Context Snipe
Context Snipe is a security-focused MCP server that provides two tools for giving AI assistants accurate, ground-truth information about a project's dependencies and vulnerabilities:
scan_dependencies— Parses lockfiles (Cargo.lock,package-lock.json,yarn.lock,pnpm-lock.yaml,poetry.lock,uv.lock,go.sum,requirements.txt) to return every resolved package name, version, and ecosystem. This eliminates AI guessing about what's actually installed.check_vulnerabilities— Cross-references your resolved dependency tree against the OSV.dev database (CVE, GHSA, RUSTSEC, PYSEC), returning only advisories that affect your project's actual packages and versions, with CVSS-based severity scores. Optionally filters by minimum severity (low,medium,high, orcritical).
Key highlights:
Supports Rust, npm, Python, and Go projects
Reads resolved lockfiles (not just manifests) for accuracy
No API key or signup required
No data leaves your machine except OSV.dev queries
Works with: Claude Desktop · Cursor · Windsurf · VS Code · Zed · any MCP client
$ context-snipe scan .
context-snipe — vulnerability scan
Project: ./my-api
Scanned: 412 entries (388 unique packages) from Cargo.lock, package-lock.json
FOUND 3 advisories affecting 2 of 388 package(s):
lodash 4.17.11 [npm]
[CRIT] CVE-2019-10744 Prototype Pollution in lodash
[HIGH] CVE-2021-23337 Command Injection in lodash
minimatch 3.0.4 [npm]
[HIGH] CVE-2022-3517 minimatch ReDoS vulnerability
Source: OSV.dev — packages actually in your resolved dependency tree.The problem
You ask Cursor or Claude: "Does my project have any security issues?"
It doesn't know your packages. It doesn't know your versions. It hallucinates an answer based on general knowledge — not your actual package-lock.json.
Your scanner (Dependabot, Snyk, whatever) floods you with 200 warnings, most of which don't apply to what you actually ship. You spend 45 minutes Googling CVEs that are irrelevant to your code.
context-snipe closes both gaps. It reads your resolved lockfiles (not your package.json — your actual installed packages), asks OSV.dev only about what you have, deduplicates the noise, ranks by real CVSS severity, and gives your AI a clean, accurate briefing it can actually reason about.
Related MCP server: CodeCortX-MCP
Install in 30 seconds
macOS / Linux — one line, picks the right binary for your platform:
curl -fsSL https://raw.githubusercontent.com/RP-Digital-Innovations/context-snipe/main/install.sh | shWindows (PowerShell):
irm https://raw.githubusercontent.com/RP-Digital-Innovations/context-snipe/main/install.ps1 | iexRust users — from crates.io:
cargo install context-snipe # build from source
cargo binstall context-snipe # or grab the prebuilt binary, no compileGrab the binary for your platform from the latest release:
Platform | Asset |
macOS (Apple Silicon) |
|
macOS (Intel) |
|
Linux x86_64 |
|
Linux ARM64 |
|
Windows x86_64 |
|
chmod +x it and move it onto your PATH.
Verify:
context-snipe --versionAdd to your AI tool (60 seconds)
Claude Desktop
Add to ~/Library/Application Support/Claude/claude_desktop_config.json (macOS) or %APPDATA%\Claude\claude_desktop_config.json (Windows):
{
"mcpServers": {
"context-snipe": {
"command": "context-snipe",
"args": ["serve"]
}
}
}Cursor
Add to ~/.cursor/mcp.json:
{
"mcpServers": {
"context-snipe": {
"command": "context-snipe",
"args": ["serve"]
}
}
}Windsurf
Add to ~/.codeium/windsurf/mcp_config.json:
{
"mcpServers": {
"context-snipe": {
"command": "context-snipe",
"args": ["serve"]
}
}
}Restart your editor. Then ask your AI: "Check this project for vulnerable dependencies."
What your AI can now do
MCP Tool | What it does |
| Lists every resolved package in your project (name, version, ecosystem) |
| Cross-references your packages against OSV.dev — returns only advisories that affect what you actually have installed |
Your AI goes from guessing to knowing. In one tool call.
Supported ecosystems
Ecosystem | Resolved lockfile (preferred) | Fallback |
Rust |
| — |
npm |
|
|
Python |
|
|
Go |
|
|
How it compares
context-snipe | Dependabot | Snyk | socket.dev | |
MCP native — AI gets the results directly | ✅ | ❌ | ❌ | ❌ |
Reads resolved lockfiles (not just manifests) | ✅ | ✅ | ✅ | ✅ |
100% local — nothing leaves your machine | ✅ | ❌ | ❌ | ❌ |
No account, no signup, no API key | ✅ | ❌ | ❌ | ❌ |
Binary size | ~1 MB | N/A | 200 MB+ | N/A |
Free, open source | ✅ | ✅ | Partial | Partial |
CLI usage
context-snipe scan [PATH] # vulnerability report (defaults to current dir)
context-snipe deps [PATH] # list the full resolved dependency tree
context-snipe serve # start the MCP server over stdio
context-snipe --helpA note on honesty
context-snipe tells you which vulnerable packages are present in your resolved dependency tree. It does not perform call-graph reachability analysis. Presence is not proof of exploitability — the vulnerable function may not be reachable in your code. The tool says so in its own output, by design.
No tool that runs in seconds can tell you a CVE is definitely not exploitable. We won't pretend otherwise.
How it works
MCP engine — hand-rolled JSON-RPC 2.0 over stdio.
initialize,tools/list,tools/call,ping. stdout is the protocol channel; all diagnostics go to stderr.Lockfile parsers — TOML for Cargo, JSON for npm, custom parsers for pnpm/yarn, line parsers for requirements.txt and Go modules.
OSV client — one
querybatchcall filters the full tree to packages with advisories, then a focusedqueryper hit pulls details. CVSS v3.x base scores computed from vector strings. Duplicate advisories sharing a CVE are merged.TLS via rustls — pure-Rust, no OpenSSL, no system crypto dependency. Works identically on Windows, macOS, and musl Linux.
Build from source
cargo build --release
# Binary at: target/release/context-snipeRequires stable Rust. The release profile statically links the CRT — the binary is fully self-contained.
Roadmap
GitHub App — post CVE diffs on pull requests (shows what a PR introduces)
Policy layer — configurable CI failure thresholds per severity
More ecosystems — Ruby (Gemfile.lock), PHP (composer.lock), Java (pom.xml)
Contributing
PRs welcome. The codebase is ~1,000 lines of Rust split across:
src/
main.rs — CLI entry, mode routing
mcp.rs — JSON-RPC / MCP server
deps.rs — lockfile parsers
osv.rs — OSV.dev client + CVSS scoring
scan.rs — orchestration + report formatting
http.rs — ureq + rustls HTTP agentGood first issues: adding a new lockfile format, improving CVSS display, adding output formats (JSON, SARIF).
License
MIT — free forever. No telemetry. No accounts. No cloud.
Maintenance
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/RP-Digital-Innovations/context-snipe'
If you have feedback or need assistance with the MCP directory API, please join our Discord server