Add CLI-Scanner Tool and fix app.region URLs (#9)

# Add CLI-Scanner Tool and fix app.region URLs

## Changes

* Adding the Sysdig CLI scanner tool
* The tool will help you run vuln scans against a particular image or
use the IaC mode for infrastructure scans
  * You need to have the `sysdig-cli-scanner` binary installed
* Overall format adjustments
* Add support for the https://app.region.sysdig.com URLs

---------

Signed-off-by: S3B4SZ17 <[email protected]>
Co-authored-by: Sebastian Zumbado <[email protected]>
Co-authored-by: S3B4SZ17 <[email protected]>

Author: alecron

.github/workflows/helm_test.yaml

@@ -4,13 +4,12 @@ name: Lint & Test helm chart
 on:
   pull_request:
     branches:
-      - beta
+      - main
     paths:
     - 'charts/**'
   push:
     branches:
       - main
-      - beta
     paths:
     - 'charts/**'
   workflow_call:
@@ -21,35 +20,9 @@ concurrency:
   cancel-in-progress: true
 
 jobs:
-  set-charts:
-    # Required permissions
-    permissions:
-      contents: read
-      pull-requests: read
-    outputs:
-      charts: ${{ steps.charts.outputs.changes }}
-    name: "Set Charts"
-    runs-on: [ubuntu-latest]
-    steps:
-      - uses: actions/checkout@v4
-      - uses: dorny/paths-filter@v2
-        id: charts
-        with:
-          base: ${{ github.ref_name }}
-          filters: |
-            sysdig-mcp:
-              - 'charts/sysdig-mcp/**'
   lint-charts:
-    needs: set-charts
     name: Lint new helm charts
     runs-on: [ubuntu-latest]
-    strategy:
-      matrix:
-        chart: ${{ fromJSON(needs.set-charts.outputs.charts) }}
-      # When set to true, GitHub cancels all in-progress jobs if any matrix job fails.
-      fail-fast: false
-      # The maximum number of jobs that can run simultaneously
-      max-parallel: 3
     steps:
 
     - uses: actions/checkout@v4
@@ -59,15 +32,17 @@ jobs:
     - name: Set up Helm
       uses: azure/setup-helm@v4
       with:
-        version: v3.5.0
+        version: v3.13.3
 
     - uses: actions/setup-python@v4
       with:
         python-version: '3.10'
         check-latest: true
 
     - name: Set up chart-testing
-      uses: helm/[email protected]
+      uses: helm/[email protected]
+      with:
+        version: v3.13.0
 
     - name: Run chart-testing (list-changed)
       id: list-changed
@@ -87,4 +62,5 @@ jobs:
 
     - name: Run chart-testing (install)
       if: steps.list-changed.outputs.changed == 'true'
-      run: ct install --target-branch ${{ github.event.repository.default_branch }} --chart-dirs charts
+      run: |
+          ct install --target-branch ${{ github.event.repository.default_branch }} --chart-dirs charts

.github/workflows/publish.yaml

@@ -5,15 +5,14 @@ on:
   push:
     branches:
       - main
-      - beta
     paths:
+      - '.github/workflows/**'
       - pyproject.toml
       - Dockerfile
       - '*.py'
       - tests/**
       - tools/**
       - utils/**
-  workflow_dispatch:
 
 concurrency:
   group: 'publish-${{ github.workflow }}-${{ github.event.pull_request.head.label || github.head_ref || github.ref }}'
@@ -99,8 +98,6 @@ jobs:
           DEFAULT_BUMP: "patch"
           TAG_CONTEXT: 'repo'
           WITH_V: true
-          PRERELEASE_SUFFIX: "beta"
-          PRERELEASE: ${{ (github.base_ref == 'beta') && 'true' || (github.base_ref == 'main') && 'false' || (github.base_ref == 'integration') && 'false' || 'true' }}
 
       - name: Summary
         run: |

.github/workflows/test.yaml

@@ -65,6 +65,13 @@ jobs:
           TAG=v$(grep 'version =' pyproject.toml | sed -e 's/version = "\(.*\)"/\1/')
           echo "TAG=$TAG" >> "$GITHUB_OUTPUT"
 
+      - name: Get branch ref name
+        id: branch_ref
+        run: |
+          BRANCH_NAME=${{ github.base_ref || github.ref_name }}
+          echo "$BRANCH_NAME"
+          echo "BRANCH_NAME=$BRANCH_NAME" >> "$GITHUB_OUTPUT"
+
       - name: Get tag version
         id: semantic_release
         uses: anothrNick/[email protected]
@@ -73,8 +80,6 @@ jobs:
           DEFAULT_BUMP: "patch"
           TAG_CONTEXT: 'repo'
           WITH_V: true
-          PRERELEASE_SUFFIX: "beta"
-          PRERELEASE: ${{ (github.base_ref == 'beta') && 'true' || (github.base_ref == 'main') && 'false' || (github.base_ref == 'integration') && 'false' || 'true' }}
           DRY_RUN: true
 
       - name: Compare versions

README.md

@@ -1,5 +1,11 @@
 # MCP Server
 
+| App Test | Helm Test |
+|------|---------|
+| [![App Test](https://github.com/sysdiglabs/sysdig-mcp-server/actions/workflows/publish.yaml/badge.svg?branch=main)](https://github.com/sysdiglabs/sysdig-mcp-server/actions/workflows/publish.yaml) | [![Helm Test](https://github.com/sysdiglabs/sysdig-mcp-server/actions/workflows/helm_test.yaml/badge.svg?branch=main)](https://github.com/sysdiglabs/sysdig-mcp-server/actions/workflows/helm_test.yaml) |
+
+---
+
 ## Table of contents
 
 - [MCP Server](#mcp-server)
@@ -79,6 +85,21 @@ Get up and running with the Sysdig MCP Server quickly using our pre-built Docker
 
 ## Available Tools
 
+You can select what group of tools to add when running the server by adding/removing them from the `mcp.allowed_tools` list in the app_config.yaml file
+
+```yaml
+...
+mcp:
+  transport: stdio
+  ...
+  allowed_tools:
+    - "events-feed"
+    - "inventory"
+    - "vulnerability-management"
+    - "sysdig-sage"
+    - "sysdig-cli-scanner" # Only available in stdio local transport mode
+```
+
 <details>
 <summary><strong>Events Feed</strong></summary>
 
@@ -125,6 +146,15 @@ Get up and running with the Sysdig MCP Server quickly using our pre-built Docker
 
 </details>
 
+<details>
+<summary><strong>Sysdig CLI scanner</strong></summary>
+
+| Tool Name | Description | Sample Prompt |
+|-----------|-------------|----------------|
+| `run_sysdig_cli_scanner` | Run the Sysdig CLI Scanner to analyze a container image or IaC files for vulnerabilities and posture and misconfigurations. | "Scan this image ubuntu:latest for vulnerabilities" |
+
+</details>
+
 ### Available Resources
 
 - Sysdig Secure Vulnerability Management Overview:
@@ -165,6 +195,8 @@ This file contains the main configuration for the application, including:
 - **sysdig**: The Sysdig Secure host to connect to.
 - **mcp**: Transport protocol (stdio, sse, streamable-http), URL, host, and port for the MCP server.
 
+> You can set the path for the app_config.yaml using the `APP_CONFIG_FILE=/path/to/app_config.yaml` env var. By default the app will search the file in the root of the app.
+
 ### Environment Variables
 
 The following environment variables are required for configuring the Sysdig SDK:
@@ -244,6 +276,12 @@ configMap:
       transport: streamable-http
       host: "0.0.0.0"
       port: 8080
+      allowed_tools:
+        - "events-feed"
+        - "inventory"
+        - "vulnerability-management"
+        - "sysdig-sage"
+        - "sysdig-cli-scanner" # You need the sysdig-cli-scanner binary installed in your server to use this tool
 ```
 
 Install the chart

app_config.yaml

@@ -11,3 +11,9 @@ mcp:
   transport: stdio
   host: "localhost"
   port: 8080
+  allowed_tools:
+    - "events-feed"
+    - "sysdig-cli-scanner" # Only available in stdio local transport mode
+    - "vulnerability-management"
+    - "inventory"
+    - "sysdig-sage"

charts/sysdig-mcp/Chart.yaml

@@ -20,10 +20,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.2
+version: 0.1.3
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "v0.1.2"
+appVersion: "v0.1.3"

charts/sysdig-mcp/templates/configmap.yaml

@@ -1,4 +1,3 @@
----
 {{- if .Values.configMap.enabled -}}
 apiVersion: v1
 kind: ConfigMap

charts/sysdig-mcp/templates/secrets.yaml

@@ -1,4 +1,3 @@
----
 {{- if .Values.sysdig.secrets.create -}}
 apiVersion: v1
 kind: Secret

charts/sysdig-mcp/values.schema.json

@@ -0,0 +1,141 @@
+{
+  "$schema": "https://json-schema.org/draft-07/schema#",
+  "title": "Values",
+  "type": "object",
+  "properties": {
+    "sysdig": {
+      "$ref": "#/$defs/SysdigConfig"
+    },
+    "oauth": {
+      "$ref": "#/$defs/OauthConfig"
+    }
+  },
+  "required": [
+    "configMap",
+    "sysdig"
+  ],
+  "$defs": {
+    "SysdigConfig": {
+      "type": "object",
+      "properties": {
+        "host": {
+          "type": [ "string", "null" ],
+          "description": "Sysdig Tenant Host",
+          "examples": [
+            "https://us2.app.sysdig.com",
+            "https://eu1.app.sysdig.com"
+          ]
+        },
+        "mcp": {
+          "type": "object",
+          "properties": {
+            "transport": {
+              "type": "string",
+              "enum": [
+                "streamable-http",
+                "sse",
+                "stdio"
+              ],
+              "description": "The transport protocol for the Sysdig MCP"
+            }
+          },
+          "required": [
+            "transport"
+          ]
+        },
+        "secrets": {
+          "type": "object",
+          "properties": {
+            "create": {
+              "type": "boolean",
+              "description": "Whether to create the secret"
+            },
+            "secureAPIToken": {
+              "type": [
+                "string",
+                "null"
+              ],
+              "description": "The API Token to access Sysdig Secure",
+              "examples": [
+                "12345678-1234-1234-1234-123456789012"
+              ]
+            }
+          },
+          "required": [
+            "create",
+            "secureAPIToken"
+          ]
+        }
+      },
+      "required": [
+        "host",
+        "mcp",
+        "secrets"
+      ],
+      "additionalProperties": false
+    },
+    "OauthConfig": {
+      "type": "object",
+      "properties": {
+        "secrets": {
+          "type": "object",
+          "properties": {
+            "create": {
+              "type": "boolean",
+              "description": "Whether to create the secret"
+            },
+            "clientId": {
+              "type": [
+                "string",
+                "null"
+              ],
+              "description": "The Client ID for the OAuth application",
+              "examples": [
+                "my-client-id"
+              ]
+            },
+            "clientSecret": {
+              "type": [
+                "string",
+                "null"
+              ],
+              "description": "The Client Secret for the OAuth application",
+              "examples": [
+                "my-client-secret"
+              ]
+            }
+          },
+          "required": [
+            "create",
+            "clientId",
+            "clientSecret"
+          ]
+        }
+      },
+      "required": [
+        "secrets"
+      ],
+      "additionalProperties": false
+    },
+    "AppConfig": {
+      "type": "object",
+      "properties": {
+        "enabled": {
+          "type": "boolean",
+            "description": "Whether to create the application configuration"
+        },
+        "app_config": {
+          "type": [
+            "string",
+            "null"
+          ],
+          "description": "The application configuration in YAML format"
+        }
+      },
+      "required": [
+        "secrets"
+      ],
+      "additionalProperties": false
+    }
+  }
+}

charts/sysdig-mcp/values.yaml

@@ -8,7 +8,7 @@ image:
   repository: ghcr.io/sysdiglabs/sysdig-mcp-server
   pullPolicy: IfNotPresent
   # Overrides the image tag whose default is the chart appVersion.
-  tag: "v0.1.2"
+  tag: "v0.1.3"
 
 imagePullSecrets: []
 nameOverride: ""
@@ -126,3 +126,9 @@ configMap:
       transport: streamable-http
       host: "0.0.0.0"
       port: 8080
+      allowed_tools:
+      - "events-feed"
+      - "sysdig-cli-scanner" # You need the sysdig-cli-scanner binary installed in your server to use this tool
+      - "vulnerability-management"
+      - "inventory"
+      - "sysdig-sage"