mcp-sbom

MCP server to perform a scan and produce an SBOM

Installation
Run this command in your terminal to add the MCP server to Claude Code.
claude mcp add --transport stdio gkhays-mcp-sbom-server uv --directory /path/to/mcp-sbom run mcp-sbom

How to use

This MCP server is designed to run a Trivy scan and generate a CycloneDX SBOM for the scanned image or project. It leverages uv to execute the mcp-sbom task in the configured directory. Once running, you can invoke the MCP workflow to produce an SBOM that can be consumed by other MCP tools or security pipelines. The server’s tooling focuses on coordinating the scan, transforming results into CycloneDX format, and providing a structured output suitable for dependency and vulnerability analysis. When using the MCP Inspector, you can connect to this server to inspect and validate the generated SBOM alongside the corresponding scan results.
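A pre-flight check a consuming pipeline could run on the generated SBOM before trusting it for dependency and vulnerability analysis. This is an added example, not code from the mcp-sbom project; it assumes the SBOM is emitted as CycloneDX JSON, and check_sbom and SAMPLE_SBOM are hypothetical names with constructed sample data.

```python
import json

# Constructed sample: a minimal CycloneDX JSON document with deliberate gaps.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "bom-ref": "a", "name": "requests",
         "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"},
        {"type": "library", "bom-ref": "b", "name": "leftpad"},
        {"type": "library", "bom-ref": "a", "name": "urllib3",
         "version": "2.0.7", "purl": "pkg:pypi/urllib3@2.0.7"},
    ],
})


def check_sbom(text):
    """Return a list of findings that would weaken downstream analysis."""
    try:
        bom = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(bom, dict):
        return ["top-level value is not a JSON object"]
    findings = []
    if bom.get("bomFormat") != "CycloneDX":
        findings.append("bomFormat is not 'CycloneDX'")
    if not bom.get("specVersion"):
        findings.append("specVersion is missing")
    components = bom.get("components") or []
    if not components:
        findings.append("no components listed")
    seen_refs = set()
    for comp in components:
        name = comp.get("name", "<unnamed>")
        # Without a version or purl, a scanner cannot match the component
        # against vulnerability data, so it silently drops out of results.
        for field in ("version", "purl"):
            if not comp.get(field):
                findings.append(f"{name}: missing {field}")
        ref = comp.get("bom-ref")
        if ref is not None:
            if ref in seen_refs:
                findings.append(f"{name}: duplicate bom-ref {ref!r}")
            seen_refs.add(ref)
    return findings


if __name__ == "__main__":
    for finding in check_sbom(SAMPLE_SBOM):
        print(finding)
```

An empty findings list means the document passed these structural checks only; it says nothing about whether the scan covered every dependency.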

How to install

Prerequisites:

  • uv (used to run the MCP server)
  • Trivy (for SBOM generation from the scan output)
  • Node.js (needed for MCP Inspector and related tooling)

Installation steps:

  1. Install prerequisites on your system (examples):
  2. Set up your MCP-SBOM directory where the server will run and store outputs. For example:
    • Create /path/to/mcp-sbom and place any needed configuration or scripts inside.
  3. Install MCP-related tooling (if required by your environment) and ensure uv is accessible from your PATH.
  4. Configure the MCP server in your environment (see mcp_config) and verify dependencies are installed.
  5. Synchronize dependencies if your setup uses uv sync (as shown in the docs): uv sync
  6. Run the MCP server using the provided configuration (example given in mcp_config): uv --directory /path/to/mcp-sbom run mcp-sbom

Additional notes

Tips and notes:

  • On Windows, the directory may need to be given as a Windows-style path, e.g., C:/Users/you/src/mcp-sbom-server/src/mcp-sbom.
  • The MCP Inspector can be used to validate and inspect the SBOM and scan results. Launch it via: npx @modelcontextprotocol/inspector uv --directory /path/to/mcp-sbom run mcp-sbom
  • Ensure Trivy is correctly installed and accessible in the environment running uv so that the scanning step can execute without path issues.
  • If you need to customize the working directory or the server name, adjust the mcpServers configuration accordingly and keep the directory structure consistent with what your MCP workflow expects.
  • When debugging, confirm that the specified directory contains the expected mcp-sbom entry point or script referenced by the uv command.