What is Kubescape Mcp Server

Kubescape MCP Server is a middleware component that exposes Kubernetes vulnerability manifests and related tools via the Mark3 Labs MCP protocol, enabling the discovery, listing, and querying of vulnerabilities at both image and workload levels in Kubernetes clusters.

Use cases

Use cases for Kubescape MCP Server include vulnerability assessment in CI/CD pipelines, monitoring Kubernetes workloads for vulnerabilities, and integrating with security tools to enhance Kubernetes security posture.

How to use

To use Kubescape MCP Server, first ensure Go (1.18+) is installed. Clone the repository, build the server using ‘go build -o ks-mcpserver ks-mcpserver.go’, and run it. The server requires access to your Kubernetes cluster and uses the Kubescape storage API to fetch vulnerability manifests. Utilize available tools such as ‘list_vulnerability_manifests’, ‘list_vulnerabilities_in_manifest’, and ‘list_vulnerability_matches_for_cve’ for various queries.

Key features

Key features include listing available vulnerability manifests for images and workloads, querying all vulnerabilities in a given manifest, querying all matches for a specific CVE in a manifest, and exposing vulnerability manifest resources via MCP resource templates.

Where to use

Kubescape MCP Server is primarily used in DevOps and security contexts, particularly in environments where Kubernetes is deployed and vulnerability management is critical.

Kubescape MCP Server

:exclamation: Warning: This is a playground project and most likely will be moved to Kubescape organization soon.

Kubescape MCP Server is a middleware component that exposes Kubernetes vulnerability manifests and related tools via the Mark3 Labs MCP protocol. It enables discovery, listing, and querying of vulnerabilities at both image and workload levels in your Kubernetes cluster.

Features

• List available vulnerability manifests for images and workloads
• Query all vulnerabilities in a given manifest
• Query all matches for a specific CVE in a manifest
• Expose vulnerability manifest resources via MCP resource templates

Usage

1. Build and Run

   • Ensure you have Go installed (1.18+ recommended).
   • Clone the repository and build the server:

     go build -o ks-mcpserver ks-mcpserver.go
     ./ks-mcpserver
     

   • The server will start and listen for MCP protocol requests via stdio.

2. Kubernetes Access

   • The server requires access to your Kubernetes cluster and expects the appropriate kubeconfig/context.
   • It uses the Kubescape storage API to fetch vulnerability manifests.

3. MCP Tools

   • The following tools are available:
     • list_vulnerability_manifests: Discover available vulnerability manifests at image and workload levels.
     • list_vulnerabilities_in_manifest: List all vulnerabilities in a given manifest.
     • list_vulnerability_matches_for_cve: List all vulnerability matches for a given CVE in a given manifest.

4. Resource Templates

   • Vulnerability manifests are exposed as MCP resources, e.g.:
     • kubescape://vulnerability-manifests/{namespace}/{manifest_name}/cve_list
     • kubescape://vulnerability-manifests/{namespace}/{manifest_name}/cve_details/{cve_id}

Development

• Contributions are welcome! Please open issues or pull requests for bug fixes, features, or documentation improvements.
• Ensure code is formatted with gofmt and passes linting.

License

This project is licensed under the Apache 2.0 or MIT License. See LICENSE for details.