The MCP SBOM Server is a tool that scans container images using Trivy to generate Software Bill of Materials (SBOMs) in both SPDX JSON and CycloneDX formats.
Container Image Scanning: Executes Trivy scans on specified container images
Multiple SBOM Formats: Supports both SPDX JSON and CycloneDX standards
MCP Integration: Operates as a server adhering to the Model Context Protocol (MCP)
Compatibility: Works with Python 3.12 and MCP 1.6
Debugging: Provides tools for debugging via MCP Inspector
Requirements: Needs
uv,trivy, andNode.jsfor installation/executionWindows Support: Includes guidance for Windows systems
Performs container and application vulnerability scanning using Trivy and produces a Software Bill of Materials (SBOM) in CycloneDX format.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@MCP SBOM Serverscan my Dockerfile for vulnerabilities and generate an SBOM"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
MCP SBOM Server
MCP server to perform a Trivy scan and produce an SBOM in CycloneDX format.
Installation
Prerequisites
Install the following.
MCP Clients
Configuration
Building
This project employsuv.
Synchronize dependencies and update the lockfile.
Debugging
MCP Inspector
Use MCP Inspector.
Launch the MCP Inspector as follows:
Windows
When running on Windows, use paths of the style: