scan
Generate SPDX SBOM for container images using Trivy scanner to identify software components and dependencies in SPDX JSON format.
Instructions
Execute Trivy scanner to generate SPDX SBOM for a container image.
Supports the SPDX JSON format.
Args:
- image (str): The container image name/reference to scan

Returns:
- str: The SBOM JSON on success, or an error message
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| image | Yes | The container image name/reference to scan | |
Implementation Reference
- src/mcp_sbom/server.py:41-59 (handler): The `scan` tool handler, decorated with `@mcp.tool()` for registration in FastMCP, executes the Trivy scan via the `exec_trivy` helper and returns the SBOM JSON or an error string.

```python
import logging
from mcp.server.fastmcp import FastMCP

logger = logging.getLogger(__name__)
mcp = FastMCP("mcp-sbom")  # server name assumed; not shown on the page


@mcp.tool()
async def scan(image: str):
    """
    Execute Trivy scanner to generate SPDX SBOM for a container image.
    Supports the SPDX JSON format.

    Args:
        image (str): The container image name/reference to scan

    Returns:
        str: SBOM JSON on success, or an error message
    """
    try:
        logger.info(f"MCP SBOM tool called with image: {image}")
        # exec_trivy is the helper defined earlier in the same module
        result = await exec_trivy(image)
        logger.debug(f"Trivy execution result: {result}")
        return result
    except Exception as e:
        logger.error(f"Exception in trivy tool: {str(e)}")
        return f"Error: {str(e)}"
```
- src/mcp_sbom/server.py:14-39 (helper): Helper that asynchronously runs the Trivy command against the container image, then loads the SBOM JSON it wrote. Two defects in the flattened original are corrected here: the `--format` value was `cyclonedx` although the tool is documented as producing SPDX JSON, and a non-zero Trivy exit code silently returned `None`.

```python
import asyncio
import json
import logging

logger = logging.getLogger(__name__)


async def exec_trivy(image: str):
    try:
        logger.info(f"Starting Trivy scan for image: {image}")
        # The page documents SPDX JSON output; the original command passed
        # "cyclonedx" here, which makes Trivy emit a CycloneDX document instead.
        cmd = [
            "trivy", "image",
            "--format", "spdx-json",
            "--output", "sbom.json",  # written into the current working directory
            image,
        ]
        # result = subprocess.run(cmd, capture_output=True, text=True)
        process = await asyncio.create_subprocess_exec(
            *cmd,
            stdout=asyncio.subprocess.PIPE,
            stderr=asyncio.subprocess.PIPE,
        )
        stdout, stderr = await process.communicate()
        logger.info(f"Trivy scan completed with return code {process.returncode}")
        if process.returncode == 0:
            with open("sbom.json", "r") as f:
                sbom_content = json.load(f)
            return sbom_content
        # The original fell through and returned None on failure; report stderr instead.
        return (
            f"Error: trivy exited with code {process.returncode}: "
            f"{stderr.decode(errors='replace')}"
        )
    except Exception as e:
        logger.error(f"Exception in exec_trivy: {str(e)}")
        return f"Error: {str(e)}"
```
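The helper above passes a caller-supplied string straight into the `trivy` argument vector, writes to a fixed `sbom.json` in the working directory (so concurrent tool calls can overwrite each other's output), and has no timeout. The following is an added example, not code from the mcp-sbom project, showing how a defender would harden that path: reject image references that could be parsed as flags, write each scan into its own temporary directory, bound the run time, and summarise the resulting SPDX document. The names `validate_image_ref`, `exec_trivy_safe` and `summarize_spdx`, the reference pattern, and the sample SPDX document are all assumptions constructed for this example; only the SPDX field names (`spdxVersion`, `packages`, `versionInfo`) and the Trivy `--format spdx-json` option are real.

```python
"""Added example (not part of mcp-sbom): hardened Trivy invocation and SPDX summary."""
import asyncio
import json
import re
import tempfile
from pathlib import Path

# Conservative shape for an image reference (registry[:port]/repo[:tag][@digest]).
# A leading '-' is rejected so the value can never be consumed as a trivy flag,
# and whitespace or shell metacharacters are never accepted. Pattern is an assumption.
_IMAGE_REF = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._:/@-]*$")


def validate_image_ref(image: str) -> str:
    """Return the reference unchanged if it is safe to pass to trivy, else raise."""
    if not isinstance(image, str) or len(image) > 512 or not _IMAGE_REF.match(image):
        raise ValueError(f"invalid image reference: {image!r}")
    return image


def summarize_spdx(doc: dict) -> dict:
    """Count packages in an SPDX 2.x JSON document and list those lacking a version."""
    packages = doc.get("packages", [])
    unversioned = [p.get("name", "?") for p in packages if not p.get("versionInfo")]
    return {
        "spdx_version": doc.get("spdxVersion"),
        "package_count": len(packages),
        "unversioned": unversioned,
    }


async def exec_trivy_safe(image: str, timeout: float = 600.0) -> dict:
    """Run trivy into a private temp dir with a timeout; raise on any failure."""
    image = validate_image_ref(image)
    with tempfile.TemporaryDirectory() as tmp:
        out = Path(tmp) / "sbom.spdx.json"  # per-call output, no shared sbom.json
        cmd = ["trivy", "image", "--format", "spdx-json", "--output", str(out), image]
        proc = await asyncio.create_subprocess_exec(
            *cmd, stdout=asyncio.subprocess.PIPE, stderr=asyncio.subprocess.PIPE
        )
        try:
            _, stderr = await asyncio.wait_for(proc.communicate(), timeout)
        except asyncio.TimeoutError:
            proc.kill()
            await proc.wait()
            raise RuntimeError(f"trivy timed out after {timeout}s scanning {image}")
        if proc.returncode != 0:
            tail = stderr.decode(errors="replace")[-500:]
            raise RuntimeError(f"trivy exited {proc.returncode}: {tail}")
        return json.loads(out.read_text())


# Constructed sample in the shape Trivy's spdx-json output takes (not real scan data).
SAMPLE_SPDX = {
    "spdxVersion": "SPDX-2.3",
    "name": "example.com/app:1.0",
    "packages": [
        {"name": "example.com/app:1.0", "SPDXID": "SPDXRef-DocumentRoot-ContainerImage"},
        {"name": "openssl", "versionInfo": "3.0.2-0ubuntu1.15", "SPDXID": "SPDXRef-Package-1"},
        {"name": "zlib1g", "versionInfo": "1:1.2.11.dfsg-2ubuntu9.2", "SPDXID": "SPDXRef-Package-2"},
    ],
}


if __name__ == "__main__":
    print(summarize_spdx(SAMPLE_SPDX))
    # Requires trivy on PATH; the image name is a placeholder.
    # print(summarize_spdx(asyncio.run(exec_trivy_safe("alpine:3.19"))))
```

Raising instead of returning `"Error: ..."` strings lets the MCP handler decide how to report failure, and the temp directory is removed when the `with` block exits, so nothing is left on disk between calls.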