Context Snipe
БесплатноНе проверенDeterministic dependency + CVE context for AI coding tools, over the Model Context Protocol. A ~0.85 MB pure-Rust MCP server.
Описание
Deterministic dependency + CVE context for AI coding tools, over the Model Context Protocol. A ~0.85 MB pure-Rust MCP server.
README
context-snipe
Your AI coding assistant doesn't know your dependencies.
It's guessing. This fixes that.
CI License: MIT GitHub release MCP
A ~1 MB pure-Rust binary that reads your lockfiles, cross-references every package against OSV.dev, and hands your AI a short, ranked, accurate vulnerability report — over the Model Context Protocol.
Works with: Claude Desktop · Cursor · Windsurf · VS Code · Zed · any MCP client
$ context-snipe scan .
context-snipe — vulnerability scan
Project: ./my-api
Scanned: 412 entries (388 unique packages) from Cargo.lock, package-lock.json
FOUND 3 advisories affecting 2 of 388 package(s):
lodash 4.17.11 [npm]
[CRIT] CVE-2019-10744 Prototype Pollution in lodash
[HIGH] CVE-2021-23337 Command Injection in lodash
minimatch 3.0.4 [npm]
[HIGH] CVE-2022-3517 minimatch ReDoS vulnerability
Source: OSV.dev — packages actually in your resolved dependency tree.
The problem
You ask Cursor or Claude: "Does my project have any security issues?"
It doesn't know your packages. It doesn't know your versions. It hallucinates an answer based on general knowledge — not your actual package-lock.json.
Your scanner (Dependabot, Snyk, whatever) floods you with 200 warnings, most of which don't apply to what you actually ship. You spend 45 minutes Googling CVEs that are irrelevant to your code.
context-snipe closes both gaps. It reads your resolved lockfiles (not your package.json — your actual installed packages), asks OSV.dev only about what you have, deduplicates the noise, ranks by real CVSS severity, and gives your AI a clean, accurate briefing it can actually reason about.
Install in 30 seconds
macOS / Linux — one line, picks the right binary for your platform:
curl -fsSL https://raw.githubusercontent.com/RP-Digital-Innovations/context-snipe/main/install.sh | sh
Windows (PowerShell):
irm https://raw.githubusercontent.com/RP-Digital-Innovations/context-snipe/main/install.ps1 | iex
Rust users — from crates.io:
cargo install context-snipe # build from source
cargo binstall context-snipe # or grab the prebuilt binary, no compile
Manual download
Grab the binary for your platform from the latest release:
| Platform | Asset |
|---|---|
| macOS (Apple Silicon) | context-snipe-aarch64-apple-darwin |
| macOS (Intel) | context-snipe-x86_64-apple-darwin |
| Linux x86_64 | context-snipe-x86_64-linux |
| Linux ARM64 | context-snipe-aarch64-linux |
| Windows x86_64 | context-snipe-x86_64-pc-windows.exe |
chmod +x it and move it onto your PATH.
Verify:
context-snipe --version
Add to your AI tool (60 seconds)
Claude Desktop
Add to ~/Library/Application Support/Claude/claude_desktop_config.json (macOS) or %APPDATA%\Claude\claude_desktop_config.json (Windows):
{
"mcpServers": {
"context-snipe": {
"command": "context-snipe",
"args": ["serve"]
}
}
}
Cursor
Add to ~/.cursor/mcp.json:
{
"mcpServers": {
"context-snipe": {
"command": "context-snipe",
"args": ["serve"]
}
}
}
Windsurf
Add to ~/.codeium/windsurf/mcp_config.json:
{
"mcpServers": {
"context-snipe": {
"command": "context-snipe",
"args": ["serve"]
}
}
}
Restart your editor. Then ask your AI: "Check this project for vulnerable dependencies."
What your AI can now do
| MCP Tool | What it does |
|---|---|
scan_dependencies |
Lists every resolved package in your project (name, version, ecosystem) |
check_vulnerabilities |
Cross-references your packages against OSV.dev — returns only advisories that affect what you actually have installed |
Your AI goes from guessing to knowing. In one tool call.
Supported ecosystems
| Ecosystem | Resolved lockfile (preferred) | Fallback |
|---|---|---|
| Rust | Cargo.lock |
— |
| npm | pnpm-lock.yaml, yarn.lock, package-lock.json v1–v3 |
package.json |
| Python | poetry.lock, uv.lock |
requirements.txt (pinned ==) |
| Go | go.sum |
go.mod |
How it compares
| context-snipe | Dependabot | Snyk | socket.dev | |
|---|---|---|---|---|
| MCP native — AI gets the results directly | ✅ | ❌ | ❌ | ❌ |
| Reads resolved lockfiles (not just manifests) | ✅ | ✅ | ✅ | ✅ |
| 100% local — nothing leaves your machine | ✅ | ❌ | ❌ | ❌ |
| No account, no signup, no API key | ✅ | ❌ | ❌ | ❌ |
| Binary size | ~1 MB | N/A | 200 MB+ | N/A |
| Free, open source | ✅ | ✅ | Partial | Partial |
CLI usage
context-snipe scan [PATH] # vulnerability report (defaults to current dir)
context-snipe deps [PATH] # list the full resolved dependency tree
context-snipe serve # start the MCP server over stdio
context-snipe --help
A note on honesty
context-snipe tells you which vulnerable packages are present in your resolved dependency tree. It does not perform call-graph reachability analysis. Presence is not proof of exploitability — the vulnerable function may not be reachable in your code. The tool says so in its own output, by design.
No tool that runs in seconds can tell you a CVE is definitely not exploitable. We won't pretend otherwise.
How it works
- MCP engine — hand-rolled JSON-RPC 2.0 over stdio.
initialize,tools/list,tools/call,ping. stdout is the protocol channel; all diagnostics go to stderr. - Lockfile parsers — TOML for Cargo, JSON for npm, custom parsers for pnpm/yarn, line parsers for requirements.txt and Go modules.
- OSV client — one
querybatchcall filters the full tree to packages with advisories, then a focusedqueryper hit pulls details. CVSS v3.x base scores computed from vector strings. Duplicate advisories sharing a CVE are merged. - TLS via rustls — pure-Rust, no OpenSSL, no system crypto dependency. Works identically on Windows, macOS, and musl Linux.
Build from source
cargo build --release
# Binary at: target/release/context-snipe
Requires stable Rust. The release profile statically links the CRT — the binary is fully self-contained.
Roadmap
- GitHub App — post CVE diffs on pull requests (shows what a PR introduces)
- Policy layer — configurable CI failure thresholds per severity
- More ecosystems — Ruby (Gemfile.lock), PHP (composer.lock), Java (pom.xml)
Contributing
PRs welcome. The codebase is ~1,000 lines of Rust split across:
src/
main.rs — CLI entry, mode routing
mcp.rs — JSON-RPC / MCP server
deps.rs — lockfile parsers
osv.rs — OSV.dev client + CVSS scoring
scan.rs — orchestration + report formatting
http.rs — ureq + rustls HTTP agent
Good first issues: adding a new lockfile format, improving CVSS display, adding output formats (JSON, SARIF).
License
MIT — free forever. No telemetry. No accounts. No cloud.
Установка Context Snipe
У этого сервера нет опубликованного пакета — он собирается из исходников. Открой репозиторий и следуй инструкции в README.
▸ github.com/RP-Digital-Innovations/context-snipeFAQ
Context Snipe MCP бесплатный?
Да, Context Snipe MCP бесплатный — установка в пару кликов через Unyly без оплаты.
Нужен ли API-ключ для Context Snipe?
Нет, Context Snipe работает без API-ключей и переменных окружения.
Context Snipe — hosted или self-hosted?
Self-hosted: сервер запускается локально на твоей машине командой из раздела установки.
Как установить Context Snipe в Claude Desktop, Claude Code или Cursor?
Открой Context Snipe на unyly.org, выбери вкладку своего клиента (Claude Desktop, Claude Code, Cursor) и нажми Install — конфиг сгенерируется автоматически, без правки JSON.
Похожие MCP
Fetch
Web content fetching and conversion for efficient LLM usage.
AWS KB Retrieval
Retrieval from AWS Knowledge Base using Bedrock Agent Runtime.
автор: modelcontextprotocolSpring AI MCP Server
Provides auto-configuration for setting up an MCP server in Spring Boot applications.
llm-analysis-assistant
A very streamlined mcp client that supports calling and monitoring stdio/sse/streamableHttp, and can also view request responses through the /logs page. It also
автор: xuzexin-hzCompare Context Snipe with
Не уверен что выбрать?
Найди свой стек за 60 секунд
Автор?
Embed-бейдж для README
Похожее
Все в категории ai
