MCP servers for code review workflows
MCP servers and adjacent agent tools for repository review, pull request triage, quality checks, and source-backed engineering review.
MCP servers and adjacent agent tools for repository review, pull request triage, quality checks, and source-backed engineering review.
Compared at a glance
The top 5 picks side by side on trust, install, platform support, and disclosed notes — full rationale for each below.
3 trust signals differ across this comparison (Package trust, Source provenance, Submitter).
| Field | Build applications, analyze traffic, and manage security settings through Cloudflare Open dossier | Debug faster with AI agents that access video recordings, console logs, and network requests Open dossier | Security analysis and vulnerability scanning for dependencies Open dossier | Configure and manage Stytch authentication services and workspace settings Open dossier | The official Codacy MCP server (@codacy/codacy-mcp) that gives AI assistants access to the Codacy API for code quality, security, and coverage — listing repository and pull-request issues, retrieving file coverage and duplication, searching security (SRM) findings, inspecting analysis tools and patterns, and running local analysis with the Codacy CLI. Open dossier |
|---|---|---|---|---|---|
| Next steps | |||||
| Trust | |||||
| Review status | ReviewedMaintainer reviewed | ReviewedMaintainer reviewed | ReviewedMaintainer reviewed | ReviewedMaintainer reviewed | ReviewedMaintainer reviewed |
| Package trustDiffers | Package verified | Package verified | Package verified | Package verified | Package not verified |
| Source provenanceDiffers | No submission link | No submission link | No submission link | No submission link | Source-backed |
| SubmitterDiffers | — | — | — | — | davion-knight |
| Install risk | Low risk | Low risk | Low risk | Low risk | Review first |
| Notes | Safety ✓ Privacy ✓ | Safety ✓ Privacy ✓ | Safety ✓ Privacy ✓ | Safety ✓ Privacy ✓ | Safety ✓ Privacy ✓ |
| Brand | |||||
| Category | mcp | mcp | mcp | mcp | mcp |
| Source | First-party | First-party | First-party | First-party | Source-backed |
| Author | Cloudflare | Jam | Socket | Stytch | codacy |
| Added | 2025-09-18 | 2025-09-18 | 2025-09-18 | 2025-09-18 | 2026-07-08 |
| Platforms | |||||
| Harness | |||||
| Source repo | — | — | — | — | — |
| Safety notes | ✓Use a least-privilege Cloudflare token because DNS, security, Worker, and deployment actions can affect production services. | ✓Share only Jam recordings and debugging captures that are intended for AI review, especially when they include production sessions. | ✓Treat dependency risk findings as triage input and verify impact before blocking releases or changing package policy. | ✓Restrict Stytch workspace and admin permissions because auth configuration changes can affect sign-in and account security. | ✓The `codacy_cli_analyze` tool runs Codacy CLI analysis locally on files or directories, and if the CLI is not installed the server will attempt to download and install it, so it can execute and install software on your machine. The Codacy Account API Token grants API access to the organizations and repositories your account can see, including private ones, so treat it as a secret and scope it to least privilege. Most tools are read-only analysis (issues, coverage, duplication, security findings), but `codacy_setup_repository` adds or follows a repository in Codacy, which is an account-write action. Security (SRM) tools surface real vulnerabilities and findings for your code, so handle that output carefully and avoid leaking it. Prefer a token scoped to the intended organization and a non-sensitive repository when an agent acts autonomously. |
| Privacy notes | ✓Zone settings, analytics, logs, account identifiers, deployment metadata, and security configuration may be sent through model context. | ✓Screen recordings, console logs, network requests, URLs, cookies, and user-visible data may be exposed through model context. | ✓Package names, manifests, dependency graphs, repository context, and security findings may be sent through tool calls. | ✓User identities, authentication logs, session details, workspace settings, and security configuration may be sent through tool calls. | ✓The server calls the Codacy API with your token; repository metadata, code-quality issues, coverage, duplication, security findings, and pull-request data it returns are passed to the LLM/MCP client. Some tools return source-derived content — for example `codacy_get_pull_request_git_diff` returns a PR's Git diff and file-analysis tools return issue context — which can include real source code. Security findings can reveal sensitive vulnerability details about your codebase; review before sharing that output. The account token is provided via the `CODACY_ACCOUNT_TOKEN` environment variable in your MCP client config — keep that config out of version control and restrict access to it. |
| Prerequisites |
|
|
|
|
|
| Install | | | | | |
| Config | | | | | |
| Citations | |||||
| Claim | Unclaimed | Unclaimed | Unclaimed | Unclaimed | Unclaimed |
- 01
Cloudflare MCP Server - MCP Servers
Build applications, analyze traffic, and manage security settings through Cloudflare
Added 10mo agoSafety ✓ Privacy ✓by CloudflareWhy it made the cutCloudflare MCP Server - MCP Servers is included because it has maintainer-built package, safety notes present, privacy notes present, first-party source posture.
- 02
Jam MCP Server for Claude
Debug faster with AI agents that access video recordings, console logs, and network requests
Added 10mo agoSafety ✓ Privacy ✓by JamWhy it made the cutJam MCP Server for Claude is included because it has maintainer-built package, safety notes present, privacy notes present, first-party source posture.
- 03
Socket MCP Server for Claude
Security analysis and vulnerability scanning for dependencies
Added 10mo agoSafety ✓ Privacy ✓by SocketWhy it made the cutSocket MCP Server for Claude is included because it has maintainer-built package, safety notes present, privacy notes present, first-party source posture.
- 04
Stytch MCP Server for Claude
Configure and manage Stytch authentication services and workspace settings
Added 10mo agoSafety ✓ Privacy ✓by StytchWhy it made the cutStytch MCP Server for Claude is included because it has maintainer-built package, safety notes present, privacy notes present, first-party source posture.
- 05
Codacy MCP Server
Official Codacy MCP server: inspect code-quality and security (SRM) findings, file/PR coverage and duplication, and run local Codacy CLI analysis.
Added 11d agoSafety ✓ Privacy ✓by codacy · submitted by davion-knightWhy it made the cutCodacy MCP Server is included because it has safety notes present, privacy notes present, source-backed source posture.
Reach for insteadIf this will touch credentials, local files, or production systems, inspect the upstream source first.
- 06
PAL MCP Server
Let Claude Code, Codex, Gemini CLI, Cursor, and other clients consult multiple models and CLI subagents through PAL MCP.
Added 1mo agoSafety ✓ Privacy ✓by Beehive Innovations · submitted by oktofeesh1Why it made the cutPAL MCP Server is included because it has safety notes present, privacy notes present, source-backed source posture.
Reach for insteadIf this will touch credentials, local files, or production systems, inspect the upstream source first.
- 07
SonarQube MCP Server
Connect Claude to SonarQube Server or Cloud for code quality, security, issues, hotspots, measures, quality gates, branches, and snippets.
Added 1mo agoSafety ✓ Privacy ✓by SonarSource · submitted by oktofeesh1Why it made the cutSonarQube MCP Server is included because it has safety notes present, privacy notes present, source-backed source posture.
Reach for insteadIf this will touch credentials, local files, or production systems, inspect the upstream source first.
- 08
Daloopa MCP Server for Claude
Access high-quality fundamental financial data from SEC filings and investor presentations
Added 10mo agoSafety ✓ Privacy ✓by DaloopaWhy it made the cutDaloopa MCP Server for Claude is included because it has maintainer-built package, safety notes present, privacy notes present, first-party source posture.
- 09
Git MCP Server for Claude
Official MCP server providing Git repository tools for reading, searching, and manipulating Git repositories
Added 10mo agoSafety ✓ Privacy ✓by AnthropicWhy it made the cutGit MCP Server for Claude is included because it has maintainer-built package, safety notes present, privacy notes present, first-party source posture.
- 10
GitHub MCP Server for Claude
Official GitHub MCP server providing comprehensive GitHub API access for repository management, file operations, and search functionality
Added 10mo agoSafety ✓ Privacy ✓by GitHubWhy it made the cutGitHub MCP Server for Claude is included because it has maintainer-built package, safety notes present, privacy notes present, first-party source posture.
- 11
HexStrike AI MCP Server
Run authorized pentesting and security research workflows through HexStrike AI's MCP server and security-tool orchestration layer.
Added 1mo agoSafety ✓ Privacy ✓by 0x4m4 · submitted by oktofeesh1Why it made the cutHexStrike AI MCP Server is included because it has safety notes present, privacy notes present, source-backed source posture.
Reach for insteadIf this will touch credentials, local files, or production systems, inspect the upstream source first.
- 12
MATLAB MCP Core Server
Connect Claude to a licensed MATLAB install for code analysis, script execution, toolbox detection, testing, and custom MATLAB tools.
Added 1mo agoSafety ✓ Privacy ✓by MathWorks · submitted by oktofeesh1Why it made the cutMATLAB MCP Core Server is included because it has safety notes present, privacy notes present, source-backed source posture.
Reach for insteadIf this will touch credentials, local files, or production systems, inspect the upstream source first.
- 13
Microsoft MCP Gateway
Deploy and manage MCP server adapters in Kubernetes, route clients through session-aware gateway endpoints, register tools, and control access with bearer auth and Entra ID app roles.
Added 1mo agoSafety ✓ Privacy ✓by microsoft · submitted by oktofeesh1Why it made the cutMicrosoft MCP Gateway is included because it has safety notes present, privacy notes present, source-backed source posture.
Reach for insteadIf this will touch credentials, local files, or production systems, inspect the upstream source first.
- 14
Pentest AI MCP Server
Connect Claude to authorized pentest-ai engagements, tools, probes, and findings.
Added 1mo agoSafety ✓ Privacy ✓by 0xSteph · submitted by oktofeesh1Why it made the cutPentest AI MCP Server is included because it has safety notes present, privacy notes present, source-backed source posture.
Reach for insteadIf this will touch credentials, local files, or production systems, inspect the upstream source first.
- 15
Roam Code
Let Claude query a local code graph before and after code changes.
Added 1mo agoSafety ✓ Privacy ✓by Cranot · submitted by oktofeesh1Why it made the cutRoam Code is included because it has safety notes present, privacy notes present, source-backed source posture.
Reach for insteadIf this will touch credentials, local files, or production systems, inspect the upstream source first.
- 16
Searchcode MCP Server
Analyze and search public Git repositories through a remote code intelligence MCP server.
Added 1mo agoSafety ✓ Privacy ✓by searchcode.com · submitted by oktofeesh1Why it made the cutSearchcode MCP Server is included because it has safety notes present, privacy notes present, source-backed source posture.
Reach for insteadIf this will touch credentials, local files, or production systems, inspect the upstream source first.
Missing a pick? Propose an edit to this list — every change goes through the same review queue as new entries.
Suggest a pickGet the weekly brief
One calm read on Claude workflows. Sundays. No tracking pixels.
Unsubscribe any time. No tracking pixels. No partner blasts.