kubescape

The Kubescape MCP Server is a middleware component that exposes Kubernetes vulnerability manifests and related tools through the Mark3 Labs MCP protocol. It connects to your Kubernetes cluster (via your kubeconfig/context) and leverages Kubescape's vulnerability storage API to provide discovery, listing, and querying capabilities for vulnerability manifests at both image and workload levels. Through the MCP interface, clients can enumerate available vulnerability manifests, retrieve the full set of vulnerabilities in a specific manifest, and obtain detailed matches for a given CVE within that manifest. Vulnerability manifests are exposed as MCP resources under Kubescape-specific templates, enabling standardized access across MCP-enabled tooling.

To use the server, run the binary (it listens for MCP protocol requests on standard IO). Once running, you can invoke the built-in MCP tools exposed by the server, such as listing vulnerability manifests, listing vulnerabilities within a manifest, and listing CVE matches within a manifest. The server translates MCP requests into interactions with the Kubescape storage layer, returning manifest data and vulnerability details in MCP-compatible responses. Ensure your tooling is configured to communicate over MCP and target the server instance to leverage the vulnerability data for images and workloads in your cluster.

Prerequisites:

• Go 1.18+ installed on your machine
• Access to a Kubernetes cluster with kubeconfig context configured
• Git to clone the repository (optional if you already have the source)

Install and run locally:

1. Clone the repository (if you haven't already): git clone https://github.com/slashben/kubescape-mcp-server.git cd kubescape-mcp-server

2. Build the server binary: go build -o ks-mcpserver ks-mcpserver.go

3. Run the server: ./ks-mcpserver

4. Verify the server is listening for MCP protocol requests via stdio as described in the project docs. You can then connect MCP clients to this process to perform discovery, listing, and CVE queries against your Kubernetes cluster.

Tips and considerations:

• The server relies on Kubernetes access via kubeconfig; ensure the appropriate context is active and the user has permissions to read vulnerability manifests via Kubescape storage APIs.
• The MCP resources exposed by Kubescape follow the kubescape://vulnerability-manifests/{namespace}/{manifest_name}/... template conventions described in the README.
• If you encounter authentication or RBAC issues, verify that your kubeconfig context is correct and that the service account or user running the server has permission to access the relevant resources.
• This is a playground project; production deployments should consider security hardening, proper RBAC, and versioned releases.
• For development, ensure code is formatted with gofmt and linted prior to PRs or local testing.