kubescape-mcp-server
Kubescape MCP Server is a middleware that exposes Kubescape Kubernetes vulnerability manifests and related querying capabilities via the Mark3 Labs MCP protocol over stdio. It supports listing vulnerability manifests at the image and workload levels, listing the vulnerabilities in a manifest, and listing vulnerability matches for a specific CVE. It also exposes manifest data through MCP resource templates.
Score Breakdown
⚙ Agent Friendliness
🔒 Security
Traffic is via stdio (not network TLS). Authentication/authorization is not described beyond requiring kubeconfig/context; no MCP-level authN/authZ, scopes, or input/output constraints are documented. As a vulnerability-data interface, strict operational controls are recommended (least-privilege kubeconfig, process isolation, logging hygiene), but the README provides no details to verify these.
⚡ Reliability
Best When
Used in controlled environments where an MCP-capable agent runs with access to a Kubernetes cluster (via kubeconfig) and Kubescape storage APIs to retrieve vulnerability manifests.
Avoid When
Avoid deploying as-is in untrusted or multi-tenant settings where tool inputs could be abused, since the README does not describe authZ/authN controls, input validation, or output filtering.
Use Cases
- Agent-assisted discovery of available Kubernetes vulnerability manifests (image/workload scopes)
- Querying vulnerability details from Kubescape manifests via MCP tools
- Finding all matches for a specific CVE within a manifest
- Building automated workflows that inspect cluster vulnerability exposure using MCP-compatible agents
Not For
- Public internet-facing API use without strong operational controls
- Use as a general-purpose Kubernetes vulnerability scanner replacement without understanding Kubescape storage/API expectations
- Workloads requiring fine-grained authorization and multi-tenant isolation at the tool level (not evidenced in docs)
Interface
Authentication
README only states the server requires access to the Kubernetes cluster and expects appropriate kubeconfig/context. No MCP-level authentication method, token auth, or per-tool scope model is described.
Pricing
No pricing information provided; repository appears to be a source project.
Agent Metadata
Known Gotchas
- ⚠ Server communicates via stdio MCP; agents must be able to spawn and interact with the process correctly.
- ⚠ Tool behavior depends on accessible kubeconfig/context and availability of Kubescape storage API; failures may appear as tool errors but are not documented.
- ⚠ No documented pagination/limits for listing tools; agents may need to handle large manifest/vulnerability result sets.
Alternatives
Scores are editorial opinions as of 2026-04-04.