feat: add server for automated container vulnerability patching

[duffney]

Overview

This PR introduces a Model Context Protocol (MCP) server that exposes Copacetic's container patching capabilities to AI agents and automation tools. Built with the official Go SDK, this server enables programmatic access to Copa's vulnerability patching workflows through a standardized protocol.

Features

The MCP server provides six comprehensive tools for container security automation:

• version: Get the version of the Copa CLI tool
• workflow-guide: Get guidance on which Copacetic tools to use for different container patching scenarios
• scan-container: Scan container images for vulnerabilities using Trivy - creates vulnerability reports required for report-based patching
• patch-report-based: Patch container image vulnerabilities using a pre-generated vulnerability report from 'scan-container' tool (RECOMMENDED approach for vulnerability-based patching)
• patch-platform-selective: Patch specific container image platforms with Copa - patches only the specified platforms WITHOUT vulnerability scanning
• patch-comprehensive: Comprehensively patch all container image platforms with Copa - patches all available platforms WITHOUT vulnerability scanning

Usage

The server supports multiple deployment options:

• Binary: Direct execution for local development and CI/CD integration
• Container: Docker image for containerized environments and orchestration

Detailed installation and usage instructions are available in the README.

Benefits

• AI Integration: Enables AI agents to automate container vulnerability remediation
• Workflow Flexibility: Supports both targeted vulnerability-based and comprehensive patching strategies
• Multi-platform Support: Handles complex multi-architecture container scenarios
• Standardized Interface: Uses MCP protocol for consistent integration across tools

Next Steps

Upon merge, this MCP server will be submitted to the Docker MCP catalog, making it available through the Docker MCP Gateway for broader ecosystem integration. A few other things worth mentioning as follow up feature would be: logging, improved error handling, and better output from the tools to include output from the copa cli (new patch tag etc..) I'm happy to continue working on these items but want to get a PR submitted for review first. :)

[robert-cronin]

Just a few comments otherwise LGTM!!

[robert-cronin]

Should this be changed to github.com/project-copacetic/mcp-server?

[robert-cronin]

should this be github.com/project-copacetic/mcp-server?

[robert-cronin]

I might be misunderstanding here but I think the main token for auth in workflows is called secrets.GITHUB_TOKEN https://docs.github.com/en/actions/tutorials/authenticate-with-github_token

[duffney]

You are correct. :) I normally generate my own token so I don't have to mess with org permissions or publishing to the org vs the repo for packages. But I've switched it to use the github_token so we don't have go worry about generating one for this project. Thank you for calling that out.

[robert-cronin]

I think TempDir() points to a single static folder, could this result in multiple mcp-server containers reading/writing to the same vex document? If so, perhaps we can create a new dir for it with os.MkdirTemp()?

[duffney]

Good call, I'll make that change. :) Thanks for the suggestion!