OSV.dev Security Analyzer MCP server

The MCP Security Analyst provides security analysis capabilities by integrating with OSV.dev and AI models to help identify and analyze potential vulnerabilities in your codebase. It works as a Model Context Protocol (MCP) server that seamlessly connects with coding assistants like Cursor and Claude.

Features

• Vulnerability checking using OSV.dev database
• Basic security analysis of code files
• Integration with AI models for security insights
• MCP protocol support for seamless integration with various AI tools
• Optional static code analysis using Semgrep (if installed)

Requirements

Core Requirements

make deps
make install

Optional: Semgrep Installation

For enhanced static code analysis, you can install Semgrep:

macOS:

brew install semgrep

Linux:

python3 -m pip install semgrep

For other platforms, visit the Semgrep Installation Guide for detailed instructions.

The MCP server will work without Semgrep installed, but will skip the static analysis portion when analyzing directories.

Installation

Install the MCP Security Analyst with:

make deps
make install

The mcp-osv command will be installed on PATH and use the stdin/stdout method.

Configuration

Cursor IDE Configuration

Configure Cursor to use mcp-osv by navigating to Configuration → MCP tab and adding:

{
  "mcpServers": {
    "security_analyst": {
      "name": "Security Analyst",
      "type": "stdio",
      "command": "/usr/local/bin/mcp-osv"
    }
  }
}

Claude Configuration

Configure Claude under Settings → Developer using:

{
  "mcpServers": {
    "mcp-osv": {
      "command": "/usr/local/bin/mcp-osv",
      "args": []
    }
  }
}

Available Tools

check_vulnerabilities

This tool checks for known vulnerabilities in dependencies using OSV.dev database.

Parameters:

• package_name: Name of the package to check
• version: Version of the package to check

analyze_security

Analyzes code for potential security issues based on the OSV.dev vulnerability database.

Parameters:

• file_path: Path to the file to analyze

Usage Examples

After setting up the server, restart your IDE and you can ask:

"Analyze the security of my project using mcp-osv"

To check for vulnerabilities in a specific package:

"Check for vulnerabilities in the package 'express' version '4.17.1'"

To analyze a specific file:

"Analyze the security of the file 'main.go'"

The server will process your requests and provide security insights through the MCP protocol.

Debugging

To debug in VSCode, go to Help → Toggle developer tools and look for MCP in the console.

How to add this MCP server to Cursor

There are two ways to add an MCP server to Cursor. The most common way is to add the server globally in the ~/.cursor/mcp.json file so that it is available in all of your projects.

If you only need the server in a single project, you can add it to the project instead by creating or adding it to the .cursor/mcp.json file.

Adding an MCP server to Cursor globally

To add a global MCP server go to Cursor Settings > MCP and click "Add new global MCP server".

When you click that button the ~/.cursor/mcp.json file will be opened and you can add your server like this:

{
    "mcpServers": {
        "cursor-rules-mcp": {
            "command": "npx",
            "args": [
                "-y",
                "cursor-rules-mcp"
            ]
        }
    }
}

Adding an MCP server to a project

To add an MCP server to a project you can create a new .cursor/mcp.json file or add it to the existing one. This will look exactly the same as the global MCP server example above.

How to use the MCP server

Once the server is installed, you might need to head back to Settings > MCP and click the refresh button.

The Cursor agent will then be able to see the available tools the added MCP server has available and will call them when it needs to.

You can also explictly ask the agent to use the tool by mentioning the tool name and describing what the function does.