Black Duck (Synopsys) MCP. Audit code dependencies and compliance status instantly.
Just plug in your AI agents and start using Vinkius.
Black Duck (Synopsys) MCP Server. Automate open source security and license compliance. List projects, track vulnerabilities (CVEs), and audit Bill of Materials (BOM) status directly from your AI client.
Get detailed metadata, scan history, and policy rule summaries without leaving your code editor.
What your AI agents can do
Get bom status
Checks if a project's Bill of Materials calculation is current for a specific version.
Get project
Retrieves core details about a specific software project.
Get vulnerability details
Gets detailed information for a specific CVE or vulnerability entry.
Retrieves core metadata for a specific software project.
Generates a list of every version associated with a given project.
Provides a complete list of all managed software projects in the instance.
Filters the list of projects using a partial name search.
Retrieves a complete list of defined security policies for auditing.
Determines if a project's Bill of Materials calculations are current and ready for compliance review.
Pulls detailed information on a specific Common Vulnerabilities and Exposures (CVE) entry.
Black Duck (Synopsys) MCP Server: 10 Tools for Security Audits
These tools let your AI client audit project metadata, track vulnerabilities, and check compliance status across your entire codebase.
get_bom_status
Checks if a project's Bill of Materials calculation is current for a specific version.
get_project
Retrieves core details about a specific software project.
get_vulnerability_details
Gets detailed information for a specific CVE or vulnerability entry.
list_code_locations
Lists all physical locations within the code that were scanned.
list_policy_rules
Retrieves the full set of security policy rules defined in the organization.
list_project_versions
Lists every known version for a specified project.
list_projects
Lists all projects managed within the Black Duck instance.
list_users
Retrieves a list of all user accounts within the platform.
list_vulnerabilities
Lists all known vulnerabilities for a project version.
search_projects
Searches for projects using a partial name match.
Choose How to Get Started
Build a custom MCP for your own tools, or connect a ready-made integration from our catalog.
Build Your Own
Turn any API into an MCP. Import a spec, define Agent Skills, or deploy with MCPFusion.
- Import from OpenAPI, Swagger, or YAML specs
- Create Agent Skills with progressive disclosure
- Deploy to edge with MCPFusion framework
- Built in DLP, auth, and compliance on every call
- Real time usage dashboard and cost metering
- Publish to catalog or keep private
Make Your AI Do More
Start with Black Duck (Synopsys), then connect any of our 4,700+ other servers whenever your AI needs more. One click, no limits.
- Use this MCP plus 4,700+ others, all in one place
- Add new capabilities to your AI anytime you want
- Every connection is secured and compliant automatically
- Track usage and costs across all your servers
- Works with Claude, ChatGPT, Cursor, and more
- New servers added to the catalog every week
What you can do with this MCP connector
You'll use this server to automate open source security and license compliance checks right from your AI client. It lets you audit your codebase and track dependencies. You'll get access to core project details, list every version a project has, and list all Black Duck projects in the instance. You can also search for projects using a partial name match.
To keep tabs on compliance, you'll check if a project's Bill of Materials calculation is current for a specific version. You can pull detailed information for a specific Common Vulnerabilities and Exposures (CVE) entry. The platform lets you list all security policy rules defined for auditing, and you'll find a list of all known vulnerabilities for a project version.
You'll see a list of all user accounts within the platform. You can also list all physical locations within the code that were scanned.
How Black Duck (Synopsys) MCP Works
1. Subscribe to the server, then enter your Black Duck Instance URL and API Token.
2. Your AI agent connects and authorizes the connection to your Black Duck instance.
3. You prompt the agent with a request (e.g., 'List vulnerabilities for project X, version Y.') and get the detailed security report back.
The bottom line is, you run deep security audits and compliance checks via natural language prompts, without needing to navigate the Black Duck UI.
Who Is Black Duck (Synopsys) MCP For?
Security Engineers who spend hours manually exporting vulnerability data. Developers who need to check dependency risk without switching IDE tabs. Compliance Officers who need periodic, auditable summaries of BOM status and policy adherence. This tool cuts out the dashboard clicking.
Uses the agent to quickly audit vulnerabilities across multiple projects, pulling reports that would otherwise require manual dashboard exports.
Checks the security status of project dependencies directly from the code editor, getting immediate feedback on CVEs.
Retrieves summarized policy rule lists and BOM statuses to prepare for scheduled regulatory reporting.
What Changes When You Connect
- Automate vulnerability checks. Instead of manually exporting CVE data, use `list_vulnerabilities` to query a project version and get a clean list of known flaws and their severity.
- Verify compliance status instantly. Run `get_bom_status` to check if the Bill of Materials is 'UP_TO_DATE', eliminating manual checks needed for audit readiness.
- Scope your search quickly. If you know the project name, use `search_projects` instead of sifting through hundreds of entries with `list_projects`.
- Audit access control. Use `list_users` and `list_policy_rules` to pull user profiles and security rules in bulk. This saves hours of clicking through the administration panel.
- Trace code origins. `list_code_locations` tells you exactly where in the repository a scan found a dependency, which is critical for pinpointing remediation efforts.
- Get deep vulnerability context. Don't just know a CVE exists; use `get_vulnerability_details` to pull the full technical report for that specific vulnerability.
Real-World Use Cases
Responding to a critical zero-day alert
An engineer gets a zero-day warning. Instead of navigating to the dashboard and filtering by dependency, they ask their agent to list_vulnerabilities for the target project's latest version. The agent instantly returns all affected CVEs, allowing the team to scope the impact in minutes.
Preparing for a quarterly compliance audit
A compliance officer needs to prove the software supply chain is current. They ask the agent to get_bom_status for the main product line and then run list_policy_rules to show auditors that the organization's rules are consistently applied across all projects.
Checking a new developer's dependency risk
A new developer finishes a module and needs a security check. They prompt the agent to get_project using the module name. The agent returns the project's metadata, giving the developer an immediate, actionable risk profile before merging code.
Auditing user access post-merger
After a team merger, an administrator needs to confirm access control. They ask the agent to list_users and then use list_policy_rules to confirm that the necessary roles and permissions are correctly mapped across the entire organization.
The Tradeoffs
Using only the UI dashboard
Manually clicking through Project -> Versions -> Vulnerabilities, then exporting 10 separate CSV files for a full audit.
→
Use the agent to chain calls: First, call list_project_versions for the project. Then, iterate through the results and call list_vulnerabilities for each version. This automates the data collection process.
Guessing the project scope
A developer assumes all related microservices are listed in one place and manually checks them one by one.
→
Start by running list_projects to get a comprehensive list of all managed services. Then, use search_projects to narrow the scope quickly when you know a partial name.
Missing the policy context
A developer fixes a vulnerability but doesn't know if the fix meets the corporate standard, so they skip the policy check.
→
After finding a vulnerability using get_vulnerability_details, immediately call list_policy_rules to confirm the remediation plan adheres to current security policy guidelines.
When It Fits, When It Doesn't
Use this server if your security process requires repeatable, verifiable data extraction from Black Duck. You need to run structured audits (like checking BOM status or listing all users) and get the results back into a conversation. Don't use this if you just need a simple visualization or a basic report that doesn't require API calls. If you only need to see if a single project is vulnerable, you can do that manually, but if you need to check all projects and their full version history, this server is necessary. The key is the ability to chain tools—using list_projects to feed data into list_project_versions, and so on.
Independent Platform Disclaimer: Vinkius is an independent platform and is not affiliated with, endorsed by, sponsored by, verified by, or otherwise authorized by Black Duck (Synopsys). All third-party trademarks, logos, and brand names are the property of their respective owners. Their use on this website is strictly for informational purposes to identify service compatibility and interoperability.
VINKIUS INFRASTRUCTURE
Cloud Hosted
Managed infra
V8 Isolated
Sandboxed per request
Zero-Trust Proxy
No stored credentials
DLP Enforced
Policy on every call
GDPR Compliant
EU data residency
Token Compression
~60% cost reduction
The Model Context Protocol standardizes how applications expose capabilities to LLMs. Instead of operating in isolation, your AI gains direct access to external platforms, live data, and real-world actions through secure, standardized connections.
This server provides 10 capabilities that interface natively with Claude, ChatGPT, Cursor, and any MCP client. No middleware. No custom integration required.
Available Capabilities
Security audits shouldn't require jumping between five different admin tabs.
Today, auditing dependencies means clicking into the main dashboard, then navigating to the 'Projects' section. From there, you have to select a project, then find its version history, and finally click on the 'Vulnerabilities' tab. If you have fifty projects, you're doing this cycle fifty times, manually copying identifiers along the way.
With the Black Duck MCP Server, you just tell your agent: 'Give me the vulnerability status for all my production projects.' The agent handles the project listing, version checking, and vulnerability querying across the board. You get a unified, structured report in your chat window.
Black Duck (Synopsys) MCP Server: Get project and vulnerability data
The agent eliminates the need to run separate reports for each project. You can ask for the project metadata (`get_project`) and then immediately request the list of vulnerabilities (`list_vulnerabilities`) for that specific project's version. It's a single, continuous audit session.
You don't just get data; you get a complete, traceable audit trail. This means your security team saves hours of manual data aggregation and gets straight to the actionable findings.
Common Questions About Black Duck (Synopsys) MCP
How do I use the get_bom_status tool with Black Duck (Synopsys) MCP Server?
You ask the agent to check the BOM status for a specific project version. The agent runs get_bom_status, which confirms if the Bill of Materials is calculated and up-to-date for compliance reporting.
Can I find all vulnerabilities for a project version using list_vulnerabilities?
Yes. The list_vulnerabilities tool takes the project version as input and returns a comprehensive list of all known CVEs associated with that project version.
What is the best way to list all projects using list_projects?
Simply ask the agent to 'List all projects.' The list_projects tool returns the full directory of every Black Duck project in your instance, giving you a starting point for any audit.
How do I find a specific CVE using get_vulnerability_details?
Provide the CVE ID and the tool runs get_vulnerability_details. It returns the technical details, severity, and impact assessment for that specific vulnerability.
Can I check security policies using list_policy_rules?
Yes. The list_policy_rules tool retrieves a complete list of all security policies defined in your organization, allowing you to audit compliance rules.
How do I list all user profiles and manage access with list_users?
You use list_users to retrieve all user profiles within Black Duck. This tool helps you audit who has access and manage credentials across your organization's code dependencies.
What information can I get about a specific project using get_project?
The get_project tool returns detailed metadata for a single project. You can use this to confirm project IDs, check its overall status, and verify its scope before running deeper scans.
Can I see all code locations that were scanned using list_code_locations?
Yes, list_code_locations retrieves every physical location where your code was scanned. This lets you track security coverage and see exactly where vulnerabilities were found across different repositories.
Can I check for critical vulnerabilities in a specific project version?
Yes! Use the list_vulnerabilities tool with the Project and Version IDs. Your agent will fetch the list of components with known security flaws and their severity levels.
How do I know if my Black Duck scan is finished?
Simply ask the agent to get_bom_status for the specific project version. It will return the current calculation status, showing if the BOM is 'Up to date' or still processing.
What happens if I trigger API rate limits?
Black Duck limits connections to 100 requests per 10 seconds or 10,000 per 30 minutes. If you exceed this sustained load protection, you will temporarily receive an HTTP 429 error code restricting your IP for 15 minutes.