
Sonatype
Official
Provides real-time security vulnerability scanning, license compliance checking, and dependency health analysis for open source components through Sonatype's intelligence platform.
Component intelligence with versions, security analysis, and Trust Score recommendations
What it does
- Scan dependencies for security vulnerabilities
- Check license compliance for project dependencies
- Analyze dependency health and maintenance status
- Get component version recommendations
- Receive security advisories and threat alerts
- Generate remediation guidance for vulnerabilities
About Sonatype
Sonatype is an official MCP server published by sonatype that provides AI assistants with tools and capabilities via the Model Context Protocol. Sonatype: component intelligence with version tracking, security analysis, and Trust Score recommendations to secure and
It is categorized under auth security and developer tools.
How to install
You can install Sonatype in your AI client of choice. Use the install panel on this page to get one-click setup for Cursor, Claude Desktop, VS Code, and other MCP-compatible clients. This server supports remote connections over HTTP, so no local installation is required.
License
Sonatype is released under the MIT license. This is a permissive open-source license, meaning you can freely use, modify, and distribute the software.
Sonatype MCP Server
A Model Context Protocol (MCP) server that connects AI assistants to Sonatype's dependency management and security intelligence platform. Empower your AI coding assistant with real-time insights into open source security vulnerabilities, license compliance, and dependency health.
Overview
The Sonatype MCP Server enables AI assistants to access Sonatype's comprehensive dependency intelligence directly within your development workflow. By integrating with the Model Context Protocol, your AI assistant can help you make informed decisions about dependencies, identify security risks, and maintain compliance — all without leaving your IDE.
Key Features
- Component Version Selection - Select the best version the first time, without the side quest
- Security Vulnerability Scanning - Identify known vulnerabilities in your project dependencies
- License Compliance Checking - Ensure your dependencies meet your organization's license policies
- Dependency Health Analysis - Get insights into dependency quality, maintenance status, and risk factors
- Real-time Security Advisories - Stay informed about the latest security threats affecting your dependencies
- Remediation Guidance - Receive actionable recommendations to fix vulnerabilities and compliance issues
Prerequisites
- For IDEs or tools that only support stdio MCP servers (like IntelliJ), install mcp-remote: npm install -g mcp-remote
Setup
The Sonatype MCP Server runs as a remote MCP server. Choose the setup instructions for your IDE or AI assistant:
Gemini Code Assist
Replace <your-token> with your personal API token generated at https://guide.sonatype.com/settings/tokens
{
  "mcpServers": {
    "discoveredServer": {
      "httpUrl": "https://mcp.guide.sonatype.com/mcp",
      "headers": {
        "Authorization": "Bearer <your-token>"
      }
    }
  }
}
Claude Code
Add the server using the Claude CLI:
Replace <your-token> with your personal API token generated at https://guide.sonatype.com/settings/tokens
claude mcp add --transport http --scope user sonatype-mcp https://mcp.guide.sonatype.com/mcp --header "Authorization: Bearer <your-token>"
VS Code Copilot
Add the following configuration to your global VS Code mcp.json or create a .vscode/mcp.json file in your workspace:
Replace <your-token> with your personal API token generated at https://guide.sonatype.com/settings/tokens
{
  "servers": {
    "sonatype-mcp": {
      "url": "https://mcp.guide.sonatype.com/mcp",
      "type": "http",
      "headers": {
        "Authorization": "Bearer <your-token>"
      }
    }
  }
}
Windsurf
Create or edit ~/.codeium/windsurf/mcp_config.json:
Replace <your-token> with your personal API token generated at https://guide.sonatype.com/settings/tokens
{
  "mcpServers": {
    "sonatype-mcp": {
      "command": "npx",
      "args": [
        "mcp-remote",
        "https://mcp.guide.sonatype.com/mcp",
        "--header",
        "Authorization: Bearer <your-token>"
      ]
    }
  }
}
IntelliJ with Junie
Global Scope: Go to IDE settings → Tools → Junie → MCP Settings, click "+" and add the configuration below.
Project Scope: Create .junie/mcp/.mcp.json in your project root with the same configuration:
Replace <your-token> with your personal API token generated at https://guide.sonatype.com/settings/tokens
{
  "mcpServers": {
    "sonatype-mcp": {
      "command": "npx",
      "args": [
        "mcp-remote",
        "https://mcp.guide.sonatype.com/mcp",
        "--header",
        "Authorization: Bearer <your-token>"
      ]
    }
  }
}
Kiro
Create or edit ~/.kiro/settings/mcp.json:
Replace <your-token> with your personal API token generated at https://guide.sonatype.com/settings/tokens
{
  "mcpServers": {
    "sonatype-mcp": {
      "command": "npx",
      "args": [
        "mcp-remote",
        "https://mcp.guide.sonatype.com/mcp",
        "--header",
        "Authorization: Bearer <your-token>"
      ]
    }
  }
}
Cursor
Cursor supports remote servers directly. Add to your ~/.cursor/mcp.json:
Replace <your-token> with your personal API token generated at https://guide.sonatype.com/settings/tokens
{
  "mcpServers": {
    "sonatype-mcp": {
      "type": "http",
      "url": "https://mcp.guide.sonatype.com/mcp",
      "headers": {
        "Authorization": "Bearer <your-token>"
      }
    }
  }
}
Codex (IDE Plugin & CLI)
For both methods below, define an environment variable SONATYPE_GUIDE_MCP_TOKEN for your personal API token generated at https://guide.sonatype.com/settings/tokens.
Method 1:
Using CLI command: codex mcp add sonatype-mcp --url https://mcp.guide.sonatype.com/mcp --bearer-token-env-var SONATYPE_GUIDE_MCP_TOKEN
Method 2:
Create or edit ~/.codex/config.toml:
[mcp_servers.sonatype-mcp]
url = "https://mcp.guide.sonatype.com/mcp"
bearer_token_env_var = "SONATYPE_GUIDE_MCP_TOKEN"
Authentication
The Sonatype MCP Server uses API token authentication:
- Create a Sonatype Guide account and generate your personal API token at https://guide.sonatype.com/settings/tokens
- Add the token to your MCP configuration using the Authorization: Bearer <your-token> header format
- Replace <your-token> with your actual token in the configuration examples above
Your API token authenticates all requests automatically. Keep your token secure and never commit it to version control.
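The configuration files above embed the bearer token as a literal string, which is exactly what ends up in version control by accident. The following check is an added example, not part of the Sonatype MCP server or its README: it walks MCP client configs of the two shapes shown above (an HTTP "headers" object, and mcp-remote "--header" arguments) and reports any Authorization header that holds a literal token rather than the <your-token> placeholder or an environment-variable reference ($VAR or ${VAR}, an assumed convention). The sample configs are constructed for the example.

```python
import json
import re

# Acceptable values: the documentation placeholder, or a reference to an
# environment variable (assumed $VAR / ${VAR} convention) instead of a secret.
PLACEHOLDER = re.compile(r"^Bearer\s+(<your-token>|\$\{?[A-Z_][A-Z0-9_]*\}?)$")


def _check_header(value, path, findings):
    """Record a finding if an Authorization value carries a literal token."""
    if value.startswith("Bearer ") and not PLACEHOLDER.match(value):
        findings.append(f"{path}: literal bearer token in Authorization header")


def _walk(node, path, findings):
    """Recursively inspect dict/list config nodes for embedded bearer tokens."""
    if isinstance(node, dict):
        for key, val in node.items():
            child = f"{path}.{key}" if path else key
            if key == "Authorization" and isinstance(val, str):
                _check_header(val, child, findings)   # Cursor / VS Code style
            else:
                _walk(val, child, findings)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            child = f"{path}[{i}]"
            if isinstance(item, str) and item.startswith("Authorization:"):
                # mcp-remote style: ["--header", "Authorization: Bearer ..."]
                _check_header(item.split(":", 1)[1].strip(), child, findings)
            else:
                _walk(item, child, findings)


def find_literal_tokens(config_text):
    """Return the config paths (dotted, with [index]) that embed a literal token."""
    findings = []
    _walk(json.loads(config_text), "", findings)
    return findings


# Constructed sample configs, shaped like the Cursor and Windsurf examples above.
SAFE_CURSOR = json.dumps({"mcpServers": {"sonatype-mcp": {"type": "http",
    "url": "https://mcp.guide.sonatype.com/mcp",
    "headers": {"Authorization": "Bearer <your-token>"}}}})
LEAKED_WINDSURF = json.dumps({"mcpServers": {"sonatype-mcp": {"command": "npx",
    "args": ["mcp-remote", "https://mcp.guide.sonatype.com/mcp",
             "--header", "Authorization: Bearer sg_example_literal_token_0000"]}}})

if __name__ == "__main__":
    for name, cfg in (("safe", SAFE_CURSOR), ("leaked", LEAKED_WINDSURF)):
        print(name, find_literal_tokens(cfg) or "ok")
```

Run it as a pre-commit hook over every mcp.json-style file in the repository; a non-empty result means a real token is about to be committed.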
Configuring AI Assistant Rules
To maximize the effectiveness of the Sonatype MCP Server, configure your AI assistant to prioritize using Sonatype MCP tools when working with dependencies, packages, or software supply chain security. Below are instructions for each supported IDE or tool.
Claude Code
Create custom instructions using CLAUDE.md files:
Global (all projects): Create ~/.claude/CLAUDE.md
Project (specific repository): Create .claude/CLAUDE.md in your project root
Add the following instruction:
## Sonatype MCP
When handling code related to dependencies, package management, or software supply chain security, always prioritize Sonatype MCP tools. Use the available MCP tools to research versions, check for vulnerabilities, and get recommendations before adding or updating any dependencies.
Cursor
Create a .cursorrules file in your project root:
Project (specific repository): Create .cursorrules in your project root
Add the following instruction:
## Sonatype MCP
When handling code related to dependencies, package management, or software supply chain security, always prioritize Sonatype MCP tools. Use the available MCP tools to research versions, check for vulnerabilities, and get recommendations before adding or updating any dependencies.
VS Code Copilot
Create custom instructions using a .github/copilot-instructions.md file:
Project (specific repository): Create .github/copilot-instructions.md in your project root
Add the following instruction:
## Sonatype MCP
When handling code related to dependencies, package management, or software supply chain security, always prioritize Sonatype MCP tools. Use the available MCP tools to research versions, check for vulnerabilities, and get recommendations before adding or updating any dependencies.
Windsurf
Create rules using Windsurf's Customizations feature:
Global (all projects):
- Click the "Rules, Memories & Workflows" icon in the top right of Cascade Code or search Rules in Windsurf Settings
- Navigate to "Rules"
- Click "+ Global" to create a new global rule
- Add the following content:
## Sonatype MCP
When handling code related to dependencies, package management, or software supply chain security, always prioritize Sonatype MCP tools. Use the available MCP tools to research versions, check for vulnerabilities, and get recommendations before adding or updating any dependencies.
Project (specific repository):
Follow the instructions for Global but click "+ Workspace" or create .windsurf/rules/sonatype.md in your project root:
## Sonatype MCP
When handling code related to dependencies, package management, or software supply chain security, always prioritize Sonatype MCP tools. Use the available MCP tools to research versions, check for vulnerabilities, and get recommendations before adding or updating any dependencies.
IntelliJ with Junie
Create custom guidelines using a .junie/guidelines.md file:
Project (specific repository): Create .junie/guidelines.md in your project root
Add the following instruction:
## Sonatype MCP
When handling code related to dependencies, package management, or software supply chain security, always prioritize Sonatype MCP tools. Use the available MCP tools to research versions, check for vulnerabilities, and get recommendations before adding or updating any dependencies.
Kiro
Create steering files in the .kiro/steering/ directory:
Project (specific repository): Create .kiro/steering/sonatype.md in your project root
Add YAML front matter to make it always included:
---
inclusion: always
---
## Sonatype MCP
When handling code related to dependencies, package management, or software supply chain security, always prioritize Sonatype MCP tools. Use the available MCP tools to research versions, check for vulnerabilities, and get recommendations before adding or updating any dependencies.
Gemini Code Assist
Create custom instructions using GEMINI.md files:
Global (all projects): Create ~/.gemini/GEMINI.md
Project (specific repository): Create GEMINI.md in your project root
Add the following instruction:
## Sonatype MCP
When handling code related to dependencies, package management, or software supply chain security, always prioritize Sonatype MCP tools. Use th
---
*README truncated. [View full README on GitHub](https://github.com/sonatype/dependency-management-mcp-server).*