aigently
Provides GitHub Copilot with CVE-based security context and dependency advisories to enforce safe-coding rules.
๐ Catalog doubles to 12 stacks. Django, Rails, Go, iOS, and Android graduate to launch โ alongside a brand-new AI / LLM Apps stack covering LangChain, LlamaIndex, Hugging Face transformers, vLLM, and Ollama. Plus EPSS exploit-probability scoring on every CVE. Read the launch post โ
The open-source CVE catalog, pipeline, and MCP server behind aigent.ly. Every day, CI ingests fresh CVEs from six public threat sources, enriches them with AI-generated coding patterns, and commits ready-to-use security rules directly into this repo โ formatted for Cursor, Claude Code, Windsurf, GitHub Copilot, and Cline.
12 stacks ยท 6 sources ยท daily CI ยท MCP-native ยท Apache 2.0 ยท 0 keys required to consume.
How it works
CVE published โ pipeline detects it โ Claude generates safe-code patterns
โ rule committed to this repo โ your IDE enforces it while you typeAI coding assistants write production code fast. They don't know which CVEs landed last week, or how to write around them. Aigent.ly bridges that gap: it turns a live CVE feed into IDE rules that travel with your project, enforced at generation time โ not discovered at audit time.
Why it exists
AI assistants don't know which CVEs landed last week.
SAST catches issues at audit time. Aigent.ly catches them at generation time.
Free, open data. Private, paid product. The security boundary is by design.
Related MCP server: VSGuard MCP
Quick start
No API keys needed to consume. CI commits fresh snapshots daily โ point your IDE at the MCP server and you're done.
Use via MCP (recommended)
Add to your IDE's MCP config โ works with Claude Code, Cursor, Windsurf, Copilot, and Cline:
{
"mcpServers": {
"aigently": {
"command": "npx",
"args": ["-y", "@aigently/mcp-server@latest"]
}
}
}The MCP server reads static JSON from packages/catalog-data/ โ no database, no API keys, no setup.
Available MCP tools
Tool | Description | Returns EPSS? |
| Detect your stack and return relevant rules and top CVEs | โ |
| Generate an IDE-ready rules file for your stack | โ |
| Full-text and faceted CVE search; ranks by KEV โ severity โ EPSS | โ |
| Full CVE detail with AI-generated safe-code patterns | โ |
| Identify stack(s) from a file list | โ |
| Enumerate all 12 supported stacks | โ |
| Catalog version + counts | โ |
๐ก What's covered
Stacks (12)
# | Stack | Ecosystem | Family | Status |
1 | Next.js | npm | owasp_web | live |
2 | Express / Node.js | npm | owasp_web | live |
3 | FastAPI / Python | PyPI | owasp_web | live |
4 | NestJS | npm | owasp_web | live |
5 | Nuxt | npm | owasp_web | live |
6 | React SPA | npm | owasp_web | live |
7 | Django | PyPI | owasp_web | ๐ NOW LIVE |
8 | Ruby on Rails | RubyGems | owasp_web | ๐ NOW LIVE |
9 | Go | Go | owasp_web | ๐ NOW LIVE |
10 | iOS / Swift | SwiftURL | owasp_web | ๐ NOW LIVE |
11 | Android / Kotlin | Maven | owasp_web | ๐ NOW LIVE |
12 | AI / LLM Apps | PyPI | owasp_llm | โจ NEW |
To add a stack: open packages/mvp-catalog/src/stack-registry.ts, add a StackConfig entry (set family: "owasp_llm" for AI-application stacks; default is owasp_web), and open a PR.
Sources (6)
Source | Role | Auth | Rate limit (free) |
NVD (NIST) | Authoritative CVE registry. Backfills CVSS scores and CWE IDs. | Optional API key | 5 req/30s (50 with key) |
CISA KEV | Actively-exploited CVEs. Sets | None | Static feed |
GHSA (GitHub) | Advisories across npm, PyPI, RubyGems, Maven, Go, Swift. |
| 5,000 req/hr |
OSV (Google) | Per-package vulnerabilities, scoped to packages your stacks declare. | None | No published limit |
npm Audit | Direct package advisory scan per stack. Catches advisories not yet in OSV/GHSA. | None | No published limit |
EPSS (FIRST.org) | ๐ Daily-updated exploit-probability score (0โ1) per CVE. | None | 1,000 req/min |
๐ฆ How threats are prioritized
Every threat in the catalog carries multiple ranking signals so the MCP layer can surface the CVEs that actually matter:
final_rank = isActivelyExploited (CISA KEV) โ ground truth: it's being exploited NOW
+ severity (CVSS bucket) โ classic theoretical severity
+ epssScore โฅ 0.5 (+1) / โฅ 0.9 (+2) โ prediction: how likely 30-day exploitation
+ family match (owasp_web | owasp_llm) โ keep LLM threats from polluting web rankings
+ intent overlap (auth/inject/csrf/rag) โ what the developer is actually doingEPSS is the difference between "CVSS 9.8 โ patch in the next sprint" and "CVSS 9.8 with EPSS 0.94 โ drop everything." We expose both.
๐ง AI / LLM stack
The ai-llm stack ingests CVEs against the AI application toolchain and classifies them against the OWASP LLM Top 10 instead of the Web Top 10:
Watched packages: langchain, langchain-community, langchain-core, llama-index, llama-index-core, llama-cpp-python, transformers, huggingface_hub, vllm, gradio, ollama, anthropic, openai, pydantic-ai, crewai, autogen-agentchat, dspy-ai.
OWASP LLM mapping (excerpt โ see pipeline/scripts/lib/normalise.ts):
OWASP LLM | Common CWEs | Example |
LLM01 โ Prompt Injection | CWE-20 / 77 / 78 / 94 / 1321 | Untrusted retrieval context concatenated into the system prompt |
LLM02 โ Insecure Output / SSRF | CWE-200 / 918 | Tool-calling agent fetches arbitrary internal URLs from a crafted prompt |
LLM05 โ Supply Chain | CWE-116 / 502 | Untrusted model checkpoint deserialization |
LLM06 โ Sensitive Info / Authz | CWE-284 / 285 | Embeddings store leaks training-data secrets |
Threats from this stack flow through a dedicated LLM-aware prompt in amplify-threats.ts so guardrails are framed in LLM vocabulary (NEVER concatenate retrieved context into the system prompt without delimiters) rather than web vocabulary.
Threat intelligence pipeline
Pipeline stages
Daily CI run (GitHub Actions, 06:00 UTC)
Phase 0 CISA KEV map + stack registry preflight
Phase 1โ3 npm Audit + OSV + GHSA โ raw advisories
Phase 5 deduplicate (source-priority based)
Phase 4a EPSS exploit-probability enrichment โ NEW (batched, 50 CVEs/req)
Phase 4 NVD: backfill CVSS & CWE for low-confidence rows
Phase 6โ8 upsert threats + per-stack mapping + mitigation flags
Phase 9 close sync log
Amplify Claude: 2โ4 ALWAYS/NEVER patterns per CVE (family-aware prompt)
Summarize Claude: cluster CVEs into per-stack rule docs
Synthesize Claude: merge into pre-built guardrail blocks (patterns + deps)
Export write JSON snapshots to packages/catalog-data/
Commit auto-push catalog-data/ to this repoPath | Contents |
Live threat snapshots โ JSON committed daily by CI | |
MCP server ( | |
Drizzle schema shared between the pipeline and the web app | |
Stack registry โ add a stack entry here to onboard it | |
TypeScript client generated from the OpenAPI spec | |
| |
One file per data source (NVD, OSV, GHSA, npm-audit, CISA KEV, EPSS) | |
Daily CI: ingest CVEs โ AI guardrails โ commit |
Run the pipeline locally
git clone https://github.com/aelbuni/aigently-catalog
cd aigently-catalog
npm install
cp pipeline/.env.example pipeline/.env # default DATABASE_URL matches docker-compose
npm run db:setup # start Postgres, migrate, seed# pipeline/.env โ keys you need only when running the pipeline yourself:
ANTHROPIC_API_KEY=... # required for amplify, summarize, synthesize
GITHUB_TOKEN=... # required for GHSA source
NVD_API_KEY=... # optional โ increases NVD rate limit 10ร
# EPSS requires no key.
npm run sync:threats # ingest CVEs from all six sources
npm run amplify:threats # Claude: ALWAYS/NEVER patterns per CVE (family-aware)
npm run summarize:rules # Claude: cluster into per-stack rule docs
npm run synthesize:guardrails # Claude: pre-build guardrail blocks
npm run export:catalog # write JSON to packages/catalog-data/Scripts
Script | Purpose |
| Start Postgres via Docker Compose |
| First-time setup: start Postgres + migrate + seed |
| Apply Drizzle migrations |
| Full catalog seed |
| Non-destructive upsert |
| Ingest CVEs from all six sources |
| AI-generate patterns for new threats |
| AI-cluster CVEs into rule summaries |
| Pre-build per-stack guardrail blocks |
| Export DB โ |
Environment variables
Variable | Required | Purpose |
| Always | Postgres connection string |
| AI steps | Claude API access |
| Sync | GitHub advisory source (GHSA) |
| Optional | 10ร NVD rate limit |
| Optional | Limit a sync run to one stack slug (e.g. |
| Optional | Enrich + dedup without writing to DB |
Prerequisites
Node.js 22+
Docker (for local Postgres)
Anthropic API key (AI pipeline steps only)
๐บ Roadmap
Already shipped: 12 stacks ยท 6 sources ยท EPSS-ranked prioritization ยท family-aware (web + LLM) amplifier prompts.
Next on deck (PRs welcome):
PoC / exploit-availability detection โ GitHub + Exploit-DB + Nuclei templates
Vendor advisories โ MSRC + Red Hat + Ubuntu (for base-image / OS-level CVEs)
STIX 2.1 export โ for SIEM ingestion
KEV / EPSS watchlist webhooks โ alert when a CVE in your detected stack moves into KEV or above an EPSS threshold
Spring Boot, Laravel, .NET stacks โ open to contribution
Contributing
PRs are welcome. The highest-value contributions are:
New stacks โ add to
packages/mvp-catalog/src/stack-registry.ts(setfamily: "owasp_llm"for AI/LLM stacks)CVE curation โ improve
mustLines,ruleContext, oralwaysPininpackages/catalog-data/seed-master.jsonPattern quality โ open an issue if an
ALWAYS/NEVERline is wrong or too genericNew threat sources โ add a module under
pipeline/scripts/lib/sources/
See CONTRIBUTING.md for full guidelines.
License
Apache 2.0 โ threat data sourced from public domain (NVD, CISA KEV, GHSA, OSV, EPSS).
"We open-sourced everything the community needs โ the data, the pipeline, the stack registry. The web app that runs aigent.ly is private. Because a security product should practice what it preaches."
Aigent.ly and the Aigent.ly logo are trademarks of Aigently, Inc.
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/aelbuni/aigently-catalog'
If you have feedback or need assistance with the MCP directory API, please join our Discord server