Meet Chainguard MCPs: Bringing supply chain security to the AI era
Today, we’re excited to share that Chainguard now builds and maintains Model Context Protocol (MCP) images for customers, and we’re actively accepting requests. Our first MCP image, mcp-grafana, is now available in the Chainguard catalog. It enables AI assistants and automation tools to interact with your Grafana dashboards, incidents, alerts, and datasources. Compared to alternatives, the security and efficiency gains of Chainguard’s mcp-grafana image are dramatic. The Chainguard image ships with 0 CVEs and is just 18.83 MB, while a common alternative contains 38 CVEs and is almost three times as large at 54.19 MB.
Why does MCP security matter?
Over the past year, real incidents and new research have pushed MCP risks from abstract theory into concrete reality. Researchers discovered a malicious email MCP server quietly exfiltrating user messages via hidden BCC headers—showing how untrusted MCPs can become direct supply-chain threats. Other published analyses have exposed deeper structural issues across community MCP implementations, including cross-tool data leaks, parasitic toolchain attacks, and widespread cryptographic misuse. Though we have not yet seen a large-scale MCP breach, the risk has clearly shifted from theoretical to operational as adoption accelerates.
Despite these risks, MCP security tooling is still catching up. Our review of seven open source scanners revealed an ecosystem that is immature and highly inconsistent. The tools vary widely in quality and approach, and while they detect both MCP-specific issues (prompt injection, tool poisoning, data leaks, shadowing) and general software hygiene problems, their findings can diverge sharply even when scanning the same MCP servers. Overall, the scanners generate many false positives, and even “true” findings often reflect intentional design tradeoffs rather than clear vulnerabilities, highlighting how early and unsettled MCP security still is.
At Chainguard, we hear a wide range of perspectives on MCPs from both customers and internal teams. Some users are enthusiastic — one customer even shared that MCPs were the reason he “finally started using AI.” Others, however, report feeling underwhelmed once they try them in practice. Some believe MCPs simply need better design, while others argue that agents and alternative approaches will eventually make them obsolete. Yet despite these mixed reactions, adoption continues to grow, and more engineering and security leaders are beginning to examine what MCPs mean for their security posture.
CVE-free, minimal images for MCPs
Hardened, minimal, and continuously updated images don’t solve every challenge in the MCP ecosystem, but they provide a trustworthy, defensible foundation. Chainguard MCP images eliminate CVEs, remove unnecessary components, shrink the attack surface, and deliver transparent provenance and SBOMs. They eliminate entire classes of risk that often appear before an MCP server even starts running, and they provide teams with a baseline they can confidently build upon while the broader tooling and security guidance mature.
Our first hardened MCP — mcp-grafana — is now available, with more to follow based on customer needs. For teams who want to adopt MCPs without expanding their attack surface or operational overhead, Chainguard’s hardened MCPs offer a meaningfully safer and more lightweight choice. If you're exploring MCP-powered automation and want a Chainguard MCP, get in touch with our team to get started.