ScanRook
Integrations

ScanRook MCP Server: Let AI Assistants Scan for Vulnerabilities

We built an MCP server that gives Claude, GPT, and any MCP-compatible AI assistant vulnerability scanning superpowers. Ask your AI to scan an image, check a CVE, or analyze licenses — it calls ScanRook behind the scenes and returns the results inline.

What we built

The ScanRook MCP server is a lightweight bridge between AI assistants and the ScanRook scanning platform. It exposes eight tools — scanning images, checking scan status, retrieving findings, looking up CVEs, listing scans, analyzing licenses, comparing scan results, and checking individual packages — all through the Model Context Protocol.

Once connected, you can have conversations like “Scan nginx:1.27 for vulnerabilities” or “Is CVE-2024-6387 in my image?” and the AI assistant handles everything: calling the right tool, waiting for results, and presenting findings in plain language.

Why MCP?

The Model Context Protocol is becoming the standard for connecting AI assistants to external tools. Anthropic created MCP as an open specification, and it has been adopted by Claude Code, Claude Desktop, and a growing number of third-party AI clients.

The alternative — building separate plugins for every AI platform — does not scale. A ChatGPT plugin cannot be used in Claude. A Claude tool does not work in Cursor. MCP solves this: one server, every client. We write the integration once and it works everywhere MCP is supported.

What you can do

Here are real examples of what becomes possible once you connect ScanRook to your AI assistant:

  • “Scan nginx:1.27 for vulnerabilities” — the assistant calls scan_image, monitors progress with scan_status, and summarizes findings when done.
  • “Check if lodash 4.17.20 has any known vulnerabilities” — calls check_package (no API key needed) and lists any CVEs with severity and fix versions.
  • “Compare my last two scans — what changed?” — uses compare_scans to show new, fixed, and unchanged vulnerabilities between builds.
  • “Analyze the licenses in my last scan” — calls analyze_licenses and flags copyleft or restricted licenses that may affect distribution.

How to set it up

Setup takes about two minutes. Install the npm package, add a JSON block to your AI client's configuration, and you are ready to go.

# Install globally
npm install -g scanrook-mcp

Then add the server to your client's MCP configuration. For Claude Code, add to ~/.claude/settings.json:

{
  "mcpServers": {
    "scanrook": {
      "command": "scanrook-mcp",
      "env": {
        "SCANROOK_API_KEY": "your-api-key-here"
      }
    }
  }
}

Get your API key from Dashboard > API Keys. Keys start with dgk_. Two tools — search_cve and check_package — work without an API key, so you can try those immediately.

For detailed setup instructions for Claude Desktop and other AI tools, see the full MCP integration docs.

The tools

The MCP server exposes eight tools, each designed for a specific security workflow:

  • scan_image — kick off a vulnerability scan against any public or private Docker/OCI image.
  • scan_status — poll a running scan for progress percentage and stage information.
  • get_findings — retrieve the full list of vulnerabilities from a completed scan, with severity, CVSS, EPSS, and fix versions.
  • search_cve — look up any CVE by ID to get its description, severity, affected packages, and fix status. No API key required.
  • list_scans — see your recent scans with status and summary counts.
  • analyze_licenses — check all packages in a scan for license types and flag potential compliance issues.
  • compare_scans — diff two scans to see what vulnerabilities were introduced, fixed, or unchanged.
  • check_package — check any package name and version against vulnerability databases. No API key required.

Architecture

The data flow is straightforward. Your AI assistant sends a request to the MCP server running locally on your machine. The MCP server translates the tool call into an API request to scanrook.io (or your self-hosted instance). ScanRook processes the request — dispatching a scan, querying the database, or fetching a report — and returns structured data. The MCP server formats the response and hands it back to the AI assistant, which presents it in natural language.

AI Assistant
  |
  v (stdio)
scanrook-mcp (local process)
  |
  v (HTTPS)
ScanRook API (scanrook.io)
  |
  v
Scanner + Database + S3

The MCP server is stateless. It does not store any data locally — all state lives on the ScanRook platform. This means you can run it on any machine and get the same results.

Open source

The MCP server is fully open source under the MIT license. We welcome contributions — whether that is adding new tools, improving error handling, or adding support for new AI clients.

If you build something interesting with it, we would love to hear about it.

Get started

npm install -g scanrook-mcp
Setup guideGitHub reponpm packageBack to blog