Bring Chainguard's secure container images and hardened library dependencies into your Cursor AI workflow. Query images, check security advisories, inspect SBOMs, migrate Dockerfiles, and configure Chainguard Libraries for Java, JavaScript, and Python — all from the agent chat.
Invoke with / in the agent chat:
| Skill | What it does |
|---|---|
/chainguard-find-image |
Find the right cgr.dev image for your language, framework, or tool |
/chainguard-inspect-image |
List packages, SBOM summary, entrypoint, and config for an image |
/chainguard-check-advisories |
Query CVEs and security advisories for an image or APK package |
/chainguard-compare-versions |
Show version history, changelogs, and digests across image tags |
/chainguard-migrate-dockerfile |
Rewrite a Dockerfile to use Chainguard base images |
/chainguard-libraries-java |
Configure Maven or Gradle to use Chainguard Libraries |
/chainguard-libraries-javascript |
Configure npm, Yarn, or pnpm to use Chainguard Libraries |
/chainguard-libraries-python |
Configure pip, uv, or Poetry to use Chainguard Libraries |
/chainguard-setup-auth |
Verify and set up Chainguard authentication via chainctl |
Applied automatically based on the file you're editing:
| Rule | Activates on |
|---|---|
| Prefer Chainguard Images | Dockerfile, docker-compose.yml |
| Chainguard Libraries — Java | pom.xml, build.gradle, *.gradle.kts |
| Chainguard Libraries — JavaScript | package.json, .npmrc, .yarnrc* |
| Chainguard Libraries — Python | requirements*.txt, pyproject.toml, Pipfile |
| Supply Chain Policy | GitHub Actions workflows |
The skills above use four Chainguard MCP servers for live data:
| Server | Endpoint | Provides |
|---|---|---|
cg-oci |
cgr.dev/mcp |
Image lookup, tags, digests |
cg-apk |
apk.cgr.dev/mcp |
APK package queries |
cg-versions |
versions.cgr.dev/mcp |
Version history and changelogs |
cg-api |
console-api.enforce.dev/mcp |
Policies, advisories, org context |
- Cursor
- A Chainguard account — sign up free at chainguard.dev
The MCP servers authenticate via OAuth 2.0. Cursor handles this natively — no manual configuration required.
When you first invoke a skill that uses an MCP server, Cursor will open a browser tab to complete authentication. Sign in with your Chainguard account and return to Cursor. Each server authenticates once and stays connected.
If a server shows as disconnected in Settings → MCP, click the reconnect button to re-authenticate.
Chainguard Libraries provides hardened, continuously-patched builds of popular open source packages for Java (Maven/Gradle), JavaScript (npm/Yarn/pnpm), and Python (pip/uv/Poetry).
Use the /chainguard-libraries-java, /chainguard-libraries-javascript, or /chainguard-libraries-python skills to configure your project. Each will walk you through obtaining a registry token and updating your package manager configuration.
You'll need a Chainguard Libraries subscription — contact chainguard.dev for access.
/chainguard-find-image — find me a Python 3.12 image for production
Resolves your organization, queries the catalog, and returns a digest-pinned reference:
cgr.dev/mycompany/python:latest@sha256:a1b2c3... # minimal, distroless runtime cgr.dev/mycompany/python:latest-dev # includes shell + pip for builds
/chainguard-inspect-image — what packages are in cgr.dev/mycompany/nginx:latest?
Lists all APK packages, the entrypoint, architecture, and whether the image runs as non-root.
/chainguard-check-advisories — are there any open CVEs in cgr.dev/mycompany/go:latest?
Returns CVE IDs, severity, affected versions, and Chainguard's advisory status (
fixed,not_affected, etc.). Reports explicitly if none are found.
/chainguard-compare-versions — what changed between the last two releases of cgr.dev/mycompany/node?
Shows a changelog with package version bumps, CVE fixes, and the
sha256digest for each release so you can pin to a known-good version.
/chainguard-migrate-dockerfile — harden this Dockerfile:
FROM node:20
WORKDIR /app
COPY package*.json ./
RUN npm ci
COPY . .
CMD ["node", "server.js"]
Rewrites the Dockerfile using a multi-stage build:
-devvariant for the build stage, minimal distroless runtime for the final stage, pinned to the current digest.
/chainguard-libraries-java — configure our Maven project to pull from Chainguard Libraries
Walks through adding the Chainguard Maven registry to
settings.xmland the token configuration for authenticated pulls.
/chainguard-libraries-javascript — we use pnpm. Set up Chainguard Libraries as our npm registry.
Produces the
.npmrcconfiguration with the Chainguard registry URL and auth token setup for pnpm workspaces.
/chainguard-libraries-python — configure uv to use Chainguard Libraries as our PyPI index
Updates
pyproject.tomloruv.tomlto point to the Chainguard Python registry with token-based authentication.
/chainguard-setup-auth — I'm on a new machine, walk me through getting set up
Checks for
chainctl, runschainctl auth loginif needed, and confirms access withchainctl iam organizations list.
Apache 2.0 — see LICENSE.