@cloudcraftwithfranck/govcloud-mcp

ironbank_lookup

Look up Iron Bank hardened container images to get registry paths, approved versions, Cosign verification commands, and pull secret configuration for any application.

Instructions

Look up Iron Bank hardened container images for any application. Returns the correct registry1.dso.mil registry path, latest approved version, Cosign verification commands, and pull secret configuration.

Input Schema

TableJSON Schema

Name	Required	Description	Default
`imageName`	Yes	Application or image name e.g. "nginx", "postgres", "redis", "grafana"
`version`	No	Specific version to look up (optional — returns latest approved if omitted)

Implementation Reference

src/tools/platform-one/ironbank-lookup.ts:31-69 (handler)

The handler function `handleIronbankLookup` that executes the ironbank_lookup tool logic. It validates args with Zod schema, then calls Anthropic Claude with the PLATFORM_ONE_SYSTEM prompt to look up Iron Bank hardened container image details (registry path, version, cosign commands, CVE status, pull secrets, etc.) via an LLM prompt.

export async function handleIronbankLookup(args: unknown): Promise<string> {
  return runTool('ironbank_lookup', args, Schema, async ({ imageName, version }) => {
    const response = await anthropic.messages.create({
      model: MODEL,
      max_tokens: getTokenBudget('ironbank_lookup'),
      system: PLATFORM_ONE_SYSTEM,
      messages: [
        {
          role: 'user',
          content: `Look up the Iron Bank hardened container image for: **${imageName}**${version ? ` version ${version}` : ' (latest approved version)'}

Provide:
1. **Iron Bank Registry Path** — full registry1.dso.mil path (e.g., registry1.dso.mil/ironbank/opensource/nginx/nginx:1.25.3)
2. **Latest Approved Version** — version number and approval date
3. **Image Digest** — SHA256 digest for pinning (e.g., sha256:abc123...)
4. **Cosign Verification Commands**:
   \`\`\`bash
   cosign verify --key https://ironbank.dso.mil/cosign.pub registry1.dso.mil/ironbank/...
   \`\`\`
5. **CVE Status** — known CVE count (Critical/High/Medium/Low), last scan date
6. **Iron Bank Approval Status** — Approved / Conditionally Approved / In Progress
7. **Pull Secret Configuration**:
   - How to create the imagePullSecret for registry1.dso.mil
   - Kubernetes secret YAML
   - Docker config.json format
8. **Kubernetes Image Reference** — exact string to use in pod spec with digest pin
9. **Alternative Images** — if multiple IB variants exist (e.g., UBI-based vs Alpine)
10. **Chainguard Alternative** — if a Chainguard equivalent exists (cgr.dev path)
11. **Known Limitations or Caveats** — configuration differences from upstream image, required init containers, etc.
12. **Big Bang Values Reference** — where this image appears in Big Bang values.yaml (if applicable)

Use accurate Iron Bank registry paths under registry1.dso.mil/ironbank/. Common namespaces: ironbank/opensource/, ironbank/redhat/, ironbank/google/, ironbank/elastic/, ironbank/hashicorp/`,
        },
      ],
    });

    return response.content[0].type === 'text' ? response.content[0].text : '';
  });
}

src/tools/platform-one/ironbank-lookup.ts:26-29 (schema)
Zod validation schema (`Schema`) for ironbank_lookup: requires `imageName` (string 1-500 chars) and optional `version` (string max 500 chars).
```
const Schema = z.object({
  imageName: z.string().min(1).max(500),
  version: z.string().max(500).optional(),
});
```

src/tools/platform-one/ironbank-lookup.ts:6-24 (registration)

The tool definition object `ironbankLookupTool` with name 'ironbank_lookup', description, and JSON Schema input schema (imageName required, version optional).

export const ironbankLookupTool = {
  name: 'ironbank_lookup',
  description:
    'Look up Iron Bank hardened container images for any application. Returns the correct registry1.dso.mil registry path, latest approved version, Cosign verification commands, and pull secret configuration.',
  inputSchema: {
    type: 'object' as const,
    properties: {
      imageName: {
        type: 'string',
        description: 'Application or image name e.g. "nginx", "postgres", "redis", "grafana"',
      },
      version: {
        type: 'string',
        description: 'Specific version to look up (optional — returns latest approved if omitted)',
      },
    },
    required: ['imageName'],
  },
};

src/tools/index.ts:17-87 (registration)

Import and re-export: `ironbankLookupTool` is added to the `allTools` array (line 47) and `handleIronbankLookup` is dispatched in the `handleToolCall` switch/case (line 76) when tool name is 'ironbank_lookup'.

import { ironbankLookupTool, handleIronbankLookup } from './platform-one/ironbank-lookup.js';
import { addonConfiguratorTool, handleAddonConfigurator } from './platform-one/addon-configurator.js';

import { pipelineAuditTool, handlePipelineAudit } from './pipeline/pipeline-audit.js';
import { signingConfigTool, handleSigningConfig } from './pipeline/signing-config.js';
import { devsecopsScoreCardTool, handleDevsecopsScorecard } from './pipeline/devsecops-scorecard.js';

import { sspSectionTool, handleSspSection } from './documents/ssp-section.js';
import { contingencyPlanTool, handleContingencyPlan } from './documents/contingency-plan.js';

import { govcloudQuickstartTool, handleGovcloudQuickstart } from './govcloud-quickstart.js';

export const allTools = [
  // Compliance
  bicepAnalyzeTool,
  bicepRemediateTool,
  controlLookupTool,
  controlNarrativeTool,
  poamGenerateTool,
  atoReadinessTool,
  oscalFragmentTool,
  // Architecture
  landingZoneTool,
  landingZoneReferenceTool,
  serviceSelectTool,
  gccHighTool,
  privateEndpointTool,
  // Platform One
  bigbangValidateTool,
  bigbangHardenTool,
  ironbankLookupTool,
  addonConfiguratorTool,
  // Pipeline
  pipelineAuditTool,
  signingConfigTool,
  devsecopsScoreCardTool,
  // Documents
  sspSectionTool,
  contingencyPlanTool,
  // Meta
  govcloudQuickstartTool,
];

export async function handleToolCall(name: string, args: unknown): Promise<string> {
  switch (name) {
    case 'bicep_analyze':         return handleBicepAnalyze(args);
    case 'bicep_remediate':       return handleBicepRemediate(args);
    case 'control_lookup':        return handleControlLookup(args);
    case 'control_narrative':     return handleControlNarrative(args);
    case 'poam_generate':         return handlePoamGenerate(args);
    case 'ato_readiness':         return handleAtoReadiness(args);
    case 'oscal_fragment':        return handleOscalFragment(args);
    case 'landing_zone_design':   return handleLandingZone(args);
    case 'landing_zone_reference': return handleLandingZoneReference(args);
    case 'azure_service_selector': return handleServiceSelect(args);
    case 'gcc_high_guidance':     return handleGccHigh(args);
    case 'private_endpoint_map':  return handlePrivateEndpoint(args);
    case 'bigbang_validate':      return handleBigbangValidate(args);
    case 'bigbang_harden':        return handleBigbangHarden(args);
    case 'ironbank_lookup':       return handleIronbankLookup(args);
    case 'addon_configurator':    return handleAddonConfigurator(args);
    case 'pipeline_audit':        return handlePipelineAudit(args);
    case 'signing_config':        return handleSigningConfig(args);
    case 'devsecops_scorecard':   return handleDevsecopsScorecard(args);
    case 'ssp_section':           return handleSspSection(args);
    case 'contingency_plan':      return handleContingencyPlan(args);
    case 'govcloud_quickstart':   return handleGovcloudQuickstart(args);
    default:
      throw new Error(`Unknown tool: ${name}`);
  }
}

src/utils/tool-runner.ts:28-31 (helper)
Configuration helpers for ironbank_lookup: token budget of 1024 (line 28) and timeout of 15000ms (line 35).
```
  ironbank_lookup: 1024,
  govcloud_quickstart: 1024,
  bicep_analyze: 4096,
};
```

src/utils/response-validator.ts:23-31 (helper)

Response validation: ironbank_lookup has a minimum length requirement of 200 characters.

  ironbank_lookup: 200,
  addon_configurator: 300,
  gcc_high_guidance: 300,
  private_endpoint_map: 300,
  azure_service_selector: 200,
  signing_config: 300,
  devsecops_scorecard: 300,
  govcloud_quickstart: 200,
};

Tool Definition Quality

A4.2/5.0

Behavior4/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

No annotations are provided, so the description must disclose behavior. It states the tool returns information (registry path, version, commands, config) without side effects, clearly indicating a read-only lookup. It does not explicitly state read-only, but the nature is inferred.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness5/5

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is two sentences with no wasted words. It front-loads the main action and then lists return values succinctly.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness4/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

For a simple lookup tool with no output schema, the description adequately covers what the tool does and what it returns. It could mention authentication or that it's a query, but the existing information is sufficient for correct use.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters3/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

Schema description coverage is 100% with both parameters described clearly in the input schema. The tool description adds no additional meaning beyond what the schema provides (e.g., imageName examples and version optionality).

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose5/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description explicitly states the tool looks up Iron Bank hardened container images, specifying the verb 'look up' and the resource. It details what is returned: registry path, latest approved version, Cosign commands, and pull secret config, clearly differentiating from sibling tools like 'addon_configurator' or 'bicep_analyze' which have distinct purposes.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines4/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

The description indicates the tool is for any application needing Iron Bank images, implying usage when such data is required. It does not explicitly state when not to use or mention alternatives, but the purpose is singular among siblings, so context is clear.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

Install Server

Latest Blog Posts

Lightport: Open-Sourcing Glama's AI Gateway
By punkpeye on April 27, 2026.
open source
OpenAI
Tool Definition Quality Score (TDQS)
By punkpeye on April 3, 2026.
mcp
The Hackers Who Tracked My Sleep Cycle
By punkpeye on March 26, 2026.
security

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/cloudcwfranck/govcloud-mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server