Metadata-Version: 2.4
Name: vulnfeed-mcp
Version: 0.3.1
Summary: Dependency vulnerability monitoring MCP server — knows your lockfile, prioritizes by EPSS exploit probability, recommends fix versions.
Project-URL: Homepage, https://vulnfeed.novadyne.ai
Project-URL: Repository, https://github.com/infai-tech/vulnfeed-mcp
Project-URL: Issues, https://github.com/infai-tech/vulnfeed-mcp/issues
Author-email: Novadyne <support@infaicorp.com>
License: MIT
Keywords: cve,epss,mcp,security,vulnerability
Classifier: Development Status :: 4 - Beta
Classifier: Intended Audience :: Developers
Classifier: Topic :: Security
Classifier: Topic :: Software Development :: Quality Assurance
Requires-Python: >=3.10
Requires-Dist: mcp>=1.0
Description-Content-Type: text/markdown

# VulnFeed — Dependency Vulnerability Monitoring for Claude Code

An MCP server that scans your project dependencies for known vulnerabilities, enriches each finding with its EPSS exploit probability score, and recommends fix versions.

**Free tier** — 10 scans/day, 1 monitored project, no signup required.

## Install

```bash
uvx vulnfeed-mcp
```

### MCP client config

Add to your MCP client config (`~/.claude/settings.json` for Claude Code, `claude_desktop_config.json` for Claude Desktop):

**Free tier** (no signup, no API key):
```json
{
  "mcpServers": {
    "vulnfeed": {
      "command": "uvx",
      "args": ["vulnfeed-mcp"]
    }
  }
}
```

**Paid** ($14/mo, unlimited scans + projects):
```json
{
  "mcpServers": {
    "vulnfeed": {
      "command": "uvx",
      "args": ["vulnfeed-mcp"],
      "env": {
        "VULNFEED_API_KEY": "YOUR_LICENSE_KEY_HERE"
      }
    }
  }
}
```

Get a license key at [vulnfeed.novadyne.ai](https://vulnfeed.novadyne.ai).

## Tools

### Scanning

| Tool | Description |
|------|-------------|
| `scan_project` | Auto-detect and scan all lockfiles in a directory |
| `scan_lockfile` | Scan a specific lockfile |
| `check_package` | Check a single package for vulnerabilities |
| `lookup_cve` | Detailed CVE info with EPSS + fix versions |

### Monitoring

| Tool | Description |
|------|-------------|
| `monitor_project` | Register for continuous monitoring |
| `check_alerts` | New vulns since last scan |
| `update_deps` | Update snapshot after upgrading packages |
| `list_monitored` | See all monitored projects |
| `unmonitor_project` | Remove from monitoring |

## Supported lockfiles

- `package-lock.json` (npm)
- `yarn.lock` (Yarn)
- `pnpm-lock.yaml` (pnpm)
- `requirements.txt` (pip)
- `Pipfile.lock` (Pipenv)
- `go.sum` / `go.mod` (Go)
- `Cargo.lock` (Rust)
- `Gemfile.lock` (Ruby)
- `composer.lock` (PHP)

## How it works

1. Parses your lockfile to extract dependency names + versions
2. Queries OSV.dev (NVD + GitHub Advisories) for known CVEs
3. Enriches with EPSS exploit probability scores
4. Filters noise — suppresses low-EPSS, non-critical CVEs by default
5. Sorts by exploitability — most likely to be exploited first
6. Returns fix version recommendations from package registries

### Smart filtering

By default, VulnFeed suppresses low-priority CVEs (EPSS < 10% AND CVSS < 9.0). This cuts noise by ~80%.

Pass `show_all=True` to any scan tool to see everything.

### Continuous monitoring

1. `monitor_project` — takes a baseline snapshot of current deps + known vulns
2. `check_alerts` — diffs against baseline, surfaces only new vulns
3. Run `check_alerts` periodically to catch newly published CVEs
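A constructed Python walk-through of the pipeline above (parse the lockfile, apply the default EPSS/CVSS suppression rule, sort by exploitability) together with the `check_alerts`-style baseline diff; this is an added example, not code from vulnfeed-mcp, and the `requirements.txt` text, the `Finding` records and the CVE ids are constructed stand-ins for the OSV.dev and EPSS lookups.

```python
from dataclasses import dataclass

# Constructed sample requirements.txt; pinned lines only, as a lockfile would carry
REQUIREMENTS_TXT = """\
requests==2.25.1
urllib3==1.26.4   # inline comment must be stripped
Flask==2.0.1
pytest            # unpinned: no version to match against advisories
"""

@dataclass(frozen=True)
class Finding:
    package: str
    cve: str      # placeholder ids, not real advisories
    epss: float   # EPSS probability, 0..1
    cvss: float   # CVSS base score, 0..10
    fixed_in: str

# Constructed findings standing in for the OSV.dev + EPSS lookups
FINDINGS = [
    Finding("requests", "CVE-0000-0001", 0.02, 6.1, "2.31.0"),  # low EPSS, low CVSS: noise
    Finding("urllib3", "CVE-0000-0002", 0.45, 7.5, "1.26.5"),   # likely exploited: keep
    Finding("flask", "CVE-0000-0003", 0.03, 9.8, "2.2.5"),      # low EPSS but critical: keep
]

def parse_requirements(text: str) -> list[tuple[str, str]]:
    """Extract (name, version) pairs from pinned 'name==version' lines."""
    deps = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if "==" not in line:
            continue  # unpinned or blank: nothing to match against
        name, version = line.split("==", 1)
        deps.append((name.strip().lower(), version.strip()))
    return deps

def is_noise(f: Finding) -> bool:
    """README default suppression rule: EPSS < 10% AND CVSS < 9.0."""
    return f.epss < 0.10 and f.cvss < 9.0

def prioritize(findings: list[Finding], show_all: bool = False) -> list[Finding]:
    """Drop noise unless show_all, then sort most-likely-exploited first."""
    kept = findings if show_all else [f for f in findings if not is_noise(f)]
    return sorted(kept, key=lambda f: (f.epss, f.cvss), reverse=True)

def new_since_baseline(baseline: set[str], current: list[Finding]) -> list[Finding]:
    """check_alerts-style diff: surface only CVE ids absent from the baseline."""
    return [f for f in current if f.cve not in baseline]
```

Note that the critical `flask` finding survives the filter despite its low EPSS because the rule suppresses only when both thresholds are met.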

## License

MIT
