Skip to main content
Glama

Dep Guard MCP - Dependency Vulnerability Scanner

🔐 A fast, zero-config Model Context Protocol (MCP) server that scans Python, Node.js, Java/Spring, and PHP dependency manifests for known vulnerabilities.

Status: ⚡ Week 2 Complete

  • ✅ All tests passing

  • ✅ MCP server fully functional

  • ✅ Ready for Claude Desktop integration

  • ✅ Production-ready code

  • ✅ Free GitHub Advisory integration

  • ✅ CLI support for local and CI usage

CI Security Scan Release

Related MCP server: Dependency Checker MCP Server

Features

  • 📦 Multi-Language Support:

    • Python (requirements.txt, pyproject.toml)

    • Node.js (package.json)

    • Java/Spring (pom.xml, build.gradle, build.gradle.kts)

    • PHP (composer.json)

  • 🎯 Zero Config: Automatic dependency discovery and scanning

  • Multi-source Advisories:

    • OSV API (free)

    • GitHub Advisory API (free public endpoint, optional GITHUB_TOKEN for higher rate limits)

  • 🔧 3 Core Tools:

    • scan_dependencies(target_path) - Scan a project for vulnerabilities

    • health_check() - Verify server status

    • get_supported_files() - List scannable formats

  • 🎨 Clean Output: JSON-formatted vulnerability reports with severity levels

CLI Usage (Week 2)

# health check
dep-guard-scan health

# list supported files
dep-guard-scan supported-files

# scan and print JSON
dep-guard-scan scan /path/to/project

# scan and write report file
dep-guard-scan scan /path/to/project --output report.json

# fail CI if severity threshold is met
dep-guard-scan scan /path/to/project --fail-on-severity high

# disable GitHub advisories source
dep-guard-scan scan /path/to/project --no-github-advisories

Week 3 Launch Prep

GitHub Workflows

This repo now includes:

  • CI workflow: .github/workflows/ci.yml

  • Scheduled/manual security scan workflow: .github/workflows/security-scan.yml

Reusable GitHub Action

You can use the local action in this repository:

- uses: ./
  with:
    target-path: "."
    format: "json"
    output: "dep-guard-report.json"
    fail-on-severity: "high"

You can also consume it from another repository using the major tag:

- uses: mdjahidanwar/dep-guard-mcp@v1
  with:
    target-path: "."
    format: "json"
    fail-on-severity: "high"

VS Code Wrapper (Alpha)

An extension scaffold is available at vscode-extension/ with commands:

  • Dep Guard: Scan Workspace

  • Dep Guard: Health Check

Week 3 Completion Snapshot

  • CI/CD pipeline in place for push/PR checks

  • Scheduled security workflow in place

  • Release check workflow in place

  • Reusable GitHub Action available at repo root (action.yml)

  • VS Code extension scaffold available under vscode-extension/

  • Regression status: 7 passed

Week 4 Publishing Automation

This repo now includes release and publishing workflows:

  • .github/workflows/release.yml for GitHub releases and artifacts

  • .github/workflows/publish-pypi.yml for PyPI publish on tags (v*)

  • .github/workflows/publish-vscode.yml for VS Code marketplace publish (manual)

Use MARKETPLACE_CHECKLIST.md as your launch checklist for Claude Registry, VS Code Marketplace, GitHub Action marketplace, and PyPI.

Beginner Publishing Guides

If you are starting from zero, follow these guides in order:

  1. docs/marketplace/PUBLISH_VSCODE.md

  2. docs/marketplace/PUBLISH_CLAUDE_MCP.md

  3. docs/marketplace/PUBLISH_GITHUB_ACTION.md

Requirements

  • Python 3.12+ (pre-configured)

  • Virtual Environment (included)

Quick Start

1. Install & Run

# Virtual environment already created in .venv/
.venv/Scripts/activate

# Already installed, just run:
python -m dep_guard_mcp.main

2. Use with Claude Desktop

Add to ~/.anthropic/models.json (Mac/Linux) or %APPDATA%\Claude\models.json (Windows):

{
  "mcpServers": {
    "dep-guard": {
      "command": "d:/devops-issue-tracker/scanner/.venv/Scripts/python.exe",
      "args": ["-m", "dep_guard_mcp.main"]
    }
  }
}

Then in Claude Desktop, you'll have access to:

  • scan_dependencies - Analyze any project for CVEs

  • Example: "Scan /path/to/my/project for vulnerabilities"

3. Test Locally

# Run all tests
pytest tests/ -v

# Test scanner on a specific directory
python -c "from dep_guard_mcp.main import scan_dependencies; 
import json; 
result = scan_dependencies('./test-project'); 
print(json.dumps(result, indent=2))"

Usage Examples

Example 1: Health Check

from dep_guard_mcp.main import health_check
result = health_check()
# Output: {"status": "ok", "service": "dep-guard-mcp"}

Example 2: Scan Python Project

from dep_guard_mcp.main import scan_dependencies
result = scan_dependencies('/path/to/my-python-app')
# Returns:
# {
#   "ok": true,
#   "dependencies_scanned": 15,
#   "dependencies_with_vulns": 2,
#   "vulnerability_count": 5,
#   "findings": [...]
# }

Example 3: List Supported Files

from dep_guard_mcp.main import get_supported_files
result = get_supported_files()
# Output:
# {
#   "supported_files": ["requirements.txt", "package.json", ...],
#   "description": "These are the file formats that can be scanned..."
# }

Supported Dependency Files

Format

Language

Example

requirements.txt

Python

requests==2.25.1

pyproject.toml

Python

Modern Python packaging

package.json

Node.js

npm/yarn packages

pom.xml

Java/Spring

Maven dependencies

build.gradle

Java/Spring

Gradle string-based dependencies

build.gradle.kts

Java/Spring

Kotlin DSL Gradle dependencies

composer.json

PHP

Composer dependencies

Project Structure

scanner/
├── src/dep_guard_mcp/
│   ├── __init__.py
│   ├── main.py              # MCP entry point (3 tools)
│   ├── scanner.py           # Dependency discovery logic
│   ├── advisories.py        # Vulnerability lookup
│   └── server.py            # Original server helpers
├── tests/
│   └── test_scanner.py      # Unit tests (7/7 passing ✓)
├── .venv/                   # Python 3.12 virtual environment
├── pyproject.toml           # Project config & dependencies
├── README.md                # This file
└── .github/
    └── copilot-instructions.md  # VS Code customization

Testing

# Run all tests
pytest tests/ -v

# Run specific test
pytest tests/test_scanner.py::test_supported_files -v

Development

Add a New Tool

  1. Open src/dep_guard_mcp/main.py

  2. Add function with @mcp.tool() decorator:

@mcp.tool()
def my_new_tool(param: str) -> dict:
    """Tool description."""
    return {"result": "data"}
  1. Run tests: pytest tests/

Next Steps for Enhancement

  • Add NVD API integration (deeper CVE database)

  • Improve Gradle parser for variable-based versions

  • Improve Composer parser for complex version constraints

  • Create VS Code extension wrapper

  • Build GitHub Actions integration

  • Add webhook support (Slack, Teams integration)

Troubleshooting

Scanner returns "No supported files found"

  • Ensure your project has one of the supported dependency files

  • Check file is in the scanned directory

Import error when running

  • Activate virtual environment: .venv/Scripts/activate

  • Reinstall package: pip install -e .

Performance

  • Dependency discovery: < 100ms

  • Vulnerability lookup: < 1-2 seconds (depends on file count)

  • Supports projects with 100+ dependencies

Contributing

Contributions welcome! Areas to contribute:

  • Additional vulnerability data sources

  • Performance optimizations

  • Additional file format support

  • Documentation improvements

License

MIT - See LICENSE file for details


🚀 Ready to publish to Claude Registry and monetize? See the session notes for next steps!

F
license - not found
-
quality - not tested
C
maintenance

Maintenance

Maintainers
Response time
0dRelease cycle
3Releases (12mo)
Commit activity

Resources

Unclaimed servers have limited discoverability.

Looking for Admin?

If you are the server author, to access and configure the admin panel.

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/mdjahidanwar/dep-guard-mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server