
Introduction:
Artificial intelligence agents are increasingly tasked with writing, reviewing, and maintaining code, yet they operate with a critical blind spot: they lack any awareness of a project’s security history. Without context of past vulnerabilities and their fixes, these agents are prone to reintroducing known bugs, wasting computational tokens on rediscovering risks, and missing subtle variants of old flaws. Security Context, a new free service from ProjectDiscovery.io, addresses this gap by providing AI agents with ready-to-use security intelligence derived from a project’s commit history and disclosed CVEs, fundamentally changing how AI interacts with code.
Learning Objectives:
- Understand how Security Context leverages commit history and CVE data to create actionable security intelligence for AI agents.
- Learn to integrate the Security Context MCP server into agent workflows for code generation and review.
- Master the use of `SECURITY_CONTEXT.md` and `VARIANT_LEADS.md` to prevent regressions and discover new vulnerabilities.
- Explore practical command-line and API methods to generate and query security context for any open-source repository.
- Gain insights into advanced workflows combining Security Context with existing security tools for comprehensive vulnerability management.
You Should Know:
1. Setting Up the Security Context MCP Server
The primary method for agents to consume Security Context is through the Model Context Protocol (MCP) server. This allows seamless integration with AI agents like Cursor, Claude Desktop, or custom-built assistants. The configuration is straightforward and requires a one-time setup in your agent’s configuration file.
To add the server, modify the agent’s configuration file (often `config.json` or `mcp_settings.json`) and add the following JSON block:
  {
    "mcpServers": {
      "securitycontext": {
        "url": "https://securitycontext.dev/mcp"
      }
    }
  }
Step-by-step guide:
- Locate your AI agent’s MCP configuration file. For Claude Desktop on Windows, this is typically `%APPDATA%\Claude\claude_desktop_config.json`; on macOS, it is `~/Library/Application Support/Claude/claude_desktop_config.json`.
- Open the file in a text editor and add the `securitycontext` entry to the `mcpServers` object.
- Save the file and restart your AI agent application.
- Verify the connection with a simple request. In Claude Desktop, you can ask: “Use the get_security_context tool for the repository ProjectDiscovery/nuclei.”
- If successful, your agent should return the security context data. On Linux, you can test the API endpoint directly with curl: `curl https://securitycontext.dev/api/context?repo=ProjectDiscovery/nuclei`.
2. Core Tools for Agent Integration
Security Context exposes three primary tools that agents can invoke. Understanding these tools is essential for building robust security-aware AI workflows.
The `get_security_context` tool retrieves the `SECURITY_CONTEXT.md` file for a given repository. This file contains a summary of all security fixes and their associated CVEs. The `get_vulnerability_leads` tool returns the `VARIANT_LEADS.md` file, which pinpoints potential variant vulnerabilities. The `create_security_context` tool triggers the on-demand generation of these files for repositories not yet indexed.
Here is how you might use these tools programmatically via the API:
  # Retrieve security context for a specific repository
  curl -X GET "https://securitycontext.dev/api/context?repo=kubernetes/kubernetes" -H "Accept: application/json"
  # Retrieve vulnerability leads for a repository
  curl -X GET "https://securitycontext.dev/api/leads?repo=kubernetes/kubernetes" -H "Accept: application/json"
  # Trigger on-demand creation for a new repository
  curl -X POST "https://securitycontext.dev/api/create" -H "Content-Type: application/json" -d '{"repo": "https://github.com/example/project"}'
This approach provides flexibility, allowing agents to fetch context on-demand without clogging their token budget with irrelevant data.
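As an added example (not ProjectDiscovery’s client and not code from the service), here is a small Python wrapper for the three endpoints listed above. It validates the `owner/name` slug before it is placed in the URL, treats HTTP 404 as “repository not indexed yet”, and takes an injectable `opener` so the same code can be exercised offline against the constructed stub at the bottom. The endpoint paths and the `repo` parameter are the ones shown in the curl commands; the field names in the stub responses (`files`, `status`) are made up, because the page does not document the response schema.

```python
"""Minimal Python client for the Security Context HTTP endpoints listed above.

Added illustration, not ProjectDiscovery's own client. Endpoint paths and the
`repo` parameter come from the article; the response schema is not documented
there, so decoded JSON is returned as-is. The stub at the bottom is constructed.
"""
import json
import re
import urllib.error
import urllib.parse
import urllib.request

BASE_URL = "https://securitycontext.dev/api"
# Only GitHub-style "owner/name" slugs reach the query string; anything else is
# rejected up front instead of being interpolated into the URL.
REPO_SLUG = re.compile(r"^[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+$")


def build_url(kind: str, repo: str) -> str:
    """Return the /api/context or /api/leads URL for a validated repo slug."""
    if kind not in ("context", "leads"):
        raise ValueError(f"unknown endpoint: {kind!r}")
    if not REPO_SLUG.match(repo):
        raise ValueError(f"repo must look like owner/name, got {repo!r}")
    return f"{BASE_URL}/{kind}?repo={urllib.parse.quote(repo, safe='/')}"


def fetch_json(req: urllib.request.Request, opener=urllib.request.urlopen, timeout: float = 15.0):
    """Send `req` and decode the JSON body; None on HTTP 404 (repository not indexed yet)."""
    try:
        with opener(req, timeout=timeout) as resp:
            return json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as exc:
        if exc.code == 404:
            return None
        raise


def get_security_context(repo: str, opener=urllib.request.urlopen):
    """Counterpart of the get_security_context tool: GET /api/context?repo=owner/name."""
    req = urllib.request.Request(build_url("context", repo), headers={"Accept": "application/json"})
    return fetch_json(req, opener)


def get_vulnerability_leads(repo: str, opener=urllib.request.urlopen):
    """Counterpart of the get_vulnerability_leads tool: GET /api/leads?repo=owner/name."""
    req = urllib.request.Request(build_url("leads", repo), headers={"Accept": "application/json"})
    return fetch_json(req, opener)


def create_security_context(repo_url: str, opener=urllib.request.urlopen):
    """Counterpart of the create_security_context tool: POST /api/create with {"repo": url}.

    Restricting submissions to https://github.com/ URLs is this client's choice (assumption).
    """
    if not repo_url.startswith("https://github.com/"):
        raise ValueError("only https://github.com/ URLs are submitted by this client")
    body = json.dumps({"repo": repo_url}).encode("utf-8")
    req = urllib.request.Request(f"{BASE_URL}/create", data=body, method="POST",
                                 headers={"Content-Type": "application/json"})
    return fetch_json(req, opener, timeout=60.0)


def get_or_create(repo: str, opener=urllib.request.urlopen):
    """Fetch the context; on 404, request on-demand creation and return None for now."""
    ctx = get_security_context(repo, opener)
    if ctx is None:
        create_security_context(f"https://github.com/{repo}", opener)
    return ctx


# --- constructed offline stub; field names are invented, not the real schema ---
class _StubResponse:
    def __init__(self, payload: bytes):
        self._payload = payload

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False

    def read(self) -> bytes:
        return self._payload


def stub_opener(req: urllib.request.Request, timeout=None):
    """Answers for ProjectDiscovery/nuclei and for POST /api/create; everything else is 404."""
    if req.get_method() == "POST":
        return _StubResponse(b'{"status": "queued"}')
    if "repo=ProjectDiscovery/nuclei" in req.full_url:
        return _StubResponse(b'{"repo": "ProjectDiscovery/nuclei", "files": ["pkg/example.go"]}')
    raise urllib.error.HTTPError(req.full_url, 404, "Not Found", {}, None)


if __name__ == "__main__":
    print(get_security_context("ProjectDiscovery/nuclei", opener=stub_opener))
    print(get_or_create("example/not-indexed", opener=stub_opener))
```

Drop the `opener=` argument to talk to the live service; the slug check and the 404 handling stay the same, which is what keeps an agent from either building odd URLs from user-supplied repository names or treating “not indexed” as an error.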
3. Understanding SECURITY_CONTEXT.md: The Regression Prevention Playbook
`SECURITY_CONTEXT.md` is the foundational file that any AI agent should load before modifying code. It serves as a historical ledger of security fixes, outlining what was vulnerable, how it was patched, and where in the codebase these fixes occurred. This context acts as a guardrail, preventing the agent from regressing known vulnerabilities.
The file structure typically includes a table of all relevant CVEs, the files and commit hashes of the fixes, and a brief description of the issue. By ingesting this, an agent gains instant awareness of sensitive areas. For example, if an agent is asked to add a new feature to a function that previously had an XSS vulnerability, the `SECURITY_CONTEXT.md` will flag this function, prompting the agent to implement proper output encoding.
Here’s a practical workflow:
- Agent loads SECURITY_CONTEXT.md: At the start of any major code generation task, the agent fetches this file.
- Contextual analysis: The agent parses the file to identify which components have a history of security issues.
- Informed code generation: When generating new code or modifying existing code, the agent checks its output against the patterns described in the file.
- Automated testing: The agent can write specific unit tests to ensure the fix is not undone. For instance, a developer might instruct the agent: “Write a test to ensure that the input sanitization introduced in commit `f7a8b9c` is always applied.”
4. Hunting with VARIANT_LEADS.md: Finding the Unfixed Bug
While `SECURITY_CONTEXT.md` is defensive, `VARIANT_LEADS.md` is offensive. It is designed for security researchers, bug bounty hunters, and AI agents tasked with finding new vulnerabilities. This file analyzes the current codebase and identifies patterns that match a historical fix but appear to be missing the corresponding patch. Each lead provides a file, line number, the suspected sink function, a severity rating, and the reasoning.
For example, if a past fix addressed a SQL injection vulnerability by adding parameterized queries to a set of functions, `VARIANT_LEADS.md` will scan the current codebase for any similar-looking functions that still use string concatenation for SQL queries. This turns the historical fix into a template for finding new bugs.
A step-by-step workflow for bug hunting with an AI agent:
1. Fetch VARIANT_LEADS.md: The agent retrieves this file at the beginning of a security review session.
2. Analyze leads: The agent systematically goes through each lead, understanding the context of the pattern.
3. Deep inspection: For each lead, the agent examines the surrounding code to determine if the fix is truly missing or if there is a compensating control elsewhere.
4. Proof of Concept generation: If a true positive is identified, the agent can be tasked with generating a proof-of-concept (PoC) exploit to demonstrate the vulnerability.
5. Reporting: The agent can then generate a detailed report and, if connected to a ticketing system, file an issue directly.
5. Integrating with Windows and Linux for Local Auditing
While Security Context is primarily a cloud service, its output can be integrated into local security audits. On Windows, you can use PowerShell to fetch and process the data. On Linux, `curl` and `jq` are your go-to tools. This is particularly useful for CI/CD pipelines where you want to block builds that touch sensitive areas.
Windows PowerShell example:
  # Fetch security context for a repo and save it as JSON (-Depth keeps nested objects from being truncated)
  $context = Invoke-RestMethod -Uri "https://securitycontext.dev/api/context?repo=ProjectDiscovery/nuclei"
  $context | ConvertTo-Json -Depth 10 | Out-File -FilePath "security_context.json"
  # Parse to find all files with high-severity fixes (assumes each entry exposes 'severity' and 'file' properties)
  $highSeverityFiles = $context | Where-Object { $_.severity -eq "High" } | Select-Object -ExpandProperty file
Linux Bash script for CI/CD:
  #!/bin/bash
  # Check whether the files modified in a pull request touch any file listed in SECURITY_CONTEXT.md
  set -euo pipefail
  REPO="my-org/my-project"
  git diff --name-only HEAD~1 > changed_files.txt
  curl -s "https://securitycontext.dev/api/context?repo=$REPO" | jq -r '.files[]' > security_files.txt
  # Use grep to find the overlap (fixed-string, whole-line matches)
  overlap=$(grep -Fxf changed_files.txt security_files.txt || true)
  if [ -n "$overlap" ]; then
    echo "Warning: Your changes affect security-sensitive files. Review your changes."
    echo "$overlap"
    exit 1
  fi
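The following is an added example, not ProjectDiscovery’s code, that serves the three workflows above in one script: loading `SECURITY_CONTEXT.md` before a change and checking the change set against it (sections 3 and 5), and ordering the entries of `VARIANT_LEADS.md` for review (section 4). The article says the context file carries CVEs, fix files, commits and descriptions, and that each lead carries a file, line, sink, severity and reasoning, but it does not show the exact layout, so the markdown-table layout parsed here is an assumption and both sample files are constructed. It goes slightly beyond the grep-based gate by also matching files under a directory that a past fix lists, and by flagging leads whose file no longer exists in the checkout instead of dropping them.

```python
"""Consume SECURITY_CONTEXT.md and VARIANT_LEADS.md locally: gate a change set,
triage leads. Added example, not ProjectDiscovery's code; the pipe-table layout
is an ASSUMPTION and both samples below are constructed, not service output.
"""
from __future__ import annotations

import re
import sys

SAMPLE_SECURITY_CONTEXT = """\
# Security context (constructed sample, assumed layout)

| CVE | Files | Commit | Description |
|-----|-------|--------|-------------|
| CVE-0000-0001 | pkg/templates/render.go | 1a2b3c4 | XSS: unescaped template output in report writer |
| CVE-0000-0002 | pkg/db/query.go, pkg/db/search.go | 5d6e7f8 | SQL injection: WHERE clause built by string concatenation |
| CVE-0000-0003 | internal/auth/ | 9a8b7c6 | Path traversal in session file loader (whole directory) |
"""

SAMPLE_VARIANT_LEADS = """\
| File | Line | Sink | Severity | Reasoning |
|------|------|------|----------|-----------|
| pkg/db/export.go | 88 | db.Exec | High | SQL built with fmt.Sprintf, same shape as pre-fix query.go |
| pkg/templates/email.go | 41 | template.HTML | Medium | user string wrapped in HTML without escaping |
| pkg/legacy/old_search.go | 12 | db.Query | Low | same pattern as CVE-0000-0002; file may no longer exist |
"""

SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}
SEPARATOR_CELL = re.compile(r":?-+:?")


def parse_markdown_table(text: str) -> list[dict[str, str]]:
    """Parse the first pipe table in `text` into one dict per data row.
    Cells containing a literal '|' are not supported by this simple splitter."""
    header: list[str] | None = None
    rows: list[dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if header is None:
            header = cells
        elif all(SEPARATOR_CELL.fullmatch(c) for c in cells):
            continue  # the |---|---| row under the header
        elif len(cells) != len(header):
            raise ValueError(f"row has {len(cells)} cells, header has {len(header)}: {line}")
        else:
            rows.append(dict(zip(header, cells)))
    return rows


def sensitive_paths(context_md: str) -> set[str]:
    """Every file (or directory, trailing '/') that a past security fix touched."""
    paths: set[str] = set()
    for row in parse_markdown_table(context_md):
        paths.update(p.strip() for p in row["Files"].split(",") if p.strip())
    return paths


def match_sensitive(path: str, sensitive: set[str]) -> str | None:
    """Return the context entry covering `path`: exact file, or an enclosing directory."""
    if path in sensitive:
        return path
    for entry in sensitive:
        if entry.endswith("/") and path.startswith(entry):
            return entry
    return None


def gate_changed_files(changed: list[str], context_md: str) -> list[tuple[str, str]]:
    """(changed file, matching context entry) for each change landing in a patched
    location; an empty list means the change set is clear of historical hot spots."""
    sensitive = sensitive_paths(context_md)
    hits = []
    for path in changed:
        entry = match_sensitive(path, sensitive)
        if entry is not None:
            hits.append((path, entry))
    return hits


def triage_leads(leads_md: str, present_files: set[str]) -> list[dict]:
    """Order leads for review: live files first, then by severity, then by path.
    A lead whose file is gone from the checkout is kept but flagged stale, so a
    reviewer sees it rather than losing it silently."""
    leads = parse_markdown_table(leads_md)
    for lead in leads:
        lead["stale"] = lead["File"] not in present_files
    leads.sort(key=lambda l: (l["stale"], SEVERITY_RANK.get(l["Severity"], 99), l["File"]))
    return leads


if __name__ == "__main__":
    # Pass the output of `git diff --name-only` as arguments; falls back to a constructed set.
    changed = sys.argv[1:] or ["pkg/db/query.go", "internal/auth/session.go", "README.md"]
    for path, entry in gate_changed_files(changed, SAMPLE_SECURITY_CONTEXT):
        print(f"WARNING: {path} touches historically patched location {entry}")
    for lead in triage_leads(SAMPLE_VARIANT_LEADS, {"pkg/db/export.go", "pkg/templates/email.go"}):
        flag = " (stale)" if lead["stale"] else ""
        print(f"{lead['Severity']:8} {lead['File']}:{lead['Line']} sink={lead['Sink']}{flag}")
```

In a pipeline, `gate_changed_files` returning a non-empty list is the signal to fail the build or request a security review, exactly as the grep script above does; `triage_leads` is the ordering an agent or researcher would walk through in the “Analyze leads” step, with the stale flag standing in for the “compensating control elsewhere” check that step 3 asks for.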
6. On-Demand Context Creation and Caching
Security Context indexes thousands of popular projects, but the repository you are working on might not be in the list. The `create_security_context` tool handles this. It triggers a build process that analyzes the repository’s commit history and CVE data, generating the context files in seconds to minutes. This is a crucial feature for organizations with private repositories or niche open-source projects.
The process works by cloning the repository, parsing the Git log for security-related commits (often identified by keywords like “CVE”, “vulnerability”, “security fix”), and cross-referencing these with publicly disclosed CVEs from the National Vulnerability Database (NVD). The result is a `SECURITY_CONTEXT.md` and `VARIANT_LEADS.md` file that is cached for future requests. For private repositories, you would need to host the server internally with appropriate access controls.
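As an added illustration of the approach this section describes (a keyword scan of commit messages cross-referenced with CVE identifiers), not ProjectDiscovery’s pipeline, the script below flags security-relevant commits in a git log and builds the CVE-to-files ledger that a `SECURITY_CONTEXT.md` needs. The log is constructed, in a record layout of my own that approximates `git log --name-only` after light post-processing, and the CVE ids in it are placeholders. It keeps a confidence tier because the heuristic errs in both directions: unlabeled fixes are missed (the limitation noted later on this page), while a dependency bump that mentions “vulnerability” is picked up even though it changes no project code.

```python
"""Flag security-relevant commits in a git log and tie them to CVE identifiers.

Added example of the described approach, not ProjectDiscovery's pipeline. The
log below is constructed (record layout of my own; CVE ids are placeholders).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

SAMPLE_GIT_LOG = """\
commit aaaa111
fix(db): use parameterized queries in search path
Addresses CVE-0000-0002 (constructed id). Reported via the security list.
--files--
pkg/db/query.go
pkg/db/search.go

commit bbbb222
refactor: rename template helper
No functional change.
--files--
pkg/templates/render.go

commit cccc333
Escape report output to fix XSS (security fix)
--files--
pkg/templates/render.go
pkg/report/html.go

commit dddd444
chore: bump dependencies
Includes upstream vulnerability fixes in a third-party module.
--files--
go.mod
go.sum
"""

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,7}\b", re.IGNORECASE)
# Phrases that almost always mark a fix in the project's own code.
STRONG_RE = re.compile(r"security (fix|issue|advisory|patch)", re.IGNORECASE)
# Generic vocabulary that needs a human look: it also shows up in dependency bumps.
WEAK_RE = re.compile(r"vulnerab|injection|\bxss\b|overflow|traversal|sanitiz", re.IGNORECASE)


@dataclass
class Commit:
    sha: str
    subject: str
    body: str
    files: list[str]


@dataclass
class SecurityCommit:
    sha: str
    subject: str
    cves: list[str]
    files: list[str]
    confidence: str  # "high": CVE id or explicit security phrase; "low": generic keyword only


def parse_log(text: str) -> list[Commit]:
    """Split the constructed layout: 'commit <sha>', subject, body lines, '--files--', paths.
    A body line that itself starts with 'commit ' would be misread; real logs need %x00 separators."""
    commits = []
    for chunk in re.split(r"(?m)^commit ", text):
        lines = chunk.strip().splitlines()
        if not lines:
            continue
        split = lines.index("--files--") if "--files--" in lines else len(lines)
        subject = lines[1].strip() if split > 1 else ""
        body = "\n".join(lines[2:split]).strip()
        files = [l.strip() for l in lines[split + 1:] if l.strip()]
        commits.append(Commit(lines[0].strip(), subject, body, files))
    return commits


def classify(commit: Commit) -> SecurityCommit | None:
    """Return a SecurityCommit when the message looks security-related, else None."""
    message = f"{commit.subject}\n{commit.body}"
    cves = sorted({m.upper() for m in CVE_RE.findall(message)})
    if cves or STRONG_RE.search(message):
        confidence = "high"
    elif WEAK_RE.search(message):
        confidence = "low"
    else:
        return None
    return SecurityCommit(commit.sha, commit.subject, cves, commit.files, confidence)


def security_commits(log_text: str) -> list[SecurityCommit]:
    return [sc for sc in map(classify, parse_log(log_text)) if sc is not None]


def files_by_cve(log_text: str) -> dict[str, set[str]]:
    """The CVE-to-files ledger a SECURITY_CONTEXT.md needs, built from flagged commits."""
    ledger: dict[str, set[str]] = {}
    for sc in security_commits(log_text):
        for cve in sc.cves:
            ledger.setdefault(cve, set()).update(sc.files)
    return ledger


if __name__ == "__main__":
    for sc in security_commits(SAMPLE_GIT_LOG):
        print(f"{sc.sha} [{sc.confidence}] {sc.subject} cves={sc.cves} files={sc.files}")
    print(files_by_cve(SAMPLE_GIT_LOG))
```

Only commits carrying a CVE id contribute to the ledger; the “security fix” commit without one is still flagged so a maintainer can attach the right identifier, which is the commit-message discipline the commentary below recommends.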
7. Security Context as a Complement to SAST/DAST
Security Context should not replace traditional Static Application Security Testing (SAST) or Dynamic Application Security Testing (DAST), but rather complement them. SAST tools like SonarQube or Checkmarx can find a broad spectrum of issues but often produce high false-positive rates. Security Context provides a high-signal, low-noise dataset based on historical reality—bugs that actually caused problems.
Integrating Security Context into a CI/CD pipeline can act as a pre-filter. For example, you can use Security Context to identify which files are “high-risk.” Your SAST scanner can then run a deeper, more targeted analysis on those files, or you can prioritize remediation efforts. Furthermore, you can use the `VARIANT_LEADS.md` to generate specific rules for your SAST tool, turning historical context into active scanning rules. For instance, if `VARIANT_LEADS.md` flags a pattern, you can write a custom SonarQube rule to catch that pattern in future commits.
What Undercode Say:
- Key Takeaway 1: Security Context fundamentally solves the problem of AI agents lacking historical security awareness, providing a concrete and free method to prevent regression bugs. By ingesting `SECURITY_CONTEXT.md`, agents can ensure that the fixes of yesterday are not undone by the code of today.
- Key Takeaway 2: The generation of `VARIANT_LEADS.md` is a paradigm shift for AI-assisted vulnerability research. It effectively turns an agent into a junior security researcher, using past fixes as a template to discover new variants, which is a testament to the power of data-driven security.
The core insight is the relevance of historical security fixes. As the post correctly notes, “the places that got patched for security tend to be the places that matter again.” This is a brilliant heuristic. Security Context operationalizes this by making that historical data machine-readable and agent-actionable. The free, no-auth model is crucial for widespread adoption. It democratizes access to high-quality security context, which is especially valuable for open-source projects that lack dedicated security teams. However, the service’s reliance on public commit messages means it might miss fixes that are not clearly labeled as security-related. For optimal results, organizations should consider integrating this with internal workflows, potentially using it to enforce rules about commit messages that reference CVEs.
Prediction:
- +1 Widespread adoption of tools like Security Context will become a standard best practice in AI-driven development, leading to a measurable decline in regression vulnerabilities across major open-source projects within the next 18 months.
- +1 The integration of historical security context into AI agents will spur the creation of “security-aware” code generation models, where models are fine-tuned on datasets like SECURITY_CONTEXT.md to inherently avoid past mistakes.
- -1 As the service grows, it may become a high-value target for attackers. An adversary could attempt to poison the historical data in their own open-source projects, creating a false sense of security, or use the `VARIANT_LEADS.md` from others as a primary reconnaissance vector for finding vulnerabilities before they are patched.
- -1 The current reliance on commit messages for identifying security fixes poses a risk of incomplete context. Projects with poor commit discipline or those that backport fixes without explicit mention will be underrepresented, leading agents to miss critical security boundaries.
- +1 The methodology behind Security Context will likely be extended to other domains beyond open-source, such as internal enterprise repositories, by creating private instances of the service. This will be a key driver for its long-term viability.
- +1 The “variant hunting” capability will evolve to include AI-driven pattern generation, where agents don’t just find missing checks but proactively generate new defense mechanisms based on historical attack patterns, effectively making the system self-healing.
- -1 The simplicity of the model—matching patterns from fixes—could lead to an over-focus on known vulnerability classes, potentially causing agents to overlook novel vulnerability types that do not have a historical precedent. This could create a “known knowns” blind spot in AI-driven security reviews.
Reported By: Ehsandeepsingh Were – Hackers Feeds