Dependency vulnerability monitoring MCP server — knows your lockfile, prioritizes by EPSS exploit probability, recommends fix versions.
Project description
VulnFeed — Dependency Vulnerability Monitoring for Claude Code
An MCP server that scans your project dependencies for known vulnerabilities, enriches with EPSS exploit probability scores, and recommends fix versions.
Free tier — 10 scans/day, 1 monitored project, no signup required.
Install
uvx vulnfeed-mcp
MCP client config
Add to your MCP client config (~/.claude/settings.json for Claude Code, claude_desktop_config.json for Claude Desktop):
Free tier (no signup, no API key):
```json
{
  "mcpServers": {
    "vulnfeed": {
      "command": "uvx",
      "args": ["vulnfeed-mcp"]
    }
  }
}
```
Paid ($14/mo, unlimited scans + projects):
```json
{
  "mcpServers": {
    "vulnfeed": {
      "command": "uvx",
      "args": ["vulnfeed-mcp"],
      "env": {
        "VULNFEED_API_KEY": "YOUR_LICENSE_KEY_HERE"
      }
    }
  }
}
```
Get a license key at vulnfeed.novadyne.ai.
Tools
Scanning
| Tool | Description |
|---|---|
| scan_project | Auto-detect and scan all lockfiles in a directory |
| scan_lockfile | Scan a specific lockfile |
| check_package | Check a single package for vulnerabilities |
| lookup_cve | Detailed CVE info with EPSS + fix versions |
Monitoring
| Tool | Description |
|---|---|
| monitor_project | Register for continuous monitoring |
| check_alerts | New vulns since last scan |
| update_deps | Update snapshot after upgrading packages |
| list_monitored | See all monitored projects |
| unmonitor_project | Remove from monitoring |
Supported lockfiles
- package-lock.json (npm)
- yarn.lock (Yarn)
- pnpm-lock.yaml (pnpm)
- requirements.txt (pip)
- Pipfile.lock (Pipenv)
- go.sum / go.mod (Go)
- Cargo.lock (Rust)
- Gemfile.lock (Ruby)
- composer.lock (PHP)
How it works
- Parses your lockfile to extract dependency names + versions
- Queries OSV.dev (NVD + GitHub Advisories) for known CVEs
- Enriches with EPSS exploit probability scores
- Filters noise — suppresses low-EPSS, non-critical CVEs by default
- Sorts by exploitability — most likely to be exploited first
- Returns fix version recommendations from package registries
Smart filtering
By default, VulnFeed suppresses low-priority CVEs (EPSS < 10% AND CVSS < 9.0). This cuts noise by ~80%.
Pass show_all=True to any scan tool to see everything.
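The pipeline in "How it works" and the default suppression rule above, as an added illustration written for this page (example code, not VulnFeed's own implementation): it parses a constructed package-lock.json, matches installed versions against a constructed advisory table that stands in for the OSV.dev and EPSS responses, drops findings with EPSS < 10% AND CVSS < 9.0 unless `show_all` is set, sorts the rest by exploit probability, and carries the fix version through. The advisory ids are placeholders, and `affected` is an explicit version list rather than the version ranges a real scanner evaluates.

```python
import json

# Constructed sample lockfile (npm lockfileVersion 3 layout); not a real project.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/left-pkg": {"version": "1.2.3"},
        "node_modules/other-pkg": {"version": "4.0.0"},
        "node_modules/other-pkg/node_modules/@scope/third": {"version": "0.9.1"},
    },
})

# Constructed advisory data standing in for OSV.dev + EPSS responses. The ids are
# placeholders, not real CVEs; "affected" is a plain version list (a real scanner
# evaluates version ranges).
SAMPLE_ADVISORIES = {
    "left-pkg": [
        {"id": "EXAMPLE-0001", "affected": ["1.2.3"], "cvss": 7.5, "epss": 0.62, "fixed": "1.2.4"},
        {"id": "EXAMPLE-0002", "affected": ["1.2.3"], "cvss": 5.3, "epss": 0.01, "fixed": "1.3.0"},
    ],
    "other-pkg": [
        {"id": "EXAMPLE-0003", "affected": ["4.0.0"], "cvss": 9.8, "epss": 0.02, "fixed": "4.0.1"},
        {"id": "EXAMPLE-0004", "affected": ["3.9.0"], "cvss": 9.1, "epss": 0.40, "fixed": "3.9.1"},
    ],
    "@scope/third": [
        {"id": "EXAMPLE-0005", "affected": ["0.9.1"], "cvss": 4.0, "epss": 0.15, "fixed": "1.0.0"},
    ],
}

EPSS_THRESHOLD = 0.10  # 10 %
CVSS_THRESHOLD = 9.0


def parse_package_lock(text):
    """Return {package name: installed version} from a lockfileVersion 2/3 package-lock.json."""
    deps = {}
    for path, entry in json.loads(text).get("packages", {}).items():
        if path == "":  # the root project entry is not a dependency
            continue
        # The name is whatever follows the last "node_modules/" segment; this also
        # handles nested installs such as a/node_modules/b/node_modules/@scope/c.
        name = path.rsplit("node_modules/", 1)[-1]
        deps[name] = entry["version"]
    return deps


def is_noise(finding):
    """Default suppression rule from the README: hide when EPSS < 10% AND CVSS < 9.0."""
    return finding["epss"] < EPSS_THRESHOLD and finding["cvss"] < CVSS_THRESHOLD


def triage(deps, advisories, show_all=False):
    """Match installed versions against advisories, filter noise, sort most exploitable first."""
    findings = []
    for name, version in deps.items():
        for adv in advisories.get(name, []):
            if version not in adv["affected"]:
                continue
            finding = {"package": name, "version": version, **adv}
            if show_all or not is_noise(finding):
                findings.append(finding)
    # Primary key is EPSS (probability of exploitation in the wild); CVSS breaks ties.
    findings.sort(key=lambda f: (f["epss"], f["cvss"]), reverse=True)
    return findings


if __name__ == "__main__":
    deps = parse_package_lock(SAMPLE_LOCK)
    for f in triage(deps, SAMPLE_ADVISORIES):
        print(f"{f['package']}@{f['version']}  {f['id']}  EPSS={f['epss']:.0%}  "
              f"CVSS={f['cvss']}  fix -> {f['fixed']}")
```

With the defaults, the run keeps three findings: the high-EPSS one first, then the one kept only because its EPSS clears 10%, then the one kept only because its CVSS is critical; the low-EPSS, medium-CVSS finding is suppressed and reappears only with `show_all=True`.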
Continuous monitoring
- `monitor_project` — takes a baseline snapshot of current deps + known vulns
- `check_alerts` — diffs against baseline, surfaces only new vulns
- Run `check_alerts` periodically to catch newly published CVEs
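The baseline-and-diff behaviour described above, as an added example written for this page (not VulnFeed's own code): `monitor_project` stores the dependency versions plus the set of findings already known, `check_alerts` returns only findings absent from that set, and re-snapshotting after an upgrade (the `update_deps` step) drops resolved findings from the baseline. The finding records are constructed and the ids are placeholders, not real CVEs.

```python
import json

# Constructed findings in the shape a scan would return; ids are placeholders, not real CVEs.
BASELINE_DEPS = {"left-pkg": "1.2.3", "@scope/third": "0.9.1"}
BASELINE_FINDINGS = [
    {"package": "left-pkg", "version": "1.2.3", "id": "EXAMPLE-0001", "epss": 0.62, "fixed": "1.2.4"},
]
LATER_FINDINGS = BASELINE_FINDINGS + [
    # Published after the baseline was taken: this is what check_alerts should surface.
    {"package": "@scope/third", "version": "0.9.1", "id": "EXAMPLE-0005", "epss": 0.15, "fixed": "1.0.0"},
]


def finding_key(f):
    # Keyed on package@version:id so that an upgrade to a still-vulnerable version
    # is reported again rather than silently inherited from the old baseline.
    return f"{f['package']}@{f['version']}:{f['id']}"


def monitor_project(deps, findings):
    """Take a baseline snapshot: dependency versions plus the findings already known."""
    snapshot = {"deps": dict(deps), "known": sorted(finding_key(f) for f in findings)}
    # Round-trip through JSON so the snapshot is exactly what a file-backed store would hold.
    return json.loads(json.dumps(snapshot))


def check_alerts(snapshot, current_findings):
    """Diff a fresh scan against the baseline; return only findings not seen before."""
    known = set(snapshot["known"])
    new = [f for f in current_findings if finding_key(f) not in known]
    new.sort(key=lambda f: f["epss"], reverse=True)  # most exploitable first
    return new


if __name__ == "__main__":
    baseline = monitor_project(BASELINE_DEPS, BASELINE_FINDINGS)
    for f in check_alerts(baseline, LATER_FINDINGS):
        print("NEW:", finding_key(f), "fix ->", f["fixed"])

    # update_deps step: after upgrading left-pkg, re-snapshot so the fixed finding
    # no longer counts as "known" and the baseline reflects the new versions.
    upgraded_deps = {"left-pkg": "1.2.4", "@scope/third": "0.9.1"}
    upgraded_findings = [LATER_FINDINGS[1]]  # only the unfixed one remains
    baseline = monitor_project(upgraded_deps, upgraded_findings)
    print("alerts after upgrade:", check_alerts(baseline, upgraded_findings))
```

Because the snapshot holds keys rather than full records, a periodic `check_alerts` run stays cheap and deterministic: the same scan diffed twice yields nothing the second time, and only findings published after the baseline (or re-introduced by a downgrade) are surfaced.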
License
MIT
Project details
Download files
File details
Details for the file vulnfeed_mcp-0.3.1.tar.gz.
File metadata
- Download URL: vulnfeed_mcp-0.3.1.tar.gz
- Upload date:
- Size: 38.3 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.15
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 1a8fea7778e005134046acd744159f73281aac7129d3b24abc814528a75b6549 |
| MD5 | 65d830bda69b149792ca1fcfdffce255 |
| BLAKE2b-256 | 39368d96cc5804a7ba26f6ee6a1509e260273730ce4aea824952806c7679e87f |
File details
Details for the file vulnfeed_mcp-0.3.1-py3-none-any.whl.
File metadata
- Download URL: vulnfeed_mcp-0.3.1-py3-none-any.whl
- Upload date:
- Size: 10.5 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.15
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | d03ed9d588aab69c1e31d0bee94222b49bd20d39463a61247c6f124cb315e867 |
| MD5 | bbc631f06f846a148552eeeb4ec2a574 |
| BLAKE2b-256 | 687438d429a022c81c6a654040eb055469ea418b2c37189dd2d50849873a5cea |