MCP Hub

mcp-security-audit

by: qianniuspace

A powerful MCP (Model Context Protocol) Server that audits npm package dependencies for security vulnerabilities. Built with remote npm registry integration for real-time security checks.

Created 20/02/2025
Tags: npm, security

📌 Overview

Purpose: Provide an MCP (Model Context Protocol) server that audits the dependencies of an npm project for known security vulnerabilities, so that an MCP client can request an audit and act on the result.

Overview: The Security Audit Tool queries remote npm registry data rather than a bundled, possibly stale advisory database, and returns each finding with a severity level, a CVSS score, CVE references and a fix recommendation.

Key Features:

  • Real-time vulnerability scanning: Checks package dependencies against current advisory data at the time of the request, so newly published vulnerabilities are reported promptly.

  • Remote npm registry integration: Uses live data from the npm registry for the vulnerability assessment instead of a local snapshot.

  • Comprehensive vulnerability reports: Produces structured reports that classify each finding by severity and include the information needed to act on it.

  • Multiple severity support: Distinguishes four severity levels (critical, high, moderate, low) so fixes can be prioritised.

  • Compatibility with package managers: Works with projects managed by npm, pnpm or yarn.

  • Automatic fix recommendations: Reports, where a fix exists, the version to upgrade to.

  • CVSS scoring and CVE references: Includes a CVSS score and Common Vulnerabilities and Exposures (CVE) identifiers for each finding, with a link to the advisory for further research and validation.


Security Audit Tool

A powerful MCP (Model Context Protocol) Server that audits npm package dependencies for security vulnerabilities, built with remote npm registry integration for real-time security checks.

Features

  • πŸ” Real-time security vulnerability scanning
  • πŸš€ Remote npm registry integration
  • πŸ“Š Detailed vulnerability reports with severity levels
  • πŸ›‘οΈ Support for multiple severity levels (critical, high, moderate, low)
  • πŸ“¦ Compatible with npm/pnpm/yarn package managers
  • πŸ”„ Automatic fix recommendations
  • πŸ“‹ CVSS scoring and CVE references

Installation

Via Smithery

To install the Security Audit Tool for Claude Desktop automatically:

npx -y @smithery/cli install @qianniuspace/mcp-security-audit --client claude

MCP Integration

Option 1: Using NPX (Recommended)

Note that npx -y downloads and runs the latest published version of the package from the registry without prompting, every time the MCP client starts the server. If you want the audit tool itself to be a fixed, reviewed artifact, pin an explicit version (for example mcp-security-audit@<version>) in the configurations below, or use the manual configuration in Option 2 and run a build you have checked out yourself.

  1. Add MCP configuration to Cursor:

    {
      "Name": "mcp-security-audit",
      "Type": "command",
      "Command": "npx -y mcp-security-audit"
    }
    
  2. Add MCP configuration to Cline:

    {
      "mcpServers": {
        "mcp-security-audit": {
          "command": "npx",
          "args": ["-y", "mcp-security-audit"]
        }
      }
    }
    

Option 2: Manual Configuration

  1. Clone the repository:

    git clone https://github.com/qianniuspace/mcp-security-audit.git
    cd mcp-security-audit
    
  2. Install dependencies and build:

    npm install
    npm run build
    
  3. Add MCP configuration to Cursor:

    {
      "Name": "mcp-security-audit",
      "Type": "command",
      "Command": "node /path/to/mcp-security-audit/build/index.js"
    }
    
  4. Add MCP configuration to Cline (the built file is run with node, not npx; use the absolute path to build/index.js):

    {
      "mcpServers": {
        "mcp-security-audit": {
          "command": "node",
          "args": ["/path/to/mcp-security-audit/build/index.js"]
        }
      }
    }
    
    

API Response Format

The tool returns a content array. Each entry carries a vulnerability object with the package name and version, severity level, description, CVE reference, fix recommendation, fixed version, CVSS score and advisory URL, together with metadata giving the timestamp and package manager. When no vulnerability is known, vulnerability is null and metadata carries a message saying so.

Response Examples

When Vulnerabilities Found

{
  "content": [{
    "vulnerability": {
      "packageName": "lodash",
      "version": "4.17.15",
      "severity": "high",
      "description": "Prototype Pollution in lodash",
      "cve": "CVE-2020-8203",
      "recommendation": "Upgrade to version 4.17.19 or later",
      "fixAvailable": true,
      "fixedVersion": "4.17.19",
      "cvss": {
        "score": 7.4
      },
      "url": "https://github.com/advisories/GHSA-p6mc-m468-83gw"
    },
    "metadata": {
      "timestamp": "2024-04-23T10:00:00.000Z",
      "packageManager": "npm"
    }
  }]
}

When No Vulnerabilities Found

{
  "content": [{
    "vulnerability": null,
    "metadata": {
      "timestamp": "2024-04-23T10:00:00.000Z",
      "packageManager": "npm",
      "message": "No known vulnerabilities found"
    }
  }]
}
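The two response shapes above are what a client has to handle: a finding with severity and CVSS data, or vulnerability set to null. The following is an added example of consuming that format from a CI gate; it is not code from the mcp-security-audit project. It assumes only the field names documented above, and the sample responses embedded in it are constructed copies of the two examples. It also goes slightly beyond the page by failing closed on a severity label it does not recognise and by offering a CVSS threshold as a second trigger.

```javascript
// Added example (not part of the mcp-security-audit project): consume a response
// in the documented shape and decide whether a CI job should fail.
// Severity ranking follows the page: critical > high > moderate > low.
const SEVERITY_RANK = { low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample responses, copied from the two documented shapes.
const SAMPLE_FOUND = {
  content: [{
    vulnerability: {
      packageName: "lodash",
      version: "4.17.15",
      severity: "high",
      description: "Prototype Pollution in lodash",
      cve: "CVE-2020-8203",
      recommendation: "Upgrade to version 4.17.19 or later",
      fixAvailable: true,
      fixedVersion: "4.17.19",
      cvss: { score: 7.4 },
      url: "https://github.com/advisories/GHSA-p6mc-m468-83gw",
    },
    metadata: { timestamp: "2024-04-23T10:00:00.000Z", packageManager: "npm" },
  }],
};

const SAMPLE_CLEAN = {
  content: [{
    vulnerability: null,
    metadata: {
      timestamp: "2024-04-23T10:00:00.000Z",
      packageManager: "npm",
      message: "No known vulnerabilities found",
    },
  }],
};

// Gate: a finding blocks the build when its severity is at or above `failOn`,
// or its CVSS score is at or above `blockAtCvss`. A finding whose severity label
// is not one of the four documented values fails closed: an unknown label from
// the scanner should stop the build, not slip through as "not high".
function triage(response, { failOn = "high", blockAtCvss = Infinity } = {}) {
  const threshold = SEVERITY_RANK[failOn];
  if (threshold === undefined) throw new Error(`unknown severity threshold: ${failOn}`);
  if (!Array.isArray(response?.content)) throw new Error("malformed response: content[] missing");

  const findings = [];
  for (const item of response.content) {
    const v = item.vulnerability;
    if (v == null) continue; // documented "No known vulnerabilities found" shape
    const label = String(v.severity ?? "").toLowerCase();
    const rank = SEVERITY_RANK[label];
    const score = typeof v.cvss?.score === "number" ? v.cvss.score : null;
    const blocking =
      rank === undefined || rank >= threshold || (score !== null && score >= blockAtCvss);
    findings.push({
      packageName: v.packageName,
      version: v.version,
      severity: rank === undefined ? `unknown(${label})` : label,
      cvss: score,
      cve: v.cve ?? null,
      fixedVersion: v.fixAvailable ? (v.fixedVersion ?? null) : null,
      url: v.url ?? null,
      blocking,
    });
  }
  // Highest CVSS first, so a report leads with what must be fixed.
  findings.sort((a, b) => (b.cvss ?? 0) - (a.cvss ?? 0));
  return {
    shouldFail: findings.some((f) => f.blocking),
    findings,
    blocking: findings.filter((f) => f.blocking),
  };
}

// One line per finding, suitable for a CI log.
function formatFixPlan(result) {
  if (result.findings.length === 0) return "No known vulnerabilities found";
  return result.findings
    .map((f) => {
      const fix = f.fixedVersion ? `-> ${f.fixedVersion}` : "no fix available";
      const cvss = f.cvss === null ? "n/a" : f.cvss.toFixed(1);
      const cve = f.cve ? `, ${f.cve}` : "";
      return `${f.blocking ? "BLOCK" : "warn "} ${f.packageName}@${f.version} ${fix} (${f.severity}, CVSS ${cvss}${cve})`;
    })
    .join("\n");
}

console.log(formatFixPlan(triage(SAMPLE_FOUND)));
console.log(formatFixPlan(triage(SAMPLE_CLEAN)));
```

With the defaults, the lodash finding above blocks the build and prints a single BLOCK line with the upgrade target; raising failOn to "critical" lets it through unless blockAtCvss is set to 7.0 or lower. The null-vulnerability shape produces no findings and the documented "No known vulnerabilities found" message.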

Development

For development reference, check the example response files in the public directory.

Contributing

Contributions are welcome! Please read the contributing guidelines for details on our code of conduct and the process for submitting pull requests.

License

This project is licensed under the MIT License - see the LICENSE file for details.

Author

ESX (qianniuspace@gmail.com)

Links