Pinner MCP Server
Automate and enforce immutable dependency pinning for Docker images and GitHub Actions with FlowHunt’s Pinner MCP Server, improving security and reproducibility in your software projects.

What does “Pinner” MCP Server do?
The Pinner MCP Server is a Model Context Protocol (MCP) server designed to help developers pin third-party dependencies—specifically Docker base images and GitHub Actions—to their immutable digests. By ensuring that dependencies are referenced by an exact, unchangeable version, Pinner helps enhance supply chain security and reproducibility in software projects. This server acts as a bridge between AI assistants and external systems, enabling automated workflows for dependency management tasks such as resolving, updating, or enforcing pinned versions. Pinner MCP is particularly useful for environments that require strict control over dependencies, supporting software reliability and development best practices.
List of Prompts
- Pin GitHub Actions to their commit hash
Use this prompt template to automatically convert GitHub Actions workflow references to their specific commit hashes.
- Pin container base images to digests
This prompt ensures Docker base images are referenced using their immutable digests rather than tags.
- Update pinned versions of container base images
A workflow prompt to update Docker base images to their latest digests where appropriate.
List of Resources
No explicit resource primitives are detailed in the repository or documentation.
List of Tools
No direct tool definitions found in the available code or documentation.
Use Cases of this MCP Server
- Enforcing Immutable Dependencies
Automatically update CI/CD configurations to use immutable digests for Docker images and GitHub Actions, reducing the risk of supply chain attacks.
- Automated Dependency Pinning
Streamline code reviews and merges by ensuring all third-party actions and images are pinned, improving reproducibility.
- Continuous Compliance
Integrate with development workflows to regularly audit and update dependency pins, helping teams maintain compliance with internal or external security policies.
- Collaborative Codebase Maintenance
Enable AI assistants to assist developers by suggesting or applying pinning best practices across repositories.
- Security Hardening for DevOps
Reduce drift and unintended updates in build environments by strictly controlling dependency versions.
How to set it up
Windsurf
No explicit Windsurf setup details provided.
Claude
No explicit Claude setup details provided.
Cursor
- Ensure you have Docker installed and can run containers.
- Open (or create) .cursor/mcp.json in your project.
- Add the following JSON snippet to define the Pinner MCP server:
{
  "mcpServers": {
    "pinner-mcp-stdio-server": {
      "command": "docker",
      "args": [
        "run",
        "--rm",
        "-i",
        "ghcr.io/safedep/pinner-mcp:latest"
      ]
    }
  }
}
- Enable the MCP server in Cursor’s settings.
- Save the configuration and restart Cursor if needed.
Securing API Keys
No API key requirements are specified for Pinner MCP. If needed, you would typically use an env section to pass environment variables. Example:
{
  "mcpServers": {
    "pinner-mcp-stdio-server": {
      "command": "docker",
      "args": [
        "run",
        "--rm",
        "-i",
        "ghcr.io/safedep/pinner-mcp:latest"
      ],
      "env": {
        "API_KEY": "${env:PINNER_API_KEY}"
      },
      "inputs": {}
    }
  }
}
Cline
No explicit Cline setup details provided.
How to use this MCP inside flows
Using MCP in FlowHunt
To integrate MCP servers into your FlowHunt workflow, start by adding the MCP component to your flow and connecting it to your AI agent.

Click on the MCP component to open the configuration panel. In the system MCP configuration section, insert your MCP server details using this JSON format:
{
  "pinner-mcp": {
    "transport": "streamable_http",
    "url": "https://yourmcpserver.example/pathtothemcp/url"
  }
}
Once configured, the AI agent can use this MCP as a tool with access to all its functions and capabilities. Remember to set the top-level key to the actual name of your MCP server (e.g., “pinner-mcp”) and replace the URL with your own MCP server URL.
Overview
Section | Availability | Details/Notes |
---|---|---|
Overview | ✅ | |
List of Prompts | ✅ | 3 prompt templates described in README |
List of Resources | ⛔ | Not specified |
List of Tools | ⛔ | Not specified |
Securing API Keys | ⛔ | Not required or not described |
Sampling Support (less important in evaluation) | ⛔ | Not specified |
Based on the tables above, the Pinner MCP Server provides a clear and valuable workflow for pinning dependencies but lacks detailed documentation about its resources, tools, and advanced MCP features. Its strong README and practical use case focus are strengths, but it could benefit from richer protocol-level detail and broader platform support documentation.
MCP Score
Has a LICENSE | ✅ (Apache-2.0) |
---|---|
Has at least one tool | ⛔ |
Number of Forks | 3 |
Number of Stars | 9 |
Rating:
I would rate this MCP server a 4/10 for protocol completeness. It provides a clear purpose and usage for dependency pinning, but is missing documentation and explicit implementation of MCP resources, tools, and advanced features like roots or sampling. It is practical and open source, but not fully documented as a generic MCP server implementation.
Frequently asked questions
- What does the Pinner MCP Server do?
The Pinner MCP Server helps developers automatically pin Docker base images and GitHub Actions to their immutable digests or commit hashes, improving supply chain security and reproducibility.
- Why is dependency pinning important?
Pinning ensures your builds always use the exact same dependency versions, preventing unexpected changes or supply chain attacks from untrusted updates.
- How do I set up the Pinner MCP Server in FlowHunt?
Add the MCP component to your flow, open its configuration, and insert your Pinner MCP server details in the MCP configuration section as described above.
- Do I need API keys for Pinner MCP?
No API keys are required for the default Pinner MCP setup. If you deploy a custom instance that requires authentication, use environment variables to pass credentials.
- What are typical use cases for the Pinner MCP Server?
It is used for enforcing immutable dependencies in CI/CD pipelines, automating dependency pinning in code reviews, ensuring continuous compliance, and supporting secure, reproducible builds in DevOps workflows.