Feature
This Server
mtgibbs/polaris-mcp
@black-duck/mcp-server
Portfolio navigation
Full CRUD
Read only
-
Issue querying
RSQL filters
Basic
-
Issue triage
Dismiss/assign/severity
-
-
AI remediation
Read + feedback
Read only
-
Trigger scans
SAST/SCA/DAST
-
Local only
Report generation
14 types
-
-
Report download
PDF/JSON/XML
-
-
Policy management
Full CRUD
-
-
SCM integration
Full
-
-
Bug tracker export
Jira/ADO
-
-
Audit logs
Query + CSV export
-
-
IAM
Users/groups/tokens
-
-
Notifications
Preferences
-
-
Total tools
66
~10
~3
Environment Variables
Variable
Required
Description
POLARIS_URL
Yes
Your Polaris instance URL (e.g., https://polaris.blackduck.com)
POLARIS_API_TOKEN
Yes
API token from Profile > Account > Access Tokens
Development
git clone https://github.com/your-username/blackduck-polaris-mcp-server.git
cd blackduck-polaris-mcp-server
npminstallnpm run build
npm start