PCI DSS v4.0.1 static-analysis MCP server for Go payment service codebases. 12 scanners detect PAN/CVV exposure, weak crypto, missing audit logs, vulnerable deps, TLS misconfig, auth weaknesses, plus CycloneDX 1.6 SBOM generation. Each finding maps to the exact PCI requirement. AI-assisted triage via triage_findings tool. Keyless-signed multi-arch Docker image on ghcr.io.
Overview
pci-dss-mcp
Static-analysis MCP server that detects PCI DSS v4.0.1 violations in Go payment service codebases. Every finding maps to a specific PCI DSS requirement number. Built for developers, QSAs, and CI gates.
What it detects
12 scanners over Go source + configs, each mapped to PCI DSS requirements:
| Tool | Detects | PCI DSS |
|---|---|---|
| scan_pan_data | PAN/CVV storage, masking, zeroing | 3.3.1, 3.4.1, 3.5.1 |
| check_encryption | weak hashes, hardcoded keys, plain HTTP | 6.2.4, 4.2.1 |
| check_tls_config | InsecureSkipVerify, weak MinVersion, prohibited ciphers | 4.2.1 |
| check_secrets_in_configs | API keys, passwords, connection strings in configs | 8.6.2 |
| check_error_handling | payment-handler error disclosure | 6.2.4 |
| check_auth_strength | hardcoded passwords, weak password policy, missing MFA | 8.3.1, 8.3.6, 8.4.2 |
| audit_log_coverage | missing/unstructured audit logs in payment handlers | 10.2.1 |
| check_data_retention | CVV/PAN without TTL, incorrect memory zeroing | 3.2.1, 3.3.1 |
| check_payment_page_scripts | CSP, SRI, nonce, FIM for payment pages | 6.4.3, 11.6.1 |
| check_dependencies | vulnerable go.mod deps via OSV.dev (offline mode supported) | 6.3.3 |
| generate_sbom | CycloneDX 1.6 SBOM with SPDX licenses | 6.3.2 |
| triage_findings | AI-assisted prioritization + file:line enrichment | (orchestrator) |
Plus generate_compliance_report (full multi-scanner report), update_vulnerability_db (refresh OSV cache), explain_requirement (PCI DSS lookup).
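To show the kind of syntactic check that sits behind a scanner such as check_tls_config, here is an added example written for this page (it is not the project's own scanner, whose rules, thresholds and output format may differ). It parses a constructed payment-service snippet with go/ast and reports every tls.Config literal that sets InsecureSkipVerify to true or a MinVersion below TLS 1.2, mapping each finding to PCI DSS 4.2.1 at file:line:col. ScanTLS, Finding, isTLSConfig, weakMinVersion and the embedded sample source are all invented for this illustration.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strconv"
)

// Finding is one violation: where it is, what is wrong, and the PCI DSS
// v4.0.1 requirement it maps to (4.2.1: strong cryptography for PAN in transit).
type Finding struct {
	Pos  string // file:line:col of the offending field
	Rule string
	Req  string
}

// sample is a constructed payment-service snippet embedded so the example
// runs offline. client() carries two violations; server() is compliant.
const sample = `package payments

import "crypto/tls"

func client() *tls.Config {
	return &tls.Config{
		InsecureSkipVerify: true,
		MinVersion:         tls.VersionTLS10,
	}
}

func server() *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12}
}
`

// ScanTLS parses Go source and reports tls.Config literals that disable
// certificate verification or permit protocol versions below TLS 1.2.
func ScanTLS(filename, src string) ([]Finding, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, filename, src, 0)
	if err != nil {
		return nil, err
	}
	var out []Finding
	ast.Inspect(f, func(n ast.Node) bool {
		cl, ok := n.(*ast.CompositeLit)
		if !ok || !isTLSConfig(cl.Type) {
			return true
		}
		for _, el := range cl.Elts {
			kv, ok := el.(*ast.KeyValueExpr)
			if !ok {
				continue
			}
			key, ok := kv.Key.(*ast.Ident)
			if !ok {
				continue
			}
			pos := fset.Position(kv.Pos()).String()
			switch key.Name {
			case "InsecureSkipVerify":
				if id, ok := kv.Value.(*ast.Ident); ok && id.Name == "true" {
					out = append(out, Finding{pos, "InsecureSkipVerify: true disables certificate validation", "4.2.1"})
				}
			case "MinVersion":
				if weakMinVersion(kv.Value) {
					out = append(out, Finding{pos, "MinVersion permits TLS < 1.2", "4.2.1"})
				}
			}
		}
		return true
	})
	return out, nil
}

// isTLSConfig matches the literal type tls.Config by name only. An aliased
// import (import ctls "crypto/tls") evades this; a production scanner should
// resolve the type with go/types instead.
func isTLSConfig(t ast.Expr) bool {
	sel, ok := t.(*ast.SelectorExpr)
	if !ok {
		return false
	}
	pkg, ok := sel.X.(*ast.Ident)
	return ok && pkg.Name == "tls" && sel.Sel.Name == "Config"
}

// weakMinVersion accepts either a tls.Version* constant or a raw integer
// literal (TLS 1.2 is 0x0303, so anything lower is weak).
func weakMinVersion(v ast.Expr) bool {
	switch x := v.(type) {
	case *ast.SelectorExpr:
		switch x.Sel.Name {
		case "VersionSSL30", "VersionTLS10", "VersionTLS11":
			return true
		}
	case *ast.BasicLit:
		if x.Kind == token.INT {
			n, err := strconv.ParseUint(x.Value, 0, 16)
			return err == nil && n < 0x0303
		}
	}
	return false
}

func main() {
	findings, err := ScanTLS("sample.go", sample)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s  [PCI DSS %s] %s\n", f.Pos, f.Req, f.Rule)
	}
}
```

Two caveats a practitioner would add before trusting such a check in a CI gate: a tls.Config that leaves MinVersion unset falls back to Go's default, which depends on the Go toolchain version and on whether the config is used for a client or a server, so a stricter rule would flag the absent field as well; and a config assembled at runtime (MinVersion read from an environment variable, InsecureSkipVerify set in a later assignment) is invisible to a literal-only pass and needs type-aware data-flow analysis.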
Quick install (Docker)
```json
{
  "mcpServers": {
    "pci-dss-mcp": {
      "command": "docker",
      "args": [
        "run", "-i", "--rm",
        "--mount", "type=bind,src=/path/to/your/go/src,dst=/path/to/your/go/src,readonly",
        "ghcr.io/shyshlakov/pci-dss-mcp:v0.6.2"
      ]
    }
  }
}
```
src= and dst= mirror the same absolute path so the container sees your code at the same path your host uses, which keeps the file:line references in findings valid on the host. The readonly flag means the scanner can never modify the mounted source tree.
Quick install (Go)
```shell
go install github.com/shyshlakov/pci-dss-mcp@v0.6.2
```
Then add {"command": "pci-dss-mcp"} to your MCP client config.
What pci-dss-mcp is NOT
- Not a replacement for broad SAST (Semgrep, CodeQL, gosec for the OWASP Top 10)
- Not a replacement for LLM-based code review
- Not a QSA replacement: static analysis covers only about 6% of PCI DSS v4.0.1 requirements; a Qualified Security Assessor must assess and sign off on the rest
Distribution
- MCP Registry: io.github.shyshlakov/pci-dss-mcp
- Docker: ghcr.io/shyshlakov/pci-dss-mcp:v0.6.2 (keyless-signed via cosign + OIDC)
- Go: go install github.com/shyshlakov/pci-dss-mcp@v0.6.2
- Source: https://github.com/shyshlakov/pci-dss-mcp
License
MIT