reversinglabs/rl-mcp-community

Verified Publisher

By ReversingLabs

Updated 21 days ago

MCP server for Spectra Assure Community.

Image
2

827

reversinglabs/rl-mcp-community repository overview

Spectra Assure Community MCP Server

The ReversingLabs Spectra Assure Community MCP Server checks open source packages for malware, vulnerabilities, tampering, and policy violations using Spectra Assure Community data.

It runs as a Docker container and integrates with any MCP client (Gemini CLI, Claude Desktop, Claude Code, Cursor, and more) to enable on-demand security analysis directly within your development environment.

Table of Contents

Overview

Tools
rl_protect_scan

Scan open source packages for supply chain risk. Call this tool before adding, recommending, or importing any open source package. A REJECT result means the package has violated configured policy and should not be used.

Arguments:

  • purls (str, required): A comma-separated list of package PURLs. Version is optional; omitting it scans the latest version.

    Examples:

    pkg:npm/express
    
  • report_name (str, required): A descriptive name for the report (e.g. "express-scan", "deps-update"). A random suffix is appended automatically to avoid collisions.

  • profile (str, optional): Scanning profile keyword (minimal, baseline, hardened) or path to a custom profile. Default: hardened.

  • check_deps (str, optional): Comma-separated dependency scopes to scan. Must include release or develop. Values: release, develop, optional, transitive. Default: release only.

Returns:

A compact JSON summary. Use rl_protect_summarize for full assessment detail on any package.

{
  "report_id": "express-scan-a1b2c3d4",
  "metadata": { "timestamp": "...", "duration": "...", "profile": "..." },
  "summary": { "reject": 0, "warn": 1, "pass": 0, "total": 1 },
  "packages": [
    {
      "purl": "pkg:npm/[email protected]",
      "recommendation": "APPROVE",
      "worst_status": "warning",
      "worst_label": "1 high severity vulnerabilities"
    }
  ],
  "errors": []
}
rl_protect_scan_manifest

Scan a manifest or lock file (package.json, requirements.txt, pyproject.toml, setup.cfg, Gemfile, gemspec) for supply chain risk. The file must be accessible inside the container via a volume mount.

Arguments:

  • manifest_path (str, required): Container-relative path to the manifest file (e.g. "/project/package.json").
  • report_name (str, required): A descriptive name for the report.
  • profile (str, optional): Scanning profile keyword or path. If not specified, the predefined hardened profile is used by default.
  • check_deps (str, optional): Comma-separated dependency scopes to scan. Must include release or develop. Values: release, develop, optional, transitive. Default: release only.

Returns:

The same compact JSON structure as rl_protect_scan. Use rl_protect_summarize for full assessment details on any package.

rl_protect_summarize

Summarize packages with issues from a saved report. Returns full assessment details (secrets, licenses, vulnerabilities, hardening, tampering, malware, repository) for packages with a REJECT recommendation or any non-pass result. Passing packages are omitted. Aggregate counts cover the full scan.

Arguments:

  • report_id (str, required): The report_id returned by rl_protect_scan.
rl_protect_interpret

Extract a specific slice of a saved report as structured JSON.

Arguments:

  • report_id (str, required): The report_id returned by rl_protect_scan.
  • task (str, required): One of: vulnerabilities, indicators, malware, overrides, governance, dependencies, errors.
  • package (str, optional): PURL substring to filter results to a specific package.
rl_protect_diff_behavior

Compare behaviors between two versions of the same package. Detects suspicious changes that may indicate supply chain tampering — assessment regressions, new malware indicators, added CVEs, and policy violations.

Arguments:

  • package (str, required): Package name to compare (substring match).
  • report_id (str): Report containing both versions (from a single scan).
  • old_report_id / new_report_id (str): Separate reports for old and new versions.
  • old_version / new_version (str, optional): Pin specific versions when more than two are present.
  • reverse (bool, optional): Swap old and new (use when downgrading).
rl_protect_report

Generate a structured Markdown report from a saved scan report. The report includes a summary table, per-package assessment details, malware and governance callouts, a vulnerability table, and a prioritised version update plan.

Arguments:

  • report_id (str, required): The report_id returned by rl_protect_scan.

  • template (str, optional): Report template controlling the level of detail. Default: expanded.

    TemplateContent
    conciseSummary table (linked to Spectra Assure Community) + Version Update Plan only
    expandedRejected packages with assessment, vulnerabilities, and license info
    verboseFull detail: rejected + warnings + passing, assessment table, policy violations
  • output_path (str, optional): Container path inside /output where the Markdown file will be written (e.g. "/output/report.md"). Requires the /output volume mount. When omitted, the Markdown is returned as a string.

Returns:

The file path (when output_path is provided) or a Markdown string (when omitted).

Examples
Example 1: Checking a specific package version

Prompt:

Check if @crowdstrike/commitlint version 8.1.2 is okay to use

The LLM calls rl_protect_scan with purls="pkg:npm/@crowdstrike/[email protected]" and presents the results using the display format embedded in the tool description.

Example 2: Scanning a manifest file

Prompt:

Scan my project dependencies for security issues

The container must have the project directory mounted (-v /path/to/project:/project:ro). The LLM calls rl_protect_scan_manifest with the path to the manifest file (e.g. "/project/package.json"). It can then use rl_protect_interpret to drill into specific findings.

Example 3: Comparing package versions

Prompt:

I'm upgrading express from 4.21.0 to 5.1.0 — are there any new risks?

The LLM scans both versions together with rl_protect_scan, then calls rl_protect_diff_behavior with the report_id to compare assessment changes, new CVEs, and behavior indicator diffs between versions.

Adjusting tool usage with custom prompts

The tool descriptions influence how the LLM uses them. rl_protect_scan includes the hint "Call this tool before adding, recommending, or importing any open source package", which nudges proactive scanning. You can reinforce or adjust this behavior through your MCP client's system prompt or custom instructions.

Installation and usage

Prerequisites:

Getting the Docker image

The image is on Docker Hub. Docker pulls it automatically on first run, so just configure your MCP client as shown below.

To build it yourself (e.g. to add a corporate CA certificate):

git clone https://github.com/reversinglabs/rl-mcp
docker build -t reversinglabs/rl-mcp-community:latest rl-mcp
Mounting your project directory

The container cannot access your host filesystem by default. Two optional volume mounts extend its capabilities:

MountPurposeAccess
-v /path/to/your/project:/project:roManifest scanning with rl_protect_scan_manifest — pass container-relative paths like "/project/package.json"Read-only
-v /path/to/your/reports:/outputReport file output with rl_protect_report — pass output_path="/output/report.md" to write thereRead-write

Keeping the project mount read-only ensures the container can never write back into your source tree. The /output mount is separate so write access is scoped only to the reports directory.

Add the relevant -v flags to the args array in your MCP client configuration. See the per-client examples below.

Example setup with Gemini CLI

Prerequisites:

Add the following to your Gemini settings.json file:

  • Windows: %USERPROFILE%\.gemini\settings.json
  • macOS & Linux: ~/.gemini/settings.json

NOTE: A local .gemini/settings.json in your project's directory can override the global settings.

Community account:

{
  // ... other settings
  "mcpServers": {
    "rl_mcp_server": {
      "command": "docker",
      "args": [
        "run", "--rm", "-i",
        "-e", "RL_TOKEN=rlcmm-your-token-here",
        "-v", "/path/to/your/project:/project:ro",  // optional: for manifest scanning
        "-v", "/path/to/your/reports:/output",       // optional: for report file output
        "reversinglabs/rl-mcp-community:latest"
      ]
    }
  }
}

Enterprise account:

{
  // ... other settings
  "mcpServers": {
    "rl_mcp_server": {
      "command": "docker",
      "args": [
        "run", "--rm", "-i",
        "-e", "RL_TOKEN=rls3c-your-token-here",
        "-e", "RL_PORTAL_SERVER=https://my.secure.software/organization",
        "-e", "RL_PORTAL_ORG=MyOrganization",
        "-v", "/path/to/your/project:/project:ro",  // optional: for manifest scanning
        "-v", "/path/to/your/reports:/output",       // optional: for report file output
        "reversinglabs/rl-mcp-community:latest"
      ]
    }
  }
}
Example setup with Claude Code
claude mcp add --transport stdio rl-protect \
  -- docker run --rm -i \
  -e RL_TOKEN=rlcmm-your-token-here \
  -v /path/to/your/project:/project:ro \
  -v /path/to/your/reports:/output \
  reversinglabs/rl-mcp-community:latest

Note: the token must be passed via -e in the Docker args, not via --env, since --env sets variables on the host process and they don't propagate into the container. Both -v mounts are optional — see Mounting your project directory.

Example setup with Claude Desktop

Add to your Claude Desktop configuration file:

  • Windows: %APPDATA%\Claude\claude_desktop_config.json
  • macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
{
  "mcpServers": {
    "rl-protect": {
      "command": "docker",
      "args": [
        "run", "--rm", "-i",
        "-e", "RL_TOKEN=rlcmm-your-token-here",
        "-v", "/path/to/your/project:/project:ro",
        "-v", "/path/to/your/reports:/output",
        "reversinglabs/rl-mcp-community:latest"
      ]
    }
  }
}

Both -v mounts are optional — see Mounting your project directory.

Example setup with Ollama + Continue (Visual Studio Code)

Prerequisites:

  1. Add the MCP Server in Continue:

    • Open the Continue extension (left sidebar) and go to Settings -> Tools -> Add MCP Server.
    • This will create a new-mcp-server.yaml file in your workspace.
  2. Configure the MCP Server:

    name: Spectra Assure Community MCP
    version: 0.0.1
    schema: v1
    mcpServers:
      - name: Spectra Assure Community MCP
        command: docker
        args:
          - run
          - --rm
          - -i
          - -e
          - RL_TOKEN=rlcmm-your-token-here
          - -v
          - /path/to/your/project:/project:ro  # optional: for manifest scanning
          - -v
          - /path/to/your/reports:/output      # optional: for report file output
          - reversinglabs/rl-mcp-community:latest
        env: {}
    
  3. Verify the setup:

    • The server should appear under Continue Settings -> Tools -> MCP Servers and be running.
  4. Configure the Continue Agent:

    • In Continue, use the Plan or Agent mode to interact with MCP Servers (Chat mode is not supported).
    • Select the Agent mode.
    • Add the local LLM you have installed (e.g., Llama 3.1 8B).

Configuration reference

All configuration is via environment variables passed to the container.

Authentication
VariableRequiredDescription
RL_TOKENYesSpectra Assure Community token. Prefix determines account type: rlcmm = Community, rls3c = Enterprise.
RL_PORTAL_SERVEREnterprise onlyPortal server URL (e.g. https://my.secure.software/organization)
RL_PORTAL_ORGEnterprise onlyPortal organization name
RL_PORTAL_GROUPNoPortal group (Enterprise only)
Scan options
VariableDefaultDescription
RL_PROFILErl-protect defaultScan profile: minimum, baseline, hardened, or path to custom profile
RL_CONCURRENCYNumber of threads for dependency lookups
RL_SCAN_TIMEOUT600Scan timeout in seconds
RL_PROTECT_BINrl-protectPath to the rl-protect binary
RL_REPORTS_DIR/app/reportsDirectory where scan reports are stored inside the container
RL_SCRIPTS_DIR/app/scriptsDirectory where interpretation scripts are located inside the container
RL_OUTPUT_DIR/outputDirectory where rl_protect_report writes Markdown files; mount a host directory here for access
Network
VariableDescription
RL_CA_PATHPath to custom CA certificate store
RL_PROXY_SERVERProxy URL
RL_PROXY_PORTProxy port
RL_PROXY_USERProxy username
RL_PROXY_PASSWORDProxy password

Tag summary

Content type

Image

Digest

sha256:d629c606c

Size

72.1 MB

Last updated

21 days ago

docker pull reversinglabs/rl-mcp-community

This week's pulls

Pulls:

77

Last week