Add Sysdig CLI scanner tool (#7)

# Add Sysdig CLI scanner tool

## Changes

* Adding the Sysdig CLI scanner tool
* The tool will help you run vuln scans against a particular image or
use the IaC mode for infrastructure scans
  * You need to have the `sysdig-cli-scanner` binary installed
* Overall format adjustments

---------

Signed-off-by: S3B4SZ17 <sebastian.zumbado@sysdig.com>

Author: S3B4SZ17

.github/workflows/helm_test.yaml

@@ -4,8 +4,8 @@ name: Lint & Test helm chart
 on:
   pull_request:
     branches:
-      - main
       - beta
+      - main
     paths:
     - 'charts/**'
   push:
@@ -22,35 +22,9 @@ concurrency:
   cancel-in-progress: true
 
 jobs:
-  set-charts:
-    # Required permissions
-    permissions:
-      contents: read
-      pull-requests: read
-    outputs:
-      charts: ${{ steps.charts.outputs.changes }}
-    name: "Set Charts"
-    runs-on: [ubuntu-latest]
-    steps:
-      - uses: actions/checkout@v4
-      - uses: dorny/paths-filter@v2
-        id: charts
-        with:
-          base: ${{ github.ref_name }}
-          filters: |
-            sysdig-mcp:
-              - 'charts/sysdig-mcp/**'
   lint-charts:
-    needs: set-charts
     name: Lint new helm charts
     runs-on: [ubuntu-latest]
-    strategy:
-      matrix:
-        chart: ${{ fromJSON(needs.set-charts.outputs.charts) }}
-      # When set to true, GitHub cancels all in-progress jobs if any matrix job fails.
-      fail-fast: false
-      # The maximum number of jobs that can run simultaneously
-      max-parallel: 3
     steps:
 
     - uses: actions/checkout@v4
@@ -60,15 +34,17 @@ jobs:
     - name: Set up Helm
       uses: azure/setup-helm@v4
       with:
-        version: v3.5.0
+        version: v3.13.3
 
     - uses: actions/setup-python@v4
       with:
         python-version: '3.10'
         check-latest: true
 
     - name: Set up chart-testing
-      uses: helm/chart-testing-action@v2.6.1
+      uses: helm/chart-testing-action@v2.7.0
+      with:
+        version: v3.13.0
 
     - name: Run chart-testing (list-changed)
       id: list-changed
@@ -83,9 +59,10 @@ jobs:
       run: ct lint --target-branch ${{ github.event.repository.default_branch }} --chart-dirs charts
 
     - name: Create kind cluster
-      if: steps.list-changed.outputs.changed == 'true'
+      if: github.ref_name == 'beta' || github.ref_name == 'main'
       uses: helm/kind-action@v1.12.0
 
     - name: Run chart-testing (install)
-      if: steps.list-changed.outputs.changed == 'true'
-      run: ct install --target-branch ${{ github.event.repository.default_branch }} --chart-dirs charts
+      if: github.ref_name == 'beta' || github.ref_name == 'main'
+      run: |
+          ct install --target-branch ${{ github.event.repository.default_branch }} --chart-dirs charts

.github/workflows/publish.yaml

@@ -7,13 +7,13 @@ on:
       - main
       - beta
     paths:
+      - '.github/workflows/**'
       - pyproject.toml
       - Dockerfile
       - '*.py'
       - tests/**
       - tools/**
       - utils/**
-  workflow_dispatch:
 
 concurrency:
   group: 'publish-${{ github.workflow }}-${{ github.event.pull_request.head.label || github.head_ref || github.ref }}'
@@ -45,7 +45,7 @@ jobs:
       - name: Extract version
         id: extract_version
         run: |
-          VERSION=$(grep 'version =' pyproject.toml | sed -e 's/version = "\(.*\)"/\1/')-$(echo $GITHUB_SHA | cut -c1-7)
+          VERSION=$(grep 'version =' pyproject.toml | sed -e 's/version = "\(.*\)"/\1/')
           echo "VERSION=$VERSION" >> "$GITHUB_OUTPUT"
           TAG=v$(grep 'version =' pyproject.toml | sed -e 's/version = "\(.*\)"/\1/')
           echo "TAG=$TAG" >> "$GITHUB_OUTPUT"
@@ -100,7 +100,7 @@ jobs:
           TAG_CONTEXT: 'repo'
           WITH_V: true
           PRERELEASE_SUFFIX: "beta"
-          PRERELEASE: ${{ (github.base_ref == 'beta') && 'true' || (github.base_ref == 'main') && 'false' || (github.base_ref == 'integration') && 'false' || 'true' }}
+          PRERELEASE: ${{ (github.base_ref || github.ref_name == 'beta') && 'true' || ((github.base_ref || github.ref_name == 'main') && 'false' || 'true') }}
 
       - name: Summary
         run: |

.github/workflows/test.yaml

@@ -2,21 +2,6 @@
 name: Test
 
 on:
-  push:
-    branches:
-      - main
-      - beta
-      - integration
-      - feature/**
-      - release/**
-      - hotfix/**
-    paths:
-      - pyproject.toml
-      - Dockerfile
-      - '*.py'
-      - tests/**
-      - tools/**
-      - utils/**
   pull_request:
     paths:
       - pyproject.toml
@@ -80,6 +65,13 @@ jobs:
           TAG=v$(grep 'version =' pyproject.toml | sed -e 's/version = "\(.*\)"/\1/')
           echo "TAG=$TAG" >> "$GITHUB_OUTPUT"
 
+      - name: Get branch ref name
+        id: branch_ref
+        run: |
+          BRANCH_NAME=${{ github.base_ref || github.ref_name }}
+          echo "$BRANCH_NAME"
+          echo "BRANCH_NAME=$BRANCH_NAME" >> "$GITHUB_OUTPUT"
+
       - name: Get tag version
         id: semantic_release
         uses: anothrNick/github-tag-action@1.71.0
@@ -89,7 +81,7 @@ jobs:
           TAG_CONTEXT: 'repo'
           WITH_V: true
           PRERELEASE_SUFFIX: "beta"
-          PRERELEASE: ${{ (github.base_ref == 'beta') && 'true' || (github.base_ref == 'main') && 'false' || (github.base_ref == 'integration') && 'false' || 'true' }}
+          PRERELEASE: ${{ (github.base_ref || github.ref_name == 'beta') && 'true' || (((github.base_ref || github.ref_name == 'main') && 'false' || (github.base_ref || github.ref_name == 'integration') && 'false') || 'true') }}
           DRY_RUN: true
 
       - name: Compare versions

README.md

@@ -1,5 +1,11 @@
 # MCP Server
 
+| App Test | Helm Test |
+|------|---------|
+| [![App Test](https://github.com/sysdiglabs/sysdig-mcp-server/actions/workflows/publish.yaml/badge.svg?branch=main)](https://github.com/sysdiglabs/sysdig-mcp-server/actions/workflows/publish.yaml) | [![Helm Test](https://github.com/sysdiglabs/sysdig-mcp-server/actions/workflows/helm_test.yaml/badge.svg?branch=main)](https://github.com/sysdiglabs/sysdig-mcp-server/actions/workflows/helm_test.yaml) |
+
+---
+
 ## Table of contents
 
 - [MCP Server](#mcp-server)
@@ -79,6 +85,21 @@ Get up and running with the Sysdig MCP Server quickly using our pre-built Docker
 
 ## Available Tools
 
+You can select what group of tools to add when running the server by adding/removing them from the `mcp.allowed_tools` list in the app_config.yaml file
+
+```yaml
+...
+mcp:
+  transport: stdio
+  ...
+  allowed_tools:
+    - "events-feed"
+    - "inventory"
+    - "vulnerability-management"
+    - "sysdig-sage"
+    - "sysdig-cli-scanner" # Only available in stdio local transport mode
+```
+
 <details>
 <summary><strong>Events Feed</strong></summary>
 
@@ -125,6 +146,15 @@ Get up and running with the Sysdig MCP Server quickly using our pre-built Docker
 
 </details>
 
+<details>
+<summary><strong>Sysdig CLI scanner</strong></summary>
+
+| Tool Name | Description | Sample Prompt |
+|-----------|-------------|----------------|
+| `run_sysdig_cli_scanner` | Run the Sysdig CLI Scanner to analyze a container image or IaC files for vulnerabilities and posture and misconfigurations. | "Scan this image ubuntu:latest for vulnerabilities" |
+
+</details>
+
 ### Available Resources
 
 - Sysdig Secure Vulnerability Management Overview:
@@ -165,6 +195,8 @@ This file contains the main configuration for the application, including:
 - **sysdig**: The Sysdig Secure host to connect to.
 - **mcp**: Transport protocol (stdio, sse, streamable-http), URL, host, and port for the MCP server.
 
+> You can set the path for the app_config.yaml using the `APP_CONFIG_FILE=/path/to/app_config.yaml` env var. By default the app will search the file in the root of the app.
+
 ### Environment Variables
 
 The following environment variables are required for configuring the Sysdig SDK:
@@ -244,6 +276,12 @@ configMap:
       transport: streamable-http
       host: "0.0.0.0"
       port: 8080
+      allowed_tools:
+        - "events-feed"
+        - "inventory"
+        - "vulnerability-management"
+        - "sysdig-sage"
+        - "sysdig-cli-scanner" # You need the sysdig-cli-scanner binary installed in your server to use this tool
 ```
 
 Install the chart

app_config.yaml

@@ -11,3 +11,9 @@ mcp:
   transport: stdio
   host: "localhost"
   port: 8080
+  allowed_tools:
+    - "events-feed"
+    - "sysdig-cli-scanner" # Only available in stdio local transport mode
+    - "vulnerability-management"
+    - "inventory"
+    - "sysdig-sage"

charts/sysdig-mcp/Chart.yaml

@@ -20,10 +20,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.2
+version: 0.1.3
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "v0.1.2"
+appVersion: "v0.1.3-beta.0"

charts/sysdig-mcp/templates/configmap.yaml

@@ -1,4 +1,3 @@
----
 {{- if .Values.configMap.enabled -}}
 apiVersion: v1
 kind: ConfigMap

charts/sysdig-mcp/templates/secrets.yaml

@@ -1,4 +1,3 @@
----
 {{- if .Values.sysdig.secrets.create -}}
 apiVersion: v1
 kind: Secret