This repository was archived by the owner on Mar 24, 2026. It is now read-only.

anchore/grype-mcp

Grype MCP Server


Anchore MCP server for Grype vulnerability scanner

Integrate Grype vulnerability scanning directly into AI-assisted development workflows through the Model Context Protocol (MCP).

🚀 Quick Start

Installation

Install using uvx (recommended):

uvx grype-mcp

Or using pipx:

pipx install grype-mcp

Or using pip:

pip install grype-mcp

MCP Client Setup

Claude Desktop

Add to your Claude Desktop configuration:

{
  "mcpServers": {
    "grype": {
      "command": "uvx",
      "args": ["grype-mcp"]
    }
  }
}

Other MCP Clients

For other MCP-compatible clients, add the server using:

  • Command: uvx
  • Args: ["grype-mcp"]

Start using Grype's vulnerability scanning capabilities!

🛠️ Available Tools

The Grype MCP server provides these tools for AI assistants:

System Management

  • find_grype - Check if Grype is installed and get version info
  • update_grype - Install or update Grype to the latest version
  • get_db_info - Get vulnerability database status and version info
  • update_db - Update the vulnerability database

Vulnerability Scanning

  • scan_dir - Scan project directories for vulnerabilities
  • scan_purl - Scan specific packages using PURL format (e.g., pkg:npm/lodash@4.17.20)
  • scan_image - Scan container images for vulnerabilities

Vulnerability Research

  • search_vulns - Search the vulnerability database by CVE, package name, or CPE
  • get_vuln_details - Get detailed information about specific CVEs

💡 Example Usage

Once configured, you can ask:

  • "Check if Grype is installed and up to date"
  • "Scan my project directory for vulnerabilities"
  • "Is pkg:npm/lodash@4.17.20 vulnerable?"
  • "Scan the nginx:latest Docker image"
  • "Search for Log4j vulnerabilities"
  • "Get details about CVE-2021-44228"

🔧 Requirements

  • Python 3.10+
  • Grype (can be installed via the update_grype tool)
  • Docker (optional, for container image scanning)

The MCP server can help install Grype if it's not already available using the update_grype tool.

📋 Supported Scanning Targets

  • Directories - Scan entire projects with all their dependencies
  • Container Images - Docker images from any registry
  • Package URLs - Individual packages in PURL format
    • npm: pkg:npm/package@version
    • Python: pkg:pypi/package@version
    • Go: pkg:golang/package@version
    • Java: pkg:maven/group/artifact@version
    • And many more ecosystems

πŸ—οΈ Architecture

The MCP server acts as a bridge between AI assistants and Grype:

AI Assistant ↔ MCP Server ↔ Grype CLI ↔ Vulnerability Database

  • Zero modifications to Grype required
  • Structured JSON responses optimized for AI consumption
  • Comprehensive error handling with helpful messages
  • Automatic tool management for easy setup
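
Added example (not code from grype-mcp): one way a bridge like the one described above could validate a PURL in the formats listed under Supported Scanning Targets before it reaches the Grype CLI, and pass it as an argument list rather than a shell string. The function names, the segment allow-list and the exact `grype` argument layout are assumptions of this example.

```python
import re
from urllib.parse import unquote

# purl type: a letter, then letters, digits, '.', '+' or '-'.
_TYPE = re.compile(r"[a-z][a-z0-9.+-]*")
# Conservative allow-list for decoded segments (an assumption of this example;
# it rejects some legal purls, such as versions carrying an epoch ':').
_SEGMENT = re.compile(r"[A-Za-z0-9._~+@-]+")


def parse_purl(purl: str) -> dict:
    """Split pkg:type/namespace/name@version; raise ValueError if malformed."""
    if not purl.startswith("pkg:"):
        raise ValueError("missing pkg: scheme")
    if "?" in purl or "#" in purl:
        raise ValueError("qualifiers and subpaths are not accepted here")
    ptype, slash, rest = purl[4:].partition("/")
    if not slash or not _TYPE.fullmatch(ptype):
        raise ValueError("bad package type")
    # A scoped npm namespace is written %40scope, so the last raw '@' is the version.
    path, at, version = rest.rpartition("@")
    if not at:
        raise ValueError("version is required")
    parts = [unquote(s) for s in path.split("/")] + [unquote(version)]
    for part in parts:
        if not _SEGMENT.fullmatch(part) or part in (".", ".."):
            raise ValueError(f"disallowed segment: {part!r}")
    return {"type": ptype, "namespace": "/".join(parts[:-2]),
            "name": parts[-2], "version": parts[-1]}


def build_scan_command(purl: str) -> list[str]:
    """Return an argv list for the Grype CLI, never a shell string."""
    parse_purl(purl)  # raises before anything reaches the CLI
    # The validated value starts with "pkg:", so it cannot be read as an option.
    return ["grype", purl, "-o", "json"]


def is_accepted(purl: str) -> bool:
    try:
        build_scan_command(purl)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: two of the page's formats and one malformed value.
    for sample in ("pkg:npm/lodash@4.17.20", "pkg:npm/%40angular/core@12.0.0", "pkg:npm/lodash@1 -o x"):
        print(sample, "->", is_accepted(sample))
```

The returned list is meant to be handed to `subprocess.run` without `shell=True`, so the tool argument is never interpreted by a shell.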

🤝 Contributing

We welcome contributions! Please see:

📄 License

Licensed under the Apache License, Version 2.0. See LICENSE for details.

🔗 Related Projects

📞 Support


Made with ❤️ by the Anchore team for the AI-assisted development community
