MCP Server
qtz-discovery-cli mcp serve starts a Model Context Protocol (MCP) server,
exposing all scan commands as tools that AI assistants (Claude Desktop, Cursor, Windsurf, etc.)
can call directly. Ask your AI to scan your codebase for quantum vulnerabilities without
leaving your editor.
Usage
qtz-discovery-cli mcp serve [--addr ADDRESS] [--transport TYPE]
# stdio transport — default, for Claude Desktop / Cursor
qtz-discovery-cli mcp serve
# SSE transport — listen on localhost (default when --addr is set)
qtz-discovery-cli mcp serve --addr 127.0.0.1:8080
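# Streamable HTTP transport (MCP 2025-03-26 spec). 0.0.0.0 listens on all interfaces and the HTTP transport is unauthenticated by default: put it behind an authenticating reverse proxy.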
qtz-discovery-cli mcp serve --addr 0.0.0.0:8080 --transport streamable-http
Flags
| Flag | Default | Description |
| --addr | — | Address to listen on for HTTP transport (e.g. 127.0.0.1:8080). When omitted, stdio is used. |
| --transport | sse | HTTP transport variant when --addr is set: sse or streamable-http. Ignored for stdio. |
| --cors | false | Add CORS headers to streamable-HTTP responses (required for browser-based clients such as Claude.ai web). |
| --tls-cert | — | Path to TLS certificate file for HTTPS (streamable-http only). |
| --tls-key | — | Path to TLS private key file for HTTPS (streamable-http only). |
| --base-url | — | Base URL advertised to SSE clients (e.g. https://qtz.example.com) — use when running behind an HTTPS reverse proxy. |
Transport endpoints
| Transport | Endpoint | Notes |
| stdio | stdin / stdout | Default. Use for Claude Desktop, Cursor, Windsurf. |
| sse | GET /sse · POST /message | Legacy SSE transport. |
| streamable-http | /mcp | Modern transport (MCP spec 2025-03-26). |
Claude Desktop Configuration
Add the following to your Claude Desktop configuration file:
- macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
- Windows: %APPDATA%\Claude\claude_desktop_config.json
{
  "mcpServers": {
    "qtz": {
      "command": "/path/to/qtz-discovery-cli",
      "args": ["mcp", "serve"],
      "env": {
        "QTZ_SERVER_URL": "https://your-portal-url",
        "QTZ_SERVER_ORG_ID": "your-org-id",
        "QTZ_SERVER_API_KEY": "your-api-key"
      }
    }
  }
}
Restart Claude Desktop after saving. You will see a qtz tool group appear in the tool picker.
Cursor / Windsurf Configuration
Add to your project's .cursor/mcp.json or .windsurf/mcp.json:
{
  "servers": {
    "qtz": {
      "type": "stdio",
      "command": "/path/to/qtz-discovery-cli",
      "args": ["mcp", "serve"]
    }
  }
}
Available MCP Tools
Tools marked experimental require --experimental when starting the server:
qtz-discovery-cli mcp serve --experimental
| Tool | Description |
| scan_source | AI-driven SAST + SCA of a local directory or remote Git URL. Detects hardcoded keys, weak algorithms, and vulnerable library usage across all file types. |
| upload_findings | Upload scan results (JSON) to the Quantizant portal for AI risk scoring and compliance reporting. |
| get_usage | Fetch LLM token usage summary from the connected Quantizant service. |
| scan_network (experimental) | Analyze TLS/SSH endpoints for cipher suite strength, certificate quality, and quantum-risk scoring. |
| scan_iac (experimental) | Scan Terraform, CloudFormation, and Pulumi configurations for cryptographic resource declarations. |
| scan_infra (experimental) | Inventory cloud KMS/HSM keys — AWS KMS, GCP KMS, Azure Key Vault, HashiCorp Vault. |
| scan_runtime (experimental) | Inspect live processes, containers, and images for in-memory crypto assets. Supports eBPF tracing, OS trust store auditing, and registry inspection. |
scan_source parameters
| Parameter | Type | Description |
| path | string (required) | Local path or remote Git URL to scan. |
| sast | boolean | Enable SAST regex-based scanning (default: true). |
| sca | boolean | Enable SCA dependency scanning (default: true). |
| llm | boolean | Enable AI-driven deep analysis (requires server_url + api_key). |
| llm_quality | string | Analysis depth: auto (default), fast, deep, chain. |
| scan_budget_usd | number | Max USD for LLM analysis (0 = unlimited). System auto-selects depth per file within budget. |
| format | string | Output format: json (default), cyclonedx, sarif. |
| branch | string | Git branch to scan for remote URLs (default: main). |
| min_severity | string | Minimum severity to report: critical, high, medium, low, info. |
| server_url | string | qtz-discovery service URL for LLM proxy and upload. |
| org_id | string | Organization ID for server authentication. |
| api_key | string | API key for server authentication. |
| resume | boolean | Resume a previously interrupted LLM scan (skips already-analyzed files). |
| llm_max_files | number | Max source files sent to LLM per scan (0 = unlimited, default: 50). |
| llm_batch_size | number | File chunks per LLM server request (default: 10). |
| llm_chunk_window | number | Lines per chunk for large-file splitting (default: 300). |
| llm_chunk_overlap | number | Overlap lines between adjacent chunks (default: 50, 0 = none). |
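A pre-flight policy check for `scan_source` calls, for instance in a wrapper that sits between the assistant and the server. This is an added example, not Quantizant code: `review_scan_source_call`, the 5 USD cap and the rule against passing `api_key` as a tool argument are assumptions. The enum values and the 0 = unlimited semantics come from the table above, and the request uses the standard MCP `tools/call` JSON-RPC shape.

```python
# Enumerated values copied from the scan_source parameter table above.
ENUMS = {
    "llm_quality": {"auto", "fast", "deep", "chain"},
    "format": {"json", "cyclonedx", "sarif"},
    "min_severity": {"critical", "high", "medium", "low", "info"},
}
SECRET_ARGS = {"api_key"}  # assumed policy: secrets come from the server environment

def review_scan_source_call(request: dict, max_budget_usd: float = 5.0) -> list[str]:
    """Return policy violations for one MCP tools/call request (hypothetical policy)."""
    params = request.get("params", {})
    if request.get("method") != "tools/call" or params.get("name") != "scan_source":
        return ["not a scan_source tools/call request"]
    args = params.get("arguments", {})
    problems = []
    if not isinstance(args.get("path"), str) or not args["path"]:
        problems.append("path is required and must be a non-empty string")
    for key, allowed in ENUMS.items():
        if key in args and args[key] not in allowed:
            problems.append(f"{key}={args[key]!r} is not one of {sorted(allowed)}")
    for key in SECRET_ARGS & args.keys():
        problems.append(f"{key} passed as a tool argument; set it in the server environment")
    if args.get("llm") is True:
        budget = args.get("scan_budget_usd")
        if not isinstance(budget, (int, float)) or budget <= 0:
            problems.append("llm scan needs an explicit scan_budget_usd > 0 (0 means unlimited)")
        elif budget > max_budget_usd:
            problems.append(f"scan_budget_usd {budget} exceeds cap {max_budget_usd}")
        if args.get("llm_max_files", 50) == 0:
            problems.append("llm_max_files=0 sends an unlimited number of files to the LLM")
    return problems

# Constructed sample request; the api_key value is a placeholder, not a real key.
SAMPLE = {
    "jsonrpc": "2.0", "id": 7, "method": "tools/call",
    "params": {"name": "scan_source", "arguments": {
        "path": "./services/api", "llm": True, "llm_quality": "thorough",
        "scan_budget_usd": 0, "llm_max_files": 0, "api_key": "constructed-not-a-real-key",
    }},
}
```

Calling `review_scan_source_call(SAMPLE)` reports four violations: the unknown `llm_quality` value, the inline `api_key`, the unlimited budget and the unlimited file count.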
scan_network parameters (experimental)
| Parameter | Type | Description |
| targets | string (required) | Comma-separated list of host:port endpoints to scan. |
| timeout | string | Connection timeout per target (default: 10s). |
| insecure | boolean | Skip TLS certificate verification. |
| format | string | Output format: json (default), cyclonedx. |
scan_iac parameters (experimental)
| Parameter | Type | Description |
| path | string (required) | Directory containing IaC files to scan. |
| terraform | boolean | Enable Terraform scanning (default: true). |
| cloudformation | boolean | Enable CloudFormation scanning (default: true). |
| pulumi | boolean | Enable Pulumi scanning (default: true). |
| format | string | Output format: json (default), cyclonedx. |
scan_infra parameters (experimental)
| Parameter | Type | Description |
| provider | string (required) | Cloud/KMS provider: aws, gcp, azure, vault. |
| region | string | Cloud region (AWS/Azure). |
| project | string | GCP project ID. |
| vault_addr | string | HashiCorp Vault address. |
| vault_token | string | HashiCorp Vault token (or set VAULT_TOKEN env var). |
| format | string | Output format: json (default), cyclonedx. |
scan_runtime parameters (experimental)
| Parameter | Type | Description |
| scan_type | string (required) | Scan mode: network, truststore, image, registry, pid, container, ebpf. |
| pid | number | Process PID (required for scan_type=pid). |
| memory | boolean | Also scan process memory for in-memory key material (use with scan_type=pid; requires privilege). |
| container | string | Running container name or ID (required for scan_type=container). |
| image | string | Container image ref to pull and scan, e.g. nginx:latest (required for scan_type=image). |
| registry | string | Registry image ref to inspect without pulling (required for scan_type=registry). |
| network_targets | string | Comma-separated host:port endpoints to probe (scan_type=network only; default: auto-discover local listeners). |
| duration | string | Tracing window for scan_type=ebpf (default: 30s). |
| format | string | Output format: json (default), cyclonedx, sarif. |
upload_findings parameters
| Parameter | Type | Description |
| findings_json | string (required) | JSON array of findings (as returned by any scan tool). |
| server_url | string (required) | qtz-discovery service base URL. |
| org_id | string (required) | Organization ID. |
| api_key | string (required) | API key for authentication. |
| target | string | Scan target label (optional, for display in the portal). |
get_usage parameters
| Parameter | Type | Description |
| server_url | string (required) | qtz-discovery service base URL. |
| org_id | string (required) | Organization ID. |
| api_key | string (required) | API key for authentication. |
| period | string | Billing period in YYYY-MM format (default: current month). |
Example AI Prompts
Once connected, you can use natural language to drive scans:
"Scan the current project directory for quantum-vulnerable cryptography and give me the top 5 critical findings."
"Check if api.example.com:443 is using any deprecated TLS ciphers or lacks a post-quantum key exchange."
"Scan the Terraform configs in ./infra for any cryptographic resources that use deprecated algorithms."
Portal Connection
Connect the MCP server to your Quantizant portal to enable AI risk scoring, the
upload_findings tool, and LLM-enhanced source analysis.
Set the following environment variables or add them to your config file:
# Environment variables
export QTZ_SERVER_URL=https://your-portal-url
export QTZ_SERVER_ORG_ID=your-org-id
export QTZ_SERVER_API_KEY=your-api-key
# Config file: ~/.qtz/config.yaml
server:
  url: https://your-portal-url
  org_id: your-org-id
  api_key: your-api-key
Config files are searched in order: .qtz-discovery.yaml (current directory),
config.yaml (current directory), then ~/.qtz/config.yaml.
Security Considerations
- The MCP server runs with the same filesystem permissions as the invoking user.
- HTTP transport is not authenticated by default — only expose it on localhost or behind a reverse proxy with auth.
- API keys are never logged or exposed in tool responses.
- For team environments, prefer stdio transport through a per-user install rather than a shared HTTP server.
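The exposure rules in this list, applied to a `mcp serve` command line before it goes into a launch script or service unit. This is an added example, not part of qtz-discovery-cli: `audit_serve` and the finding codes are hypothetical names, only the flags documented above are used, and an empty or DNS-name host is assumed to be reachable from other machines.

```python
import ipaddress
import shlex

# Flags that take a value, as listed in the Flags table above.
VALUE_FLAGS = {"--addr", "--transport", "--tls-cert", "--tls-key", "--base-url"}

def is_loopback(host: str) -> bool:
    """True only for localhost or a loopback IP literal."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host.strip("[]")).is_loopback
    except ValueError:
        # Empty host or a DNS name: assume other machines can reach it.
        return False

def audit_serve(command: str) -> list[str]:
    """Return finding codes for one `mcp serve` command line."""
    argv = shlex.split(command)
    opts = {}
    for i, tok in enumerate(argv):
        if tok in VALUE_FLAGS and i + 1 < len(argv):
            opts[tok] = argv[i + 1]
    addr = opts.get("--addr")
    if addr is None:
        return []  # stdio transport: no network listener at all
    transport = opts.get("--transport", "sse")  # sse is the documented default
    has_cert, has_key = "--tls-cert" in opts, "--tls-key" in opts
    tls = transport == "streamable-http" and has_cert and has_key
    findings = []
    host = addr.rsplit(":", 1)[0]
    if not is_loopback(host):
        # HTTP transport is not authenticated by default.
        findings.append("unauthenticated-listener-not-on-loopback")
        if not tls:
            findings.append("cleartext-beyond-loopback")
    if has_cert != has_key:
        findings.append("tls-cert-and-key-must-both-be-set")
    if (has_cert or has_key) and transport != "streamable-http":
        findings.append("tls-flags-need-streamable-http")
    if "--cors" in argv:
        findings.append("cors-on-unauthenticated-endpoint")
    return findings
```

An empty list means the command either uses stdio or binds an HTTP transport to loopback only; any finding is a reason to move the listener to 127.0.0.1 or behind a reverse proxy with auth.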