
Security Analyst MCP Server

Provides vulnerability checks via OSV.dev and basic security analysis with optional Semgrep integration through MCP.

go
Installation
Add the following to your MCP client configuration file.

Configuration

{
    "mcpServers": {
        "security_analyst": {
            "command": "/usr/local/bin/mcp-osv",
            "args": []
        }
    }
}

This MCP server combines vulnerability data from OSV.dev with AI-driven security analysis to inspect your codebase. It helps you identify known vulnerabilities, perform basic security checks on code files, and receive security insights from AI models through MCP. Optional static analysis is available if Semgrep is installed.

How to use

Connect with an MCP client to access vulnerability checks and security analysis tools. Use the available tools to check dependencies for known vulnerabilities and to analyze specific files or code directories. You can query for vulnerabilities in a package or analyze a file to get actionable security insights. The server is designed to work with AI models via MCP, so you can incorporate security checks into your AI-assisted workflows.

How to install

Prerequisites you need before installation:

make deps
make install

Additional content

Configuration and usage notes follow to help you integrate the MCP server into your security tooling and IDEs. The server is designed to run as a local stdio MCP agent, and you can register it with your MCP-enabled AI tools. When Semgrep is installed, the server can perform optional static code analysis; otherwise it will skip that portion.

Key tools this server exposes include vulnerability checking against the OSV.dev database and security analysis of code files.

To enable Cursor or Claude integrations, include the MCP server configuration in your client settings so the client can reach the local agent over MCP.

Usage examples for integration

Open your MCP-enabled IDE or assistant and issue requests like: "Check for vulnerabilities in the package 'express' version '4.17.1'" or "Analyze the security of the file 'main.go'." The server will respond with security findings and recommendations.

Available tools

check_vulnerabilities

Check for known vulnerabilities in dependencies using the OSV.dev database. Provide package_name and version to query the vulnerability status.

analyze_security

Analyze code for potential security issues based on OSV.dev. Provide file_path to assess a specific file.
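
The two tools above are reached through MCP's tools/call method. The Go code below is an added example, not code from this server: it builds the newline-delimited JSON-RPC requests a stdio client would write for check_vulnerabilities and analyze_security, using the parameter names listed above. The helper names, the workspace path and the client-side rule that file_path must stay under a workspace root are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path/filepath"
	"strings"
)

// rpcRequest is a JSON-RPC 2.0 request, the envelope MCP uses for tools/call.
type rpcRequest struct {
	JSONRPC string         `json:"jsonrpc"`
	ID      int            `json:"id"`
	Method  string         `json:"method"`
	Params  map[string]any `json:"params"`
}

// frame serializes one tools/call request as a single line for the stdio transport.
func frame(id int, tool string, args map[string]string) (string, error) {
	b, err := json.Marshal(rpcRequest{"2.0", id, "tools/call", map[string]any{"name": tool, "arguments": args}})
	return string(b) + "\n", err
}

// CheckVulnerabilities builds the request for the check_vulnerabilities tool.
func CheckVulnerabilities(id int, pkg, version string) (string, error) {
	if strings.TrimSpace(pkg) == "" || strings.TrimSpace(version) == "" {
		return "", fmt.Errorf("package_name and version are required")
	}
	return frame(id, "check_vulnerabilities", map[string]string{"package_name": pkg, "version": version})
}

// AnalyzeSecurity builds the analyze_security request; assumed client policy: file_path stays under workspaceRoot (lexical check).
func AnalyzeSecurity(id int, workspaceRoot, filePath string) (string, error) {
	abs := filepath.Clean(filePath)
	if !filepath.IsAbs(filePath) {
		abs = filepath.Join(workspaceRoot, filePath)
	}
	rel, err := filepath.Rel(workspaceRoot, abs)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("file_path %q is outside workspace %q", filePath, workspaceRoot)
	}
	return frame(id, "analyze_security", map[string]string{"file_path": abs})
}

func main() {
	req, _ := CheckVulnerabilities(1, "express", "4.17.1")                // values from the usage example
	_, err := AnalyzeSecurity(2, "/home/dev/project", "../../etc/passwd") // constructed path
	fmt.Printf("%srejected: %v\n", req, err)
}
```

The path check is lexical only, so a client that needs to account for symlinks should resolve them before applying it.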