sysdiglabs
diff --git a/‎.dockerignore
Lines changed: 17 additions & 0 deletions b/‎.dockerignore
Lines changed: 17 additions & 0 deletions
diff --git a/‎.gitignore
Lines changed: 71 additions & 0 deletions b/‎.gitignore
Lines changed: 71 additions & 0 deletions
diff --git a/‎AUTHORS
Lines changed: 8 additions & 0 deletions b/‎AUTHORS
Lines changed: 8 additions & 0 deletions
diff --git a/‎Dockerfile
Lines changed: 31 additions & 0 deletions b/‎Dockerfile
Lines changed: 31 additions & 0 deletions
diff --git a/‎LICENSE.txt
Lines changed: 1 addition & 0 deletions b/‎LICENSE.txt
Lines changed: 1 addition & 0 deletions
diff --git a/‎README.md
Lines changed: 206 additions & 0 deletions b/‎README.md
Lines changed: 206 additions & 0 deletions
diff --git a/‎app_config.yaml
Lines changed: 15 additions & 0 deletions b/‎app_config.yaml
Lines changed: 15 additions & 0 deletions
diff --git a/‎docs/assets/api-token-copy.png
200 KB b/‎docs/assets/api-token-copy.png
200 KB
diff --git a/‎docs/assets/settings-config-token.png
519 KB b/‎docs/assets/settings-config-token.png
519 KB
diff --git a/‎entrypoint.sh
Lines changed: 3 additions & 0 deletions b/‎entrypoint.sh
Lines changed: 3 additions & 0 deletions
diff --git a/‎image.png
485 KB b/‎image.png
485 KB
diff --git a/‎main.py
Lines changed: 25 additions & 0 deletions b/‎main.py
Lines changed: 25 additions & 0 deletions
@@ -0,0 +1,17 @@
+
+examples/
+.venv/
+.github/
+.idea/
+.vscode/
+.env
+.gitignore
+CONTRIBUTING.md
+flake8.ini
+flake.nix
+LICENSE.*
+README.md
+__pycache__/*
+lib/
+.python-version
+*.yaml
@@ -0,0 +1,71 @@
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+env/
+build/
+!build/sysdig_client-1.0.0.tar.gz
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+*.egg-info/
+.installed.cfg
+*.egg
+.env
+
+# PyInstaller
+#  Usually these files are written by a python script from a template
+#  before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*,cover
+.hypothesis/
+venv/
+.venv/
+.python-version
+.pytest_cache
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+target/
+
+#Ipython Notebook
+.ipynb_checkpoints
+
+# VSCode
+.vscode/
@@ -0,0 +1,8 @@
+If you are running a pair programming or mob programming session, add a
+line to the end of your commit message to honor, credit and thank your
+partners correctly in GitHub.
+
+Use this file to speedup the procedure, copying and pasting directly the adresses:
+
+Co-authored-by: Alejandro Magallón Soler <alejandro.magallon@sysdig.com>
+Co-authored-by: Sebastian Zumbado Herrera <sebastian.zumbado@sysdig.com>
@@ -0,0 +1,31 @@
+FROM ghcr.io/astral-sh/uv:python3.12-bookworm-slim AS builder
+ENV UV_COMPILE_BYTECODE=1 UV_LINK_MODE=copy
+
+# Disable Python downloads, because we want to use the system interpreter
+# across both images. If using a managed Python version, it needs to be
+# copied from the build image into the final image; see `standalone.Dockerfile`
+# for an example.
+
+WORKDIR /app
+COPY . /app
+RUN --mount=type=cache,target=/root/.cache/uv \
+--mount=type=bind,source=uv.lock,target=uv.lock \
+--mount=type=bind,source=pyproject.toml,target=pyproject.toml \
+uv sync --locked --no-install-project --no-editable
+RUN --mount=type=cache,target=/root/.cache/uv \
+    uv sync --locked --no-editable
+
+# Dinal image without uv
+FROM python:3.12-slim
+# It is important to use the image that matches the builder, as the path to the
+# Python executable must be the same
+
+# Copy the application from the builder
+COPY --from=builder --chown=app:app /app /app
+
+WORKDIR /app
+
+# Place executables in the environment at the front of the path
+ENV PATH="/app/.venv/bin:$PATH"
+
+ENTRYPOINT ["/bin/sh", "entrypoint.sh"]
@@ -0,0 +1 @@
+Copyright (c) 2025, Sysdig.  All Rights Reserved.
@@ -0,0 +1,206 @@
+# MCP Server
+
+## Description
+
+This is an implementation of an [MCP (Model Context Protocol) Server](https://modelcontextprotocol.io/quickstart/server) to allow different LLMs to query information from Sysdig Secure platform. **It is still in early development and not yet ready for production use.** New endpoints and functionalities will be added over time. The goal is to provide a simple and easy-to-use interface for querying information from Sysdig Secure platform using LLMs.
+
+## Available Tools
+
+<details>
+<summary><strong>Events Feed</strong></summary>
+
+| Tool Name | Description | Sample Prompt |
+|-----------|-------------|----------------|
+| `get_event_info` | Retrieve detailed information for a specific security event by its ID | "Get full details for event ID 123abc" |
+| `list_runtime_events` | List runtime security events with optional filters | "Show me high severity events from the last 2 hours in cluster1" |
+| `get_event_process_tree` | Retrieve the process tree for a specific event (if available) | "Get the process tree for event ID abc123" |
+
+</details>
+
+<details>
+<summary><strong>Inventory</strong></summary>
+
+| Tool Name | Description | Sample Prompt |
+|-----------|-------------|----------------|
+| `list_resources` | List inventory resources using filters (e.g., platform or category) | "List all exposed IAM resources in AWS" |
+| `get_resource` | Get detailed information about an inventory resource by its hash | "Get inventory details for hash abc123" |
+
+</details>
+
+<details>
+<summary><strong>Vulnerability Management</strong></summary>
+
+| Tool Name | Description | Sample Prompt |
+|-----------|-------------|----------------|
+| `list_runtime_vulnerabilities` | List runtime vulnerability scan results with filtering | "List running vulnerabilities in cluster1 sorted by severity" |
+| `list_accepted_risks` | List all accepted vulnerability risks | "Show me all accepted risks related to nginx containers" |
+| `get_accepted_risk` | Retrieve a specific accepted risk by ID | "Get details for accepted risk id abc123" |
+| `list_registry_scan_results` | List scan results for container registries | "List failed scans from harbor registry" |
+| `get_vulnerability_policy_by_id` | Get a specific vulnerability policy by ID | "Show policy ID 42" |
+| `list_vulnerability_policies` | List all vulnerability policies | "List all vulnerability policies for pipeline stage" |
+| `list_pipeline_scan_results` | List CI pipeline scan results | "Show me pipeline scans that failed for ubuntu images" |
+| `get_scan_result` | Retrieve detailed scan results by scan ID | "Get results for scan ID 456def" |
+
+</details>
+
+<details>
+<summary><strong>Sysdig Sage</strong></summary>
+
+| Tool Name | Description | Sample Prompt |
+|-----------|-------------|----------------|
+| `sysdig_sysql_sage_query` | Generate and run a SysQL query using natural language | "List top 10 pods by memory usage in the last hour" |
+
+</details>
+
+## Requirements
+
+### UV Setup
+
+You can use [uv](https://github.com/astral-sh/uv) as a drop-in replacement for pip to create the virtual environment and install dependencies.
+
+If you don't have `uv` installed, you can install it via (Linux and MacOS users):
+
+```bash
+curl -Ls https://astral.sh/uv/install.sh | sh
+```
+
+To set up the environment:
+
+```bash
+uv venv
+source .venv/bin/activate
+```
+
+This will create a virtual environment using `uv` and install the required dependencies.
+
+### Sysdig SDK
+
+You will need the Sysdig-SDK. You can find it in the `build` directory as a `.tar.gz` file that will be used by UV to install the package.
+
+## Configuration
+
+The application can be configured via the `app_config.yaml` file and environment variables.
+
+### `app_config.yaml`
+
+This file contains the main configuration for the application, including:
+
+- **app**: Host, port, and log level for the MCP server.
+- **sysdig**: The Sysdig Secure host to connect to.
+- **mcp**: Transport protocol (stdio, sse, streamable-http), URL, host, and port for the MCP server.
+
+### Environment Variables
+
+The following environment variables are required for configuring the Sysdig SDK:
+
+- `SYSDIG_HOST`: The URL of your Sysdig Secure instance (e.g., `https://secure.sysdig.com`).
+- `SYSDIG_SECURE_API_TOKEN`: Your Sysdig Secure API token.
+
+You can find your API token in the Sysdig Secure UI under **Settings > Sysdig Secure API**. Make sure to copy the token as it will not be shown again.
+
+![API_TOKEN_CONFIG](./docs/assets/settings-config-token.png)
+![API_TOKEN_SETTINGS](./docs/assets/api-token-copy.png)
+
+You can set these variables in your shell or in a `.env` file.
+
+You can also use `MCP_TRANSPORT` to override the transport protocol set in `app_config.yaml`.
+
+## Running the Server
+
+You can run the MCP server using either Docker or `uv`.
+
+### Docker
+
+To run the server using Docker, you first need to build the image:
+
+```bash
+docker build -t sysdig-mcp-server .
+```
+
+Then, you can run the container, making sure to pass the required environment variables:
+
+```bash
+docker run -e SYSDIG_HOST=<your_sysdig_host> -e SYSDIG_SECURE_API_TOKEN=<your_sysdig_secure_api_token> -p 8080:8080 sysdig-mcp-server
+```
+
+By default, the server will run using the `stdio` transport. To use the `streamable-http` or `sse` transports, set the `MCP_TRANSPORT` environment variable to `streamable-http` or `sse`:
+
+```bash
+docker run -e MCP_TRANSPORT=streamable-http -e SYSDIG_HOST=<your_sysdig_host> -e SYSDIG_SECURE_API_TOKEN=<your_sysdig_secure_api_token> -p 8080:8080 sysdig-mcp-server
+```
+
+### UV
+
+To run the server using `uv`, first set up the environment as described in the [UV Setup](#uv-setup) section. Then, run the `main.py` script:
+
+```bash
+uv run main.py
+```
+
+By default, the server will run using the `stdio` transport. To use the `streamable-http` or `sse` transports, set the `MCP_TRANSPORT` environment variable to `streamable-http` or `sse`:
+
+```bash
+MCP_TRANSPORT=streamable-http uv run main.py
+```
+
+## Client Configuration
+
+To use the MCP server with a client like Claude or Cursor, you need to provide the server's URL and authentication details.
+
+### Authentication
+
+When using the `sse` or `streamable-http` transport, the server requires a Bearer token for authentication. The token is passed in the `Authorization` header of the HTTP request.
+
+Additionally, you can specify the Sysdig Secure host by providing the `X-Sysdig-Host` header. If this header is not present, the server will use the value from `app_config.yaml`.
+
+Example headers:
+
+```
+Authorization: Bearer <your_sysdig_secure_api_token>
+X-Sysdig-Host: <your_sysdig_host>
+```
+
+### URL
+
+If you are running the server with the `sse` or `streamable-http` transport, the URL will be `http://<host>:<port>/sysdig-mcp-server/mcp`, where `<host>` and `<port>` are the values configured in `app_config.yaml` or the Docker run command.
+
+For example, if you are running the server locally on port 8080, the URL will be `http://localhost:8080/sysdig-mcp-server/mcp`.
+
+### Claude Desktop App
+
+For the Claude Desktop app, you can manually configure the MCP server by editing the `claude_desktop_config.json` file. This is useful for running the server locally with the `stdio` transport.
+
+1. **Open the configuration file**:
+    - Go to **Settings > Developer** in the Claude Desktop app.
+    - Click on **Edit Config** to open the `claude_desktop_config.json` file.
+
+2. **Add the MCP server configuration**:
+    - Add the following JSON object to the `mcpServers` section of the file.
+
+    ```json
+    {
+      "mcpServers": {
+        "sysdig-mcp-server": {
+          "command": "uv",
+          "args": [
+            "--directory",
+            "<path_to_your_sysdig_mcp_server_directory>",
+            "run",
+            "main.py"
+            ],
+          "env": {
+            "SYSDIG_HOST": "<your_sysdig_host>",
+            "SYSDIG_SECURE_API_TOKEN": "<your_sysdig_secure_api_token>",
+            "MCP_TRANSPORT": "stdio"
+          }
+        }
+      }
+    }
+    ```
+
+3. **Replace the placeholders**:
+    - Replace `<your_sysdig_host>` with your Sysdig Secure host URL.
+    - Replace `<your_sysdig_secure_api_token>` with your Sysdig Secure API token.
+    - Replace `<path_to_your_sysdig_mcp_server_directory>` with the absolute path to the `sysdig-mcp-server` directory.
+
+4. **Save the file** and restart the Claude Desktop app for the changes to take effect.
@@ -0,0 +1,15 @@
+---
+app:
+  host: "localhost"
+  port: 8080
+  log_level: "ERROR"
+  language: "en"
+
+sysdig:
+  host: "https://secure.sysdig.com"
+
+mcp:
+  transport: stdio
+  url: "http://localhost:8080/sysdig-mcp-server/mcp"
+  host: "localhost"
+  port: 8080
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+
+python3 main.py
@@ -0,0 +1,25 @@
+'''
+Main entry point for the MCP server application.
+'''
+import os, asyncio
+from dotenv import load_dotenv
+# Application config loader
+from utils.app_config import get_app_config
+# Register all tools so they attach to the MCP server
+from utils.mcp_server import run_stdio, run_http
+
+# Load environment variables from .env
+load_dotenv()
+
+app_config = get_app_config()
+
+if __name__ == "__main__":
+    # Choose transport: "stdio" or "sse" (HTTP/SSE)
+    transport = os.environ.get("MCP_TRANSPORT", app_config["mcp"]["transport"]).lower()
+
+    if transport == "stdio":
+        # Run MCP server over STDIO (local)
+        asyncio.run(run_stdio())
+    else:
+        # Run MCP server over streamable HTTP by default
+        run_http()
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+Copyright (c) 2025, Sysdig. All Rights Reserved.`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+#!/usr/bin/env bash`
	`2`	`+`
	`3`	`+python3 main.py`