Security Audit Tool
A powerful MCP (Model Context Protocol) Server that audits npm package dependencies for security vulnerabilities. Built with remote npm registry integration for real-time security checks.
Overview
What is MCP Security Audit?
MCP Security Audit is a powerful tool designed to audit npm package dependencies for security vulnerabilities. It utilizes the Model Context Protocol (MCP) to ensure that developers can maintain secure applications by identifying potential risks in their dependencies. The tool integrates seamlessly with remote npm registries, allowing for real-time security checks and providing developers with immediate feedback on the security status of their packages.
Features of MCP Security Audit
- Real-time Security Checks: The integration with remote npm registries enables instant security assessments of package dependencies.
- Comprehensive Vulnerability Reporting: MCP Security Audit provides detailed reports on identified vulnerabilities, including severity levels and recommended actions.
- User-friendly Interface: The tool is designed with usability in mind, making it easy for developers to navigate and understand the security status of their projects.
- Open Source: Being a public template, developers can contribute to its improvement and customize it according to their needs.
- Community Support: With an active community of users and contributors, developers can seek help and share insights regarding security practices.
How to Use MCP Security Audit
-
Installation: Begin by installing the MCP Security Audit tool via npm. Use the command:
npm install mcp-security-audit -
Running the Audit: After installation, navigate to your project directory and run the audit command:
mcp-security-audit -
Reviewing the Report: Once the audit is complete, review the generated report. It will list all vulnerabilities found, categorized by severity.
-
Taking Action: Follow the recommendations provided in the report to address the vulnerabilities. This may include updating packages, removing unused dependencies, or applying patches.
-
Continuous Monitoring: Regularly run the audit as part of your development workflow to ensure ongoing security compliance.
Frequently Asked Questions
What types of vulnerabilities can MCP Security Audit detect?
MCP Security Audit can detect a wide range of vulnerabilities, including outdated packages, known security flaws, and potential exploits in your npm dependencies.
Is MCP Security Audit free to use?
Yes, MCP Security Audit is an open-source tool and is free to use. Developers can also contribute to its development and improvement.
How often should I run the audit?
It is recommended to run the audit regularly, especially after adding new dependencies or updating existing ones. Integrating it into your CI/CD pipeline can help maintain security standards.
Can I customize the audit reports?
Yes, the tool allows for customization of reports to fit your project's specific needs. You can modify the output format and the level of detail included in the reports.
Where can I find more information about MCP Security Audit?
For more details, documentation, and community support, visit the official website at mcpdirs.com.
Details
Security Audit Tool
A powerful MCP (Model Context Protocol) Server that audits npm package dependencies for security vulnerabilities. Built with remote npm registry integration for real-time security checks.
Features
- 🔍 Real-time security vulnerability scanning
- 🚀 Remote npm registry integration
- 📊 Detailed vulnerability reports with severity levels
- 🛡️ Support for multiple severity levels (critical, high, moderate, low)
- 📦 Compatible with npm/pnpm/yarn package managers
- 🔄 Automatic fix recommendations
- 📋 CVSS scoring and CVE references
Installing via Smithery
To install Security Audit Tool for Claude Desktop automatically via Smithery:
npx -y @smithery/cli install @qianniuspace/mcp-security-audit --client claude
MCP Integration
Option 1: Using NPX (Recommended)
- Add MCP configuration to Cline /Cursor:
{
"mcpServers": {
"mcp-security-audit": {
"command": "npx",
"args": ["-y", "mcp-security-audit"]
}
}
}
Option 2: Download Source Code and Configure Manually
- Clone the repository:
git clone https://github.com/qianniuspace/mcp-security-audit.git
cd mcp-security-audit
- Install dependencies and build:
npm install
npm run build
- Add MCP configuration to Cline /Cursor :
{
"mcpServers": {
"mcp-security-audit": {
"command": "npx",
"args": ["-y", "/path/to/mcp-security-audit/build/index.js"]
}
}
}
Configuration Screenshots
Cursor Configuration
Cline Configuration
API Response Format
The tool provides detailed vulnerability information including severity levels, fix recommendations, CVSS scores, and CVE references.
Response Examples
1. When Vulnerabilities Found (Severity-response.json)
{
"content": [{
"vulnerability": {
"packageName": "lodash",
"version": "4.17.15",
"severity": "high",
"description": "Prototype Pollution in lodash",
"cve": "CVE-2020-8203",
"githubAdvisoryId": "GHSA-p6mc-m468-83gw",
"recommendation": "Upgrade to version 4.17.19 or later",
"fixAvailable": true,
"fixedVersion": "4.17.19",
"cvss": {
"score": 7.4,
"vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
},
"cwe": ["CWE-1321"],
"url": "https://github.com/advisories/GHSA-p6mc-m468-83gw"
},
"metadata": {
"timestamp": "2024-04-23T10:00:00.000Z",
"packageManager": "npm"
}
}]
}
2. When No Vulnerabilities Found (no-Severity-response.json)
{
"content": [{
"vulnerability": null,
"metadata": {
"timestamp": "2024-04-23T10:00:00.000Z",
"packageManager": "npm",
"message": "No known vulnerabilities found"
}
}]
}
Development
For development reference, check the example response files in the public directory:
- Severity-response.json : Example response when vulnerabilities are found (transformed from npm audit API response)
- no-Severity-response.json : Example response when no vulnerabilities are found (transformed from npm audit API response)
Note: The example responses shown above are transformed from the raw npm audit API responses to provide a more structured format. The original npm audit API responses contain additional metadata and may have a different structure.
Contributing
Contributions are welcome! Please read our Contributing Guide for details on our code of conduct and the process for submitting pull requests.
License
This project is licensed under the MIT License - see the LICENSE file for details.
Author
ESX (qianniuspace@gmail.com)
Links
Server Config
{
"mcpServers": {
"mcp-security-audit": {
"command": "docker",
"args": [
"run",
"-i",
"--rm",
"ghcr.io/metorial/mcp-container--qianniuspace--mcp-security-audit--mcp-security-audit",
"node ./build/index.js"
],
"env": {}
}
}
}
