Attestd
БесплатноНе проверенCVE and supply chain checks for MCP clients. Covers infrastructure, PyPI, and npm packages.
Описание
CVE and supply chain checks for MCP clients. Covers infrastructure, PyPI, and npm packages.
README
Attestd checks whether a dependency version has exploitable CVEs or a confirmed supply-chain compromise. One API call returns a structured risk response.
Official Model Context Protocol (MCP) server for Attestd. Exposes CVE risk and supply-chain checks as tools for Claude Code, Claude Desktop, and any MCP-compatible client.
Get a free API key · Full docs
- stdio transport: run via
npx -y @attestd/mcpwith no global install. check_package_vulnerability: wraps GET /v1/check using @attestd/sdk.check_batch_vulnerabilities: checks up to 100 packages in one call. Use for lockfile and manifest audits.list_covered_products: returns Attestd-covered products. With an API key, returns live data fromGET /v1/products. Without a key, returns the static bundled infrastructure list.get_cve_details: returns CVSS, EPSS, KEV status, and affected products for a single CVE id.
Prerequisites
- Node.js 18+
- An Attestd API key from the portal. Required for
check_package_vulnerability,check_batch_vulnerabilities,get_cve_details, and livelist_covered_products.
Claude Code / MCP config
Add to ~/.claude/mcp.json or project .mcp.json:
{
"mcpServers": {
"attestd": {
"command": "npx",
"args": ["-y", "@attestd/mcp"],
"env": {
"ATTESTD_API_KEY": "your-api-key-here"
}
}
}
}
Optional: override the API base URL (e.g. dev):
"env": {
"ATTESTD_API_KEY": "your-api-key-here",
"ATTESTD_BASE_URL": "https://dev.api.attestd.io"
}
Tools
check_package_vulnerability
| Argument | Type | Description |
|---|---|---|
product |
string | Product slug (nginx, postgresql, litellm, …) |
version |
string | Exact version (1.20.0) |
Returns JSON with:
| Field | Meaning |
|---|---|
outsideCoverage |
true if the product is not covered. Unknown risk, not safe. |
riskState |
critical | high | elevated | low | none | null when outside coverage |
activelyExploited |
CISA KEV signal |
remoteExploitable |
true if any matching CVE is remotely exploitable |
authenticationRequired |
true only when all matching CVEs require authentication |
patchAvailable / fixedVersion |
Patch guidance |
confidence |
Synthesis confidence 0.0–1.0 |
cveIds |
CVE IDs contributing to the risk assessment |
typosquat |
Package name integrity: typosquat or AI-hallucinated name (kind, resembles, likely_intended) |
message |
Explanation when outsideCoverage is true |
supplyChainCompromised / supplyChainDescription |
PyPI/npm supply-chain signal |
On invalid/missing API key or rate limit, returns isError: true with a JSON error string.
check_batch_vulnerabilities
| Argument | Type | Description |
|---|---|---|
items |
array | Array of { product, version } objects. Maximum 100 per call. Each item costs one API call. |
Quota is checked upfront. If the batch would exceed your monthly quota, a 429 is returned before any calls are billed.
Returns JSON with count and results. Supported items include the same fields as check_package_vulnerability minus typosquat. Outside-coverage items return only product, version, outsideCoverage: true, and riskState: null.
list_covered_products
No arguments. With an API key, returns live JSON from GET /v1/products:
| Field | Meaning |
|---|---|
source |
"live" when fetched from the API |
total |
Combined count of CVE products and supply chain packages |
cveProducts |
CVE infrastructure slugs with display names |
supplyChainPackages |
Monitored PyPI/npm packages |
Without an API key, returns the static bundled list:
| Field | Meaning |
|---|---|
source |
"static" |
count |
Number of bundled infrastructure products |
products |
Array of { slug, display } entries |
get_cve_details
| Argument | Type | Description |
|---|---|---|
cve_id |
string | CVE identifier, e.g. CVE-2021-44228 |
Returns JSON with:
| Field | Meaning |
|---|---|
found |
true when the CVE is in Attestd's database; false on 404 (not an error) |
cveId |
CVE identifier |
description |
NVD description text |
cvssScore / cvssVector |
CVSS base score and vector |
activelyExploited |
CISA KEV signal |
remoteExploitable |
Remotely exploitable |
authenticationRequired |
Authentication required for exploitation |
affectedProducts |
Attestd product slugs affected by this CVE |
epssScore / epssPercentile |
EPSS probability and percentile |
sourcePublishedAt / lastCheckedAt |
ISO timestamps |
When the CVE is not found, returns { "found": false, "cveId": "..." } without isError. On invalid/missing API key or rate limit, returns isError: true with a JSON error string.
Verify locally
npm run build
echo '{"jsonrpc":"2.0","id":1,"method":"tools/list","params":{}}' | node dist/index.js
License
MIT. See LICENSE.
Установить Attestd в Claude Desktop, Claude Code, Cursor
unyly install attestd-mcpСтавит в Claude Desktop, Claude Code, Cursor и VS Code — сам разбирается с npx, uvx и сборкой из исходников.
Впервые? Поставь CLI: curl -fsSL https://unyly.org/install | sh
Или настроить вручную
Выполни в терминале:
claude mcp add attestd-mcp -- npx -y @attestd/mcpFAQ
Attestd MCP бесплатный?
Да, Attestd MCP бесплатный — установка в пару кликов через Unyly без оплаты.
Нужен ли API-ключ для Attestd?
Нет, Attestd работает без API-ключей и переменных окружения.
Attestd — hosted или self-hosted?
Self-hosted: сервер запускается локально на твоей машине командой из раздела установки.
Как установить Attestd в Claude Desktop, Claude Code или Cursor?
Открой Attestd на unyly.org, выбери вкладку своего клиента (Claude Desktop, Claude Code, Cursor) и нажми Install — конфиг сгенерируется автоматически, без правки JSON.
Похожие MCP
GitHub
PRs, issues, code search, CI status
автор: GitHubFilesystem
Secure file operations with configurable access controls.
Memory
Knowledge graph-based persistent memory system.
Template MCP Server
A CLI tool to create a new Model Context Protocol server project with TypeScript support, dual transport options, and an extensible structure
автор: mcpdotdirectCompare Attestd with
Не уверен что выбрать?
Найди свой стек за 60 секунд
Автор?
Embed-бейдж для README
Похожее
Все в категории development
