lynk-mcp Interlynk
```powershell
winget install --id=Interlynk.lynk-mcp -e
```
MCP server for Interlynk API, enabling AI assistants to interact with Lynk organizations for SBOM management, vulnerability tracking, and compliance checking.
MCP server for Interlynk API. This server enables AI assistants like Claude, Cursor, and VS Code Copilot to interact with your Lynk organization for SBOM management, vulnerability tracking, and compliance checking.
```bash
# Install via Homebrew on macOS
brew install --cask interlynk-io/interlynk/lynk-mcp
# Configure your API token
lynk-mcp configure
# Verify connection
lynk-mcp verify
```
Then add to your AI assistant and start asking questions about your SBOMs!
Managing software supply chain security is complex. With lynk-mcp, you can use natural language to:
Once configured with your AI assistant, try these:
"Show me all critical vulnerabilities in my organization"
"List vulnerabilities with KEV (Known Exploited Vulnerabilities) status"
"What vulnerabilities in [product] have a fix available?"
"Which components have the most vulnerabilities?"
"Are any of my products affected by the XZ backdoor (CVE-2024-3094)?"
"Check if my organization is vulnerable to Log4Shell (CVE-2021-44228)"
"Search for any components affected by CVE-2023-44487 (HTTP/2 Rapid Reset)"
"Find all occurrences of OpenSSL vulnerabilities in my SBOMs"
"Generate a security summary for [product] with all critical vulnerabilities"
"Create an executive summary of our vulnerability posture"
"List all components with known vulnerabilities grouped by severity"
"Summarize vulnerability trends between the last two versions"
"Compare the last two versions of [product] and highlight security changes"
"What new vulnerabilities were introduced in the latest version?"
"Show me components that were added or removed between versions"
"Has our security posture improved since the last release?"
"What policies are currently failing for [environment]?"
"Show me all versions that violate security policies"
"List all components using GPL licenses"
"Which products have deprecated licenses?"
"Find all instances of log4j across my organization"
"List all components from [vendor]"
"Show me direct vs transitive dependencies in [version]"
"Which components are missing PURL identifiers?"
```bash
brew install --cask interlynk-io/interlynk/lynk-mcp
```
Homebrew installs update with normal Homebrew workflows:
```bash
brew update
brew upgrade --cask lynk-mcp
```
The release workflow opens a PR against interlynk-io/homebrew-interlynk when a new tag is published.
Download the latest .deb, .rpm, or .apk package from the GitHub releases, then install the package for your distribution:
```bash
# Debian/Ubuntu
sudo dpkg -i lynk-mcp_*_linux_*.deb
# Fedora/RHEL
sudo rpm -Uvh lynk-mcp_*_linux_*.rpm
# Alpine
sudo apk add --allow-untrusted lynk-mcp_*_linux_*.apk
```
Linux packages are built automatically on every release. A hosted apt, yum, or apk repository is not currently published, so package-manager upgrades require installing the newer release package.
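Because these packages are installed straight from a download (and the Alpine command uses `--allow-untrusted`), it is worth checking the file against the checksums published with the release first. The function below is an added example, not part of the lynk-mcp project; it assumes the release's checksum file is named `checksums.txt` and uses the `sha256sum` line format (`<hex>  <filename>`).

```bash
#!/bin/sh
# verify_release_pkg CHECKSUMS_FILE PACKAGE
# Returns 0 only when PACKAGE's SHA-256 equals its entry in CHECKSUMS_FILE,
# 1 on a mismatch, 2 when a file or a unique checksum entry is missing.
verify_release_pkg() {
    sums=$1
    pkg=$2
    name=$(basename "$pkg")
    [ -f "$sums" ] && [ -f "$pkg" ] || { echo "missing file" >&2; return 2; }

    # Exact match on the filename field; tolerate sha256sum's binary-mode
    # "*" prefix. Substring matches are rejected on purpose.
    expected=$(awk -v n="$name" \
        '{ f = $2; sub(/^\*/, "", f); if (f == n) print $1 }' "$sums")
    count=$(printf '%s\n' "$expected" | grep -c . || true)
    if [ "$count" -ne 1 ]; then
        echo "expected one checksum entry for $name, found $count" >&2
        return 2
    fi

    # GNU coreutils ships sha256sum; macOS ships shasum.
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$pkg" | awk '{print $1}')
    else
        actual=$(shasum -a 256 "$pkg" | awk '{print $1}')
    fi

    [ "$actual" = "$expected" ] || {
        echo "checksum mismatch for $name" >&2
        return 1
    }
}

# Usage (file names are placeholders for the files you downloaded):
#   verify_release_pkg checksums.txt lynk-mcp_<version>_linux_<arch>.apk \
#     && sudo apk add --allow-untrusted lynk-mcp_<version>_linux_<arch>.apk
```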
Using Scoop:
```powershell
scoop bucket add interlynk https://github.com/interlynk-io/homebrew-interlynk
scoop install interlynk/lynk-mcp
```
Using winget:
```powershell
winget install Interlynk.lynk-mcp
```
The release workflow opens a PR for the Scoop bucket manifest and a winget package manifest PR when a new tag is published.
```bash
go install github.com/interlynk-io/lynk-mcp/cmd/lynk-mcp@latest
```

```bash
# Pull from GitHub Container Registry
docker pull ghcr.io/interlynk-io/lynk-mcp:latest
# Run with API token
docker run -e LYNK_API_TOKEN=lynk_live_xxx ghcr.io/interlynk-io/lynk-mcp serve
```

```bash
git clone https://github.com/interlynk-io/lynk-mcp.git
cd lynk-mcp
make build
```
The binary is placed in ./build/lynk-mcp. You can run it directly from there, or run make install to install it to $GOPATH/bin (typically ~/go/bin) and use it from anywhere.
Tagged releases publish binaries, archives, checksums, Linux packages, Docker images, and package-manager manifests. The release workflow expects these repository secrets when package-manager publishing is enabled:
| Secret | Purpose |
|---|---|
| INTERLYNK_RELEASE_GITHUB_TOKEN | Opens Homebrew, Scoop, and winget manifest PRs |
| INTERLYNK_RELEASE_SSH_KEY | Pushes signed Homebrew/Scoop PR branches to interlynk-io/homebrew-interlynk |
| INTERLYNK_RELEASE_GPG_PRIVATE_KEY | Imports the release signing key used for tap commits |
| INTERLYNK_RELEASE_GPG_PASSPHRASE | Unlocks the release signing key |
The public key for INTERLYNK_RELEASE_GPG_PRIVATE_KEY must be uploaded to the GitHub account that owns the interlynk-support-bot commit identity so GitHub marks tap PR commits as verified. See Release Distribution for the shared release model used across Interlynk OSS tools.
```bash
lynk-mcp configure
```
This prompts for:
lynk_live_*, lynk_staging_*, lynk_test_*, or lynk_service_test_*)

The token is stored securely in your system keychain.
```bash
lynk-mcp verify
```
Stored in ~/.lynk-mcp/config.yaml:
```yaml
api:
  endpoint: "https://api.interlynk.io/lynkapi"
  timeout: 30s
logging:
  level: "info"
```
| Variable | Description |
|---|---|
| LYNK_API_TOKEN | API token (alternative to keychain) |
| LYNK_MCP_API_ENDPOINT | Override API endpoint |
| LYNK_MCP_LOGGING_LEVEL | Logging level (debug, info, warn, error) |
Add to your config file:
macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
Windows: %APPDATA%\Claude\claude_desktop_config.json
Linux: ~/.config/Claude/claude_desktop_config.json
```json
{
  "mcpServers": {
    "lynk": {
      "command": "lynk-mcp",
      "args": ["serve"]
    }
  }
}
```
```bash
claude mcp add lynk -- lynk-mcp serve
```
Or add to ~/.claude/settings.json:
```json
{
  "mcpServers": {
    "lynk": {
      "command": "lynk-mcp",
      "args": ["serve"]
    }
  }
}
```
Add to settings.json or .vscode/mcp.json:
```json
{
  "mcp": {
    "servers": {
      "lynk": {
        "command": "lynk-mcp",
        "args": ["serve"]
      }
    }
  }
}
```
Add to ~/.cursor/mcp.json:
```json
{
  "mcpServers": {
    "lynk": {
      "command": "lynk-mcp",
      "args": ["serve"]
    }
  }
}
```
Add to ~/.config/zed/settings.json:
```json
{
  "context_servers": {
    "lynk": {
      "command": {
        "path": "lynk-mcp",
        "args": ["serve"]
      }
    }
  }
}
```
```json
{
  "mcpServers": {
    "lynk": {
      "command": "docker",
      "args": ["run", "-i", "--rm", "-e", "LYNK_API_TOKEN=lynk_live_xxx", "ghcr.io/interlynk-io/lynk-mcp", "serve"]
    }
  }
}
```
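The Docker configuration above writes the API token into the client config file in plain text, unlike `lynk-mcp configure`, which keeps it in the system keychain. The functions below are an added example, not part of the lynk-mcp project: they scan the client config locations named on this page for the token prefixes listed under `lynk-mcp configure`. The character set after the prefix is an assumption.

```bash
#!/bin/sh
# Added example: find Lynk API tokens written inline in MCP client configs.
# Prefixes are the token formats listed on this page; the character set
# after the prefix is an assumption.
LYNK_TOKEN_RE='lynk_(live|staging|test|service_test)_[A-Za-z0-9_-]+'

# scan_mcp_config FILE
# Prints "FILE:LINE: inline Lynk API token" per hit and never echoes the
# token itself. Returns 0 if the file is clean or absent, 1 on any hit.
scan_mcp_config() {
    file=$1
    [ -f "$file" ] || return 0
    hits=$(grep -nE "$LYNK_TOKEN_RE" "$file" | cut -d: -f1)
    [ -n "$hits" ] || return 0
    for line in $hits; do
        printf '%s:%s: inline Lynk API token\n' "$file" "$line"
    done
    return 1
}

# scan_all: check every client config location named on this page
# (the Windows %APPDATA% path is left out of this POSIX sketch).
scan_all() {
    rc=0
    for f in \
        "$HOME/Library/Application Support/Claude/claude_desktop_config.json" \
        "$HOME/.config/Claude/claude_desktop_config.json" \
        "$HOME/.claude/settings.json" \
        "$HOME/.cursor/mcp.json" \
        "$HOME/.config/zed/settings.json" \
        ".vscode/mcp.json"
    do
        scan_mcp_config "$f" || rc=1
    done
    return "$rc"
}

# Usage: scan_all || echo "token found in a client config file"
```

The placeholder `lynk_live_xxx` is reported as well, which is intended: any hit marks a config that would hold a real token in the same place.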
| Tool | Description |
|---|---|
| get_organization | Get current organization information including metrics |
| list_products | List all products in the organization |
| get_product | Get details of a specific product including its environments |
| list_environments | List environments within a product |
| get_environment | Get details of a specific environment |
list_products supports cursor pagination with limit and after. Responses include hasMore and endCursor; pass endCursor as after to fetch the next page.
Product responses include lightweight repository import metadata when available. list_products also includes a compact Jira defaults summary; get_product, list_environments, and get_environment include per-environment jiraDefaults without invoking the heavier ticketing status scan.
| Tool | Description |
|---|---|
| list_versions | List versions in an environment |
| get_version | Get version details with statistics |
| find_version | Find versions by exact version string with optional product/environment disambiguation |
| download_sbom | Download SBOM content with configurable format, vulnerabilities, files, lite/original, support status, and latest-version lookup |
| compare_versions | Compare two versions and show drift analysis |
get_version can include a per-component vulnerability summary with include_component_vuln_summary=true. download_sbom returns ready, processing status, filename/content type, content length, and content unless include_content=false; provide version_id directly or product/environment details to resolve the latest version.
| Tool | Description |
|---|---|
| list_doctor_results | List SBOM Doctor findings for a version |
| Tool | Description |
|---|---|
| list_components | List components in a version |
| get_component | Get component details |
| update_component | Update component metadata; requires confirm=true |
| update_component_supplier | Update component supplier metadata; requires confirm=true |
| Tool | Description |
|---|---|
| list_vulnerabilities | List vulnerabilities in a version with optional filters |
| get_vulnerability | Get vulnerability details by CVE or UUID |
| search_vulnerabilities | Search across all products |
list_vulnerabilities supports cursor pagination with limit and after. Responses include hasMore and endCursor; pass endCursor as after to fetch the next page.
list_vulnerabilities can filter a version by component_id or exact component purl. search_vulnerabilities can filter across the organization by component_id, component_ids, or exact purl, and supports after/endCursor pagination.
Vulnerability responses include both fixedIn and fixedVersions; prefer fixedVersions when present because it is structured.
Vulnerability responses include customFieldAttributes when component vulnerability custom fields are present. Each attribute includes its value, field definition ID, and definition metadata such as displayName, internalName, and fieldType.
| Tool | Description |
|---|---|
| list_vex_statuses | List VEX statuses with UUIDs for CVE triage |
| list_vex_justifications | List VEX justifications with UUIDs for CVE triage |
| update_component_vex | Update VEX data for a component vulnerability; requires confirm=true |
| bulk_update_component_vex | Update VEX data for multiple component vulnerabilities with one shared payload; requires confirm=true |
Use component_vuln_custom_field_attributes on update_component_vex or bulk_update_component_vex to update custom VEX fields. Pass componentVulnCustomFieldDefinitionId and value to set a field, include id when updating an existing attribute, or pass _destroy: true with id to remove one.
| Tool | Description |
|---|---|
| list_security_incidents | List supply-chain security incidents visible to the current organization |
| get_security_incident | Get a supply-chain security incident, including markers and impact state |
| create_security_incident | Create a draft security incident; requires operator permissions and confirm=true |
| update_security_incident | Update editable security incident fields; requires operator permissions and confirm=true |
| add_security_incident_markers | Add markers to a security incident; requires confirm=true |
| withdraw_security_incident_markers | Withdraw active markers and resolve related active findings; requires confirm=true |
| publish_security_incident | Publish a draft incident and queue the initial impact scan; requires confirm=true |
| resolve_security_incident | Resolve an active security incident; requires confirm=true |
| archive_security_incident | Archive a security incident; requires confirm=true |
| create_security_incident_update | Add a timeline update to a security incident; requires operator permissions and confirm=true |
| get_security_incident_findings | Get customer-facing findings for a security incident in the current organization |
| suppress_security_incident_finding | Suppress a security incident finding; requires confirm=true and a reason |
| rerun_security_incident_impact_scan | Queue impact scanning for an active or resolved incident; requires confirm=true |
| dry_run_security_incident_impact_scan | Queue a dry-run impact scan for an incident; requires confirm=true |
| get_security_incident_dry_run_result | Get latest dry-run impact scan results |
| Tool | Description |
|---|---|
| list_policies | List security policies |
| get_policy | Get policy details with rules |
| list_policy_violations | List policy evaluation results |
| Tool | Description |
|---|---|
| get_ticketing_status | Get ticketing provider connection and policy application status |
get_ticketing_status supports independent cursors for products, policies, and created-ticket scans with products_after, policies_after, and ticket_links_after. Responses include productsEndCursor, policiesEndCursor, and ticketsEndCursor. Set include_created_tickets=false for configuration-only lookups that should skip the component vulnerability ticket-link scan.
| Tool | Description |
|---|---|
| list_licenses | List licenses with filtering |
| Resource URI | Description |
|---|---|
| version:///{version_id} | Complete version information |
| version:///{version_id}/components | All components in a version |
| version:///{version_id}/vulnerabilities | All vulnerabilities in a version |
| version:///{version_id}/doctor-results | SBOM Doctor findings for a version |
| environment:///{environment_id}/latest-version | Most recent version |
| organization:///summary | Organization overview |
| vulnerability:///{cve_id} | Vulnerability details by CVE |
```bash
make build      # Build for current platform
make install    # Build and install to $GOPATH/bin
make build-all  # Build for all platforms
make test       # Run tests
make lint       # Run linter
```
```
lynk-mcp/
├── cmd/lynk-mcp/       # CLI entry point
├── internal/
│   ├── api/            # High-level API client
│   ├── config/         # Configuration and keyring
│   ├── graphql/        # GraphQL client and queries
│   └── mcp/            # MCP server implementation
├── Dockerfile          # Multi-platform container build
├── go.mod
├── Makefile
└── README.md
```
Apache License 2.0
Made with care by Interlynk.io