CAST MCP Server for Gatekeeper installation on Linux via Docker
Overview
This guide covers the installation of the CAST MCP Server for Gatekeeper on Linux via Docker. It’s intended for:
- Direct installation on Linux, via Docker
- new installations (i.e. from scratch)
- in-place updates to a new release
The installation package com.castsoftware.gatekeeper.mcpserver.docker includes an installation script (run.sh) and configuration files. All Docker images are pulled direct from https://hub.docker.com during the installation.
How it works
The MCP Server sits between an AI client and the CAST Imaging for Gatekeeper REST API:
- A user types a natural-language query in their AI assistant (e.g., “Show me security violations for MyApp”).
- The AI client (Claude / Copilot) identifies the right MCP Tool to call.
- The MCP Server receives the structured tool call, validates inputs, and forwards the request to the API.
- The response is normalised and returned to the AI, which presents a human-readable summary.
Requirements
The CAST MCP Server for Gatekeeper is a standalone component and can therefore be installed wherever convenient in your local environment, e.g. on a dedicated machine, or on a machine already used by other CAST Imaging components.
When using a dedicated machine, CAST recommends following the general hardware and software requirements but note that the component does not require:
- a Java JRE/JDK
Other requirements:
- MCP Server runs as a Docker container on TCP port 8283 although you can change this in the
.envfile (see below). You may therefore need to adjust firewall rules to allow incoming connections to this port - see software requirements for more information about supported Linux OS, Docker Engine and Docker Compose
- a minimum of 2GB free disk space
- An MCP-aware client such as GitHub Copilot (Visual Studio Code), Claude Desktop, or Cursor
- a functioning release of CAST Imaging for Gatekeeper (Dashboards) installed (MCP Server interacts with the
imaging-servicescomponent) in your network (see CAST Imaging compatibility below) - a CAST Imaging API key, see Generating an API key
CAST Imaging compatibility
| MCP Server release | Required API version/CAST Imaging release |
|---|---|
| ≥ 3.0.0-beta1 | ≥ 3.6.2-funcrel |
MCP-aware client connection routing
MCP-aware clients connect directly to CAST Imaging via its public gateway - instead of direct to the MCP Server. As a result, CAST Imaging 3.6.2-funcrel or later is required as the target installation to ensure proper routing back to the MCP Server. This integration ensures all query requests are routed through CAST Imaging.
HTTPS
If you require a secure HTTPS connection between your MCP-aware client and the MCP Server, you must enable HTTPS on the CAST Imaging gateway - see HTTPS configuration.
Note also that if the CAST Imaging gateway is configured in HTTPS mode, then the CONTROL_PANEL_SSL_ENABLED option must be set to true in the MCP Server itself (see Step 3 - Configure your installation).
Installation process
Step 1 - Verify connection to CAST Imaging
Before proceeding, ensure you can access CAST Imaging (the imaging-services component) from the machine where you intend to install MCP Server by running the following (tailored to your own environment):
$ curl -H "x-api-key: <your-imaging-api-key>" http://<your_imaging_public_URL>:8090/dashboards/rest/server
The expected output is at least one entry similar to:
[
{
"href": "55c46218-c3f3-44ad-9042-7e1791ec7cbf",
"name": "55c46218-c3f3-44ad-9042-7e1791ec7cbf",
"dbType": "ADG",
"version": "8.4.10",
"schema": "app1_central",
"dbmsVersion": "PostgreSQL",
"componentsIndexStatus": "upToDate",
"violationsIndexStatus": "toCreate",
"systems": {
"href": "55c46218-c3f3-44ad-9042-7e1791ec7cbf/systems",
"name": "All Systems. A system represents a portfolio of applications."
},
"applications": {
"href": "55c46218-c3f3-44ad-9042-7e1791ec7cbf/applications",
"name": "All Applications. An application represents ..."
},
"nbOfApplications": 1,
"configurations": {
"href": "55c46218-c3f3-44ad-9042-7e1791ec7cbf/configuration/snapshots",
"name": "All configuration snapshots ..."
},
"results": {
"href": "55c46218-c3f3-44ad-9042-7e1791ec7cbf/results",
"name": "Results by snapshots, by systems, by ..."
},
"commonCategories": null,
"tags": null
}
]
Step 2 - Download the installation media
Download the installer using curl:
$ curl -# -O -J "https://extend.castsoftware.com/api/package/download/com.castsoftware.gatekeeper.mcpserver.docker/<version>?platform=linux_x64" -H "x-nuget-apikey: <api-key>" -H "accept: application/octet-stream"
Where:
-#: enables a download progress bar.-O: (--remote-name) ensures the file is downloaded and saved to the current folder using the same name as the remote file.-J: (--remote-header-name) ensures the-Ooption uses the server-specified Content-Disposition filename instead of extracting a filename from the URL. If the server-provided filename contains a path, that is stripped off before the filename is used.<version>: uselatestto download the most recent release, or specify the specific release, e.g.,1.0.1-funcrel.-H: (--header) defines the additional header to include in information sent.<api-key>: your CAST Extend API key (obtain this from https://extend.castsoftware.com/#/profile/settings )
Example for latest release:
$ curl -# -O -J "https://extend.castsoftware.com/api/package/download/com.castsoftware.gatekeeper.mcpserver.docker/latest?platform=linux_x64" -H "x-nuget-apikey: a9999a9a-c999-999d-999b" -H "accept: application/octet-stream"
Unzip the resulting ZIP file anywhere on your local disk. The following files/folders will be created:
com.castsoftware.gatekeeper.mcpserver.docker.<version>/
├── config/
│ └── app.config
├── copilot-instructions.md
├── docker-compose.yml
├── README.md
├── run.sh
└── .env # Hidden file (use `ls -a` to view)
Step 3 - Configure your installation
app.config
Locate the config/app.config file at the root of the unzipped installation media. Open the file with a text editor and update the installation variables to match your environment:
HOST_CONTROL_PANEL=localhost # Required: IP address/hostname/FQDN of the machine on which the "imaging-services" component is installed. You can use localhost if MCP Server is installed on the same machine as the "imaging-services" component.
PORT_CONTROL_PANEL=8098 # Default port on which the CAST Imaging Control Panel service (part of the "imaging-services" component) is running - unless you have changed this during the CAST Imaging installation, leave it as is
MCP_SERVER_PORT=8283 # Default listening port for MCP Server
SERVICE_NAME="GatekeeperMCPServer" # Default service name for MCP Server
SERVICE_HOST="" # Required: IP address/hostname/FQDN of the machine on which the MCP Server will be installed (i.e. the current machine). Do not set as "localhost".
CONTROL_PANEL_SSL_ENABLED=false # When set to true, allows communication with a CAST Imaging instance which is configured to use HTTPS.
Step 4 - Run the installation
Run the following commands:
$ chmod +x run.sh # makes the installation script executable
$ ./run.sh
Verify the installation by checking Docker containers (you should see one Docker container hosting the MCP Server):
$ docker ps
Verify the health endpoint of the MCP Server:
$ curl http://<mcp-server>:8283/mcp/healthcheck
Expected response:
{
"status": "healthy",
"service": "mcp-server",
"details": {
"dashboard_client": "available",
"dashboard_api": "configured"
}
}
Check logs if needed:
$ docker logs <container-name>
Step 5 - Configure your MCP-aware client
VS Code with GitHub Copilot
Create .vscode/mcp.json in your project root and update to match your environment:
{
"inputs": [
{
"id": "dashboard-key",
"type": "promptString",
"description": "CAST Dashboard API Key"
}
],
"servers": {
"dashboard": {
"type": "http",
"url": "http[s]://<fqdn-or-IP-address-imaging-services-machine:[port]>/mcp/gatekeeper",
"headers": {
"x-api-key": "${input:dashboard-key}"
}
}
}
}
VS Code will prompt for the API key when you first use the MCP server. Credentials are stored securely in VS Code’s secret storage.
Claude Desktop
Edit %APPDATA%\Claude\claude_desktop_config.json and update to match your environment:
{
"mcpServers": {
"dashboard": {
"url": "http[s]://<fqdn-or-IP-address-imaging-services-machine:[port]>/mcp/gatekeeper",
"headers": {
"x-api-key": "your-api-key"
}
}
}
}
Cursor
Start the MCP Server first, then create .cursor/mcp.json and update to match your environment:
{
"mcpServers": {
"dashboard": {
"type": "http",
"url": "http[s]://<fqdn-or-IP-address-imaging-services-machine:[port]>/mcp/gatekeeper",
"headers": {
"x-api-key": "your-api-key"
}
}
}
}
Cursor uses HTTP transport only - the MCP server must be running before you start Cursor.
Step 6 - Test your MCP-aware client
- Launch your MCP-aware client
- Enter your CAST Imaging API key when prompted
- Run a test query, for example:
What applications are available?
or:
Show me the compliance status for MyApp
How many days of technical debt does MyApp have?
List the top 10 security violations for MyApp
If successful (see below), you’re ready to use your MCP Client with your MCP Server.
Success indicators
✅ Connection successful if you receive:
- Valid application listings
- Compliance or quality metrics
- Violation details
❌ Check configuration if you see:
- Connection errors
- Authentication failures
- Empty application lists
Example prompts
Prompts are pre-configured workflow templates. They instruct the AI agent which tools to call, in what order, and how to format the output. Unlike tools, prompts do not call the API directly - they return instructional messages that guide the AI.
| Prompt Name | Parameters | What it does |
|---|---|---|
assess_iso5055_compliance |
application_name |
Full ISO-5055 compliance assessment: fetch ISO-5055 compliance status, retrieve critical violations, produce executive summary with criteria breakdown and remediation priority list |
identify_security_violations |
application_name, snapshot? |
Security violation scan (criterion 60016): retrieve all security violations, separate critical violations, rank by propagation risk, produce remediation recommendations with file paths |
calculate_technical_debt |
application_name, snapshot? |
Technical debt assessment: fetch debt metrics across all health factors, break down by criterion, fetch top-criterion violations, build sprint-based remediation roadmap |
analyze_quality_trends |
application_name, snapshots? |
Quality trend analysis: fetch compliance for multiple snapshots, compute violation deltas per criterion, classify as Improving / Stable / Degrading / Regressing, highlight regressions with added violations |
get_violations_guided |
application_name, snapshot? |
Guided violations workflow: fetch available business criteria, ask user all 8 filter parameters at once, call get_violations with collected inputs, display paginated results in a table |
Example natural-language queries
Assess ISO-5055 compliance for MyApp
Identify security violations in MyApp snapshot 6
Calculate technical debt for MyApp
Show quality trends for MyApp across the last 3 snapshots
List violations for MyApp — guide me through the filters
Available tools
Tools are functions the AI agent can call directly. Each tool maps to one or more Dashboard REST API call.
get_compliance_status
Get compliance status - quality indicators, violation counts, and health factors for an application.
| Parameter | Type | Required | Description |
|---|---|---|---|
application_name |
string | Yes | Exact application name in Dashboard |
quality_indicators |
string | No | Comma-separated criterion IDs e.g. "60016,60013". Omit for all criteria. |
snapshot |
string | No | See Snapshot Syntax below. Default = latest. |
technologies |
string | No | e.g. "JEE,HTML5" or "$all" |
include_technical_criteria |
boolean | No | Set true to drill into individual criteria |
Example natural-language queries:
- “Show me the compliance status for MyApp”
- “Compare security violations between snapshot 5 and 6 for MyApp”
- “Get quality indicators for MyApp filtered by JEE technology”
get_technical_debt
Get technical debt metrics — remediation effort in minutes and equivalent 8-hour work days.
| Parameter | Type | Required | Description |
|---|---|---|---|
application_name |
string | Yes | Application name |
snapshot |
string | No | Snapshot selector |
quality_indicators |
string | No | Criterion ID to drill into (e.g. "60016") |
include_technical_criteria |
boolean | No | Return technical criteria debt breakdown |
technologies |
string | No | Technology filter |
Example natural-language queries:
- “How many days of technical debt does MyApp have?”
- “Show technical debt breakdown by health factor for MyApp”
- “What is the security-related debt for MyApp in the last 3 months?”
get_violations
Get detailed violations with file paths, line numbers, rule details, and remedial actions. Supports pagination.
| Parameter | Type | Required | Description |
|---|---|---|---|
application_name |
string | Yes | Application name |
snapshot |
string | No | Snapshot selector |
business_criterion |
string | No | Criterion ID or name (e.g. "60016" or "Security"). Default: Total Quality Index (60017). |
rule_pattern |
string | No | "ISO-5055", "CISQ", a rule ID, or "none" to skip |
status |
string | No | "added", "updated", "unchanged", or "none" (all) |
technologies |
string | No | Technology filter |
nb_rows |
int / string | No | Violations per page: 10–1000 or "$all" |
start_row |
int | No | Pagination offset. Default: 1 |
include_findings |
boolean | No | Fetch source code locations and rule details (slower — triggers extra API calls) |
object_fullname |
string | No | Filter to a specific component by full name (e.g. “com.myapp.MyClass”). Supports substring match. |
Example natural-language queries:
- “List the top 50 security violations added in the latest snapshot of MyApp”
- “Show me ISO-5055 violations for MyApp with source code locations”
- “Get all unchanged Robustness violations for MyApp in JEE technology”
Snapshot Syntax Reference
All tools that accept a snapshot parameter support the same flexible syntax:
| Input | Meaning |
|---|---|
(omitted) / "latest" |
Most recent snapshot |
"6" |
Snapshot number 6 |
"5,6" |
Compare snapshots 5 and 6 in one call |
Troubleshooting
Common checks:
- Check the container is running:
docker ps
- Verify port availability:
netstat -tlnp | grep 8283
- Check logs:
docker logs <container-name>
# or
tail -f /app/logs/mcp_dashboard.log
- Test connectivity to the API:
curl -H "x-api-key: <your-imaging-api-key>" http://<your_imaging_public_URL>:8090/dashboards/rest/server
- If you see
"DashboardClient cannot be initialized", the Control Panel is likely using HTTPS - setCONTROL_PANEL_SSL_ENABLED=trueinconfig/app.config.
Update process
To update to a new release of CAST Gatekeeper MCP Server:
- Download the installation media for the target release
- Unzip the installation media
- Update the
config/app.configfile to set theSERVICE_HOSTparameter to the IP address, hostname, or FQDN of the machine where MCP Server is installed (the current machine). Important: do not set this as “localhost” - Run the following commands:
$ docker ps
$ docker stop <container-name>
- Restart using the run script from the new installer location:
$ chmod +x run.sh # makes the installation script executable
$ ./run.sh
What does the update do?
This process preserves your existing configuration and data while updating the Docker image and scripts, i.e. the following will occur:
- Stop the existing containers from the old installation location.
- Update the
docker-compose.ymlin the old installation location with the new Docker image. - Migrate configuration parameters, preserving your existing settings and adding new ones.
- Restart the MCP Server service.
Uninstall process
Stop and remove the containers:
$ cd /path/to/installer-folder
$ docker-compose down
Optionally remove associated Docker images:
$ docker image ls | grep GateKeeper-mcp
$ docker rmi <image-id> # only if you are sure
$ docker volume ls | grep Dashboard-mcp
$ docker volume rm <volume-name> # only if you are sure
Then delete the installer directory:
$ rm -rf /path/to/installer-folder