MCP server to perform a scan and produce an SBOM
Configuration
{
  "mcpServers": {
    "gkhays-mcp-sbom-server": {
      "command": "uv",
      "args": [
        "--directory",
        "/path/to/mcp-sbom",
        "run",
        "mcp-sbom"
      ]
    }
  }
}

You can run a dedicated MCP SBOM server that uses Trivy to scan software components and outputs a CycloneDX SBOM. This setup is designed to be run locally or in a controlled environment, enabling automatic SBOM generation as part of your software supply chain checks.
To run the MCP SBOM server, start it via your MCP client, which will invoke the local runtime tool to execute the server workflow. The server will perform a Trivy scan and produce an SBOM in CycloneDX format, making it easier to track open source components and vulnerabilities across your software.
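Once the server has produced a CycloneDX document, the next step in a supply chain check is usually to read it back and decide whether any component carries findings above a severity threshold. The following is an added example, not code from the mcp-sbom-server project: it parses a constructed CycloneDX 1.5 JSON sample (the same document shape Trivy can emit, with placeholder component names and vulnerability ids), maps each vulnerability to the component it affects via the `affects[].ref` / `bom-ref` linkage, and applies a simple severity gate.

```python
"""Summarise a CycloneDX JSON SBOM and apply a severity gate.

Added example, not part of the mcp-sbom-server project. SAMPLE_SBOM is a
constructed document in CycloneDX 1.5 JSON shape; its component names,
versions and vulnerability ids are placeholders, not real findings.
"""
import json
from collections import defaultdict

SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"bom-ref": "pkg:pypi/example-lib@1.0.0", "type": "library",
         "name": "example-lib", "version": "1.0.0",
         "purl": "pkg:pypi/example-lib@1.0.0"},
        {"bom-ref": "pkg:pypi/other-lib@2.3.1", "type": "library",
         "name": "other-lib", "version": "2.3.1",
         "purl": "pkg:pypi/other-lib@2.3.1"},
    ],
    "vulnerabilities": [
        {"id": "VULN-PLACEHOLDER-1",
         "ratings": [{"severity": "high"}],
         "affects": [{"ref": "pkg:pypi/example-lib@1.0.0"}]},
        {"id": "VULN-PLACEHOLDER-2",
         "ratings": [{"severity": "low"}],
         "affects": [{"ref": "pkg:pypi/example-lib@1.0.0"}]},
    ],
})

# Most severe first; index in this list is the ordering key used below.
SEVERITY_ORDER = ["critical", "high", "medium", "low", "info", "none", "unknown"]


def normalize(sev):
    """Map a CycloneDX rating severity to one of SEVERITY_ORDER."""
    sev = (sev or "unknown").lower()
    return sev if sev in SEVERITY_ORDER else "unknown"


def load_sbom(text):
    """Parse the JSON and reject anything that is not a CycloneDX document."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return doc


def worst_severity(vuln):
    """A vulnerability may carry several ratings; take the most severe."""
    sevs = [normalize(r.get("severity")) for r in vuln.get("ratings", [])]
    return min(sevs or ["unknown"], key=SEVERITY_ORDER.index)


def vulnerabilities_by_component(doc):
    """Map each affected bom-ref to the (id, severity) pairs that hit it."""
    by_ref = defaultdict(list)
    for v in doc.get("vulnerabilities", []):
        for affected in v.get("affects", []):
            by_ref[affected["ref"]].append((v["id"], worst_severity(v)))
    return dict(by_ref)


def summarize(doc):
    """One row per component: name, version, finding count, worst severity."""
    vulns = vulnerabilities_by_component(doc)
    rows = []
    for c in doc.get("components", []):
        ref = c.get("bom-ref") or c.get("purl")
        found = vulns.get(ref, [])
        worst = min((s for _, s in found), key=SEVERITY_ORDER.index, default="none")
        rows.append({"name": c["name"], "version": c.get("version", ""),
                     "count": len(found), "worst": worst})
    return rows


def exceeds_threshold(doc, threshold="high"):
    """True if any component has a finding at or above the given severity."""
    limit = SEVERITY_ORDER.index(threshold)
    return any(SEVERITY_ORDER.index(r["worst"]) <= limit for r in summarize(doc))


if __name__ == "__main__":
    sbom = load_sbom(SAMPLE_SBOM)
    for row in summarize(sbom):
        print(f'{row["name"]}@{row["version"]}: {row["count"]} finding(s), '
              f'worst={row["worst"]}')
    print("policy gate:", "FAIL" if exceeds_threshold(sbom) else "PASS")
```

The join key is the component's `bom-ref` (falling back to `purl`), which is how CycloneDX ties the `vulnerabilities` array back to `components`; a real SBOM from the server would be passed to `load_sbom` in place of the constructed sample.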
Prerequisites are uv (the runtime tool the configuration above invokes to run the server), the Trivy scanner, and Node.js (which provides the npx used to launch the MCP Inspector). Install them from their official sources or your platform's package manager; installation methods vary by platform. Make sure each is available on your system PATH before proceeding.

The server entry can also be registered under a shorter name, for example:

{
  "mcpServers": {
    "mcp_sbom": {
      "command": "uv",
      "args": [
        "--directory",
        "/path/to/mcp-sbom",
        "run",
        "mcp-sbom"
      ]
    }
  }
}

If you need to inspect how the MCP SBOM server is being driven, you can use the MCP Inspector tool to run the server in debug mode.
npx @modelcontextprotocol/inspector uv --directory /path/to/mcp-sbom run mcp-sbom

When running on Windows, give the working directory as a Windows path, for example:

C:/Users/gkh/src/mcp-sbom-server/src/mcp_sbom

This launches the inspector against the local server, which uv starts in the specified directory, so you can debug and validate the server's operations.