Kubescape CLI as an MCP Server in Cursor
Kubescape exposes its Kubernetes security findings through an MCP (Model Context Protocol) server bundled inside the CLI. When you register this server in Cursor or Claude Desktop, the IDE can query live vulnerability and configuration data directly from your connected clusters.
High Level Diagram
flowchart LR
subgraph IDE["Cursor / Claude Desktop"]
UI["Chat / Tooling Panel"]
MCPClient["MCP Client Runtime"]
end
UI -->|MCP request| MCPClient
MCPClient -->|stdio| KubescapeCLI
subgraph KubescapeCLIGroup["Kubescape CLI"]
KubescapeCLI["kubescape mcpserver"]
MCPHandlers["Tool & Resource Handlers"]
end
KubescapeCLI -->|Go MCP server| MCPHandlers
MCPHandlers -->|client-go / protobuf| KubeAPI["Kubernetes API Server"]
KubeAPI -->|CRD reads| KubescapeCRDs["Kubescape CRDs\nVulnerabilityManifest\nWorkloadConfigurationScan"]
subgraph Cluster["Kubernetes Cluster"]
KubescapeOperator["Kubescape Operator"]
KubescapeOperator -->|publishes| KubescapeCRDs
KubeAPI
end
classDef grey fill:#f5f5f5,stroke:#ccc,color:#333;
classDef blue fill:#e8f1fb,stroke:#337ab7,color:#1a4876;
class IDE blue
class MCPClient,KubescapeCLI,MCPHandlers grey
class Cluster bluePrerequisites
kubescapeCLI (a release that includes themcpservercommand,beyondv3.0.44`).- Cursor version or Claude Desktop with MCP support enabled
- Reachable Kubernetes cluster with the Kubescape operator deployed and actively writing
VulnerabilityManifestandWorkloadConfigurationScanresources. - Local credentials for the cluster (
KUBECONFIGor in-cluster context) allowing read access to Kubescape CRDs.
Setup Steps
-
Install Kubescape CLI
-
Register the server in Cursor Add (or update) your
Restart Cursor or Claude Desktop to pick up the new MCP integration..cursor/mcp.jsonconfiguration:
Available MCP Tools
list_vulnerability_manifests— Enumerates all vulnerability manifests, filtered bylevel(image,workload, orboth). Returns metadata and template URIs such askubescape://vulnerability-manifests/<ns>/<name>.list_vulnerabilities_in_manifest— Lists CVEs contained within a specific manifest.list_vulnerability_matches_for_cve— Narrows down to workload/image matches for a given CVE.list_configuration_security_scan_manifests— Discovers configuration scan manifests per namespace.get_configuration_security_scan_manifest— Retrieves the full configuration scan payload for a workload.
Each response is returned as JSON text content, ready for follow‑up parsing in Cursor or downstream automations.
Resource Templates
kubescape://vulnerability-manifests/{namespace}/{manifest_name}/cve_list— Provides CVE inventory for a manifest.kubescape://vulnerability-manifests/{namespace}/{manifest_name}/cve_details/{cve_id}— Surfaces match details for a specific CVE.kubescape://configuration-manifests/{namespace}/{manifest_name}— Returns the full configuration scan document.
When Cursor accesses a template URI, the server pulls the corresponding CRD from the cluster and serializes it to JSON.
Operational Notes
- The server disables client-go rate limiting and enforces protobuf content to lower latency to the cluster.
- Namespace defaults: tools assume
kubescapewhen no namespace is supplied, but you can provide a specific namespace in each call. - The MCP server exits when the hosting terminal session closes; restart it before opening Cursor if needed.
Troubleshooting
- Server fails to start: verify the cluster credentials and that the Kubescape CRDs exist (
kubectl api-resources | grep vulnerabilitymanifest). - Empty tool responses: ensure the operator has published manifests and that the namespace filter matches the workloads you expect.
- Cursor cannot reach the server: confirm the binary path in
.cursor/mcp.jsonand that the terminal runningkubescape mcpserveris still active.