From fadc0e56073e49ddf820486441a47e21d6daa478 Mon Sep 17 00:00:00 2001
From: S3B4SZ17
Date: Fri, 3 Oct 2025 10:37:45 -0600
Subject: [PATCH] fix: Updating the tools permissions and updated docs to reflect minimum permissions

Signed-off-by: S3B4SZ17
---
 .pre-commit-config.yaml | 4 ++--
 README.md | 28 +++++++++++++++++++++++++++-
 pyproject.toml | 2 +-
 utils/sysdig/helpers.py | 4 ++--
 uv.lock | 4 ++--
 5 files changed, 34 insertions(+), 8 deletions(-)

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index e719b6e..072185c 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -6,10 +6,10 @@ repos:
 description: Format code with ruff.
 entry: make fmt
 language: system
- stages: ["commit", "push"]
+ stages: ["pre-commit", "pre-push"]
 - id: ruff-check
 name: Ruff Check
 description: Check code style with ruff.
 entry: make lint
 language: system
- stages: ["commit", "push"]
+ stages: ["pre-commit", "pre-push"]
diff --git a/README.md b/README.md
index 3f62b69..831eb6a 100644
--- a/README.md
+++ b/README.md
@@ -17,9 +17,9 @@
 - [Requirements](#requirements)
 - [UV Setup](#uv-setup)
 - [Configuration](#configuration)
+ - [API Permissions](#api-permissions)
 - [Running the Server](#running-the-server)
 - [Docker](#docker)
- - [K8s Deployment](#k8s-deployment)
 - [UV](#uv)
 - [Client Configuration](#client-configuration)
 - [Authentication](#authentication)
@@ -157,6 +157,32 @@ You can find your API token in the Sysdig Secure UI under **Settings > Sysdig Se
 You can set these variables in your shell or in a `.env` file.
+### API Permissions
+
+The minimum permissions needed for the tools to make the necessary API calls are the following:
+
+```bash
+"cli-scanner": ["secure.vm.cli-scanner.exec"],
+"threat-detection": ["policy-events.read"],
+"sysql": ["sage.exec","risks.read"],
+```
+
+We advise you to create a separate role for your MCP server ideally a SA. More information on the official [doc for roles-administration](https://docs.sysdig.com/en/administration/roles-administration/) and how to attach it to the SA and/or team user.
+
+The permissions needed for the Secure platform are:
+
+- Threats: "Policy Events" Read
+- Risks: "Access to risk feature" Read
+- Vulnerability Management: "CLI Execution" EXEC
+- Settings: "API Access Token" View, Read, Edit
+- Sage: "Use Sage chat" EXEC
+
+When selecting the above some other permissions dependent will be added.
+
+>[!IMPORTANT]
+> When using a SA token is expected that the `generate_and_run_sysql` will give a 500 error, to use that tool you should use a token assigned to a user for now.
+
+
 ## Running the Server
 You can run the MCP server using either Docker, `uv` or install it in your K8s cluster with helm.
diff --git a/pyproject.toml b/pyproject.toml
index 56f31c0..f747b30 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "sysdig-mcp-server"
-version = "0.3.0"
+version = "0.3.1"
 description = "Sysdig MCP Server"
 readme = "README.md"
 requires-python = ">=3.12"
diff --git a/utils/sysdig/helpers.py b/utils/sysdig/helpers.py
index a211dc0..c1e163e 100644
--- a/utils/sysdig/helpers.py
+++ b/utils/sysdig/helpers.py
@@ -5,6 +5,6 @@
 # Sysdig permissions needed for the different set of tools
 TOOL_PERMISSIONS = {
 "cli-scanner": ["secure.vm.cli-scanner.exec"],
- "threat-detection": ["custom-events.read"],
- "sysql": ["sage.exec", "sage.manage.exec"],
+ "threat-detection": ["policy-events.read"],
+ "sysql": ["sage.exec", "risks.read"],
 }
diff --git a/uv.lock b/uv.lock
index c6961dc..2eaca92 100644
--- a/uv.lock
+++ b/uv.lock
@@ -1,5 +1,5 @@
 version = 1
-revision = 3
+revision = 2
 requires-python = ">=3.12"
 [[package]]
@@ -1368,7 +1368,7 @@ wheels = [
 [[package]]
 name = "sysdig-mcp-server"
-version = "0.3.0"
+version = "0.3.1"
 source = { editable = "." }
 dependencies = [
 { name = "dask" },
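Review bot: The comment above `TOOL_PERMISSIONS` in utils/sysdig/helpers.py does not say whether a token must hold every permission in a list or only one of them, and with `sysql` now pairing `sage.exec` with `risks.read` that rule decides how wide the role has to be; the code that consumes the table is outside this hunk. The same three entries are also copied by hand into the README's new "API Permissions" block, so the documented least-privilege role can drift from what the server actually checks. I would extend the comment to something like `# Minimum Sysdig permissions per tool group; README "API Permissions" must list the same values.` and add a line stating the all-of/any-of rule once it is confirmed against the caller. The README additionally asks for "API Access Token" View, Read, Edit, which has no entry in this table, so it is worth confirming that Edit is really required for a service account before recommending it as part of the minimum role.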