Grype MCP Server

Anchore MCP server for Grype vulnerability scanner

Integrate Grype vulnerability scanning directly into AI-assisted development workflows through the Model Context Protocol (MCP).

🚀 Quick Start

Installation

Install using uvx (recommended):

uvx grype-mcp

Or using pipx:

pipx install grype-mcp

Or using pip:

pip install grype-mcp

MCP Client Setup

Claude Desktop

Add to your Claude Desktop configuration:

{
  "mcpServers": {
    "grype": {
      "command": "uvx",
      "args": ["grype-mcp"]
    }
  }
}

Other MCP Clients

For other MCP-compatible clients, add the server using:

• Command: uvx

• Args: ["grype-mcp"]

Start using Grype's vulnerability scanning capabilities!

🛠️ Available Tools

The Grype MCP server provides these tools for AI assistants:

System Management

• find_grype - Check if Grype is installed and get version info

• update_grype - Install or update Grype to the latest version

• get_db_info - Get vulnerability database status and version info

• update_db - Update the vulnerability database

Vulnerability Scanning

• scan_dir - Scan project directories for vulnerabilities

• scan_purl - Scan specific packages using PURL format (e.g., pkg:npm/lodash@4.17.20)

• scan_image - Scan container images for vulnerabilities

Vulnerability Research

• search_vulns - Search the vulnerability database by CVE, package name, or CPE

• get_vuln_details - Get detailed information about specific CVEs

💡 Example Usage

Once configured, you can ask:

• "Check if Grype is installed and up to date"

• "Scan my project directory for vulnerabilities"

• "Is pkg:npm/lodash@4.17.20 vulnerable?"

• "Scan the nginx:latest Docker image"

• "Search for Log4j vulnerabilities"

• "Get details about CVE-2021-44228"

🔧 Requirements

• Python 3.10+

• Grype (can be installed via the update_grype tool)

• Docker (optional, for container image scanning)

The MCP server can help install Grype if it's not already available using the update_grype tool.

📋 Supported Scanning Targets

• Directories - Scan entire projects with all their dependencies

• Container Images - Docker images from any registry

• Package URLs - Individual packages in PURL format

  • npm: pkg:npm/package@version

  • Python: pkg:pypi/package@version

  • Go: pkg:golang/package@version

  • Java: pkg:maven/group/artifact@version

  • And many more ecosystems

🏗️ Architecture

The MCP server acts as a bridge between AI assistants and Grype:

AI Assistant ↔ MCP Server ↔ Grype CLI ↔ Vulnerability Database

• Zero modifications to Grype required

• Structured JSON responses optimized for AI consumption

• Comprehensive error handling with helpful messages

• Automatic tool management for easy setup

🤝 Contributing

We welcome contributions! Please see:

• CONTRIBUTING.md - Contribution guidelines

• DEVELOPING.md - Development setup

• CODE_OF_CONDUCT.md - Community standards

📄 License

Licensed under the Apache License, Version 2.0. See LICENSE for details.

🔗 Related Projects

• Grype - Vulnerability scanner for container images and filesystems

• Syft - SBOM generation tool

• Model Context Protocol - Open protocol for AI assistant integrations

• Anchore Enterprise - Commercial SBOM-powered security platform

📞 Support

• GitHub Issues - Bug reports and feature requests

• Anchore Community Discourse - Community support and discussions

• Documentation - Full documentation

Made with ❤️ by the Anchore team for the AI-assisted development community