Updating overall init config of the client

S3B4SZ17 · S3B4SZ17 · commit 9009eea25366 · 2025-07-08T12:50:38.000-06:00
Signed-off-by: S3B4SZ17 &lt;sebastian.zumbado@sysdig.com&gt;
diff --git a/README.md b/README.md
@@ -85,6 +85,21 @@ Get up and running with the Sysdig MCP Server quickly using our pre-built Docker
 
 ## Available Tools
 
+You can select what group of tools to add when running the server by adding/removing them from the `mcp.allowed_tools` list in the app_config.yaml file
+
+```yaml
+...
+mcp:
+  transport: stdio
+  ...
+  allowed_tools:
+    - "events-feed"
+    - "inventory"
+    - "vulnerability-management"
+    - "sysdig-sage"
+    - "sysdig-cli-scanner" # Only available in stdio local transport mode
+```
+
 <details>
 <summary><strong>Events Feed</strong></summary>
 
@@ -131,6 +146,15 @@ Get up and running with the Sysdig MCP Server quickly using our pre-built Docker
 
 </details>
 
+<details>
+<summary><strong>Sysdig CLI scanner</strong></summary>
+
+| Tool Name | Description | Sample Prompt |
+|-----------|-------------|----------------|
+| `run_sysdig_cli_scanner` | Run the Sysdig CLI Scanner to analyze a container image or IaC files for vulnerabilities and posture and misconfigurations. | "Scan this image ubuntu:latest for vulnerabilities" |
+
+</details>
+
 ### Available Resources
 
 - Sysdig Secure Vulnerability Management Overview:
@@ -171,6 +195,8 @@ This file contains the main configuration for the application, including:
 - **sysdig**: The Sysdig Secure host to connect to.
 - **mcp**: Transport protocol (stdio, sse, streamable-http), URL, host, and port for the MCP server.
 
+> You can set the path for the app_config.yaml using the `APP_CONFIG_FILE=/path/to/app_config.yaml` env var. By default the app will search the file in the root of the app.
+
 ### Environment Variables
 
 The following environment variables are required for configuring the Sysdig SDK:
@@ -250,6 +276,12 @@ configMap:
       transport: streamable-http
       host: "0.0.0.0"
       port: 8080
+      allowed_tools:
+        - "events-feed"
+        - "inventory"
+        - "vulnerability-management"
+        - "sysdig-sage"
+        - "sysdig-cli-scanner" # You need the sysdig-cli-scanner binary installed in your server to use this tool
 ```
 
 Install the chart
diff --git a/charts/sysdig-mcp/values.yaml b/charts/sysdig-mcp/values.yaml
@@ -8,7 +8,7 @@ image:
   repository: ghcr.io/sysdiglabs/sysdig-mcp-server
   pullPolicy: IfNotPresent
   # Overrides the image tag whose default is the chart appVersion.
-  tag: "v0.1.2"
+  tag: "v0.1.3-beta.0"
 
 imagePullSecrets: []
 nameOverride: ""
@@ -126,3 +126,9 @@ configMap:
       transport: streamable-http
       host: "0.0.0.0"
       port: 8080
+      allowed_tools:
+      - "events-feed"
+      - "sysdig-cli-scanner" # You need the sysdig-cli-scanner binary installed in your server to use this tool
+      - "vulnerability-management"
+      - "inventory"
+      - "sysdig-sage"
diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "sysdig-mcp-server"
-version = "0.1.2"
+version = "0.1.3-beta.0"
 description = "Sysdig MCP Server"
 readme = "README.md"
 requires-python = ">=3.12"
@@ -10,7 +10,7 @@ dependencies = [
     "pyyaml==6.0.2",
     "sqlalchemy==2.0.36",
     "sqlmodel==0.0.22",
-    "sysdig-sdk @ git+https://github.com/sysdiglabs/sysdig-sdk-python@ccdf3effe27a339deaa04a7248b319443d20e5aa",
+    "sysdig-sdk @ git+https://github.com/sysdiglabs/sysdig-sdk-python@e9b0d336c2f617f3bbd752416860f84eed160c41",
     "dask==2025.4.1",
     "oauthlib==3.2.2",
     "fastapi==0.115.12",
diff --git a/tools/events_feed/tool.py b/tools/events_feed/tool.py
@@ -24,7 +24,6 @@
 from utils.sysdig.api import initialize_api_client
 
 logging.basicConfig(format="%(asctime)s-%(process)d-%(levelname)s- %(message)s", level=os.environ.get("LOGLEVEL", "ERROR"))
-
 log = logging.getLogger(__name__)
 
 # Load app config (expects keys: mcp.host, mcp.port, mcp.transport)
@@ -46,12 +45,11 @@ def init_client(self, old_api: bool = False) -> SecureEventsApi | OldSysdigApi:
             old_api (bool): If True, initializes the OldSysdigApi client instead of SecureEventsApi.
         Returns:
             SecureEventsApi | OldSysdigApi: An instance of the SecureEventsApi or OldSysdigApi client.
-        Raises:
-            ValueError: If the SYSDIG_SECURE_TOKEN environment variable is not set.
         """
         secure_events_api: SecureEventsApi = None
         old_sysdig_api: OldSysdigApi = None
-        if app_config.get("mcp", {}).get("transport", "") == "streamable-http":
+        transport = os.environ.get("MCP_TRANSPORT", app_config["mcp"]["transport"]).lower()
+        if transport in ["streamable-http", "sse"]:
             # Try to get the HTTP request
             log.debug("Attempting to get the HTTP request to initialize the Sysdig API client.")
             request: Request = get_http_request()
@@ -60,15 +58,11 @@ def init_client(self, old_api: bool = False) -> SecureEventsApi | OldSysdigApi:
         else:
             # If running in STDIO mode, we need to initialize the API client from environment variables
             log.debug("Running in STDIO mode, initializing the Sysdig API client from environment variables.")
-            SYSDIG_SECURE_TOKEN = os.environ.get("SYSDIG_SECURE_TOKEN", "")
-            if not SYSDIG_SECURE_TOKEN:
-                raise ValueError("Can not initialize client, SYSDIG_SECURE_TOKEN environment variable is not set.")
-            SYSDIG_HOST = os.environ.get("SYSDIG_HOST", app_config["sysdig"]["host"])
-            cfg = get_configuration(SYSDIG_SECURE_TOKEN, SYSDIG_HOST)
+            cfg = get_configuration()
             api_client = initialize_api_client(cfg)
             secure_events_api = SecureEventsApi(api_client)
             # Initialize the old Sysdig API client for process tree requests
-            old_cfg = get_configuration(SYSDIG_SECURE_TOKEN, SYSDIG_HOST, old_api=True)
+            old_cfg = get_configuration(old_api=True)
             old_sysdig_api = initialize_api_client(old_cfg)
             old_sysdig_api = OldSysdigApi(old_sysdig_api)
 
diff --git a/tools/inventory/tool.py b/tools/inventory/tool.py
@@ -38,26 +38,21 @@ def init_client(self) -> InventoryApi:
         using the Sysdig Secure token and host from the environment variables.
         Returns:
             InventoryApi: An instance of the InventoryApi client.
-        Raises:
-            ValueError: If the SYSDIG_SECURE_TOKEN environment variable is not set.
         """
-        secure_events_api: InventoryApi = None
-        if app_config.get("mcp", {}).get("transport", "") == "streamable-http":
+        inventory_api: InventoryApi = None
+        transport = os.environ.get("MCP_TRANSPORT", app_config["mcp"]["transport"]).lower()
+        if transport in ["streamable-http", "sse"]:
             # Try to get the HTTP request
             log.debug("Attempting to get the HTTP request to initialize the Sysdig API client.")
             request: Request = get_http_request()
-            secure_events_api = request.state.api_instances["inventory"]
+            inventory_api = request.state.api_instances["inventory"]
         else:
             # If running in STDIO mode, we need to initialize the API client from environment variables
             log.debug("Running in STDIO mode, initializing the Sysdig API client from environment variables.")
-            SYSDIG_SECURE_TOKEN = os.environ.get("SYSDIG_SECURE_TOKEN", "")
-            if not SYSDIG_SECURE_TOKEN:
-                raise ValueError("Can not initialize client, SYSDIG_SECURE_TOKEN environment variable is not set.")
-            SYSDIG_HOST = os.environ.get("SYSDIG_HOST", app_config["sysdig"]["host"])
-            cfg = get_configuration(SYSDIG_SECURE_TOKEN, SYSDIG_HOST)
+            cfg = get_configuration()
             api_client = initialize_api_client(cfg)
-            secure_events_api = InventoryApi(api_client)
-        return secure_events_api
+            inventory_api = InventoryApi(api_client)
+        return inventory_api
 
     def tool_list_resources(
         self,
diff --git a/tools/sysdig_sage/tool.py b/tools/sysdig_sage/tool.py
@@ -37,25 +37,18 @@ def init_client(self) -> OldSysdigApi:
         using the Sysdig Secure token and host from the environment variables.
         Returns:
             OldSysdigApi: An instance of the OldSysdigApi client.
-
-        Raises:
-            ValueError: If the SYSDIG_SECURE_TOKEN environment variable is not set.
         """
         old_sysdig_api: OldSysdigApi = None
-        if app_config.get("mcp", {}).get("transport", "") == "streamable-http":
+        transport = os.environ.get("MCP_TRANSPORT", app_config["mcp"]["transport"]).lower()
+        if transport in ["streamable-http", "sse"]:
             # Try to get the HTTP request
             log.debug("Attempting to get the HTTP request to initialize the Sysdig API client.")
             request: Request = get_http_request()
             old_sysdig_api = request.state.api_instances["old_sysdig_api"]
         else:
             # If running in STDIO mode, we need to initialize the API client from environment variables
             log.debug("Running in STDIO mode, initializing the Sysdig API client from environment variables.")
-            SYSDIG_SECURE_TOKEN = os.environ.get("SYSDIG_SECURE_TOKEN", "")
-            if not SYSDIG_SECURE_TOKEN:
-                raise ValueError("Can not initialize client, SYSDIG_SECURE_TOKEN environment variable is not set.")
-
-            SYSDIG_HOST = os.environ.get("SYSDIG_HOST", app_config["sysdig"]["host"])
-            cfg = get_configuration(SYSDIG_SECURE_TOKEN, SYSDIG_HOST, old_api=True)
+            cfg = get_configuration(old_api=True)
             api_client = initialize_api_client(cfg)
             old_sysdig_api = OldSysdigApi(api_client)
         return old_sysdig_api
diff --git a/tools/vulnerability_management/tool.py b/tools/vulnerability_management/tool.py
@@ -40,23 +40,18 @@ def init_client(self) -> VulnerabilityManagementApi:
         using the Sysdig Secure token and host from the environment variables.
         Returns:
             VulnerabilityManagementApi: An instance of the VulnerabilityManagementApi client.
-        Raises:
-            ValueError: If the SYSDIG_SECURE_TOKEN environment variable is not set.
         """
         vulnerability_management_api: VulnerabilityManagementApi = None
-        if app_config.get("mcp", {}).get("transport", "") == "streamable-http":
+        transport = os.environ.get("MCP_TRANSPORT", app_config["mcp"]["transport"]).lower()
+        if transport in ["streamable-http", "sse"]:
             # Try to get the HTTP request
             log.debug("Attempting to get the HTTP request to initialize the Sysdig API client.")
             request: Request = get_http_request()
             vulnerability_management_api = request.state.api_instances["vulnerability_management"]
         else:
             # If running in STDIO mode, we need to initialize the API client from environment variables
             log.debug("Running in STDIO mode, initializing the Sysdig API client from environment variables.")
-            SYSDIG_SECURE_TOKEN = os.environ.get("SYSDIG_SECURE_TOKEN", "")
-            if not SYSDIG_SECURE_TOKEN:
-                raise ValueError("Can not initialize client, SYSDIG_SECURE_TOKEN environment variable is not set.")
-            SYSDIG_HOST = os.environ.get("SYSDIG_HOST", app_config["sysdig"]["host"])
-            cfg = get_configuration(SYSDIG_SECURE_TOKEN, SYSDIG_HOST)
+            cfg = get_configuration()
             api_client = initialize_api_client(cfg)
             vulnerability_management_api = VulnerabilityManagementApi(api_client)
         return vulnerability_management_api
diff --git a/utils/mcp_server.py b/utils/mcp_server.py
@@ -39,6 +39,8 @@
 
 middlewares = [Middleware(CustomAuthMiddleware)]
 
+MCP_MOUNT_PATH = "/sysdig-mcp-server"
+
 
 def create_simple_mcp_server() -> FastMCP:
     """
@@ -52,7 +54,6 @@ def create_simple_mcp_server() -> FastMCP:
         instructions="Provides Sysdig Secure tools and resources.",
         host=app_config["mcp"]["host"],
         port=app_config["mcp"]["port"],
-        debug=True,
         tags=["sysdig", "mcp", os.environ.get("MCP_TRANSPORT", app_config["mcp"]["transport"]).lower()],
     )
 
@@ -96,12 +97,12 @@ def run_http():
     add_tools(mcp=mcp, allowed_tools=app_config["mcp"]["allowed_tools"], transport_type=app_config["mcp"]["transport"])
     # Add resources to the MCP server
     add_resources(mcp)
-    # Mount the MCP HTTP/SSE app at '/sysdig-mcp-server'
-    mcp_app = mcp.http_app(
-        path="/mcp", transport=os.environ.get("MCP_TRANSPORT", app_config["mcp"]["transport"]).lower(), middleware=middlewares
-    )
+    # Mount the MCP HTTP/SSE app at 'MCP_MOUNT_PATH'
+    transport = os.environ.get("MCP_TRANSPORT", app_config["mcp"]["transport"]).lower()
+    mcp_app = mcp.http_app(transport=transport, middleware=middlewares)
+    suffix_path = mcp.settings.streamable_http_path if transport == "streamable-http" else mcp.settings.sse_path
     app = FastAPI(lifespan=mcp_app.lifespan)
-    app.mount("/sysdig-mcp-server", mcp_app)
+    app.mount(MCP_MOUNT_PATH, mcp_app)
 
     @app.get("/healthz", response_class=Response)
     async def health_check(request: Request) -> Response:
@@ -115,7 +116,9 @@ async def health_check(request: Request) -> Response:
         """
         return JSONResponse({"status": "ok"})
 
-    log.info(f"Starting {mcp.name} at http://{app_config['app']['host']}:{app_config['app']['port']}/sysdig-mcp-server/mcp")
+    log.info(
+        f"Starting {mcp.name} at http://{app_config['app']['host']}:{app_config['app']['port']}{MCP_MOUNT_PATH}{suffix_path}"
+    )
     # Use Uvicorn's Config and Server classes for more control
     config = uvicorn.Config(
         app,
@@ -270,7 +273,7 @@ def add_tools(mcp: FastMCP, allowed_tools: list, transport_type: Literal["stdio"
             ),
         )
 
-    if transport_type == "stdio" and "sysdig-cli-scanner" in allowed_tools:
+    if "sysdig-cli-scanner" in allowed_tools:
         # Register the tools for STDIO transport
         cli_scanner_tool = CLIScannerTool()
         log.info("Adding Sysdig CLI Scanner Tool...")
diff --git a/utils/query_helpers.py b/utils/query_helpers.py
@@ -25,6 +25,7 @@ def create_standard_response(results: RESTResponseType, execution_time_ms: str,
         raise ApiException(
             status=results.status,
             reason=results.reason,
+            data=results.data,
         )
     else:
         response = results.json() if results.data else {}
diff --git a/utils/sysdig/api.py b/utils/sysdig/api.py
@@ -20,7 +20,7 @@ def get_api_client(config: Configuration) -> ApiClient:
     return api_client_instance
 
 
-def initialize_api_client(config: Configuration) -> ApiClient:
+def initialize_api_client(config: Configuration = None) -> ApiClient:
     """
     Initializes the Sysdig API client with the provided token and host.
     This function creates a new ApiClient instance and returns a dictionary of API instances
diff --git a/utils/sysdig/client_config.py b/utils/sysdig/client_config.py
@@ -6,14 +6,17 @@
 import os
 import logging
 import re
+from typing import Optional
 
 # Set up logging
 logging.basicConfig(format="%(asctime)s-%(process)d-%(levelname)s- %(message)s", level=os.environ.get("LOGLEVEL", "ERROR"))
 log = logging.getLogger(__name__)
 
 
 # Lazy-load the Sysdig client configuration
-def get_configuration(token: str, sysdig_host_url: str, old_api: bool = False) -> sysdig_client.Configuration:
+def get_configuration(
+    token: Optional[str] = None, sysdig_host_url: Optional[str] = None, old_api: bool = False
+) -> sysdig_client.Configuration:
     """
     Returns a configured Sysdig client using environment variables.
 
@@ -24,6 +27,11 @@ def get_configuration(token: str, sysdig_host_url: str, old_api: bool = False) -
     Returns:
         sysdig_client.Configuration: A configured Sysdig client instance.
     """
+    # Check if the token and sysdig_host_url are provided, otherwise fetch from environment variables
+    if not token and not sysdig_host_url:
+        env_vars = get_api_env_vars()
+        token = env_vars["SYSDIG_SECURE_TOKEN"]
+        sysdig_host_url = env_vars["SYSDIG_HOST"]
     if not old_api:
         sysdig_host_url = _get_public_api_url(sysdig_host_url)
         log.info(f"Using public API URL: {sysdig_host_url}")
@@ -35,6 +43,28 @@ def get_configuration(token: str, sysdig_host_url: str, old_api: bool = False) -
     return configuration
 
 
+def get_api_env_vars() -> dict:
+    """
+    Get the necessary environment variables for the Sysdig API client.
+
+    Returns:
+        dict: A dictionary containing the required environment variables.
+    Raises:
+        ValueError: If any of the required environment variables are not set.
+    """
+    required_vars = ["SYSDIG_SECURE_TOKEN", "SYSDIG_HOST"]
+    env_vars = {}
+    for var in required_vars:
+        value = os.environ.get(var)
+        if not value:
+            log.error(f"Missing required environment variable: {var}")
+            raise ValueError(f"Environment variable {var} is not set. Please set it before running the application.")
+        env_vars[var] = value
+    log.info("All required environment variables are set.")
+
+    return env_vars
+
+
 def _get_public_api_url(base_url: str) -> str:
     """
     Get the public API URL from the base URL.
diff --git a/uv.lock b/uv.lock

Original file line number	Diff line number	Diff line change
`@@ -25,6 +25,7 @@ def create_standard_response(results: RESTResponseType, execution_time_ms: str,`
`25`	`25`	`raise ApiException(`
`26`	`26`	`status=results.status,`
`27`	`27`	`reason=results.reason,`
	`28`	`+ data=results.data,`
`28`	`29`	`)`
`29`	`30`	`else:`
`30`	`31`	`response = results.json() if results.data else {}`