
mcp

MCP server from project-copacetic/mcp-server

Installation
Run this command in your terminal to add the MCP server to Claude Code.
claude mcp add --env DOCKER_HOST="unix:///var/run/docker.sock" --transport stdio project-copacetic-mcp-server -- \
  docker run --rm -i --mount type=bind,source=/var/run/docker.sock,target=/var/run/docker.sock \
  --mount type=bind,source=${HOME}/.docker/config.json,target=/root/.docker/config.json \
  ghcr.io/project-copacetic/mcp-server:latest

How to use

This MCP server exposes tools to manage automated patching of container images using the Copacetic workflow. It supports version discovery, guidance on which Copacetic tools to use, scanning container images for vulnerabilities with Trivy, and several patching modes (report-based, platform-selective, and comprehensive). You can run the server via Docker and invoke the included MCP commands to scan images, generate vulnerability reports, and apply patches across one or more platforms. Use the Docker-based server configuration to integrate with your CI/CD or local development environment; the server uses its access to the Docker daemon to patch images directly.

To begin, run the Docker-based MCP server as described in the configuration. Once running, you can call the MCP tools in your workflow: first use scan-container to generate vulnerability reports, then use patch-report-based to patch using those reports, or use patch-platform-selective or patch-comprehensive to patch specific or all platforms respectively without scanning. The version tool lets you check the Copacetic CLI version, and workflow-guide provides actionable guidance on choosing the right tool for your patching scenario.

How to install

Prerequisites:

  • Docker installed and running on your host (or suitable container runtime).
  • Access to Copacetic CLI, Trivy, and Docker with emulation enabled for multi-arch images if you intend to patch across multiple platforms.
  • Network access as required for pulling images and vulnerability databases.

Install and run steps (Docker option):

  1. Ensure Docker is installed and running on your machine.

  2. Pull and run the MCP server using the Docker command in your MCP configuration, for example:

    docker run --rm -i \
      --mount type=bind,source=/var/run/docker.sock,target=/var/run/docker.sock \
      --mount type=bind,source=${HOME}/.docker/config.json,target=/root/.docker/config.json \
      ghcr.io/project-copacetic/mcp-server:latest

  3. In your project, configure MCP in mcp.json (or your editor's integration) to point to the running server image as shown in the README example.

  4. Ensure the Copacetic CLI, Trivy, and Docker with emulation are installed and accessible from the environment where you run MCP.

If you prefer a local Node/JS setup, consult the repository for any package-specific instructions, but the provided Docker option is the recommended approach for this server.

Additional notes

Security note: Mounting the Docker socket into a container gives the MCP server full control of the host Docker daemon, which is effectively root access on the host. Only run trusted images and environments. If you rely on registry credentials, ensure that ${HOME}/.docker/config.json is mounted securely. You may also need to adapt DOCKER_HOST settings in environments where Docker is available through a non-standard socket.

The server relies on Trivy for vulnerability scanning when using scan-container; ensure Trivy databases are up to date for accurate results. The patching modes (report-based, platform-selective, comprehensive) offer different trade-offs between thoroughness and speed. Choose based on your patching policy and risk tolerance.
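The risks named in the security note can be checked mechanically before the server is registered. The script below is an added example, not code from the Copacetic project: the function names audit_docker_run and check_mount and the severity labels are assumptions made here, and it flags the Docker socket mount, a writable credentials mount and a mutable image tag in a docker run argument list.

```shell
#!/bin/sh
# Added example: audit_docker_run and check_mount are hypothetical helper names.
# Prints one finding per line; returns 0 only when nothing is flagged.

check_mount() {   # $1 = one --mount spec (comma-separated fields)
    spec=$1; src=""; ro=no
    old_ifs=$IFS; IFS=,
    for field in $spec; do
        case "$field" in
            source=*|src=*) src=${field#*=} ;;
            readonly|ro|readonly=true|ro=true) ro=yes ;;
        esac
    done
    IFS=$old_ifs
    case "$src" in
        */docker.sock)
            echo "HIGH docker-socket: $src gives the container control of the host daemon"
            flagged=$((flagged + 1)) ;;
        */.docker/config.json)
            if [ "$ro" = no ]; then
                echo "MEDIUM writable-credentials: $src is mounted read-write"
                flagged=$((flagged + 1))
            fi ;;
    esac
}

audit_docker_run() {   # "$@" = everything after the word "docker"
    flagged=0; prev=""
    for arg in "$@"; do
        if [ "$prev" = "--mount" ]; then check_mount "$arg"; fi
        case "$arg" in
            --mount=*) check_mount "${arg#--mount=}" ;;
            *@sha256:*) ;;   # image reference pinned by digest
            */*:latest)
                echo "MEDIUM mutable-tag: $arg can change between runs; pin it by digest"
                flagged=$((flagged + 1)) ;;
        esac
        prev=$arg
    done
    [ "$flagged" -eq 0 ]
}

# The page's own docker run arguments, used as sample input.
audit_docker_run run --rm -i \
    --mount type=bind,source=/var/run/docker.sock,target=/var/run/docker.sock \
    --mount "type=bind,source=${HOME}/.docker/config.json,target=/root/.docker/config.json" \
    ghcr.io/project-copacetic/mcp-server:latest \
    || echo "Review the findings above before registering this server."
```

Adding the readonly option to the credentials mount and referencing the image by digest clears the two MEDIUM findings. The docker-socket finding remains for as long as the server patches images through the host daemon, so it has to be accepted deliberately rather than fixed.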
