Updating the filter expression description for the tools (#5)

# Updating the filter expression description for the tools

## Changes

* Updating the filter expression description for the tools that need it.
Each API endpoint will define the supported fields in the description
and examples
* The common query language expressions and operators are defined now in
a separate resource
* Adding a default non-root user to the container definition

---------

Signed-off-by: S3B4SZ17 <[email protected]>

Author: S3B4SZ17

.github/workflows/publish.yaml

@@ -5,6 +5,7 @@ on:
   push:
     branches:
       - main
+      - beta
     paths:
       - pyproject.toml
       - Dockerfile
@@ -84,20 +85,22 @@ jobs:
     runs-on: ubuntu-latest
     needs: push_to_registry
     steps:
-      - name: Check out the repo
+      - name: Check out repository
         uses: actions/checkout@v4
+        with:
+          ref: ${{ github.sha }} # required for better experience using pre-releases
+          fetch-depth: '0' # Required due to the way Git works, without it this action won't be able to find any or the correct tags
 
       - name: Get tag version
         id: semantic_release
-        uses: anothrNick/github-tag-action@1.73.0
+        uses: anothrNick/github-tag-action@1.71.0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           DEFAULT_BUMP: "patch"
-          TAG_CONTEXT: ${{ (github.base_ref != 'main') && 'branch' || 'repo' }}
+          TAG_CONTEXT: 'repo'
+          WITH_V: true
           PRERELEASE_SUFFIX: "beta"
           PRERELEASE: ${{ (github.base_ref != 'main') && 'true' || 'false' }}
-          DRY_RUN: false
-          INITIAL_VERSION: ${{ needs.push_to_registry.outputs.tag }}
 
       - name: Summary
         run: |

.github/workflows/test.yaml

@@ -66,11 +66,11 @@ jobs:
     permissions:
       contents: write # required for creating a tag
     steps:
-      - name: Check out the repo
+      - name: Check out repository
         uses: actions/checkout@v4
         with:
-          ref: ${{ github.head_ref }}   # checkout the correct branch name
-          fetch-depth: 0   
+          ref: ${{ github.sha }} # required for better experience using pre-releases
+          fetch-depth: '0' # Required due to the way Git works, without it this action won't be able to find any or the correct tags
 
       - name: Extract current version
         id: pyproject_version
@@ -80,15 +80,15 @@ jobs:
 
       - name: Get tag version
         id: semantic_release
-        uses: anothrNick/github-tag-action@1.73.0
+        uses: anothrNick/github-tag-action@1.71.0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           DEFAULT_BUMP: "patch"
-          TAG_CONTEXT: ${{ (github.base_ref != 'main') && 'branch' || 'repo' }}
+          TAG_CONTEXT: 'repo'
+          WITH_V: true
           PRERELEASE_SUFFIX: "beta"
           PRERELEASE: ${{ (github.base_ref != 'main') && 'true' || 'false' }}
           DRY_RUN: true
-          INITIAL_VERSION: ${{ steps.pyproject_version.outputs.TAG }}
 
       - name: Compare versions
         run: |

Dockerfile

@@ -33,4 +33,6 @@ COPY --from=builder --chown=app:app /app/app_config.yaml /app
 
 RUN pip install /app/sysdig_mcp_server.tar.gz
 
+USER 1001:1001
+
 ENTRYPOINT ["sysdig-mcp-server"]

README.md

@@ -7,6 +7,7 @@
   - [Description](#description)
   - [Quickstart Guide](#quickstart-guide)
   - [Available Tools](#available-tools)
+    - [Available Resources](#available-resources)
   - [Requirements](#requirements)
     - [UV Setup](#uv-setup)
   - [Configuration](#configuration)
@@ -124,6 +125,13 @@ Get up and running with the Sysdig MCP Server quickly using our pre-built Docker
 
 </details>
 
+### Available Resources
+
+- Sysdig Secure Vulnerability Management Overview:
+  - VM documentation based on the following [url](https://docs.sysdig.com/en/sysdig-secure/vulnerability-management/)
+- Sysdig Filter Query Language Instructions:
+  - Sysdig Filter Query Language for different API endpoint filters
+
 ## Requirements
 
 ### UV Setup

charts/sysdig-mcp/values.yaml

@@ -46,13 +46,12 @@ podLabels: {}
 podSecurityContext: {}
   # fsGroup: 2000
 
-securityContext: {}
-  # capabilities:
-  #   drop:
-  #   - ALL
-  # readOnlyRootFilesystem: true
-  # runAsNonRoot: true
-  # runAsUser: 1000
+securityContext:
+  readOnlyRootFilesystem: false
+  runAsNonRoot: true
+  runAsUser: 1001
+  runAsGroup: 1001
+  fsGroup: 1001
 
 service:
   type: ClusterIP

main.py

@@ -3,7 +3,9 @@
 """
 
 import os
-import asyncio
+import signal
+import sys
+import logging
 from dotenv import load_dotenv
 
 # Application config loader
@@ -12,28 +14,49 @@
 # Register all tools so they attach to the MCP server
 from utils.mcp_server import run_stdio, run_http
 
+# Set up logging
+logging.basicConfig(
+    format="%(asctime)s-%(process)d-%(levelname)s- %(message)s",
+    level=os.environ.get("LOGLEVEL", "ERROR"),
+)
+log = logging.getLogger(__name__)
+
 # Load environment variables from .env
 load_dotenv()
 
 app_config = get_app_config()
 
 
+def handle_signals():
+    def signal_handler(sig, frame):
+        log.info(f"Received signal {sig}, shutting down...")
+        os._exit(0)
+
+    signal.signal(signal.SIGINT, signal_handler)
+    signal.signal(signal.SIGTERM, signal_handler)
+    signal.signal(signal.SIGHUP, signal_handler)
+
+
 def main():
     # Choose transport: "stdio" or "sse" (HTTP/SSE)
+    handle_signals()
     transport = os.environ.get("MCP_TRANSPORT", app_config["mcp"]["transport"]).lower()
-    print("""
+    log.info("""
     ▄▖     ▌▘    ▖  ▖▄▖▄▖  ▄▖
     ▚ ▌▌▛▘▛▌▌▛▌  ▛▖▞▌▌ ▙▌  ▚ █▌▛▘▌▌█▌▛▘
     ▄▌▙▌▄▌▙▌▌▙▌  ▌▝ ▌▙▖▌   ▄▌▙▖▌ ▚▘▙▖▌
       ▄▌     ▄▌
     """)
     if transport == "stdio":
         # Run MCP server over STDIO (local)
-        asyncio.run(run_stdio())
+        run_stdio()
     else:
         # Run MCP server over streamable HTTP by default
         run_http()
 
 
 if __name__ == "__main__":
-    main()
+    try:
+        sys.exit(main())
+    except KeyboardInterrupt:
+        os._exit(0)

pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "sysdig-mcp-server"
-version = "0.1.1"
+version = "0.1.2-beta.0"
 description = "Sysdig MCP Server"
 readme = "README.md"
 requires-python = ">=3.12"

tests/conftest.py

@@ -6,6 +6,14 @@
 from fastmcp import FastMCP
 
 
+class MockMCP(FastMCP):
+    """
+    Mock class for FastMCP
+    """
+
+    pass
+
+
 def util_load_json(path):
     """
     Utility function to load a JSON file from the given path.
@@ -42,8 +50,8 @@ def mock_ctx():
     Returns:
         Context: A mocked Context object with 'fastmcp' tags.
     """
-    fastmcp: FastMCP = FastMCP(
-        name="Test",
+
+    fastmcp: MockMCP = MockMCP(
         tags=["sysdig", "mcp", "stdio"],
     )
     ctx = Context(fastmcp=fastmcp)

tools/events_feed/tool.py

@@ -14,6 +14,7 @@
 from fastmcp import Context
 from sysdig_client import ApiException
 from fastmcp.prompts.prompt import PromptMessage, TextContent
+from fastmcp.exceptions import ToolError
 from starlette.requests import Request
 from sysdig_client.api import SecureEventsApi
 from utils.sysdig.old_sysdig_api import OldSysdigApi
@@ -99,7 +100,7 @@ def tool_get_event_info(self, event_id: str, ctx: Context) -> dict:
             response = create_standard_response(results=raw, execution_time_ms=execution_time)
 
             return response
-        except ApiException as e:
+        except ToolError as e:
             logging.error("Exception when calling SecureEventsApi->get_event_v1: %s\n" % e)
             raise e
 
@@ -181,7 +182,7 @@ def tool_list_runtime_events(
                 execution_time_ms=duration_ms,
             )
             return response
-        except ApiException as e:
+        except ToolError as e:
             log.error(f"Exception when calling SecureEventsApi->get_events_v1: {e}\n")
             raise e
 
@@ -225,7 +226,7 @@ def tool_get_event_process_tree(self, ctx: Context, event_id: str) -> Dict[str,
             )
 
             return response
-        except ApiException as e:
+        except ToolError as e:
             log.error(f"Exception when calling Sysdig Sage API to get process tree: {e}")
             raise e
 

tools/inventory/tool.py

@@ -9,6 +9,7 @@
 from pydantic import Field
 from fastmcp.server.dependencies import get_http_request
 from fastmcp import Context
+from fastmcp.exceptions import ToolError
 from starlette.requests import Request
 from sysdig_client import ApiException
 from sysdig_client.api import InventoryApi
@@ -18,8 +19,8 @@
 from utils.query_helpers import create_standard_response
 
 # Configure logging
-log = logging.getLogger(__name__)
 logging.basicConfig(format="%(asctime)s-%(process)d-%(levelname)s- %(message)s", level=os.environ.get("LOGLEVEL", "ERROR"))
+log = logging.getLogger(__name__)
 
 # Load app config (expects keys: mcp.host, mcp.port, mcp.transport)
 app_config = get_app_config()
@@ -69,12 +70,78 @@ def tool_list_resources(
             Field(
                 description=(
                     """
-                    Sysdig Secure filter expression for inventory resources,
-                    base filter: platform in ("GCP", "AWS", "Azure", "Kubernetes"),
-                    Examples:
-                        not isExposed exists; category in ("IAM") and isExposed exists; category in ("IAM","Audit & Monitoring")
+                    Sysdig Secure query filter expression to filter inventory resources.
+
+                    Use the resource://filter-query-language to get the expected filter expression format.
+               
+                    List of supported fields:
+                    - accountName
+                    - accountId
+                    - cluster
+                    - externalDNS
+                    - distribution
+                    - integrationName
+                    - labels
+                    - location
+                    - name
+                    - namespace
+                    - nodeType
+                    - osName
+                    - osImage
+                    - organization
+                    - platform
+                    - control.accepted
+                    - policy
+                    - control.severity
+                    - control.failed
+                    - policy.failed
+                    - policy.passed
+                    - projectName
+                    - projectId
+                    - region
+                    - repository
+                    - resourceOrigin
+                    - type
+                    - subscriptionName
+                    - subscriptionId
+                    - sourceType
+                    - version
+                    - zone
+                    - category
+                    - isExposed
+                    - validatedExposure
+                    - arn
+                    - resourceId
+                    - container.name
+                    - architecture
+                    - baseOS
+                    - digest
+                    - imageId
+                    - os
+                    - container.imageName
+                    - image.registry
+                    - image.tag
+                    - package.inUse
+                    - package.info
+                    - package.path
+                    - package.type
+                    - vuln.cvssScore
+                    - vuln.hasExploit
+                    - vuln.hasFix
+                    - vuln.name
+                    - vuln.severity
+                    - machineImage
                 """
-                )
+                ),
+                examples=[
+                    'zone in ("zone1") and machineImage = "ami-0b22b359fdfabe1b5"',
+                    '(projectId = "1235495521" or projectId = "987654321") and vuln.severity in ("Critical")',
+                    'vuln.name in ("CVE-2023-0049")',
+                    'vuln.cvssScore >= "3"',
+                    'container.name in ("sysdig-container") and not labels exists',
+                    'imageId in ("sha256:3768ff6176e29a35ce1354622977a1e5c013045cbc4f30754ef3459218be8ac")',
+                    'platform in ("GCP", "AWS", "Azure", "Kubernetes") and isExposed exists',
+                ],
             ),
         ] = 'platform in ("GCP", "AWS", "Azure", "Kubernetes")',
         page_number: Annotated[int, Field(ge=1, description="Page number for pagination (1-based index)")] = 1,
@@ -112,7 +179,7 @@ def tool_list_resources(
             response = create_standard_response(results=api_response, execution_time_ms=execution_time)
 
             return response
-        except ApiException as e:
+        except ToolError as e:
             logging.error("Exception when calling InventoryApi->get_resources: %s\n" % e)
             raise e
 
@@ -141,6 +208,6 @@ def tool_get_resource(
             response = create_standard_response(results=api_response, execution_time_ms=execution_time)
 
             return response
-        except ApiException as e:
+        except ToolError as e:
             log.error(f"Exception when calling InventoryApi->get_resource: {e}")
             raise e