MCP server that provides container image vulnerability scanning and remediation capabilities through Root.io.
Version 4.43 or later needs to be installed to add the server automatically
About
| Attribute | Details |
|---|---|
| Docker Image | mcp/root |
| Author | rootio-avr |
| Repository | https://github.com/rootio-avr/mcp-proxy |
| Dockerfile | https://github.com/rootio-avr/mcp-proxy/blob/main/Dockerfile |
| Docker Image built by | Docker Inc. |
| Verify Signature | `COSIGN_REPOSITORY=mcp/signatures cosign verify mcp/root --key https://raw.githubusercontent.com/docker/keyring/refs/heads/main/public/mcp/latest.pub` |
| Licence | MIT License |
| Tools provided by this Server | Short Description |
|---|---|
| create_registry_integration | Creates a registry integration within the Root system. |
| get_image_remediation | Retrieves image remediation for a given image_remediation_id (imgrmd_...). |
| get_remediation_continuity_summary | Get the remediation continuity summary for a specific FQIN, showing aggregated fixes and vulnerability trends over time. |
| get_remediation_details_by_scan_id | Gets the remediation details for a given scan ID, focusing on the packages that were upgraded or patched by Root and the resulting image name to use with docker pull. |
| get_remediation_status | Get detailed status and results of an image remediation process. |
| get_user_info | Get current user information including organization details. |
| list_remediation_continuity_summaries | List all remediation continuity summaries for an organization, showing aggregated fixes and vulnerability trends for all FQINs. |
| list_unique_fqins | List all unique FQINs (fully qualified image names) for an organization. |
| ping | Health check endpoint that returns server status and timestamp. |
| registries_credentials_list | List all private registry credentials for an organization. |
| trigger_remediation | Trigger an asynchronous image remediation process for a container image. |
create_registry_integration
Creates a registry integration within the Root system. The integration is used to pull images for remediation and to push the resulting image with a new tag. Use this tool if the user wants to remediate an image from a registry they have not integrated before. This tool uses a wizard approach to guide users through the setup process. Suggest this tool if the user requests remediation of a private image that has no registry integration yet.

| Parameters | Type | Description |
|---|---|---|
| display_name | string | A convenient, informative name for this registry integration (e.g., 'backend_dockerhub_prod') |
| organization_id | string | The organization ID to create the registry integration for |
| registry | string | The registry type to integrate with. Options: dockerhub, ghcr, gitlab, ecr, gar, sonatype_nexus, quay, acr |
| test_image | string | An image used to test the connection to the registry (it must exist in the registry but will not be remediated) |
| access_key_id | string (optional) | AWS Access Key ID for ECR registry |
| account_service_key_file | string (optional) | Google Cloud Service Account Key File (JSON string) for GAR registry |
| client_id | string (optional) | Azure Client ID for ACR registry |
| client_secret | string (optional) | Azure Client Secret for ACR registry |
| personal_access_token | string (optional) | Personal Access Token for registries that use PAT authentication (DockerHub, GHCR, GitLab, Sonatype Nexus, Quay) |
| region | string (optional) | AWS Region for ECR registry |
| role_arn | string (optional) | AWS Role ARN for ECR registry using an assumed role |
| secret_key | string (optional) | AWS Secret Key for ECR registry |
| username | string (optional) | Username for registries that use Personal Access Token authentication (DockerHub, GHCR, GitLab, Sonatype Nexus, Quay) |
This tool may perform destructive updates.
This tool interacts with external entities.
get_image_remediation
Retrieves image remediation for a given image_remediation_id (imgrmd_...). Provides detailed information about the remediation step, including the list of packages that were upgraded and the FQIN of the resulting remediated image, or alternatively the patching decision, which may be a decision not to patch, together with the reason. IMPORTANT NOTE: image remediation should ALWAYS be fetched together with get_remediation_continuity_summary to provide a report at the end of every remediation process.

| Parameters | Type | Description |
|---|---|---|
| image_remediation_id | string | The image remediation ID to retrieve details for |
| organization_id | string | The organization ID that owns the image remediation. Get this from the 'get_user_info' tool. |
This tool may perform destructive updates.
This tool interacts with external entities.
get_remediation_continuity_summary
Get remediation continuity summary for a specific FQIN showing aggregated fixes and vulnerability trends over time. This includes the number of root patches and upstream upgrades applied, as well as vulnerability counts by severity from the first tag ever remediated to the last tag remediated of this image. NOTE: This tool should be called after using the list_unique_fqins tool to get the exact FQIN.
| Parameters | Type | Description |
|---|---|---|
| organization_id | string | The organization ID that owns the images. Get this from the 'get_user_info' tool. |
| untagged_fqin | string | The fully qualified image name without tag (e.g., 'docker.io/library/ubuntu') |
This tool may perform destructive updates.
This tool interacts with external entities.
get_remediation_details_by_scan_id
Gets the remediation details for a given scan ID, focusing on the packages that were upgraded or patched by Root and the resulting image name to use with docker pull. IMPORTANT NOTE: image remediation should ALWAYS be fetched together with get_remediation_continuity_summary to provide a report at the end of every remediation process.

| Parameters | Type | Description |
|---|---|---|
| organization_id | string | The organization ID that owns the image remediations. Get this from the 'get_user_info' tool. |
| scan_id | string | Required scan ID to get remediation details for a specific scan |
This tool may perform destructive updates.
This tool interacts with external entities.
get_remediation_status
Get detailed status and results of an image remediation process. Use the remediation_id returned from 'trigger_remediation' tool. PROCESS STEPS: 'pulling' → 'scanning' → 'evaluating' → 'remediating' → 'rescanning' → 'pushing' → 'completed'. PROCESS STATUS: 'in_progress', 'completed', 'failed'. SCAN STATUS: 'scan_status_pending', 'scan_status_running', 'scan_status_completed', 'scan_status_failed'. Poll this endpoint to track progress and get final results including remediated image details.
| Parameters | Type | Description |
|---|---|---|
| organization_id | string | The organization ID that owns the remediation. Get this from the 'get_user_info' tool. |
| remediation_id | string | The remediation ID returned from the 'trigger_remediation' tool |
This tool may perform destructive updates.
This tool interacts with external entities.
get_user_info
Get current user information including organization details. ESSENTIAL FIRST TOOL: Call this tool at the start of every session to get the organization_id required by most other tools. Returns user profile with organization memberships, roles, and access details. The organization_id from this response should be used in subsequent tool calls like registries_credentials_list, trigger_remediation, and get_remediation_status.
list_remediation_continuity_summaries
List all remediation continuity summaries for an organization showing aggregated fixes and vulnerability trends for all FQINs. This provides an overview of all images that have been remediated in the organization, including the number of root patches and upstream upgrades applied, as well as vulnerability counts by severity for each image. NOTE: This tool should be called after using the list_unique_fqins tool to get the exact FQIN.
| Parameters | Type | Description |
|---|---|---|
| organization_id | string | The organization ID that owns the images. Get this from the 'get_user_info' tool. |
This tool may perform destructive updates.
This tool interacts with external entities.
list_unique_fqins
List all unique FQINs (fully qualified image names) for an organization. This returns a list of all unique image names that have been processed for remediation in the organization. Use this to discover which images are available for continuity summary analysis.
| Parameters | Type | Description |
|---|---|---|
| organization_id | string | The organization ID that owns the images. Get this from the 'get_user_info' tool. |
This tool may perform destructive updates.
This tool interacts with external entities.
ping
Health check endpoint that returns server status and timestamp.
registries_credentials_list
List all private registry credentials for an organization. WORKFLOW: First call 'get_user_info' to get organization_id, then use this tool to get creds_id values needed for triggering image remediation processes. Each credential entry includes an ID that can be used with the trigger_remediation tool to authenticate access to private registries containing the images to be remediated.
| Parameters | Type | Description |
|---|---|---|
| organization_id | string | The organization ID to list credentials for. Get this from the 'get_user_info' tool. |
This tool may perform destructive updates.
This tool interacts with external entities.
trigger_remediation
Trigger an asynchronous image remediation process for a container image. WORKFLOW: 1) First use 'get_user_info' to get organization_id. 2) Use 'registries_credentials_list' to get available creds_id values for private registry access. 3) Then use this tool to start remediation. PROCESS: Scans image for vulnerabilities → Creates SBOM → Evaluates OS/arch support → Applies security patches → Rescans → Pushes remediated image to registry. Returns a remediation_id for status tracking with 'get_remediation_status' tool.
| Parameters | Type | Description |
|---|---|---|
| image_name | string | Full image name including registry, repository, and tag (e.g., 'registry.com/repo/image:tag') |
| organization_id | string | The organization ID that owns the image and credentials. Get this from the 'get_user_info' tool. |
| arch | string (optional) | Target architecture (e.g., 'amd64', 'arm64'). Auto-detected if not specified. |
| creds_id | string (optional) | Registry credential ID from the 'registries_credentials_list' tool. Required for private registries; SHOULD NOT be provided for public images. |
This tool may perform destructive updates.
This tool interacts with external entities.
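The trigger_remediation and get_remediation_status workflow above, as an added example that is not code from the mcp/root project: a client-side poll loop that treats the documented step sequence as forward-only and stops on the terminal statuses. It assumes the MCP client is wrapped as `call_tool(name, arguments)` returning a dict, and that the reply exposes the documented step and status values under the hypothetical keys `process_status` and `process_step`; the sample replies are constructed.

```python
"""Poll get_remediation_status until a remediation reaches a terminal state.

Added example, not code from the mcp/root project. Assumes an MCP client wrapped
as call_tool(name, arguments) -> dict whose reply carries the documented values
under 'process_status' and 'process_step' (hypothetical key names).
"""
import time

# Value vocabularies quoted from the get_remediation_status description.
PROCESS_STEPS = ["pulling", "scanning", "evaluating", "remediating",
                 "rescanning", "pushing", "completed"]
VALID_STATUS = {"in_progress", "completed", "failed"}

class RemediationError(RuntimeError):
    """The run failed or the server reported an inconsistent state."""

def poll_remediation(call_tool, organization_id, remediation_id,
                     interval=5.0, max_polls=120, sleep=time.sleep):
    """Return the final payload; raise on failure, step regression or timeout."""
    args = {"organization_id": organization_id, "remediation_id": remediation_id}
    last_step = -1
    for _ in range(max_polls):
        reply = call_tool("get_remediation_status", args)
        status, step = reply.get("process_status"), reply.get("process_step")
        if status not in VALID_STATUS or step not in PROCESS_STEPS:
            raise RemediationError(f"unexpected state {status!r}/{step!r}")
        idx = PROCESS_STEPS.index(step)
        if idx < last_step:
            # Steps are documented as forward-only; going backwards means the id no longer names our run.
            raise RemediationError(f"step regressed to {step!r}")
        last_step = idx
        if status == "failed":
            raise RemediationError(f"remediation failed while {step}")
        if status == "completed":
            return reply
        sleep(interval)
    raise TimeoutError(f"{remediation_id} not finished after {max_polls} polls")

def replay(responses):
    """Constructed stand-in for an MCP client: hands out canned replies in order."""
    queue = list(responses)
    return lambda name, arguments: queue.pop(0)

# Constructed sample runs; the image name follows the page's placeholder format.
SAMPLE_OK = [{"process_status": "in_progress", "process_step": s}
             for s in PROCESS_STEPS[:-1]] + [
    {"process_status": "completed", "process_step": "completed",
     "remediated_image": "registry.com/repo/image:tag-remediated"}]
SAMPLE_FAIL = SAMPLE_OK[:2] + [{"process_status": "failed", "process_step": "evaluating"}]
```

Calling `poll_remediation(replay(SAMPLE_OK), org_id, remediation_id, sleep=lambda s: None)` returns the final reply carrying the remediated image name, while `SAMPLE_FAIL` raises `RemediationError` at the 'evaluating' step.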
Manual installation
You can install the MCP server using the following client configuration. Replace sk_your_access_token with your Root.io API access token; the `-e API_ACCESS_TOKEN` argument (given without a value) forwards the variable from the client's environment into the container rather than placing the token on the docker command line.

```json
{
  "mcpServers": {
    "root": {
      "command": "docker",
      "args": [
        "run",
        "-i",
        "--rm",
        "-e",
        "API_ACCESS_TOKEN",
        "mcp/root"
      ],
      "env": {
        "API_ACCESS_TOKEN": "sk_your_access_token"
      }
    }
  }
}
```