Skip to main content
Code review MCP · mcp · 16 picks

MCP servers for code review workflows

MCP servers and adjacent agent tools for repository review, pull request triage, quality checks, and source-backed engineering review.

Curated by @heyclaude-editors Updated 2026-07-18

MCP servers and adjacent agent tools for repository review, pull request triage, quality checks, and source-backed engineering review.

Compared at a glance

The top 5 picks side by side on trust, install, platform support, and disclosed notes — full rationale for each below.

3 trust signals differ across this comparison (Package trust, Source provenance, Submitter).

Field

Build applications, analyze traffic, and manage security settings through Cloudflare

Open dossier

Debug faster with AI agents that access video recordings, console logs, and network requests

Open dossier

Security analysis and vulnerability scanning for dependencies

Open dossier

Configure and manage Stytch authentication services and workspace settings

Open dossier

The official Codacy MCP server (@codacy/codacy-mcp) that gives AI assistants access to the Codacy API for code quality, security, and coverage — listing repository and pull-request issues, retrieving file coverage and duplication, searching security (SRM) findings, inspecting analysis tools and patterns, and running local analysis with the Codacy CLI.

Open dossier
Next steps
Trust
Review statusReviewedMaintainer reviewedReviewedMaintainer reviewedReviewedMaintainer reviewedReviewedMaintainer reviewedReviewedMaintainer reviewed
Package trustDiffersPackage verifiedPackage verifiedPackage verifiedPackage verifiedPackage not verified
Source provenanceDiffersNo submission linkNo submission linkNo submission linkNo submission linkSource-backed
SubmitterDiffersdavion-knight
Install riskLow riskLow riskLow riskLow riskReview first
Notes Safety ✓ Privacy ✓ Safety ✓ Privacy ✓ Safety ✓ Privacy ✓ Safety ✓ Privacy ✓ Safety ✓ Privacy ✓
BrandCloudflare logoCloudflareJam logoJamSocket logoSocketStytch logoStytchCodacy MCP Server logoCodacy MCP Server
Categorymcpmcpmcpmcpmcp
SourceFirst-partyFirst-partyFirst-partyFirst-partySource-backed
AuthorCloudflareJamSocketStytchcodacy
Added2025-09-182025-09-182025-09-182025-09-182026-07-08
Platforms
Harness
Source repo
Safety notesUse a least-privilege Cloudflare token because DNS, security, Worker, and deployment actions can affect production services.Share only Jam recordings and debugging captures that are intended for AI review, especially when they include production sessions.Treat dependency risk findings as triage input and verify impact before blocking releases or changing package policy.Restrict Stytch workspace and admin permissions because auth configuration changes can affect sign-in and account security.The `codacy_cli_analyze` tool runs Codacy CLI analysis locally on files or directories, and if the CLI is not installed the server will attempt to download and install it, so it can execute and install software on your machine. The Codacy Account API Token grants API access to the organizations and repositories your account can see, including private ones, so treat it as a secret and scope it to least privilege. Most tools are read-only analysis (issues, coverage, duplication, security findings), but `codacy_setup_repository` adds or follows a repository in Codacy, which is an account-write action. Security (SRM) tools surface real vulnerabilities and findings for your code, so handle that output carefully and avoid leaking it. Prefer a token scoped to the intended organization and a non-sensitive repository when an agent acts autonomously.
Privacy notesZone settings, analytics, logs, account identifiers, deployment metadata, and security configuration may be sent through model context.Screen recordings, console logs, network requests, URLs, cookies, and user-visible data may be exposed through model context.Package names, manifests, dependency graphs, repository context, and security findings may be sent through tool calls.User identities, authentication logs, session details, workspace settings, and security configuration may be sent through tool calls.The server calls the Codacy API with your token; repository metadata, code-quality issues, coverage, duplication, security findings, and pull-request data it returns are passed to the LLM/MCP client. Some tools return source-derived content — for example `codacy_get_pull_request_git_diff` returns a PR's Git diff and file-analysis tools return issue context — which can include real source code. Security findings can reveal sensitive vulnerability details about your codebase; review before sharing that output. The account token is provided via the `CODACY_ACCOUNT_TOKEN` environment variable in your MCP client config — keep that config out of version control and restrict access to it.
Prerequisites
  • Cloudflare account with active zones
  • Cloudflare API Token from https://dash.cloudflare.com/profile/api-tokens
  • Cloudflare Account ID (found in Cloudflare dashboard)
  • Node.js and npm/npx available for running the @cloudflare/mcp-server-cloudflare package
  • Jam account (sign up at https://jam.dev if needed)
  • Jam API token (Bearer token format: jam_sk_live_xxx) - get from Jam account settings or Developer Hub
  • Jam browser extension (optional but recommended for capturing bugs with full technical context)
  • HTTP transport support (remote MCP server at https://mcp.jam.dev/mcp)
  • Socket account (free or paid plan)
  • OAuth authentication setup (for mcp.socket.dev MCP connection)
  • Socket API key (for Socket API access, available in Socket Dashboard)
  • Network access to mcp.socket.dev (HTTPS required)
  • Stytch account (free or paid plan)
  • Stytch API key authentication (for mcp.stytch.dev MCP connection)
  • Stytch project_id and secret from Dashboard (test or live environment)
  • Network access to mcp.stytch.dev (HTTP transport, not HTTPS)
  • Node.js and npm, with the `npx` command working (the server runs via `npx -y @codacy/codacy-mcp`)
  • A Codacy account and an Account API Token from Codacy Account access management
  • For local analysis, the Codacy CLI v2 (macOS/Linux/Windows via WSL); the server installs it if it is missing
  • An MCP-compatible client (Claude Desktop, Cursor, VS Code, Windsurf, etc.)
Install
claude mcp add cloudflare --env CLOUDFLARE_API_TOKEN=YOUR_TOKEN --env CLOUDFLARE_ACCOUNT_ID=YOUR_ACCOUNT_ID && claude mcp list
claude mcp list && claude mcp status jam
claude mcp add --transport http socket https://mcp.socket.dev/ && claude mcp list
claude mcp add --transport http stytch http://mcp.stytch.dev/mcp && claude mcp list
npx -y @codacy/codacy-mcp
Config
{
  "mcpServers": {
    "cloudflare": {
      "env": {
        "CLOUDFLARE_API_TOKEN": "${CLOUDFLARE_API_TOKEN}",
        "CLOUDFLARE_ACCOUNT_ID": "${CLOUDFLARE_ACCOUNT_ID}"
      },
      "args": [
        "-y",
        "@cloudflare/mcp-server-cloudflare"
      ],
      "command": "npx",
      "type": "stdio"
    }
  }
}
{
  "mcpServers": {
    "jam": {
      "url": "https://mcp.jam.dev/mcp",
      "type": "http"
    }
  }
}
{
  "mcpServers": {
    "socket": {
      "url": "https://mcp.socket.dev/",
      "type": "http"
    }
  }
}
{
  "mcpServers": {
    "stytch": {
      "url": "http://mcp.stytch.dev/mcp",
      "type": "http"
    }
  }
}
{
  "mcpServers": {
    "codacy": {
      "command": "npx",
      "args": ["-y", "@codacy/codacy-mcp"],
      "env": {
        "CODACY_ACCOUNT_TOKEN": "<YOUR_TOKEN>"
      }
    }
  }
}
Citations
ClaimUnclaimedUnclaimedUnclaimedUnclaimedUnclaimed
Open 4 picks in the interactive comparison tool
  1. 01
    Why it made the cut

    Cloudflare MCP Server - MCP Servers is included because it has maintainer-built package, safety notes present, privacy notes present, first-party source posture.

  2. 02
    Why it made the cut

    Jam MCP Server for Claude is included because it has maintainer-built package, safety notes present, privacy notes present, first-party source posture.

  3. 03
    Why it made the cut

    Socket MCP Server for Claude is included because it has maintainer-built package, safety notes present, privacy notes present, first-party source posture.

  4. 04
    Why it made the cut

    Stytch MCP Server for Claude is included because it has maintainer-built package, safety notes present, privacy notes present, first-party source posture.

  5. 05
    Why it made the cut

    Codacy MCP Server is included because it has safety notes present, privacy notes present, source-backed source posture.

    Reach for instead

    If this will touch credentials, local files, or production systems, inspect the upstream source first.

  6. 06
    Why it made the cut

    PAL MCP Server is included because it has safety notes present, privacy notes present, source-backed source posture.

    Reach for instead

    If this will touch credentials, local files, or production systems, inspect the upstream source first.

  7. 07
    Why it made the cut

    SonarQube MCP Server is included because it has safety notes present, privacy notes present, source-backed source posture.

    Reach for instead

    If this will touch credentials, local files, or production systems, inspect the upstream source first.

  8. 08
    Why it made the cut

    Daloopa MCP Server for Claude is included because it has maintainer-built package, safety notes present, privacy notes present, first-party source posture.

  9. 09
    Why it made the cut

    Git MCP Server for Claude is included because it has maintainer-built package, safety notes present, privacy notes present, first-party source posture.

  10. 10
    Why it made the cut

    GitHub MCP Server for Claude is included because it has maintainer-built package, safety notes present, privacy notes present, first-party source posture.

  11. 11
    Why it made the cut

    HexStrike AI MCP Server is included because it has safety notes present, privacy notes present, source-backed source posture.

    Reach for instead

    If this will touch credentials, local files, or production systems, inspect the upstream source first.

  12. 12
    Why it made the cut

    MATLAB MCP Core Server is included because it has safety notes present, privacy notes present, source-backed source posture.

    Reach for instead

    If this will touch credentials, local files, or production systems, inspect the upstream source first.

  13. 13
    Why it made the cut

    Microsoft MCP Gateway is included because it has safety notes present, privacy notes present, source-backed source posture.

    Reach for instead

    If this will touch credentials, local files, or production systems, inspect the upstream source first.

  14. 14
    Why it made the cut

    Pentest AI MCP Server is included because it has safety notes present, privacy notes present, source-backed source posture.

    Reach for instead

    If this will touch credentials, local files, or production systems, inspect the upstream source first.

  15. 15
    Why it made the cut

    Roam Code is included because it has safety notes present, privacy notes present, source-backed source posture.

    Reach for instead

    If this will touch credentials, local files, or production systems, inspect the upstream source first.

  16. 16
    Why it made the cut

    Searchcode MCP Server is included because it has safety notes present, privacy notes present, source-backed source posture.

    Reach for instead

    If this will touch credentials, local files, or production systems, inspect the upstream source first.

Missing a pick? Propose an edit to this list — every change goes through the same review queue as new entries.

Suggest a pick
Weekly · Sundays

Get the weekly brief

One calm read on Claude workflows. Sundays. No tracking pixels.

Unsubscribe any time. No tracking pixels. No partner blasts.