Skip to main content
Glama

Aigent.ly

License: Apache 2.0 MCP Compatible Daily CI Stacks Sources

๐Ÿ†• Catalog doubles to 12 stacks. Django, Rails, Go, iOS, and Android graduate to launch โ€” alongside a brand-new AI / LLM Apps stack covering LangChain, LlamaIndex, Hugging Face transformers, vLLM, and Ollama. Plus EPSS exploit-probability scoring on every CVE. Read the launch post โ†’

The open-source CVE catalog, pipeline, and MCP server behind aigent.ly. Every day, CI ingests fresh CVEs from six public threat sources, enriches them with AI-generated coding patterns, and commits ready-to-use security rules directly into this repo โ€” formatted for Cursor, Claude Code, Windsurf, GitHub Copilot, and Cline.

12 stacks ยท 6 sources ยท daily CI ยท MCP-native ยท Apache 2.0 ยท 0 keys required to consume.


How it works

CVE published  โ†’  pipeline detects it  โ†’  Claude generates safe-code patterns
    โ†’  rule committed to this repo  โ†’  your IDE enforces it while you type

AI coding assistants write production code fast. They don't know which CVEs landed last week, or how to write around them. Aigent.ly bridges that gap: it turns a live CVE feed into IDE rules that travel with your project, enforced at generation time โ€” not discovered at audit time.

Why it exists

  • AI assistants don't know which CVEs landed last week.

  • SAST catches issues at audit time. Aigent.ly catches them at generation time.

  • Free, open data. Private, paid product. The security boundary is by design.


Related MCP server: VSGuard MCP

Quick start

No API keys needed to consume. CI commits fresh snapshots daily โ€” point your IDE at the MCP server and you're done.

Add to your IDE's MCP config โ€” works with Claude Code, Cursor, Windsurf, Copilot, and Cline:

{
  "mcpServers": {
    "aigently": {
      "command": "npx",
      "args": ["-y", "@aigently/mcp-server@latest"]
    }
  }
}

The MCP server reads static JSON from packages/catalog-data/ โ€” no database, no API keys, no setup.

Available MCP tools

Tool

Description

Returns EPSS?

get_security_context

Detect your stack and return relevant rules and top CVEs

โœ…

compose_guardrail

Generate an IDE-ready rules file for your stack

โ€“

search_threats

Full-text and faceted CVE search; ranks by KEV โ†’ severity โ†’ EPSS

โœ…

get_threat

Full CVE detail with AI-generated safe-code patterns

โœ…

detect_project_stack

Identify stack(s) from a file list

โ€“

list_stacks

Enumerate all 12 supported stacks

โ€“

get_manifest

Catalog version + counts

โ€“


๐Ÿ›ก What's covered

Stacks (12)

#

Stack

Ecosystem

Family

Status

1

Next.js

npm

owasp_web

live

2

Express / Node.js

npm

owasp_web

live

3

FastAPI / Python

PyPI

owasp_web

live

4

NestJS

npm

owasp_web

live

5

Nuxt

npm

owasp_web

live

6

React SPA

npm

owasp_web

live

7

Django

PyPI

owasp_web

๐Ÿ†• NOW LIVE

8

Ruby on Rails

RubyGems

owasp_web

๐Ÿ†• NOW LIVE

9

Go

Go

owasp_web

๐Ÿ†• NOW LIVE

10

iOS / Swift

SwiftURL

owasp_web

๐Ÿ†• NOW LIVE

11

Android / Kotlin

Maven

owasp_web

๐Ÿ†• NOW LIVE

12

AI / LLM Apps

PyPI

owasp_llm

โœจ NEW

To add a stack: open packages/mvp-catalog/src/stack-registry.ts, add a StackConfig entry (set family: "owasp_llm" for AI-application stacks; default is owasp_web), and open a PR.

Sources (6)

Source

Role

Auth

Rate limit (free)

NVD (NIST)

Authoritative CVE registry. Backfills CVSS scores and CWE IDs.

Optional API key

5 req/30s (50 with key)

CISA KEV

Actively-exploited CVEs. Sets isActivelyExploited as the hard prioritization signal.

None

Static feed

GHSA (GitHub)

Advisories across npm, PyPI, RubyGems, Maven, Go, Swift.

Bearer token

5,000 req/hr

OSV (Google)

Per-package vulnerabilities, scoped to packages your stacks declare.

None

No published limit

npm Audit

Direct package advisory scan per stack. Catches advisories not yet in OSV/GHSA.

None

No published limit

EPSS (FIRST.org)

๐Ÿ†• Daily-updated exploit-probability score (0โ€“1) per CVE.

None

1,000 req/min


๐Ÿšฆ How threats are prioritized

Every threat in the catalog carries multiple ranking signals so the MCP layer can surface the CVEs that actually matter:

final_rank =  isActivelyExploited (CISA KEV)        โ† ground truth: it's being exploited NOW
           +  severity (CVSS bucket)                 โ† classic theoretical severity
           +  epssScore โ‰ฅ 0.5  (+1) / โ‰ฅ 0.9 (+2)    โ† prediction: how likely 30-day exploitation
           +  family match (owasp_web | owasp_llm)   โ† keep LLM threats from polluting web rankings
           +  intent overlap (auth/inject/csrf/rag)  โ† what the developer is actually doing

EPSS is the difference between "CVSS 9.8 โ€” patch in the next sprint" and "CVSS 9.8 with EPSS 0.94 โ€” drop everything." We expose both.


๐Ÿง  AI / LLM stack

The ai-llm stack ingests CVEs against the AI application toolchain and classifies them against the OWASP LLM Top 10 instead of the Web Top 10:

Watched packages: langchain, langchain-community, langchain-core, llama-index, llama-index-core, llama-cpp-python, transformers, huggingface_hub, vllm, gradio, ollama, anthropic, openai, pydantic-ai, crewai, autogen-agentchat, dspy-ai.

OWASP LLM mapping (excerpt โ€” see pipeline/scripts/lib/normalise.ts):

OWASP LLM

Common CWEs

Example

LLM01 โ€” Prompt Injection

CWE-20 / 77 / 78 / 94 / 1321

Untrusted retrieval context concatenated into the system prompt

LLM02 โ€” Insecure Output / SSRF

CWE-200 / 918

Tool-calling agent fetches arbitrary internal URLs from a crafted prompt

LLM05 โ€” Supply Chain

CWE-116 / 502

Untrusted model checkpoint deserialization

LLM06 โ€” Sensitive Info / Authz

CWE-284 / 285

Embeddings store leaks training-data secrets

Threats from this stack flow through a dedicated LLM-aware prompt in amplify-threats.ts so guardrails are framed in LLM vocabulary (NEVER concatenate retrieved context into the system prompt without delimiters) rather than web vocabulary.


Threat intelligence pipeline

Pipeline stages

Daily CI run (GitHub Actions, 06:00 UTC)

  Phase 0     CISA KEV map + stack registry preflight
  Phase 1โ€“3   npm Audit + OSV + GHSA โ†’ raw advisories
  Phase 5     deduplicate (source-priority based)
  Phase 4a    EPSS exploit-probability enrichment    โ† NEW (batched, 50 CVEs/req)
  Phase 4     NVD: backfill CVSS & CWE for low-confidence rows
  Phase 6โ€“8   upsert threats + per-stack mapping + mitigation flags
  Phase 9     close sync log

  Amplify     Claude: 2โ€“4 ALWAYS/NEVER patterns per CVE (family-aware prompt)
  Summarize   Claude: cluster CVEs into per-stack rule docs
  Synthesize  Claude: merge into pre-built guardrail blocks (patterns + deps)
  Export      write JSON snapshots to packages/catalog-data/
  Commit      auto-push catalog-data/ to this repo

Path

Contents

packages/catalog-data/

Live threat snapshots โ€” JSON committed daily by CI

packages/mcp-server/

MCP server (@aigently/mcp-server) โ€” exposes catalog to AI agents

packages/db/

Drizzle schema shared between the pipeline and the web app

packages/mvp-catalog/

Stack registry โ€” add a stack entry here to onboard it

packages/api-client/

TypeScript client generated from the OpenAPI spec

pipeline/scripts/

sync, amplify, summarize, synthesize, export โ€” the full pipeline

pipeline/scripts/lib/sources/

One file per data source (NVD, OSV, GHSA, npm-audit, CISA KEV, EPSS)

.github/workflows/sync-threats.yml

Daily CI: ingest CVEs โ†’ AI guardrails โ†’ commit


Run the pipeline locally

git clone https://github.com/aelbuni/aigently-catalog
cd aigently-catalog
npm install

cp pipeline/.env.example pipeline/.env   # default DATABASE_URL matches docker-compose
npm run db:setup                         # start Postgres, migrate, seed
# pipeline/.env โ€” keys you need only when running the pipeline yourself:
ANTHROPIC_API_KEY=...   # required for amplify, summarize, synthesize
GITHUB_TOKEN=...        # required for GHSA source
NVD_API_KEY=...         # optional โ€” increases NVD rate limit 10ร—
# EPSS requires no key.

npm run sync:threats           # ingest CVEs from all six sources
npm run amplify:threats        # Claude: ALWAYS/NEVER patterns per CVE (family-aware)
npm run summarize:rules        # Claude: cluster into per-stack rule docs
npm run synthesize:guardrails  # Claude: pre-build guardrail blocks
npm run export:catalog         # write JSON to packages/catalog-data/

Scripts

Script

Purpose

npm run db:up

Start Postgres via Docker Compose

npm run db:setup

First-time setup: start Postgres + migrate + seed

npm run db:migrate

Apply Drizzle migrations

npm run db:seed

Full catalog seed

npm run db:seed:upsert

Non-destructive upsert

npm run sync:threats

Ingest CVEs from all six sources

npm run amplify:threats

AI-generate patterns for new threats

npm run summarize:rules

AI-cluster CVEs into rule summaries

npm run synthesize:guardrails

Pre-build per-stack guardrail blocks

npm run export:catalog

Export DB โ†’ packages/catalog-data/ JSON

Environment variables

Variable

Required

Purpose

DATABASE_URL

Always

Postgres connection string

ANTHROPIC_API_KEY

AI steps

Claude API access

GITHUB_TOKEN

Sync

GitHub advisory source (GHSA)

NVD_API_KEY

Optional

10ร— NVD rate limit

STACK_FILTER

Optional

Limit a sync run to one stack slug (e.g. ai-llm)

DRY_RUN

Optional

Enrich + dedup without writing to DB

Prerequisites

  • Node.js 22+

  • Docker (for local Postgres)

  • Anthropic API key (AI pipeline steps only)


๐Ÿ—บ Roadmap

Already shipped: 12 stacks ยท 6 sources ยท EPSS-ranked prioritization ยท family-aware (web + LLM) amplifier prompts.

Next on deck (PRs welcome):

  • PoC / exploit-availability detection โ€” GitHub + Exploit-DB + Nuclei templates

  • Vendor advisories โ€” MSRC + Red Hat + Ubuntu (for base-image / OS-level CVEs)

  • STIX 2.1 export โ€” for SIEM ingestion

  • KEV / EPSS watchlist webhooks โ€” alert when a CVE in your detected stack moves into KEV or above an EPSS threshold

  • Spring Boot, Laravel, .NET stacks โ€” open to contribution


Contributing

PRs are welcome. The highest-value contributions are:

See CONTRIBUTING.md for full guidelines.


License

Apache 2.0 โ€” threat data sourced from public domain (NVD, CISA KEV, GHSA, OSV, EPSS).

"We open-sourced everything the community needs โ€” the data, the pipeline, the stack registry. The web app that runs aigent.ly is private. Because a security product should practice what it preaches."

Aigent.ly and the Aigent.ly logo are trademarks of Aigently, Inc.

F
license - not found
-
quality - not tested
B
maintenance

Maintenance

โ€“Maintainers
โ€“Response time
โ€“Release cycle
โ€“Releases (12mo)
Commit activity

Resources

Unclaimed servers have limited discoverability.

Looking for Admin?

If you are the server author, to access and configure the admin panel.

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/aelbuni/aigently-catalog'

If you have feedback or need assistance with the MCP directory API, please join our Discord server