MCP Servers

vet-mcp

README

<p><strong>🚀 Enterprise grade open source software supply chain security</strong></p>

<p> <a href="https://github.com/safedep/vet/releases"><strong>Download</strong></a> • <a href="#-quick-start"><strong>Quick Start</strong></a> • <a href="https://docs.safedep.io/"><strong>Documentation</strong></a> • <a href="#-community"><strong>Community</strong></a> </p> </div>

</div>

🎯 Why vet?

70-90% of modern software constitute code from open sources — How do we know if it's safe?

vet is an open source software supply chain security tool built for developers and security engineers who need:

✅ Next-gen Software Composition Analysis — Vulnerability and malicious package detection
✅ Policy as Code — Express opinionated security policies using CEL
✅ Real-time malicious package detection — Powered by SafeDep Cloud active scanning
✅ Multi-ecosystem support — npm, PyPI, Maven, Go, Docker, GitHub Actions, and more
✅ CI/CD native — Built for DevSecOps workflows with support for GitHub Actions, GitLab CI, and more
✅ MCP Server — Run vet as a MCP server to vet open source packages from AI suggested code

⚡ Quick Start

Install in seconds:

# macOS & Linux
brew install safedep/tap/vet

or download a pre-built binary

Scan your project:

# Scan current directory
vet scan -D .

# Scan a single file
vet scan -M package-lock.json

# Fail CI on critical vulnerabilities
vet scan -D . --filter 'vulns.critical.exists(p, true)' --filter-fail

# Fail CI on OpenSSF Scorecard requirements
vet scan -D . --filter 'scorecard.scores.Maintained < 5' --filter-fail

# Fail CI if a package is published from a GitHub repository with less than 5 stars
vet scan -D . --filter 'projects.exists(p, p.type == "GITHUB" && p.stars < 5)' --filter-fail

🔒 Key Features

🕵️ Code Analysis

Unlike dependency scanners that flood you with noise, vet analyzes your actual code usage to prioritize real risks. See dependency usage evidence for more details.

🛡️ Malicious Package Detection

Integrated with SafeDep Cloud for real-time protection against malicious packages in the wild. Free for open source projects. Fallback to Query Mode when API key is not provided. Read more about malicious package scanning.

📋 Policy as Code

Define security policies using CEL expressions to enforce context specific security requirements.

# Block packages with critical CVEs
vet scan \
--filter 'vulns.critical.exists(p, true)'

# Enforce license compliance
vet scan \
--filter 'licenses.contains_license("GPL-3.0")'

# Enforce OpenSSF Scorecard requirements
# Require minimum OpenSSF Scorecard scores
vet scan \
--filter 'scorecard.scores.Maintained < 5'

🎯 Multi-Format Support

Package Managers: npm, PyPI, Maven, Go, Ruby, Rust, PHP
Container Images: Docker, OCI
SBOMs: CycloneDX, SPDX
Binary Artifacts: JAR files, Python wheels
Source Code: Direct repository scanning

🔥 See vet in Action

🚀 Production Ready Integrations

📦 GitHub Actions

Zero config security guardrails against vulnerabilities and malicious packages in your CI/CD pipeline with your own opinionated policies:

- uses: safedep/vet-action@v1
  with:
    policy: '.github/vet/policy.yml'

See more in vet-action documentation.

🔧 GitLab CI

Enterprise grade scanning with vet CI Component:

include:
  - component: gitlab.com/safedep/ci-components/vet@main

🐳 Container Integration

Run vet anywhere, even your internal developer platform or custom CI/CD environment using our container image.

docker run --rm -v $(pwd):/app ghcr.io/safedep/vet:latest scan -D /app

📦 Installation Options

🍺 Homebrew (Recommended)

brew tap safedep/tap
brew install safedep/tap/vet

📥 Direct Download

See releases for the latest version.

🐹 Go Install

go install github.com/safedep/vet@latest

🐳 Container Image

# Quick test
docker run --rm ghcr.io/safedep/vet:latest version

# Scan local directory
docker run --rm -v $(pwd):/workspace ghcr.io/safedep/vet:latest scan -D /workspace

⚙️ Verify Installation

vet version
# Should display version and build information

🎮 Advanced Usage

🔍 Scanning Options

📁 Directory Scanning

# Scan current directory
vet scan

# Scan a given directory
vet scan -D /path/to/project

# Resolve and scan transitive dependencies
vet scan -D . --transitive

📄 Manifest Files

# Package managers
vet scan -M package-lock.json
vet scan -M requirements.txt
vet scan -M pom.xml
vet scan -M go.mod
vet scan -M Gemfile.lock

</td> <td width="50%">

🐙 GitHub Integration

# Setup GitHub access
vet connect github

# Scan repositories
vet scan --github https://github.com/user/repo

# Organization scanning
vet scan --github-org https://github.com/org

📦 Artifact Scanning

# Container images
vet scan --image nginx:latest
vet scan --image /path/to/image-saved-file.tar

# Binary artifacts
vet scan -M app.jar
vet scan -M package.whl

</td> </tr> </table>

🎯 Policy Enforcement Examples

# Security-first scanning
vet scan -D . \
  --filter 'vulns.critical.exists(p, true) || vulns.high.exists(p, true)' \
  --filter-fail

# License compliance
vet scan -D . \
  --filter 'licenses.contains_license("GPL-3.0")' \
  --filter-fail

# OpenSSF Scorecard requirements
vet scan -D . \
  --filter 'scorecard.scores.Maintained < 5' \
  --filter-fail

# Popularity-based filtering
vet scan -D . \
  --filter 'projects.exists(p, p.type == "GITHUB" && p.stars < 50)' \
  --filter-fail

🔧 SBOM Support

# Scan a CycloneDX SBOM
vet scan -M sbom.json --type bom-cyclonedx

# Scan a SPDX SBOM
vet scan -M sbom.spdx.json --type bom-spdx

# Generate SBOM output
vet scan -D . --report-cdx=output.sbom.json

# Package URL scanning
vet scan --purl pkg:npm/lodash@4.17.21

📊 Query Mode & Data Persistence

For large codebases and repeated analysis:

# Scan once, query multiple times
vet scan -D . --json-dump-dir ./scan-data

# Query with different filters
vet query --from ./scan-data \
  --filter 'vulns.critical.exists(p, true)'

# Generate focused reports
vet query --from ./scan-data \
  --filter 'licenses.contains_license("GPL")' \
  --report-json license-violations.json

📊 Reporting

vet generate reports that are tailored for different stakeholders:

📋 Report Formats

<table> <tr> <td width="30%"><strong>🔍 For Security Teams</strong></td> <td width="70%">

# SARIF for GitHub Security tab
vet scan -D . --report-sarif=report.sarif

# JSON for custom tooling
vet scan -D . --report-json=report.json

# CSV for spreadsheet analysis
vet scan -D . --report-csv=report.csv

</td> </tr> <tr> <td><strong>📖 For Developers</strong></td> <td>

# Markdown reports for PRs
vet scan -D . --report-markdown=report.md

# Console summary (default)
vet scan -D . --report-summary

</td> </tr> <tr> <td><strong>🏢 For Compliance</strong></td> <td>

# SBOM generation
vet scan -D . --report-cdx=sbom.json

# Dependency graphs
vet scan -D . --report-graph=dependencies.dot

</td> </tr> </table>

🎯 Report Examples

# Multi-format output
vet scan -D . \
  --report-json=report.json \
  --report-sarif=report.sarif \
  --report-markdown=report.md

# Focus on specific issues
vet scan -D . \
  --filter 'vulns.high.exists(p, true)' \
  --report-json=report.json

🤖 MCP Server

vet can be used as an MCP server to vet open source packages from AI suggested code.

# Start the MCP server with SSE transport
vet server mcp --server-type sse

For more details, see vet MCP Server documentation.

🛡️ Malicious Package Detection

Malicious package detection through active scanning and code analysis powered by SafeDep Cloud. vet requires an API key for active scanning of unknown packages. When API key is not provided, vet will fallback to Query Mode which detects known malicious packages from SafeDep and OSV databases.

Grab a free API key from SafeDep Platform App or use vet cloud quickstart
API access is free forever for open source projects
No proprietary code is collected for malicious package detection
Only open source package scanning from public repositories is supported

🚀 Quick Setup

Malicious package detection requires an API key for SafeDep Cloud.

# One-time setup
vet cloud quickstart

# Enable malware scanning
vet scan -D . --malware

# Query for known malicious packages without API key
vet scan -D . --malware-query

Example malicious packages detected and reported by SafeDep Cloud malicious package detection:

🎯 Advanced Malicious Package Analysis

🔍 Scan packages with malicious package detection enabled

# Real-time scanning
vet scan -D . --malware

# Timeout adjustment
vet scan -D . --malware \
  --malware-analysis-timeout=300s

# Batch analysis
vet scan -D . --malware \
  --json-dump-dir=./analysis

</td> <td width="50%">

🎭 Specialized Scans

# VS Code extensions
vet scan --vsx --malware

# GitHub Actions
vet scan -D .github/workflows --malware

# Container Images
vet scan --image nats:2.10 --malware

# Scan a single package and fail if its malicious
vet scan --purl pkg:/npm/nyc-config@10.0.0 --fail-fast

# Active scanning of a single package (requires API key)
vet inspect malware \
  --purl pkg:npm/nyc-config@10.0.0

</td> </tr> </table>

🔒 Security Features

✅ Real-time analysis of packages against known malware databases
✅ Behavioral analysis using static and dynamic analysis
✅ Zero day protection through active code scanning
✅ Human in the loop for triaging and investigation of high impact findings
✅ Real time analysis with public analysis log

📊 Privacy and Telemetry

vet collects anonymous usage telemetry to improve the product. Your code and package information is never transmitted.

# Disable telemetry (optional)
export VET_DISABLE_TELEMETRY=true

🎊 Community & Support

🌟 Join the Community

</div>

💡 Get Help & Share Ideas

🚀 Interactive Tutorial - Learn vet hands-on
📚 Complete Documentation - Comprehensive guides
💬 Discord Community - Real-time support
🐛 Issue Tracker - Bug reports & feature requests
🤝 Contributing Guide - Join the development

⭐ Star History

🙏 Built With Open Source

vet stands on the shoulders of giants:

OSV • OpenSSF Scorecard • SLSA • OSV-SCALIBR • Syft

<p><strong>⚡ Secure your supply chain today. Star the repo ⭐ and get started!</strong></p>

Created with ❤️ by SafeDep and the open source community

</div>

Recommended Servers

playwright-mcp

A Model Context Protocol server that enables LLMs to interact with web pages through structured accessibility snapshots without requiring vision models or screenshots.

Official

Featured

TypeScript

Magic Component Platform (MCP)

An AI-powered tool that generates modern UI components from natural language descriptions, integrating with popular IDEs to streamline UI development workflow.

Audiense Insights MCP Server

Enables interaction with Audiense Insights accounts via the Model Context Protocol, facilitating the extraction and analysis of marketing insights and audience data including demographics, behavior, and influencer engagement.

VeyraX MCP

Single MCP tool to connect all your favorite tools: Gmail, Calendar and 40 more.

Official

Featured

Local

graphlit-mcp-server

The Model Context Protocol (MCP) Server enables integration between MCP clients and the Graphlit service. Ingest anything from Slack to Gmail to podcast feeds, in addition to web crawling, into a Graphlit project - and then retrieve relevant contents from the MCP client.

Official

Featured

TypeScript

Kagi MCP Server

An MCP server that integrates Kagi search capabilities with Claude AI, enabling Claude to perform real-time web searches when answering questions that require up-to-date information.

Official

Featured

Python

E2B

Using MCP to run code via e2b.

Official

Featured

Neon Database

MCP server for interacting with Neon Management API and databases

Official

Featured

Exa Search

A Model Context Protocol (MCP) server lets AI assistants like Claude use the Exa AI Search API for web searches. This setup allows AI models to get real-time web information in a safe and controlled way.

Official

Featured

Qdrant Server

This repository is an example of how to create a MCP server for Qdrant, a vector search engine.

Official

Featured