# Codebase Security Review with MCP

Project teams can connect the HackenProof MCP to their development workflow — using bug bounty reports as a direct feedback loop into their codebase. Instead of manually reading reports and cross-referencing code, your team can let Claude analyze reports against your actual source code in real time.

### How it works

1. **Clone your project repo locally** and open it in Claude Code
2. **Connect the HackenProof MCP** via `.mcp.json` in your project root
3. **Ask Claude to review incoming reports** against your codebase

Claude has simultaneous access to your source code (via the local project) and your bug bounty reports (via MCP), so it can:

* **Validate reported vulnerabilities** — check if the described attack vector actually exists in your code
* **Locate affected code paths** — find the exact files, functions, and lines related to a report
* **Assess impact** — determine if the vulnerability is exploitable given your architecture and existing mitigations
* **Suggest fixes** — propose code changes based on understanding both the vulnerability and your codebase
* **Identify patterns** — spot similar vulnerabilities across your codebase that weren't reported

### Your review pipeline

```
Report submitted → Fetch via MCP → Validate against code → Fix → Tag & resolve
       ↑                                    ↓
       └──── "Find similar patterns" ───────┘
```

### Why this scales

Each bug bounty report teaches the AI a new attack pattern. When Claude validates a reentrancy finding in one contract, you can ask it to scan your entire codebase for the same pattern — across every file, every module, every chain.

This gets especially powerful when you have:

* **Large codebases** — hundreds of contracts or services that are impossible to manually cross-reference with every report
* **Multiple implementations** — different versions, forks, or deployments of the same logic where the same bug might exist
* **High report volume** — the more reports you receive, the more attack patterns Claude learns to look for. A 50-report audit contest becomes a 50-pattern codebase scan

### Example workflow

Open your project in Claude Code with HackenProof MCP connected:

> "Fetch all new reports for our-company/our-program and check each one against our codebase. For each report, tell me: is the vulnerability real, where is it in our code, and how should we fix it?"

Claude will:

1. Pull new reports via `list_reports` and `get_report_details`
2. Read the vulnerability description and PoC steps
3. Search your local codebase for the affected code
4. Verify whether the issue exists
5. Provide a summary with file paths, risk assessment, and fix suggestions

### Practical examples

**Validate a smart contract finding:**

> "Report HACK-42 claims there's a reentrancy vulnerability in the withdraw function. Check our contracts and tell me if this is valid."

Claude reads the report, finds the relevant contract in your repo, traces the call flow, and confirms whether the reentrancy guard is missing or if the reporter is wrong.

**Cross-reference scope:**

> "Check if the target mentioned in report HACK-55 matches any of our deployed contracts or endpoints in this repo."

**Batch review after an audit contest:**

> "We just finished an audit contest on our-program. Fetch all triaged reports and create a summary of confirmed issues grouped by contract file, with severity and recommended fixes."

**Proactive vulnerability scanning:**<br>

> "Report HACK-30 found an unchecked return value in TokenSwap.sol. Search our entire codebase for similar patterns — unchecked external calls or missing return value checks."

### Close the loop

MCP isn't just for reading reports — your team can act directly from the IDE:

* Confirm a finding is valid → change state to "Triaged" and set severity
* Need more details from the researcher → post a comment asking for clarification
* Found and fixed the issue → tag the report as `fix-deployed` and move to "Resolved"
* Spotted duplicates while reviewing code → group them with `dup-` labels

The entire lifecycle — from report to fix to resolution — happens without leaving your editor.

### Best practices for large programs

* **Start with `get_report_sizes`** before fetching full reports — saves time on large reports with huge PoCs
* **Use the `fields` parameter** on `get_report_details` to fetch only what you need (e.g., just `vulnerability_description`)
* **Combine with git blame** — ask Claude to check who last modified the affected code and when
* **Track fixes with labels** — use `add_labels` to tag reports as `fix-in-progress`, `fix-deployed`, etc.
* **Batch review by severity** — use `list_reports` with `severity=["Critical", "High"]` to prioritize what matters first

<br>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.hackenproof.com/dashboard/mcp-server/codebase-security-review-with-mcp.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.