Automate with Sonatype Guide

The sections below provide guidance to help you connect your AI coding environment and development tools to Sonatype’s trusted open-source intelligence.

Note

Sonatype Guide is currently in Preview; features are still rapidly evolving.

Sonatype MCP Server

The Sonatype MCP Server extends Sonatype Guide’s automation capabilities by connecting AI coding assistants to Sonatype’s open-source intelligence. With the MCP Server configured, your coding assistant can evaluate dependencies as you work. This integration ensures that automated recommendations remain accurate, compliant, and consistent across IDEs and AI assistants.

What Can You Do with Sonatype MCP Server?

Sonatype MCP Server provides three powerful tools for AI assistants:

  • getComponentVersion - Gets component information about a specific version of a component

  • getLatestComponentVersion - Gets component information about the latest version of a component

  • getRecommendedComponentVersions - Gets a set of recommended versions to upgrade to based on the current version of a component. If no version is provided, gets a set of recommended versions to start with for the component

With these tools, you can use Sonatype MCP Server and your preferred AI assistant to do the following:

  • Research a specific component version – Use getComponentVersion to retrieve detailed information about a particular version of a component. Your AI assistant can display metadata such as release date, license, known vulnerabilities, and dependency relationships.

  • Check for the most recent version – Use getLatestComponentVersion to identify the latest available release of a component. This helps ensure your projects stay up to date with the most secure, stable, and actively maintained versions.

  • Get upgrade recommendations – Use getRecommendedComponentVersions to receive curated upgrade options based on Sonatype’s data. The AI assistant can suggest optimal versions that minimize breaking changes, improve security posture, or align with your organization’s policies.

Supported IDEs and AI Assistants

Sonatype MCP Server supports the following IDEs/AI assistants:

  • Gemini Code Assist

  • Claude Code

  • VS Code Copilot

  • Windsurf

  • IntelliJ with Junie

  • Kiro

  • Cursor

Setup Instructions

The Sonatype MCP Server runs as a remote MCP server. Follow the setup instructions for your IDE or AI assistant as detailed in the sections below.

Prerequisites

For IDEs or tools that only support stdio MCP servers (e.g., IntelliJ), install mcp-remote with the following command before proceeding:

npm install -g mcp-remote

Gemini Code Assist

{
  "mcpServers": {
    "discoveredServer": {
      "httpUrl": "http://mcp.guide.sonatype.com/mcp"
    }
  }
}

Claude Code

Add the server using the Claude CLI:

claude mcp add --transport http --scope user sonatype-mcp http://mcp.guide.sonatype.com/mcp

VS Code Copilot

Add the following to your global VS Code mcp.json or create a .vscode/mcp.json in your workspace:

{
  "servers": {
    "sonatype-mcp": {
      "url": "http://mcp.guide.sonatype.com/mcp",
      "type": "http"
    }
  }
}

Windsurf

Create or edit ~/.codeium/windsurf/mcp_config.json:

{
  "mcpServers": {
    "sonatype-mcp": {
      "command": "npx",
      "args": [
        "mcp-remote",
        "http://mcp.guide.sonatype.com/mcp"
      ]
    }
  }
}

IntelliJ with Junie

Global Scope: Go to IDE settings > Tools > Junie > MCP Settings. Select "+" and add the code below.

Project Scope: Create .junie/mcp/.mcp.json in your project root and add the code below.

{
  "mcpServers": {
    "sonatype-mcp": {
      "command": "npx",
      "args": [
        "mcp-remote",
        "http://mcp.guide.sonatype.com/mcp"
      ]
    }
  }
}

Kiro

Create or edit ~/.kiro/settings/mcp.json:

{
  "mcpServers": {
    "sonatype-mcp": {
      "command": "npx",
      "args": [
        "mcp-remote",
        "http://mcp.guide.sonatype.com/mcp"
      ]
    }
  }
}

Cursor

Cursor supports remote servers directly. Add to your ~/.cursor/mcp.json:

{
  "mcpServers": {
    "sonatype-mcp": {
      "type": "http",
      "url": "http://mcp.guide.sonatype.com/mcp"
    }
  }
}
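All of the configuration files above point at the same endpoint, and the page gives it with an http:// scheme. The following added example (not part of Sonatype's documentation or tooling) normalises the three config shapes used on this page (httpUrl, url/type, and the mcp-remote stdio wrapper) into one list of server entries and flags any entry whose endpoint is not served over https or whose host is not the one expected; the sample configs are constructed copies of those above, and the expected host is an assumption.

```python
import json
from urllib.parse import urlparse

# Constructed copies of the per-IDE MCP config files shown on this page.
CONFIGS = {
    "vscode": '{"servers": {"sonatype-mcp": {"url": "http://mcp.guide.sonatype.com/mcp", "type": "http"}}}',
    "cursor": '{"mcpServers": {"sonatype-mcp": {"type": "http", "url": "http://mcp.guide.sonatype.com/mcp"}}}',
    "gemini": '{"mcpServers": {"discoveredServer": {"httpUrl": "http://mcp.guide.sonatype.com/mcp"}}}',
    "windsurf": '{"mcpServers": {"sonatype-mcp": {"command": "npx", "args": ["mcp-remote", "http://mcp.guide.sonatype.com/mcp"]}}}',
}

# Assumption: the only host an MCP entry in these files should ever point at.
EXPECTED_HOST = "mcp.guide.sonatype.com"


def normalize(config_text):
    """Return [(name, endpoint_url, transport)] for every server entry,
    whichever of the three schemas on this page the file uses."""
    doc = json.loads(config_text)
    servers = doc.get("mcpServers") or doc.get("servers") or {}
    entries = []
    for name, spec in servers.items():
        if "command" in spec:
            # stdio wrapper (npx mcp-remote <url>): the endpoint is the first URL-like argument
            args = spec.get("args", [])
            url = next((a for a in args if a.startswith(("http://", "https://"))), None)
            entries.append((name, url, "stdio:" + spec["command"]))
        else:
            # direct remote entry: VS Code/Cursor use "url", Gemini uses "httpUrl"
            entries.append((name, spec.get("url") or spec.get("httpUrl"), spec.get("type", "http")))
    return entries


def audit(config_text, expected_host=EXPECTED_HOST):
    """Return (server_name, finding) pairs for plaintext transport or an unexpected host."""
    findings = []
    for name, url, _transport in normalize(config_text):
        if url is None:
            findings.append((name, "no endpoint URL found"))
            continue
        parsed = urlparse(url)
        if parsed.scheme != "https":
            findings.append((name, f"endpoint {url} uses {parsed.scheme}, not https"))
        if parsed.hostname != expected_host:
            findings.append((name, f"unexpected host {parsed.hostname}"))
    return findings


if __name__ == "__main__":
    for ide, text in CONFIGS.items():
        print(ide, audit(text))
```

Run against the four constructed configs, every entry is reported for plaintext http, which is exactly what a reviewer of a checked-in config would want to see called out before an OAuth session is opened through it.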

Authentication

The Sonatype MCP Server uses OAuth 2.0 for secure authentication:

  1. When you first connect to the server through your AI assistant, you'll be prompted to authenticate

  2. You'll be redirected to the Sonatype authentication page

  3. Log in or sign up

  4. Grant the necessary permissions for the MCP server

  5. You'll then be redirected to your IDE or assistant with an active session

Your authentication token is securely stored and automatically refreshed as needed.

Configuring AI Assistant Rules

To maximize the effectiveness of the Sonatype MCP Server, configure your AI assistant to prioritize using Sonatype MCP tools when working with dependencies, packages, or software supply chain security. Below are instructions for each supported IDE or tool.

Claude Code

Create custom instructions using CLAUDE.md files:

Global (all projects): Create ~/.claude/CLAUDE.md

Project (specific repository): Create .claude/CLAUDE.md in your project root

Add the following instruction:

## Sonatype MCP

When handling code related to dependencies, package management, or software supply chain security, always prioritize Sonatype MCP tools. Use the available MCP tools to research versions, check for vulnerabilities, and get recommendations before adding or updating any dependencies.

Cursor

Create a .cursorrules file in your project root:

Project (specific repository): Create .cursorrules in your project root

Add the following instruction:

## Sonatype MCP

When handling code related to dependencies, package management, or software supply chain security, always prioritize Sonatype MCP tools. Use the available MCP tools to research versions, check for vulnerabilities, and get recommendations before adding or updating any dependencies.

VS Code Copilot

Create custom instructions using a .github/copilot-instructions.md file:

Project (specific repository): Create .github/copilot-instructions.md in your project root

Add the following instruction:

## Sonatype MCP

When handling code related to dependencies, package management, or software supply chain security, always prioritize Sonatype MCP tools. Use the available MCP tools to research versions, check for vulnerabilities, and get recommendations before adding or updating any dependencies.

Windsurf

Create rules using Windsurf's Customizations feature:

Global (all projects):

  1. Click the "Rules, Memories & Workflows" icon in the top right of Cascade Code or search Rules in Windsurf Settings

  2. Navigate to "Rules"

  3. Click "+ Global" to create a new global rule

  4. Add the following content:

## Sonatype MCP

When handling code related to dependencies, package management, or software supply chain security, always prioritize Sonatype MCP tools. Use the available MCP tools to research versions, check for vulnerabilities, and get recommendations before adding or updating any dependencies.

Project (specific repository): Follow the instructions for Global but click "+ Workspace" or create .windsurf/rules/sonatype.md in your project root:

## Sonatype MCP

When handling code related to dependencies, package management, or software supply chain security, always prioritize Sonatype MCP tools. Use the available MCP tools to research versions, check for vulnerabilities, and get recommendations before adding or updating any dependencies.

IntelliJ with Junie

Create custom guidelines using a .junie/guidelines.md file:

Project (specific repository): Create .junie/guidelines.md in your project root

Add the following instruction:

## Sonatype MCP

When handling code related to dependencies, package management, or software supply chain security, always prioritize Sonatype MCP tools. Use the available MCP tools to research versions, check for vulnerabilities, and get recommendations before adding or updating any dependencies.

Kiro

Create steering files in the .kiro/steering/ directory:

Project (specific repository): Create .kiro/steering/sonatype.md in your project root

Add YAML front matter to make it always included:

---
inclusion: always
---

## Sonatype MCP

When handling code related to dependencies, package management, or software supply chain security, always prioritize Sonatype MCP tools. Use the available MCP tools to research versions, check for vulnerabilities, and get recommendations before adding or updating any dependencies.

Gemini Code Assist

Create custom instructions using GEMINI.md files:

Global (all projects): Create ~/.gemini/GEMINI.md

Project (specific repository): Create GEMINI.md in your project root

Add the following instruction:

## Sonatype MCP

When handling code related to dependencies, package management, or software supply chain security, always prioritize Sonatype MCP tools. Use the available MCP tools to research versions, check for vulnerabilities, and get recommendations before adding or updating any dependencies.