Client plugin config

How to register the Sonar MCP server with an MCP client (Claude Desktop, Claude Code, or any MCP-capable agent).

Connect over HTTPS with the secret token as a bearer header:

```json
{
  "mcpServers": {
    "sonar": {
      "url": "https://mcp.astrixion.ai/mcp",
      "headers": { "Authorization": "Bearer <YOUR_MCP_AUTH_TOKEN>" }
    }
  }
}
```

This gives the agent the pentest surface (read + scan). See Setup.

Local (stdio)

For a co-located agent, launch the server as a subprocess. A server launched this way defaults to the admin profile.

```json
{
  "mcpServers": {
    "sonar": {
      "command": "node",
      "args": ["/absolute/path/to/apps/mcp-server/dist/index.js"],
      "env": {
        "BBM_BASE_URL": "http://localhost:3001",
        "BBM_USERNAME": "admin",
        "BBM_PASSWORD": "<password>"
      }
    }
  }
}
```

To restrict a local agent, set "BBM_MCP_PROFILE": "pentest" (or "readonly") in env.
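A pre-deployment check for the two config shapes on this page, as an added example that is not part of the Sonar documentation: it flags a stdio entry with no `BBM_MCP_PROFILE` (which runs as admin by default) and a remote entry that is not HTTPS or whose bearer token is still a placeholder. The function name `auditMcpConfig`, the finding wording and the sample configs are constructed for illustration.

```javascript
// Profiles the page names as restrictions for a local (stdio) server.
const RESTRICTED_PROFILES = new Set(["pentest", "readonly"]);

// Hypothetical helper: returns { server, issue } findings for one client config.
function auditMcpConfig(config) {
  const findings = [];
  const add = (server, issue) => findings.push({ server, issue });
  for (const [name, entry] of Object.entries(config.mcpServers ?? {})) {
    if (typeof entry.command === "string") {
      // stdio launch: with no BBM_MCP_PROFILE the server uses the admin profile.
      const profile = (entry.env ?? {}).BBM_MCP_PROFILE;
      if (profile === undefined) {
        add(name, "stdio server has no BBM_MCP_PROFILE (defaults to admin)");
      } else if (!RESTRICTED_PROFILES.has(profile)) {
        add(name, `BBM_MCP_PROFILE "${profile}" is not pentest or readonly`);
      }
    } else if (typeof entry.url === "string") {
      // Remote entry: the bearer token should only ever travel over HTTPS.
      if (!entry.url.startsWith("https://")) add(name, "remote url is not https");
      const auth = (entry.headers ?? {}).Authorization ?? "";
      // Rejects a missing header and an unfilled <PLACEHOLDER> value.
      if (!/^Bearer [^\s<>]+$/.test(auth)) {
        add(name, "Authorization is not a filled-in Bearer token");
      }
    } else {
      add(name, "entry has neither command nor url");
    }
  }
  return findings;
}

// Constructed sample configs (not from a real deployment).
const localEnv = { BBM_BASE_URL: "http://localhost:3001", BBM_USERNAME: "admin", BBM_PASSWORD: "example-password" };
const localEntry = (env) => ({
  mcpServers: { sonar: { command: "node", args: ["/absolute/path/to/apps/mcp-server/dist/index.js"], env } },
});
const SAMPLE_UNRESTRICTED = localEntry(localEnv);
const SAMPLE_RESTRICTED = localEntry({ ...localEnv, BBM_MCP_PROFILE: "readonly" });
const SAMPLE_REMOTE_PLACEHOLDER = {
  mcpServers: {
    sonar: { url: "https://mcp.astrixion.ai/mcp", headers: { Authorization: "Bearer <YOUR_MCP_AUTH_TOKEN>" } },
  },
};

for (const cfg of [SAMPLE_UNRESTRICTED, SAMPLE_RESTRICTED, SAMPLE_REMOTE_PLACEHOLDER]) {
  console.log(JSON.stringify(auditMcpConfig(cfg)));
}
```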

Next

Pair the tools with the agent skills so the agent knows how to recon a target and drive a scan, not just which tools exist.