MCP Servers & AI Tooling¶

TL;DR — Standard dev setup uses 5 MCP servers (Atlassian Rovo, Jenkins, Slack, cerebro, Playwright) plus direct CLIs for AWS, kubectl, Confluent. DevOps does not yet use AI; several devs do (Claude Code, Cursor). Internal Cortex app + cerebro-knowledge repo are active initiatives.

Overview¶

AI tooling at Securitize centers on Claude Code for developers, augmented by MCP servers that expose Bitbucket, Jira/Confluence, Jenkins, and internal services. For infrastructure, CLIs (AWS CLI, kubectl, Confluent CLI) are called directly — no dedicated MCP because the CLI output is equivalent or superior.

MCP Servers (standard setup)¶

MCP Server	Type	What it covers	Audience	Priority
Atlassian Rovo	Claude Code MCP (HTTP, OAuth + API token)	Jira (issues, transitions) + Confluence (pages, search) + Compass via OAuth; Bitbucket Cloud (repos, PRs, pipelines, code review) + agents via a second entry with API token. Two-entry split is a stopgap until Atlassian unifies under OAuth.	All devs	Required
Jenkins	Claude Code MCP	Jobs, builds, logs, deploy status	All devs + DevOps	Required
Slack	claude.ai connector	Messages, channels, alerts	All devs	Recommended
cerebro	Claude Code MCP	Internal coding standards, service catalog, API contracts	All devs	Required
Playwright	Claude Code MCP	Browser automation, E2E testing	QAs, frontend devs	Recommended

claude.ai connector: installed via Claude Code's cloud connector marketplace. Works in Claude Code, Claude Desktop, and claude.ai.

Claude Code MCP: requires the Claude Code CLI. Configured in project or user .mcp.json.

Atlassian Rovo MCP¶

The official Atlassian Rovo MCP server is one URL — https://mcp.atlassian.com/v1/mcp/authv2 — that fronts Jira, Confluence, Bitbucket Cloud, and Compass. At the time of writing it accepts two auth methods, each exposing a different subset:

Auth method	Tools exposed	When to use
OAuth 2.1 (interactive)	Jira + Confluence + Compass	Most things
API token (Basic auth)	Bitbucket Cloud, agents, pipelines	Anything Bitbucket

Both subsets are required, so the same URL is registered twice in Claude Code with different auth modes — at user scope, so the entries follow the developer across every project:

atlassian — OAuth → Jira + Confluence + Compass
atlassian-bitbucket — API token → Bitbucket Cloud

The two-entry split is a stopgap. When Atlassian moves Bitbucket Cloud onto the OAuth scope set on Rovo, the API-token entry can be removed and the single OAuth entry will cover all three products.

Prerequisites

The Atlassian org admin has enabled "Allow API token authentication" in Atlassian Admin → Security → Atlassian Rovo MCP server → Authentication. For Securitize this is already on.
Claude Code CLI (not just claude.ai web).
Bitbucket workspace linked to the Atlassian org (the case for securitize_dev).

OAuth entry — Jira + Confluence:

claude mcp add atlassian --scope user --transport http \
  https://mcp.atlassian.com/v1/mcp/authv2

The first tool call from this entry inside a Claude Code session opens the browser for OAuth login; approve once and the token persists across sessions.

API-token entry — Bitbucket:

Create a scoped Atlassian API token at id.atlassian.com → Security → API tokens → Create API token with scopes. App: Bitbucket Cloud. Minimum scopes: read:repository:bitbucket, read:pullrequest:bitbucket, read:pipeline:bitbucket. Add write:pipeline:bitbucket to allow re-running pipelines. Atlassian shows the token only once; copy it. Tokens start with ATATT....
Build the base64 credential. Use printf (not echo) to avoid a trailing newline that would corrupt the header:

AUTH=$(printf 'your.atlassian.email@securitize.io:ATATTyour-token-here' | base64)

Register the MCP via direct HTTP transport — mcp-remote stdio bridge mangles the Authorization header at user scope. Run in the same shell where AUTH was set:

node -e '
const fs = require("fs");
const file = `${process.env.HOME}/.claude.json`;
const conf = JSON.parse(fs.readFileSync(file, "utf8"));
conf.mcpServers = conf.mcpServers || {};
conf.mcpServers["atlassian-bitbucket"] = {
  type: "http",
  url: "https://mcp.atlassian.com/v1/mcp/authv2",
  headers: { Authorization: "Basic " + process.env.AUTH },
};
fs.writeFileSync(file, JSON.stringify(conf, null, 2));
console.log("Registered atlassian-bitbucket at user scope.");
'

Restart Claude Code afterwards.

API token is per-product

Atlassian API tokens are scoped to a single product. Jira/Confluence access stays on the OAuth atlassian entry — do not try to combine them in one token. Legacy unscoped tokens authenticate with full Jira + Confluence permissions and no Bitbucket, which is a larger blast radius than needed; stick with scoped tokens.

Verify:

claude mcp list

Both entries should report ✓ Connected. Inside a Claude Code session, /mcp shows the same status. The first-call OAuth prompt is normal for atlassian; atlassian-bitbucket should never prompt.

Rotate the Bitbucket token:

# Generate a fresh AUTH (steps 1 and 2 above), then:
node -e '
const fs = require("fs");
const file = `${process.env.HOME}/.claude.json`;
const conf = JSON.parse(fs.readFileSync(file, "utf8"));
conf.mcpServers["atlassian-bitbucket"].headers.Authorization = "Basic " + process.env.AUTH;
fs.writeFileSync(file, JSON.stringify(conf, null, 2));
console.log("Token rotated.");
'

Revoke the old token at id.atlassian.com → API tokens → Revoke.

Remove both entries:

claude mcp remove atlassian
claude mcp remove atlassian-bitbucket

Then revoke the API token at id.atlassian.com.

Troubleshooting:

Symptom	Cause	Fix
`atlassian-bitbucket` shows "Failed to connect"	Registered via `mcp-remote` stdio bridge instead of direct HTTP	Inspect with `node -e 'console.log(JSON.parse(require("fs").readFileSync(process.env.HOME + "/.claude.json")).mcpServers["atlassian-bitbucket"]?.type)'`. If `stdio`, re-register using the direct-HTTP snippet above.
401 from `atlassian-bitbucket`	Token expired or revoked, wrong email in the `email:token` pair (use the Atlassian login email, not a Bitbucket-only username), or `echo` was used instead of `printf` in step 2 (trailing newline corrupts the header).	Regenerate the token and re-run step 2 with `printf`.
Entry appears in `claude mcp list` under a project, not user	Registered without `--scope user`; default is local (project-scoped)	`claude mcp remove <entry>` and re-add with `--scope user`.
`--header "Authorization: Basic …"` got mangled in storage	Claude Code's stdio command parser splits the header at whitespace	Use the direct HTTP transport from step 3, which stores the header as a single JSON value.

Migrating from the community bitbucket-mcp:

If you previously installed the community bitbucket-mcp package (an older entry that fronted Bitbucket via npx -y bitbucket-mcp@latest + Basic auth), remove it after both Rovo entries above are verified:

claude mcp remove bitbucket

Then revoke the API token used by that entry at id.atlassian.com if it was scoped only to that package and is no longer needed.

Jenkins — `mcp-jenkins`¶

The MCP ships as a binary (install via Homebrew or equivalent — /opt/homebrew/bin/mcp-jenkins in a typical install).

Add to .mcp.json:

{
  "mcpServers": {
    "jenkins": {
      "command": "/opt/homebrew/bin/mcp-jenkins",
      "args": [
        "--jenkins-url", "https://jenkins-ops.rc.securitize.io",
        "--jenkins-username", "<your-jenkins-username>",
        "--jenkins-password", "<your-jenkins-api-token>"
      ]
    }
  }
}

Use a Jenkins API token, not your SSO password

Generate an API token from your Jenkins user profile (top-right menu → Configure → API Token). The --jenkins-password flag accepts either, but the API token is the safer choice.

cerebro — `@securitize/cerebro-mcp`¶

The cerebro MCP serves the internal cerebro-knowledge Bitbucket repo (skills, workflows, wiki, service catalog). The full config block, env-var table, source-repo link, and the branch-override mechanism for testing PRs locally live on the dedicated page: cerebro-knowledge repo.

CLIs used directly (no MCP needed)¶

Claude Code executes these CLIs directly via Bash. A dedicated MCP would be redundant — the CLI output is equivalent or superior.

CLI	What it covers	Install
AWS CLI	EKS, ECR, CloudWatch, RDS, S3, Parameter Store	Required for all devs (already installed)
kubectl	Pods, deployments, logs, rollouts, configmaps, secrets	Uses local kubeconfig
Confluent CLI	Topics, connectors, clusters, consumer groups	`brew install confluentinc/tap/cli` then `confluent login`

Why CLIs instead of MCP servers for infra¶

For AWS, Kubernetes, and Confluent, Claude Code already executes the CLIs directly via Bash — a dedicated MCP server would be redundant. Infrastructure MCP servers are useful in tools without terminal access (Claude Desktop, Cursor), but in Claude Code the CLI is equivalent.

Current AI adoption¶

Development¶

Claude Code and Cursor are in use across the development teams.
AI tools are not currently part of the DevOps team workflow.
AI is not integrated into CI/CD pipelines.

Initiatives in progress¶

cerebro-knowledge repo — Bitbucket repo served via the cerebro MCP. Centralizes the company's coding standards, operational playbooks, service catalog, and technical wiki in one content store. Full details on cerebro-knowledge repo.

Remote MCP — Accesses the cerebro-knowledge repo to serve content to all devs. In development.

Cortex (internal app) - Frontend + Backend app. - Connects to Confluence and Bitbucket with user credentials. - Chat interface with MCPs to review documents, repos, and generate interconnection diagrams. - Runs on a single Kubernetes pod. - Used by devs, QAs, and product members. - Connected to Logz.io for bug detection. - No dedicated maintainer currently assigned.

Per-repo AI instructions: AGENTS.md + CLAUDE.md pointer¶

Securitize repos that ship AI-readable instructions follow the open AGENTS.md convention so a single file works for any agent (Claude Code, Codex, Cline, Aider, Cursor's repo-rules):

AGENTS.md is the canonical project-instructions file at the repo root — single source of truth for stack, build/test commands, conventions, PR rules, etc.
CLAUDE.md is a one-line @AGENTS.md pointer. Claude Code resolves @<file> references and auto-loads the target, so Claude-specific behavior is preserved without duplicating content.

When creating or migrating a repo¶

Put project instructions in AGENTS.md at the repo root.
Add a CLAUDE.md containing exactly:
```
@AGENTS.md
```
If renaming an existing CLAUDE.md, use git mv CLAUDE.md AGENTS.md so file history follows the rename, then create a new CLAUDE.md with the pointer.

Tags¶

mcp #ai #tooling #claude-code #cli #cortex #cerebro #cerebro-knowledge¶