
SBOMApp SBOM Generator & Vulnerability Scanner
Wire SBOM generation and dependency vulnerability scans into your agent so you can audit a repo before release without leaving Claude Code or Cursor.
Overview
SBOMApp (sbom-mcp) is an MCP server for the Ship phase that generates SBOMs, scans dependency vulnerabilities, and analyzes dependency graphs from local or Git-backed projects.
What is this MCP server?
- Generate SBOMs from local project paths or Git repository sources
- Scan dependencies for vulnerabilities alongside dependency graph analysis
- Remote streamable-http MCP at https://mcp.sbomapp.com/mcp (v1.1.0)
- Bearer API key authentication—keys issued at https://sbomapp.com
- MCP integration for agents, not a standalone CLI you run outside the catalog workflow
- MCP server version 1.1.0 (schema 2025-12-11)
- Single documented remote: https://mcp.sbomapp.com/mcp (streamable-http)
- Repository source: github.com/mcpsbom/sbomapp-mcp-server
What problem does it solve?
You cannot confidently ship when you do not know what is in your dependency tree or whether known CVEs are hiding in packages you never opened manually.
Who is it for?
Indie builders preparing a release, opening a security-focused PR, or documenting third-party components for compliance without spinning up a separate SBOM-only desktop app.
Skip if: Teams that already enforce SBOM and SCA only in locked-down CI with no agent access, or builders who need interactive pentesting rather than dependency supply-chain analysis.
What do I get? / Deliverables
After you add the MCP remote and API key, your agent can produce SBOMs and vulnerability-oriented dependency reports you can attach to release checklists or follow-up fixes.
- Generated SBOM artifacts for the analyzed project or repository
- Vulnerability-oriented findings tied to declared dependencies
- Dependency structure analysis usable in release or security review notes
Journey fit
Supply-chain checks belong in Ship because solo builders need SBOMs and vuln signals before they tag a release, open a PR for production, or hand artifacts to users. Security is the canonical shelf for SBOM output and CVE-style dependency scanning rather than generic dev tooling or post-launch analytics.
How it compares
Remote MCP security integration for SBOM and dependency scanning, not an in-repo Claude skill or a generic package manager UI.
Common Questions / FAQ
Who is SBOMApp sbom-mcp for?
Solo builders and small teams using MCP-enabled agents who want SBOM generation and dependency vulnerability analysis from local folders or Git repos during Ship and ongoing maintenance.
When should I use sbom-mcp?
Use it before tagging a release, after large dependency upgrades, or when you need a citable SBOM and vuln snapshot without leaving your agent session.
How do I add sbom-mcp to my agent?
Register the streamable-http remote https://mcp.sbomapp.com/mcp in your MCP client, set the Authorization header to a Bearer token from https://sbomapp.com, then invoke the server's SBOM and scan tools from Claude Code, Cursor, or compatible hosts.