supplyscan-mcp
Verified Safe
by seanhalberthal
Overview
A security scanner for JavaScript ecosystem lockfiles, detecting supply chain compromises and known vulnerabilities.
Installation
supplyscan --mcp
Environment Variables
- GITHUB_TOKEN
Security Notes
The server is built in Go, so the scanner itself is inherently immune to typical JavaScript supply chain attacks. It fetches Indicators of Compromise (IOCs) from reputable public sources (DataDog, GitHub Advisory Database) and integrates with the npm audit API. The provided source shows no indication of 'eval' usage, code obfuscation, or hardcoded secrets. Network calls go only to known security-related APIs and public data sources. File system operations are confined to reading lockfiles and managing a local cache. The custom JSONC parser handles comments and strings robustly, which prevents code or data from being misinterpreted. The GitHub token is optional, is used only to obtain higher API rate limits, and is handled appropriately.
Similar Servers
mcp-watch
A comprehensive security scanner for Model Context Protocol (MCP) servers, detecting various vulnerabilities in their implementations.
mcp-audit
Security audit and governance for AI agent configurations (MCPs) in development environments and GitHub repositories.
mcp-cybersec-watchdog
A Linux server security auditing and continuous monitoring tool that provides security posture analysis and anomaly detection capabilities, designed to be integrated with AI agents.
mcp-security-scanner
A Python-based penetration testing tool designed to scan and identify vulnerabilities in Model Context Protocol (MCP) servers.