Dependency vulnerability monitoring MCP server — knows your lockfile, prioritizes by EPSS exploit probability, recommends fix versions.
Project description
VulnFeed — Security MCP Server
Vulnerability scanning and continuous monitoring for Claude Code. Monitors your project's dependencies against NVD, GitHub Advisories, and EPSS exploit data.
Setup
- Install the MCP Python SDK:
  pip install mcp
- Add to your Claude Code settings (.claude/settings.json or ~/.claude/settings.json):
  {
    "mcpServers": {
      "vulnfeed": {
        "type": "stdio",
        "command": "python3",
        "args": ["/path/to/server.py"],
        "env": {
          "VULNFEED_WORKER_URL": "https://...",
          "VULNFEED_API_KEY": "your-key"
        }
      }
    }
  }
- Restart Claude Code. The tools are now available.
Remote mode (SSE)
Run as a remote server for shared/team access:
python3 server.py --transport sse --host 0.0.0.0 --port 8383
Then connect from Claude Code settings:
{
  "mcpServers": {
    "vulnfeed": {
      "type": "sse",
      "url": "http://your-server:8383/sse"
    }
  }
}
Or set VULNFEED_TRANSPORT=sse to default to SSE mode.
Tools
Scanning
scan_lockfile
Scan a specific lockfile for vulnerabilities.
scan_lockfile(lockfile_path="/path/to/package-lock.json")
check_package
Check a single package for known vulnerabilities.
check_package(name="express", version="4.17.1", ecosystem="npm")
lookup_cve
Get detailed info on a specific vulnerability.
lookup_cve(cve_id="CVE-2024-29041")
scan_project
Auto-detect and scan all lockfiles in a project directory.
scan_project(project_path="/path/to/project")
Monitoring
monitor_project
Register a project for continuous vulnerability monitoring. Takes a baseline snapshot of current dependencies and known vulns.
monitor_project(project_path="/path/to/project", project_name="my-app")
check_alerts
Check for new vulnerabilities since the last scan. Returns only vulns that weren't in the baseline.
check_alerts(project_id="f47e98b0e47a")
list_monitored
List all projects registered for monitoring.
list_monitored()
update_deps
Update the dependency snapshot after upgrading packages (e.g. after npm update).
update_deps(project_id="f47e98b0e47a", project_path="/path/to/project")
unmonitor_project
Remove a project from monitoring.
unmonitor_project(project_id="f47e98b0e47a")
Supported lockfiles
- package-lock.json (npm)
- yarn.lock (Yarn)
- pnpm-lock.yaml (pnpm)
- Pipfile.lock (Pipenv)
- requirements.txt (pip)
- go.sum / go.mod (Go)
- Cargo.lock (Rust / crates.io)
- Gemfile.lock (Ruby / RubyGems)
- composer.lock (PHP / Packagist)
Smart filtering
By default, VulnFeed suppresses low-priority CVEs (EPSS < 10% exploit probability AND CVSS < 9.0). This cuts noise by ~80% — most CVEs are theoretical, not actively exploited.
To see everything, pass show_all=True to any scan tool:
scan_lockfile(lockfile_path="package-lock.json", show_all=True)
How it works
- Parses your lockfile to extract dependency names + versions
- Batch-queries OSV.dev (which includes NVD + GitHub Advisories)
- Enriches each vulnerability with EPSS exploit probability scores
- Filters by exploitability — suppresses low-EPSS, non-critical CVEs by default
- Sorts results by exploitability — the CVEs most likely to be used in real attacks appear first
- Returns fix version recommendations from package registries
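As an added illustration of the pipeline above (not the project's own code), the following Python shows the first and fourth/fifth steps end to end: extracting name + version pairs from a constructed package-lock.json (lockfileVersion 3) fragment, then applying the default suppression rule (EPSS < 10% AND CVSS < 9.0) and the exploitability sort to constructed findings. The vulnerability IDs, EPSS and CVSS values are placeholders, not real advisory data.

```python
import json

# Constructed package-lock.json (lockfileVersion 3) fragment; the "" key is the root project.
LOCKFILE = json.dumps({
    "name": "my-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "my-app", "version": "1.0.0"},
        "node_modules/express": {"version": "4.17.1"},
        "node_modules/express/node_modules/debug": {"version": "2.6.9"},
    },
})


def parse_package_lock(text):
    """Return {name: version} from the 'packages' map of a v2/v3 package-lock.json."""
    data = json.loads(text)
    deps = {}
    for path, info in data.get("packages", {}).items():
        if not path:
            continue  # root project entry, not a dependency
        # The package name is whatever follows the last "node_modules/" (handles nested deps)
        name = path.rsplit("node_modules/", 1)[-1]
        deps[name] = info["version"]
    return deps


EPSS_THRESHOLD = 0.10  # 10% exploit probability
CVSS_THRESHOLD = 9.0   # critical severity


def is_low_priority(vuln):
    """Default rule from the page: suppress when EPSS < 10% AND CVSS < 9.0."""
    return vuln["epss"] < EPSS_THRESHOLD and vuln["cvss"] < CVSS_THRESHOLD


def prioritize(vulns, show_all=False):
    """Drop low-priority findings unless show_all, then order by exploitability (EPSS, then CVSS)."""
    kept = vulns if show_all else [v for v in vulns if not is_low_priority(v)]
    return sorted(kept, key=lambda v: (v["epss"], v["cvss"]), reverse=True)


# Constructed findings with placeholder IDs and scores.
FINDINGS = [
    {"id": "VULN-PLACEHOLDER-1", "package": "express", "epss": 0.02, "cvss": 6.1},  # suppressed
    {"id": "VULN-PLACEHOLDER-2", "package": "debug", "epss": 0.45, "cvss": 7.5},    # kept: high EPSS
    {"id": "VULN-PLACEHOLDER-3", "package": "express", "epss": 0.01, "cvss": 9.8},  # kept: critical CVSS
]

if __name__ == "__main__":
    print(parse_package_lock(LOCKFILE))
    for v in prioritize(FINDINGS):
        print(v["id"], v["package"], v["epss"], v["cvss"])
```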
Monitoring flow
- monitor_project scans your deps and stores a baseline (known vulns + dep versions)
- check_alerts re-scans against the same dep list and diffs: new vulns that appeared since the last check are surfaced, resolved vulns are noted
- Run check_alerts periodically (e.g. daily) to catch newly published CVEs affecting your deps
File details
Details for the file vulnfeed_mcp-0.3.0.tar.gz.
File metadata
- Download URL: vulnfeed_mcp-0.3.0.tar.gz
- Upload date:
- Size: 29.3 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.15
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 7d8117114ab0a383e742507d17aaa791b662fa92466cfb9c1e22ef3a7f9ae2db |
| MD5 | b0206dd195284e6e7af0dd97241ff224 |
| BLAKE2b-256 | eac624d6cc97fbf38fb6da5168ee3ed362ffaf131d2149a7f30905eb5104ce47 |
File details
Details for the file vulnfeed_mcp-0.3.0-py3-none-any.whl.
File metadata
- Download URL: vulnfeed_mcp-0.3.0-py3-none-any.whl
- Upload date:
- Size: 10.9 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.15
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 61a4f6aa5407b1e310f8c87910ee75f04f6c86a99c29225fc6a3121b8598b3c1 |
| MD5 | aab961f8279e54f916bb10bc3c62bc68 |
| BLAKE2b-256 | 189b22bc9d3b025a81921a7e4e493192ce948273720895bd44f3e8f96dd050ab |