MCP server that provides container image vulnerability scanning and remediation capabilities through Root.io.
11 Tools
Version 4.43 or later needs to be installed to add the server automatically
Tools
Name | Description |
---|---|
create_registry_integration | Creates a registry integration within the Root system. The integration will be used to pull images for remediation and to push the resulting image with a new tag. Use this tool if the user wants to remediate an image from a registry they haven't integrated before. This tool uses a wizard approach to guide users through the setup process. Suggest using this tool if the user requests to remediate a private image that has no registry integration. |
get_image_remediation | Retrieves image remediation for a given image_remediation_id (imgrmd_...). Provides detailed information about the remediation step, including the list of packages that were upgraded and the FQIN of the resulting remediated image, or alternatively the patching decision, which might be not to patch, together with the reason. IMPORTANT NOTE: image remediation should ALWAYS be fetched together with get_remediation_continuity_summary to provide a report at the end of every remediation process. |
get_remediation_continuity_summary | Get remediation continuity summary for a specific FQIN showing aggregated fixes and vulnerability trends over time. This includes the number of root patches and upstream upgrades applied, as well as vulnerability counts by severity from the first tag ever remediated to the last tag remediated of this image. NOTE: This tool should be called after using the list_unique_fqins tool to get the exact FQIN. |
get_remediation_details_by_scan_id | Gets the remediation details for a given scan ID, focusing mainly on the packages that were upgraded / patched by Root and the resulting image name to use with docker pull. IMPORTANT NOTE: image remediation should ALWAYS be fetched together with get_remediation_continuity_summary to provide a report at the end of every remediation process. |
get_remediation_status | Get detailed status and results of an image remediation process. Use the remediation_id returned from 'trigger_remediation' tool. PROCESS STEPS: 'pulling' → 'scanning' → 'evaluating' → 'remediating' → 'rescanning' → 'pushing' → 'completed'. PROCESS STATUS: 'in_progress', 'completed', 'failed'. SCAN STATUS: 'scan_status_pending', 'scan_status_running', 'scan_status_completed', 'scan_status_failed'. Poll this endpoint to track progress and get final results including remediated image details. |
get_user_info | Get current user information including organization details. ESSENTIAL FIRST TOOL: Call this tool at the start of every session to get the organization_id required by most other tools. Returns user profile with organization memberships, roles, and access details. The organization_id from this response should be used in subsequent tool calls like registries_credentials_list, trigger_remediation, and get_remediation_status. |
list_remediation_continuity_summaries | List all remediation continuity summaries for an organization showing aggregated fixes and vulnerability trends for all FQINs. This provides an overview of all images that have been remediated in the organization, including the number of root patches and upstream upgrades applied, as well as vulnerability counts by severity for each image. NOTE: This tool should be called after using the list_unique_fqins tool to get the exact FQIN. |
list_unique_fqins | List all unique FQINs (fully qualified image names) for an organization. This returns a list of all unique image names that have been processed for remediation in the organization. Use this to discover which images are available for continuity summary analysis. |
ping | Health check endpoint that returns server status and timestamp |
registries_credentials_list | List all private registry credentials for an organization. WORKFLOW: First call 'get_user_info' to get organization_id, then use this tool to get creds_id values needed for triggering image remediation processes. Each credential entry includes an ID that can be used with the trigger_remediation tool to authenticate access to private registries containing the images to be remediated. |
trigger_remediation | Trigger an asynchronous image remediation process for a container image. WORKFLOW: 1) First use 'get_user_info' to get organization_id. 2) Use 'registries_credentials_list' to get available creds_id values for private registry access. 3) Then use this tool to start remediation. PROCESS: Scans image for vulnerabilities → Creates SBOM → Evaluates OS/arch support → Applies security patches → Rescans → Pushes remediated image to registry. Returns a remediation_id for status tracking with 'get_remediation_status' tool. |
Manual installation
You can install the MCP server using:
Installation for