This server turns SARIF static analysis reports into a managed work queue for AI agents. It exposes a single tool with seven actions: load reports from tools like Semgrep or ESLint, pull the next batch of issues grouped by file, mark them as fixed or won't-fix, check progress, and export results. The batching solves a real problem where dumping 100+ issues into context overwhelms the agent, and the persistent state means your progress survives context compaction or session restarts. Reach for this when you're drowning in linter output and want the AI to systematically work through it file by file instead of losing its place halfway through.
Sheriff is an MCP server that helps AI agents efficiently fix static analysis issues from SARIF reports.
Documentation | Installation | Tool Reference
AI agents struggle with large static analysis reports:
Sheriff solves this by acting as a work queue manager:
Sheriff works with any tool that produces SARIF output:
| Tool | Language | SARIF Command |
|---|---|---|
| Qodana | Java/Kotlin/JS/Python | qodana scan |
| Semgrep | Multi-language | semgrep --sarif -o results.sarif |
| ESLint | JavaScript/TypeScript | eslint --format @microsoft/sarif |
| CodeQL | Multi-language | Built-in SARIF output |
| SpotBugs | Java | spotbugs -sarif |
| Bandit | Python | bandit -f sarif |
| Checkov | IaC | checkov -o sarif |
| Trivy | Container/IaC | trivy --format sarif |
| SonarQube | Multi-language | Built-in SARIF export |
Download sheriff-mcp-1.0.2-all.jar from Releases.
```bash
docker pull ghcr.io/ryansmith4/sheriff-mcp:latest
```
Clients that support the MCP Registry can install directly by name: io.github.ryansmith4/sheriff-mcp
See the Installation Guide for full details.
Add Sheriff to your MCP client (Claude Code, Cursor, ChatGPT Desktop, etc.):
```json
{
  "mcpServers": {
    "sheriff": {
      "command": "java",
      "args": ["-jar", "/path/to/sheriff-mcp-1.0.2-all.jar", "start"]
    }
  }
}
```
Or with Docker:
```json
{
  "mcpServers": {
    "sheriff": {
      "command": "docker",
      "args": ["run", "-i", "--rm", "-v", ".:/data", "ghcr.io/ryansmith4/sheriff-mcp:latest"]
    }
  }
}
```
See the Agent Setup Guide for client-specific instructions and recommended agent instructions.
1. Run static analysis → qodana scan
2. Load into Sheriff → sheriff load target="results.sarif"
3. Get next file's issues → sheriff next
4. Fix all issues in file → [edit the code]
5. Mark as done → sheriff done fps=[...] status="fixed"
6. Repeat 3-5 → until remaining = 0
Sheriff exposes a single sheriff tool with 7 actions: load, next, done, progress, summary, reopen, and export. See the Tool Reference for full documentation.
```text
User: "Fix all ConstantValue issues in my codebase"

Agent: sheriff load target="build/qodana/qodana.sarif.json"
  → 136 total issues, 22 ConstantValue, 15 unused...

Agent: sheriff next scope={rule: "ConstantValue"}
  → 3 issues in Service.java with code snippets

Agent: [reads Service.java, fixes all 3 issues]

Agent: sheriff done fps=["88d32cab35478753", "ab1c2d3e12345678", "f9e8d7c6a1b2c3d4"] status="fixed"
  → 3 marked fixed, 19 remaining

... continues until remaining = 0
```
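The queue mechanics behind that session (group SARIF results by file, hand out one file at a time, close issues by fingerprint, keep state that can be dumped to JSON and reloaded) as an added, self-contained Python sketch; this is not Sheriff's own code, the SARIF sample is constructed, and the fingerprint scheme is a hypothetical stand-in for whatever ids the real server assigns:

```python
import hashlib
import json
from collections import Counter, defaultdict

def _result(rule, uri, line, text):  # one SARIF 2.1.0 result object for the constructed sample below
    return {"ruleId": rule, "message": {"text": text}, "locations": [{"physicalLocation": {
        "artifactLocation": {"uri": uri}, "region": {"startLine": line}}}]}

# Constructed sample SARIF log (not real Qodana/Semgrep output): two files, two rules, three results.
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{"tool": {"driver": {"name": "demo"}}, "results": [
    _result("ConstantValue", "src/Service.java", 42, "Condition is always true"),
    _result("ConstantValue", "src/Service.java", 77, "Value is always null"),
    _result("UnusedImport", "src/Util.java", 3, "Unused import java.util.List")]}]})

def fingerprint(rule, uri, line, text):
    # Stable 16-hex-char issue id from the identifying fields (a hypothetical scheme, not Sheriff's own).
    return hashlib.sha256(f"{rule}|{uri}|{line}|{text}".encode()).hexdigest()[:16]

class SarifQueue:
    def __init__(self, state_json="{}"):
        self.issues = json.loads(state_json)  # fp -> issue dict; json.dumps(self.issues) persists it

    def load(self, sarif_text):
        for run in json.loads(sarif_text)["runs"]:
            for r in run.get("results", []):
                loc = r["locations"][0]["physicalLocation"]
                uri, line, text = loc["artifactLocation"]["uri"], loc["region"]["startLine"], r["message"]["text"]
                fp = fingerprint(r["ruleId"], uri, line, text)  # idempotent: reloading adds no duplicates
                self.issues.setdefault(fp, dict(fp=fp, rule=r["ruleId"], uri=uri, line=line, text=text, status="open"))

    def next(self, rule=None):
        # One file per batch: the file with the most open issues matching the optional rule filter.
        by_file = defaultdict(list)
        for i in self.issues.values():
            if i["status"] == "open" and (rule is None or i["rule"] == rule):
                by_file[i["uri"]].append(i)
        if not by_file:
            return None
        uri = max(by_file, key=lambda u: len(by_file[u]))
        return uri, sorted(by_file[uri], key=lambda i: i["line"])

    def done(self, fps, status="fixed"):
        # Close open issues by fingerprint ("fixed" or "wontfix"); unknown or closed ids are ignored.
        marked = [fp for fp in fps if self.issues.get(fp, {}).get("status") == "open"]
        for fp in marked:
            self.issues[fp]["status"] = status
        return len(marked)

    def progress(self):
        return Counter(i["status"] for i in self.issues.values())  # missing keys read as 0
```

Because `done` keys on fingerprints rather than file and line numbers, ids stay valid after the agent's edits shift code around, and reloading the same report after a restart leaves already-closed issues closed.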
All release artifacts are signed with Sigstore for supply chain security.
Verify JAR:
```bash
VERSION=1.0.2
cosign verify-blob \
  --signature sheriff-mcp-${VERSION}-all.jar.sig \
  --certificate sheriff-mcp-${VERSION}-all.jar.pem \
  --certificate-identity-regexp "https://github.com/ryansmith4/sheriff-mcp" \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
  sheriff-mcp-${VERSION}-all.jar
```
Verify Docker image:
```bash
cosign verify ghcr.io/ryansmith4/sheriff-mcp:latest \
  --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
  --certificate-identity-regexp="github.com/ryansmith4/sheriff-mcp"
```
See SECURITY.md for our security policy.
Contributions welcome! See CONTRIBUTING.md for guidelines.
Apache License 2.0 - see LICENSE