Grype MCP Server
OfficialClick on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@Grype MCP ServerScan my project directory for vulnerabilities"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
Grype MCP Server
Anchore MCP server for Grype vulnerability scanner
Integrate Grype vulnerability scanning directly into AI-assisted development workflows through the Model Context Protocol (MCP).
🚀 Quick Start
Installation
Install using uvx (recommended):
uvx grype-mcpOr using pipx:
pipx install grype-mcpOr using pip:
pip install grype-mcpMCP Client Setup
Claude Desktop
Add to your Claude Desktop configuration:
{
"mcpServers": {
"grype": {
"command": "uvx",
"args": ["grype-mcp"]
}
}
}Other MCP Clients
For other MCP-compatible clients, add the server using:
Command:
uvxArgs:
["grype-mcp"]
Start using Grype's vulnerability scanning capabilities!
Related MCP server: MCP SBOM Server
🛠️ Available Tools
The Grype MCP server provides these tools for AI assistants:
System Management
find_grype- Check if Grype is installed and get version infoupdate_grype- Install or update Grype to the latest versionget_db_info- Get vulnerability database status and version infoupdate_db- Update the vulnerability database
Vulnerability Scanning
scan_dir- Scan project directories for vulnerabilitiesscan_purl- Scan specific packages using PURL format (e.g.,pkg:npm/lodash@4.17.20)scan_image- Scan container images for vulnerabilities
Vulnerability Research
search_vulns- Search the vulnerability database by CVE, package name, or CPEget_vuln_details- Get detailed information about specific CVEs
💡 Example Usage
Once configured, you can ask:
"Check if Grype is installed and up to date"
"Scan my project directory for vulnerabilities"
"Is pkg:npm/lodash@4.17.20 vulnerable?"
"Scan the nginx:latest Docker image"
"Search for Log4j vulnerabilities"
"Get details about CVE-2021-44228"
🔧 Requirements
Python 3.10+
Grype (can be installed via the
update_grypetool)Docker (optional, for container image scanning)
The MCP server can help install Grype if it's not already available using the update_grype tool.
📋 Supported Scanning Targets
Directories - Scan entire projects with all their dependencies
Container Images - Docker images from any registry
Package URLs - Individual packages in PURL format
npm:
pkg:npm/package@versionPython:
pkg:pypi/package@versionGo:
pkg:golang/package@versionJava:
pkg:maven/group/artifact@versionAnd many more ecosystems
🏗️ Architecture
The MCP server acts as a bridge between AI assistants and Grype:
AI Assistant ↔ MCP Server ↔ Grype CLI ↔ Vulnerability DatabaseZero modifications to Grype required
Structured JSON responses optimized for AI consumption
Comprehensive error handling with helpful messages
Automatic tool management for easy setup
🤝 Contributing
We welcome contributions! Please see:
CONTRIBUTING.md - Contribution guidelines
DEVELOPING.md - Development setup
CODE_OF_CONDUCT.md - Community standards
📄 License
Licensed under the Apache License, Version 2.0. See LICENSE for details.
🔗 Related Projects
Grype - Vulnerability scanner for container images and filesystems
Syft - SBOM generation tool
Model Context Protocol - Open protocol for AI assistant integrations
Anchore Enterprise - Commercial SBOM-powered security platform
📞 Support
GitHub Issues - Bug reports and feature requests
Anchore Community Discourse - Community support and discussions
Documentation - Full documentation
Made with ❤️ by the Anchore team for the AI-assisted development community
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/anchore/grype-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server