
dependency-management

MCP server from sonatype/dependency-management-mcp-server

Installation
Run this command in your terminal to add the MCP server to Claude Code. The Authorization header value is quoted so that the space in "Bearer <your-token>" survives shell word-splitting, and Claude Code's own options are separated from the server command by --:

claude mcp add --transport stdio \
  --env SONATYPE_GUIDE_MCP_TOKEN="<your-token>" \
  sonatype-dependency-management-mcp-server \
  -- npx mcp-remote https://mcp.guide.sonatype.com/mcp --header "Authorization: Bearer <your-token>"

The --env setting is optional if you provide the token directly in the header.

How to use

The Sonatype MCP Server provides a remote MCP endpoint that AI assistants can query for real-time dependency intelligence. It centralizes security advisories, license compliance checks, vulnerability data, and remediation guidance for the dependencies used in your codebase. By wiring your MCP-enabled AI assistant to this endpoint, you can research library versions, understand risk factors, and receive actionable remediation recommendations directly within your IDE or coding workflow. The server is designed to be consumed via standard MCP clients or IDE integrations that support remote MCP servers, making it straightforward to plug into tools like Windsurf, Claude Code, VS Code Copilot, and other compatible environments.

To use it, configure one or more MCP clients to point at the provided HTTP MCP endpoint. The client will pass your API token in the Authorization: Bearer header. Once connected, you can query for dependency details, request vulnerability scans, verify license compliance against your policies, and obtain guidance on upgrading or remediating risky components. The tools emphasize features such as component version selection, real-time security advisories, remediation guidance, and overall dependency health analysis to help you maintain secure and compliant software supply chains.

How to install

Prerequisites:

  • Node.js and npm installed on your machine (for running the MCP remote client via npx if needed).
  • Access token for Sonatype MCP via guide.sonatype.com and a suitable client configuration.

Installation steps:

  1. Ensure Node.js is installed. Verify with: node -v and npm -v

  2. Install or verify the mcp-remote client is available globally (optional if using npx): npm install -g mcp-remote

  3. Configure your MCP client to point to the Sonatype MCP endpoint. You can use one of the following approaches depending on your environment.

    • Windsurf, VS Code Copilot, Junie, Cursor, or Codex integration: Use the provided configuration snippet and replace <your-token> with your API token.

  4. Run a test connection to ensure authentication and connectivity are working: npx mcp-remote https://mcp.guide.sonatype.com/mcp --header "Authorization: Bearer <your-token>"

  5. Integrate the configuration into your IDE or CI workflow, following the tool-specific instructions in this repo's guidance.

Additional notes

Notes and tips:

  • Your API token should be kept secure. Do not commit tokens to version control; prefer environment variables or tool-specific credential stores.
  • The Authorization header format is required: Authorization: Bearer <your-token>. You can pass the token directly or, in some ecosystems, set an environment variable and reference it in your tool's config.
  • If you encounter rate limits or authentication errors, verify that the token has the necessary scopes for dependency intelligence and that you are targeting the correct MCP endpoint.
  • This setup provides remote MCP access; local agent behavior (e.g., cache, rate limits) may vary by client. Consult the specific tool’s documentation for best practices on caching results and refreshing advisories.
  • For IDEs that only support stdio MCP servers, you can still use mcp-remote, either through an mcp-remote localhost proxy or by wrapping the calls as described in the integration guides.
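The following script is an added example for steps 3 to 5 above and for the token-handling notes; it is not part of the Sonatype repository or of this listing. It validates the token before it is turned into a header (a token containing whitespace or control characters would corrupt the Authorization line), and renders an mcpServers client snippet that names the environment variable instead of embedding the secret, so the snippet can live in version control while the token stays in the environment. Two assumptions are labelled in the comments: that the target client reads an mcpServers JSON block of this shape (Cursor, Windsurf, Claude Code's .mcp.json and similar clients do), and that mcp-remote expands ${VAR} references inside --header values from its environment. The sample token in the comments is constructed.

```shell
#!/bin/sh
# Added example, not code from the Sonatype project or the listing page.
# Assumptions (labelled):
#   - the MCP client is configured through an `mcpServers` JSON block;
#   - mcp-remote substitutes ${VAR} inside --header values from its environment.
# Constructed sample token for the usage line below: "example-token-0123"

SONATYPE_MCP_URL="https://mcp.guide.sonatype.com/mcp"

# Return 0 when the token is usable as a bearer credential: non-empty and free of
# whitespace and control characters, either of which would break the header line.
validate_token() {
  tok="$1"
  [ -n "$tok" ] || return 1
  case "$tok" in
    *[[:space:]]*|*[[:cntrl:]]*) return 1 ;;
  esac
  return 0
}

# Print the exact header format the server requires, or fail on a bad token.
make_auth_header() {
  validate_token "$1" || return 1
  printf 'Authorization: Bearer %s\n' "$1"
}

# Render an mcpServers snippet for stdio-only clients. The header references the
# environment variable by name, so the rendered file contains no secret. The
# variable must be present in the environment the client starts mcp-remote in.
render_mcp_servers_json() {
  var_name="${1:-SONATYPE_GUIDE_MCP_TOKEN}"
  cat <<EOF
{
  "mcpServers": {
    "sonatype-dependency-management": {
      "command": "npx",
      "args": [
        "mcp-remote",
        "${SONATYPE_MCP_URL}",
        "--header",
        "Authorization: Bearer \${${var_name}}"
      ]
    }
  }
}
EOF
}

# Usage: SONATYPE_GUIDE_MCP_TOKEN=example-token-0123 sh add_sonatype_mcp.sh render > mcp.json
# The token is read from the environment rather than from an argument so that it
# does not land in shell history or in `ps` output.
if [ "${1:-}" = "render" ]; then
  validate_token "${SONATYPE_GUIDE_MCP_TOKEN:-}" || {
    echo "SONATYPE_GUIDE_MCP_TOKEN is unset or malformed" >&2
    exit 1
  }
  render_mcp_servers_json SONATYPE_GUIDE_MCP_TOKEN
fi
```

Run the rendered snippet through the test connection in step 4 before wiring it into the IDE; if authentication fails, the first things to check are the ones listed in the notes above (token scopes and the endpoint URL).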