sysdig-mcp-server

sysdiglabs/sysdig-mcp-server

This document provides a structured overview of the Model Context Protocol (MCP) Server designed for querying information from the Sysdig Secure platform using LLMs.

The MCP Server lets large language models (LLMs) query the Sysdig Secure platform through a simple interface covering security events, inventory resources, and vulnerability management data. It is still in an early development phase. The server supports the stdio, sse, and streamable-http transport protocols, so it can be integrated with different client applications, and it uses the Sysdig SDK for secure, authenticated communication with the Sysdig Secure platform.

Features

  • Supports multiple transport protocols (stdio, sse, streamable-http) for flexible integration.
  • Provides a simple interface for querying Sysdig Secure platform data using LLMs.
  • Utilizes the Sysdig SDK for secure and authenticated communication.
  • Offers detailed configuration options via app_config.yaml and environment variables.
  • Compatible with Docker and uv for easy deployment and execution.

Usage

Usage with Claude Desktop using uv

{
  "mcpServers": {
    "sysdig-mcp-server": {
      "command": "uv",
      "args": [
        "--directory",
        "<path_to_your_sysdig_mcp_server_directory>",
        "run",
        "main.py"
      ],
      "env": {
        "SYSDIG_HOST": "<your_sysdig_host>",
        "SYSDIG_SECURE_TOKEN": "<your_sysdig_secure_api_token>",
        "MCP_TRANSPORT": "stdio"
      }
    }
  }
}

Usage with Claude Desktop using Docker

{
  "mcpServers": {
    "sysdig-mcp-server": {
      "command": "docker",
      "args": [
        "run",
        "-i",
        "--rm",
        "-e",
        "SYSDIG_HOST",
        "-e",
        "MCP_TRANSPORT",
        "-e",
        "SYSDIG_SECURE_TOKEN",
        "ghcr.io/sysdiglabs/sysdig-mcp-server"
      ],
      "env": {
        "SYSDIG_HOST": "<your_sysdig_host>",
        "SYSDIG_SECURE_TOKEN": "<your_sysdig_secure_api_token>",
        "MCP_TRANSPORT": "stdio"
      }
    }
  }
}

Tools

  1. get_event_info

    Retrieve detailed information for a specific security event by its ID.

  2. list_runtime_events

    List runtime security events with optional filters.

  3. get_event_process_tree

    Retrieve the process tree for a specific event (if available).

  4. list_resources

    List inventory resources using filters (e.g., platform or category).

  5. get_resource

    Get detailed information about an inventory resource by its hash.

  6. list_runtime_vulnerabilities

    List runtime vulnerability scan results with filtering.

  7. list_accepted_risks

    List all accepted vulnerability risks.

  8. get_accepted_risk

    Retrieve a specific accepted risk by ID.

  9. list_registry_scan_results

    List scan results for container registries.

  10. get_vulnerability_policy_by_id

    Get a specific vulnerability policy by ID.

  11. list_vulnerability_policies

    List all vulnerability policies.

  12. list_pipeline_scan_results

    List CI pipeline scan results.

  13. get_scan_result

    Retrieve detailed scan results by scan ID.

  14. sysdig_sysql_sage_query

    Generate and run a SysQL query using natural language.