Pinner MCP

What is Pinner MCP?

Pinner MCP is a Model Context Protocol (MCP) server that helps to pin third-party dependencies, specifically GitHub Actions and Docker base images, to their immutable SHA hashes or digests. This process prevents supply chain attacks by ensuring that the exact, verified versions of these dependencies are always used.

How to use Pinner MCP?

Pinner MCP can be run as a container. Users can integrate it with tools like Cursor by adding specific configurations to their .cursor/mcp.json file. Once configured, users can leverage Composer prompts to pin GitHub Actions to commit hashes or container base images to digests. To update pinned versions, specific prompts can also be used.

Key Features of Pinner MCP

• Dependency Pinning: Supports pinning of Docker base images and GitHub Actions.
• Supply Chain Security: Mitigates supply chain attacks by enforcing immutable dependency versions.
• Containerized Deployment: Easily deployable as a Docker container.
• Integration with Cursor: Seamless integration with Cursor for automated pinning.
• Automatic Updates: Updates are pushed to GitHub Container Registry, requiring manual pull to update local images.

Use Cases of Pinner MCP

• Securing CI/CD Pipelines: Ensures that GitHub Actions used in CI/CD workflows are immutable and verified.
• Enhancing Container Security: Guarantees that Docker base images are pinned to specific, trusted digests, preventing unexpected changes.
• Preventing Supply Chain Attacks: A core tool for organizations looking to harden their software supply chain against malicious injections or tampering.
• Automated Dependency Management: Automates the process of securing third-party dependencies within development workflows.

FAQ from Pinner MCP

• How do I update Pinner MCP? Updates are automatically pushed to the latest tag on GitHub Container Registry. You need to manually pull the latest Docker image to update your local container: docker pull ghcr.io/safedep/pinner-mcp:latest.
• What types of dependencies can Pinner MCP pin? Currently, Pinner MCP supports pinning Docker base images and GitHub Actions.
• How does Pinner MCP integrate with development environments? It can be integrated with tools like Cursor by configuring the .cursor/mcp.json file and using Composer prompts for pinning and updating dependencies.

Pinner MCP 📍

A Model Context Protocol (MCP) server that can help pin 3rd party dependencies to immutable digests. Supported dependency types include:

• Docker base images
• GitHub Actions

📦 Usage

Run as a container with stdio transport.

docker run -it --rm ghcr.io/safedep/pinner-mcp:latest

💻 Cursor

Add the following to your .cursor/mcp.json file. You must enable the MCP server in the settings. Learn more here.

{
  "mcpServers": {
    "pinner-mcp-stdio-server": {
      "command": "docker",
      "args": [
        "run",
        "--rm",
        "-i",
        "ghcr.io/safedep/pinner-mcp:latest"
      ]
    }
  }
}

Use a Composer prompt like the following to pin a specific commit hash.

Pin GitHub Actions to their commit hash

Pin container base images to digests

To update pinned versions, you can use a prompt like the following.

Update pinned versions of container base images

🔄 Tool Updates

Updates for the MCP server are automatically pushed to the latest tag on GitHub Container Registry. You must manually update your local container image to the latest version.

docker pull ghcr.io/safedep/pinner-mcp:latest

📚 References

• Originally built to protect vet from malicious GitHub Actions
• mcp-go is a great library for building MCP servers
• Built and maintained by SafeDep Engineering