Sonatype MCP Server (directory listing)

Organization: sonatype
Publisher: sonatype
Repository: dependency-management-mcp-server
Language: TypeScript
License: MIT
Transport type: streamable-http
Stars: 70, Forks: 29
Tools indexed by the directory: 0 (the README below documents three)

Component intelligence with versions, security analysis, and Trust Score recommendations.

Sonatype MCP Server

A Model Context Protocol (MCP) server that connects AI assistants to Sonatype's dependency management and security intelligence platform. Empower your AI coding assistant with real-time insights into open source security vulnerabilities, license compliance, and dependency health.

Overview

The Sonatype MCP Server enables AI assistants to access Sonatype's comprehensive dependency intelligence directly within your development workflow. By integrating with the Model Context Protocol, your AI assistant can help you make informed decisions about dependencies, identify security risks, and maintain compliance — all without leaving your IDE.

Key Features

  • Component Version Selection - Select the best version the first time, without the side quest
  • Security Vulnerability Scanning - Identify known vulnerabilities in your project dependencies
  • License Compliance Checking - Ensure your dependencies meet your organization's license policies
  • Dependency Health Analysis - Get insights into dependency quality, maintenance status, and risk factors
  • Real-time Security Advisories - Stay informed about the latest security threats affecting your dependencies
  • Remediation Guidance - Receive actionable recommendations to fix vulnerabilities and compliance issues

Prerequisites

  • For IDEs or tools that only support stdio MCP servers (like IntelliJ), install mcp-remote:
    bash
    npm install -g mcp-remote

Setup

The Sonatype MCP Server runs as a remote MCP server. Choose the setup instructions for your IDE or AI assistant:

Gemini Code Assist

Replace <your-token> with your personal API token generated at https://guide.sonatype.com/settings/tokens

json
{
  "mcpServers": {
    "sonatype-mcp": {
      "httpUrl": "https://mcp.guide.sonatype.com/mcp",
      "headers": {
        "Authorization": "Bearer <your-token>"
      }
    }
  }
}

Claude Code

Add the server using the Claude CLI:

Replace <your-token> with your personal API token generated at https://guide.sonatype.com/settings/tokens

bash
claude mcp add --transport http --scope user sonatype-mcp https://mcp.guide.sonatype.com/mcp --header "Authorization: Bearer <your-token>"

VS Code Copilot

Add the following configuration to your global VS Code mcp.json or create a .vscode/mcp.json file in your workspace:

Replace <your-token> with your personal API token generated at https://guide.sonatype.com/settings/tokens

json
{
  "servers": {
    "sonatype-mcp": {
      "url": "https://mcp.guide.sonatype.com/mcp",
      "type": "http",
      "headers": {
        "Authorization": "Bearer <your-token>"
      }
    }
  }
}

Windsurf

Create or edit ~/.codeium/windsurf/mcp_config.json:

Replace <your-token> with your personal API token generated at https://guide.sonatype.com/settings/tokens

json
{
  "mcpServers": {
    "sonatype-mcp": {
      "command": "npx",
      "args": [
        "mcp-remote",
        "https://mcp.guide.sonatype.com/mcp",
        "--header",
        "Authorization: Bearer <your-token>"
      ]
    }
  }
}

IntelliJ with Junie

Junie only speaks stdio, so the server is reached through mcp-remote (see Prerequisites). The same configuration works at either scope:

Global Scope: Go to IDE settings → Tools → Junie → MCP Settings, click "+" and paste the JSON below.

Project Scope: Create .junie/mcp/.mcp.json in your project root with the JSON below.

Replace <your-token> with your personal API token generated at https://guide.sonatype.com/settings/tokens

json
{
  "mcpServers": {
    "sonatype-mcp": {
      "command": "npx",
      "args": [
        "mcp-remote",
        "https://mcp.guide.sonatype.com/mcp",
        "--header",
        "Authorization: Bearer <your-token>"
      ]
    }
  }
}

Kiro

Create or edit ~/.kiro/settings/mcp.json:

Replace <your-token> with your personal API token generated at https://guide.sonatype.com/settings/tokens

json
{
  "mcpServers": {
    "sonatype-mcp": {
      "command": "npx",
      "args": [
        "mcp-remote",
        "https://mcp.guide.sonatype.com/mcp",
        "--header",
        "Authorization: Bearer <your-token>"
      ]
    }
  }
}

Cursor

Cursor supports remote servers directly. Add to your ~/.cursor/mcp.json:

Replace <your-token> with your personal API token generated at https://guide.sonatype.com/settings/tokens

json
{
  "mcpServers": {
    "sonatype-mcp": {
      "type": "http",
      "url": "https://mcp.guide.sonatype.com/mcp",
      "headers": {
        "Authorization": "Bearer <your-token>"
      }
    }
  }
}

Codex (IDE Plugin & CLI)

For both methods below, define an environment variable SONATYPE_GUIDE_MCP_TOKEN for your personal API token generated at https://guide.sonatype.com/settings/tokens.

Method 1: Using the CLI command:

bash
codex mcp add sonatype-mcp --url https://mcp.guide.sonatype.com/mcp --bearer-token-env-var SONATYPE_GUIDE_MCP_TOKEN

Method 2: Create or edit ~/.codex/config.toml:

toml
[mcp_servers.sonatype-mcp]
url = "https://mcp.guide.sonatype.com/mcp"
bearer_token_env_var = "SONATYPE_GUIDE_MCP_TOKEN"

Authentication

The Sonatype MCP Server uses API token authentication:

  1. Create a Sonatype Guide account and generate your personal API token at https://guide.sonatype.com/settings/tokens
  2. Add the token to your MCP configuration using the Authorization: Bearer <your-token> header format
  3. Replace <your-token> with your actual token in the configuration examples above

Your API token authenticates every request, so treat it like a password. Never commit it to version control: the workspace-level files shown above (.vscode/mcp.json, .junie/mcp/.mcp.json, .cursorrules-adjacent project config) hold it in plaintext inside the repository, and a token passed on the mcp-remote command line (Windsurf, Junie, Kiro) is also visible to anyone who can list processes on the machine. Where the client can read the token from the environment, as the Codex configuration does with SONATYPE_GUIDE_MCP_TOKEN, prefer that over pasting the token into a file; otherwise keep the file out of the repository (for example via .gitignore) and generate a replacement token at https://guide.sonatype.com/settings/tokens if the old one is ever exposed.

Configuring AI Assistant Rules

To maximize the effectiveness of the Sonatype MCP Server, configure your AI assistant to prioritize using Sonatype MCP tools when working with dependencies, packages, or software supply chain security. Below are instructions for each supported IDE or tool.

Claude Code

Create custom instructions using CLAUDE.md files:

Global (all projects): Create ~/.claude/CLAUDE.md

Project (specific repository): Create .claude/CLAUDE.md in your project root

Add the following instruction:

markdown
## Sonatype MCP

When handling code related to dependencies, package management, or software supply chain security, always prioritize Sonatype MCP tools. Use the available MCP tools to research versions, check for vulnerabilities, and get recommendations before adding or updating any dependencies.

Cursor

Create a .cursorrules file in your project root:

Project (specific repository): Create .cursorrules in your project root

Add the following instruction:

markdown
## Sonatype MCP

When handling code related to dependencies, package management, or software supply chain security, always prioritize Sonatype MCP tools. Use the available MCP tools to research versions, check for vulnerabilities, and get recommendations before adding or updating any dependencies.

VS Code Copilot

Create custom instructions using a .github/copilot-instructions.md file:

Project (specific repository): Create .github/copilot-instructions.md in your project root

Add the following instruction:

markdown
## Sonatype MCP

When handling code related to dependencies, package management, or software supply chain security, always prioritize Sonatype MCP tools. Use the available MCP tools to research versions, check for vulnerabilities, and get recommendations before adding or updating any dependencies.

Windsurf

Create rules using Windsurf's Customizations feature:

Global (all projects):

  1. Click the "Rules, Memories & Workflows" icon in the top right of Cascade, or search "Rules" in Windsurf Settings
  2. Navigate to "Rules"
  3. Click "+ Global" to create a new global rule
  4. Add the following content:

markdown
## Sonatype MCP

When handling code related to dependencies, package management, or software supply chain security, always prioritize Sonatype MCP tools. Use the available MCP tools to research versions, check for vulnerabilities, and get recommendations before adding or updating any dependencies.

Project (specific repository): Follow the Global steps but click "+ Workspace", or create .windsurf/rules/sonatype.md in your project root with the same content:

markdown
## Sonatype MCP

When handling code related to dependencies, package management, or software supply chain security, always prioritize Sonatype MCP tools. Use the available MCP tools to research versions, check for vulnerabilities, and get recommendations before adding or updating any dependencies.

IntelliJ with Junie

Create custom guidelines using a .junie/guidelines.md file:

Project (specific repository): Create .junie/guidelines.md in your project root

Add the following instruction:

markdown
## Sonatype MCP

When handling code related to dependencies, package management, or software supply chain security, always prioritize Sonatype MCP tools. Use the available MCP tools to research versions, check for vulnerabilities, and get recommendations before adding or updating any dependencies.

Kiro

Create steering files in the .kiro/steering/ directory:

Project (specific repository): Create .kiro/steering/sonatype.md in your project root

Add YAML front matter to make it always included:

markdown
---
inclusion: always
---

## Sonatype MCP

When handling code related to dependencies, package management, or software supply chain security, always prioritize Sonatype MCP tools. Use the available MCP tools to research versions, check for vulnerabilities, and get recommendations before adding or updating any dependencies.

Gemini Code Assist

Create custom instructions using GEMINI.md files:

Global (all projects): Create ~/.gemini/GEMINI.md

Project (specific repository): Create GEMINI.md in your project root

Add the following instruction:

markdown
## Sonatype MCP

When handling code related to dependencies, package management, or software supply chain security, always prioritize Sonatype MCP tools. Use the available MCP tools to research versions, check for vulnerabilities, and get recommendations before adding or updating any dependencies.

Example Use Cases

In the normal course of development, LLMs will decide to use or upgrade dependencies. Our MCP tools will be used transparently, offering better suggestions with more up-to-date information, eliminating the side quest of validating component and version choices.

Here are some ways to leverage the Sonatype MCP Server explicitly in your development workflow:

Analyze a Specific Version

Ask your AI assistant:

"Get detailed security information for react 18.2.0"

The assistant will return comprehensive details including CVEs with CVSS scores, license information, categories, end-of-life status, and catalog date.

Find the Latest Stable Version

Ask your AI assistant:

"What's the latest stable version of spring-boot?"

The assistant will return the latest version with full security analysis, policy violations, licenses, risk scores, and upgrade recommendations.

Security Assessment Workflow

The assistant can combine the tools: getComponentVersion for the version you currently depend on, then getLatestComponentVersion or getRecommendedComponentVersions for candidate upgrades, and from the two results give actionable security guidance on whether and where to move.

Available Tools

The Sonatype MCP Server provides three powerful tools for AI assistants:

  • getComponentVersion - Gets component information about a specific version of a component
  • getLatestComponentVersion - Gets component information about the latest version of a component
  • getRecommendedComponentVersions - Gets a set of recommended versions to upgrade to based on the current version of a component. If no version is provided, gets a set of recommended versions to start with for the component
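Before wiring the server into an assistant, it is worth checking two things by hand: that the token is accepted, and that the three tools above are actually what the endpoint advertises. The following TypeScript is an added example, not code from Sonatype's repository or from any of the clients above. It speaks the MCP streamable HTTP transport the listing declares (a JSON-RPC initialize, the initialized notification, then tools/list over POST), reads the token from the caller rather than a file, and parses either a plain JSON reply or an SSE-framed one. The SSE sample at the bottom is constructed so the parsing path runs offline; it reuses the tool names from the list above, but the live server's descriptions and input schemas are not reproduced here and should be read from the real tools/list response.

```typescript
// Added example (not part of the Sonatype project): smoke-test a remote MCP
// server over streamable HTTP and list the tools it advertises.

interface JsonRpcRequest {
  jsonrpc: "2.0";
  id?: number;              // notifications carry no id
  method: string;
  params?: Record<string, unknown>;
}

interface JsonRpcResponse {
  jsonrpc: "2.0";
  id?: number;
  result?: any;
  error?: { code: number; message: string };
}

// First message of the MCP handshake. protocolVersion is the streamable HTTP
// revision; the server may negotiate a different one in its result.
function buildInitialize(id: number): JsonRpcRequest {
  return {
    jsonrpc: "2.0",
    id,
    method: "initialize",
    params: {
      protocolVersion: "2025-03-26",
      capabilities: {},
      clientInfo: { name: "sonatype-mcp-smoketest", version: "0.0.1" },
    },
  };
}

function buildToolsList(id: number): JsonRpcRequest {
  return { jsonrpc: "2.0", id, method: "tools/list", params: {} };
}

// A streamable HTTP server answers a POST either with application/json (one
// JSON-RPC message) or with text/event-stream ("data:" events, possibly several).
// A notification gets an empty 202 body, which yields no messages.
function parseMcpBody(contentType: string, body: string): JsonRpcResponse[] {
  if (!body.trim()) return [];
  if (contentType.startsWith("text/event-stream")) {
    const messages: JsonRpcResponse[] = [];
    for (const event of body.split(/\r?\n\r?\n/)) {
      const data = event
        .split(/\r?\n/)
        .filter((line) => line.startsWith("data:"))
        .map((line) => line.slice(5).trimStart())
        .join("\n");
      if (data) messages.push(JSON.parse(data) as JsonRpcResponse);
    }
    return messages;
  }
  return [JSON.parse(body) as JsonRpcResponse];
}

// Pick the reply matching our request id and return the advertised tool names.
function toolNames(messages: JsonRpcResponse[], id: number): string[] {
  const reply = messages.find((m) => m.id === id);
  if (!reply) throw new Error(`no response with id ${id}`);
  if (reply.error) throw new Error(`server error ${reply.error.code}: ${reply.error.message}`);
  return (reply.result.tools as { name: string }[]).map((t) => t.name);
}

// Live check. The token is supplied by the caller (e.g. from an environment
// variable); it never appears as a literal in this file.
async function smokeTest(url: string, token: string): Promise<string[]> {
  const headers: Record<string, string> = {
    "Content-Type": "application/json",
    Accept: "application/json, text/event-stream",
    Authorization: `Bearer ${token}`,
  };
  const post = async (msg: JsonRpcRequest): Promise<JsonRpcResponse[]> => {
    const res = await fetch(url, { method: "POST", headers, body: JSON.stringify(msg) });
    if (res.status === 401 || res.status === 403) throw new Error(`rejected (${res.status}): check the token`);
    if (!res.ok) throw new Error(`HTTP ${res.status}`);
    // If the server assigns a session, every later request must echo it.
    const session = res.headers.get("mcp-session-id");
    if (session) headers["Mcp-Session-Id"] = session;
    return parseMcpBody(res.headers.get("content-type") ?? "", await res.text());
  };
  const init = await post(buildInitialize(1));
  if (!init.find((m) => m.id === 1)?.result) throw new Error("initialize failed");
  await post({ jsonrpc: "2.0", method: "notifications/initialized" });
  return toolNames(await post(buildToolsList(2)), 2);
}

// Constructed sample of an SSE-framed tools/list reply (tool names taken from
// the README; descriptions elided) so the parser can be exercised offline.
const SAMPLE_SSE =
  'event: message\ndata: {"jsonrpc":"2.0","id":2,"result":{"tools":[' +
  '{"name":"getComponentVersion","description":"..."},' +
  '{"name":"getLatestComponentVersion","description":"..."},' +
  '{"name":"getRecommendedComponentVersions","description":"..."}]}}\n\n';

console.log(toolNames(parseMcpBody("text/event-stream", SAMPLE_SSE), 2));
```

To run it against the real endpoint, call smokeTest("https://mcp.guide.sonatype.com/mcp", token) with the token read from SONATYPE_GUIDE_MCP_TOKEN or prompted from the terminal; a 401 or 403 means the token is wrong or was not sent, and the returned names should match the three tools documented above.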

Support & Feedback

About Sonatype

Sonatype is the leader in software supply chain security, providing solutions that help organizations manage open source risk throughout the development lifecycle. Learn more at sonatype.com.

Built with ❤️ for developers who care about secure software supply chains.

Installation

TypingMind

json
{
  "mcpServers": {
    "sonatype": {
      "url": "https://mcp.guide.sonatype.com/mcp",
      "env": null
    }
  }
}

This snippet is TypingMind's generic template and carries no credentials. The Sonatype server still needs the Authorization: Bearer <your-token> header described under Authentication; in TypingMind that header is added as a custom HTTP header when the connection is created (step 2 below).

Use Sonatype MCP with multiple AI models

TypingMind connects MCP tools at the workspace level, so once Sonatype is connected, you can use it with different AI models in TypingMind instead of setting it up separately for each model. This MCP connects through a hosted MCP server URL in TypingMind.

Add an MCP server URL

Use this when Sonatype is already hosted remotely or your team wants one shared connector that multiple users can access.

Step 1: Open MCP connectors

In TypingMind, go to Plugins, open MCP connectors, then choose Add URL.

  1. Open TypingMind in your browser.
  2. Go to Plugins.
  3. Open MCP connectors.
  4. Click Add URL.
Step 2: Paste the server URL

Enter https://mcp.guide.sonatype.com/mcp in the Server URL field. This server authenticates with an API token, so add the custom HTTP header Authorization: Bearer <your-token>; a connection name, description, and icon are optional.

  1. Paste https://mcp.guide.sonatype.com/mcp into the Server URL field.
  2. Enter a connection name for Sonatype.
  3. Add a description and icon if you want it to be easier to identify.
  4. Add the custom HTTP header Authorization: Bearer <your-token>, using a token generated at https://guide.sonatype.com/settings/tokens.
Step 3: Create the connection

Click Create connection, then return to the Plugins list and confirm the new MCP connection is active.

  1. Click Create connection.
  2. Return to the MCP connectors list.
  3. Confirm the Sonatype connection appears as active.
  4. Refresh the plugin list if the connection does not appear immediately.
Step 4: Switch models without reconnecting

Start a chat with your preferred model, enable the Sonatype tools from Plugins, and switch to another model whenever needed. The MCP connection stays available to the TypingMind workspace.

  1. Start a new chat in TypingMind.
  2. Select the AI model you want to use.
  3. Enable the Sonatype tools from Plugins.
  4. Ask the model to use the tool when needed.
  5. Switch to another AI model and reuse the same MCP connection.

Frequently asked questions

What is the Sonatype MCP server used for?

The Sonatype MCP server connects compatible AI clients to Sonatype's component intelligence: version information, known vulnerabilities, license data, and upgrade recommendations for open source dependencies. In TypingMind, you add the server once and its tools become available across your AI workspace.

Can I use Sonatype MCP with multiple AI models in TypingMind?

Yes. TypingMind connects MCP tools at the workspace level, so you can use Sonatype with different AI models such as Claude, ChatGPT, Gemini, or other models you have configured in TypingMind without setting up the MCP server separately for each model.

Why use Sonatype MCP with TypingMind?

TypingMind is one of the best frontends for LLM chat because it brings multiple AI models, prompts, plugins, AI agents, API keys, and MCP tools into one workspace. With Sonatype connected, you can use its MCP tools across your preferred models while keeping your chat workflow organized in TypingMind.

How do I connect Sonatype MCP to TypingMind?

Sonatype can be connected in TypingMind by adding its hosted MCP server URL. This is useful when you want a remote MCP connection that is available from your TypingMind workspace.

What tools does Sonatype MCP provide in TypingMind?

The server exposes the three tools documented under Available Tools above (getComponentVersion, getLatestComponentVersion, and getRecommendedComponentVersions). They can be enabled from the TypingMind Plugins page and used in chat or assigned to AI agents.

Do I need to share my API keys with TypingMind to use Sonatype MCP?

No. TypingMind is local-first and lets you keep your model providers, API keys, prompts, and MCP configuration under your control. The Sonatype server requires a personal API token, which you supply as the Authorization: Bearer <your-token> custom HTTP header when you create the connection.
