Dep Guard
БесплатноНе проверенScans Python, Node.js, Java/Spring, and PHP dependency manifests for known vulnerabilities using OSV and GitHub Advisory APIs.
Описание
Scans Python, Node.js, Java/Spring, and PHP dependency manifests for known vulnerabilities using OSV and GitHub Advisory APIs.
README
🔐 A fast, zero-config Model Context Protocol (MCP) server that scans Python, Node.js, Java/Spring, and PHP dependency manifests for known vulnerabilities.
Status: ⚡ Week 2 Complete
- ✅ All tests passing
- ✅ MCP server fully functional
- ✅ Ready for Claude Desktop integration
- ✅ Production-ready code
- ✅ Free GitHub Advisory integration
- ✅ CLI support for local and CI usage
Features
- 📦 Multi-Language Support:
- Python (
requirements.txt,pyproject.toml) - Node.js (
package.json) - Java/Spring (
pom.xml,build.gradle,build.gradle.kts) - PHP (
composer.json)
- Python (
- 🎯 Zero Config: Automatic dependency discovery and scanning
- ⚡ Multi-source Advisories:
- OSV API (free)
- GitHub Advisory API (free public endpoint, optional
GITHUB_TOKENfor higher rate limits)
- 🔧 3 Core Tools:
scan_dependencies(target_path)- Scan a project for vulnerabilitieshealth_check()- Verify server statusget_supported_files()- List scannable formats
- 🎨 Clean Output: JSON-formatted vulnerability reports with severity levels
CLI Usage (Week 2)
# health check
dep-guard-scan health
# list supported files
dep-guard-scan supported-files
# scan and print JSON
dep-guard-scan scan /path/to/project
# scan and write report file
dep-guard-scan scan /path/to/project --output report.json
# fail CI if severity threshold is met
dep-guard-scan scan /path/to/project --fail-on-severity high
# disable GitHub advisories source
dep-guard-scan scan /path/to/project --no-github-advisories
Week 3 Launch Prep
GitHub Workflows
This repo now includes:
- CI workflow:
.github/workflows/ci.yml - Scheduled/manual security scan workflow:
.github/workflows/security-scan.yml
Reusable GitHub Action
You can use the local action in this repository:
- uses: ./
with:
target-path: "."
format: "json"
output: "dep-guard-report.json"
fail-on-severity: "high"
You can also consume it from another repository using the major tag:
- uses: mdjahidanwar/dep-guard-mcp@v1
with:
target-path: "."
format: "json"
fail-on-severity: "high"
VS Code Wrapper (Alpha)
An extension scaffold is available at vscode-extension/ with commands:
- Dep Guard: Scan Workspace
- Dep Guard: Health Check
Week 3 Completion Snapshot
- CI/CD pipeline in place for push/PR checks
- Scheduled security workflow in place
- Release check workflow in place
- Reusable GitHub Action available at repo root (
action.yml) - VS Code extension scaffold available under
vscode-extension/ - Regression status:
7 passed
Week 4 Publishing Automation
This repo now includes release and publishing workflows:
.github/workflows/release.ymlfor GitHub releases and artifacts.github/workflows/publish-pypi.ymlfor PyPI publish on tags (v*).github/workflows/publish-vscode.ymlfor VS Code marketplace publish (manual)
Use MARKETPLACE_CHECKLIST.md as your launch checklist for Claude Registry, VS Code Marketplace, GitHub Action marketplace, and PyPI.
Beginner Publishing Guides
If you are starting from zero, follow these guides in order:
docs/marketplace/PUBLISH_VSCODE.mddocs/marketplace/PUBLISH_CLAUDE_MCP.mddocs/marketplace/PUBLISH_GITHUB_ACTION.md
Requirements
- Python 3.12+ (pre-configured)
- Virtual Environment (included)
Quick Start
1. Install & Run
# Virtual environment already created in .venv/
.venv/Scripts/activate
# Already installed, just run:
python -m dep_guard_mcp.main
2. Use with Claude Desktop
Add to ~/.anthropic/models.json (Mac/Linux) or %APPDATA%\Claude\models.json (Windows):
{
"mcpServers": {
"dep-guard": {
"command": "d:/devops-issue-tracker/scanner/.venv/Scripts/python.exe",
"args": ["-m", "dep_guard_mcp.main"]
}
}
}
Then in Claude Desktop, you'll have access to:
scan_dependencies- Analyze any project for CVEs- Example: "Scan /path/to/my/project for vulnerabilities"
3. Test Locally
# Run all tests
pytest tests/ -v
# Test scanner on a specific directory
python -c "from dep_guard_mcp.main import scan_dependencies;
import json;
result = scan_dependencies('./test-project');
print(json.dumps(result, indent=2))"
Usage Examples
Example 1: Health Check
from dep_guard_mcp.main import health_check
result = health_check()
# Output: {"status": "ok", "service": "dep-guard-mcp"}
Example 2: Scan Python Project
from dep_guard_mcp.main import scan_dependencies
result = scan_dependencies('/path/to/my-python-app')
# Returns:
# {
# "ok": true,
# "dependencies_scanned": 15,
# "dependencies_with_vulns": 2,
# "vulnerability_count": 5,
# "findings": [...]
# }
Example 3: List Supported Files
from dep_guard_mcp.main import get_supported_files
result = get_supported_files()
# Output:
# {
# "supported_files": ["requirements.txt", "package.json", ...],
# "description": "These are the file formats that can be scanned..."
# }
Supported Dependency Files
| Format | Language | Example |
|---|---|---|
requirements.txt |
Python | requests==2.25.1 |
pyproject.toml |
Python | Modern Python packaging |
package.json |
Node.js | npm/yarn packages |
pom.xml |
Java/Spring | Maven dependencies |
build.gradle |
Java/Spring | Gradle string-based dependencies |
build.gradle.kts |
Java/Spring | Kotlin DSL Gradle dependencies |
composer.json |
PHP | Composer dependencies |
Project Structure
scanner/
├── src/dep_guard_mcp/
│ ├── __init__.py
│ ├── main.py # MCP entry point (3 tools)
│ ├── scanner.py # Dependency discovery logic
│ ├── advisories.py # Vulnerability lookup
│ └── server.py # Original server helpers
├── tests/
│ └── test_scanner.py # Unit tests (7/7 passing ✓)
├── .venv/ # Python 3.12 virtual environment
├── pyproject.toml # Project config & dependencies
├── README.md # This file
└── .github/
└── copilot-instructions.md # VS Code customization
Testing
# Run all tests
pytest tests/ -v
# Run specific test
pytest tests/test_scanner.py::test_supported_files -v
Development
Add a New Tool
- Open
src/dep_guard_mcp/main.py - Add function with
@mcp.tool()decorator:
@mcp.tool()
def my_new_tool(param: str) -> dict:
"""Tool description."""
return {"result": "data"}
- Run tests:
pytest tests/
Next Steps for Enhancement
- Add NVD API integration (deeper CVE database)
- Improve Gradle parser for variable-based versions
- Improve Composer parser for complex version constraints
- Create VS Code extension wrapper
- Build GitHub Actions integration
- Add webhook support (Slack, Teams integration)
Troubleshooting
Scanner returns "No supported files found"
- Ensure your project has one of the supported dependency files
- Check file is in the scanned directory
Import error when running
- Activate virtual environment:
.venv/Scripts/activate - Reinstall package:
pip install -e .
Performance
- Dependency discovery: < 100ms
- Vulnerability lookup: < 1-2 seconds (depends on file count)
- Supports projects with 100+ dependencies
Contributing
Contributions welcome! Areas to contribute:
- Additional vulnerability data sources
- Performance optimizations
- Additional file format support
- Documentation improvements
License
MIT - See LICENSE file for details
🚀 Ready to publish to Claude Registry and monetize? See the session notes for next steps!
Установка Dep Guard
У этого сервера нет опубликованного пакета — он собирается из исходников. Открой репозиторий и следуй инструкции в README.
▸ github.com/mdjahidanwar/dep-guard-mcpFAQ
Dep Guard MCP бесплатный?
Да, Dep Guard MCP бесплатный — установка в пару кликов через Unyly без оплаты.
Нужен ли API-ключ для Dep Guard?
Нет, Dep Guard работает без API-ключей и переменных окружения.
Dep Guard — hosted или self-hosted?
Self-hosted: сервер запускается локально на твоей машине командой из раздела установки.
Как установить Dep Guard в Claude Desktop, Claude Code или Cursor?
Открой Dep Guard на unyly.org, выбери вкладку своего клиента (Claude Desktop, Claude Code, Cursor) и нажми Install — конфиг сгенерируется автоматически, без правки JSON.
Похожие MCP
GitHub
PRs, issues, code search, CI status
автор: GitHubFilesystem
Secure file operations with configurable access controls.
Memory
Knowledge graph-based persistent memory system.
Template MCP Server
A CLI tool to create a new Model Context Protocol server project with TypeScript support, dual transport options, and an extensible structure
автор: mcpdotdirectCompare Dep Guard with
Не уверен что выбрать?
Найди свой стек за 60 секунд
Автор?
Embed-бейдж для README
Похожее
Все в категории development
