dep-guard-mcp
Uses the GitHub Advisory API to fetch known vulnerability data for dependencies.
Provides a reusable GitHub Action for scanning dependencies in CI/CD pipelines.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@dep-guard-mcpscan /path/to/project for vulnerabilities"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
Dep Guard MCP - Dependency Vulnerability Scanner
🔐 A fast, zero-config Model Context Protocol (MCP) server that scans Python, Node.js, Java/Spring, and PHP dependency manifests for known vulnerabilities.
Status: ⚡ Week 2 Complete
✅ All tests passing
✅ MCP server fully functional
✅ Ready for Claude Desktop integration
✅ Production-ready code
✅ Free GitHub Advisory integration
✅ CLI support for local and CI usage
Related MCP server: Dependency Checker MCP Server
Features
📦 Multi-Language Support:
Python (
requirements.txt,pyproject.toml)Node.js (
package.json)Java/Spring (
pom.xml,build.gradle,build.gradle.kts)PHP (
composer.json)
🎯 Zero Config: Automatic dependency discovery and scanning
⚡ Multi-source Advisories:
OSV API (free)
GitHub Advisory API (free public endpoint, optional
GITHUB_TOKENfor higher rate limits)
🔧 3 Core Tools:
scan_dependencies(target_path)- Scan a project for vulnerabilitieshealth_check()- Verify server statusget_supported_files()- List scannable formats
🎨 Clean Output: JSON-formatted vulnerability reports with severity levels
CLI Usage (Week 2)
# health check
dep-guard-scan health
# list supported files
dep-guard-scan supported-files
# scan and print JSON
dep-guard-scan scan /path/to/project
# scan and write report file
dep-guard-scan scan /path/to/project --output report.json
# fail CI if severity threshold is met
dep-guard-scan scan /path/to/project --fail-on-severity high
# disable GitHub advisories source
dep-guard-scan scan /path/to/project --no-github-advisoriesWeek 3 Launch Prep
GitHub Workflows
This repo now includes:
CI workflow:
.github/workflows/ci.ymlScheduled/manual security scan workflow:
.github/workflows/security-scan.yml
Reusable GitHub Action
You can use the local action in this repository:
- uses: ./
with:
target-path: "."
format: "json"
output: "dep-guard-report.json"
fail-on-severity: "high"You can also consume it from another repository using the major tag:
- uses: mdjahidanwar/dep-guard-mcp@v1
with:
target-path: "."
format: "json"
fail-on-severity: "high"VS Code Wrapper (Alpha)
An extension scaffold is available at vscode-extension/ with commands:
Dep Guard: Scan Workspace
Dep Guard: Health Check
Week 3 Completion Snapshot
CI/CD pipeline in place for push/PR checks
Scheduled security workflow in place
Release check workflow in place
Reusable GitHub Action available at repo root (
action.yml)VS Code extension scaffold available under
vscode-extension/Regression status:
7 passed
Week 4 Publishing Automation
This repo now includes release and publishing workflows:
.github/workflows/release.ymlfor GitHub releases and artifacts.github/workflows/publish-pypi.ymlfor PyPI publish on tags (v*).github/workflows/publish-vscode.ymlfor VS Code marketplace publish (manual)
Use MARKETPLACE_CHECKLIST.md as your launch checklist for Claude Registry, VS Code Marketplace, GitHub Action marketplace, and PyPI.
Beginner Publishing Guides
If you are starting from zero, follow these guides in order:
docs/marketplace/PUBLISH_VSCODE.mddocs/marketplace/PUBLISH_CLAUDE_MCP.mddocs/marketplace/PUBLISH_GITHUB_ACTION.md
Requirements
Python 3.12+ (pre-configured)
Virtual Environment (included)
Quick Start
1. Install & Run
# Virtual environment already created in .venv/
.venv/Scripts/activate
# Already installed, just run:
python -m dep_guard_mcp.main2. Use with Claude Desktop
Add to ~/.anthropic/models.json (Mac/Linux) or %APPDATA%\Claude\models.json (Windows):
{
"mcpServers": {
"dep-guard": {
"command": "d:/devops-issue-tracker/scanner/.venv/Scripts/python.exe",
"args": ["-m", "dep_guard_mcp.main"]
}
}
}Then in Claude Desktop, you'll have access to:
scan_dependencies- Analyze any project for CVEsExample: "Scan /path/to/my/project for vulnerabilities"
3. Test Locally
# Run all tests
pytest tests/ -v
# Test scanner on a specific directory
python -c "from dep_guard_mcp.main import scan_dependencies;
import json;
result = scan_dependencies('./test-project');
print(json.dumps(result, indent=2))"Usage Examples
Example 1: Health Check
from dep_guard_mcp.main import health_check
result = health_check()
# Output: {"status": "ok", "service": "dep-guard-mcp"}Example 2: Scan Python Project
from dep_guard_mcp.main import scan_dependencies
result = scan_dependencies('/path/to/my-python-app')
# Returns:
# {
# "ok": true,
# "dependencies_scanned": 15,
# "dependencies_with_vulns": 2,
# "vulnerability_count": 5,
# "findings": [...]
# }Example 3: List Supported Files
from dep_guard_mcp.main import get_supported_files
result = get_supported_files()
# Output:
# {
# "supported_files": ["requirements.txt", "package.json", ...],
# "description": "These are the file formats that can be scanned..."
# }Supported Dependency Files
Format | Language | Example |
| Python |
|
| Python | Modern Python packaging |
| Node.js | npm/yarn packages |
| Java/Spring | Maven dependencies |
| Java/Spring | Gradle string-based dependencies |
| Java/Spring | Kotlin DSL Gradle dependencies |
| PHP | Composer dependencies |
Project Structure
scanner/
├── src/dep_guard_mcp/
│ ├── __init__.py
│ ├── main.py # MCP entry point (3 tools)
│ ├── scanner.py # Dependency discovery logic
│ ├── advisories.py # Vulnerability lookup
│ └── server.py # Original server helpers
├── tests/
│ └── test_scanner.py # Unit tests (7/7 passing ✓)
├── .venv/ # Python 3.12 virtual environment
├── pyproject.toml # Project config & dependencies
├── README.md # This file
└── .github/
└── copilot-instructions.md # VS Code customizationTesting
# Run all tests
pytest tests/ -v
# Run specific test
pytest tests/test_scanner.py::test_supported_files -vDevelopment
Add a New Tool
Open
src/dep_guard_mcp/main.pyAdd function with
@mcp.tool()decorator:
@mcp.tool()
def my_new_tool(param: str) -> dict:
"""Tool description."""
return {"result": "data"}Run tests:
pytest tests/
Next Steps for Enhancement
Add NVD API integration (deeper CVE database)
Improve Gradle parser for variable-based versions
Improve Composer parser for complex version constraints
Create VS Code extension wrapper
Build GitHub Actions integration
Add webhook support (Slack, Teams integration)
Troubleshooting
Scanner returns "No supported files found"
Ensure your project has one of the supported dependency files
Check file is in the scanned directory
Import error when running
Activate virtual environment:
.venv/Scripts/activateReinstall package:
pip install -e .
Performance
Dependency discovery: < 100ms
Vulnerability lookup: < 1-2 seconds (depends on file count)
Supports projects with 100+ dependencies
Contributing
Contributions welcome! Areas to contribute:
Additional vulnerability data sources
Performance optimizations
Additional file format support
Documentation improvements
License
MIT - See LICENSE file for details
🚀 Ready to publish to Claude Registry and monetize? See the session notes for next steps!
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/mdjahidanwar/dep-guard-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server