Debian Security Analyzer MCP Server

Navigation

Verified details

These details have been verified by PyPI
Maintainers
Avatar for vasudev from gravatar.com vasudev

Unverified details

These details have not been verified by PyPI
Meta
  • Requires: Python >=3.11
  • Provides-Extra: test
Report project as malware

Project description

debsecan-mcp

Tests Coverage Built with opencode

A Model Context Protocol (MCP) server for Debian security vulnerability analysis. This server integrates with AI assistants (like Claude) to provide vulnerability scanning capabilities for Debian systems.

Features

  • List Vulnerabilities: Scan all installed packages on your Debian system for known vulnerabilities
  • CVE Research: Get detailed information about specific CVEs including EPSS scores
  • Automatic Suite Detection: Automatically detects your Debian suite (bookworm, trixie, sid, etc.)
  • EPSS Integration: Enriches vulnerability data with Exploit Prediction Scoring System (EPSS) scores

Installation

pip install -e .

Usage

Running the MCP Server

debsecan-mcp

Or with a specific Debian suite:

DEBSECAN_SUITE=bookworm debsecan-mcp

Command Line Options

debsecan-mcp --help

Options:

  • --transport {stdio,sse,streamable-http} - Transport mode (default: stdio)
  • --mount-path PATH - Mount path for HTTP transports (default: /mcp)
  • --host HOST - Host to bind to for HTTP transport (default: 0.0.0.0)
  • --port PORT - Port to bind to for HTTP transport (default: 8000)

Transport Modes

STDIO Mode (Default)

Used for direct integration with AI assistants like Claude Desktop or VSCode.

debsecan-mcp --transport stdio

HTTP Modes

For HTTP-based access, use sse or streamable-http:

# SSE mode
debsecan-mcp --transport sse --port 8080 --mount-path /mcp

# Streamable HTTP mode
debsecan-mcp --transport streamable-http --port 8080 --mount-path /mcp

Note: HTTP modes require running behind a web server. See HTTP Server Setup below.

HTTP Server Setup

The HTTP transport modes need to be served by a WSGI/ASGI server. Example with uvicorn:

# Install uvicorn
pip install uvicorn

# Run with stdio transport and wrap with uvicorn
uvicorn debsecan_mcp.main:mcp_app --app-dir src --host 0.0.0.0 --port 8000 --path /mcp

Or use the built-in development server:

# SSE mode
debsecan-mcp --transport sse --host 0.0.0.0 --port 8000 --mount-path /mcp

Available Tools

list_vulnerabilities

Lists all vulnerabilities affecting the currently installed packages on the system. Categorises them by severity (critical, high, medium, low, negligible) and EPSS score.

research_cves

Provides detailed information for a list of CVE IDs, including:

  • Package name
  • Urgency level
  • EPSS score and percentile
  • Whether a fix is available
  • Remote exploitability
  • Description

Adding to VSCode

To use this MCP server with VSCode and AI assistants:

  1. Open VSCode Settings (JSON):

    • On macOS: Cmd + Shift + P → "Preferences: Open Settings (JSON)"
    • On Linux/Windows: Ctrl + Shift + P → "Preferences: Open Settings (JSON)"

  2. Add the MCP server configuration:

{
  "mcpServers": {
    "debsecan": {
      "command": "debsecan-mcp",
      "args": [],
      "env": {
        "DEBSECAN_SUITE": "bookworm"
      }
    }
  }
}

  1. Replace bookworm with your Debian suite codename (e.g., trixie, sid, GENERIC)

  2. Restart VSCode or reload the window

Adding to opencode

Option 1: STDIO Mode (Default)

For local usage with opencode, use the default stdio transport:

{
  "mcpServers": {
    "debsecan": {
      "command": "debsecan-mcp",
      "args": ["--transport", "stdio"],
      "env": {
        "DEBSECAN_SUITE": "bookworm"
      }
    }
  }
}

Option 2: HTTP Mode

For remote or containerized setups, you can run the MCP server over HTTP:

  1. Start the server:
debsecan-mcp --transport streamable-http --port 8080 --mount-path /mcp
  1. Configure opencode to connect via HTTP:
{
  "mcpServers": {
    "debsecan": {
      "url": "http://localhost:8080/mcp"
    }
  }
}

Note: HTTP mode requires the MCP client to support HTTP transport.

How It Works

  1. Package Discovery: Uses python-apt to enumerate all installed packages on the system
  2. Vulnerability Data: Fetches compressed vulnerability data from the Debian Security Tracker
  3. EPSS Enrichment: Downloads EPSS scores from CISA to prioritize vulnerabilities
  4. Analysis: Compares installed package versions against vulnerability data using APT version comparison

Requirements

  • Python 3.11+
  • Debian-based distribution (Debian, Ubuntu, etc.)
  • Network access to download vulnerability data

Project details

Verified details

These details have been verified by PyPI
Maintainers
Avatar for vasudev from gravatar.com vasudev

Unverified details

These details have not been verified by PyPI
Meta
  • Requires: Python >=3.11
  • Provides-Extra: test

Release history Release notifications | RSS feed

This version

0.1.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

debsecan_mcp-0.1.0.tar.gz (82.2 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

debsecan_mcp-0.1.0-py3-none-any.whl (18.2 kB view details)

Uploaded Python 3

File details

Details for the file debsecan_mcp-0.1.0.tar.gz.

File metadata

  • Download URL: debsecan_mcp-0.1.0.tar.gz
  • Upload date:
  • Size: 82.2 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for debsecan_mcp-0.1.0.tar.gz
Algorithm Hash digest
SHA256 f87da5235fb432dd6c8ecf79fa81a45e8fd68d0351ec91db7e21dcbc887bf825
MD5 925de36a689a84c6e3da273cfc8f3d6f
BLAKE2b-256 3237a9910239ea9c849d03a0bacdc40c2b942b6d760604122fbe81aef85fe7eb

See more details on using hashes here.

Provenance

The following attestation bundles were made for debsecan_mcp-0.1.0.tar.gz:

Publisher: ci.yml on copyninja/debsecan-mcp

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file debsecan_mcp-0.1.0-py3-none-any.whl.

File metadata

  • Download URL: debsecan_mcp-0.1.0-py3-none-any.whl
  • Upload date:
  • Size: 18.2 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for debsecan_mcp-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 b97e6ac18573c160ac12d99c82b7d3926ef1124c3775d7afdb19c2addaad8367
MD5 33a90b2f0d85b23457258c8cdf6a8192
BLAKE2b-256 35da3f6546b97bf3a5d9af30f0d1f73a69412ef6b69dc9ae837d4e3d61baa3b0

See more details on using hashes here.

Provenance

The following attestation bundles were made for debsecan_mcp-0.1.0-py3-none-any.whl:

Publisher: ci.yml on copyninja/debsecan-mcp

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page