Black Duck MCP. Audit open source risks instantly from your IDE.
Works with every AI agent you already use, and any MCP-compatible client.
Just plug in your AI agents and start using Vinkius.
Black Duck (Synopsys) connects your open source supply chain security directly into any AI agent. Check project metadata, audit code dependencies for known CVEs, and track compliance status without leaving your editor.
It gives you a single pane of glass view over all your software assets and licenses.
What your AI agents can do
Get bom status
Checks if a project's Bill of Materials (BOM) calculation is up to date for a specific version.
Get project
Retrieves detailed metadata about one specific software project by name or ID.
Get vulnerability details
Fetches the precise technical details for a known CVE or vulnerability identifier.
Find specific projects by name or browse the entire catalog of known Black Duck projects.
Retrieve deep details about a specific software project, including its current status and versions.
List all known vulnerabilities (CVEs) linked to an entire project's dependency tree for quick risk assessment.
View and audit the exact security policy rules currently defined across your organization’s codebases.
Verify if a project's Bill of Materials (BOM) calculation is current, ensuring up-to-date compliance data for reporting.
Black Duck (Synopsys) MCP - 10 Tools
Use these tools to run specific security audits on projects, check policy status, find vulnerable dependencies, and retrieve project metadata.
Make your AI actually useful.
Add this MCP to Claude, Cursor, or Windsurf and your AI stops guessing. It gets real tools to look things up, take action, and handle the stuff you keep doing by hand.
get_bom_status
Checks if a project's Bill of Materials (BOM) calculation is up to date for a specific version.
get_project
Retrieves detailed metadata about one specific software project by name or ID.
get_vulnerability_details
Fetches the precise technical details for a known CVE or vulnerability identifier.
list_code_locations
Lists every code location (a scanned path or build artifact) mapped into your Black Duck project versions.
list_policy_rules
Retrieves a list of all security and compliance policies defined for the organization.
list_project_versions
Lists every available version for a single project.
list_projects
Returns a complete list of all Black Duck projects managed in the system.
list_users
Lists all user accounts and profiles within the Black Duck platform.
list_vulnerabilities
Lists all identified vulnerabilities for a given project version.
search_projects
Searches and filters the project database based on keywords or partial names.
Choose How to Get Started
Build a custom MCP for your own tools, or connect a ready-made integration from our catalog.
Build Your Own
Turn any API into an MCP. Import a spec, define Agent Skills, or deploy with MCPFusion.
- Import from OpenAPI, Swagger, or YAML specs
- Create Agent Skills with progressive disclosure
- Deploy to edge with MCPFusion framework
- Built in DLP, auth, and compliance on every call
- Real time usage dashboard and cost metering
- Publish to catalog or keep private
Make Your AI Do More
Start with Black Duck (Synopsys), then connect any of our 4,800+ other servers whenever your AI needs more. One click, no limits.
- Use this MCP plus 4,800+ others, all in one place
- Add new capabilities to your AI anytime you want
- Every connection is secured and compliant automatically
- Track usage and costs across all your servers
- Works with Claude, ChatGPT, Cursor, and more
- New servers added to the catalog every week
Independent Platform Disclaimer: Vinkius is an independent platform and is not affiliated with, endorsed by, sponsored by, verified by, or otherwise authorized by Black Duck (Synopsys). All third-party trademarks, logos, and brand names are the property of their respective owners. Their use on this website is strictly for informational purposes to identify service compatibility and interoperability.
VINKIUS INFRASTRUCTURE
- Cloud Hosted: managed infra
- V8 Isolated: sandboxed per request
- Zero-Trust Proxy: no stored credentials
- DLP Enforced: policy on every call
- GDPR Compliant: EU data residency
- Token Compression: ~60% cost reduction
Works with Claude, ChatGPT, Cursor, and more
The Model Context Protocol standardizes how applications expose capabilities to LLMs. Instead of operating in isolation, your AI gains direct access to external platforms, live data, and real-world actions through secure, standardized connections.
This server provides 10 capabilities that interface natively with Claude, ChatGPT, Cursor, and any MCP client. No middleware. No custom integration required.
Manual audits force you into a cycle of dashboards and exports.
Today, checking open-source risk means navigating multiple tabs: first finding the project, then listing all versions to see which build is vulnerable, then exporting that list to Excel so your team can manually cross-reference against policy rules. It's slow and prone to copy/paste errors.
With this MCP, you tell your agent what you need, for example 'List all projects with critical CVEs.' The agent runs the sequence of tool calls for you (list_projects, then list_project_versions, then list_vulnerabilities for each version) and hands back a clean, actionable list with no manual cleanup. Under the hood it is still one vulnerability query per project version, so scope the request to the projects you actually care about when the catalog is large.
Using `list_project_versions` for precise tracking.
Previously, if you wanted to check a specific dependency's status, you had to guess which version was the most accurate and then click through several layers of menus just to see a list of available versions. It's guesswork based on UI labels.
Now, running `list_project_versions` gives your agent a definitive, structured list of every single version ID for that project. That precision lets you target vulnerability checks exactly where they need to go.
What you can do with this MCP connector
Managing the risk in modern open-source code is a nightmare if you rely on dashboards. You need to know exactly which projects are vulnerable, what their dependencies are, and whether they meet policy standards—all while moving fast. This MCP lets your AI client talk directly to Black Duck’s core security data.
Instead of exporting reports or clicking through dozens of tabs, you just ask the question: 'What's wrong with Project X?' Your agent handles the complex queries for project versions, vulnerability details, and compliance status immediately. It pulls together all that critical metadata so you can act on it right away.
This capability is hosted and managed by Vinkius, giving your agent access to thousands of specialized connectors across every industry.
How Black Duck MCP Works
- 1 Subscribe to this MCP and enter your Black Duck Instance URL along with the required API Token. Generate that token from a dedicated service account with read-only access: every tool on this page only reads data, and a Black Duck access token inherits the roles of the user who created it, so a read/write token from an administrator grants the agent far more than it needs.
- 2 Connect your preferred AI client or agent through Vinkius's centralized interface.
- 3 Ask your agent a natural language question, such as 'Show me all critical vulnerabilities for Project Alpha'.
The bottom line is you talk to your AI agent, and it executes the complex security checks against Black Duck's live data.
Who Is Black Duck MCP For?
Security Engineers, Compliance Officers, and Backend Developers. If manual dashboard exports are slowing down your incident response or audit cycle, this MCP is for you.
You use it to quickly gather vulnerability data across multiple projects without manually exporting reports from the dashboard.
You rely on it to retrieve summarized policy rules and BOM statuses for mandatory, periodic compliance reporting.
You use it directly from your IDE or terminal to check the security status of a dependency right after writing the code.
What Changes When You Connect
- You get instant status checks. Instead of navigating to a specific project and then checking the compliance tab, you can use `get_bom_status` via natural conversation.
- Stop manual searching for assets. You can run `search_projects` or `list_projects` through your agent to immediately identify all relevant codebases needing review.
- Deep dive into risk. Don't just get a CVE count; you can use `get_vulnerability_details` to pull the exact technical description and severity level for an incident report.
- Streamline auditing. You can audit who has access and what rules are in place by running `list_users` or checking all defined security policies using `list_policy_rules`.
- Get full visibility into scan coverage. Need to know which scans fed a project version's BOM? Use `list_code_locations` to see every scanned location mapped to it.
Real-World Use Cases
Emergency Dependency Audit
A developer realizes a major vulnerability (like Log4Shell, CVE-2021-44228) might be in their service. They ask the agent to identify all affected components by using list_vulnerabilities for the project version, then use list_code_locations to see which scanned locations (repositories or build artifacts) feed that version's BOM, so the right code gets patched and rescanned.
Quarterly Compliance Report
A compliance officer needs assurance that a specific product line adheres to new rules. They use the agent to get policy rule summaries (list_policy_rules) and confirm all necessary BOM data is current using get_bom_status.
New Team Onboarding
A security engineer needs to understand who has access to sensitive code. They simply ask the agent to run through all available user profiles via list_users, getting an immediate inventory of accounts to review without touching the main admin dashboard.
Project Discovery and Scope Creep
A project manager needs a list of every single software product in the company. They ask to run list_projects first, then use get_project on any given name to pull its specific metadata.
The Tradeoffs
Over-relying on the GUI dashboard
A user spends 20 minutes clicking from 'Projects' -> 'Versions' -> 'Vulnerabilities' to find a simple CVE count.
→
Just ask your agent. Ask it to list_vulnerabilities for the specific project version you need. It gets the data instantly.
Treating all vulnerabilities equally
Getting a long list of CVEs and not knowing which ones are critical or what they affect.
→
First, run list_vulnerabilities for the project. Then, pick one specific ID and use get_vulnerability_details to get actionable depth.
Assuming version data is current
Deploying a build without confirming that the Bill of Materials (BOM) has been freshly calculated.
→
Before deployment, run get_bom_status for the version you are shipping. If it does not report the BOM as up to date, the vulnerability and policy results you are about to rely on are stale: rescan, then re-check before deciding.
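The three tradeoffs above, together with the 'List all projects with critical CVEs' request described earlier on this page, are really one procedure: gate on BOM freshness, drop what is already remediated, rank what is left, and only then spend a get_vulnerability_details call on a specific ID. Here is that procedure as an added Python example. It is not code from this page, from Vinkius, from Black Duck, or from the MCP server. It assumes the tool results carry the field names of Black Duck's REST objects for the bom-status and vulnerable-bom-components endpoints (`upToDate`, `componentName`, `componentVersionName`, and a `vulnerabilityWithRemediation` object with `vulnerabilityName`, `severity`, `overallScore`, `remediationStatus`); verify those against your own tool output. The sample records are constructed: CVE-2021-44228 (Log4Shell) and CVE-2021-45046 are real identifiers, CVE-0000-000x are obvious placeholders.

```python
"""Triage Black Duck vulnerability results: gate on BOM freshness, drop what is already
remediated, rank and group the rest, then pick the IDs worth a get_vulnerability_details call.

Added example, not code from the page, Vinkius, Black Duck or the MCP server. The field
names below are assumed to match Black Duck's REST objects (bom-status and
vulnerable-bom-components); verify them against your own tool output.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}
# Remediation states treated as "already handled". Local policy choice, not a Black Duck rule.
RESOLVED_STATUSES = frozenset({"IGNORED", "PATCHED", "REMEDIATION_COMPLETE", "MITIGATED"})


class StaleBomError(RuntimeError):
    """The BOM has not been recalculated for this version; its findings cannot be trusted."""


@dataclass(frozen=True)
class Finding:
    component: str
    version: str
    vuln_id: str
    severity: str
    score: float
    status: str


def parse_findings(vulnerable_components: Iterable[dict]) -> list[Finding]:
    """Flatten vulnerable-bom-components records into one Finding per (component, vulnerability)."""
    findings = []
    for item in vulnerable_components:
        vuln = item["vulnerabilityWithRemediation"]
        findings.append(Finding(
            component=item["componentName"],
            version=item["componentVersionName"],
            vuln_id=vuln["vulnerabilityName"],
            severity=str(vuln.get("severity", "")).upper(),
            score=float(vuln.get("overallScore", 0.0)),
            status=str(vuln.get("remediationStatus", "NEW")).upper(),
        ))
    return findings


def triage(bom_status: dict, vulnerable_components: Iterable[dict],
           min_severity: str = "HIGH") -> dict[str, list[Finding]]:
    """Open findings at or above min_severity, grouped by 'component version';
    groups and findings are both ordered highest score first. Refuses a stale BOM."""
    if not bom_status.get("upToDate", False):
        raise StaleBomError("BOM is not up to date; rescan before acting on these results")
    threshold = SEVERITY_RANK[min_severity.upper()]
    kept = [f for f in parse_findings(vulnerable_components)
            if SEVERITY_RANK.get(f.severity, 0) >= threshold
            and f.status not in RESOLVED_STATUSES]
    grouped: dict[str, list[Finding]] = {}
    for f in sorted(kept, key=lambda f: (-f.score, f.component, f.vuln_id)):
        grouped.setdefault(f"{f.component} {f.version}", []).append(f)
    return grouped


def next_ids_to_detail(grouped: dict[str, list[Finding]], limit: int = 3) -> list[str]:
    """Vulnerability IDs to hand to get_vulnerability_details first: highest score,
    each ID listed once even if several components carry it."""
    ranked: list[str] = []
    for f in sorted((f for fs in grouped.values() for f in fs), key=lambda f: -f.score):
        if f.vuln_id not in ranked:
            ranked.append(f.vuln_id)
    return ranked[:limit]


# Constructed sample data shaped like the two Black Duck responses; not real scan output.
# CVE-2021-44228 (Log4Shell) and CVE-2021-45046 are real IDs; CVE-0000-000x are placeholders.
SAMPLE_BOM_STATUS = {"upToDate": True}
SAMPLE_STALE_BOM_STATUS = {"upToDate": False}


def _vc(component, version, vuln_id, severity, score, status="NEW"):
    return {"componentName": component, "componentVersionName": version,
            "vulnerabilityWithRemediation": {"vulnerabilityName": vuln_id, "severity": severity,
                                             "overallScore": score, "remediationStatus": status}}


SAMPLE_VULNERABLE_COMPONENTS = [
    _vc("Apache Log4j", "2.14.1", "CVE-2021-44228", "CRITICAL", 10.0),
    _vc("Apache Log4j", "2.14.1", "CVE-2021-45046", "CRITICAL", 9.0),
    _vc("example-lib", "1.2.3", "CVE-0000-0001", "HIGH", 7.5, status="IGNORED"),
    _vc("example-lib", "1.2.3", "CVE-0000-0002", "MEDIUM", 5.3),
    _vc("other-lib", "4.0.0", "CVE-0000-0003", "HIGH", 8.1),
]

if __name__ == "__main__":
    report = triage(SAMPLE_BOM_STATUS, SAMPLE_VULNERABLE_COMPONENTS)
    for group, findings in report.items():
        print(group)
        for f in findings:
            print(f"  {f.vuln_id:16} {f.severity:8} {f.score:4.1f} {f.status}")
    print("detail first:", next_ids_to_detail(report))
```

Run it directly to print the grouped report. The hard stop on a stale BOM is deliberate: a current-looking vulnerability list built on an old BOM is exactly the gap the third tradeoff describes. The resolved-status set is a local policy choice; if your team treats IGNORED findings as needing periodic re-review, take that status out of the set.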
When It Fits, When It Doesn't
Use this MCP if your primary need is deep, structured security data about code dependencies and licensing. You need to audit history, check specific policy adherence (list_policy_rules), or validate a build's compliance status using get_bom_status. Don't use it if you just want general team communication (use a messaging MCP) or simple file retrieval (use a document storage tool). If your only goal is to find out what projects exist, running list_projects is the starting point. But for actual security intelligence, this is your core source.
Common Questions About Black Duck MCP
How do I check if my BOM is ready using get_bom_status?
You run get_bom_status for the project version and it tells you whether the BOM calculation is current. If it is not reported as up to date, the vulnerability and policy data derived from it may be stale, so rescan and re-check before relying on it for a deployment decision.
Which tool should I use to see all my projects?
Use list_projects. It returns a complete list of every managed project. If you need more detail on one, follow up with get_project using the returned name or ID.
Can I find out why a specific vulnerability exists?
Yes, use get_vulnerability_details. You feed it the CVE or vulnerability ID and it pulls the technical write-up and severity rating; combine it with the list_vulnerabilities output to see which component and version introduced it.
I need to see all policies. Should I use list_policy_rules?
Yes, list_policy_rules is your go-to tool. It gives you a comprehensive rundown of every security rule currently active within the system.
How do I use `list_users` to audit who has access?
It provides a full list of all Black Duck users configured in your instance. Use it as the inventory for an access review; it is a read-only listing, so confirm each account's roles and group membership in Black Duck before concluding what that account can read or change.
I need comprehensive metadata for one project; what does `get_project` provide?
get_project returns detailed information about a single software asset. This includes overall status, associated compliance details, and key identifiers beyond just the name.
I know vulnerabilities exist for my project; how do I pinpoint where they came from using `list_code_locations`?
list_code_locations returns the scan locations (paths or build artifacts that were scanned) mapped to your project versions. That tells you which scans fed the BOM containing the vulnerable component, so you know which repository or artifact to fix and rescan; it does not by itself point at an individual source file.
Before running vulnerability checks, how do I use `list_project_versions` to see all available versions?
list_project_versions fetches an exhaustive list of every version recorded for a specific project. This ensures you are checking the security status against the correct build number.
Use it with your favorite AI tools
Connect this server to Cursor, Claude, VS Code, and more.