VibeCheck MCP Server

AI-powered security audit tool for codebases. Analyzes code for vulnerabilities using real-time data from MITRE CWE and npm audit.

Features

• AI-Powered Analysis: Uses MCP sampling to analyze code with Claude

• Real-Time CWE Data: Fetches vulnerability definitions from MITRE's CWE API

• Dependency Scanning: Uses npm audit for package vulnerability checks

• Zero Configuration: No API keys required to get started

Installation

Claude Code (Recommended)

/plugin marketplace add BPN-Solutions/vibecheck-mcp
/plugin install vibecheck@vibecheck

Manual Installation

Add to your Claude Desktop config (~/.claude/claude_desktop_config.json):

{
  "mcpServers": {
    "vibecheck": {
      "command": "npx",
      "args": ["-y", "vibecheck-audit-mcp"]
    }
  }
}

From Source

git clone https://github.com/BPN-Solutions/vibecheck-mcp.git
cd vibecheck-mcp
npm install && npm run build

Tools

scan_codebase

Full AI-powered security audit with real-time vulnerability data.

Analyzes:

• Authentication and authorization issues

• API security vulnerabilities

• Database security rules

• Exposed secrets and environment variables

• Dependency vulnerabilities (via npm audit)

• Data flow and injection vulnerabilities

Input:

{
  "path": "/path/to/codebase",
  "categories": ["auth", "api", "secrets-env"],
  "severityThreshold": "medium"
}

Or provide files directly:

{
  "files": [
    { "path": "src/auth.ts", "content": "..." }
  ]
}

Categories:

• auth - Authentication, sessions, middleware

• api - API routes, endpoints

• database-rules - Firebase/Supabase rules, Prisma schemas

• secrets-env - Environment variables, config files

• dependencies - package.json vulnerabilities

• data-flow - User input handling, injection points

check_dependencies

Quick dependency-only scan using npm audit.

Input:

{
  "path": "/path/to/project",
  "includeDevDependencies": false
}

Requirements:

• npm installed

• package-lock.json in the project

Data Sources

Development

# Build
npm run build

# Watch mode
npm run dev

# Run directly
npm start

How It Works

1. File Reading: Reads files from the specified path or accepts file contents directly

2. Hotspot Collection: Categorizes files by security relevance (auth, api, secrets, etc.)

3. Dependency Audit: Runs npm audit if package-lock.json exists

4. AI Analysis: Uses MCP sampling to analyze each category with expert prompts

5. CWE Enrichment: Fetches relevant CWE definitions from MITRE API

6. Results: Returns structured findings with severity, CWE/OWASP refs, and remediation steps

Output Format

{
  "findings": [
    {
      "id": "uuid",
      "type": "hardcoded-secret",
      "severity": "critical",
      "title": "Hardcoded API Key",
      "description": "...",
      "filePath": "src/config.ts",
      "lineNumber": 42,
      "codeSnippet": "const API_KEY = 'sk-...'",
      "aiReasoning": "...",
      "confidence": 95,
      "cwes": [{ "id": "CWE-798", "name": "..." }],
      "owasp": [{ "id": "A02:2021", "name": "..." }],
      "remediation": {
        "summary": "Use environment variables",
        "steps": ["..."]
      }
    }
  ],
  "dependencyVulnerabilities": [...],
  "summary": {
    "totalFindings": 5,
    "critical": 1,
    "high": 2,
    "medium": 2,
    "low": 0,
    "vulnerableDependencies": 3
  },
  "scanDuration": 12500
}

License

MIT