feat: Add new SysQL Query tool

alecron · web-flow · commit 8be7a8e91cd4 · 2025-10-20T17:27:59.000+02:00
diff --git a/README.md b/README.md
@@ -101,6 +101,7 @@ Get up and running with the Sysdig MCP Server quickly using our pre-built Docker
 | Tool Name | Description | Sample Prompt |
 |-----------|-------------|----------------|
 | `generate_and_run_sysql` | Generate and run a SysQL query using natural language | "List top 10 pods by memory usage in the last hour" |
+| `run_sysql` | Execute a pre-written SysQL query directly (use only when user provides explicit query) | "Run this query: MATCH CloudResource WHERE type = 'aws_s3_bucket' LIMIT 10" |
 
 </details>
 
@@ -184,7 +185,7 @@ To use the MCP server tools, your API token needs specific permissions in Sysdig
 |--------------|---------------------|---------------------------|
 | **CLI Scanner** | `secure.vm.cli-scanner.exec` | Vulnerability Management: "CLI Execution" (EXEC) |
 | **Threat Detection (Events Feed)** | `policy-events.read` | Threats: "Policy Events" (Read) |
-| **SysQL** | `sage.exec`, `risks.read` | Sage: "Use Sage chat" (EXEC) + Risks: "Access to risk feature" (Read) |
+| **SysQL** | `sage.exec`, `risks.read` | SysQL: "AI Query Generation" (EXEC) + Risks: "Access to risk feature" (Read) |
 
 **Additional Permissions:**
 
diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "sysdig-mcp-server"
-version = "0.3.1"
+version = "0.4.0"
 description = "Sysdig MCP Server"
 readme = "README.md"
 requires-python = ">=3.12"
diff --git a/tools/sysql/tool.py b/tools/sysql/tool.py
@@ -81,3 +81,54 @@ async def tool_generate_and_run_sysql(self, ctx: Context, question: str) -> dict
         except ToolError as e:
             self.log.error(f"Failed to execute SysQL query: {e}")
             raise e
+
+
+    async def tool_run_sysql(self, ctx: Context, sysql_query: str) -> dict:
+        """
+        Executes a pre-written SysQL query directly against the Sysdig API and returns the results.
+
+        Use this tool ONLY when the user provides an explicit SysQL query. Do not improvise or
+        generate queries. For natural language questions, use generate_and_run_sysql instead.
+
+        Args:
+            ctx (Context): A context object containing configuration information.
+            sysql_query (str): A valid SysQL query string to execute directly.
+
+        Returns:
+            dict: A dictionary containing the results of the SysQL query execution with metadata.
+
+        Raises:
+            ToolError: If the SysQL query execution fails or if the query is invalid.
+
+        Examples:
+            # tool_run_sysql(sysql_query="MATCH Vulnerability WHERE severity = 'Critical' LIMIT 10")
+            # tool_run_sysql(sysql_query="MATCH KubeWorkload AS k AFFECTED_BY Vulnerability WHERE k.namespace = 'production'")
+            # tool_run_sysql(sysql_query="MATCH CloudResource WHERE type = 'aws_s3_bucket' RETURN *")
+            # tool_run_sysql(sysql_query="MATCH Vulnerability AS v WHERE v.name = 'CVE-2024-1234' RETURN v")
+        """
+        # Start timer
+        start_time = time.time()
+        # Get API instance
+        api_instances: dict = ctx.get_state("api_instances")
+        legacy_api_client: LegacySysdigApi = api_instances.get("legacy_sysdig_api")
+        if not legacy_api_client:
+            self.log.error("LegacySysdigApi instance not found")
+            raise ToolError("LegacySysdigApi instance not found")
+
+        if not sysql_query:
+            raise ToolError("No SysQL query provided. Please provide a valid SysQL query string.")
+
+        try:
+            self.log.debug(f"Executing SysQL query: {sysql_query}")
+            results = legacy_api_client.execute_sysql_query(sysql_query)
+            execution_time = (time.time() - start_time) * 1000
+            self.log.debug(f"SysQL query executed in {execution_time} ms")
+            response = create_standard_response(
+                results=results, execution_time_ms=execution_time,
+                metadata_kwargs={"sysql_query": sysql_query}
+            )
+
+            return response
+        except ToolError as e:
+            self.log.error(f"Failed to execute SysQL query: {e}")
+            raise e
diff --git a/utils/mcp_server.py b/utils/mcp_server.py
@@ -165,6 +165,18 @@ def add_tools(self) -> None:
             ),
             tags={"sysql", "sysdig_secure"},
         )
+        self.mcp_instance.tool(
+            name_or_fn=sysdig_sysql_tools.tool_run_sysql,
+            name="run_sysql",
+            description=(
+                """
+                Execute a pre-written SysQL query directly against the Sysdig API.
+                Use ONLY when the user provides an explicit SysQL query string.
+                For natural language questions, use generate_and_run_sysql instead.
+                """
+            ),
+            tags={"sysql", "sysdig_secure"},
+        )
 
         if self.app_config.transport() == "stdio":
             # Register the tools for STDIO transport
diff --git a/uv.lock b/uv.lock
