mcp-security-audit
MCP server for automated npm package security auditing.
Security Audit Tool
A powerful MCP (Model Context Protocol) Server that audits npm package dependencies for security vulnerabilities. Built with remote npm registry integration for real-time security checks.
Features
- 🔍 Real-time security vulnerability scanning
- 🚀 Remote npm registry integration
- 📊 Detailed vulnerability reports with severity levels
- 🛡️ Support for multiple severity levels (critical, high, moderate, low)
- 📦 Compatible with npm/pnpm/yarn package managers
- 🔄 Automatic fix recommendations
- 📋 CVSS scoring and CVE references
Installing via Smithery
To install Security Audit Tool for Claude Desktop automatically via Smithery:
npx -y @smithery/cli install @qianniuspace/mcp-security-audit --client claude
MCP Integration
Option 1: Using NPX (Recommended)
- Add MCP configuration to Cline/Cursor:
{
  "mcpServers": {
    "mcp-security-audit": {
      "command": "npx",
      "args": ["-y", "mcp-security-audit"]
    }
  }
}
Option 2: Download Source Code and Configure Manually
- Clone the repository:
git clone https://github.com/qianniuspace/mcp-security-audit.git
cd mcp-security-audit
- Install dependencies and build:
npm install
npm run build
- Add MCP configuration to Cline/Cursor:
{
  "mcpServers": {
    "mcp-security-audit": {
      "command": "npx",
      "args": ["-y", "/path/to/mcp-security-audit/build/index.js"]
    }
  }
}
API Response Format
The tool provides detailed vulnerability information including severity levels, fix recommendations, CVSS scores, and CVE references.
Response Examples
1. When Vulnerabilities Found (Severity-response.json)
{
  "content": [{
    "vulnerability": {
      "packageName": "lodash",
      "version": "4.17.15",
      "severity": "high",
      "description": "Prototype Pollution in lodash",
      "cve": "CVE-2020-8203",
      "githubAdvisoryId": "GHSA-p6mc-m468-83gw",
      "recommendation": "Upgrade to version 4.17.19 or later",
      "fixAvailable": true,
      "fixedVersion": "4.17.19",
      "cvss": {
        "score": 7.4,
        "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
      },
      "cwe": ["CWE-1321"],
      "url": "https://github.com/advisories/GHSA-p6mc-m468-83gw"
    },
    "metadata": {
      "timestamp": "2024-04-23T10:00:00.000Z",
      "packageManager": "npm"
    }
  }]
}
2. When No Vulnerabilities Found (no-Severity-response.json)
{
  "content": [{
    "vulnerability": null,
    "metadata": {
      "timestamp": "2024-04-23T10:00:00.000Z",
      "packageManager": "npm",
      "message": "No known vulnerabilities found"
    }
  }]
}
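A consumer of this response format can turn it into a pass/fail gate. The sketch below is an added example, not code from the mcp-security-audit project: `evaluateAudit`, its threshold parameter and the trimmed sample objects are assumptions constructed here, and any severity outside the four documented levels is treated as blocking.

```javascript
// Added example: CI-style gate over the response shape shown in this README.
// evaluateAudit and the sample objects are hypothetical, constructed for illustration.
const SEVERITY_RANK = new Map([
  ["low", 1], ["moderate", 2], ["high", 3], ["critical", 4],
]);

function evaluateAudit(response, threshold = "high") {
  const minRank = SEVERITY_RANK.get(threshold);
  if (minRank === undefined) throw new Error(`unknown threshold: ${threshold}`);
  if (!response || !Array.isArray(response.content)) {
    throw new Error("malformed response: content must be an array");
  }
  const blocking = [];
  const informational = [];
  for (const entry of response.content) {
    if (entry === null || typeof entry !== "object" || !("vulnerability" in entry)) {
      throw new Error("malformed entry: missing vulnerability field");
    }
    const vuln = entry.vulnerability;
    if (vuln === null) continue; // documented "no known vulnerabilities" case
    if (typeof vuln !== "object") throw new Error("malformed vulnerability field");
    // Map lookup, so names like "constructor" cannot resolve to inherited properties.
    const rank = SEVERITY_RANK.get(String(vuln.severity).toLowerCase());
    const finding = {
      package: `${vuln.packageName}@${vuln.version}`,
      severity: vuln.severity,
      id: vuln.cve || vuln.githubAdvisoryId || "unidentified",
      upgradeTo: vuln.fixAvailable ? vuln.fixedVersion : null,
    };
    // Fail closed: an undocumented severity blocks rather than passing silently.
    if (rank === undefined || rank >= minRank) blocking.push(finding);
    else informational.push(finding);
  }
  return { pass: blocking.length === 0, blocking, informational };
}

// Constructed samples mirroring the two documented responses (fields trimmed).
const vulnerableSample = { content: [{
  vulnerability: { packageName: "lodash", version: "4.17.15", severity: "high",
    cve: "CVE-2020-8203", fixAvailable: true, fixedVersion: "4.17.19" },
  metadata: { packageManager: "npm" },
}] };
const cleanSample = { content: [{
  vulnerability: null,
  metadata: { packageManager: "npm", message: "No known vulnerabilities found" },
}] };

console.log(evaluateAudit(vulnerableSample));
console.log(evaluateAudit(cleanSample));
```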
Development
For development reference, check the example response files in the public directory:
- Severity-response.json: Example response when vulnerabilities are found (transformed from npm audit API response)
- no-Severity-response.json: Example response when no vulnerabilities are found (transformed from npm audit API response)
Note: The example responses shown above are transformed from the raw npm audit API responses to provide a more structured format. The original npm audit API responses contain additional metadata and may have a different structure.
Contributing
Contributions are welcome! Please read our Contributing Guide for details on our code of conduct and the process for submitting pull requests.
License
This project is licensed under the MIT License - see the LICENSE file for details.
Author
ESX (qianniuspace@gmail.com)