Skip to main content

Dependency vulnerability monitoring MCP server — knows your lockfile, prioritizes by EPSS exploit probability, recommends fix versions.

Project description

VulnFeed — Dependency Vulnerability Monitoring for Claude Code

CI PyPI License: MIT vulnfeed-mcp MCP server

An MCP server that scans your project dependencies for known vulnerabilities, enriches with EPSS exploit probability scores, and recommends fix versions.

Free tier — 10 scans/day, 1 monitored project, no signup required.

Homepage: vulnfeed.novadyne.ai

Install

uvx vulnfeed-mcp

MCP client config

Add to your MCP client config (~/.claude/settings.json for Claude Code, claude_desktop_config.json for Claude Desktop):

Free tier (no signup, no API key):

{
  "mcpServers": {
    "vulnfeed": {
      "command": "uvx",
      "args": ["vulnfeed-mcp"]
    }
  }
}

Paid ($14/mo, unlimited scans + projects):

{
  "mcpServers": {
    "vulnfeed": {
      "command": "uvx",
      "args": ["vulnfeed-mcp"],
      "env": {
        "VULNFEED_API_KEY": "YOUR_LICENSE_KEY_HERE"
      }
    }
  }
}

Get a license key at vulnfeed.novadyne.ai.

x402 micropayments

VulnFeed also accepts x402 micropayments — AI agents can pay per scan with USDC on Base, no API key or signup needed. When the free tier limit is reached, the API returns HTTP 402 with payment requirements that x402-compatible clients handle automatically.

  • $0.01 per scan
  • $0.002 per CVE lookup
  • $0.05 per project monitor setup

Tools

Scanning

Tool Description
scan_project Auto-detect and scan all lockfiles in a directory
scan_lockfile Scan a specific lockfile
check_package Check a single package for vulnerabilities
lookup_cve Detailed CVE info with EPSS + fix versions

Monitoring

Tool Description
monitor_project Register for continuous monitoring
check_alerts New vulns since last scan
update_deps Update snapshot after upgrading packages
list_monitored See all monitored projects
unmonitor_project Remove from monitoring

Supported lockfiles

  • package-lock.json (npm)
  • yarn.lock (Yarn)
  • pnpm-lock.yaml (pnpm)
  • requirements.txt (pip)
  • Pipfile.lock (Pipenv)
  • go.sum / go.mod (Go)
  • Cargo.lock (Rust)
  • Gemfile.lock (Ruby)
  • composer.lock (PHP)

How it works

  1. Parses your lockfile to extract dependency names + versions
  2. Queries OSV.dev (NVD + GitHub Advisories) for known CVEs
  3. Enriches with EPSS exploit probability scores
  4. Filters noise — suppresses low-EPSS, non-critical CVEs by default
  5. Sorts by exploitability — most likely to be exploited first
  6. Returns fix version recommendations from package registries

Smart filtering

By default, VulnFeed suppresses low-priority CVEs (EPSS < 10% AND CVSS < 9.0). This cuts noise by ~80%.

Pass show_all=True to any scan tool to see everything.

Continuous monitoring

  1. monitor_project — takes a baseline snapshot of current deps + known vulns
  2. check_alerts — diffs against baseline, surfaces only new vulns
  3. Run check_alerts periodically to catch newly published CVEs

License

MIT

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

vulnfeed_mcp-0.3.6.tar.gz (12.0 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

vulnfeed_mcp-0.3.6-py3-none-any.whl (11.9 kB view details)

Uploaded Python 3

File details

Details for the file vulnfeed_mcp-0.3.6.tar.gz.

File metadata

  • Download URL: vulnfeed_mcp-0.3.6.tar.gz
  • Upload date:
  • Size: 12.0 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.11.15

File hashes

Hashes for vulnfeed_mcp-0.3.6.tar.gz
Algorithm Hash digest
SHA256 c4edadf21c756d05340e16e0ff6388c0f4d36f1d05ecb5861b1ddb6183f507ed
MD5 ccc78234918d1a9b618b7a1ad4a8c608
BLAKE2b-256 de4ca0c521f014fb33e51a20e504b0eca551fd56476ea32e9e66b4d4be9d1670

See more details on using hashes here.

File details

Details for the file vulnfeed_mcp-0.3.6-py3-none-any.whl.

File metadata

  • Download URL: vulnfeed_mcp-0.3.6-py3-none-any.whl
  • Upload date:
  • Size: 11.9 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.11.15

File hashes

Hashes for vulnfeed_mcp-0.3.6-py3-none-any.whl
Algorithm Hash digest
SHA256 6249511cb9815d441e00163331e1eaacb8deaf1b35ccdcaa86912b9caaa1e545
MD5 01977a172596b3487bb9a5bd86d4cd13
BLAKE2b-256 7606e190eabc83d9c3269c5d15e25af632aff9a3b9fbeb40cd4c2bd9b2592696

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page