Add config

Author: mtodor

README.md

@@ -22,6 +22,75 @@ Run the server:
 ./stackrox-mcp
 ```
 
+## Configuration
+
+The StackRox MCP server supports configuration through both YAML files and environment variables. Environment variables take precedence over YAML configuration.
+
+### Configuration File
+
+Specify a configuration file using the `--config` flag:
+
+```bash
+./stackrox-mcp --config=/path/to/config.yaml
+```
+
+See [examples/config-read-only.yaml](examples/config-read-only.yaml) for a complete configuration example.
+
+### Environment Variables
+
+All configuration options can be set via environment variables using the naming convention:
+
+```
+STACKROX_MCP__SECTION__KEY
+```
+
+Note the double underscore (`__`) separator between sections and keys.
+
+#### Examples
+
+```bash
+export STACKROX_MCP__CENTRAL__URL=central.stackrox:8443
+export STACKROX_MCP__GLOBAL__READ_ONLY_TOOLS=true
+export STACKROX_MCP__TOOLS__CONFIG_MANAGER__ENABLED=true
+```
+
+### Configuration Options
+
+#### Central Configuration
+
+Configuration for connecting to StackRox Central.
+
+| Option | Environment Variable | Type | Required | Default | Description |
+|--------|---------------------|------|----------|---------|-------------|
+| `central.url` | `STACKROX_MCP__CENTRAL__URL` | string | Yes | central.stackrox:8443 | URL of StackRox Central instance |
+| `central.insecure` | `STACKROX_MCP__CENTRAL__INSECURE` | bool | No | `false` | Skip TLS certificate verification |
+| `central.force_http1` | `STACKROX_MCP__CENTRAL__FORCE_HTTP1` | bool | No | `false` | Force HTTP/1.1 instead of HTTP/2 |
+
+#### Global Configuration
+
+Global MCP server settings.
+
+| Option | Environment Variable | Type | Required | Default | Description |
+|--------|---------------------|------|----------|---------|-------------|
+| `global.read_only_tools` | `STACKROX_MCP__GLOBAL__READ_ONLY_TOOLS` | bool | No | `true` | Only allow read-only tools |
+
+#### Tools Configuration
+
+Enable or disable individual MCP tools. At least one tool has to be enabled.
+
+| Option | Environment Variable | Type | Required | Default | Description |
+|--------|---------------------|------|----------|---------|-------------|
+| `tools.vulnerability.enabled` | `STACKROX_MCP__TOOLS__VULNERABILITY__ENABLED` | bool | No | `false` | Enable vulnerability management tools |
+| `tools.config_manager.enabled` | `STACKROX_MCP__TOOLS__CONFIG_MANAGER__ENABLED` | bool | No | `false` | Enable configuration management tools |
+
+### Configuration Precedence
+
+Configuration values are loaded in the following order (later sources override earlier ones):
+
+1. Default values
+2. YAML configuration file (if provided via `--config`)
+3. Environment variables (highest precedence)
+
 ## Development
 
 ### Available Make Targets

cmd/stackrox-mcp/main.go

@@ -3,6 +3,9 @@ package main
 import (
 	"github.com/rs/zerolog"
 	"github.com/rs/zerolog/log"
+	flag "github.com/spf13/pflag"
+
+	"github.com/stackrox/stackrox-mcp/internal/config"
 )
 
 func setupLogging() {
@@ -12,5 +15,14 @@ func setupLogging() {
 func main() {
 	setupLogging()
 
+	configPath := flag.String("config", "", "Path to configuration file (optional)")
+	flag.Parse()
+
+	cfg, err := config.LoadConfig(*configPath)
+	if err != nil {
+		log.Fatal().Err(err).Msg("Failed to load configuration")
+	}
+	log.Info().Interface("config", cfg).Msg("Configuration loaded successfully")
+
 	log.Info().Msg("Starting Stackrox MCP server")
 }

examples/config-read-only.yaml

@@ -0,0 +1,50 @@
+# StackRox MCP Server Configuration
+#
+# This is an example configuration file for the StackRox MCP server.
+# Copy this file and modify it according to your environment.
+#
+# Environment Variable Mapping:
+# All configuration options can be overridden using environment variables.
+# Environment variables take precedence over YAML configuration.
+#
+# Naming convention: STACKROX_MCP__SECTION__KEY
+# Example:
+#   central:
+#     url: central.stackrox:8443
+#
+# Can be overridden with:
+#   STACKROX_MCP__CENTRAL__URL=central.stackrox:8443
+
+# Central connection configuration
+central:
+  # Central URL (required, default: central.stackrox:8443)
+  # The URL of your StackRox Central instance
+  url: central.stackrox:8443
+
+  # Allow insecure TLS connection (optional, default: false)
+  # Set to true to skip TLS certificate verification
+  insecure: false
+
+  # Force HTTP1 (optional, default: false)
+  # Force HTTP/1.1 instead of HTTP/2
+  force_http1: false
+
+# Global MCP server configuration
+global:
+  # Allow only read-only MCP tools (optional, default: true)
+  # When true, only tools that perform read operations are available
+  # When false, both read and write tools may be available (if implemented)
+  read_only_tools: true
+
+# Configuration of MCP tools
+# Each tool has an enable/disable flag. At least one tool has to be enabled.
+tools:
+  # Vulnerability management tools
+  vulnerability:
+    # Enable vulnerability management tools (optional, default: false)
+    enabled: true
+
+  # Configuration management tools
+  config_manager:
+    # Enable configuration management tools (optional, default: false)
+    enabled: true

go.mod

@@ -9,9 +9,21 @@ require (
 
 require (
 	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/fsnotify/fsnotify v1.9.0 // indirect
+	github.com/go-viper/mapstructure/v2 v2.4.0 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.19 // indirect
+	github.com/pelletier/go-toml/v2 v2.2.4 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	golang.org/x/sys v0.12.0 // indirect
+	github.com/sagikazarmark/locafero v0.11.0 // indirect
+	github.com/sourcegraph/conc v0.3.1-0.20240121214520-5f936abd7ae8 // indirect
+	github.com/spf13/afero v1.15.0 // indirect
+	github.com/spf13/cast v1.10.0 // indirect
+	github.com/spf13/pflag v1.0.10 // indirect
+	github.com/spf13/viper v1.21.0 // indirect
+	github.com/subosito/gotenv v1.6.0 // indirect
+	go.yaml.in/yaml/v3 v3.0.4 // indirect
+	golang.org/x/sys v0.29.0 // indirect
+	golang.org/x/text v0.28.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

go.sum

@@ -1,24 +1,50 @@
 github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S9k=
+github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
+github.com/go-viper/mapstructure/v2 v2.4.0 h1:EBsztssimR/CONLSZZ04E8qAkxNYq4Qp9LvH92wZUgs=
+github.com/go-viper/mapstructure/v2 v2.4.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
 github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
 github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
 github.com/mattn/go-isatty v0.0.19 h1:JITubQf0MOLdlGRuRq+jtsDlekdYPia9ZFsB8h/APPA=
 github.com/mattn/go-isatty v0.0.19/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
+github.com/pelletier/go-toml/v2 v2.2.4 h1:mye9XuhQ6gvn5h28+VilKrrPoQVanw5PMw/TB0t5Ec4=
+github.com/pelletier/go-toml/v2 v2.2.4/go.mod h1:2gIqNv+qfxSVS7cM2xJQKtLSTLUE9V8t9Stt+h56mCY=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/rs/xid v1.5.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg=
 github.com/rs/zerolog v1.33.0 h1:1cU2KZkvPxNyfgEmhHAz/1A9Bz+llsdYzklWFzgp0r8=
 github.com/rs/zerolog v1.33.0/go.mod h1:/7mN4D5sKwJLZQ2b/znpjC3/GQWY/xaDXUM0kKWRHss=
+github.com/sagikazarmark/locafero v0.11.0 h1:1iurJgmM9G3PA/I+wWYIOw/5SyBtxapeHDcg+AAIFXc=
+github.com/sagikazarmark/locafero v0.11.0/go.mod h1:nVIGvgyzw595SUSUE6tvCp3YYTeHs15MvlmU87WwIik=
+github.com/sourcegraph/conc v0.3.1-0.20240121214520-5f936abd7ae8 h1:+jumHNA0Wrelhe64i8F6HNlS8pkoyMv5sreGx2Ry5Rw=
+github.com/sourcegraph/conc v0.3.1-0.20240121214520-5f936abd7ae8/go.mod h1:3n1Cwaq1E1/1lhQhtRK2ts/ZwZEhjcQeJQ1RuC6Q/8U=
+github.com/spf13/afero v1.15.0 h1:b/YBCLWAJdFWJTN9cLhiXXcD7mzKn9Dm86dNnfyQw1I=
+github.com/spf13/afero v1.15.0/go.mod h1:NC2ByUVxtQs4b3sIUphxK0NioZnmxgyCrfzeuq8lxMg=
+github.com/spf13/cast v1.10.0 h1:h2x0u2shc1QuLHfxi+cTJvs30+ZAHOGRic8uyGTDWxY=
+github.com/spf13/cast v1.10.0/go.mod h1:jNfB8QC9IA6ZuY2ZjDp0KtFO2LZZlg4S/7bzP6qqeHo=
+github.com/spf13/pflag v1.0.10 h1:4EBh2KAYBwaONj6b2Ye1GiHfwjqyROoF4RwYO+vPwFk=
+github.com/spf13/pflag v1.0.10/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/viper v1.21.0 h1:x5S+0EU27Lbphp4UKm1C+1oQO+rKx36vfCoaVebLFSU=
+github.com/spf13/viper v1.21.0/go.mod h1:P0lhsswPGWD/1lZJ9ny3fYnVqxiegrlNrEmgLjbTCAY=
 github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
 github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
+github.com/subosito/gotenv v1.6.0 h1:9NlTDc1FTs4qu0DDq7AEtTPNw6SVm7uBMsUCUjABIf8=
+github.com/subosito/gotenv v1.6.0/go.mod h1:Dk4QP5c2W3ibzajGcXpNraDfq2IrhjMIvMSWPKKo0FU=
+go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
+go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.12.0 h1:CM0HF96J0hcLAwsHPJZjfdNzs0gftsLfgKt57wWHJ0o=
 golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.29.0 h1:TPYlXGxvx1MGTn2GiZDhnjPA9wZzZeGKHHmKhHYvgaU=
+golang.org/x/sys v0.29.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/text v0.28.0 h1:rhazDwis8INMIwQ4tpjLDzUhx6RlXqZNPEM0huQojng=
+golang.org/x/text v0.28.0/go.mod h1:U8nCwOR8jO/marOQ0QbDiOngZVEBB7MAiitBuMjXiNU=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=

internal/config/config.go

@@ -0,0 +1,103 @@
+package config
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/spf13/viper"
+)
+
+// Config represents the complete application configuration
+type Config struct {
+	Central CentralConfig `mapstructure:"central"`
+	Global  GlobalConfig  `mapstructure:"global"`
+	Tools   ToolsConfig   `mapstructure:"tools"`
+}
+
+// CentralConfig contains StackRox Central connection configuration
+type CentralConfig struct {
+	URL        string `mapstructure:"url"`
+	Insecure   bool   `mapstructure:"insecure"`
+	ForceHTTP1 bool   `mapstructure:"force_http1"`
+}
+
+// GlobalConfig contains global MCP server configuration
+type GlobalConfig struct {
+	ReadOnlyTools bool `mapstructure:"read_only_tools"`
+}
+
+// ToolsConfig contains configuration for individual MCP tools
+type ToolsConfig struct {
+	Vulnerability VulnerabilityConfig `mapstructure:"vulnerability"`
+	ConfigManager ConfigManagerConfig `mapstructure:"config_manager"`
+}
+
+// VulnerabilityConfig contains configuration for vulnerability management tools
+type VulnerabilityConfig struct {
+	Enabled bool `mapstructure:"enabled"`
+}
+
+// ConfigManagerConfig contains configuration for config management tools
+type ConfigManagerConfig struct {
+	Enabled bool `mapstructure:"enabled"`
+}
+
+// LoadConfig loads configuration from YAML file and environment variables.
+// Environment variables take precedence over YAML configuration.
+// Env var naming convention: STACKROX_MCP__SECTION__KEY (double underscore as separator)
+// configPath: optional path to YAML configuration file (can be empty)
+func LoadConfig(configPath string) (*Config, error) {
+	v := viper.New()
+
+	setDefaults(v)
+
+	// Set up environment variable support
+	// Note: SetEnvPrefix adds a single underscore, so "STACKROX_MCP_" becomes the prefix
+	// We want double underscores between sections, so we use "__" in the replacer
+	v.SetEnvPrefix("STACKROX_MCP_")
+	v.SetEnvKeyReplacer(strings.NewReplacer(".", "__"))
+	v.AutomaticEnv()
+
+	if configPath != "" {
+		v.SetConfigFile(configPath)
+		if err := v.ReadInConfig(); err != nil {
+			return nil, fmt.Errorf("failed to read config file: %w", err)
+		}
+	}
+
+	var cfg Config
+	if err := v.Unmarshal(&cfg); err != nil {
+		return nil, fmt.Errorf("failed to unmarshal config: %w", err)
+	}
+
+	if err := cfg.Validate(); err != nil {
+		return nil, fmt.Errorf("invalid configuration: %w", err)
+	}
+
+	return &cfg, nil
+}
+
+// setDefaults sets default values for configuration
+func setDefaults(v *viper.Viper) {
+	v.SetDefault("central.url", "central.stackrox:8443")
+	v.SetDefault("central.insecure", false)
+	v.SetDefault("central.force_http1", false)
+
+	v.SetDefault("global.read_only_tools", true)
+
+	v.SetDefault("tools.vulnerability.enabled", false)
+	v.SetDefault("tools.config_manager.enabled", false)
+}
+
+// Validate validates the configuration
+func (c *Config) Validate() error {
+	if c.Central.URL == "" {
+		return fmt.Errorf("central.url is required")
+	}
+
+	if !c.Tools.Vulnerability.Enabled && !c.Tools.ConfigManager.Enabled {
+		return fmt.Errorf("at least one tool has to be enabled")
+	}
+
+	return nil
+}