
Updating the filter expression description for the tools #5


Merged
merged 2 commits into from
Jul 4, 2025
12 changes: 7 additions & 5 deletions .github/workflows/publish.yaml
Expand Up @@ -84,20 +84,22 @@ jobs:
runs-on: ubuntu-latest
needs: push_to_registry
steps:
- name: Check out the repo
- name: Check out repository
uses: actions/checkout@v4
with:
ref: ${{ github.sha }} # required for better experience using pre-releases
fetch-depth: '0' # Required due to the way Git works, without it this action won't be able to find any or the correct tags

- name: Get tag version
id: semantic_release
uses: anothrNick/github-tag-action@1.73.0
uses: anothrNick/github-tag-action@1.71.0
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
DEFAULT_BUMP: "patch"
TAG_CONTEXT: ${{ (github.base_ref != 'main') && 'branch' || 'repo' }}
TAG_CONTEXT: 'repo'
WITH_V: true
PRERELEASE_SUFFIX: "beta"
PRERELEASE: ${{ (github.base_ref != 'main') && 'true' || 'false' }}
DRY_RUN: false
INITIAL_VERSION: ${{ needs.push_to_registry.outputs.tag }}

- name: Summary
run: |
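Review bot: `uses: anothrNick/github-tag-action@1.71.0` pins a third-party action that receives `secrets.GITHUB_TOKEN` by a mutable tag, and it moves from 1.73.0 down to 1.71.0 with no explanation in the hunk. Pin to the full commit SHA of the intended release (keeping the version in a trailing comment) so the tag cannot be re-pointed later, and record the reason for the downgrade in the PR description. Also, `TAG_CONTEXT: 'repo'` replaces the branch/repo conditional, so pre-release tags are now computed against the whole repository's tag history rather than the branch; confirm that is the intended behaviour.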
12 changes: 6 additions & 6 deletions .github/workflows/test.yaml
Expand Up @@ -66,11 +66,11 @@ jobs:
permissions:
contents: write # required for creating a tag
steps:
- name: Check out the repo
- name: Check out repository
uses: actions/checkout@v4
with:
ref: ${{ github.head_ref }} # checkout the correct branch name
fetch-depth: 0
ref: ${{ github.sha }} # required for better experience using pre-releases
fetch-depth: '0' # Required due to the way Git works, without it this action won't be able to find any or the correct tags

- name: Extract current version
id: pyproject_version
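Review bot: `ref: ${{ github.sha }}` is not equivalent to the removed `ref: ${{ github.head_ref }}`: on `pull_request` events `github.sha` is the temporary merge commit of the PR into the base branch, not the PR head, so the version read by the `Extract current version` step comes from the merge result rather than from the branch itself. The comment `# required for better experience using pre-releases` should say why that is wanted here, especially since this job runs with `contents: write`.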
Expand All @@ -80,15 +80,15 @@ jobs:

- name: Get tag version
id: semantic_release
uses: anothrNick/github-tag-action@1.73.0
uses: anothrNick/github-tag-action@1.71.0
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
DEFAULT_BUMP: "patch"
TAG_CONTEXT: ${{ (github.base_ref != 'main') && 'branch' || 'repo' }}
TAG_CONTEXT: 'repo'
WITH_V: true
PRERELEASE_SUFFIX: "beta"
PRERELEASE: ${{ (github.base_ref != 'main') && 'true' || 'false' }}
DRY_RUN: true
INITIAL_VERSION: ${{ steps.pyproject_version.outputs.TAG }}

- name: Compare versions
run: |
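Review bot: this `semantic_release` step duplicates the `env` block of publish.yaml line for line (same action version, `DEFAULT_BUMP`, `TAG_CONTEXT`, `WITH_V`, `PRERELEASE_SUFFIX`, `PRERELEASE`), differing only in `DRY_RUN` and `INITIAL_VERSION`, and the two already had to be edited in lockstep in this PR. Move the shared configuration into a reusable workflow or composite action so the tag computed by the dry run here cannot drift from the one actually pushed by publish.yaml. The action reference should likewise be a commit SHA rather than the `1.71.0` tag.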
2 changes: 2 additions & 0 deletions Dockerfile
Expand Up @@ -33,4 +33,6 @@ COPY --from=builder --chown=app:app /app/app_config.yaml /app

RUN pip install /app/sysdig_mcp_server.tar.gz

USER 1001:1001

ENTRYPOINT ["sysdig-mcp-server"]
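Review bot: `USER 1001:1001` is a good addition (a numeric UID lets Kubernetes verify `runAsNonRoot` without inspecting the image), but the hunk header shows files copied with `--chown=app:app`, so uid 1001 must actually be the uid of that `app` user or the process will not own `/app/app_config.yaml`. Suggest creating the user with a fixed id earlier in the Dockerfile (e.g. `useradd -u 1001 ...`) or switching to `USER app:app` if its uid is already 1001, and stating the chosen uid in a comment so the chart's `runAsUser: 1001` has a visible source of truth. Leaving `pip install` before the `USER` switch is correct, since it writes to system site-packages.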
8 changes: 8 additions & 0 deletions README.md
Expand Up @@ -7,6 +7,7 @@
- [Description](#description)
- [Quickstart Guide](#quickstart-guide)
- [Available Tools](#available-tools)
- [Available Resources](#available-resources)
- [Requirements](#requirements)
- [UV Setup](#uv-setup)
- [Configuration](#configuration)
Expand Down Expand Up @@ -124,6 +125,13 @@ Get up and running with the Sysdig MCP Server quickly using our pre-built Docker

</details>

### Available Resources

- Sysdig Secure Vulnerability Management Overview:
- VM documentation based on the following [url](https://docs.sysdig.com/en/sysdig-secure/vulnerability-management/)
- Sysdig Filter Query Language Instructions:
- Sysdig Filter Query Language for different API endpoint filters

## Requirements

### UV Setup
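Review bot: the link text `[url]` in the Vulnerability Management bullet is uninformative; use the page title, e.g. `[Sysdig Secure Vulnerability Management docs](https://docs.sysdig.com/en/sysdig-secure/vulnerability-management/)`. The tool descriptions elsewhere in this PR tell the model to "use the filter-query-language", so listing the exact resource URI an MCP client must read next to each entry here would make this section actually usable rather than a bare title.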
13 changes: 6 additions & 7 deletions charts/sysdig-mcp/values.yaml
Expand Up @@ -46,13 +46,12 @@ podLabels: {}
podSecurityContext: {}
# fsGroup: 2000

securityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 1000
securityContext:
readOnlyRootFilesystem: false
runAsNonRoot: true
runAsUser: 1001
runAsGroup: 1001
fsGroup: 1001

service:
type: ClusterIP
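Review bot: `fsGroup: 1001` is a pod-level field (`podSecurityContext`), not a container `securityContext` field; placed here it is either rejected by strict validation or silently dropped, so the supplemental group is never applied. Move it under `podSecurityContext`, which is still `{}` above with `# fsGroup: 2000` commented out. The rewrite also discards the commented `capabilities: drop: [ALL]` instead of enabling it and sets `readOnlyRootFilesystem: false`; recommend `allowPrivilegeEscalation: false`, `capabilities: {drop: [ALL]}` and `readOnlyRootFilesystem: true` with an `emptyDir` mounted at whatever path the server needs to write, so that any relaxation is explicit and scoped.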
2 changes: 1 addition & 1 deletion pyproject.toml
@@ -1,6 +1,6 @@
[project]
name = "sysdig-mcp-server"
version = "0.1.1"
version = "0.1.2-beta.0"
description = "Sysdig MCP Server"
readme = "README.md"
requires-python = ">=3.12"
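Review bot: `version = "0.1.2-beta.0"` is accepted by Python packaging but normalised under PEP 440 to `0.1.2b0`, whereas the tag action configured in these workflows (`PRERELEASE_SUFFIX: "beta"`, `WITH_V: true`) produces a SemVer tag of the form `v0.1.2-beta.0`; the `Compare versions` step in test.yaml therefore compares a normalised package version against a SemVer tag. Either make that step map between the two spellings explicitly (strip the `v`, translate `b0` to `-beta.0`) or keep the version in git tags only and derive the package version at build time.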
143 changes: 137 additions & 6 deletions tools/inventory/tool.py
Expand Up @@ -18,8 +18,8 @@
from utils.query_helpers import create_standard_response

# Configure logging
log = logging.getLogger(__name__)
logging.basicConfig(format="%(asctime)s-%(process)d-%(levelname)s- %(message)s", level=os.environ.get("LOGLEVEL", "ERROR"))
log = logging.getLogger(__name__)

# Load app config (expects keys: mcp.host, mcp.port, mcp.transport)
app_config = get_app_config()
Expand Down Expand Up @@ -69,12 +69,143 @@ def tool_list_resources(
Field(
description=(
"""
Sysdig Secure filter expression for inventory resources,
base filter: platform in ("GCP", "AWS", "Azure", "Kubernetes"),
Examples:
not isExposed exists; category in ("IAM") and isExposed exists; category in ("IAM","Audit & Monitoring")
Use the filter-query-language to filter the results.

List of supported fields:
- field: accountName
Description: The account name that will be included in the results.
- field: accountId
Description: The account id that will be included in the results.
- field: cluster
Description: The kubernetes cluster that will be included in the results.
- field: externalDNS
Description: The external DNS that will be included in the results.
- field: distribution
Description: The kubernetes distribution that will be included in the results.
- field: integrationName
Description: The name of the integration an IaC resource belongs to.
- field: labels
Description: The resource labels that will be included in the results.
- field: location
Description: The web address of an IaC Manifest.
- field: name
Description: The names that will be included in the results.
- field: namespace
Description: The namespace that will be included in the results.
- field: nodeType
Description: The nodeType that will be included in the results.
- field: osName
Description: The operating system that will be included in the results.
- field: osImage
Description: The operating system image that will be included in the results.
- field: organization
Description: The organization that will be included in the results.
- field: platform
Description: The platform that will be included in the results.
- field: control.accepted
Description: Include (or Exclude) only resources with accepted results.
Supported operators: exists and not exists.
- field: policy
Description: Include resources that applied the selected policies.
Supported operators: in, not in, exists, not exists.
- field: control.severity
Description: Include resources that have violated risks in the selected severities.
Supported operators: in, not in.
- field: control.failed
Description: Include resources that have violated the selected risks.
Supported operators: in, not in, exists, not exists.
- field: policy.failed
Description: Include resources that failed the selected policies.
Supported operators: in, not in, exists, not exists.
- field: policy.passed
Description: Include resources that passed the selected policies.
Supported operators: in, not in, exists, not exists.
- field: projectName
Description: The project name that will be included in the results.
- field: projectId
Description: The project id that will be included in the results.
- field: region
Description: The regions that will be included in the results.
- field: repository
Description: The Repository an IaC resource belongs to.
- field: resourceOrigin
Description: Origin of the resource. Supported values: Code, Deployed.
- field: type
Description: The resource types that will be included in the results.
- field: subscriptionName
Description: The Azure subscription name that will be included in the results.
- field: subscriptionId
Description: The Azure subscription id that will be included in the results.
- field: sourceType
Description: The source type of an IaC resource.
Supported values: YAML, Kustomize, Terraform, Helm.
- field: version
Description: OCP Cluster versions that will be included in the results.
- field: zone
Description: The zones that will be included in the results.
- field: category
Description: The category that will be included in the results.
Supported operators: in, not in.
- field: isExposed
Description: Specifies whether the resource to return is exposed to the internet.
Supported operators: exists and not exists.
- field: validatedExposure
Description: Specifies whether the resource to return is exposed to the internet and could be reach
by our network exposure validator. Supported operators: exists and not exists.
- field: arn
Description: The AWS ARN of the resource.
- field: resourceId
Description: The Azure or GCP Resource Identifier of the resource.
- field: container.name
Description: Filters the resource by a container.
- field: architecture
Description: Image architecture.
- field: baseOS
Description: Image Base OS.
- field: digest
Description: Image Digest.
- field: imageId
Description: Image Id.
- field: os
Description: Image OS.
- field: container.imageName
Description: Image Pullstring.
- field: image.registry
Description: Image Registry.
- field: image.tag
Description: Image tag.
- field: package.inUse
Description: Package in use filter. Supported operators: exists and not exists.
- field: package.info
Description: Filters by a package using the format [packge name] - field: [version].
- field: package.path
Description: Filters by package path.
- field: package.type
Description: Package type.
- field: vuln.cvssScore
Description: Filter by vulnerability CVSS. Supported operators: = and >=.
- field: vuln.hasExploit
Description: Filters resources by the existence of vulnerabilities with exploits.
Supported operators: exists and not exists.
- field: vuln.hasFix
Description: Filters resources by the existence of vulnerabilities with fixes.
Supported operators: exists and not exists.
- field: vuln.name
Description: Filter by vulnerability name.
- field: vuln.severity
Description: Filter by vulnerability severity. Supported operators: in, not in, exists and not exists.
- field: machineImage
Description: Filter by host machine image.
"""
)
),
examples=[
'zone in ("zone1") and machineImage = "ami-0b22b359fdfabe1b5"',
'(projectId = "1235495521" or projectId = "987654321") and vuln.severity in ("Critical")',
'vuln.name in ("CVE-2023-0049")',
'vuln.cvssScore >= "3"',
'container.name in ("sysdig-container") and not labels exists',
'imageId in ("sha256:3768ff6176e29a35ce1354622977a1e5c013045cbc4f30754ef3459218be8ac")',
],
),
] = 'platform in ("GCP", "AWS", "Azure", "Kubernetes")',
page_number: Annotated[int, Field(ge=1, description="Page number for pagination (1-based index)")] = 1,
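Review bot: the `imageId` example `sha256:3768ff6176e29a35ce1354622977a1e5c013045cbc4f30754ef3459218be8ac` has 63 hex characters after `sha256:`, not 64, so it is not a valid digest and a model copying its shape will build filters that never match; replace it with a real 64-character digest or a clearly synthetic one. Two field descriptions also need fixing: `package.info` reads `[packge name] - field: [version]`, which looks like two list entries merged during copy-paste, and `validatedExposure` should read `could be reached by our network exposure validator`. Consider stating the operators for the plain string fields (`accountName`, `name`, `labels`, ...) as well, since the list only gives them for a few fields and the examples use `=`, `in` and `exists` on them.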
82 changes: 48 additions & 34 deletions tools/vulnerability_management/tool.py
Expand Up @@ -73,14 +73,34 @@ def tool_list_runtime_vulnerabilities(
Field(
description=(
"""
Logical filter expression to select runtime vulnerabilities.
Supports operators: =, !=, in, exists, contains, startsWith. Combine with and/or/not.
Key fields include: asset.type, aws.account.id, aws.host.name, aws.region,
cloudProvider, cloudProvider.account.id, cloudProvider.region,
gcp.instance.id, gcp.instance.zone, gcp.project.id, gcp.project.numericId,
host.hostName, kubernetes.cluster.name, kubernetes.namespace.name, kubernetes.node.name,
kubernetes.pod.container.name, kubernetes.workload.name, kubernetes.workload.type,
workload.name, workload.orchestrator
Use the filter-query-language to filter the results.

Key fields include:
- asset.type
- aws.account.id
- aws.host.name
- aws.region
- cloudProvider
- cloudProvider.account.id
- cloudProvider.region
- gcp.instance.id
- gcp.instance.zone
- gcp.project.id
- gcp.project.numericId
- host.hostName
- kubernetes.cluster.name
- kubernetes.namespace.name
- kubernetes.node.name
- kubernetes.pod.container.name
- kubernetes.workload.name
- kubernetes.workload.type
- workload.name
- workload.orchestrator

The supported fields are all the fields of the Scope above, plus::
- freeText
- hasRunningVulns
- hasRunningVulns.
"""
),
examples=[
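Review bot: `plus::` has a doubled colon, and `hasRunningVulns` is listed twice (once with a trailing period); fix both in the description string. More importantly, the rewrite removed the only line that told the model which operators the expression supports (`=, !=, in, exists, contains, startsWith`, combined with `and/or/not`); unless the `filter-query-language` resource is guaranteed to be loaded by every client, keep that one line here, because the tool description is all a client sees when it builds the filter.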
Expand Down Expand Up @@ -208,20 +228,18 @@ def tool_list_registry_scan_results(
Optional[str],
Field(
description=(
"Logical filter expression to select registry scan results. "
"Supports operators: =, !=, in, exists, contains, startsWith. "
"Combine with and/or/not. "
"Key selectors include: "
'- policyStatus (values "noPolicy", "failed", "passed", "accepted"), '
"- registry.vendor, registry.name, freeText"
"""
Use the filter-query-language to filter the results.

The supported fields are:
- freeText
- vendor
"""
),
examples=[
'policyStatus in ("noPolicy") and registry.vendor = "harbor"',
'registry.vendor = "dockerv2" and registry.name = "index.docker.io"',
'registry.vendor = "harbor" and freeText in ("redis")',
'policyStatus in ("failed") and registry.vendor = "harbor"'
'policyStatus in ("passed", "accepted") and registry.vendor = "harbor"',
'registry.vendor = "dockerv2" and registry.name = "registry.access.redhat.com"',
'freeText = "alpine:latest" and vendor = "docker"',
'vendor = "ecr"',
'vendor = "harbor" and freeText in ("redis")',
],
),
] = None,
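Review bot: the new description narrows the documented fields to `freeText` and `vendor` and drops `policyStatus` and `registry.name`; if the endpoint still accepts those, this removes the model's only way to filter registry results by policy outcome, and if they were dropped because the endpoint rejects them, say so in the PR description. The examples also mix `freeText = "alpine:latest"` with `freeText in ("redis")`, so the description should state which operators `freeText` takes.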
Expand All @@ -235,13 +253,10 @@ def tool_list_registry_scan_results(
filter (Optional[str]): Logical filter expression to select registry scan results.
Supports operators: =, !=, in, exists, contains, startsWith.
Combine with and/or/not.
Key selectors include:
- policyStatus (values "noPolicy", "failed", "passed", "accepted"),
- registry.vendor, registry.name, freeText
Key selectors include: freeText (string), vendor (e.g., "docker", "ecr", "harbor").
Examples:
- policyStatus in ("noPolicy") and registry.vendor = "harbor"
- registry.vendor = "dockerv2" and registry.name = "index.docker.io"
- registry.vendor = "harbor" and freeText in ("redis")
- freeText = "alpine:latest" and vendor = "docker"
- vendor = "ecr"
limit (int): Maximum number of results to return.
cursor (Optional[str]): Pagination cursor. If None, returns the first page.

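Review bot: the docstring now lists `vendor (e.g., "docker", "ecr", "harbor")` while the `Field` description above names `vendor` with no allowed values, and it still advertises the `exists, contains, startsWith` operators that the description no longer mentions. Keep one source of truth: put the vendor values and the operator list into the `Field` description (which is what MCP clients receive) and have the docstring defer to it.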
Expand Down Expand Up @@ -335,17 +350,16 @@ def tool_list_pipeline_scan_results(
Optional[str],
Field(
description=(
"Logical filter expression to select pipeline scan results. "
"Supports operators: =, !=, in, exists, contains, startsWith. "
"Combine with and/or/not. "
"Key selectors include: "
"- policyEvaluationsPassed (true/false), "
"- freeText (string)."
"""
Use the filter-query-language to filter the results.

The supported fields are:
- freeText
"""
),
examples=[
"policyEvaluationsPassed = true",
'freeText in ("nginx")',
'freeText in ("ubuntu")',
'policyEvaluationsPassed = false and freeText in ("ubuntu")',
],
),
] = None,
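Review bot: removing `policyEvaluationsPassed` from both the description and the examples leaves no documented way to filter pipeline scan results by policy outcome. If the endpoint genuinely does not accept it, check that this function's docstring is updated to match, as was done for the registry tool in this PR; otherwise keep the selector together with its `true/false` note.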