1. Create an API key
In KollGuard go to Settings → API keys and create a key. It's shown once — copy it. Keys look like kgr_… and are read-only: they can read findings, posture, scans, and stats, and can never change anything. Revoke a key any time.
2. Connect your IDE (MCP)
Add the KollGuard MCP server to your client's config, with your key. It's the open-source kollguard-mcp package — run via npx, nothing to install. The same snippet works in every MCP client:
{
"mcpServers": {
"kollguard": {
"command": "npx",
"args": ["-y", "kollguard-mcp"],
"env": { "KOLLGUARD_API_KEY": "kgr_your_key_here" }
}
}
}| Client | Where the config lives |
|---|---|
| Claude Code | .mcp.json in your project root (or `claude mcp add`) |
| Claude Desktop | claude_desktop_config.json (Settings → Developer → Edit Config) |
| Grok CLI | .grok/settings.json (or /mcps in the TUI) |
| Cursor | .cursor/mcp.json |
| VS Code | .vscode/mcp.json (native), or your Cline / Continue extension settings |
| Windsurf | ~/.codeium/windsurf/mcp_config.json (Settings → MCP) |
| Zed | settings.json → context_servers |
| Goose | ~/.config/goose/config.yaml (extensions), or `goose configure` |
MCP is an open standard, so any MCP-compatible client works — the JSON above is identical everywhere; only the file location differs. Then ask your agent things like: "List my KollGuard projects, then pull the open critical & high findings for the api-server project and propose fixes." (In a multi-project org, have it call kollguard_list_projects first, then pass that projectId to the other tools.)
Tools the server exposes
| kollguard_list_projects | Your projects (repo/db groups) with ids — call first to pick one in a multi-project org |
| kollguard_list_findings | Findings (filter by projectId / severity / status / framework), each mapped to controls + remediation |
| kollguard_get_posture | Open findings, risk score, per-framework gaps, top risks (incl. a byProject breakdown) |
| kollguard_list_scans | Recent scan runs with severity counts |
| kollguard_stats | Headline stats: open findings, by severity & framework, scans last 7 days |
3. Or use the REST API directly
Prefer a script or CI step? Hit the API with the same key. Base URL https://api.kollguard.com/v1:
curl -H "Authorization: Bearer kgr_your_key_here" \ https://api.kollguard.com/v1/findings
| Endpoint | Returns |
|---|---|
| GET /v1/findings | Findings, optional ?severity= ?status= ?framework= |
| GET /v1/posture | Aggregated posture + top risks |
| GET /v1/scans | Recent scan runs |
| GET /v1/stats | Headline stats |
All endpoints are GET and tenant-scoped to the key. Findings are JSON, each mapped to SOC 2 / HIPAA + 10 more frameworks with remediation.
FAQ
- What can a KollGuard API key do?
- A `kgr_` API key is read-only and GET-only: it can read your findings, posture, scans, and stats, but can never change anything in your account. Create and revoke keys in Settings → API keys.
- Which IDEs and tools work with the KollGuard MCP server?
- Any MCP-compatible client — Claude Code, Cursor, VS Code (Cline/Continue), Windsurf, and Zed all use the same config shape. The server is the npm package kollguard-mcp, run via npx. The REST API works with any HTTP client (curl, a CI step, a script).
- What is the KollGuard API base URL?
- https://api.kollguard.com/v1 — for example, https://api.kollguard.com/v1/findings. Authenticate with an Authorization: Bearer kgr_… header.