FAQ about the CAST Imaging on Cloud MCP Server


Overview

A series of frequently asked questions about CAST Imaging on Cloud’s dedicated MCP (Model Context Protocol) server.

Frequently Asked Questions

How does the MCP server authenticate with CAST Imaging on Cloud? What authentication mechanisms are supported (API keys, OAuth, certificates)?
The MCP server authenticates with CAST Imaging on Cloud using an API key, which is the primary authentication method.

How it works:

  • API Key Generation: You generate an API key from your CAST Imaging on Cloud user profile (accessible after logging in).
  • This API key is then passed to the MCP server via an mcp.json file using the x-api-key entry.

How do AI clients authenticate to the MCP server? What credentials are required for Claude Desktop, GitHub Copilot, or other AI agents to connect?
AI clients (Claude Desktop, GitHub Copilot, etc.) authenticate to the MCP server by passing your CAST Imaging on Cloud API key in the request headers.

For GitHub Copilot in VS Code, you configure authentication in the .vscode/mcp.json file as explained in Getting started with the MCP Server. Then when you start using Copilot, VS Code will prompt you to enter your API key, which it then includes in every request to the MCP server.

Key points:

  • No separate MCP server credentials - you use your existing CAST Imaging on Cloud API key
  • The MCP server simply forwards this API key to the CAST Imaging on Cloud APIs
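
A check for the configuration described above, as an added example (not CAST's or VS Code's own code): it reads an mcp.json document and reports any x-api-key header stored as a literal value instead of being supplied through a masked prompt. The `servers`/`inputs` layout and `${input:…}` references follow VS Code's mcp.json format; the function name, server name, URL and key value are constructed placeholders.

```python
import json
import re

# VS Code variable references such as ${input:some-id} or ${env:SOME_VAR}
VAR_REF = re.compile(r"^\$\{(input|env):([^}]+)\}$")

def audit_mcp_config(text):
    """Return (server, finding) tuples for x-api-key headers in an mcp.json document."""
    config = json.loads(text)
    inputs = {i.get("id"): i for i in config.get("inputs", [])}
    findings = []
    for name, server in config.get("servers", {}).items():
        for header, value in server.get("headers", {}).items():
            if header.lower() != "x-api-key":
                continue
            match = VAR_REF.match(str(value))
            if match is None:
                findings.append((name, "literal API key stored in file"))
            elif match.group(1) == "input":
                decl = inputs.get(match.group(2))
                if decl is None:
                    findings.append((name, "input variable is not declared"))
                elif not decl.get("password", False):
                    findings.append((name, "input prompt does not mask the key"))
    return findings

# Constructed sample: key pasted into the file (placeholder, not a real key).
HARDCODED = """{
  "servers": {
    "imaging": {
      "type": "http", "url": "https://mcp.example.invalid/mcp",
      "headers": {"x-api-key": "PLACEHOLDER-NOT-A-REAL-KEY"}
    }
  }
}"""

# Constructed sample: key requested through a masked prompt when the server starts.
PROMPTED = """{
  "inputs": [{"type": "promptString", "id": "imaging-key", "password": true}],
  "servers": {
    "imaging": {
      "type": "http", "url": "https://mcp.example.invalid/mcp",
      "headers": {"x-api-key": "${input:imaging-key}"}
    }
  }
}"""

if __name__ == "__main__":
    print(audit_mcp_config(HARDCODED), audit_mcp_config(PROMPTED))
```

A literal key in `.vscode/mcp.json` is easy to commit to version control along with the rest of the workspace, which is why the check treats it as a finding.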

What data is sent from the CAST Imaging on Cloud MCP tools to the LLM, specifically concerning prompt and customer code, along with encryption options?
Here is a list of data that is sent to the LLM while using MCP:
  • Metadata and analysis results (always included):

    • Application names, statistics, metrics
    • Transaction names, data graph names
    • Package dependencies, architectural information
    • Quality insights (CVE vulnerabilities, cloud readiness issues, structural flaws)
    • Object names, types, file paths
    • Relationships between components (caller/callee, dependencies)
  • What is NOT sent:

    • Source code from disk (the MCP server does not have direct file access)
    • Database connection strings or credentials
    • Internal CAST Imaging on Cloud configuration details

Does the CAST Imaging on Cloud MCP server expose sensitive business logic or source code? What safeguards prevent over-exposure?
The CAST Imaging on Cloud MCP server is designed with safeguards to prevent unintended data exposure:
  • No source code is sent to the LLM from disk
  • No direct file system access: the MCP server does not read your actual source code files

What IS exposed (by design):

  • Application architecture - Component relationships, layers, dependencies
  • Quality insights - CVE vulnerabilities, code smells, quality metrics
  • Metadata - Object names, transaction names, database schema related to the specific query

What is NOT exposed:

  • Actual source code
  • Credentials or connection strings
  • Proprietary algorithms