
JFrog MCP Server

Official MCP server for the JFrog Platform: manage repositories, builds, runtime clusters, projects, package vulnerabilities, and artifact security scans.

Developer Tools | by JFrog | Bearer Token | active

Overview

The JFrog MCP Server is an experimental Model Context Protocol implementation maintained by JFrog that connects AI assistants to the JFrog Platform API. It exposes 22 tools covering repository management (local, remote, virtual), Artifactory Query Language (AQL) execution, build tracking, runtime cluster and container image monitoring, project and environment administration, public package intelligence, and security scanning of artifacts.

The server can run via stdio for local clients like Claude Desktop or Cursor, or in Server-Sent Events (SSE) mode for remote/multi-client setups. SSE mode adds connection ID tracking, automatic reconnection with exponential backoff, a /health endpoint, and structured logging. It is distributed as an npm package, a Docker image, and via Smithery.

Note: JFrog also offers an officially hosted, remote MCP server for production use. This open-source repo is marked experimental, but is the canonical self-hostable implementation maintained under the jfrog GitHub org.

Tools

| Tool | Description |
|------|-------------|
| check_jfrog_availability | Check whether the configured JFrog platform instance is reachable and responsive. |
| create_local_repository | Create a local Artifactory repository. |
| create_remote_repository | Create a remote repository proxying an upstream source. |
| create_virtual_repository | Create a virtual repository aggregating multiple repos. |
| list_repositories | List repositories on the platform with optional filters. |
| set_folder_property | Set properties on a folder, optionally applied recursively. |
| execute_aql_query | Run an Artifactory Query Language (AQL) query. |
| list_jfrog_builds | List all builds tracked in Artifactory. |
| get_specific_build | Retrieve details for a specific build. |
| list_jfrog_runtime_clusters | List runtime clusters monitored by JFrog Runtime. |
| get_jfrog_runtime_specific_cluster | Get details for a specific runtime cluster. |
| list_jfrog_running_images | List running container images across runtime clusters. |
| list_jfrog_environments | List configured environments on the platform. |
| list_jfrog_projects | List projects on the platform. |
| get_specific_project | Get detailed information about a specific project. |
| create_project | Create a new project with administrative settings. |
| jfrog_get_package_info | Retrieve public package metadata across PyPI, npm, Maven, Go, NuGet, Hugging Face, RubyGems. |
| jfrog_get_package_versions | Get the version history and publication dates for a package. |
| jfrog_get_package_version_vulnerabilities | List known vulnerabilities for a specific package version. |
| jfrog_get_vulnerability_info | Look up detailed information for a CVE or vulnerability ID. |
| jfrog_get_package_curation_status | Check whether a package is approved, blocked, or inconclusive under curation policies. |
| jfrog_get_artifacts_summary | Generate a security issues summary for artifacts by severity (Low, Medium, High, Critical, Unknown). |

Setup Guide

Prerequisites

  • Node.js v18 or higher (or Docker)
  • A valid JFrog platform instance (e.g. https://your-instance.jfrog.io)
  • A JFrog access token or identity token with sufficient permissions

Install via Smithery (recommended for Claude Desktop)

npx -y @smithery/cli install @jfrog/mcp-jfrog --client claude

Local build

git clone git@github.com:jfrog/mcp-jfrog.git
cd mcp-jfrog
npm i && npm run build

Docker

docker build -t mcp/jfrog -f Dockerfile .

Claude Desktop config (npm via GitHub)

{
  "mcpServers": {
    "MCP-JFrog": {
      "command": "npm",
      "args": ["exec", "-y", "github:jfrog/mcp-jfrog"],
      "env": {
        "JFROG_ACCESS_TOKEN": "YOUR_TOKEN",
        "JFROG_URL": "https://your-instance.jfrog.io"
      }
    }
  }
}

Claude Desktop config (Docker)

{
  "mcpServers": {
    "jfrog": {
      "command": "docker",
      "args": ["run", "--rm", "-i", "-e", "JFROG_ACCESS_TOKEN", "-e", "JFROG_URL", "mcp/jfrog"],
      "env": {
        "JFROG_ACCESS_TOKEN": "YOUR_TOKEN",
        "JFROG_URL": "https://your-instance.jfrog.io"
      }
    }
  }
}

Environment variables

| Variable | Required | Purpose |
|----------|----------|---------|
| JFROG_ACCESS_TOKEN | Yes | Authentication credential |
| JFROG_URL | Yes | Platform instance URL |
| TRANSPORT | No | stdio (default) or sse |
| PORT | No | SSE server port, default 8080 |
| CORS_ORIGIN | No | CORS allowlist for SSE, default * |
| LOG_LEVEL | No | DEBUG, INFO, WARN, ERROR (default INFO) |
| MAX_RECONNECT_ATTEMPTS | No | SSE reconnection attempts, default 5 |
| RECONNECT_DELAY_MS | No | Base delay between SSE reconnects, default 2000 |
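
The variables and defaults in the table above can be linted before a config is deployed. The following Node.js check is an added example, not code from the JFrog project: it flags a placeholder or missing token, a non-HTTPS JFROG_URL, and SSE mode left on the default CORS_ORIGIN of *. The function names auditEnv and auditMcpConfig and the sample values are constructed for illustration.

```javascript
// Added example, not from the mcp-jfrog repository. Function names and the
// sample values are constructed; variables and defaults come from the table above.
function auditEnv(env) {
  const findings = [];
  const transport = (env.TRANSPORT || "stdio").toLowerCase(); // default: stdio
  if (!env.JFROG_ACCESS_TOKEN || env.JFROG_ACCESS_TOKEN === "YOUR_TOKEN") {
    findings.push("JFROG_ACCESS_TOKEN is missing or still the placeholder");
  }
  let url = null;
  try { url = new URL(env.JFROG_URL); } catch { /* reported below */ }
  if (!url) {
    findings.push("JFROG_URL is missing or not a valid URL");
  } else if (url.protocol !== "https:") {
    findings.push("JFROG_URL is not https: the bearer token would be sent unencrypted");
  }
  if (!["stdio", "sse"].includes(transport)) {
    findings.push(`TRANSPORT "${env.TRANSPORT}" is neither stdio nor sse`);
  }
  if (transport === "sse") {
    // Unset CORS_ORIGIN falls back to the documented default "*".
    if ((env.CORS_ORIGIN || "*").trim() === "*") {
      findings.push("SSE mode with CORS_ORIGIN=*: set an explicit origin allowlist");
    }
    const port = Number(env.PORT || 8080); // default: 8080
    if (!Number.isInteger(port) || port < 1 || port > 65535) {
      findings.push(`PORT "${env.PORT}" is not a valid TCP port`);
    }
  }
  return findings;
}

// Apply auditEnv to every server entry of an MCP client config object.
function auditMcpConfig(config) {
  const report = {};
  for (const [name, server] of Object.entries(config.mcpServers || {})) {
    report[name] = auditEnv(server.env || {});
  }
  return report;
}

// Constructed inputs: the stdio client config shown on the page, and an SSE
// deployment environment that relies on the defaults.
const clientConfig = { mcpServers: { "MCP-JFrog": {
  command: "npm", args: ["exec", "-y", "github:jfrog/mcp-jfrog"],
  env: { JFROG_ACCESS_TOKEN: "YOUR_TOKEN", JFROG_URL: "https://your-instance.jfrog.io" },
} } };
const sseEnv = { JFROG_ACCESS_TOKEN: "constructed-token",
  JFROG_URL: "http://your-instance.jfrog.io", TRANSPORT: "sse" };
console.log(auditMcpConfig(clientConfig), auditEnv(sseEnv));
```
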
Use Cases

  • Provision new local, remote, or virtual Artifactory repositories from a chat prompt during onboarding.
  • Investigate build provenance by listing builds and pulling details for a specific build name and number.
  • Audit container security across runtime clusters by listing running images and generating artifact issue summaries by severity.
  • Check whether a third-party npm, PyPI, or Maven package is approved by curation policy and surface its known CVEs before adoption.
  • Run AQL queries to find artifacts by properties (e.g. outdated SHA, missing license tag) and bulk-set folder properties.

Example Prompts

  • "Create a virtual npm repository called npm-virtual that aggregates npm-local and npm-remote."
  • "List all builds for the payments-service and show details for build number 482."
  • "Show me running container images across our prod runtime cluster and flag any with Critical vulnerabilities."
  • "Is lodash@4.17.20 curated as approved in our platform, and what CVEs affect it?"
  • "Run an AQL query for all artifacts in libs-release-local modified in the last 7 days."

Pros

  • Maintained under the official jfrog GitHub org with broad coverage of 22 tools across repos, builds, runtime, projects, packages, and security.
  • Supports both stdio and SSE transports, plus npm, Docker, and Smithery distribution.
  • Covers package and CVE intelligence across multiple ecosystems (PyPI, npm, Maven, Go, NuGet, Hugging Face, RubyGems), useful for supply-chain workflows.

Limitations

  • Marked experimental by JFrog, with a separate officially hosted remote MCP server recommended for production.
  • Requires a JFrog Platform instance and access token; not usable without a paid/configured tenant.
  • Tool input schemas are documented sparsely in the README, so some calls require trial-and-error or reading source.

Alternatives

  • Sonatype Nexus - alternative artifact repository; no official MCP server, community implementations only.
  • GitHub MCP server - for source and package management on GitHub Packages.
  • JFrog's officially hosted remote MCP server, referenced from JFrog Platform docs, for production use without self-hosting.