Dep Guard
FreeNot checkedScans Python, Node.js, Java/Spring, and PHP dependency manifests for known vulnerabilities using OSV and GitHub Advisory APIs.
About
Scans Python, Node.js, Java/Spring, and PHP dependency manifests for known vulnerabilities using OSV and GitHub Advisory APIs.
README
🔐 A fast, zero-config Model Context Protocol (MCP) server that scans Python, Node.js, Java/Spring, and PHP dependency manifests for known vulnerabilities.
Status: ⚡ Week 2 Complete
- ✅ All tests passing
- ✅ MCP server fully functional
- ✅ Ready for Claude Desktop integration
- ✅ Production-ready code
- ✅ Free GitHub Advisory integration
- ✅ CLI support for local and CI usage
Features
- 📦 Multi-Language Support:
- Python (
requirements.txt,pyproject.toml) - Node.js (
package.json) - Java/Spring (
pom.xml,build.gradle,build.gradle.kts) - PHP (
composer.json)
- Python (
- 🎯 Zero Config: Automatic dependency discovery and scanning
- ⚡ Multi-source Advisories:
- OSV API (free)
- GitHub Advisory API (free public endpoint, optional
GITHUB_TOKENfor higher rate limits)
- 🔧 3 Core Tools:
scan_dependencies(target_path)- Scan a project for vulnerabilitieshealth_check()- Verify server statusget_supported_files()- List scannable formats
- 🎨 Clean Output: JSON-formatted vulnerability reports with severity levels
CLI Usage (Week 2)
# health check
dep-guard-scan health
# list supported files
dep-guard-scan supported-files
# scan and print JSON
dep-guard-scan scan /path/to/project
# scan and write report file
dep-guard-scan scan /path/to/project --output report.json
# fail CI if severity threshold is met
dep-guard-scan scan /path/to/project --fail-on-severity high
# disable GitHub advisories source
dep-guard-scan scan /path/to/project --no-github-advisories
Week 3 Launch Prep
GitHub Workflows
This repo now includes:
- CI workflow:
.github/workflows/ci.yml - Scheduled/manual security scan workflow:
.github/workflows/security-scan.yml
Reusable GitHub Action
You can use the local action in this repository:
- uses: ./
with:
target-path: "."
format: "json"
output: "dep-guard-report.json"
fail-on-severity: "high"
You can also consume it from another repository using the major tag:
- uses: mdjahidanwar/dep-guard-mcp@v1
with:
target-path: "."
format: "json"
fail-on-severity: "high"
VS Code Wrapper (Alpha)
An extension scaffold is available at vscode-extension/ with commands:
- Dep Guard: Scan Workspace
- Dep Guard: Health Check
Week 3 Completion Snapshot
- CI/CD pipeline in place for push/PR checks
- Scheduled security workflow in place
- Release check workflow in place
- Reusable GitHub Action available at repo root (
action.yml) - VS Code extension scaffold available under
vscode-extension/ - Regression status:
7 passed
Week 4 Publishing Automation
This repo now includes release and publishing workflows:
.github/workflows/release.ymlfor GitHub releases and artifacts.github/workflows/publish-pypi.ymlfor PyPI publish on tags (v*).github/workflows/publish-vscode.ymlfor VS Code marketplace publish (manual)
Use MARKETPLACE_CHECKLIST.md as your launch checklist for Claude Registry, VS Code Marketplace, GitHub Action marketplace, and PyPI.
Beginner Publishing Guides
If you are starting from zero, follow these guides in order:
docs/marketplace/PUBLISH_VSCODE.mddocs/marketplace/PUBLISH_CLAUDE_MCP.mddocs/marketplace/PUBLISH_GITHUB_ACTION.md
Requirements
- Python 3.12+ (pre-configured)
- Virtual Environment (included)
Quick Start
1. Install & Run
# Virtual environment already created in .venv/
.venv/Scripts/activate
# Already installed, just run:
python -m dep_guard_mcp.main
2. Use with Claude Desktop
Add to ~/.anthropic/models.json (Mac/Linux) or %APPDATA%\Claude\models.json (Windows):
{
"mcpServers": {
"dep-guard": {
"command": "d:/devops-issue-tracker/scanner/.venv/Scripts/python.exe",
"args": ["-m", "dep_guard_mcp.main"]
}
}
}
Then in Claude Desktop, you'll have access to:
scan_dependencies- Analyze any project for CVEs- Example: "Scan /path/to/my/project for vulnerabilities"
3. Test Locally
# Run all tests
pytest tests/ -v
# Test scanner on a specific directory
python -c "from dep_guard_mcp.main import scan_dependencies;
import json;
result = scan_dependencies('./test-project');
print(json.dumps(result, indent=2))"
Usage Examples
Example 1: Health Check
from dep_guard_mcp.main import health_check
result = health_check()
# Output: {"status": "ok", "service": "dep-guard-mcp"}
Example 2: Scan Python Project
from dep_guard_mcp.main import scan_dependencies
result = scan_dependencies('/path/to/my-python-app')
# Returns:
# {
# "ok": true,
# "dependencies_scanned": 15,
# "dependencies_with_vulns": 2,
# "vulnerability_count": 5,
# "findings": [...]
# }
Example 3: List Supported Files
from dep_guard_mcp.main import get_supported_files
result = get_supported_files()
# Output:
# {
# "supported_files": ["requirements.txt", "package.json", ...],
# "description": "These are the file formats that can be scanned..."
# }
Supported Dependency Files
| Format | Language | Example |
|---|---|---|
requirements.txt |
Python | requests==2.25.1 |
pyproject.toml |
Python | Modern Python packaging |
package.json |
Node.js | npm/yarn packages |
pom.xml |
Java/Spring | Maven dependencies |
build.gradle |
Java/Spring | Gradle string-based dependencies |
build.gradle.kts |
Java/Spring | Kotlin DSL Gradle dependencies |
composer.json |
PHP | Composer dependencies |
Project Structure
scanner/
├── src/dep_guard_mcp/
│ ├── __init__.py
│ ├── main.py # MCP entry point (3 tools)
│ ├── scanner.py # Dependency discovery logic
│ ├── advisories.py # Vulnerability lookup
│ └── server.py # Original server helpers
├── tests/
│ └── test_scanner.py # Unit tests (7/7 passing ✓)
├── .venv/ # Python 3.12 virtual environment
├── pyproject.toml # Project config & dependencies
├── README.md # This file
└── .github/
└── copilot-instructions.md # VS Code customization
Testing
# Run all tests
pytest tests/ -v
# Run specific test
pytest tests/test_scanner.py::test_supported_files -v
Development
Add a New Tool
- Open
src/dep_guard_mcp/main.py - Add function with
@mcp.tool()decorator:
@mcp.tool()
def my_new_tool(param: str) -> dict:
"""Tool description."""
return {"result": "data"}
- Run tests:
pytest tests/
Next Steps for Enhancement
- Add NVD API integration (deeper CVE database)
- Improve Gradle parser for variable-based versions
- Improve Composer parser for complex version constraints
- Create VS Code extension wrapper
- Build GitHub Actions integration
- Add webhook support (Slack, Teams integration)
Troubleshooting
Scanner returns "No supported files found"
- Ensure your project has one of the supported dependency files
- Check file is in the scanned directory
Import error when running
- Activate virtual environment:
.venv/Scripts/activate - Reinstall package:
pip install -e .
Performance
- Dependency discovery: < 100ms
- Vulnerability lookup: < 1-2 seconds (depends on file count)
- Supports projects with 100+ dependencies
Contributing
Contributions welcome! Areas to contribute:
- Additional vulnerability data sources
- Performance optimizations
- Additional file format support
- Documentation improvements
License
MIT - See LICENSE file for details
🚀 Ready to publish to Claude Registry and monetize? See the session notes for next steps!
Install Dep Guard in Claude Desktop, Claude Code & Cursor
unyly install dep-guard-mcpInstalls into Claude Desktop, Claude Code, Cursor & VS Code — handles npx, uvx and build-from-source repos for you.
First time? Get the CLI: curl -fsSL https://unyly.org/install | sh
Or configure manually
Run in your terminal:
claude mcp add dep-guard-mcp -- uvx dep-guard-mcpFAQ
Is Dep Guard MCP free?
Yes, Dep Guard MCP is free — one-click install via Unyly at no cost.
Does Dep Guard need an API key?
No, Dep Guard runs without API keys or environment variables.
Is Dep Guard hosted or self-hosted?
Self-hosted: the server runs locally on your machine via the install command above.
How do I install Dep Guard in Claude Desktop, Claude Code or Cursor?
Open Dep Guard on unyly.org, pick your client tab (Claude Desktop, Claude Code, Cursor) and press Install — the config is generated automatically, no JSON editing.
Related MCPs
GitHub
PRs, issues, code search, CI status
by GitHubFilesystem
Secure file operations with configurable access controls.
Memory
Knowledge graph-based persistent memory system.
Template MCP Server
A CLI tool to create a new Model Context Protocol server project with TypeScript support, dual transport options, and an extensible structure
by mcpdotdirectCompare Dep Guard with
Not sure what to pick?
Find your stack in 60 seconds
Author?
Embed badge for your README
Browse similar
All development MCPs
