MCP HubMCP Hub
qianniuspace

mcp-security-audit

by: qianniuspace

A powerful MCP (Model Context Protocol) Server that audits npm package dependencies for security vulnerabilities. Built with remote npm registry integration for real-time security checks.

24created 20/02/2025
Visit
npm
security

📌Overview

Purpose: This framework aims to provide a robust auditing solution for npm package dependencies, detecting security vulnerabilities in real-time.

Overview: The Security Audit Tool is a powerful MCP (Model Context Protocol) Server designed to audit npm package dependencies for security vulnerabilities. It integrates with remote npm registries to deliver immediate security checks and detailed reporting capabilities.

Key Features:

  • Real-time vulnerability scanning: Continuously checks package dependencies for potential security threats, ensuring timely detection.

  • Remote npm registry integration: Leverages real-time data from npm registries for accurate vulnerability assessments.

  • Comprehensive vulnerability reports: Generates detailed reports that classify vulnerabilities by severity levels and provide actionable insights.

  • Multiple severity support: Acknowledges various severity levels (critical, high, moderate, low) to prioritize security fixes effectively.

  • Compatibility with package managers: Works seamlessly with npm, pnpm, and yarn, making it versatile across different development environments.

  • Automatic fix recommendations: Suggests direct fixes for vulnerabilities, facilitating quick resolutions.

  • CVSS scoring and CVE references: Offers scoring metrics and references to Common Vulnerabilities and Exposures (CVE) for further research and validation of vulnerabilities.

Security Audit Tool

A powerful MCP (Model Context Protocol) Server that audits npm package dependencies for security vulnerabilities. Built with remote npm registry integration for real-time security checks.

Features

  • Real-time security vulnerability scanning
  • Remote npm registry integration
  • Detailed vulnerability reports with severity levels
  • Support for multiple severity levels (critical, high, moderate, low)
  • Compatible with npm/pnpm/yarn package managers
  • Automatic fix recommendations
  • CVSS scoring and CVE references

Installing via Smithery

To install Security Audit Tool for Claude Desktop automatically via Smithery:

npx -y @smithery/cli install @qianniuspace/mcp-security-audit --client claude

MCP Integration

Option 1: Using NPX (Recommended)

Add MCP configuration to Cline / Cursor:

{
  "mcpServers": {
    "mcp-security-audit": {
      "command": "npx",
      "args": ["-y", "mcp-security-audit"]
    }
  }
}

Option 2: Download Source Code and Configure Manually

  1. Clone the repository:
git clone https://github.com/qianniuspace/mcp-security-audit.git
cd mcp-security-audit
  1. Install dependencies and build:
npm install
npm run build
  1. Add MCP configuration to Cline / Cursor:
{
  "mcpServers": {
    "mcp-security-audit": {
      "command": "npx",
      "args": ["-y", "/path/to/mcp-security-audit/build/index.js"]
    }
  }
}

API Response Format

The tool provides detailed vulnerability information including severity levels, fix recommendations, CVSS scores, and CVE references.

Response Examples

1. When Vulnerabilities Found

{
  "content": [{
    "vulnerability": {
      "packageName": "lodash",
      "version": "4.17.15",
      "severity": "high",
      "description": "Prototype Pollution in lodash",
      "cve": "CVE-2020-8203",
      "githubAdvisoryId": "GHSA-p6mc-m468-83gw",
      "recommendation": "Upgrade to version 4.17.19 or later",
      "fixAvailable": true,
      "fixedVersion": "4.17.19",
      "cvss": {
        "score": 7.4,
        "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
      },
      "cwe": ["CWE-1321"],
      "url": "https://github.com/advisories/GHSA-p6mc-m468-83gw"
    },
    "metadata": {
      "timestamp": "2024-04-23T10:00:00.000Z",
      "packageManager": "npm"
    }
  }]
}

2. When No Vulnerabilities Found

{
  "content": [{
    "vulnerability": null,
    "metadata": {
      "timestamp": "2024-04-23T10:00:00.000Z",
      "packageManager": "npm",
      "message": "No known vulnerabilities found"
    }
  }]
}

Development

For development reference, check the example response files in the public directory:

  • Severity-response.json : Example response when vulnerabilities are found (transformed from npm audit API response)
  • no-Severity-response.json : Example response when no vulnerabilities are found (transformed from npm audit API response)

Note: The example responses shown above are transformed from the raw npm audit API responses to provide a more structured format.

Contributing

Contributions are welcome! Please read our Contributing Guide for details on our code of conduct and the process for submitting pull requests.

License

This project is licensed under the MIT License.

Author

ESX (qianniuspace@gmail.com)

Links