osv-ui-mcp
Visual CVE audit dashboard for npm, Python, Go, and Rust projects. Scans your project manifests (package-lock.json, requirements.txt, go.sum, Cargo.lock) against OSV.dev live data, opens a browser dashboard for human review, then applies fixes only after explicit confirmation. Supports multi-service monorepos in one command.
README
<div align="center">
osv-ui
A beautiful, zero-config visual CVE dashboard for npm, Python, Go, and Rust projects.
One command. No signup. No API key. Runs 100% locally β your code never leaves your machine.
π»π³ TiαΊΏng Viα»t Β· πΊπΈ English Β· π¨π³ δΈζ Β· π―π΅ ζ₯ζ¬θͺ
</div>
The problem
$ npm audit
# ... 300 lines of this ...
# moderate Regular Expression Denial of Service in semver
# package semver
# patched in >=7.5.2
# ...
# 12 vulnerabilities (3 moderate, 6 high, 3 critical)
Nobody reads that. Security gets ignored. Dependencies stay vulnerable.
The solution
npx osv-ui
β Opens a dashboard. Every CVE, every fix, all your services. Done.
Why give it a try?
- Zero-config: No complex setup, no signup, no API key required.
- Privacy First: Analysis is done 100% on your machine.
- Fast & Visual: Real-time Risk Scores, vulnerability charts, and clear upgrade guides in seconds.
- Multi-platform: Native support for Node.js (npm), Python, Go, and Rust.
Features
| π¨ npm + π Python + π΅ Go + π¦ Rust | Scans package-lock.json, Pipfile.lock, poetry.lock, requirements.txt, go.sum, Cargo.lock |
| π‘ Live CVE data | Powered by OSV.dev β updated daily from NVD, GitHub Advisory, PyPI Advisory. No API key. |
| π’ Multi-service | Scan your entire monorepo in one command β frontend, backend, workers, ML services |
| π Fix guide | Dependabot-style upgrade table: current version β safe version + one-click copy command |
| π Built-in REST API | Power your own security dashboards with GET /api/data or CLI export flags |
| π― Risk score | 0β100 per service so you know where to focus first |
| π CVE drill-down | Click any row β CVSS score, description, NVD link, GitHub Advisory link |
| π Dark Mode | Eye-friendly security audits, day or night |
Quick start
Scan current directory:
npx osv-ui
Scan a monorepo (multiple services at once):
npx osv-ui ./frontend ./api ./worker ./ml-service
Auto-discover all services under the current directory:
npx osv-ui -d
Add to your package.json scripts:
{
"scripts": {
"audit:ui": "npx osv-ui",
"audit:all": "npx osv-ui ./frontend ./api ./worker"
}
}
--discover, -d Auto-find service dirs that contain a supported manifest
--port=2003 Use a custom port (default: 2003)
--json[=file] Save report as JSON without opening browser (defaults to osv-report.json)
--html[=file] Save report as HTML without opening browser (defaults to osv-report.html)
--no-open Don't auto-open the browser
--offline Skip OSV.dev lookup β parse manifests only
-h, --help Show help message
π€ AI Agent Integration (MCP)
osv-ui is now a Model Context Protocol (MCP) server. This allows AI agents like Claude Desktop, Cursor, and Claude Code to:
- Scan your project for CVEs automatically.
- Open the visual dashboard for you to review findings (Human-in-the-loop).
- Apply fixes after your explicit confirmation.
Quick setup (npx):
{
"mcpServers": {
"osv-ui": {
"command": "npx",
"args": ["-y", "osv-ui-mcp"]
}
}
}
See the MCP Package README for detailed setup instructions.
π Powerful built-in API
osv-ui isn't just a dashboard; it's a security data engine.
Once the dashboard is running, you can pull the raw security data for your whole project:
# Get full JSON payload for all services
curl http://localhost:2003/api/data
# Use it in your custom scripts
curl -s http://localhost:2003/api/data | jq '.[0].vulns'
Supported manifest files
| Ecosystem | Files |
|---|---|
| npm | package-lock.json (lockfileVersion 1, 2, 3) |
| Python | requirements.txt Β· Pipfile.lock Β· poetry.lock Β· pyproject.toml |
| Go | go.sum |
| Rust | Cargo.lock |
More ecosystems coming β see Roadmap.
How it works
Your project files
β
ββ package-lock.json βββ
ββ Pipfile / poetry βββ€βββΊ parser βββΊ package list
ββ go.sum / Cargo.lock βββ
β
βΌ
OSV.dev batch API (free, no key)
β
βΌ
CVE matches + fix versions
β
βΌ
Express server β browser dashboard
http://localhost:2003
CVE data comes from OSV.dev β a free, open database maintained by Google that aggregates:
- πΊπΈ NVD β NIST National Vulnerability Database
- π GitHub Advisory Database (GHSA)
- π PyPI Advisory Database
- π¦ npm Advisory Database
- π¦ RustSec Β· Go Vuln DB Β· OSS-Fuzz Β· and more
Updated daily. No account. No rate limit. No vendor lock-in.
vs alternatives
| osv-ui | npm audit |
Snyk | Dependabot | |
|---|---|---|---|---|
| Visual dashboard | β | β terminal only | β | β |
| npm support | β | β | β | β |
| Python support | β | β | β | β |
| Multi-service in one view | β | β | β paid | β |
| No signup required | β | β | β | β |
| Works on GitLab Free | β | β | β | β |
| Self-hosted / local | β | β | β | β |
| Fix commands | β | partial | β | β |
| Open source | β | β | β | β |
GitLab CI β block deploys on critical CVEs
No Dependabot on GitLab Free? Add this to .gitlab-ci.yml:
audit:
stage: test
image: node:20-alpine
script:
- npm audit --json > /tmp/audit.json || true
- |
node -e "
const r = require('/tmp/audit.json');
const crit = Object.values(r.vulnerabilities || {})
.filter(v => v.severity === 'critical').length;
if (crit > 0) {
console.error('BLOCKED: ' + crit + ' critical CVE(s). Run: npx osv-ui');
process.exit(1);
}
console.log('OK: no critical vulnerabilities');
"
artifacts:
paths: [/tmp/audit.json]
when: always
Requirements
- Node.js >= 16
- Internet access for OSV.dev queries β or use
--offline - npm projects: run
npm installfirst sopackage-lock.jsonexists - Python projects: any of the supported manifest files listed above
Roadmap
All contributions are welcome. If you want to work on something, open an issue first so we can coordinate.
- [x] Go support β parse
go.sum/go.mod - [x] Rust support β parse
Cargo.lock - [x] Export report β save as HTML / JSON
- [x] Dark mode β eye-friendly dashboard UI
- [ ] Java / Maven β parse
pom.xml - [ ] GitHub Actions β post a CVE diff comment on PRs
- [ ] SBOM export β CycloneDX / SPDX format
- [ ] Watch mode β re-scan on manifest file changes
- [ ] Slack / webhook β notify on new critical CVEs
Contributing
This project is built by the community. All skill levels welcome.
Good first issues:
- Add Java/Maven parser (
pom.xml) β follow the pattern insrc/parsers.js - Write unit tests for the parsers
- Improve Python parser edge cases
# Clone and run locally
git clone https://github.com/toan203/osv-ui
cd osv-ui
npm install
# Run against your own project
node bin/cli.js /path/to/your/project
# Run against multiple services
node bin/cli.js ./frontend ./backend
Please read CONTRIBUTING.md for code style and PR process.
License
MIT β use it, fork it, embed it, build on it. Attribution appreciated but not required.
<div align="center">
Did osv-ui catch a real CVE in your project?
A β helps other developers find this tool.
Share on Twitter Β· Post on Reddit
</div>
Recommended Servers
playwright-mcp
A Model Context Protocol server that enables LLMs to interact with web pages through structured accessibility snapshots without requiring vision models or screenshots.
Magic Component Platform (MCP)
An AI-powered tool that generates modern UI components from natural language descriptions, integrating with popular IDEs to streamline UI development workflow.
Audiense Insights MCP Server
Enables interaction with Audiense Insights accounts via the Model Context Protocol, facilitating the extraction and analysis of marketing insights and audience data including demographics, behavior, and influencer engagement.
VeyraX MCP
Single MCP tool to connect all your favorite tools: Gmail, Calendar and 40 more.
graphlit-mcp-server
The Model Context Protocol (MCP) Server enables integration between MCP clients and the Graphlit service. Ingest anything from Slack to Gmail to podcast feeds, in addition to web crawling, into a Graphlit project - and then retrieve relevant contents from the MCP client.
Kagi MCP Server
An MCP server that integrates Kagi search capabilities with Claude AI, enabling Claude to perform real-time web searches when answering questions that require up-to-date information.
E2B
Using MCP to run code via e2b.
Neon Database
MCP server for interacting with Neon Management API and databases
Exa Search
A Model Context Protocol (MCP) server lets AI assistants like Claude use the Exa AI Search API for web searches. This setup allows AI models to get real-time web information in a safe and controlled way.
Qdrant Server
This repository is an example of how to create a MCP server for Qdrant, a vector search engine.