crdant/mbta-mcp-server
If you are the rightful owner of mbta-mcp-server and would like to certify it and/or have it hosted online, please leave a comment on the right or send an email to henry@mcphub.com.
An MCP server that communicates with the MBTA API to provide Boston-area transit information.
MBTA MCP Server
An MCP server that communicates with the MBTA API to provide Boston-area transit information.
This Machine Learning Control Protocol (MCP) server integrates with the Massachusetts Bay Transportation Authority (MBTA) API to provide real-time and scheduled transit information for the Boston area. It enables AI assistants to access MBTA data through a standardized interface.
Features
- Real-time transit predictions
- Service alerts and disruptions
- Route and schedule information
- Accessibility information
- Trip planning assistance
- Location-based station finding
Installation
Docker
docker pull ghcr.io/crdant/mbta-mcp-server:latest
docker run -e MBTA_API_KEY="your-api-key" ghcr.io/crdant/mbta-mcp-server:latest
Go Installation
go install github.com/username/mbta-mcp-server@latest
Configuration
Set your MBTA API key in the environment:
export MBTA_API_KEY="your-api-key"
Usage
The server implements the MCP stdio protocol for local usage with AI assistants.
For more detailed information, see the .
Supply Chain Security
Container Image Signing
All container images are signed using Sigstore's Cosign with keyless signing. This allows users to verify that the container image was built by our GitHub Actions CI/CD pipeline.
Signing Security Practice
We follow the best practice for container image signing:
We sign only the image digest (content hash) - This is the most secure approach since the digest is a unique, immutable identifier for the specific content. By signing only the digest, we avoid any potential security issues that could arise from mutable tags like latest.
Verifying Container Images
To verify our container images, always verify by digest:
# Get the digest first (using any tag to lookup the image)
DIGEST=$(crane digest ghcr.io/crdant/mbta-mcp-server:1.2.3)
# Verify the image by digest
cosign verify \
--certificate-identity "https://github.com/crdant/mbta-mcp-server/.github/workflows/build.yml@refs/heads/main" \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
ghcr.io/crdant/mbta-mcp-server@$DIGEST
Software Bill of Materials (SBOM)
Each build generates a comprehensive Software Bill of Materials (SBOM) that lists all components included in the container image. The SBOM is:
- Generated during the build process
- Signed with a GitHub-issued certificate using the actions/attest-sbom tool
- Available as a GitHub Actions artifact with each build
- Attached to the container image as an attestation by digest
To verify the SBOM attestation:
# Get the digest first (most reliable approach)
DIGEST=$(crane digest ghcr.io/crdant/mbta-mcp-server:1.2.3)
# Verify the SBOM attestation by digest
cosign verify-attestation \
--certificate-identity "https://github.com/crdant/mbta-mcp-server/.github/workflows/build.yml@refs/heads/main" \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
--type spdx \
ghcr.io/crdant/mbta-mcp-server@$DIGEST
Vulnerability Scanning
We use Trivy to scan our container images for vulnerabilities:
- Container images are automatically scanned after they're built
- Results are uploaded to GitHub Security in SARIF format
- Critical and High severity vulnerabilities are reported
- Scans focus on vulnerabilities with available fixes
These security measures help ensure our software supply chain is secure and transparent from source code to container deployment.