The Model Context Protocol (MCP) lets an AI assistant call real tools instead of hallucinating answers. When you connect the Safeguard MCP server to Claude Desktop, Claude stops guessing about CVEs — it actually queries Safeguard's advisory feed, scans your local project, and reads your SBOMs. This walkthrough covers installation, configuration, and the first few workflows that make it worth the setup.
Why Connect Safeguard to Claude Desktop?
Because Claude on its own is a very good reasoner with an out-of-date security database. When you paste a package.json and ask "is anything vulnerable?", Claude is pattern-matching against training data, which is months behind. The Safeguard MCP server gives Claude a live scan_project, lookup_advisory, get_sbom, and suggest_fix set of tools, so answers are grounded in current advisory data and your actual lockfile — not an approximate memory of one.
Step 1: Install the Safeguard CLI
The MCP server ships as a subcommand of the CLI. If you haven't installed it yet:
curl -sSfL https://get.safeguard.sh/install.sh | sh -s -- --version v2.4.0
sg version
Then log in with a user token (MCP on a developer laptop is a personal context — use your user identity, not a project token):
sg login
Step 2: Test the MCP Server Locally
Before wiring it to Claude, verify the MCP server runs:
sg mcp serve --stdio --test
You should see a list of tools advertised: sg.scan, sg.sbom.get, sg.advisory.lookup, sg.fix.suggest, sg.ignore.list, and sg.policy.evaluate. Hit Ctrl-C to stop. If the test fails, run sg doctor to check auth and connectivity.
Step 3: Configure Claude Desktop
Claude Desktop reads MCP servers from a JSON file. The path depends on OS:
- macOS:
~/Library/Application Support/Claude/claude_desktop_config.json - Windows:
%APPDATA%\Claude\claude_desktop_config.json - Linux:
~/.config/Claude/claude_desktop_config.json
Add the Safeguard entry:
{
"mcpServers": {
"safeguard": {
"command": "sg",
"args": ["mcp", "serve", "--stdio"],
"env": {
"SAFEGUARD_TOKEN": "sgp_user_...",
"SG_MCP_PROJECT_ROOT": "/Users/shadab/work"
}
}
}
}
SG_MCP_PROJECT_ROOT is the only directory the MCP server will read from. Everything outside it is denied, which keeps Claude from accidentally scanning your ~/.ssh or an unrelated client project sitting in another folder. Set it to whatever top-level directory you actually work in.
Step 4: Restart Claude Desktop
Fully quit Claude Desktop and reopen it. You'll see a small plug icon in the message composer. Click it — Safeguard should appear with a green dot and the list of tools. If it's red, click View Logs from the same menu and look for token or path errors. The most common mistake is a typo in the config JSON, since Claude Desktop silently skips invalid entries.
Step 5: Run Your First Grounded Prompt
In a new chat, try:
I have a Node project at
work/checkout-service. Run a Safeguard scan and tell me the top three issues sorted by exploitability, with remediation commands.
Claude will call sg.scan with the path, parse the findings, and return a grounded answer. It won't invent CVE numbers because the tool output is the source of truth. If it tries to guess anyway, you've misconfigured the tool — check that Claude accepted the tool call in the UI.
Step 6: Work With SBOMs Conversationally
Ask Claude to compare two SBOMs:
Compare the SBOM for
checkout-service@mainagainstcheckout-service@feat/payments. What new components does the feature branch introduce, and which of them have open advisories?
Under the hood, Claude calls sg.sbom.get twice and sg.advisory.lookup for each new component. You get a prose answer backed by real data, which is the right division of labor — the model handles the narrative, the tool handles the facts.
What Tools Does the MCP Server Expose?
Six primary tools, each scoped to read-only operations on the developer's own projects by default:
sg.scan— run a scan over a path, returns structured findingssg.sbom.get— fetch the CycloneDX SBOM for a project path or commit hashsg.advisory.lookup— look up a CVE or GHSA by ID, returns full advisory datasg.fix.suggest— propose a remediation for a specific findingsg.ignore.list— enumerate active ignore rules (to explain why a finding isn't flagged)sg.policy.evaluate— test a proposed dependency change against your policy
Write operations like "apply this fix" are off by default. Enable them with SG_MCP_ALLOW_WRITE=true only if you trust the model to edit your lockfile — personally I leave them disabled and apply fixes manually after reviewing the diff.
How Do I Limit What Claude Can See?
Three mechanisms, all stackable. First, SG_MCP_PROJECT_ROOT restricts the filesystem. Second, token scope — a user token is limited to projects you can access in the portal, and you can create a narrower token just for MCP via Account → Tokens → New MCP Token. Third, per-directory allowlists:
{
"mcpServers": {
"safeguard": {
"command": "sg",
"args": [
"mcp", "serve", "--stdio",
"--allow-path", "/Users/shadab/work/checkout-service",
"--allow-path", "/Users/shadab/work/payment-service",
"--deny-path", "/Users/shadab/work/client-confidential"
]
}
}
}
Deny rules take precedence. The MCP server rejects any tool call that touches a denied path with a clear error Claude will faithfully report back to you.
How Do I See What Claude Actually Asked the Server?
Tool calls are visible in Claude Desktop's UI (expand the tool call block in the transcript), but for debugging or audit you want the server log:
export SG_MCP_LOG=/tmp/safeguard-mcp.log
export SG_LOG=debug
Then tail /tmp/safeguard-mcp.log in a separate terminal. Every inbound tool call is logged with timestamp, arguments, and result size. For security-sensitive organizations, point SG_MCP_LOG at a log directory with appropriate rotation and retention.
How Do I Use MCP for PR Review?
Drop the diff into Claude and ask for a dependency-focused review:
Here's a PR diff. Call Safeguard to evaluate the dependency changes against our policy, and flag anything that would block CI. Use
sg.policy.evaluate.
Claude parses added/removed packages from the diff, calls sg.policy.evaluate with the proposed state, and returns a structured review. This is great for pre-review sanity checks — you can catch a risky eval-heavy npm package before a human reviewer even sees the PR.
How Do I Avoid Hitting Rate Limits?
Conversations that involve many lookups can burn through token quotas quickly. Enable the local advisory cache:
sg config set cache.local ~/.safeguard/cache
sg config set cache.ttl 900
The MCP server honors the cache transparently, so repeated sg.advisory.lookup calls for the same CVE during one session are essentially free. The default 15-minute TTL is short enough to catch advisory updates within a work session.
How Safeguard.sh Helps
Claude Desktop with Safeguard MCP turns "ask the AI about security" from a trust fall into a grounded workflow. Every answer Claude gives about your dependencies is backed by a tool call you can audit. You get the fluency of a capable model and the accuracy of a dedicated supply-chain scanner in the same conversation. Because the MCP server reuses the same CLI logic, the IDE extension, CI pipeline, and Claude all agree on what your risk looks like — no divergent tooling drift. If you live in Claude Desktop for reasoning and planning, adding Safeguard MCP is the highest-leverage ten-minute configuration you can do this week.