FAQ about the CAST Imaging MCP Server

How it works:

• API Key Generation: You generate an API key from your CAST Imaging user profile (accessible after logging in)
• This API key is then passed to the MCP server via an mcp.json file using the x-api-key entry.

For GitHub Copilot in VS Code, you configure authentication in the .vscode/mcp.json file. Then when you start using Copilot, VS Code will prompt you to enter your API key, which it then includes in every request to the MCP server.

Key points:

• No separate MCP server credentials - you use your existing CAST Imaging API key
• The MCP server simply forwards this API key to the CAST Imaging APIs

• Metadata and analysis results (always included):

  • Application names, statistics, metrics
  • Transaction names, data graph names
  • Package dependencies, architectural information
  • Quality insights (CVE vulnerabilities, cloud readiness issues, structural flaws)
  • Object names, types, file paths
  • Relationships between components (caller/callee, dependencies)

• Source code snippets (controlled by the IMAGING_CODE setting - Ttis setting exists specifically because source code exposure is sensitive):

  • Default position: IMAGING_CODE=False - i.e. no source code is sent to the LLM
  • When enabled: IMAGING_CODE=True - code snippets from the database may be included in responses

• What is NOT sent:

  • No source code is sent to the LLM from disk (the MCP server does not have direct file access)
  • Database connection strings or credentials
  • Internal CAST Imaging configuration details

Source code protection:

• IMAGING_CODE setting (default: False):
  • Prevents source code snippets from being included in MCP responses
  • Must be explicitly enabled to access code
  • No direct file system access - the MCP server does not read your actual source code files

What IS exposed (by design):

• Application architecture - Component relationships, layers, dependencies
• Quality insights - CVE vulnerabilities, code smells, quality metrics
• Metadata - Object names, transaction names, database schema related to the specific query.

What is NOT exposed:

• Actual source code (unless IMAGING_CODE=True)
• Credentials or connection strings
• Proprietary algorithms

Protocols used:

• HTTP/HTTPS over TCP
• Model Context Protocol (MCP) - Streamable HTTP transport
• RESTful API calls to CAST Imaging backend

Encryption options:

• HTTP mode (default)
  • No certificates required
  • Set HTTPS_ENABLED=false in configuration

MCP Client → HTTP → MCP Server → CAST Imaging

• HTTPS mode
  • Nginx performs SSL termination
  • Requires SSL certificate and private key (CA-signed recommended)
  • Set HTTPS_ENABLED=true and provide certificates in certificates/ folder

MCP Client → HTTPS → Nginx Proxy → HTTP (internal port 8282) → MCP Server → CAST Imaging

MCP Server ports:

• HTTP mode: port 8282 (configurable via MCP_SERVER_PORT in .env)
• HTTPS mode: Port 8443 (Nginx SSL proxy)

CAST Imaging ports:

• Control Panel/Eureka: Port 8098 (default, configurable via PORT_CONTROL_PANEL)
• CAST Imaging Port: 8090 (default)

How it works:

• Per-request authentication: each AI client sends their own API key with every request
• No session management: no login/logout sessions that could block other users
• Async architecture: built on FastMCP with asynchronous request handling for concurrent operations