Skip to main content
Glama
andrasfe

VulniCheck

by andrasfe
OverviewSchemaRelated ServersScoreDiscussions
Python
Remote

VulniCheck - AI-Powered Security Scanner

VulniCheck provides comprehensive security analysis for Python projects and GitHub repositories using AI-powered vulnerability detection. It runs as a Docker-based HTTP MCP server with standard HTTP streaming (no SSE required), providing secure containerized deployment with comprehensive vulnerability scanning capabilities.

Quick Start

1. Pull and Run the Docker Container

# Pull the latest image from Docker Hub
docker pull andrasfe/vulnicheck:latest

# Run with OpenAI API key (for enhanced AI-powered risk assessment)
docker run -d --name vulnicheck-mcp -p 3000:3000 \
  --restart=unless-stopped \
  -e OPENAI_API_KEY=your-openai-api-key \
  andrasfe/vulnicheck:latest

# Or run without API key (basic vulnerability scanning)
docker run -d --name vulnicheck-mcp -p 3000:3000 \
  --restart=unless-stopped \
  andrasfe/vulnicheck:latest

2. Add to Claude Code

claude mcp add --transport http vulnicheck http://localhost:3000/mcp

That's it! VulniCheck is now available in Claude Code.

Related MCP server: Security Scanner MCP

Usage

Once installed, simply ask Claude:

"Run a comprehensive security check on my project"

"Scan https://github.com/owner/repo for vulnerabilities"

"Check my dependencies for security issues"

"Scan my Dockerfile for vulnerable packages"

VulniCheck will:

  • ✅ Scan dependencies for known vulnerabilities (requirements.txt, pyproject.toml, setup.py)

  • ✅ Detect exposed secrets and credentials

  • ✅ Analyze Dockerfiles for security issues

  • ✅ Validate MCP configurations

  • ✅ Generate AI-powered risk assessments

  • ✅ Provide actionable remediation recommendations

Key Features

  • Docker Deployment: Secure containerized deployment with HTTP streaming (no SSE/Server-Sent Events required)

  • Optional Authentication: Supports Google OAuth 2.0 for secure access control (disabled by default)

  • Production Ready: Scalable HTTP server architecture

  • Comprehensive Coverage: Queries 5+ vulnerability databases (OSV.dev, NVD, GitHub Advisory, CIRCL, Safety DB)

  • GitHub Integration: Scan any public/private GitHub repository directly (up to 1GB)

  • AI-Powered Analysis: Uses OpenAI/Anthropic APIs for intelligent security assessment

  • Secrets Detection: Finds exposed API keys, passwords, and credentials

  • Docker Security: Analyzes Dockerfiles for vulnerable dependencies

  • Smart Caching: Avoids redundant scans with commit-level caching

  • Space Management: Automatic cleanup prevents disk exhaustion (2GB total limit)

  • Zero Config: Works out of the box, enhanced with optional API keys

Available Tools

Tool

Description

check_package_vulnerabilities

Check a specific Python package for vulnerabilities

scan_dependencies

Scan dependency files (requirements.txt, pyproject.toml, etc.)

scan_installed_packages

Scan currently installed Python packages

get_cve_details

Get detailed information about a specific CVE

scan_for_secrets

Detect exposed secrets and credentials in code

scan_dockerfile

Analyze Dockerfiles for vulnerable Python dependencies

scan_github_repo

Comprehensive security scan of GitHub repositories

assess_operation_safety

AI-powered risk assessment for operations

validate_mcp_security

Validate MCP server security configurations

comprehensive_security_check

Interactive AI-powered security assessment

Optional API Keys

Enhance VulniCheck with API keys for better rate limits and AI features:

docker run -d --name vulnicheck-mcp -p 3000:3000 \
  --restart=unless-stopped \
  -e OPENAI_API_KEY=your-key \           # AI-powered risk assessment
  -e ANTHROPIC_API_KEY=your-key \        # Alternative AI provider
  -e GITHUB_TOKEN=your-token \           # Higher GitHub API rate limits
  -e NVD_API_KEY=your-key \              # Higher NVD rate limits
  andrasfe/vulnicheck:latest

Authentication (Optional)

VulniCheck supports optional Google OAuth 2.0 authentication for secure access control. By default, authentication is disabled.

Enabling Google OAuth

  1. Get Google OAuth Credentials:

    • Go to Google Cloud Console

    • Create a project and enable Google+ API

    • Create OAuth 2.0 credentials (Web application)

    • Add authorized redirect URI: http://localhost:3000/oauth/callback (or your domain)

  2. Configure Environment Variables:

    export FASTMCP_SERVER_AUTH_GOOGLE_CLIENT_ID="your-client-id.apps.googleusercontent.com"
export FASTMCP_SERVER_AUTH_GOOGLE_CLIENT_SECRET="GOCSPX-your-secret-here"
export FASTMCP_SERVER_BASE_URL="http://localhost:3000"

  3. Run with Authentication:

    docker run -d --name vulnicheck-mcp -p 3000:3000 \
  --restart=unless-stopped \
  -e FASTMCP_SERVER_AUTH_GOOGLE_CLIENT_ID=your-client-id \
  -e FASTMCP_SERVER_AUTH_GOOGLE_CLIENT_SECRET=your-secret \
  -e FASTMCP_SERVER_BASE_URL=http://localhost:3000 \
  -v vulnicheck_tokens:/home/vulnicheck/.vulnicheck/tokens \
  andrasfe/vulnicheck:latest \
  python -m vulnicheck.server --auth-mode google

  4. Using docker-compose: See docker-compose.auth-example.yml for a complete configuration example.

Note: OAuth tokens are persisted in /home/vulnicheck/.vulnicheck/tokens. Use a Docker volume to persist tokens across container restarts.

⚠️ Known OAuth Limitations

FastMCP OAuth + HTTP Transport Incompatibility

Due to a limitation in FastMCP 2.12.4, OAuth authentication does not work properly with HTTP transport (streamable-http). The authorization endpoints (/oauth/authorize, /oauth/callback) are not correctly mounted, resulting in 404 errors.

When OAuth Works:

  • ✅ Local connections (when supported in future FastMCP versions)

  • ✅ OAuth discovery endpoint works (/.well-known/oauth-protected-resource)

When OAuth Does NOT Work:

  • ❌ HTTP transport with external clients (ChatGPT, Claude Desktop, etc.)

  • ❌ Authorization endpoints return 404

  • ❌ Token exchange fails

Workaround for External Clients (ChatGPT, etc.):

Run VulniCheck without authentication when accessing through ngrok or other public URLs:

# Start without OAuth (recommended for external clients)
docker run -d --name vulnicheck-mcp -p 3000:3000 \
  --restart=unless-stopped \
  andrasfe/vulnicheck:latest

# Then configure ngrok
ngrok http 3000

In your MCP client (ChatGPT, etc.):

  • URL: https://your-ngrok-url.ngrok-free.dev/mcp

  • Authentication: None

Security Considerations:

  • ✅ Traffic is encrypted via HTTPS (ngrok)

  • ⚠️ No authentication - anyone with URL can access

  • 💡 ngrok free URLs change on restart (security through obscurity)

  • 🔒 For production, use ngrok paid tier with password protection or IP whitelisting

Future Resolution: This limitation will be resolved when:

  1. FastMCP fixes OAuth + HTTP transport support, OR

  2. Alternative authentication mechanisms are implemented

Using with ngrok

Quick Start (No OAuth):

# 1. Start VulniCheck
docker run -d --name vulnicheck-mcp -p 3000:3000 \
  --restart=unless-stopped \
  andrasfe/vulnicheck:latest

# 2. Start ngrok
ngrok http 3000

# 3. Use the ngrok URL in your MCP client
# URL: https://your-generated-url.ngrok-free.dev/mcp
# Authentication: None

Optional OAuth Script (Experimental - OAuth Not Functional):

A convenience script restart-vulnicheck-ngrok.sh is provided for testing OAuth, but OAuth does not currently work due to FastMCP limitations:

# Copy the example environment file
cp .env.example .env

# Edit .env and add your credentials
GOOGLE_CLIENT_ID=your-client-id.apps.googleusercontent.com
GOOGLE_CLIENT_SECRET=GOCSPX-your-secret-here
NGROK_URL=https://your-ngrok-url.ngrok-free.dev

# Run the script (OAuth will not work)
./restart-vulnicheck-ngrok.sh

Note: The script is provided for future use when FastMCP OAuth + HTTP transport is fixed. Currently, always run without OAuth for external clients.

Building from Source

# Clone the repository
git clone https://github.com/andrasfe/vulnicheck.git
cd vulnicheck

# Build Docker image
docker build -t vulnicheck .

# Run locally built image (no auth)
docker run -d --name vulnicheck-mcp -p 3000:3000 --restart=unless-stopped vulnicheck

# Run with Google OAuth
docker run -d --name vulnicheck-mcp -p 3000:3000 \
  --restart=unless-stopped \
  -e FASTMCP_SERVER_AUTH_GOOGLE_CLIENT_ID=your-client-id \
  -e FASTMCP_SERVER_AUTH_GOOGLE_CLIENT_SECRET=your-secret \
  -e FASTMCP_SERVER_BASE_URL=http://localhost:3000 \
  -v vulnicheck_tokens:/home/vulnicheck/.vulnicheck/tokens \
  vulnicheck \
  python -m vulnicheck.server --auth-mode google

Docker Hub

The official Docker image is available at:

Requirements

  • Docker

  • Claude Code or any MCP client with HTTP transport support (standard HTTP, no SSE required)

  • Optional: API keys for enhanced features

Supported File Types

  • Dependencies: requirements.txt, pyproject.toml, setup.py, lock files

  • Containers: Dockerfile, docker-compose.yml

  • Secrets: All text-based source files

  • GitHub: Any public or private repository URL

Support

DISCLAIMER: Vulnerability data provided "AS IS" without warranty. Users are responsible for verification and remediation.

This server cannot be installed

A
license - permissive license
-
quality - not tested
F
maintenance

How are these scores calculated?

Maintenance

Maintainers
Response time
Release cycle
Releases (12mo)
Commit activity

Resources

Unclaimed servers have limited discoverability.

Looking for Admin?

If you are the server author, to access and configure the admin panel.

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/andrasfe/vulnicheck'

If you have feedback or need assistance with the MCP directory API, please join our Discord server