fix Tool permissions for API (#22)

# fix Tool permissions for API

## Changes

* fix the tool API minimum permissions
* Updated the docs to include the required minimum permissions

Signed-off-by: S3B4SZ17 <[email protected]>

Author: S3B4SZ17

.pre-commit-config.yaml

@@ -6,10 +6,10 @@ repos:
         description: Format code with ruff.
         entry: make fmt
         language: system
-        stages: ["commit", "push"]
+        stages: ["pre-commit", "pre-push"]
       - id: ruff-check
         name: Ruff Check
         description: Check code style with ruff.
         entry: make lint
         language: system
-        stages: ["commit", "push"]
+        stages: ["pre-commit", "pre-push"]

README.md

@@ -17,9 +17,9 @@
   - [Requirements](#requirements)
     - [UV Setup](#uv-setup)
   - [Configuration](#configuration)
+    - [API Permissions](#api-permissions)
   - [Running the Server](#running-the-server)
     - [Docker](#docker)
-    - [K8s Deployment](#k8s-deployment)
     - [UV](#uv)
   - [Client Configuration](#client-configuration)
     - [Authentication](#authentication)
@@ -157,6 +157,32 @@ You can find your API token in the Sysdig Secure UI under **Settings > Sysdig Se
 
 You can set these variables in your shell or in a `.env` file.
 
+### API Permissions
+
+The minimum permissions needed for the tools to make the necessary API calls are the following:
+
+```bash
+"cli-scanner": ["secure.vm.cli-scanner.exec"],
+"threat-detection": ["policy-events.read"],
+"sysql": ["sage.exec","risks.read"],
+```
+
+We advise you to create a separate role for your MCP server ideally a SA. More information on the official [doc for roles-administration](https://docs.sysdig.com/en/administration/roles-administration/) and how to attach it to the SA and/or team user.
+
+The permissions needed for the Secure platform are:
+
+- Threats: "Policy Events" Read
+- Risks: "Access to risk feature" Read
+- Vulnerability Management: "CLI Execution" EXEC
+- Settings: "API Access Token" View, Read, Edit
+- Sage: "Use Sage chat" EXEC
+
+When selecting the above some other permissions dependent will be added.
+
+>[!IMPORTANT]
+> When using a SA token is expected that the `generate_and_run_sysql` will give a 500 error, to use that tool you should use a token assigned to a user for now.
+
+
 ## Running the Server
 
 You can run the MCP server using either Docker, `uv` or install it in your K8s cluster with helm.

pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "sysdig-mcp-server"
-version = "0.3.0"
+version = "0.3.1"
 description = "Sysdig MCP Server"
 readme = "README.md"
 requires-python = ">=3.12"

utils/sysdig/helpers.py

@@ -5,6 +5,6 @@
 # Sysdig permissions needed for the different set of tools
 TOOL_PERMISSIONS = {
     "cli-scanner": ["secure.vm.cli-scanner.exec"],
-    "threat-detection": ["custom-events.read"],
-    "sysql": ["sage.exec", "sage.manage.exec"],
+    "threat-detection": ["policy-events.read"],
+    "sysql": ["sage.exec", "risks.read"],
 }