MCP Server Integration
The Model Context Protocol (MCP) is an open standard created by Anthropic for connecting AI assistants to external tools and data sources. Instead of building separate plugins for every AI platform, a single MCP server works with any compatible client.
ScanRook publishes an MCP server that gives any AI assistant the ability to scan Docker and OCI images for vulnerabilities, look up specific CVEs, check packages for known issues, and analyze license compliance — all through natural conversation.
npm package: scanrook-mcp
Available tools
The MCP server exposes these tools to any connected AI assistant.
| Tool | Description | Auth Required |
|---|---|---|
| scan_image | Scan a Docker/OCI image for vulnerabilities | Yes |
| scan_status | Check scan progress and results | Yes |
| get_findings | Get detailed vulnerability findings | Yes |
| search_cve | Look up a specific CVE | No |
| list_scans | List recent scans | Yes |
| analyze_licenses | Check license compliance | Yes |
| compare_scans | Compare findings between scans | Yes |
| check_package | Check a package for known vulnerabilities | No |
Tools marked No under Auth Required work without an API key. This means anyone can use search_cve and check_package for free, without creating an account.
Setup with Claude Code
Add ScanRook as an MCP server in Claude Code to scan images and check CVEs from your terminal.
Step 1: Install the MCP server globally.
npm install -g scanrook-mcp
Step 2: Add the server to your Claude Code settings. Open ~/.claude/settings.json (global) or .claude/settings.json (project) and add the following:
{
  "mcpServers": {
    "scanrook": {
      "command": "scanrook-mcp",
      "env": {
        "SCANROOK_API_KEY": "your-api-key-here"
      }
    }
  }
}
Alternatively, run directly with npx without a global install:
{
  "mcpServers": {
    "scanrook": {
      "command": "npx",
      "args": ["-y", "scanrook-mcp"],
      "env": {
        "SCANROOK_API_KEY": "your-api-key-here"
      }
    }
  }
}
Replace your-api-key-here with your ScanRook API key. See the Getting an API Key section below.
Setup with Claude Desktop
Use ScanRook tools directly in the Claude Desktop app.
Add the following to your Claude Desktop configuration file:
- macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
- Windows: %APPDATA%\Claude\claude_desktop_config.json
{
  "mcpServers": {
    "scanrook": {
      "command": "npx",
      "args": ["-y", "scanrook-mcp"],
      "env": {
        "SCANROOK_API_KEY": "your-api-key-here"
      }
    }
  }
}
Restart Claude Desktop after saving. The ScanRook tools will appear in the tools menu.
Setup with other AI tools
Any MCP-compatible client can connect to ScanRook.
The ScanRook MCP server uses the standard stdio transport, which means any client that supports MCP can connect to it. Point your client at the scanrook-mcp command (or npx -y scanrook-mcp) and configure these environment variables:
- SCANROOK_API_KEY: your API key (required for authenticated tools)
- SCANROOK_API_URL: API base URL (optional, defaults to https://scanrook.io)
Getting an API key
Create an API key from the ScanRook dashboard.
- Sign in at scanrook.io
- Go to Dashboard -> API Keys (or navigate to /dashboard/settings/api-keys)
- Click Create API Key
- Copy the key (it starts with dgk_)
- Set it as SCANROOK_API_KEY in your MCP configuration
You do not need an API key for search_cve and check_package. These public tools work without authentication.
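The configurations on this page place the API key in a JSON settings file and, in the npx variant, fetch the package when the client launches. As an added example (not ScanRook's code), this Node.js function lints such a config for a literal dgk_ key, a non-HTTPS SCANROOK_API_URL override, and an npx package with no version pin. The rule names, sample key, host and version are constructed for illustration.

```javascript
// Added example (not ScanRook's code): lint an MCP client config for risky settings.
// Assumption: real keys start with "dgk_" (per this page); rule names are made up here.
function auditMcpConfig(jsonText) {
  const findings = [];
  const servers = JSON.parse(jsonText).mcpServers || {};
  for (const [name, srv] of Object.entries(servers)) {
    const env = srv.env || {};
    const args = Array.isArray(srv.args) ? srv.args : [];

    // A literal dgk_ key in a settings file leaks if the file is committed or shared.
    const key = env.SCANROOK_API_KEY;
    if (typeof key === "string" && key.startsWith("dgk_")) {
      findings.push({ server: name, rule: "hardcoded-api-key" });
    }

    // The key is sent to SCANROOK_API_URL, so an override must stay on HTTPS.
    const url = env.SCANROOK_API_URL;
    if (typeof url === "string" && !/^https:\/\//i.test(url)) {
      findings.push({ server: name, rule: "non-https-api-url" });
    }

    // `npx -y pkg` skips the install prompt; without a version it runs whatever
    // the registry serves at launch. Pinned looks like name@1.2.3; a bare name
    // or a tag such as @latest floats.
    if (srv.command === "npx") {
      const pkg = args.find((a) => typeof a === "string" && !a.startsWith("-"));
      if (pkg && !/.@\d/.test(pkg)) {
        findings.push({ server: name, rule: "unpinned-npx-package" });
      }
    }
  }
  return findings;
}

// Constructed sample config; key value, host and version are placeholders.
const SAMPLE_CONFIG = JSON.stringify({
  mcpServers: {
    scanrook: {
      command: "npx",
      args: ["-y", "scanrook-mcp"],
      env: { SCANROOK_API_KEY: "dgk_CONSTRUCTED_PLACEHOLDER",
             SCANROOK_API_URL: "http://scanrook.internal.example" },
    },
    pinned: { command: "npx", args: ["-y", "scanrook-mcp@0.0.0"], env: {} },
  },
});

console.log(auditMcpConfig(SAMPLE_CONFIG));
```

Running it over a project-level .claude/settings.json before committing catches a pasted key early; a file that does hold a real key belongs outside version control.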
Example conversations
Once connected, you can ask your AI assistant things like:
- “Scan nginx:1.27 for vulnerabilities”
- “What's the status of my last scan?”
- “Show me critical findings from my nginx scan”
- “Is CVE-2024-6387 in my image?”
- “Check if lodash 4.17.20 has any known vulnerabilities”
- “Analyze the licenses in my last scan”
- “Compare my last two scans — what changed?”
- “What are the most exploited CVEs right now?”
The AI assistant calls the appropriate ScanRook tools behind the scenes. You see the results inline in the conversation — no need to switch between tools or dashboards.
Troubleshooting
Common issues and how to fix them.
“Connection refused”
Make sure SCANROOK_API_KEY is set in the env block of your MCP configuration. The server will not start without a reachable API endpoint.
“Unauthorized”
Your API key may be invalid or revoked. Verify it at /dashboard/settings/api-keys. Generate a new key if needed.
“Command not found”
The scanrook-mcp binary is not installed or not on your PATH. Run npm install -g scanrook-mcp or use the npx configuration instead.
Source code
The MCP server is open source.