Command Palette

Search for a command to run...

UnylyUnyly
Весь каталог

Supply Chain Server

БесплатноНе проверен

Unifies 21 supply chain security data sources into a single MCP server, enabling AI agents to perform comprehensive package audits, vulnerability checks, proven

GitHubEmbed

Описание

Unifies 21 supply chain security data sources into a single MCP server, enabling AI agents to perform comprehensive package audits, vulnerability checks, provenance verification, and risk assessment across multiple ecosystems.

README

English | 简体中文 | 繁體中文 | 한국어 | Deutsch | Español | Français | Italiano | Dansk | 日本語 | Polski | Русский | Bosanski | العربية | Norsk | Português (Brasil) | ไทย | Türkçe | Українська | বাংলা | Ελληνικά | Tiếng Việt | हिन्दी


supply-chain-mcp-server

Supply chain security intelligence for AI agents.

OSV, GHSA, NVD, EPSS, CISA KEV, npm, PyPI, crates.io, RubyGems, NuGet, Packagist, Go, deps.dev, Scorecard, Libraries.io, ClearlyDefined, Rekor, Repology, typosquatting detection — unified into a single MCP server.
Your AI agent gets full-spectrum supply chain intelligence on demand, not 21 browser tabs and manual correlation.


The ProblemHow It's DifferentQuick StartWhat The AI Can DoTools (7 + 90)Data SourcesArchitectureChangelogContributing

npm License Bun MCP 7 Composite Tools 21 Sources

supply-chain-mcp-server demo


The Problem

Supply chain security intelligence is the missing layer in modern software development. Vulnerability databases, package registries, provenance verification, exploit prediction scoring, license compliance, security scorecards, typosquatting detection — the data you need is scattered across dozens of platforms, each with its own API, its own auth, its own rate limits, its own output format. Today you check OSV in one tab, NVD in another, pull up npm advisories, check EPSS scores on FIRST.org, verify Sigstore provenance in yet another tab, look up OpenSSF Scorecard, cross-reference CISA KEV, and then spend an hour manually piecing it all together.

Traditional supply chain security workflow:
  check vulnerabilities            ->  OSV + NVD + GitHub Advisories (3 separate UIs)
  assess exploit likelihood        ->  EPSS scores (separate API)
  check active exploitation        ->  CISA KEV catalog (separate JSON feed)
  verify package provenance        ->  Sigstore/Rekor + npm attestations (multiple CLIs)
  check security practices         ->  OpenSSF Scorecard + Best Practices Badge (2 UIs)
  audit dependencies               ->  deps.dev + Libraries.io (2 more UIs)
  check registry metadata          ->  npm + PyPI + crates.io + Go (4 registries)
  check for typosquatting          ->  manual name comparison (error-prone)
  verify license compliance        ->  ClearlyDefined (another UI)
  check distro packaging           ->  Repology (yet another UI)
  ────────────────────────────────
  Total: 45+ minutes per package audit, most of it switching contexts

supply-chain-mcp-server gives your AI agent 7 composite tools (orchestrating 90 techniques internally) across 21 data sources via the Model Context Protocol. The agent calls a single tool like vuln_scan or package_info, which automatically fans out to the right techniques in parallel, correlates vulnerability data with exploit predictions, verifies provenance, checks security posture, and presents a unified supply chain risk assessment — in a single conversation.

With supply-chain-mcp-server:
  You: "Audit the security posture of the express npm package"

  Agent: -> vuln_scan(mode:"package", ecosystem:"npm", name:"express")
            internally runs: osv_query + ghsa_package + epss_batch + kev_lookup
         -> package_info(ecosystem:"npm", name:"express", version:"4.21.2")
            internally runs: npm_package + npm_downloads + npm_maintainers + npm_scripts + npm_provenance
         -> quality(mode:"scorecard", owner:"expressjs", repo:"express")
            internally runs: scorecard_repo
         -> "express has a strong security posture. 2 known vulns but
            neither actively exploited (not in KEV). High EPSS on one
            CVE warrants patching priority. Provenance verified via
            Sigstore. OpenSSF Scorecard 8.2/10."

How It's Different

Existing tools give you raw data one source at a time. supply-chain-mcp-server gives your AI agent the ability to reason across vulnerability, provenance, and package intelligence simultaneously.

Traditional Approach supply-chain-mcp-server
Interface 21 different web UIs, CLIs, and APIs MCP — AI agent calls tools conversationally
Vulnerability data Check OSV, NVD, GHSA separately Agent queries all 3 + EPSS + KEV in parallel
Package registries npm, PyPI, crates.io, Go, RubyGems, NuGet, Packagist separately 7 ecosystems in one server — agent picks the right one
Provenance Manual Sigstore/Rekor verification, npm attestation checks Agent checks npm provenance + Rekor log + attestation bundles
License compliance Manual ClearlyDefined lookups, one package at a time Agent resolves licenses across ecosystems with batch support
Security posture OpenSSF Scorecard + Best Practices Badge separately Agent combines Scorecard + Badge + deps.dev + Libraries.io SourceRank
Typosquatting Manual name comparison, easy to miss Built-in Levenshtein + confusable character detection
API keys Required for most platforms 18 of 21 sources work free — API keys unlock higher rate limits
Setup Install multiple tools, manage each config npx supply-chain-mcp-server — one command, zero config

Quick Start

Option 1: npx (no install)

npx supply-chain-mcp-server

7 composite tools (90 techniques) work immediately. No API keys required for most data sources — 18 of 21 sources are fully free.

Option 2: Clone

git clone https://github.com/badchars/supply-chain-mcp-server.git
cd supply-chain-mcp-server
bun install

Environment variables (optional)

export GITHUB_TOKEN=your-token        # GHSA + Scorecard higher rate limits
export LIBRARIES_API_KEY=your-key     # Required for Libraries.io tools
export NVD_API_KEY=your-key           # 50 req/30s vs 5 req/30s without key

All API keys are optional. Without them, you still get 6 of 7 composite tools fully operational — only Libraries.io (within dep_tree) requires an API key.

Connect to your AI agent

Claude Code
# With npx
claude mcp add supply-chain-mcp-server -- npx supply-chain-mcp-server

# With local clone
claude mcp add supply-chain-mcp-server -- bun run /path/to/supply-chain-mcp-server/src/index.ts
Claude Desktop

Add to ~/Library/Application Support/Claude/claude_desktop_config.json:

{
  "mcpServers": {
    "supply-chain": {
      "command": "npx",
      "args": ["-y", "supply-chain-mcp-server"],
      "env": {
        "GITHUB_TOKEN": "optional",
        "LIBRARIES_API_KEY": "optional",
        "NVD_API_KEY": "optional"
      }
    }
  }
}
Cursor / Windsurf / other MCP clients

Same JSON config format. Point the command to npx supply-chain-mcp-server or your local installation path.

Start querying

You: "Check if [email protected] has any known vulnerabilities and verify its provenance"

That's it. The agent handles vulnerability lookups, EPSS scoring, KEV checks, provenance verification, and more automatically.


What The AI Can Do

Full Package Audit

You: "Do a complete security audit of the lodash npm package"

Agent: -> vuln_scan {mode: "package", ecosystem: "npm", name: "lodash"}
          ↳ osv_query + ghsa_package + epss_batch + kev_lookup (parallel)
       -> package_info {ecosystem: "npm", name: "lodash", version: "4.17.21"}
          ↳ npm_package + npm_downloads + npm_maintainers + npm_scripts + npm_provenance + npm_attestations + npm_audit_bulk (parallel)
       -> quality {mode: "scorecard", owner: "lodash", repo: "lodash"}
          ↳ scorecard_repo
       -> license {mode: "lookup", type: "npm", name: "lodash", version: "4.17.21"}
          ↳ license_lookup
       -> "[email protected] security audit:
          Vulnerabilities: 3 historical (all fixed in 4.17.21),
          including prototype pollution CVE-2020-8203.
          Provenance: No Sigstore attestation (published pre-provenance era).
          OpenSSF Scorecard: 6.1/10 — no branch protection, no fuzzing.
          Dependencies: Zero runtime deps (self-contained).
          License: MIT (ClearlyDefined confirmed).
          Lifecycle scripts: None — clean.
          Recommendation: Safe to use at latest version. Consider
          migrating to lodash-es for tree-shaking."

Vulnerability Triage

You: "Triage CVE-2024-3094 — how urgent is this?"

Agent: -> vuln_scan {mode: "cve", cve_id: "CVE-2024-3094"}
          ↳ nvd_cve + osv_id + ghsa_id + epss_score + kev_lookup (parallel)
       -> "CVE-2024-3094 (xz-utils backdoor):
          CVSS: 10.0 Critical — backdoor in xz-utils 5.6.0/5.6.1
          EPSS: 0.95 (99th percentile) — extremely likely to be exploited
          CISA KEV: YES — actively exploited, deadline March 2024
          Affects: xz-utils/liblzma on Linux (sshd via systemd)
          This is CRITICAL. Immediate action required:
          1. Downgrade xz-utils to 5.4.x or remove 5.6.0/5.6.1
          2. Check all systems for affected versions
          3. This was a sophisticated supply chain attack via
             a compromised maintainer."

Dependency Risk Assessment

You: "Assess the supply chain risk of adding fastapi to our Python project"

Agent: -> package_info {ecosystem: "pypi", name: "fastapi"}
          ↳ pypi_package + pypi_releases + pypi_maintainers (parallel)
       -> vuln_scan {mode: "package", ecosystem: "PyPI", name: "fastapi"}
          ↳ osv_query + ghsa_package + epss + kev (parallel)
       -> dep_tree {mode: "dependencies", ecosystem: "pypi", name: "fastapi", version: "0.115.0"}
          ↳ deps_dependencies + deps_requirements + libraries_deps (parallel)
       -> quality {mode: "full", owner: "tiangolo", repo: "fastapi", repo_url: "https://github.com/tiangolo/fastapi"}
          ↳ scorecard_repo + badge_by_repo (parallel)
       -> security_check {mode: "typosquat", name: "fastapi", ecosystem: "pypi"}
          ↳ typosquat_check
       -> "fastapi supply chain risk assessment:
          Vulnerabilities: 1 low-severity (fixed in latest).
          Dependencies: 5 direct (starlette, pydantic, etc.), 23 transitive.
          OpenSSF Scorecard: 7.4/10 — good CI/CD, signed releases.
          Maintainer: single primary maintainer (tiangolo).
          Typosquatting: 'fast-api' and 'fastapi2' exist — verify
          you're installing the correct package.
          Risk: LOW. Well-maintained, active community, good security
          practices. Single-maintainer risk is mitigated by strong
          automation and community oversight."

Typosquatting Detection

You: "I'm about to install 'reqeusts' from PyPI — is this safe?"

Agent: -> security_check {mode: "typosquat", name: "reqeusts", ecosystem: "pypi"}
          ↳ typosquat_check
       -> security_check {mode: "compare_names", name_a: "reqeusts", name_b: "requests"}
          ↳ typosquat_compare
       -> "WARNING: 'reqeusts' is a likely typosquat of 'requests'.
          Edit distance: 2 (transposed 'ue' -> 'eu')
          Similarity: 87.5%
          The legitimate package is 'requests' (800M+ monthly downloads).
          'reqeusts' has very low downloads and was likely published
          to exploit typos. DO NOT install this package.
          Correct command: pip install requests"

Composite Tools (7 tools, 90 techniques)

The AI agent sees only 7 composite tools (~1K tokens), each orchestrating multiple techniques in parallel internally.

Composite Tool Techniques Modes Description
vuln_scan 24 package cve batch recent go_module Vulnerability intelligence across OSV, GHSA, NVD, EPSS, CISA KEV, Go Vuln DB
package_info 33 by ecosystem Package metadata — auto-dispatches to npm (10), PyPI (4), crates.io (4), Go (3), RubyGems (4), NuGet (4), Packagist (4)
dep_tree 14 dependencies dependents project similar search full Dependency graph intelligence via deps.dev + Libraries.io
security_check 7 typosquat compare_names provenance verify_hash search_log Supply chain threat detection: typosquatting, provenance, Sigstore
quality 8 scorecard badge distro compare full Project quality: OpenSSF Scorecard, Best Practices Badge, Repology
license 3 lookup batch search License compliance analysis via ClearlyDefined
meta 1 List all data sources with configuration status

Individual Techniques (90)

All 90 techniques are accessible via --tool CLI for backward compatibility

Run npx supply-chain-mcp-server --list-all to see the full list.

OSV.dev Vulnerabilities (5) — No API key
Tool Description
osv_query Query OSV database for known vulnerabilities affecting a specific package and optional version
osv_query_commit Query OSV database for vulnerabilities associated with a specific git commit hash
osv_query_purl Query OSV database using a Package URL (purl) for known vulnerabilities
osv_batch Batch query OSV database for vulnerabilities across multiple packages at once
osv_id Fetch full vulnerability details from OSV by ID (OSV, CVE, GHSA, RUSTSEC, PYSEC, etc.)
GitHub Advisory GHSA (4) — No API key (GITHUB_TOKEN optional for higher rate limits)
Tool Description
ghsa_id Fetch a GitHub Security Advisory by its GHSA or CVE identifier
ghsa_search Search GitHub Security Advisories by keyword, ecosystem, and severity
ghsa_package List GitHub Security Advisories affecting a specific package in a given ecosystem
ghsa_recent List the most recently updated GitHub Security Advisories
NIST NVD (3) — No API key (NVD_API_KEY optional for higher rate limits)
Tool Description
nvd_cve Fetch full CVE details from NVD (NIST National Vulnerability Database) by CVE ID
nvd_search Search NVD for CVEs by keyword and optional CVSS v3 severity
nvd_recent Fetch recently published CVEs from NVD within a given number of days
EPSS Exploit Prediction (4) — No API key
Tool Description
epss_score Get EPSS exploit probability and percentile for a single CVE ID
epss_batch Batch EPSS scores for multiple CVEs (up to 100) in a single request
epss_top Get the highest EPSS-scoring CVEs (most likely to be exploited)
epss_above_threshold Find CVEs with EPSS score above a given threshold
CISA KEV (4) — No API key
Tool Description
kev_lookup Check if a CVE is in the CISA Known Exploited Vulnerabilities (KEV) catalog
kev_search Search KEV entries by keyword (matched against vendor, product, name, description)
kev_recent Get recently added KEV entries within the last N days
kev_stats Get KEV catalog statistics: total count, top vendors, entries per year, and ransomware usage breakdown
npm Registry (10) — No API key
Tool Description
npm_package Fetch npm package metadata including description, latest version, maintainers, license, repository, homepage, and publish timeline
npm_version Fetch metadata for a specific npm package version including dependencies, dist info (tarball, shasum, integrity), scripts, and deprecation status
npm_downloads Fetch npm download counts for a package over a given period (last-day, last-week, last-month)
npm_search Search the npm registry for packages matching a query string
npm_maintainers Extract maintainers and publish timeline from an npm package — critical for detecting maintainer takeover attacks
npm_scripts Extract and analyze lifecycle scripts from a specific npm package version — flags suspicious commands (curl, wget, eval, exec, etc.) commonly used in supply-chain attacks
npm_provenance Check whether an npm package version has Sigstore provenance attestations and signatures
npm_audit_bulk Bulk query npm security advisories for a set of packages and versions
npm_attestations Fetch full Sigstore attestation bundles for an npm package version — returns SLSA provenance and publish attestations
npm_download_range Get day-by-day npm download counts for a date range — useful for detecting download anomalies or dependency confusion attacks
PyPI (4) — No API key
Tool Description
pypi_package Fetch PyPI package metadata including author, license, summary, project URLs, classifiers, and Python version requirements
pypi_version Fetch metadata for a specific PyPI package version including release URLs with upload times, file sizes, digests, and yanked status
pypi_releases List all releases of a PyPI package with upload dates, sizes, and yanked status — useful for detecting suspicious rapid version bumps
pypi_maintainers Extract author and maintainer information from a PyPI package — useful for detecting ownership changes
crates.io (4) — No API key
Tool Description
crate_info Fetch crates.io crate metadata including description, download counts, max version, repository, homepage, categories, and keywords
crate_versions List all versions of a crate with version number, yanked status, license, crate size, creation date, and download count
crate_deps Fetch dependencies for a specific crate version including dependency kind (normal/dev/build), version requirement, and optional flag
crate_owners List owners of a crate on crates.io — useful for detecting ownership changes
RubyGems (4) — No API key
Tool Description
gem_info Fetch RubyGems gem metadata including name, version, authors, description, download counts, project URI, and source code URI
gem_versions List all versions of a RubyGems gem with release dates, platform info, and version numbers
gem_search Search the RubyGems registry for gems matching a query string
gem_reverse_deps Get reverse dependencies of a RubyGems gem — useful for assessing blast radius of a compromised package
NuGet (4) — No API key
Tool Description
nuget_package Fetch NuGet package registration metadata including all versions, dependency groups, descriptions, and catalog entries
nuget_search Search the NuGet registry for packages matching a query string
nuget_versions List all published versions of a NuGet package from the flat container index
nuget_catalog_entry Get specific version details from NuGet including dependency groups, description, license, and catalog metadata
Packagist / Composer (4) — No API key
Tool Description
composer_package Get PHP/Composer package metadata from Packagist including versions, description, maintainers, and repository information
composer_search Search Packagist for PHP packages matching a query string
composer_stats Get Packagist package download statistics including total, monthly, and daily download counts
composer_advisories Get security advisories for PHP packages from Packagist — returns known vulnerabilities and CVEs
Go Module Proxy (3) — No API key
Tool Description
go_module Fetch Go module info from the module proxy: latest version and all available versions
go_version Fetch info and go.mod contents for a specific Go module version — returns parsed dependency list
go_sum Look up a Go module version in the checksum database (sum.golang.org) for hash verification
Go Vulnerability Database (4) — No API key
Tool Description
go_vuln_id Fetch a Go vulnerability by its ID from the Go Vulnerability Database
go_vuln_list List all Go vulnerability IDs from the database index
go_vuln_db_info Get Go Vulnerability Database metadata including last modified time
go_vuln_by_module Find Go vulnerabilities affecting a specific module
Google deps.dev (10) — No API key
Tool Description
deps_package Look up a package on deps.dev to get metadata, versions, and security information
deps_version Get detailed info about a specific package version from deps.dev including links, licenses, and advisories
deps_dependencies Get the dependency tree for a specific package version from deps.dev
deps_dependents Get packages that depend on a specific package version from deps.dev
deps_advisory Fetch a security advisory by key (e.g. GHSA-xxxx-xxxx-xxxx) from deps.dev
deps_project Get project information from deps.dev by repository URL
deps_query Look up a package by its SHA256 artifact hash on deps.dev
deps_requirements Get the requirements (version constraints) for a specific package version from deps.dev
deps_similar_packages Find similarly named packages on deps.dev for typosquatting detection
deps_purl_lookup Look up a package by Package URL (purl) on deps.dev
OpenSSF Scorecard (2) — No API key (GITHUB_TOKEN optional for higher rate limits)
Tool Description
scorecard_repo Get the OpenSSF Scorecard security score for a GitHub repository, including individual check results
scorecard_compare Compare OpenSSF Scorecard security scores across 2-5 GitHub repositories side by side
OpenSSF Best Practices (3) — No API key
Tool Description
badge_project Get OpenSSF Best Practices badge status and criteria for a project by ID
badge_search Search OpenSSF Best Practices badge projects
badge_by_repo Find OpenSSF Best Practices badge by GitHub repository URL
Libraries.io (4) — Requires LIBRARIES_API_KEY
Tool Description
libraries_package Get package metadata from Libraries.io including repository info, versions, and popularity metrics
libraries_deps Get dependencies for a specific package version from Libraries.io
libraries_dependents Get packages that depend on a specific package from Libraries.io
libraries_sourcerank Get the SourceRank quality score breakdown for a package from Libraries.io
ClearlyDefined (3) — No API key
Tool Description
license_lookup Get curated license data for a software component from ClearlyDefined
license_batch Batch license lookup for multiple components via ClearlyDefined
license_search Search ClearlyDefined for components by pattern
Sigstore Rekor (5) — No API key
Tool Description
rekor_search Search the Rekor transparency log by email, SHA256 hash, or public key fingerprint
rekor_entry Retrieve a specific Rekor transparency log entry by UUID, including body, attestation, and inclusion proof
rekor_log_info Get the current Rekor transparency log status including rootHash, treeSize, and signedTreeHead
rekor_entries_search Retrieve multiple Rekor log entries by their UUIDs or log indexes in a single request
rekor_verify Verify whether a SHA256 artifact hash has been recorded in the Rekor transparency log
Repology (3) — No API key
Tool Description
repology_project Get package versions across all Linux distributions from Repology
repology_problems Find packaging problems/issues for a repository on Repology
repology_search Search Repology projects by name
Typosquatting Detection (2) — No API key (built-in)
Tool Description
typosquat_check Check if a package name is suspiciously similar to popular packages (potential typosquatting) — returns matches with edit distance <= 2
typosquat_compare Compare two package names directly to assess typosquatting risk, showing edit distance, similarity percentage, character-level diff, and confusable character warnings
Meta (1) — No API key
Tool Description
supplychain_list_sources List all 21 supply chain security data sources with configuration status, API key status, and tool counts

CLI Usage

# List 7 composite tools
npx supply-chain-mcp-server --list

# List all 90 individual techniques
npx supply-chain-mcp-server --list-all

# Run composite tools
npx supply-chain-mcp-server --tool vuln_scan '{"mode":"cve","cve_id":"CVE-2024-3094"}'
npx supply-chain-mcp-server --tool vuln_scan '{"mode":"package","ecosystem":"npm","name":"express"}'
npx supply-chain-mcp-server --tool package_info '{"ecosystem":"npm","name":"express","version":"4.21.2"}'
npx supply-chain-mcp-server --tool security_check '{"mode":"typosquat","name":"reqeusts","ecosystem":"pypi"}'
npx supply-chain-mcp-server --tool quality '{"mode":"scorecard","owner":"expressjs","repo":"express"}'
npx supply-chain-mcp-server --tool dep_tree '{"mode":"dependencies","ecosystem":"npm","name":"express","version":"4.21.2"}'

# Individual techniques also work (backward compatible)
npx supply-chain-mcp-server --tool osv_query '{"ecosystem":"npm","name":"express"}'
npx supply-chain-mcp-server --tool epss_score '{"cve_id":"CVE-2024-3094"}'

Data Sources (21)

Source Auth Rate Limit What it provides
OSV.dev None 1 req/s Cross-ecosystem vulnerability database (npm, PyPI, Go, Rust, etc.)
GitHub Advisory Database Optional 1 req/s Security advisories for GitHub-tracked packages
NIST NVD Optional 5 req/30s (50 with key) CVE details, CVSS scores, CPE matching, keyword search
FIRST EPSS None 2 req/s Exploit Prediction Scoring System — probability of CVE exploitation
CISA KEV None 0.5 req/s Known Exploited Vulnerabilities catalog with remediation deadlines
npm Registry None 2 req/s Package metadata, versions, scripts, provenance, attestations, advisories
PyPI None 2 req/s Python package metadata, versions, releases, maintainer info
crates.io None 1 req/s Rust crate metadata, versions, dependencies, owners
RubyGems None 1 req/s Ruby gem metadata, versions, reverse dependencies
NuGet None 2 req/s .NET package metadata, versions, dependency groups
Packagist None 1 req/s PHP/Composer packages, download stats, security advisories
Go Module Proxy None 2 req/s Go module versions, go.mod contents, checksum verification
Go Vulnerability Database None 2 req/s Go-specific vulnerability advisories by module
Google deps.dev None 5 req/s Cross-ecosystem dependency graphs, advisories, project info, purl lookup
OpenSSF Scorecard Optional 1 req/s Repository security scoring across 18 checks
OpenSSF Best Practices None 1 req/s Best Practices badge status and criteria
Libraries.io LIBRARIES_API_KEY 1 req/s Package popularity, SourceRank, cross-platform dependency data
ClearlyDefined None 2 req/s Curated license data across ecosystems
Sigstore Rekor None 2 req/s Transparency log for software signing — provenance verification
Repology None 1 req/s Package versions across Linux distributions
Typosquatting Detection None N/A Built-in Levenshtein distance + confusable character analysis

Architecture

src/
  index.ts                # CLI entrypoint (--help, --list, --list-all, --tool, stdio server)
  composite/              # 7 composite tools (MCP-registered)
    helpers.ts            # callTool(), callToolsParallel(), buildCompositeResponse(), TOOL_REGISTRY
    vuln-scan.ts          # vuln_scan — 24 techniques (5 modes)
    package-info.ts       # package_info — 33 techniques (7 ecosystems)
    dep-tree.ts           # dep_tree — 14 techniques (6 modes)
    security-check.ts     # security_check — 7 techniques (5 modes)
    quality.ts            # quality — 8 techniques (5 modes)
    license.ts            # license — 3 techniques (3 modes)
    meta.ts               # meta — 1 technique
    index.ts              # compositeTools barrel export
  protocol/
    mcp-server.ts         # MCP server setup (stdio transport)
    tools.ts              # Tool registry — imports compositeTools
  types/
    index.ts              # Shared types (ToolDef, ToolContext, ToolResult)
  utils/
    rate-limiter.ts       # Per-provider rate limiter
    cache.ts              # TTL cache for API responses
    http.ts               # Native fetch() wrapper with error handling
    require-key.ts        # API key validation helper
  osv/                    # 5 techniques    govuln/        # 4 techniques
  ghsa/                   # 4 techniques    depsdev/       # 10 techniques
  nvd/                    # 3 techniques    scorecard/     # 2 techniques
  epss/                   # 4 techniques    badge/         # 3 techniques
  kev/                    # 4 techniques    libraries/     # 4 techniques
  npm/                    # 10 techniques   clearlydefined/# 3 techniques
  pypi/                   # 4 techniques    rekor/         # 5 techniques
  crates/                 # 4 techniques    repology/      # 3 techniques
  rubygems/               # 4 techniques    typosquat/     # 2 techniques
  nuget/                  # 4 techniques    meta/          # 1 technique
  packagist/              # 4 techniques
  go/                     # 3 techniques

Design decisions:

  • Composite architecture — 7 composite tools registered with MCP, each orchestrating multiple individual techniques. LLM context reduced from ~12K tokens (90 tool definitions) to ~1K tokens (7 composites).
  • 22 providers, 1 server — Every data source is an independent module. Composite tools dispatch to the right provider techniques based on mode/ecosystem.
  • Per-provider rate limiters — Each data source has its own RateLimiter instance calibrated to that API's limits. No shared bottleneck.
  • TTL caching — Vulnerability data (5-30min), package metadata (5-15min), KEV catalog (60min), scorecard data (30min) are cached to avoid redundant API calls during multi-tool workflows.
  • Graceful degradation — Missing API keys don't crash the server. Tools return descriptive error messages: "Set LIBRARIES_API_KEY to enable Libraries.io tools."
  • 2 dependencies@modelcontextprotocol/sdk and zod. All HTTP via native fetch(). No external HTTP libraries needed.
  • Backward compatible--tool CLI accepts both composite and individual technique names. --list-all shows all 90 techniques.

Limitations

  • Libraries.io tools require a (free) API key from libraries.io
  • NVD free tier is limited to 5 requests per 30 seconds (50 with API key)
  • GHSA and Scorecard benefit from GITHUB_TOKEN for higher rate limits
  • CISA KEV is fetched as a single JSON file (~2MB) and cached for 60 minutes
  • Typosquatting detection compares against a curated list of top npm/PyPI packages (not exhaustive)
  • Go checksum database (sum.golang.org) may return 404 for very old or vendored-only modules
  • Repology API has strict rate limits and may throttle aggressive querying
  • ClearlyDefined coverage varies by ecosystem — npm and Maven have best coverage
  • macOS / Linux tested (Windows not tested)

Part of the MCP Security Suite

Project Domain Tools
hackbrowser-mcp Browser-based security testing 39 tools, Firefox, injection testing
cloud-audit-mcp Cloud security (AWS/Azure/GCP) 38 tools, 60+ checks
github-security-mcp GitHub security posture 39 tools, 45 checks
cve-mcp Vulnerability intelligence 23 tools, 5 sources
osint-mcp-server OSINT & reconnaissance 37 tools, 12 sources
darknet-mcp-server Dark web & threat intelligence 66 tools, 16 sources
fingerprint-mcp Digital fingerprinting 13 tools, 103 techniques
supply-chain-mcp-server Software supply chain security 7 tools, 90 techniques, 21 sources

For authorized security testing and assessment only.
Always ensure you have proper authorization before performing supply chain analysis on any target.

MIT License • Built with Bun + TypeScript

from github.com/badchars/supply-chain-mcp-server

Установить Supply Chain Server в Claude Desktop, Claude Code, Cursor

Рекомендуется · одна команда, все IDE
unyly install supply-chain-mcp-server

Ставит в Claude Desktop, Claude Code, Cursor и VS Code — сам разбирается с npx, uvx и сборкой из исходников.

Впервые? Поставь CLI: curl -fsSL https://unyly.org/install | sh

Или настроить вручную

Выполни в терминале:

claude mcp add supply-chain-mcp-server -- npx -y supply-chain-mcp-server

FAQ

Supply Chain Server MCP бесплатный?

Да, Supply Chain Server MCP бесплатный — установка в пару кликов через Unyly без оплаты.

Нужен ли API-ключ для Supply Chain Server?

Нет, Supply Chain Server работает без API-ключей и переменных окружения.

Supply Chain Server — hosted или self-hosted?

Доступен hosted-вариант: Unyly запускает сервер в облаке, локальная установка не обязательна.

Как установить Supply Chain Server в Claude Desktop, Claude Code или Cursor?

Открой Supply Chain Server на unyly.org, выбери вкладку своего клиента (Claude Desktop, Claude Code, Cursor) и нажми Install — конфиг сгенерируется автоматически, без правки JSON.

Похожие MCP

Compare Supply Chain Server with

Не уверен что выбрать?

Найди свой стек за 60 секунд

Автор?

Embed-бейдж для README

Похожее

Все в категории ai