
Sonatype MCP Server

Remote MCP server from Sonatype that brings component intelligence, vulnerability analysis, and version recommendations into AI coding assistants.

Category: Developer Tools | Publisher: Sonatype | Authentication: Bearer token | Status: active
Overview

The Sonatype MCP Server connects AI coding assistants to Sonatype's component intelligence platform, surfacing dependency version data, known vulnerabilities, license posture, and upgrade recommendations directly inside the IDE. It is delivered as a remote HTTP MCP endpoint hosted by Sonatype at https://mcp.guide.sonatype.com/mcp, authenticated with a personal API token. The public GitHub repository contains setup guidance and per-client configuration snippets rather than runnable server code.

The server exposes three tools focused on component evaluation: getComponentVersion for inspecting a specific version, getLatestComponentVersion for the newest stable release with security analysis, and getRecommendedComponentVersions for safer upgrade paths. These tools let agents pick versions with fewer known CVEs, flag risky packages before they enter a project, and suggest remediation when an existing dependency is outdated or vulnerable.

It supports a broad set of clients out of the box. HTTP-native clients (Claude Code, Cursor, VS Code Copilot, Gemini Code Assist) talk to the URL directly, while stdio-only clients (IntelliJ with Junie, Windsurf, Kiro) connect through the mcp-remote npm wrapper. Codex uses its built-in CLI to register the server with a bearer-token environment variable.

Tools

Tool                            | Description
getComponentVersion             | Gets component information about a specific version of a component, including security and license data.
getLatestComponentVersion       | Gets component information about the latest version of a component along with security analysis.
getRecommendedComponentVersions | Returns a set of recommended versions to upgrade to from the current version. If no version is provided, returns recommended starting versions.
Setup Guide

Prerequisites

  • A Sonatype account and personal API token generated at https://guide.sonatype.com/settings/tokens
  • Node.js (for clients that need the mcp-remote stdio bridge)

Install the stdio bridge (only for stdio-only clients)

Clients like IntelliJ with Junie, Windsurf, and Kiro need the bridge:

npm install -g mcp-remote

HTTP-native clients (Claude Code, Cursor, VS Code Copilot, Gemini Code Assist) can connect directly without it.

Claude Code

{
  "mcpServers": {
    "sonatype-mcp": {
      "command": "npx",
      "args": [
        "mcp-remote",
        "https://mcp.guide.sonatype.com/mcp",
        "--header",
        "Authorization: Bearer <your-token>"
      ]
    }
  }
}

Cursor

{
  "mcpServers": {
    "sonatype-mcp": {
      "type": "http",
      "url": "https://mcp.guide.sonatype.com/mcp",
      "headers": {
        "Authorization": "Bearer <your-token>"
      }
    }
  }
}

VS Code Copilot

{
  "servers": {
    "sonatype-mcp": {
      "url": "https://mcp.guide.sonatype.com/mcp",
      "type": "http",
      "headers": {
        "Authorization": "Bearer <your-token>"
      }
    }
  }
}

Codex

codex mcp add sonatype-mcp --url https://mcp.guide.sonatype.com/mcp --bearer-token-env-var SONATYPE_GUIDE_MCP_TOKEN

Replace <your-token> with the personal API token from your Sonatype account. For Codex, the token is not written into a config file: export it in the SONATYPE_GUIDE_MCP_TOKEN environment variable that the command above references.
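The Claude Code, Cursor and VS Code configs above store the bearer token as a literal string in a client config file, which is easy to commit by accident. The following added example (not part of Sonatype's repository) checks those three config shapes for a real token value, treating the guide's <your-token> placeholder and ${VAR}-style references as non-secrets; whether a given client expands such references is an assumption, and the sample configs and token are constructed.

```python
import json
import re
from typing import Iterator

# Placeholder used by the setup guide; any other value after "Bearer " is treated as a secret.
PLACEHOLDER = "<your-token>"
BEARER_RE = re.compile(r"^\s*Authorization\s*:\s*Bearer\s+(.+?)\s*$", re.IGNORECASE)


def _bearer_values(server: dict) -> Iterator[str]:
    """Yield bearer-token strings found in one server entry."""
    # Cursor / VS Code Copilot form: "headers": {"Authorization": "Bearer ..."}
    for key, value in (server.get("headers") or {}).items():
        m = BEARER_RE.match(f"{key}: {value}")
        if m:
            yield m.group(1)
    # Claude Code form via mcp-remote: "args": [..., "--header", "Authorization: Bearer ..."]
    args = server.get("args") or []
    for i, arg in enumerate(args):
        if arg == "--header" and i + 1 < len(args):
            m = BEARER_RE.match(str(args[i + 1]))
            if m:
                yield m.group(1)


def find_hardcoded_tokens(config_text: str) -> list:
    """Return names of server entries whose bearer token is a literal secret.
    The guide's placeholder and ${VAR}-style references (assumed to be
    expanded by the client, not verified here) are not flagged."""
    config = json.loads(config_text)
    # Claude Code and Cursor use "mcpServers"; VS Code Copilot uses "servers".
    servers = config.get("mcpServers") or config.get("servers") or {}
    flagged = []
    for name, server in servers.items():
        if any(t != PLACEHOLDER and not t.startswith("${") for t in _bearer_values(server)):
            flagged.append(name)
    return flagged


# Constructed samples (not real configs); the token below is fake.
SAMPLE_CLAUDE_CODE = json.dumps({"mcpServers": {"sonatype-mcp": {"command": "npx", "args": [
    "mcp-remote", "https://mcp.guide.sonatype.com/mcp",
    "--header", "Authorization: Bearer fake-token-for-example-only"]}}})
SAMPLE_VSCODE = json.dumps({"servers": {"sonatype-mcp": {
    "url": "https://mcp.guide.sonatype.com/mcp", "type": "http",
    "headers": {"Authorization": "Bearer <your-token>"}}}})

if __name__ == "__main__":
    for label, text in (("claude-code", SAMPLE_CLAUDE_CODE), ("vscode", SAMPLE_VSCODE)):
        print(label, find_hardcoded_tokens(text))
```

Run it as a pre-commit hook over .mcp.json, .cursor/mcp.json or .vscode/mcp.json to stop a filled-in token from leaving the workstation.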

Use Cases
  • Pick the safest version of a new dependency before adding it to package.json, pom.xml, or requirements.txt
  • Audit an existing manifest and identify components with known CVEs or license risk
  • Suggest upgrade paths for outdated libraries that minimize breaking changes and CVE exposure
  • Gate AI-generated code that introduces dependencies, ensuring the chosen version passes security and policy checks
  • Generate remediation PRs that bump components to Sonatype's recommended versions
Example Prompts
  • "Before adding lodash to this project, check the latest version with Sonatype and confirm it has no known CVEs."
  • "Look up org.apache.logging.log4j:log4j-core version 2.14.1 and tell me if it is vulnerable."
  • "Recommend a safe upgrade path for express 4.16.0 in this repo."
  • "Scan the dependencies in package.json and use Sonatype to find any with high severity vulnerabilities."
  • "Suggest a starting version for pydantic for a new Python service."
Pros
  • Official server maintained by Sonatype, the vendor behind Nexus and OSS Index
  • Remote HTTP endpoint means no local server process for most clients
  • Broad client coverage with documented configs for Claude Code, Cursor, VS Code, IntelliJ, Windsurf, Kiro, Gemini, and Codex
  • Focused tool surface (three tools) keeps agent reasoning predictable
Limitations
  • Limited to component lookup and version recommendation; no manifest scanning, SBOM generation, or write actions
  • Input parameters for the tools are not explicitly documented in the README
  • Requires creating a Sonatype account and managing a personal API token
Alternatives