An agentic tool for handling and orchestrating Black Duck SCA products.
Black Duck SCA — MCP Server
Connect your AI coding assistant to the Black Duck Software Composition Analysis (SCA) products. The MCP server exposes your Black Duck SCA instance as a set of tools that any MCP-compatible AI harness can call to investigate your software's security posture and vulnerabilities, triage findings, and generate vulnerability reports and SBOMs.
Capabilities
These are the MCP tool areas currently available.
| Area | Available Features | Related Tool Names |
|---|---|---|
| Dashboard | View instance-wide security posture, activity trends, and vulnerability breakdowns | get_dashboard_summary |
| Projects | Find projects and versions, inspect BOM contents, and review project-level vulnerabilities | search_projects_versions fetch_project_components fetch_project_vulnerabilities |
| Components | Search components across projects and see where specific versions are used | search_components |
| Vulnerabilities | Search the global vulnerability dataset and update remediation/triage status | search_vulnerabilities update_vulnerability_remediation |
| Policies | Check policy violation status and compliance at project version level | fetch_policy_violation_status |
| Scanning | Run scans for source, binary, container, and SBOM inputs; check scan status and results; match code snippets | scan search_scans get_scan_status match_code_snippet |
| Reports | Generate SBOM, VEX/CSAF, and Notices reports | create_report |
| Connectivity | Validate backend connectivity and credential health | check_connectivity |
Prerequisites
- Black Duck SCA instance with a user account and API token
- Python 3.13 or later
- uv — Python package manager
- Java 11+ (optional) — required only for source scanning via Detect
Installation
FIXME: fixup urls for pypi when released
Claude Code
claude mcp add blackduck-bdsca-mcp \
--env BLACKDUCK_BDSCA_URL=https://<your-instance-url> \
--env BLACKDUCK_BDSCA_TOKEN=<api-token> \
-- uvx \
--managed-python --python 3.13 \
--from 'blackduck-sca-mcp' bdsca \
--transport stdio
Claude Desktop/Cowork
Add via UI and make sure the config file has similar values afterward.
{
"managedMcpServers": [
{
"name": "blackduck-bdsca-mcp",
"source": "user",
"transport": "stdio",
"command": "/bin/uvx",
"args": [
"--managed-python",
"--python", "3.13",
"--from", "blackduck-sca-mcp", "bdsca",
"--transport", "stdio"
],
"env": {
"BLACKDUCK_BDSCA_URL": "https://<your-instance-url>",
"BLACKDUCK_BDSCA_TOKEN": "<api-token>"
}
}
]
}
VS Code
Add to .vscode/mcp.json in your project:
{
"servers": {
"blackduck-bdsca-mcp": {
"command": "uvx",
"args": [
"--managed-python",
"--python", "3.13",
"--from", "blackduck-sca-mcp", "bdsca",
"--transport", "stdio"
],
"env": {
"BLACKDUCK_BDSCA_URL": "https://<your-instance-url>",
"BLACKDUCK_BDSCA_TOKEN": "<api-token>"
}
}
}
}
Copilot CLI
Copilot CLI currently does not implement the full MCP spec: it is missing handling of MCP resources. To work around that, we can expose those resources as tools by specifying the BLACKDUCK_MCP_ENABLE_RESOURCES_AS_TOOLS=true environment variable.
copilot mcp add blackduck-bdsca-mcp \
--env BLACKDUCK_BDSCA_URL=https://<your-instance-url> \
--env BLACKDUCK_BDSCA_TOKEN=<api-token> \
--env BLACKDUCK_MCP_ENABLE_RESOURCES_AS_TOOLS=true \
-- uvx \
--managed-python --python 3.13 \
--from 'blackduck-sca-mcp' bdsca \
--transport stdio
{
"servers": {
"blackduck-bdsca-mcp": {
"command": "uvx",
"args": [
"--managed-python",
"--python", "3.13",
"--from", "blackduck-sca-mcp", "bdsca",
"--transport", "stdio"
],
"env": {
"BLACKDUCK_BDSCA_URL": "https://<your-instance-url>",
"BLACKDUCK_BDSCA_TOKEN": "<api-token>"
}
}
}
}
Roo Code
Use the same .vscode/mcp.json configuration as GitHub Copilot above.
SSL/TLS
If your instance uses a self-signed certificate, either add it to your system's trusted certificate store or set the following environment variable to allow the MCP server to connect:
export BLACKDUCK_BDSCA_SSL_VERIFY=false
Security
API tokens inherit the full permissions of the associated user account. If you provide a token with write access, the AI assistant can modify data in your Black Duck SCA instance — including updating vulnerability remediation status and policy overrides.
We recommend creating a dedicated service account with the minimum permissions required for your use case. See the Role and Permission Matrix for details.
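A check you can run over the client configs shown above before they are committed or shared, as an added example that is not part of the project: it flags a literal API token, a non-HTTPS instance URL, and BLACKDUCK_BDSCA_SSL_VERIFY=false. The function names, the sample config, and the choice to treat `<...>` placeholders and `${...}` references as non-secrets are assumptions of this example.

```python
import json

# Environment keys documented on this page.
URL_KEY = "BLACKDUCK_BDSCA_URL"
TOKEN_KEY = "BLACKDUCK_BDSCA_TOKEN"
VERIFY_KEY = "BLACKDUCK_BDSCA_SSL_VERIFY"


def iter_servers(config):
    """Yield (name, entry) for both config layouts shown on this page."""
    servers = config.get("servers", {})
    if isinstance(servers, dict):                      # .vscode/mcp.json layout
        yield from servers.items()
    for entry in config.get("managedMcpServers", []):  # Claude Desktop layout
        yield entry.get("name", "<unnamed>"), entry


def is_reference(value):
    """True for placeholders (<api-token>) and variable references (${...})."""
    v = value.strip()
    return (v.startswith("<") and v.endswith(">")) or v.startswith("${")


def audit(config_text):
    """Return a sorted list of (server, finding) for risky env settings."""
    findings = []
    for name, entry in iter_servers(json.loads(config_text)):
        env = entry.get("env") or {}
        token = str(env.get(TOKEN_KEY, ""))
        if token and not is_reference(token):
            findings.append((name, "literal API token stored in config file"))
        url = str(env.get(URL_KEY, ""))
        if url and not is_reference(url) and not url.lower().startswith("https://"):
            findings.append((name, "instance URL is not https"))
        if str(env.get(VERIFY_KEY, "true")).strip().lower() == "false":
            findings.append((name, "TLS certificate verification disabled"))
    return sorted(findings)


# Constructed sample: made-up host and token, verification turned off.
SAMPLE = json.dumps({"servers": {"blackduck-bdsca-mcp": {
    "command": "uvx",
    "env": {URL_KEY: "http://bd.example.internal",
            TOKEN_KEY: "constructed-not-a-real-token",
            VERIFY_KEY: "false"}}}})

if __name__ == "__main__":
    for server, finding in audit(SAMPLE):
        print(f"{server}: {finding}")
```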
Support
File details
Details for the file blackduck_sca_mcp-0.9.0-cp313-none-any.whl.
File metadata
- Download URL: blackduck_sca_mcp-0.9.0-cp313-none-any.whl
- Upload date:
- Size: 226.9 kB
- Tags: CPython 3.13
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.11.19
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 779f14a4de65d42a1ce61e1be4951e4397385918b16f840a7f2691b8c6bbce82 |
| MD5 | eed6bfffa884f1eac3ac01e52a3007d2 |
| BLAKE2b-256 | 57e248c4c58c083db255a0450aebbed3b518e360d636a9ff59284bd2fd0e83e0 |