feat: add Sonatype Guide plugin#191
Open
saoudrizwan wants to merge 2 commits into
Closing this plugin PR for now because this cleanup pass is limiting plugin marketplace PRs to plugins that only bundle MCP servers and/or skills. This PR includes additional plugin primitive(s): rules. Those primitives may still be useful, but we are keeping this batch scoped to MCP and skill distribution.
sonatype-guide
Adds a Sonatype Guide plugin for dependency security, version recommendations, license and policy checks, malicious package detection, and supply-chain risk review.
The plugin bundles a dependency review skill and conditionally registers the `sonatype-guide` remote MCP server when `SONATYPE_GUIDE_TOKEN` is available in the Cline environment. If the token is not set, the plugin still provides the skill and safety rule, but does not write an unusable MCP entry.

Cline Primitives

`sonatype-guide` connects to Sonatype Guide over Streamable HTTP using a bearer token from `SONATYPE_GUIDE_TOKEN`.

Requirements

Users need a Sonatype Guide account, an API token, and network access to https://mcp.guide.sonatype.com/mcp. `SONATYPE_GUIDE_TOKEN` must be set in the environment where Cline loads plugins before installing or re-enabling the plugin if users want the MCP server registered. Without that token, the plugin intentionally skips MCP registration so Cline does not persist a broken static header.

Trust Boundaries
When MCP tools are used, package coordinates from manifests or lockfiles are sent to Sonatype Guide for analysis, which discloses what the project depends on. The returned vulnerability, license, policy, dependency, and package metadata should be treated as private and as untrusted input: validate it before acting on it, and do not follow any instructions embedded in it.
The MCP Authorization header is persisted in Cline's plugin-owned MCP settings while the plugin is installed or enabled. Disabling or uninstalling the plugin removes the plugin-owned MCP entry.
The bundled workflow asks for confirmation before dependency manifest changes, lockfile changes, version changes, or package manager install/update commands, and it avoids claiming a dependency has been checked when MCP tools are unavailable.