SBOMApp MCP Server
Connect to a remote SBOM MCP Server for AI-powered software bill of materials analysis, vulnerability scanning, and dependency management.
🚀 Quick Start Guide
Step 1: Install the Extension
- Open VS Code
- Go to Extensions (Ctrl+Shift+X or Cmd+Shift+X on Mac)
- Search for "SBOMApp MCP Server"
- Click Install
Or install directly from the VS Code Marketplace
Step 2: Configure the Remote Server
- Press Ctrl+Shift+P (or Cmd+Shift+P on Mac) to open the Command Palette
- Type "SBOMApp: Configure Remote Server" and press Enter
- Enter your Server URL:
  - Format: http://your-server:3000 or http://your-server:3000/mcp
  - Example: http://localhost:3000 or https://sbom.company.com
- Enter your API Key (provided by your administrator)
Step 3: Test the Connection
- Press Ctrl+Shift+P again
- Type "SBOMApp: Test Connection" and press Enter
- You should see a success message with available tools count
Step 4: Start Using with Copilot
Once connected (green status bar shows ✓), you can ask GitHub Copilot:
- "Check if lodash 4.17.0 has any security vulnerabilities"
- "Generate an SBOM for my current project"
- "Analyze the dependencies in this repository"
Features
- 🔗 Easy Configuration: Simple setup wizard to connect to your SBOM MCP Server
- 🔐 Secure Authentication: Bearer token authentication with secure storage
- ✅ Connection Testing: Verify your server connection before use
- 📊 Status Bar Indicator: See connection status at a glance
- 🛠️ Tool Browser: View all available SBOM analysis tools
- 🤖 Copilot Integration: Seamlessly works with GitHub Copilot
Commands
| Command | Description |
| --- | --- |
| SBOMApp: Configure Remote Server | Set up server URL and API key |
| SBOMApp: Test Connection | Verify connection to the server |
| SBOMApp: Show Available Tools | Browse available SBOM analysis tools |
| SBOMApp: Disconnect | Disconnect from the server |
Configuration
This extension provides the following settings:
| Setting | Description | Default |
| --- | --- | --- |
| sbomRemoteMcp.serverUrl | URL of the remote SBOM MCP Server | (empty) |
| sbomRemoteMcp.apiKey | API key for authentication | (empty) |
| sbomRemoteMcp.autoConnect | Auto-connect on VS Code startup | true |
| sbomRemoteMcp.showStatusBar | Show status in status bar | true |
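A pre-connection check of the two connection settings above, as an added example that is not part of the extension's own code. The function name auditSbomSettings and its rules are assumptions: it flags plain HTTP to non-loopback hosts (the API key is sent as a bearer token), credentials embedded in the URL, a URL that does not end with /mcp, and an API key left in plaintext in settings.json.

```javascript
// Added example: audit the connection settings before the first connect.
// Setting names come from the Configuration table; the rules are assumptions.
const LOOPBACK = new Set(["localhost", "127.0.0.1", "[::1]"]);

function auditSbomSettings(settings) {
  const findings = [];
  const rawUrl = settings["sbomRemoteMcp.serverUrl"] || "";
  const apiKey = settings["sbomRemoteMcp.apiKey"] || "";
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return [{ level: "error", msg: "serverUrl is empty or not a valid URL" }];
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    findings.push({ level: "error", msg: `unsupported scheme ${url.protocol}` });
  }
  // The API key travels as a bearer token; over plain HTTP it is readable on the wire.
  if (url.protocol === "http:" && !LOOPBACK.has(url.hostname)) {
    findings.push({ level: "error", msg: "plain HTTP to a non-loopback host exposes the bearer token" });
  }
  // Credentials embedded in the URL end up in settings files and logs.
  if (url.username || url.password) {
    findings.push({ level: "error", msg: "remove user:password@ from serverUrl" });
  }
  // The Troubleshooting section says the URL should end with /mcp.
  if (!url.pathname.replace(/\/+$/, "").endsWith("/mcp")) {
    findings.push({ level: "warn", msg: "serverUrl does not end with /mcp" });
  }
  // A key in settings.json is plaintext on disk and may be synced or committed.
  if (apiKey !== "") {
    findings.push({ level: "warn", msg: "apiKey is set in settings.json in plaintext" });
  }
  return findings;
}

// Constructed sample settings (not taken from any real deployment).
const samples = {
  risky: { "sbomRemoteMcp.serverUrl": "http://sbom.company.com:3000", "sbomRemoteMcp.apiKey": "EXAMPLE-KEY" },
  local: { "sbomRemoteMcp.serverUrl": "http://localhost:3000/mcp", "sbomRemoteMcp.apiKey": "" },
  good: { "sbomRemoteMcp.serverUrl": "https://sbom.company.com/mcp", "sbomRemoteMcp.apiKey": "" },
};
for (const [name, s] of Object.entries(samples)) {
  console.log(name, auditSbomSettings(s).map((f) => `${f.level}: ${f.msg}`));
}
```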
Once connected, you can use these SBOM analysis tools with GitHub Copilot:
| Tool | Description |
| --- | --- |
| generate_sbom | Generate SBOM from project path or Git URL |
| scan_vulnerabilities | Scan SBOM for security vulnerabilities |
| analyze_dependencies | Analyze project dependencies and risks |
| get_vulnerability_details | Get detailed CVE information |
| check_component_security | Check if a package has known vulnerabilities |
| list_project_sboms | List stored SBOMs in database |
| compare_sboms | Compare two SBOMs for changes |
| get_license_compliance | Analyze license compliance |
💬 Example Copilot Prompts
Once configured, try asking Copilot these questions:
Security Scanning
- "Check if lodash 4.17.0 has any security vulnerabilities"
- "Is express version 4.17.1 secure to use?"
- "Scan my project for vulnerable dependencies"
SBOM Generation
- "Generate an SBOM for my current project"
- "Create a software bill of materials for /path/to/project"
Dependency Analysis
- "Analyze the dependencies in this repository"
- "What are the risks in my project's dependencies?"
- "Show me the dependency tree for this project"
License Compliance
- "What licenses are used by my project's dependencies?"
- "Check for copyleft licenses in my project"
- "Analyze license compliance for my dependencies"
Requirements
- VS Code 1.85.0 or higher
- Access to a running SBOM MCP Server
- Valid API key for authentication
🔑 Getting an API Key
Contact your SBOM MCP Server administrator to obtain an API key.
For Server Administrators:
The API key is typically configured as:
- GITLAB_CI_API_KEY environment variable, or
- MCP_API_KEY environment variable
Troubleshooting
Connection Failed
- Verify the server URL is correct (should end with /mcp)
- Check that the server is running and accessible
- Ensure your API key is valid and not expired
- Check that the firewall allows the connection
- Make sure the connection is established (green ✓ in status bar)
- Check VS Code MCP settings are configured correctly
- Try disconnecting and reconnecting
- Restart VS Code if issues persist
Status Bar Not Showing
- Check that sbomRemoteMcp.showStatusBar is enabled in settings
- Try reloading VS Code (Ctrl+Shift+P → "Reload Window")
Authentication Errors
- Verify your API key is correct
- Ensure the API key has proper permissions
- Contact your administrator if the key was recently rotated
Privacy & Security
- API keys are stored in VS Code's secure storage
- All communication uses HTTPS (when configured)
- No data is sent to third parties
- Credentials are never logged or exported
License
MIT License
Support
For issues or feature requests, please contact your SBOM MCP Server administrator or visit our GitHub repository.
- 📧 Email: sbomappsupport@iarm.com