SBOM MCP Server Extension for VS Code
Generate Software Bill of Materials (SBOM), scan for vulnerabilities, and analyze dependencies using AI assistants via the Model Context Protocol (MCP).

Features
- 🔍 Generate SBOM - Create CycloneDX SBOMs for any project
- 🛡️ Vulnerability Scanning - Scan dependencies for known security vulnerabilities
- 📊 Dependency Analysis - Get detailed insights about your project's dependencies
- 🤖 AI Integration - Use with GitHub Copilot, Claude, or any MCP-compatible AI assistant
- ⚡ 5 MCP Tools - generate_sbom, scan_vulnerabilities, analyze_dependencies, get_vulnerability_details, check_component_security
Requirements
- SBOM API Server - You need a running instance of the SBOMApp API server
- Node.js 18+ - Required for the MCP server runtime
- VS Code 1.85+ - With GitHub Copilot or MCP-compatible AI extension
Installation
- Install the extension from VS Code Marketplace
- Run the command `SBOM MCP: Set API Key` to configure your API key
- Run the command `SBOM MCP: Configure Server` to set up MCP integration
- Restart VS Code
Configuration
| Setting | Description | Default |
| --- | --- | --- |
| `sbom-mcp.apiUrl` | URL of the SBOM API server | `http://localhost:3000` |
| `sbom-mcp.apiKey` | API key for authentication | (empty) |
| `sbom-mcp.autoConfigureMcp` | Auto-configure MCP on activation | `true` |

Treat `sbom-mcp.apiKey` as a secret. The default URL is plaintext HTTP, which is only appropriate for a server running on the same machine; point `sbom-mcp.apiUrl` at an `https://` URL for any remote instance, otherwise the key is sent in the clear on every request.
Available Commands
| Command | Description |
| --- | --- |
| `SBOM MCP: Configure Server` | Set up the MCP server in the workspace |
| `SBOM MCP: Set API Key` | Configure API authentication |
| `SBOM MCP: Set API URL` | Set the SBOM server URL |
| `SBOM MCP: Generate SBOM for Current Workspace` | Generate an SBOM immediately |
| `SBOM MCP: Check Vulnerabilities` | Scan the workspace for vulnerabilities |
MCP Tools
When using an AI assistant, the following tools are available:
- `generate_sbom` - Generate an SBOM from a project path or Git URL. Example prompts: "Generate an SBOM for my project at /path/to/project", "Create SBOM for https://github.com/user/repo"
- `scan_vulnerabilities` - Scan an existing SBOM file for vulnerabilities. Example prompt: "Scan this SBOM file for vulnerabilities: /path/to/sbom.json"
- `analyze_dependencies` - Get a detailed dependency analysis and risk assessment. Example prompt: "Analyze the dependencies in this project"
- `get_vulnerability_details` - Get specific vulnerability information with CVE details. Example prompt: "Show me all critical vulnerabilities in this project"
- `check_component_security` - Check whether a package is safe before using it. Example prompts: "Is lodash version 4.17.21 secure?", "Check security of express@4.18.2"
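To make concrete what `scan_vulnerabilities`, `get_vulnerability_details` and `check_component_security` do over a CycloneDX document, here is an added example (editor's illustration, not the extension's or the SBOM API server's code) that matches a CycloneDX 1.5 component list against an advisory list by purl and version range. The SBOM, the advisory identifiers `EXAMPLE-ADV-0001`/`0002` and the package `example-lib` are constructed for this example and are not real advisories; `lodash@4.17.21` and `express@4.18.2` from the prompts above appear only as components with no matching advisory. The real tools query the SBOM API server rather than an inline list, and a production matcher should use a full semver implementation instead of the numeric comparison here.

```javascript
// Added example: a miniature CycloneDX vulnerability scan. The SBOM document,
// the advisory list, the ids EXAMPLE-ADV-000x and the package "example-lib"
// are all constructed for this illustration; no claim is made about lodash
// or express, which are listed only as components with no matching advisory.

// Constructed SBOM in the CycloneDX JSON shape (bomFormat/specVersion/components).
const SBOM = {
  bomFormat: "CycloneDX",
  specVersion: "1.5",
  components: [
    { type: "library", name: "lodash", version: "4.17.21", purl: "pkg:npm/lodash@4.17.21" },
    { type: "library", name: "express", version: "4.18.2", purl: "pkg:npm/express@4.18.2" },
    { type: "library", name: "example-lib", version: "1.4.0", purl: "pkg:npm/example-lib@1.4.0" },
  ],
};

// Constructed advisory feed: version-less purl, half-open range [introduced, fixed), severity.
const ADVISORIES = [
  { id: "EXAMPLE-ADV-0001", pkg: "pkg:npm/example-lib", introduced: "1.0.0", fixed: "1.5.0", severity: "critical" },
  { id: "EXAMPLE-ADV-0002", pkg: "pkg:npm/example-lib", introduced: "0.0.0", fixed: "1.2.0", severity: "high" },
];

// Numeric major.minor.patch comparison; pre-release tags are dropped
// (a real scanner should use a full semver library).
function parseVersion(v) {
  const parts = v.split("-")[0].split(".").map((s) => Number(s) || 0);
  while (parts.length < 3) parts.push(0);
  return parts.slice(0, 3);
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Split "pkg:npm/name@1.2.3?qualifier#subpath" into a version-less purl and the version.
function splitPurl(purl) {
  const base = purl.split(/[?#]/)[0];
  const m = base.match(/^(.*)@([^@/]+)$/);
  if (!m) throw new Error(`purl has no version: ${purl}`);
  return { pkg: m[1], version: m[2] };
}

function loadComponents(doc) {
  if (doc.bomFormat !== "CycloneDX") throw new Error("not a CycloneDX document");
  return (doc.components ?? []).filter((c) => typeof c.purl === "string");
}

// scan_vulnerabilities in miniature: every component against every advisory.
function scanSbom(doc, advisories = ADVISORIES) {
  const findings = [];
  for (const c of loadComponents(doc)) {
    const { pkg, version } = splitPurl(c.purl);
    for (const adv of advisories) {
      if (adv.pkg !== pkg) continue;
      const inRange =
        compareVersions(version, adv.introduced) >= 0 && compareVersions(version, adv.fixed) < 0;
      if (inRange) {
        findings.push({ component: c.purl, advisory: adv.id, severity: adv.severity, fixedIn: adv.fixed });
      }
    }
  }
  return findings;
}

// get_vulnerability_details in miniature: "show me all critical vulnerabilities".
function findingsAtSeverity(findings, severity) {
  return findings.filter((f) => f.severity === severity);
}

// check_component_security in miniature: "is example-lib@1.1.0 secure?".
function checkComponent(purl, advisories = ADVISORIES) {
  return scanSbom({ bomFormat: "CycloneDX", components: [{ purl }] }, advisories);
}

// Stand-alone run: one critical finding for example-lib@1.4.0, fixed in 1.5.0.
console.log(JSON.stringify(scanSbom(SBOM), null, 2));
```

Matching is done on the purl rather than the bare name so that `pkg:npm/example-lib` and a same-named package from another ecosystem (for instance `pkg:pypi/example-lib`) are never confused, which is the same reason the SBOM tools work from purls in the first place.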
Example Usage with Copilot
After installation, try these prompts with GitHub Copilot:
- "Generate an SBOM for the current workspace"
- "What vulnerabilities exist in this project?"
- "Is the axios package version 1.6.0 secure?"
- "Analyze the dependencies and show me any security risks"
License
MIT License - see LICENSE for details.
Support