Nikto MCP

A secure MCP server that enables AI agents to interact with the Nikto web server scanner (use with npx or docker).

Stars: 3
Forks: 0
Releases: 0

Overview

An MCP server written in TypeScript that acts as a bridge between AI agents and the Nikto web server scanner. The project is fully typed, production-ready, and offers multiple output formats: JSON for machine consumption and a rich CLI for human readability. It can optionally expose a REST API for remote scan management, status checks, and result retrieval. Deployment supports local execution and Docker-based isolation, with sandboxed execution, configurable timeouts, and minimal privileges to improve security. The server relies on environment variables (NIKTO_MODE, NIKTO_DOCKER_IMAGE, NIKTO_DOCKER_NETWORK, NIKTO_BINARY, LOG_LEVEL, etc.) and can automatically generate unique JSON output filenames per scan to avoid collisions. Prerequisites include Node.js 20+, a Nikto binary accessible in PATH, and an MCP client such as VS Code MCP Inspector, Cursor, Windsurf, Claude, Goose, or others. Quick Start shows running via MCP Inspector, and configuration examples cover common MCP clients. Security features include input validation, target/port/hostname validation, sandboxing, and safe defaults to prevent command injection and support concurrent scans.

Details

Owner: weldpua2008
Language: TypeScript
License:
Updated: 2025-12-07

Features

100% TypeScript

Fully typed, production-ready MCP server implementation for reliability and maintainability.

Multiple output formats

Supports JSON machine-readable output and a rich CLI for human-friendly results.

Optional REST API

Provides a REST API for remote scan management, status checks, and results retrieval.

Secure by default

Sandboxed execution with configurable timeouts and minimal privileges to reduce risk.

Docker support

Dockerized for isolation with proper volume mounting and JSON output handling.

Audience

AI agents: Interact with Nikto scans via MCP for automated web security assessments.
Security teams: Coordinate and manage Nikto scans within MCP-enabled workflows.
MCP clients: VS Code, Cursor, Windsurf, Claude and others, to run Nikto scans through MCP.

Tags

TypeScript, Nikto, MCP, web security, REST API, Docker, CLI, sandboxed, JSON output, automation, AI agents