DevGuard MCP Server

[seb-kw]

We've been experimenting with an MCP server integration for DevGuard, and we'd love your thoughts before we take it further.

What the PoC can do:

• Set up DevGuard projects and repositories via natural language
• Trigger scans on your repos
• Surface and manage vulnerabilities through conversation

→ Check out the project & demo video

---

The part we're uncertain about: vulnerability handling

Making vulnerability management accessible through plain language feels like a genuine step forward — lower friction, faster triage, broader reach. But it also gives us pause.

LLMs are imperfect reasoners. Research on machine bias, hallucination, and over-reliance suggests that when an AI confidently recommends a course of action, users often defer to it — even in high-stakes domains where independent judgment matters most. Vulnerability management is exactly that kind of domain: wrong calls can mean unpatched CVEs, misplaced priorities, or a false sense of security. We want the UX to be empowering, not a shortcut that erodes critical thinking.

---

We're genuinely unsure where the right line is, and we think this community is well-placed to have that conversation. What's your instinct — and has your experience with AI-assisted security tooling shaped that view?

[timbastin]

For setup and onboarding, I see clear value. Using natural language to create projects or trigger scans reduces friction and helps people get started faster. That’s a net positive.

But once it comes to actually handling vulnerabilities, I struggle to see meaningful upside beyond a perceived one. This is not a domain where abstraction helps — it’s one where understanding is essential. You need to know why something is vulnerable, how it can be exploited, and what the trade-offs of a fix are. If an AI starts recommending actions in a conversational way, there’s a real risk that users defer to it instead of engaging with the problem themselves.

That’s not just theoretical — we’ve seen how confident AI suggestions can lead to over-reliance, even when they’re wrong. In vulnerability management, that could mean missed edge cases, incorrect prioritization, or a false sense of security.

I’d lean toward using AI as a supporting tool rather than an acting one. For example:
“Here are the exact lines and context where the issue occurs — please review.”
That kind of assistive guidance could speed up triage without removing the need for human judgment.

So for me, the line would be:

AI for discovery, context, and navigation → makes sense
AI for decision-making or remediation → risky, and likely counterproductive

If the goal is long-term security maturity, I’d prioritize helping users build understanding rather than automating the parts that require it.