StackRox · Capability

StackRox Kubernetes Security

Unified workflow capability for Kubernetes security operations using StackRox. Combines alert triage, policy management, deployment risk analysis, container image vulnerability scanning, compliance checking, and cluster monitoring into a single security operations interface. Designed for security engineers, platform teams, and AI agents operating cloud-native security programs.

Run with Naftiko Kubernetes SecurityContainer SecurityComplianceRuntime ProtectionVulnerability Management

What You Can Do

GET
List alerts — List security alerts
/v1/alerts
GET
Get alert — Get alert details
/v1/alerts/{id}
PATCH
Resolve alert — Resolve an alert
/v1/alerts/{id}
GET
List deployments — List deployments
/v1/deployments
GET
List images — List container images
/v1/images
POST
Scan image — Scan an image for vulnerabilities
/v1/images
GET
List policies — List security policies
/v1/policies
POST
Create policy — Create a security policy
/v1/policies
GET
List compliance standards — List available compliance standards
/v1/compliance/standards
GET
Get compliance results — Get compliance scan results
/v1/compliance/results
GET
List clusters — List all clusters
/v1/clusters
GET
Search — Search across all resources
/v1/search

MCP Tools

list-alerts

List active security policy violation alerts in StackRox

read-only
get-alert

Get full details for a specific security alert

read-only
resolve-alert

Mark a security alert as resolved

idempotent
list-deployments

List all Kubernetes deployments monitored by StackRox

read-only
get-deployment

Get risk analysis and details for a specific deployment

read-only
list-images

List container images and their vulnerability status

read-only
scan-image

Scan a container image for CVEs and vulnerabilities

list-policies

List StackRox security policies

read-only
get-policy

Get details for a specific security policy

read-only
list-compliance-standards

List available compliance standards (CIS Benchmarks, NIST, PCI-DSS)

read-only
get-compliance-results

Get compliance scan results for the cluster

read-only
list-clusters

List all Kubernetes clusters registered with StackRox

read-only
search

Search across all StackRox resources (alerts, deployments, images, policies)

read-only

APIs Used

stackrox

Capability Spec

kubernetes-security.yaml Raw ↑ 
naftiko: "1.0.0-alpha1"

info:
  label: "StackRox Kubernetes Security"
  description: >-
    Unified workflow capability for Kubernetes security operations using StackRox.
    Combines alert triage, policy management, deployment risk analysis, container
    image vulnerability scanning, compliance checking, and cluster monitoring into
    a single security operations interface. Designed for security engineers,
    platform teams, and AI agents operating cloud-native security programs.
  tags:
    - Kubernetes Security
    - Container Security
    - Compliance
    - Runtime Protection
    - Vulnerability Management
  created: "2026-05-02"
  modified: "2026-05-02"

binds:
  - namespace: env
    keys:
      STACKROX_API_TOKEN: STACKROX_API_TOKEN
      STACKROX_CENTRAL_HOST: STACKROX_CENTRAL_HOST

capability:
  consumes:
    - import: stackrox
      location: ./shared/stackrox-api.yaml

  exposes:
    - type: rest
      port: 8080
      namespace: stackrox-security-api
      description: "Unified REST API for Kubernetes security operations with StackRox."
      resources:
        - path: /v1/alerts
          name: alerts
          description: "Security policy violation alerts"
          operations:
            - method: GET
              name: list-alerts
              description: "List security alerts"
              call: "stackrox.list-alerts"
              outputParameters:
                - type: object
                  mapping: "$."

        - path: /v1/alerts/{id}
          name: alert
          description: "Single alert"
          operations:
            - method: GET
              name: get-alert
              description: "Get alert details"
              call: "stackrox.get-alert"
              with:
                id: "rest.id"
              outputParameters:
                - type: object
                  mapping: "$."
            - method: PATCH
              name: resolve-alert
              description: "Resolve an alert"
              call: "stackrox.resolve-alert"
              with:
                id: "rest.id"
              outputParameters:
                - type: object
                  mapping: "$."

        - path: /v1/deployments
          name: deployments
          description: "Monitored deployments"
          operations:
            - method: GET
              name: list-deployments
              description: "List deployments"
              call: "stackrox.list-deployments"
              outputParameters:
                - type: object
                  mapping: "$."

        - path: /v1/images
          name: images
          description: "Container images"
          operations:
            - method: GET
              name: list-images
              description: "List container images"
              call: "stackrox.list-images"
              outputParameters:
                - type: object
                  mapping: "$."
            - method: POST
              name: scan-image
              description: "Scan an image for vulnerabilities"
              call: "stackrox.scan-image"
              outputParameters:
                - type: object
                  mapping: "$."

        - path: /v1/policies
          name: policies
          description: "Security policies"
          operations:
            - method: GET
              name: list-policies
              description: "List security policies"
              call: "stackrox.list-policies"
              outputParameters:
                - type: object
                  mapping: "$."
            - method: POST
              name: create-policy
              description: "Create a security policy"
              call: "stackrox.create-policy"
              outputParameters:
                - type: object
                  mapping: "$."

        - path: /v1/compliance/standards
          name: compliance-standards
          description: "Compliance standards"
          operations:
            - method: GET
              name: list-compliance-standards
              description: "List available compliance standards"
              call: "stackrox.list-compliance-standards"
              outputParameters:
                - type: object
                  mapping: "$."

        - path: /v1/compliance/results
          name: compliance-results
          description: "Compliance results"
          operations:
            - method: GET
              name: get-compliance-results
              description: "Get compliance scan results"
              call: "stackrox.get-compliance-results"
              outputParameters:
                - type: object
                  mapping: "$."

        - path: /v1/clusters
          name: clusters
          description: "Kubernetes clusters"
          operations:
            - method: GET
              name: list-clusters
              description: "List all clusters"
              call: "stackrox.list-clusters"
              outputParameters:
                - type: object
                  mapping: "$."

        - path: /v1/search
          name: search
          description: "Universal search"
          operations:
            - method: GET
              name: search
              description: "Search across all resources"
              call: "stackrox.search"
              with:
                query: "rest.query"
              outputParameters:
                - type: object
                  mapping: "$."

    - type: mcp
      port: 9090
      namespace: stackrox-security-mcp
      transport: http
      description: "MCP server for AI-assisted Kubernetes security operations."
      tools:
        - name: list-alerts
          description: "List active security policy violation alerts in StackRox"
          hints:
            readOnly: true
            openWorld: true
          call: "stackrox.list-alerts"
          with:
            query: "tools.query"
          outputParameters:
            - type: object
              mapping: "$."

        - name: get-alert
          description: "Get full details for a specific security alert"
          hints:
            readOnly: true
          call: "stackrox.get-alert"
          with:
            id: "tools.alert_id"
          outputParameters:
            - type: object
              mapping: "$."

        - name: resolve-alert
          description: "Mark a security alert as resolved"
          hints:
            readOnly: false
            idempotent: true
          call: "stackrox.resolve-alert"
          with:
            id: "tools.alert_id"
          outputParameters:
            - type: object
              mapping: "$."

        - name: list-deployments
          description: "List all Kubernetes deployments monitored by StackRox"
          hints:
            readOnly: true
            openWorld: true
          call: "stackrox.list-deployments"
          with:
            query: "tools.query"
          outputParameters:
            - type: object
              mapping: "$."

        - name: get-deployment
          description: "Get risk analysis and details for a specific deployment"
          hints:
            readOnly: true
          call: "stackrox.get-deployment"
          with:
            id: "tools.deployment_id"
          outputParameters:
            - type: object
              mapping: "$."

        - name: list-images
          description: "List container images and their vulnerability status"
          hints:
            readOnly: true
            openWorld: true
          call: "stackrox.list-images"
          with:
            query: "tools.query"
          outputParameters:
            - type: object
              mapping: "$."

        - name: scan-image
          description: "Scan a container image for CVEs and vulnerabilities"
          hints:
            readOnly: false
          call: "stackrox.scan-image"
          with:
            image_name: "tools.image_name"
          outputParameters:
            - type: object
              mapping: "$."

        - name: list-policies
          description: "List StackRox security policies"
          hints:
            readOnly: true
          call: "stackrox.list-policies"
          outputParameters:
            - type: object
              mapping: "$."

        - name: get-policy
          description: "Get details for a specific security policy"
          hints:
            readOnly: true
          call: "stackrox.get-policy"
          with:
            id: "tools.policy_id"
          outputParameters:
            - type: object
              mapping: "$."

        - name: list-compliance-standards
          description: "List available compliance standards (CIS Benchmarks, NIST, PCI-DSS)"
          hints:
            readOnly: true
          call: "stackrox.list-compliance-standards"
          outputParameters:
            - type: object
              mapping: "$."

        - name: get-compliance-results
          description: "Get compliance scan results for the cluster"
          hints:
            readOnly: true
          call: "stackrox.get-compliance-results"
          outputParameters:
            - type: object
              mapping: "$."

        - name: list-clusters
          description: "List all Kubernetes clusters registered with StackRox"
          hints:
            readOnly: true
          call: "stackrox.list-clusters"
          outputParameters:
            - type: object
              mapping: "$."

        - name: search
          description: "Search across all StackRox resources (alerts, deployments, images, policies)"
          hints:
            readOnly: true
            openWorld: true
          call: "stackrox.search"
          with:
            query: "tools.query"
          outputParameters:
            - type: object
              mapping: "$."