A Docker image that provides access to HackerOne's GraphQL API through the Model Context Protocol (MCP).
Supported MCP transport types: Currently only stdio transport is supported. Please file an issue if you require other transports.
Multi-Architecture Support: This image supports both Intel/AMD (amd64) and Apple Silicon (arm64) architectures.
Built on Apollo MCP Server: This project is a thin wrapper around the upstream Apollo MCP Server, which exposes GraphQL operations as MCP tools.
- Run with an MCP client:
```bash
docker run -i --rm \
  -e ENDPOINT="https://hackerone.com/graphql" \
  -e TOKEN="<your_base64_encoded_token>" \
  -e MUTATION_MODE="none" \
  hackertwo/hackerone-graphql-mcp-server:1.0.6
```
- `latest`: Latest stable release (only updated on version releases)
- `dev-main`: Development builds from main branch
- `1.x.x`: Specific version releases
- `pr-<ref>`: Pull request builds
| Variable | Description | Default |
|---|---|---|
| `ENDPOINT` | GraphQL endpoint URL | `https://hackerone.com/graphql` |
| `TOKEN` | Base64 encoded API token in format: `base64(username:api_key)` | - |
| `MUTATION_MODE` | Controls which mutations are allowed:<br>• `none`: No mutations allowed<br>• `explicit`: Only explicitly defined mutations allowed<br>• `all`: All mutations allowed | `none` |
| `DISABLE_TYPE_DESCRIPTION` | If set to `true`, tools will have no type descriptions (e.g. "The returned value has type ...") | `false` |
| `DISABLE_SCHEMA_DESCRIPTION` | If set to `true`, tools will have no schema description | `false` |
- Visit https://hackerone.com/settings/api_token/edit to generate an API key
- Run the token generation script:

```bash
./scripts/generate_token.sh
```

  This will prompt for your username and API key, then automatically encode and copy the token to your clipboard.
- Use the resulting string as your TOKEN value
- Visit https://hackerone.com/settings/api_token/edit to generate an API key
- Encode as:

```bash
echo -n "username:api_key" | base64
```
- Use the resulting string as your TOKEN value
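
The token format and `docker run` invocation above, as an added example in POSIX shell (not the project's `scripts/generate_token.sh`; all function names are hypothetical). It builds the token without putting the API key in shell history, rejects a malformed token before launch, and passes `TOKEN` to Docker by name so the value stays off the command line.

```bash
#!/bin/sh
# Added example, not the project's scripts/generate_token.sh; function names are hypothetical.

# Encode username:api_key as one unwrapped base64 line. printf adds no trailing
# newline; tr removes the line wraps GNU base64 inserts every 76 characters.
make_token() {
  printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Prompt for the credentials so the API key never lands in shell history.
prompt_token() {
  printf 'HackerOne username: ' >&2; read -r h1_user
  printf 'API key (hidden): ' >&2
  stty -echo; read -r h1_key; stty echo; printf '\n' >&2
  make_token "$h1_user" "$h1_key"
}

# Accept only a token that decodes to "<username>:<api_key>" and re-encodes to
# itself; the round trip rejects wrapped tokens and an encoded trailing newline.
check_token() {
  decoded=$(printf '%s' "$1" | base64 -d 2>/dev/null) || return 1
  case "$decoded" in ?*:?*) ;; *) return 1 ;; esac
  [ "$(printf '%s' "$decoded" | base64 | tr -d '\n')" = "$1" ]
}

# Print the docker arguments, one per line. "-e TOKEN" without a value makes
# docker copy TOKEN from the caller's environment, keeping it out of `ps` output.
docker_args() {
  case "$1" in none|explicit|all) ;; *) return 2 ;; esac
  printf '%s\n' run -i --rm \
    -e ENDPOINT=https://hackerone.com/graphql \
    -e TOKEN \
    -e "MUTATION_MODE=$1" \
    hackertwo/hackerone-graphql-mcp-server:1.0.6
}

# Validate the environment, then start the server on stdio for an MCP client.
run_server() {
  check_token "${TOKEN:-}" || { echo 'TOKEN is not base64(username:api_key)' >&2; return 1; }
  docker_args "${MUTATION_MODE:-none}" >/dev/null || { echo 'bad MUTATION_MODE' >&2; return 2; }
  export TOKEN
  # The arguments contain no spaces or globs, so unquoted expansion splits them safely.
  exec docker $(docker_args "${MUTATION_MODE:-none}")
}
```

The value is still readable through `docker inspect` by anyone with access to the Docker daemon while the container runs.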
- Go to an Agent node
- Go to tools
- Select custom MCP
- Put the following in the MCP parameters:
```json
{
  "command": "/usr/local/bin/docker",
  "args": [
    "run",
    "-i",
    "--rm",
    "-e",
    "ENDPOINT=https://hackerone.com/graphql",
    "-e",
    "TOKEN=<your_base64_encoded_token>",
    "-e",
    "MUTATION_MODE=none",
    "hackertwo/hackerone-graphql-mcp-server:1.0.6"
  ]
}
```
```json
{
  "context_servers": {
    "hackerone-graphql-mcp-server": {
      "source": "custom",
      "command": "/usr/local/bin/docker",
      "args": [
        "run",
        "-i",
        "--rm",
        "-e",
        "ENDPOINT=https://hackerone.com/graphql",
        "-e",
        "TOKEN=<your_base64_encoded_token>",
        "-e",
        "MUTATION_MODE=none",
        "hackertwo/hackerone-graphql-mcp-server:1.0.6"
      ]
    }
  }
}
```
- The Docker container is designed to be piped into an MCP-compatible client
- Running the container directly will result in an error as it expects an MCP client connection
- The `-i` flag is required to maintain standard input for the stdio transport
- The `schema.graphql` in this repository may become outdated over time; you can download the latest one from HackerOne at https://hackerone.com/schema.graphql
- HackerOne-specific behavior, configuration, token handling, schema quirks, mutation allow-listing, etc.: open an issue in this repository.
- Generic MCP behavior, transports, protocol details, or GraphQL tool exposure mechanics: consider checking/filing upstream in apollographql/apollo-mcp-server.
This project depends on Apollo MCP Server, which is licensed under the MIT License.
Your use of this image includes use of Apollo MCP Server under its license; please review the upstream LICENSE.