Skip to main content

Debian Vulnerability Analyzer — MCP server, CLI, and Prometheus exporter

Project description

[!WARNING] This package has been renamed to debvulns. debsecan-mcp 0.1.5 is the final release under this name. Please update your dependency:

pip install debvulns

debvulns

Tests Coverage Built with opencode

Debian vulnerability analysis toolkit — MCP server, standalone CLI, and Prometheus exporter. Integrates with AI assistants (like Claude) and monitoring stacks (Prometheus + Grafana) to track, prioritize, and alert on package vulnerabilities across Debian systems.

[!NOTE] This project was previously published on PyPI as debsecan-mcp. The final release under that name is 0.1.5. All future development happens here as debvulns.

Features

  • MCP Server (debvulns-mcp): Integrates with Claude Desktop, VSCode, and opencode for AI-assisted vulnerability analysis
  • Standalone CLI (debvulns): Scan and report vulnerabilities from the command line in JSON or CSV format
  • Prometheus Exporter (debvulns-exporter): Expose vulnerability metrics for Grafana dashboards and alerting
  • List Vulnerabilities: Scan all installed packages for known vulnerabilities
  • CVE Research: Get detailed information about specific CVEs including EPSS scores
  • Automatic Suite Detection: Automatically detects your Debian suite (bookworm, trixie, sid, etc.)
  • EPSS Integration: Enriches vulnerability data with Exploit Prediction Scoring System (EPSS) scores

Installation

pip install debvulns

Or from source:

pip install -e .

Usage

Running the MCP Server

debvulns-mcp

Or with a specific Debian suite:

DEBSECAN_SUITE=bookworm debvulns-mcp

Command Line Options

debvulns-mcp --help

Options:

  • --transport {stdio,sse,streamable-http} - Transport mode (default: stdio)
  • --mount-path PATH - Mount path for HTTP transports (default: /mcp)
  • --host HOST - Host to bind to for HTTP transport (default: 0.0.0.0)
  • --port PORT - Port to bind to for HTTP transport (default: 8000)

Transport Modes

STDIO Mode (Default)

Used for direct integration with AI assistants like Claude Desktop or VSCode.

debvulns-mcp --transport stdio

HTTP Modes

For HTTP-based access, use sse or streamable-http:

# SSE mode
debvulns-mcp --transport sse --port 8080 --mount-path /mcp

# Streamable HTTP mode
debvulns-mcp --transport streamable-http --port 8080 --mount-path /mcp

Note: HTTP modes require running behind a web server. See HTTP Server Setup below.

HTTP Server Setup

The HTTP transport modes need to be served by a WSGI/ASGI server. Example with uvicorn:

# Install uvicorn
pip install uvicorn

# Run with stdio transport and wrap with uvicorn
uvicorn debvulns.main:mcp_app --app-dir src --host 0.0.0.0 --port 8000 --path /mcp

Or use the built-in development server:

# SSE mode
debvulns-mcp --transport sse --host 0.0.0.0 --port 8000 --mount-path /mcp

Standalone CLI Tool (debvulns)

The package includes a standalone CLI tool debvulns that allows you to scan for vulnerabilities directly from the command line without running the MCP server.

On first run, debvulns downloads the vulnerabilities and EPSS data and caches them locally (defaulting to /var/cache/debvulns or falling back to ~/.cache/debvulns if the default path is unwritable). The cache is refreshed automatically if it is older than 24 hours.

Running the CLI Tool

debvulns

Command Line Options

debvulns --help

Options:

  • -s, --severity {critical,high,medium,low,negligible} - Filter vulnerabilities by severity. By default, lists all vulnerabilities grouped by severity.
  • -f, --format {json,csv} - Output format (default: json).
  • --sort-by {package,cve} - Sort vulnerabilities by package name or CVE ID.
  • --suite SUITE - Debian suite name (e.g., bookworm, sid). Automatically detected by default.
  • --cache-dir PATH - Directory to cache fetched and parsed data (default: /var/cache/debvulns).
  • --no-cache - Do not use cached data, force downloading and parsing.
  • --vuln-url URL - Custom URL or local path for Debian Security Tracker data.
  • --epss-url URL - Custom URL or local path for EPSS scores data.
  • -v, --verbose - Enable verbose debug logging (sent to stderr).

Examples

Filter high severity vulnerabilities, sort by CVE, and output in CSV format:

debvulns --severity high --sort-by cve --format csv

Run for a specific suite without using cached data:

debvulns --suite trixie --no-cache

Available Tools

list_vulnerabilities

Lists all vulnerabilities affecting the currently installed packages on the system. Categorises them by severity (critical, high, medium, low, negligible) and EPSS score.

research_cves

Provides detailed information for a list of CVE IDs, including:

  • Package name
  • Urgency level
  • EPSS score and percentile
  • Whether a fix is available
  • Remote exploitability
  • Description

Adding to VSCode

To use this MCP server with VSCode and AI assistants:

  1. Open VSCode Settings (JSON):

    • On macOS: Cmd + Shift + P → "Preferences: Open Settings (JSON)"
    • On Linux/Windows: Ctrl + Shift + P → "Preferences: Open Settings (JSON)"
  2. Add the MCP server configuration:

{
  "mcpServers": {
    "debvulns": {
      "command": "debvulns-mcp",
      "args": [],
      "env": {
        "DEBSECAN_SUITE": "bookworm"
      }
    }
  }
}
  1. Replace bookworm with your Debian suite codename (e.g., trixie, sid, GENERIC)

  2. Restart VSCode or reload the window

Adding to opencode

Option 1: STDIO Mode (Default)

For local usage with opencode, use the default stdio transport:

{
  "mcpServers": {
    "debvulns": {
      "command": "debvulns-mcp",
      "args": ["--transport", "stdio"],
      "env": {
        "DEBSECAN_SUITE": "bookworm"
      }
    }
  }
}

Option 2: HTTP Mode

For remote or containerized setups, you can run the MCP server over HTTP:

  1. Start the server:
debvulns-mcp --transport streamable-http --port 8080 --mount-path /mcp
  1. Configure opencode to connect via HTTP:
{
  "mcpServers": {
    "debvulns": {
      "url": "http://localhost:8080/mcp"
    }
  }
}

Note: HTTP mode requires the MCP client to support HTTP transport.

How It Works

  1. Package Discovery: Uses python-apt to enumerate all installed packages on the system
  2. Vulnerability Data: Fetches compressed vulnerability data from the Debian Security Tracker
  3. EPSS Enrichment: Downloads EPSS scores from CISA to prioritize vulnerabilities
  4. Analysis: Compares installed package versions against vulnerability data using APT version comparison

Requirements

  • Python 3.11+
  • Debian-based distribution (Debian, Ubuntu, etc.)
  • Network access to download vulnerability data

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

debvulns-0.2.0.tar.gz (113.2 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

debvulns-0.2.0-py3-none-any.whl (32.6 kB view details)

Uploaded Python 3

File details

Details for the file debvulns-0.2.0.tar.gz.

File metadata

  • Download URL: debvulns-0.2.0.tar.gz
  • Upload date:
  • Size: 113.2 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for debvulns-0.2.0.tar.gz
Algorithm Hash digest
SHA256 ad6d85704d66e6690b4c7f1b6c393935c86ab5a1639ad128d000797fec800893
MD5 9b37642bdc6842aef2a5b891b77b9b52
BLAKE2b-256 15fb3a302e100c2ab2b4fedac1f5061630edf6160b9bec930eb60cbeaca796d8

See more details on using hashes here.

Provenance

The following attestation bundles were made for debvulns-0.2.0.tar.gz:

Publisher: ci.yml on copyninja/debsecan-mcp

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file debvulns-0.2.0-py3-none-any.whl.

File metadata

  • Download URL: debvulns-0.2.0-py3-none-any.whl
  • Upload date:
  • Size: 32.6 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for debvulns-0.2.0-py3-none-any.whl
Algorithm Hash digest
SHA256 509b90520e98c5ba33d676cbf2f0c188e5d1a3830a6c78e78c7a9262143fe7c0
MD5 f9edc14401c0b559a7a90f62e9264411
BLAKE2b-256 44e3ea43cd5ec84df1ded949808eff2de502539c07824e4d6accc249ef39c8a4

See more details on using hashes here.

Provenance

The following attestation bundles were made for debvulns-0.2.0-py3-none-any.whl:

Publisher: ci.yml on copyninja/debsecan-mcp

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page