This is an implementation of an MCP (Model Context Protocol) Server to allow different LLMs to query information from Sysdig Secure platform. It is still in early development and not yet ready for production use. New endpoints and functionalities will be added over time. The goal is to provide a simple and easy-to-use interface for querying information from Sysdig Secure platform using LLMs.
Get up and running with the Sysdig MCP Server quickly using our pre-built Docker image.
-
Get your API Token: Go to your Sysdig Secure instance and navigate to Settings > Sysdig Secure API. Here, you can generate or copy your API token. This token is required to authenticate requests to the Sysdig Platform (See the Configuration section for more details).
-
Pull the image:
Pull the latest Sysdig MCP Server image from the GitHub Container Registry:
docker pull ghcr.io/sysdiglabs/sysdig-mcp-server:latest -
Configure your client:
For example, you can configure Claude Desktop app to use the Sysdig MCP Server by editing the
claude_desktop_config.jsonfile. This is useful for running the server locally with thestdiotransport. You can apply this configuration to any other client that supports MCP (For more details, see the Client Configuration section).Substitute the following placeholders with your actual values:
<your_sysdig_host>: The hostname of your Sysdig Secure instance (e.g.,https://us2.app.sysdig.comorhttps://eu1.app.sysdig.com)<your_sysdig_secure_api_token>: Your Sysdig Secure API token
{ "mcpServers": { "sysdig-mcp-server": { "command": "docker", "args": [ "run", "-i", "--rm", "-e", "SYSDIG_MCP_API_HOST", "-e", "SYSDIG_MCP_TRANSPORT", "-e", "SYSDIG_MCP_API_SECURE_TOKEN", "ghcr.io/sysdiglabs/sysdig-mcp-server:latest" ], "env": { "SYSDIG_MCP_API_HOST": "<your_sysdig_host>", "SYSDIG_MCP_API_SECURE_TOKEN": "<your_sysdig_secure_api_token>", "SYSDIG_MCP_TRANSPORT": "stdio" } } } }
The server dynamically filters the available tools based on the permissions associated with the API token used for the request. If the token lacks the required permissions for a tool, that tool will not be listed.
-
get_event_info- Description: Retrieve detailed information for a specific security event by its ID.
- Required Permission:
policy-events.read - Sample Prompt: "Get full details for event ID 123abc"
-
list_runtime_events- Description: List runtime security events from the last given hours, optionally filtered by severity level.
- Required Permission:
policy-events.read - Sample Prompt: "Show me high severity events from the last 2 hours in cluster1"
-
get_event_process_tree- Description: Retrieve the process tree for a specific event (if available).
- Required Permission:
policy-events.read - Sample Prompt: "Get the process tree for event ID abc123"
-
generate_sysql- Description: Generates a SysQL query from a natural language question.
- Required Permission:
sage.exec - Sample Prompt: "List top 10 pods by memory usage in the last hour"
- Note: The
generate_sysqltool currently does not work with Service Account tokens and will return a 500 error. For this tool, use an API token assigned to a regular user account.
-
run_sysql- Description: Execute a pre-written SysQL query directly (use only when user provides explicit query).
- Required Permission:
sage.exec,risks.read - Sample Prompt: "Run this query: MATCH CloudResource WHERE type = 'aws_s3_bucket' LIMIT 10"
- Go 1.25 or higher (if running without Docker).
The following environment variables are required for configuring the Sysdig SDK:
SYSDIG_MCP_API_HOST: The URL of your Sysdig Secure instance (e.g.,https://us2.app.sysdig.com). Required when usingstdiotransport.SYSDIG_MCP_API_SECURE_TOKEN: Your Sysdig Secure API token. Required only when usingstdiotransport.
You can also set the following variables to override the default configuration:
SYSDIG_MCP_TRANSPORT: The transport protocol for the MCP Server (stdio,streamable-http,sse). Defaults to:stdio.SYSDIG_MCP_MOUNT_PATH: The URL prefix for the streamable-http/sse deployment. Defaults to:/sysdig-mcp-serverSYSDIG_MCP_LOGLEVEL: Log Level of the application (DEBUG,INFO,WARNING,ERROR). Defaults to:INFOSYSDIG_MCP_LISTENING_PORT: The port for the server when it is deployed using remote protocols (streamable-http,sse). Defaults to:8080SYSDIG_MCP_LISTENING_HOST: The host for the server when it is deployed using remote protocols (streamable-http,sse). Defaults to:localhost
You can find your API token in the Sysdig Secure UI under Settings > Sysdig Secure API. Make sure to copy the token as it will not be shown again.
Example configuration (stdio):
# Required
SYSDIG_MCP_API_HOST=https://us2.app.sysdig.com
SYSDIG_MCP_API_SECURE_TOKEN=your-api-token-here
# Optional
SYSDIG_MCP_TRANSPORT=stdio
SYSDIG_MCP_LOGLEVEL=INFO
Example configuration (streamable-http / sse):
# Required
SYSDIG_MCP_TRANSPORT=streamable-http
# Optional (Host and Token can be provided via HTTP headers)
# SYSDIG_MCP_API_HOST=https://us2.app.sysdig.com
# SYSDIG_MCP_API_SECURE_TOKEN=your-api-token-here
SYSDIG_MCP_LISTENING_PORT=8080
SYSDIG_MCP_LISTENING_HOST=localhost
SYSDIG_MCP_MOUNT_PATH=/sysdig-mcp-server
To use the MCP server tools, your API token needs specific permissions in Sysdig Secure. We recommend creating a dedicated Service Account (SA) with a custom role containing only the required permissions.
Permissions Mapping:
| Permission | Sysdig UI Permission Name |
|---|---|
policy-events.read |
Threats: "Policy Events" (Read) |
sage.exec |
SysQL: "AI Query Generation" (EXEC) |
risks.read |
Risks: "Access to risk feature" (Read) |
Additional Permissions:
- Settings: "API Access Token" - View, Read, Edit (required to generate and manage API tokens)
Setting up Permissions:
- Go to Settings > Users & Teams > Roles in your Sysdig Secure instance
- Create a new role with the permissions listed above
- Assign this role to a Service Account or user
- Use the API token from that account with the MCP server
Note: When selecting permissions, some dependent permissions may be automatically added by Sysdig.
For detailed instructions, see the official Sysdig Roles Administration documentation.
Important
Service Account Limitation: The generate_sysql tool currently does not work with Service Account tokens and will return a 500 error. For this tool, use an API token assigned to a regular user account.
You can run the MCP server using Docker (recommended for production) or directly with Go.
The easiest way to run the server is using the pre-built Docker image from GitHub Container Registry (as shown in the Quickstart Guide).
docker run -e SYSDIG_MCP_API_HOST=<your_sysdig_host> -e SYSDIG_MCP_API_SECURE_TOKEN=<your_sysdig_secure_api_token> -e SYSDIG_MCP_TRANSPORT=stdio -p 8080:8080 ghcr.io/sysdiglabs/sysdig-mcp-server:latest
To use the streamable-http or sse transports (for remote MCP clients), set the SYSDIG_MCP_TRANSPORT environment variable accordingly:
docker run -e SYSDIG_MCP_TRANSPORT=streamable-http -e SYSDIG_MCP_API_HOST=<your_sysdig_host> -e SYSDIG_MCP_API_SECURE_TOKEN=<your_sysdig_secure_api_token> -p 8080:8080 ghcr.io/sysdiglabs/sysdig-mcp-server:latest
You can run the server directly using Go without cloning the repository:
go run github.com/sysdiglabs/sysdig-mcp-server/cmd/server@latest
By default, the server will run using the stdio transport. To use the streamable-http or sse transports, set the SYSDIG_MCP_TRANSPORT environment variable:
SYSDIG_MCP_TRANSPORT=streamable-http go run github.com/sysdiglabs/sysdig-mcp-server/cmd/server@latest
For local development, we provide a flake.nix file that sets up a reproducible environment with all necessary dependencies (Go, development tools, linters, etc.).
If you have Nix installed, you can enter the development shell:
nix develop
If you use direnv, simply run:
direnv allow
To use the MCP server with a client like Claude or Cursor, you need to provide the server's URL and authentication details.
When using the sse or streamable-http transport, the server requires a Bearer token for authentication. The token is passed in the X-Sysdig-Token or default to Authorization header of the HTTP request (i.e Bearer SYSDIG_SECURE_API_TOKEN).
Additionally, you can specify the Sysdig Secure host by providing the X-Sysdig-Host header.
Note: When provided, the authentication headers (
Authorization,X-Sysdig-Token) and host header (X-Sysdig-Host) take precedence over the configured environment variables.
Example headers:
Authorization: Bearer <your_sysdig_secure_api_token>
X-Sysdig-Host: <your_sysdig_host>
If you are running the server with the sse or streamable-http transport, the URL will be http://<host>:<port>/sysdig-mcp-server/mcp.
For example, if you are running the server locally on port 8080, the URL will be http://localhost:8080/sysdig-mcp-server/mcp.
For the Claude Desktop app, you can manually configure the MCP server by editing the claude_desktop_config.json file.
-
Open the configuration file:
- Go to Settings > Developer in the Claude Desktop app.
- Click on Edit Config to open the
claude_desktop_config.jsonfile.
-
Add the MCP server configuration:
Option A: Using Docker (Recommended)
{ "mcpServers": { "sysdig-mcp-server": { "command": "docker", "args": [ "run", "-i", "--rm", "-e", "SYSDIG_MCP_API_HOST", "-e", "SYSDIG_MCP_TRANSPORT", "-e", "SYSDIG_MCP_API_SECURE_TOKEN", "ghcr.io/sysdiglabs/sysdig-mcp-server:latest" ], "env": { "SYSDIG_MCP_API_HOST": "<your_sysdig_host>", "SYSDIG_MCP_API_SECURE_TOKEN": "<your_sysdig_secure_api_token>", "SYSDIG_MCP_TRANSPORT": "stdio" } } } }Option B: Using Go
{ "mcpServers": { "sysdig-mcp-server": { "command": "go", "args": [ "run", "github.com/sysdiglabs/sysdig-mcp-server/cmd/server@latest" ], "env": { "SYSDIG_MCP_API_HOST": "<your_sysdig_host>", "SYSDIG_MCP_API_SECURE_TOKEN": "<your_sysdig_secure_api_token>", "SYSDIG_MCP_TRANSPORT": "stdio" } } } } -
Replace the placeholders:
- Replace
<your_sysdig_host>with your Sysdig Secure host URL. - Replace
<your_sysdig_secure_api_token>with your Sysdig Secure API token.
- Replace
-
Save the file and restart the Claude Desktop app for the changes to take effect.
- Run the MCP Inspector locally
- Select the transport type and have the Sysdig MCP server running accordingly.
- Pass the Authorization header if using "streamable-http" or the SYSDIG_SECURE_API_TOKEN env var if using "stdio"
- In your terminal run
goose configureand follow the steps to add the extension (more info on the goose docs). - Your
~/.config/goose/config.yamlconfig file should have one config like this one, check out the env vars.
Using Go:
extensions:
...
sysdig-mcp-server:
args: ["run", "github.com/sysdiglabs/sysdig-mcp-server/cmd/server@latest"]
bundled: null
cmd: go
description: Sysdig MCP server
enabled: true
env_keys:
- SYSDIG_MCP_TRANSPORT
- SYSDIG_MCP_API_HOST
- SYSDIG_MCP_API_SECURE_TOKEN
envs:
SYSDIG_MCP_TRANSPORT: stdio
name: sysdig-mcp-server
timeout: 300
type: stdio
- Have fun
