Secure Chain MCP Server

An MCP server that provides tools for checking the status of your software supply chain within the context of Secure Chain.

Development requirements

  1. Docker to deploy the tool.
  2. Docker Compose for container orchestration.
  3. It is recommended to use a GUI such as MongoDB Compass.
  4. The Neo4J browser interface, which visualizes the graph built from the data, is available at localhost:7474 while the container is running.
  5. Python 3.13 or higher.

Use Secure Chain MCP with VSCode

1. Register on Secure Chain

Go to the official Secure Chain landing page and register as a user.

2. Add MCP configuration

Finally, inside the .vscode folder, add the file mcp.json with the following configuration, and start the MCP server:

{
  "servers": {
    "Secure Chain MCP Server": {
      "type": "http",
      "url": "https://mcp.securechain.dev/mcp",
      "headers": {
        "X-Auth-Email": "your_email",
        "X-Auth-Pass": "your_super_secret_password"
      }
    }
  }
}

Deployment with docker

1. Clone the repository

Clone the repository from the official GitHub repository:

git clone https://github.com/securechaindev/securechain-mcp-server.git
cd securechain-mcp-server

2. Configure environment variables

Create a .env.local file from the .env.example file and place it in the root directory.

Get API Keys

  • How to get a GitHub API key.

  • Replace the JSON Web Token (JWT) secret key and algorithm with your own. You can generate your own secret key with the command openssl rand -base64 32.

3. Create Docker network

Ensure you have the securechain Docker network created. If not, create it with:

docker network create securechain

4. Database containers

For the graph and vulnerability information, you need to download the zipped data dumps from Zenodo. Once you have unzipped the dumps, run this command inside the root folder:

docker compose up --build

The containerized databases will also be seeded automatically.

5. Start the application

Run the command from the project root:

docker compose -f dev/docker-compose.yml up --build

6. Create a User in Secure Chain local deployment

Go here and create a user, for example:

{
  "email": "mcp-bot@example.com",
  "password": "supersecre3T*"
}

7. Configure the MCP with VSCode

Inside the folder .vscode/ add the file mcp.json with this template:

{
  "servers": {
    "Secure Chain MCP Server": {
      "type": "http",
      "url": "http://localhost:8005/mcp",
      "headers": {
        "X-Auth-Email": "mcp-bot@example.com",
        "X-Auth-Pass": "supersecre3T*"
      }
    }
  }
}

Then start the MCP server and begin using it, for example with Copilot.
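Both mcp.json templates above (the hosted one and the local one) put the account password directly in the file. The following check is an added example, not part of the Secure Chain project: it flags a password written literally into X-Auth-Pass and auth headers sent over plain HTTP to a non-loopback host. It assumes VS Code's ${input:...} variables with a promptString input as the alternative to a literal secret; the input id securechain-pass and the function name audit_mcp_config are made up for this example.

```python
import json
import re
from urllib.parse import urlparse

# Header name taken from the mcp.json templates on this page.
SECRET_HEADERS = {"X-Auth-Pass"}
# A value that is only a VS Code input reference, e.g. ${input:some-id}.
INPUT_REF = re.compile(r"^\$\{input:[\w.-]+\}$")
LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def audit_mcp_config(text):
    """Return a list of (server, finding) tuples for an mcp.json document."""
    config = json.loads(text)
    findings = []
    for name, server in config.get("servers", {}).items():
        headers = server.get("headers", {})
        url = urlparse(server.get("url", ""))
        # Credentials over plain HTTP are only tolerable on loopback.
        if headers and url.scheme == "http" and url.hostname not in LOOPBACK:
            findings.append((name, "auth headers sent over cleartext http"))
        for key, value in headers.items():
            if key in SECRET_HEADERS and not INPUT_REF.match(str(value)):
                findings.append((name, f"literal secret in header {key}"))
    return findings


# Constructed sample: the local-deployment template with the password inline.
LITERAL = """{"servers": {"Secure Chain MCP Server": {
  "type": "http", "url": "http://localhost:8005/mcp",
  "headers": {"X-Auth-Email": "mcp-bot@example.com",
              "X-Auth-Pass": "supersecre3T*"}}}}"""

# Constructed sample: same server, password prompted by VS Code at start-up.
# The input id "securechain-pass" is an assumption made for this example.
PROMPTED = """{
  "inputs": [{"type": "promptString", "id": "securechain-pass",
              "description": "Secure Chain password", "password": true}],
  "servers": {"Secure Chain MCP Server": {
    "type": "http", "url": "https://mcp.securechain.dev/mcp",
    "headers": {"X-Auth-Email": "mcp-bot@example.com",
                "X-Auth-Pass": "${input:securechain-pass}"}}}}"""

if __name__ == "__main__":
    for label, doc in (("literal", LITERAL), ("prompted", PROMPTED)):
        print(label, audit_mcp_config(doc))
```

Running it against a workspace's .vscode/mcp.json before committing keeps the password out of version control.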

Python Environment

The project uses Python 3.13 and the dependencies are listed in requirements.txt.

Setting up the development environment

  1. Create a virtual environment:
    python3.13 -m venv depex-env
    
  2. Activate the virtual environment:
    source depex-env/bin/activate
    
  3. Install dependencies:
    pip install -r requirements.txt
    

Tools Specification

TOOL: get_package_status

Description: Check if a package exists and get its status in the dependency graph.

Input:

  • node_type: Type of node (PyPIPackage, NPMPackage, MavenPackage, CargoPackage, RubyGemsPackage, NuGetPackage).
  • package_name: Name of the package.


TOOL: get_package_ssc

Description: Check the direct and transitive software supply chain of a package in the dependency graph of the overall SSC.

Input:

  • node_type: Type of node (PyPIPackage, NPMPackage, MavenPackage, CargoPackage, RubyGemsPackage, NuGetPackage).
  • package_name: Name of the package.


TOOL: get_version_status

Description: Get the status of a specific version of a package in the dependency graph.

Input:

  • node_type: Type of node (PyPIPackage, NPMPackage, MavenPackage, CargoPackage, RubyGemsPackage, NuGetPackage).
  • package_name: Name of the package.
  • version_name: Name of the version.


TOOL: get_version_ssc

Description: Check the direct and transitive SSC of a version in the dependency graph of the overall SSC.

Input:

  • node_type: Type of node (PyPIPackage, NPMPackage, MavenPackage, CargoPackage, RubyGemsPackage, NuGetPackage).
  • package_name: Name of the package.
  • version_name: Name of the version.


TOOL: get_vulnerability

Description: Get the information of a vulnerability by the ID.

Input:

  • vulnerability_id: The ID of the vulnerability to look for.


TOOL: get_vulnerabilities_by_cwe

Description: Get the information of vulnerabilities related to a CWE by the CWE-ID.

Input:

  • cwe_id: The ID of the CWE to look for.


TOOL: get_vulnerabilities_by_exploit

Description: Get the information of vulnerabilities related to an exploit by the exploit ID.

Input:

  • exploit_id: The ID of the exploit to look for.


TOOL: get_exploit

Description: Get the information of an exploit by the ID.

Input:

  • exploit_id: The ID of the exploit to look for.


TOOL: get_exploits_by_vulnerability_id

Description: Get the information of exploits related to a vulnerability ID.

Input:

  • vulnerability_id: The ID of the vulnerability to look for associated exploits.


TOOL: get_cwe

Description: Get the information of a CWE by the ID.

Input:

  • cwe_id: The ID of the CWE to look for.


TOOL: get_cwes_by_vulnerability_id

Description: Get the information of CWEs related to a vulnerability ID.

Input:

  • vulnerability_id: The ID of the vulnerability to look for associated CWEs.


TOOL: get_vexs

Description: Get the VEXs for a given repository owner and name.

Input:

  • owner: The owner of the repository.
  • name: The name of the repository.
  • sbom_name: The name of the SBOM file.

License

GNU General Public License 3.0