Security Advisory MCP — CVE/GHSA/RustSec/OSV search, dependency mapping, risk scoring, patch plans, compliance evidence
Security Advisory MCP Server
Let your AI agents check for vulnerabilities. This MCP server queries the OSV.dev advisory database to search CVEs, map vulnerabilities to your dependencies, score risk, generate patch plans, and export compliance evidence.
What It Does
When your agent adds a dependency, reviews a PR, or audits a project, it can check for known security vulnerabilities and recommend fixes — using real advisory data from GitHub Advisory DB, RustSec, NVD, and more.
Architecture
Tools (6)
| Tool | What It Does | When To Use |
|------|-------------|-------------|
| search_advisories | Search by package, ecosystem, or keyword | "Are there vulnerabilities in hyper?" |
| get_advisory | Get full details by CVE/GHSA/RUSTSEC/OSV ID | "Tell me about GHSA-5h46-h7hh-c6x9" |
| map_vulnerability_to_dependency | Scan lockfile against advisory database | "Are any of our deps vulnerable?" |
| rank_security_risk | Score practical risk (severity × exposure) | "How urgent is this vulnerability?" |
| generate_patch_plan | Recommend upgrade path and rollout | "How do we fix this?" |
| export_security_evidence | Bundle findings for audit/compliance | "Generate a security report" |
Verified Output
Tested against live OSV.dev:
```
> search_advisories(package: "hyper", ecosystem: "crates.io")
{ "count": 14, "advisories": [
{ "id": "GHSA-5h46-h7hh-c6x9", "summary": "Integer Overflow in Chunked Transfer-Encoding", "severity": "high" },
{ "id": "RUSTSEC-2024-0003", "summary": "Lenient HTTP/1 parsing allows request smuggling", "severity": "medium" }
]}
> get_advisory(id: "GHSA-5h46-h7hh-c6x9")
{ "id": "GHSA-5h46-h7hh-c6x9", "summary": "Integer Overflow in Chunked Transfer-Encoding",
"affected": [{ "package": "hyper", "ecosystem": "crates.io", "ranges": [{"fixed": "0.14.10"}] }],
"source_url": "https://osv.dev/vulnerability/GHSA-5h46-h7hh-c6x9" }
> rank_security_risk(advisory_id: "GHSA-5h46-h7hh-c6x9", direct_dependency: true, internet_exposed: true)
{ "risk_score": 5.5, "priority": "medium",
"recommendation": "Schedule patch in next sprint. Monitor for exploit development." }
> generate_patch_plan(advisory_id: "GHSA-5h46-h7hh-c6x9", package: "hyper", current_version: "0.14.0")
{ "action": "upgrade", "fixed_version": "0.14.10",
"steps": ["1. Update to 0.14.10", "2. Run tests", "3. Review changelog", "4. Deploy staging → production"] }
> map_vulnerability_to_dependency(path: "/my-project")
{ "packages_scanned": 267, "vulnerable_packages": 2,
"findings": [{ "package": "hyper", "installed_version": "0.14.0", "advisories_found": 3 }] }
```
Supported Identifiers
| Type | Example | Source |
|------|---------|--------|
| CVE | CVE-2023-26964 | NVD / MITRE |
| GHSA | GHSA-5h46-h7hh-c6x9 | GitHub Advisory DB |
| RUSTSEC | RUSTSEC-2024-0003 | RustSec |
| OSV | OSV-2023-1234 | OSV.dev |
Supported Ecosystems
crates.io · npm · PyPI · Go · Maven · NuGet · Packagist · RubyGems
Supported Lockfiles
| File | Ecosystem |
|------|-----------|
| Cargo.lock | Rust |
| package-lock.json | npm |
| requirements.txt | Python |
| go.sum | Go |
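Matching a lockfile entry against an advisory's `fixed` version depends on comparing versions numerically, not as strings. The sketch below is an added example, not the project's code: it assumes plain numeric dotted versions and a single `fixed` bound, and the function names and sample lockfile are hypothetical.

```rust
// Added illustration: match Cargo.lock entries against an advisory's fixed version.
// Assumptions: plain numeric dotted versions (no pre-release or build tags) and a
// single `fixed` bound per advisory. Not the project's code; names are hypothetical.

/// Parses "0.14.10" into [0, 14, 10]; returns None if any component is non-numeric.
pub fn parse_version(v: &str) -> Option<Vec<u64>> {
    v.split('.').map(|p| p.parse::<u64>().ok()).collect()
}

/// Extracts (name, version) pairs from the [[package]] tables of a Cargo.lock.
pub fn lock_packages(lock: &str) -> Vec<(String, String)> {
    let mut out = Vec::new();
    let mut name: Option<String> = None;
    for line in lock.lines().map(str::trim) {
        if line == "[[package]]" {
            name = None;
        } else if let Some(v) = line.strip_prefix("name = ") {
            name = Some(v.trim_matches('"').to_string());
        } else if let Some(v) = line.strip_prefix("version = ") {
            // The top-level `version = 3` format marker has no preceding name; skip it.
            if let Some(n) = name.take() {
                out.push((n, v.trim_matches('"').to_string()));
            }
        }
    }
    out
}

/// Returns entries for `pkg` whose installed version is numerically below `fixed`.
/// Versions that fail to parse are skipped here; a real scanner should report them.
pub fn vulnerable(lock: &str, pkg: &str, fixed: &str) -> Vec<(String, String)> {
    let fixed_v = match parse_version(fixed) { Some(f) => f, None => return Vec::new() };
    lock_packages(lock).into_iter()
        .filter(|(n, v)| n == pkg && parse_version(v).map_or(false, |iv| iv < fixed_v))
        .collect()
}

// Constructed lockfile excerpt, not taken from a real project.
pub const SAMPLE_LOCK: &str = "version = 3\n\n[[package]]\nname = \"hyper\"\nversion = \"0.14.9\"\n\n\
[[package]]\nname = \"tokio\"\nversion = \"1.28.0\"\n";

fn main() {
    // 0.14.9 is below 0.14.10 numerically, although "0.14.9" > "0.14.10" as strings.
    println!("{:?}", vulnerable(SAMPLE_LOCK, "hyper", "0.14.10"));
}
```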
Installation
1. Build
```bash
git clone https://github.com/zavora-ai/mcp-security-advisory
cd mcp-security-advisory
cargo build --release
```
No API key needed — OSV.dev is a free, open database.
2. Add to your MCP client
Claude Desktop / Kiro / Cursor / Windsurf:
```json
{
  "mcpServers": {
    "security": {
      "command": "/path/to/mcp-security-advisory"
    }
  }
}
```
3. Use it
Ask your agent:
- "Are there any known vulnerabilities in our dependencies?"
- "Tell me about CVE-2023-26964"
- "How risky is this vulnerability for us?"
- "Generate a patch plan for GHSA-5h46-h7hh-c6x9"
- "Export a security report for compliance"
Risk Scoring Model
The rank_security_risk tool uses a weighted factors model:
| Factor | Weight | Description |
|--------|--------|-------------|
| Severity (CVSS) | 40% | Base vulnerability severity |
| Direct dependency | +1.5 | Direct dep vs transitive |
| Internet exposed | +2.0 | Service faces the internet |
| Known exploit | +2.5 | Exploit exists in the wild |
Score 0-10: critical (≥8) · high (≥6) · medium (≥4) · low (<4)
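The model above can be written out as follows. This is an added example, not the project's code: it assumes "Severity (CVSS) 40%" means 0.4 times a numeric CVSS base score (the page does not say how a severity label becomes a number), and all type names, function names and sample findings are hypothetical.

```rust
// Added illustration of the weighted-factor table above; not the project's code.
// Assumption: "Severity (CVSS) 40%" means 0.4 x a numeric CVSS base score, so the
// maximum is 0.4*10 + 1.5 + 2.0 + 2.5 = 10. All names here are hypothetical.
#[derive(Debug, Clone, Copy)]
pub struct Exposure {
    pub direct_dependency: bool,
    pub internet_exposed: bool,
    pub known_exploit: bool,
}

/// Returns the 0-10 risk score, or an error for an out-of-range (or NaN) CVSS value.
pub fn risk_score(cvss: f64, e: Exposure) -> Result<f64, String> {
    if !(0.0..=10.0).contains(&cvss) {
        return Err(format!("CVSS base score out of range: {}", cvss));
    }
    let mut score = 0.4 * cvss;
    if e.direct_dependency { score += 1.5; }
    if e.internet_exposed { score += 2.0; }
    if e.known_exploit { score += 2.5; }
    Ok(score)
}

/// Maps a score to the page's bands: critical >= 8, high >= 6, medium >= 4, else low.
pub fn priority(score: f64) -> &'static str {
    if score >= 8.0 { "critical" } else if score >= 6.0 { "high" }
    else if score >= 4.0 { "medium" } else { "low" }
}

/// Scores findings (id, cvss, exposure) and orders them most urgent first.
pub fn triage(findings: &[(&str, f64, Exposure)]) -> Result<Vec<(String, f64, &'static str)>, String> {
    let mut out = Vec::new();
    for (id, cvss, e) in findings {
        let s = risk_score(*cvss, *e)?;
        out.push((id.to_string(), s, priority(s)));
    }
    out.sort_by(|a, b| b.1.total_cmp(&a.1));
    Ok(out)
}

/// Constructed sample findings; the IDs are placeholders, not real advisories.
pub fn sample() -> Vec<(&'static str, f64, Exposure)> {
    let e = |d, i, k| Exposure { direct_dependency: d, internet_exposed: i, known_exploit: k };
    vec![("EXAMPLE-A", 9.8, e(false, false, false)),
         ("EXAMPLE-B", 5.0, e(true, true, false)),
         ("EXAMPLE-C", 7.5, e(true, true, true))]
}
fn main() {
    for (id, s, p) in triage(&sample()).unwrap() { println!("{}: {:.1} ({})", id, s, p); }
}
```

Under this reading, a transitive, unexposed finding with CVSS 9.8 scores 3.9 (low) and ranks below a direct, internet-exposed finding with CVSS 5.0, which scores 5.5 (medium).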
Provenance
Every response includes provenance metadata:
- source — where the data came from (osv.dev)
- queried_at — timestamp of the query
- confidence — data reliability indicator
- identifier_type — CVE/GHSA/RUSTSEC/OSV
MCP Server Manifest
```toml
server_id = "mcp_security_advisory"
display_name = "Security Advisory MCP"
version = "1.0.0"
domain = "developer"
risk_level = "low"
writes_allowed = "artifact_producing"
transports = ["stdio"]
governance_gates = []
```
Contributors
James Karanja Maina
License
Apache-2.0 — see LICENSE for details.
Part of the ADK-Rust Enterprise MCP server ecosystem.
Registry Compliance
This server implements the ADK MCP SDK contract:
- HealthCheck — async health probe for registry monitoring
- mcp-server.toml — manifest declaring tools, risk classes, and credentials
- Structured tracing — RUST_LOG env-filter for observability