
MCP SBOM Server

MCP server to perform a scan and produce an SBOM

Installation
Add the following to your MCP client configuration file.

Configuration

{
  "mcpServers": {
    "gkhays-mcp-sbom-server": {
      "command": "uv",
      "args": [
        "--directory",
        "/path/to/mcp-sbom",
        "run",
        "mcp-sbom"
      ]
    }
  }
}

You can run a dedicated MCP SBOM server that uses Trivy to scan software components and outputs a CycloneDX SBOM. This setup is designed to be run locally or in a controlled environment, enabling automatic SBOM generation as part of your software supply chain checks.

How to use

To run the MCP SBOM server, start it via your MCP client, which invokes uv to launch the server from the configured directory. The server performs a Trivy scan and produces an SBOM in CycloneDX format, making it easier to track open source components and vulnerabilities across your software.

How to install

Prerequisites are the uv runtime tool, the Trivy scanner, and Node.js. Ensure all three are installed and available in your system PATH before proceeding.

# Install prerequisites as needed (examples). Install uv, Trivy, and Node.js from their official sources or package managers.
# No specific install commands are provided here since installation methods vary by platform.

Configuration

{
  "mcpServers": {
    "mcp_sbom": {
      "command": "uv",
      "args": [
        "--directory",
        "/path/to/mcp-sbom",
        "run",
        "mcp-sbom"
      ]
    }
  }
}
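
A preflight check for the prerequisites and configuration above, as an added example that is not part of the MCP SBOM server project: it confirms that uv, Trivy and Node.js resolve on PATH and that the `--directory` path exists. The function name `preflight` and the executable names `trivy` and `node` are assumptions; the page names only the tools.

```python
import json
import os
import shutil

# Executables for the prerequisites the page lists (uv, Trivy, Node.js).
# The names "trivy" and "node" are assumed; the page names only the tools.
PREREQUISITES = ("uv", "trivy", "node")


def preflight(config_text, which=shutil.which, isdir=os.path.isdir):
    """Return a list of problems found in an MCP client configuration.

    `which` and `isdir` are injectable so the check can be tested offline.
    """
    problems = []
    for tool in PREREQUISITES:
        if which(tool) is None:
            problems.append(f"prerequisite not on PATH: {tool}")

    servers = json.loads(config_text).get("mcpServers", {})
    if not servers:
        problems.append("no mcpServers entries found")
    for name, entry in servers.items():
        command = entry.get("command")
        args = entry.get("args", [])
        if not command or which(command) is None:
            problems.append(f"{name}: command not on PATH: {command!r}")
        # The value after --directory is the checkout uv runs the server from.
        # Treating a missing --directory as a problem is this example's choice.
        if "--directory" in args and args.index("--directory") + 1 < len(args):
            directory = args[args.index("--directory") + 1]
            if not isdir(directory):
                problems.append(f"{name}: directory does not exist: {directory}")
        else:
            problems.append(f"{name}: no --directory argument")
    return problems


# Constructed sample: the configuration shown above with its placeholder path.
SAMPLE_CONFIG = """
{"mcpServers": {"mcp_sbom": {"command": "uv",
  "args": ["--directory", "/path/to/mcp-sbom", "run", "mcp-sbom"]}}}
"""

if __name__ == "__main__":
    for problem in preflight(SAMPLE_CONFIG) or ["ok"]:
        print(problem)
```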

Debugging

If you need to inspect how the MCP SBOM server is being driven, you can use the MCP Inspector tool to run the server in debug mode.

npx @modelcontextprotocol/inspector uv --directory /path/to/mcp-sbom run mcp-sbom

Windows notes

When running on Windows, use a Windows-style path for the working directory, for example:

C:/Users/gkh/src/mcp-sbom-server/src/mcp_sbom

Available tools

uv_run

Executes the MCP SBOM workflow using the uv tool to start the server in a specified directory.

mcp_inspector

MCP Inspector is used to debug and validate MCP server operations by launching the inspector against the local server.