Happy slice of mcp pizzaMCP.pizza
Fire in da houseTop Tip:Paying $100+ per month for Perplexity, MidJourney, Runway, ChatGPT and other tools is crazy - get all your AI tools in one site starting at $15 per month with Galaxy AI Fire in da houseCheck it out free

mcp-osv

MCP.Pizza Chef: gleicon

mcp-osv is a Model Context Protocol (MCP) server that integrates with the OSV.dev open source vulnerabilities database to provide automated security analysis of codebases. It supports vulnerability checking, basic code security analysis, and AI-driven security insights. The server seamlessly integrates with AI models and optionally uses Semgrep for static code analysis, making it ideal for supply-chain security and co-pilot coding environments.

Use This MCP server To

Check codebase for known open source vulnerabilities Perform basic security analysis on code files Integrate AI-driven security insights into development workflows Use with co-pilot IDEs for real-time supply-chain security checks Automate dependency risk management using custom rulesets Combine static analysis with vulnerability database lookups

README

MCP Security Analyst

Go

A Model Context Protocol (MCP) server that provides security analysis capabilities by integrating with OSV.dev and AI models to help identify and analyze potential vulnerabilities in your codebase.

Features

  • Vulnerability checking using OSV.dev database
  • Basic security analysis of code files
  • Integration with AI models for security insights
  • MCP protocol support for seamless integration with various AI tools
  • Optional static code analysis using Semgrep (if installed)

Cursor/Cline and other co-pilots IDE supply-chain preventions

mcp-osv is the ideal companion for co-pilot coding. Use the [supply-chain-security-check.mdc] ruleset in this repo or build your own to manage dependencies and reduce risk. See below how to setup your IDE.

Requirements

Core Requirements

make deps
make install

Optional: Semgrep Installation

For enhanced static code analysis, you can install Semgrep:

macOS
brew install semgrep
Linux
python3 -m pip install semgrep
Other platforms

Visit Semgrep Installation Guide for detailed instructions.

The MCP server will work without Semgrep installed, but will skip the static analysis portion when analyzing directories.

Installation

make deps
make install

The mcp-osv command will be installed on PATH and use the stdin/stdout method.

Configure your LLM to use mcp-osv as an agent.

For Cursor use the configuration below on configuration -> MCP tab:

{"mcpServers":{"security_analyst":{"name":"Security Analyst","type":"stdio","command":"/usr/local/bin/mcp-osv"}}}

If you are using Claude just configure it under Settings -> Developer using the config below:

{
    "mcpServers": {
        "mcp-osv": {
            "command": "/usr/local/bin/mcp-osv",
            "args": []
        }
    }
}
  1. The server provides the following tools:

check_vulnerabilities

Check for known vulnerabilities in dependencies using OSV.dev database.

Parameters:

  • package_name: Name of the package to check
  • version: Version of the package to check

analyze_security

Analyze code for potential security issues based on https://osv.dev - a comprehensive database of open-source vulnerabilities.

Parameters:

  • file_path: Path to the file to analyze

Integration with AI Models

This server is designed to work with AI models like Claude and Cursor through the MCP protocol. The AI models can use the provided tools to:

  1. Check dependencies for known vulnerabilities
  2. Analyze code for security issues
  3. Provide recommendations for security improvements

Connecting with Cursor

Sample output

output-1 output-2 output-3

Usage

See mcp.json-template for an example that works with Cursor IDE.

After the setup, restart and ask something like "Analyze the security of my project using mcp-osv".

To Debug in VSCode go to Help -> Toggle developer tools and at the console look for mcp.

To test the security analysis capabilities:

# Check for vulnerabilities in a package
"Check for vulnerabilities in the package 'express' version '4.17.1'"

# Analyze a specific file
"Analyze the security of the file 'main.go'"

The server will process your requests and provide security insights through the MCP protocol.

Connect to Claude

Edit the config file and add the following section (that's the whole file, consider the mcp_osv section if you already have other tools installed.)

{
    "mcpServers": {
        "mcp_osv": {
            "command": "/usr/local/bin/mcp-osv",
            "args": []
        }
    }
}

Development

To add new security analysis capabilities:

  1. Create a new tool using mcp.NewTool
  2. Implement the tool handler
  3. Add the tool to the server using s.AddTool
  4. check https://github.com/mark3labs/mcp-go for a comprehensive framework to build MCPs in Go.

License

MIT

mcp-osv FAQ

How does mcp-osv integrate with AI models?
mcp-osv uses the MCP protocol to connect with AI models, enabling them to query vulnerability data and receive security insights in real time.
Can mcp-osv perform static code analysis?
Yes, optionally it can use Semgrep if installed to perform static code analysis alongside vulnerability checks.
What is OSV.dev and why is it used?
OSV.dev is an open source vulnerabilities database that mcp-osv queries to identify known security issues in dependencies and code.
How do I set up mcp-osv in my development environment?
Follow the installation steps including 'make deps' and 'make install', then configure your IDE or MCP client to connect to mcp-osv.
Is mcp-osv suitable for supply-chain security?
Yes, it supports supply-chain security by managing dependencies and reducing risk through vulnerability checks and custom rulesets.
Which AI providers are compatible with mcp-osv?
mcp-osv is provider-agnostic and works with OpenAI, Anthropic Claude, and Google Gemini models via MCP.
Can mcp-osv be used with co-pilot coding tools?
Yes, it is designed to integrate with co-pilot IDEs to provide real-time security feedback during coding.