pinner-mcp

@safedep12

Model Context Protocol (MCP) server to pin components to their immutable version

MCP

dependency

security

docker

github-actions

immutable

Pinner MCP 📍

A Model Context Protocol (MCP) server that can help pin 3rd party dependencies to immutable digests. Supported dependency types include:

Docker base images
GitHub Actions

Pinner MCP

📦 Usage

Run as a container with stdio transport.

docker run -it --rm ghcr.io/safedep/pinner-mcp:latest

💻 VS Code

Add the following to your .vscode/mcp.json file in your workspace. You must have the GitHub Copilot extension installed and enabled.

{
  "servers": {
    "pinner-mcp": {
      "type": "stdio",
      "command": "docker",
      "args": ["run", "--rm", "-i", "ghcr.io/safedep/pinner-mcp:latest"]
    }
  }
}

Use GitHub Copilot Chat with prompts like:

Pin GitHub Actions to their commit hash

Pin container base images to digests

To update pinned versions, you can use a prompt like the following:

Update pinned versions of container base images

💻 Cursor

Add the following to your .cursor/mcp.json file. You must enable the MCP server in the settings. Learn more here.

{
  "mcpServers": {
    "pinner-mcp-stdio-server": {
      "command": "docker",
      "args": ["run", "--rm", "-i", "ghcr.io/safedep/pinner-mcp:latest"]
    }
  }
}

Use a Composer prompt like the following to pin a specific commit hash.

Pin GitHub Actions to their commit hash

Pin container base images to digests

To update pinned versions, you can use a prompt like the following.

Update pinned versions of container base images

🔄 Tool Updates

Updates for the MCP server are automatically pushed to the latest tag on GitHub Container Registry. You must manually update your local container image to the latest version.

docker pull ghcr.io/safedep/pinner-mcp:latest

🔧 Development

Building Locally

For local development on this project, build the container image locally:

docker build -t pinner-mcp:local .

The .vscode/mcp.json and .cursor/mcp.json files in this repository are configured to use the local image (pinner-mcp:local) for development and testing of unpublished changes.

After building locally, you can use VS Code or Cursor with GitHub Copilot as described in the usage sections above.

📚 References

Originally built to protect vet from malicious GitHub Actions
mcp-go is a great library for building MCP servers
Built and maintained by SafeDep Engineering

Transport:

stdio

Language:

Created: 3/22/2025

Updated: 3/21/2026

Homepage:

https://github.com/safedep/pinner-mcp

Recommend MCP Servers 💡

@zephyr-mcp/gitlab

ZephyrDeng

A GitLab integration MCP server providing RESTful API tools for tasks like merge requests and project searches.

2025-04-09

@modelcontextprotocol/server-svgl

sam-trost

An MCP server implementation that processes SVG content using SVGL (Scalable Vector Graphics Language), providing validation and repository access capabilities.

2025-04-25

srcgrp/sentry-mcp-server

srcgrp

Integrates Sentry error tracking into MCP-enabled environments, providing access to release health data and issue details.

2025-04-12

proxymock

Speedscale

An MCP server built into proxymock that enables Agent-based LLM tools to interact with proxymock for recording API/Database calls, generating tests, and creating service mocks.

2025-07-31