Pinner MCP Server

Automate and enforce immutable dependency pinning for Docker images and GitHub Actions with FlowHunt’s Pinner MCP Server, improving security and reproducibility in your software projects.

What does “Pinner” MCP Server do?

The Pinner MCP Server is a Model Context Protocol (MCP) server designed to help developers pin third-party dependencies—specifically Docker base images and GitHub Actions—to their immutable digests. By ensuring that dependencies are referenced by an exact, unchangeable version, Pinner helps enhance supply chain security and reproducibility in software projects. This server acts as a bridge between AI assistants and external systems, enabling automated workflows for dependency management tasks such as resolving, updating, or enforcing pinned versions. Pinner MCP is particularly useful for environments that require strict control over dependencies, supporting software reliability and development best practices.

List of Prompts

  • Pin GitHub Actions to their commit hash
    Use this prompt template to automatically convert GitHub Actions workflow references to their specific commit hashes.
  • Pin container base images to digests
    This prompt ensures Docker base images are referenced using their immutable digests rather than tags.
  • Update pinned versions of container base images
    A workflow prompt to update Docker base images to their latest digests where appropriate.

List of Resources

No explicit resource primitives are detailed in the repository or documentation.

List of Tools

No direct tool definitions found in the available code or documentation.

Use Cases of this MCP Server

  • Enforcing Immutable Dependencies
    Automatically update CI/CD configurations to use immutable digests for Docker images and GitHub Actions, reducing the risk of supply chain attacks.
  • Automated Dependency Pinning
    Streamline code reviews and merges by ensuring all third-party actions and images are pinned, improving reproducibility.
  • Continuous Compliance
    Integrate with development workflows to regularly audit and update dependency pins, helping teams maintain compliance with internal or external security policies.
  • Collaborative Codebase Maintenance
    Enable AI assistants to assist developers by suggesting or applying pinning best practices across repositories.
  • Security Hardening for DevOps
    Reduce drift and unintended updates in build environments by strictly controlling dependency versions.
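
An audit for the pinning rules in this list, as an added example (not code from Pinner or FlowHunt): it flags workflow `uses:` entries that are not a full 40-hex commit SHA and Dockerfile `FROM` images that lack a `sha256` digest. The sample workflow, Dockerfile and commit id are constructed, and the function names are hypothetical.

```python
import re

SHA1 = re.compile(r"[0-9a-f]{40}")
DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")
USES = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
FROM = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", re.I)

# Constructed sample inputs; the 40-hex commit id is a placeholder.
WORKFLOW = """\
steps:
  - uses: actions/checkout@v4
  - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # v4
  - uses: ./.github/actions/build
"""
DOCKERFILE = """\
FROM golang:1.22 AS build
FROM build AS test
FROM scratch
"""


def action_is_pinned(ref):
    """True if a workflow `uses:` value cannot change underneath the caller."""
    if ref.startswith("./"):           # local action, versioned with the repo
        return True
    if ref.startswith("docker://"):    # container action: needs a digest
        return bool(DIGEST.search(ref))
    return bool(SHA1.fullmatch(ref.partition("@")[2]))  # tags/branches move


def audit_workflow(text):
    """Return (line_no, ref) for every unpinned `uses:` entry."""
    found = ((no, USES.match(line)) for no, line in enumerate(text.splitlines(), 1))
    return [(no, m.group(1)) for no, m in found if m and not action_is_pinned(m.group(1))]


def audit_dockerfile(text):
    """Return (line_no, image) for every FROM that pulls a mutable reference."""
    hits, stages = [], {"scratch"}     # scratch and earlier stages pull nothing
    for no, line in enumerate(text.splitlines(), 1):
        m = FROM.match(line)
        if not m:
            continue
        image, alias = m.groups()
        if image not in stages and not DIGEST.search(image):
            hits.append((no, image))
        if alias:
            stages.add(alias)
    return hits


if __name__ == "__main__":
    print(audit_workflow(WORKFLOW), audit_dockerfile(DOCKERFILE))
```

The same digest rule applies to the image a `docker run` MCP entry pulls: a reference ending in `:latest` is a mutable tag.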

How to set it up

Windsurf

No explicit Windsurf setup details provided.

Claude

No explicit Claude setup details provided.

Cursor

  1. Ensure you have Docker installed and can run containers.
  2. Open (or create) .cursor/mcp.json in your project.
  3. Add the following JSON snippet to define the Pinner MCP server:
    {
      "mcpServers": {
        "pinner-mcp-stdio-server": {
          "command": "docker",
          "args": [
            "run",
            "--rm",
            "-i",
            "ghcr.io/safedep/pinner-mcp:latest"
          ]
        }
      }
    }
    
  4. Enable the MCP server in Cursor’s settings.
  5. Save the configuration and restart Cursor if needed.

Securing API Keys

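No API key requirements are specified for Pinner MCP. If needed, you would typically use an env section to pass environment variables. Because the server is started with docker run, the env section only sets the variable for the docker client, so it also has to be forwarded into the container with -e. Example:

{
  "mcpServers": {
    "pinner-mcp-stdio-server": {
      "command": "docker",
      "args": [
        "run",
        "--rm",
        "-i",
        "-e",
        "API_KEY",
        "ghcr.io/safedep/pinner-mcp:latest"
      ],
      "env": {
        "API_KEY": "${env:PINNER_API_KEY}"
      },
      "inputs": {}
    }
  }
}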

Cline

No explicit Cline setup details provided.

How to use this MCP inside flows

Using MCP in FlowHunt

To integrate MCP servers into your FlowHunt workflow, start by adding the MCP component to your flow and connecting it to your AI agent.

Click on the MCP component to open the configuration panel. In the system MCP configuration section, insert your MCP server details using this JSON format:

{
  "pinner-mcp": {
    "transport": "streamable_http",
    "url": "https://yourmcpserver.example/pathtothemcp/url"
  }
}

Once configured, the AI agent can use this MCP as a tool with access to all its functions and capabilities. Remember to change the server name key (“pinner-mcp” in the example above) to the actual name of your MCP server and replace the URL with your own MCP server URL.


Overview

Section | Availability | Details/Notes
Overview | |
List of Prompts | | 3 prompt templates described in README
List of Resources | | Not specified
List of Tools | | Not specified
Securing API Keys | | Not required or not described
Sampling Support (less important in evaluation) | | Not specified

Based on the tables above, the Pinner MCP Server provides a clear and valuable workflow for pinning dependencies but lacks detailed documentation about its resources, tools, and advanced MCP features. Its strong README and practical use case focus are strengths, but it could benefit from richer protocol-level detail and broader platform support documentation.


MCP Score

Has a LICENSE | ✅ (Apache-2.0)
Has at least one tool |
Number of Forks | 3
Number of Stars | 9

Rating:
I would rate this MCP server a 4/10 for protocol completeness. It provides a clear purpose and usage for dependency pinning, but is missing documentation and explicit implementation of MCP resources, tools, and advanced features like roots or sampling. It is practical and open source, but not fully documented as a generic MCP server implementation.

Frequently asked questions

What does the Pinner MCP Server do?

The Pinner MCP Server helps developers automatically pin Docker base images and GitHub Actions to their immutable digests or commit hashes, improving supply chain security and reproducibility.

Why is dependency pinning important?

Pinning ensures your builds always use the exact same dependency versions, preventing unexpected changes or supply chain attacks from untrusted updates.

How do I set up the Pinner MCP Server in FlowHunt?

Add the MCP component to your flow, open its configuration, and insert your Pinner MCP server details in the MCP configuration section as described above.

Do I need API keys for Pinner MCP?

No API keys are required for the default Pinner MCP setup. If you deploy a custom instance that requires authentication, use environment variables to pass credentials.

What are typical use cases for the Pinner MCP Server?

It is used for enforcing immutable dependencies in CI/CD pipelines, automating dependency pinning in code reviews, ensuring continuous compliance, and supporting secure, reproducible builds in DevOps workflows.

Try FlowHunt's Pinner MCP Server

Strengthen your software supply chain by automating dependency pinning for your workflows. Experience secure, reproducible builds with FlowHunt's Pinner MCP Server.