anchore/grype-mcp
Grype MCP Server integrates the Grype vulnerability scanner into AI-assisted development workflows using the Model Context Protocol (MCP).
Grype MCP Server
Anchore MCP server for Grype vulnerability scanner
Integrate Grype vulnerability scanning directly into AI-assisted development workflows through the Model Context Protocol (MCP).
🚀 Quick Start
Installation
Install using uvx (recommended):
uvx grype-mcp
Or using pipx:
pipx install grype-mcp
Or using pip:
pip install grype-mcp
MCP Client Setup
Claude Desktop
Add to your Claude Desktop configuration:
{
  "mcpServers": {
    "grype": {
      "command": "uvx",
      "args": ["grype-mcp"]
    }
  }
}
Other MCP Clients
For other MCP-compatible clients, add the server using:
- Command: uvx
- Args: ["grype-mcp"]
Start using Grype's vulnerability scanning capabilities!
🛠️ Available Tools
The Grype MCP server provides these tools for AI assistants:
System Management
- find_grype - Check if Grype is installed and get version info
- update_grype - Install or update Grype to the latest version
- get_db_info - Get vulnerability database status and version info
- update_db - Update the vulnerability database
Vulnerability Scanning
- scan_dir - Scan project directories for vulnerabilities
- scan_purl - Scan specific packages using PURL format (e.g., pkg:npm/lodash@4.17.20)
- scan_image - Scan container images for vulnerabilities
Vulnerability Research
- search_vulns - Search the vulnerability database by CVE, package name, or CPE
- get_vuln_details - Get detailed information about specific CVEs
💡 Example Usage
Once configured, you can ask:
- "Check if Grype is installed and up to date"
- "Scan my project directory for vulnerabilities"
- "Is pkg:npm/lodash@4.17.20 vulnerable?"
- "Scan the nginx:latest Docker image"
- "Search for Log4j vulnerabilities"
- "Get details about CVE-2021-44228"
🔧 Requirements
- Python 3.10+
- Grype (can be installed via the update_grype tool)
- Docker (optional, for container image scanning)
The MCP server can help install Grype if it's not already available using the update_grype tool.
📋 Supported Scanning Targets
- Directories - Scan entire projects with all their dependencies
- Container Images - Docker images from any registry
- Package URLs - Individual packages in PURL format
  - npm: pkg:npm/package@version
  - Python: pkg:pypi/package@version
  - Go: pkg:golang/package@version
  - Java: pkg:maven/group/artifact@version
  - And many more ecosystems
🏗️ Architecture
The MCP server acts as a bridge between AI assistants and Grype:
AI Assistant ↔ MCP Server ↔ Grype CLI ↔ Vulnerability Database
- Zero modifications to Grype required
- Structured JSON responses optimized for AI consumption
- Comprehensive error handling with helpful messages
- Automatic tool management for easy setup
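The bridge step in the diagram above (an assistant-supplied target handed to the Grype CLI, and the CLI's JSON report reduced for the assistant), as an added Python example that is not code from the grype-mcp project. The helper names, the `grype <target> -o json` invocation shape and the sample report are assumptions made for illustration.

```python
import json
import re
from collections import Counter

# Shape listed on this page: pkg:<type>/<name>@<version>. Qualifiers ("?k=v")
# and subpaths ("#...") are valid PURL syntax but are not accepted here.
PURL_RE = re.compile(r"pkg:[a-z][a-z0-9.+-]*/[A-Za-z0-9._~%/@-]+@[A-Za-z0-9._~%+-]+")

def build_grype_argv(target: str) -> list[str]:
    """Argv list for `grype <target> -o json`; never joined into a shell string."""
    if not target or target.startswith("-"):
        raise ValueError(f"target would be parsed as a CLI option: {target!r}")
    if any(ord(ch) < 32 for ch in target):
        raise ValueError("control character in target")
    if target.startswith("pkg:") and not PURL_RE.fullmatch(target):
        raise ValueError(f"malformed PURL: {target!r}")
    return ["grype", target, "-o", "json"]

def summarize(report_json: str) -> dict:
    """Reduce a Grype JSON report to severity counts and findings with a fix."""
    matches = json.loads(report_json).get("matches", [])
    counts = Counter(m["vulnerability"].get("severity", "Unknown") for m in matches)
    fixable = sorted(
        (m["vulnerability"]["id"], m["artifact"]["name"], m["vulnerability"]["fix"]["versions"][0])
        for m in matches
        if m["vulnerability"].get("fix", {}).get("state") == "fixed"
        and m["vulnerability"]["fix"].get("versions")
    )
    return {"total": len(matches), "by_severity": dict(counts), "fixable": fixable}

# Constructed sample report (IDs and versions are placeholders, not real findings).
SAMPLE_REPORT = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-0000-0001", "severity": "High",
                       "fix": {"versions": ["9.9.1"], "state": "fixed"}},
     "artifact": {"name": "example-lib", "version": "9.9.0"}},
    {"vulnerability": {"id": "CVE-0000-0002", "severity": "High",
                       "fix": {"versions": [], "state": "not-fixed"}},
     "artifact": {"name": "example-lib", "version": "9.9.0"}},
    {"vulnerability": {"id": "CVE-0000-0003", "severity": "Low",
                       "fix": {"versions": [], "state": "unknown"}},
     "artifact": {"name": "other-lib", "version": "1.0.0"}},
]})

if __name__ == "__main__":
    print(build_grype_argv("pkg:npm/lodash@4.17.20"))
    print(summarize(SAMPLE_REPORT))
```

Passing the result of build_grype_argv to subprocess.run as a list keeps the target a single argument, so shell metacharacters in an assistant-supplied string are never interpreted.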
🤝 Contributing
We welcome contributions! Please see:
- Contribution guidelines
- Development setup
- Community standards
📄 License
Licensed under the Apache License, Version 2.0. See for details.
🔗 Related Projects
- Grype - Vulnerability scanner for container images and filesystems
- Syft - SBOM generation tool
- Model Context Protocol - Open protocol for AI assistant integrations
- Anchore Enterprise - Commercial SBOM-powered security platform
📞 Support
- GitHub Issues - Bug reports and feature requests
- Anchore Community Discourse - Community support and discussions
- Documentation - Full documentation
Made with ❤️ by the Anchore team for the AI-assisted development community