Skip to main content

2 posts tagged with "DevOps"

DevOps tools, infrastructure, and automation

View All Tags

Container CVE Triage: Local Scans, Three Buckets, and Explainable Policies

· 5 min read
MCPBundles

TL;DR

  • Vulnerability Intelligence runs Trivy on your Mac via Desktop, enriches with NVD + CISA KEV + EPSS, and buckets every CVE into exploit priority / patch today / defer — each row includes a plain-English reason.
  • On our own bases (June 2026 scans): python:3.13-slim has 46 unique CVEs and 0 patch-today rows under balanced ( 2 under permissive_patches ); node:20-slim has 97 unique CVEs and 29 patch-today rows — same scanner, different nightly workload.
  • Built for security and platform teams who already have Trivy output and need shared rules across client images, not another dashboard that dumps CVSS-sorted noise.

Picture Monday after a base-image rebuild. Trivy finished overnight. The spreadsheet has 103 rows before anyone's had coffee. That's the moment this post is about — not picking Wiz over Snyk, but agreeing what actually patches tonight.

In April we open-sourced an MCP server that combines NIST NVD, CISA KEV, and EPSS into a composite risk score. That solved ranking — why a CVSS 5.0 in active ransomware campaigns should beat a CVSS 9.8 nobody is exploiting.

The next bottleneck is operations: your scanner still dumps hundreds of rows, and every team reinvents spreadsheet triage. Paste-JSON workflows do not scale when you run ten client images a week.

We shipped a hosted path that closes the loop: Desktop runs Trivy on your machine, the cloud enriches findings, and scan_triage buckets every CVE with a bucket_reason you can tune via policy presets.

Try Vulnerability Intelligence on MCPBundles — or keep reading for the bucketing rules and real numbers from our own Dockerfiles.

SonarCloud with AI: Code Quality Workflows That Start at the Gate

· 5 min read
MCPBundles

TL;DR

  • The SonarCloud MCP server reads your connected tenant — orgs, projects, issues, gates, hotspots, measures — from chat instead of five SonarCloud tabs before standup.
  • Built for the questions that land minutes before deploy: gate status on main, blockers still open, hotspots waiting for human review, which PR failed analysis last night.
  • Engineering leads, platform engineers, and security champions who already run SonarCloud in CI but hate exporting lists when someone asks in Slack.

SonarCloud is good at being the quality record for a repo. It is less good at being the place you answer when the question arrives in a thread two minutes before deploy.

That question rarely stays inside one screen. Standup wants open blockers across services. Release management wants gate status on main plus coverage and vulnerability counts. Security review wants hotspots still marked TO_REVIEW — not the automatic issue list. Platform wants to know whether last night's pull request analysis passed before someone merges anyway.

None of that is "learn to prompt better." It is normal release work that cuts across projects, and the SonarCloud UI was built for people who live inside it all day.

The SonarCloud MCP server on MCPBundles connects your SonarCloud account to the agent host you already use so those cross-project questions get answered in the thread where the decision is happening.

Cartoon illustration of a code quality dashboard with green and red quality gates, bug icons, and security shields on colorful developer screens