ExploitIQ MCP Server
MCP server for the ExploitIQ/Agent Morpheus vulnerability analysis platform.
Enables AI coding assistants (Claude Code, Cursor, Windsurf, etc.) to submit analyses, manage reports, and view results.
Also available as a Claude Code plugin with workflow skills for guided analysis, report management, and product management.
Setup
git clone --recurse-submodules https://github.com/RHEcosystemAppEng/exploitiq-mcp-server.git
cd exploitiq-mcp-server
npm install
npm run build
Usage
As a Claude Code Plugin (recommended)
Install as a Claude Code plugin to get both the MCP server connection and workflow skills:
# 1. Add the marketplace
/plugin marketplace add https://github.com/RHEcosystemAppEng/exploitiq-mcp-server.git
# 2. Install the plugin
/plugin install exploitiq-plugin@exploitiq-marketplace
This registers:
- The MCP server (connects to $EXPLOITIQ_MCP_URL or http://localhost:3000/mcp by default)
- Three workflow skills: /exploitiq-plugin:exploitiq-analyze, /exploitiq-plugin:exploitiq-reports, /exploitiq-plugin:exploitiq-products
The plugin is defined in .claude-plugin/plugin.json and the marketplace entry in .claude-plugin/marketplace.json. Skills are located in skills/ with one SKILL.md per workflow.
Set the EXPLOITIQ_MCP_URL environment variable to point to your MCP server instance:
export EXPLOITIQ_MCP_URL=https://exploitiq-mcp-server-<namespace>.apps.<cluster-domain>/mcp
As a Standalone MCP Server
Use this approach when you don't need the plugin skills, or when connecting from clients other than Claude Code.
Local (stdio)
Add to ~/.claude/settings.json:
{
  "mcpServers": {
    "exploitiq": {
      "command": "node",
      "args": ["/path/to/exploitiq-mcp-server/dist/index.js"],
      "env": {
        "EXPLOITIQ_CLIENT_URL": "http://localhost:8080"
      }
    }
  }
}
Or via CLI:
claude mcp add exploitiq -- node /path/to/exploitiq-mcp-server/dist/index.js
Remote (streamable-http)
Start the server:
EXPLOITIQ_CLIENT_URL=http://localhost:8080 node dist/http.js
With TLS:
EXPLOITIQ_CLIENT_URL=http://localhost:8080 \
EXPLOITIQ_MCP_SERVER_TLS_CERT=/path/to/cert.pem \
EXPLOITIQ_MCP_SERVER_TLS_KEY=/path/to/key.pem \
node dist/http.js
Connect from Claude Code:
claude mcp add --transport http exploitiq http://localhost:3000/mcp
With TLS:
claude mcp add --transport http exploitiq https://localhost:3000/mcp
OpenShift (cluster deployment)
Deploy to OpenShift using the manifest in deploy/exploitiq_mcp_server.yaml (or via the kustomize overlay in vulnerability-analysis/kustomize). The MCP server is exposed via an edge-TLS Route. Backend API auth uses the auto-detected ServiceAccount token.
Connect from Claude Code using the Route URL:
claude mcp add --transport http exploitiq \
https://exploitiq-mcp-server-<namespace>.apps.<cluster-domain>/mcp
For example:
claude mcp add --transport http exploitiq \
https://exploitiq-mcp-server-exploit-iq-testings.apps.ai-dev03.kni.syseng.devcluster.openshift.com/mcp
Or add to ~/.claude/settings.json:
{
  "mcpServers": {
    "exploitiq": {
      "type": "streamable-http",
      "url": "https://exploitiq-mcp-server-exploit-iq-testings.apps.ai-dev03.kni.syseng.devcluster.openshift.com/mcp"
    }
  }
}
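An added example (not code from this repository): a Node.js check over the mcpServers shape shown above that flags entries whose remote url or EXPLOITIQ_CLIENT_URL uses cleartext HTTP to a non-loopback host, where access tokens would travel unprotected. The function names, the sample hostnames and the loopback allowance are assumptions made for illustration.

```javascript
// Added example: audit a Claude Code settings object for MCP entries that
// would send traffic in cleartext to a non-loopback host.
const LOOPBACK = new Set(["localhost", "127.0.0.1", "[::1]"]);

// Returns a finding string for an unparsable or cleartext non-loopback URL,
// or null when the URL is https or plain http to a loopback host.
function checkUrl(label, raw) {
  let u;
  try {
    u = new URL(raw);
  } catch {
    return `${label}: not a valid URL (${raw})`;
  }
  if (u.protocol === "https:") return null;
  if (u.protocol === "http:" && LOOPBACK.has(u.hostname)) return null;
  return `${label}: ${u.protocol}//${u.host} is not TLS-protected`;
}

// Walks the mcpServers map in the shape shown in this README:
// remote entries carry `url`; stdio entries carry `command`/`args`/`env`.
function auditMcpServers(settings) {
  const findings = [];
  for (const [name, entry] of Object.entries(settings.mcpServers ?? {})) {
    if (typeof entry.url === "string") {
      findings.push(checkUrl(`${name}.url`, entry.url));
    }
    const backend = entry.env?.EXPLOITIQ_CLIENT_URL;
    if (typeof backend === "string") {
      findings.push(checkUrl(`${name}.env.EXPLOITIQ_CLIENT_URL`, backend));
    }
  }
  return findings.filter(Boolean);
}

// Constructed sample input (hostnames are placeholders, not real deployments).
const sample = {
  mcpServers: {
    local: { command: "node", args: ["/path/to/dist/index.js"],
             env: { EXPLOITIQ_CLIENT_URL: "http://localhost:8080" } },
    route: { type: "streamable-http", url: "https://mcp.example.test/mcp" },
    weak: { type: "streamable-http", url: "http://mcp.example.test:3000/mcp" },
    weakBackend: { command: "node", args: ["/path/to/dist/index.js"],
                   env: { EXPLOITIQ_CLIENT_URL: "http://backend.example.test:8080" } },
  },
};

console.log(auditMcpServers(sample));
```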
Authentication
OAuth/OIDC
The MCP server acts as an OAuth intermediary: MCP clients (Claude Code, Cursor, etc.) register
with the server via Dynamic Client Registration, and the server proxies authorization to the
upstream OIDC provider using its own pre-registered credentials.
With OAuth enabled (after creating the OAuthClient CR), the same connection configuration works -- Claude Code will open a browser for OpenShift login on first use and refresh tokens automatically.
Verified with Claude Code. Cursor should also work but has not been tested. Other MCP clients (ChatGPT, Windsurf, GitHub Copilot, Gemini CLI) may work but are untested.
Setup
- Register a client with your OIDC provider:
OpenShift -- create an OAuthClient CR:
export OAUTH_CLIENT_SECRET=$(oc get oauthclient exploit-iq-client -o jsonpath='{..secret}')
# Or generate a new secret: export OAUTH_CLIENT_SECRET=$(openssl rand -base64 32)
export MCP_ROUTE=$(oc get route exploitiq-mcp-server -o jsonpath='{.spec.host}')
oc create -f - <<EOF
apiVersion: oauth.openshift.io/v1
kind: OAuthClient
metadata:
  name: exploitiq-mcp-server
grantMethod: prompt
secret: $OAUTH_CLIENT_SECRET
redirectURIs:
  - "https://${MCP_ROUTE}/oauth/callback"
EOF