DevGrid MCP Server

Once connected, you can ask your AI assistant questions like "show me all critical vulnerabilities", "what components does the payments app depend on?", or "give me a portfolio overview" and it will call DevGrid tools to get live answers.

Connecting Your Client

Server URL

https://prod.api.devgrid.io/mcp

Claude Desktop

Add this to your Claude Desktop config file (~/Library/Application Support/Claude/claude_desktop_config.json on macOS):

{
  "mcpServers": {
    "devgrid": {
      "url": "https://prod.api.devgrid.io/mcp"
    }
  }
}

Restart Claude Desktop. You will be prompted to log in with your DevGrid account the first time.

Claude.ai

Go to Settings, scroll to MCP Servers, click "Add Server", and enter the server URL above.

Cursor / Windsurf

Add to your .cursor/mcp.json or equivalent config:

{
  "mcpServers": {
    "devgrid": {
      "url": "https://prod.api.devgrid.io/mcp"
    }
  }
}

Claude Code

claude mcp add devgrid --transport streamable-http https://prod.api.devgrid.io/mcp

Authentication

The server uses OAuth 2.1 with PKCE. Most MCP clients handle this automatically:

1. Your client discovers the auth configuration from the server
2. A browser window opens for you to log in with your DevGrid credentials
3. After login, the client stores your token and authenticates automatically

All data is scoped to your DevGrid account. You will only see entities belonging to your organization.

Permissions

Most tools are available to all authenticated users. Some tools require additional permissions:

• Vulnerability tools require read:vulnerability
• Repository tools require read:repository

If you get an "Access denied" error, contact your DevGrid admin to grant the required permission.

Available Tools

Search

Components

Applications

Portfolios

Technologies

Journeys

Incidents

Incident states: new, in_progress, on_hold, resolved, closed, canceled, reopened

Priority: 0 (P0, highest) through 7 (P7, lowest)

Changes

Change types: standard, normal, emergency, expedited

Risk levels: critical, high, medium, low

Statuses: draft, pending_approval, approved, scheduled, in_progress, implementing, testing, completed, closed, cancelled, failed, rolled_back

Vulnerabilities

Severity levels: CRITICAL, HIGH, MEDIUM, LOW, INFO, UNKNOWN

Statuses: detected, confirmed, dismissed, resolved

Scan types: sast, sca, container_scanning, and others

Relationships

Common relationship types:

• portfolio-contains-application
• application-has-component
• technology-has-version

Repositories

External systems: github, gitlab, bitbucket, azure-devops

Pagination

All list tools support pagination:

• limit -- maximum results to return (1-100, default 20)
• offset -- number of results to skip (default 0)

Responses include metadata.hasMore which is true when more results are available. To page through results:

1. Call with { limit: 50, offset: 0 }
2. If hasMore is true, call again with { limit: 50, offset: 50 }
3. Continue until hasMore is false

Response Format

All tools return JSON with this structure:

List responses:

{
  "data": [ ... ],
  "metadata": {
    "count": 5,
    "limit": 20,
    "offset": 0,
    "hasMore": false
  }
}

Single-item responses:

{
  "data": { "id": "...", "name": "...", ... }
}

Search responses:

{
  "data": {
    "entities": [ ... ],
    "relationships": [ ... ],
    "blueprints": [ ... ]
  },
  "metadata": {
    "query": "auth",
    "entityCount": 3,
    "relationshipCount": 1,
    "blueprintCount": 0,
    "totalCount": 4
  }
}

Errors:

{
  "error": "Component with id abc-123 not found"
}

Prompts

The server includes pre-built workflow prompts. In clients that support them, these appear as slash commands:

Example Workflows

Find a component and its dependencies

"Find the auth-service component and show me what it depends on"

The assistant will:

1. components_list with name: "auth-service" to find it
2. components_get with the ID for full details
3. components_dependencies with depth: 2 for the dependency tree

Review your security posture

"Show me all critical unresolved vulnerabilities"

The assistant will:

1. vulnerabilities_summary for an overview
2. vulnerabilities_list with severity: "CRITICAL" and status: "detected"
3. vulnerability_identifiers_list to get CVE details for each

Triage incidents

"What incidents need attention right now?"

The assistant will:

1. incidents_summary for a high-level view
2. incidents_list with state: "new" for unacknowledged incidents
3. incidents_get for details on high-priority items

Explore a portfolio

"Give me an overview of the payments portfolio"

The assistant will:

1. portfolios_list with name: "payments" to find it
2. portfolios_apps to list its applications
3. vulnerabilities_summary and incidents_summary for health indicators

Search across everything

"Search for anything related to authentication"

The assistant will:

1. search with query: "authentication" to find matching entities, relationships, and blueprints in one call

Troubleshooting

"Authentication required" error Your token has expired. Most clients will automatically re-authenticate. If not, disconnect and reconnect the server in your client settings.

"Access denied: missing read:vulnerability permission" Your DevGrid user account doesn't have permission for this resource. Ask your DevGrid admin to grant the required permission.

Empty results All data is scoped to your organization's account. If you're not seeing expected data, verify you're logged in with the correct DevGrid account.

Tool not found Make sure your client is connected to the correct server URL. Disconnect and reconnect if the tool list seems stale.