Vulnicheck

Name: Vulnicheck
Author: andrasfe

andrasfe/vulnicheck

Run Python dependency and vulnerability checks from your agent via HTTP MCP with NVD and GitHub advisory context before you ship.

Overview

Vulnicheck is a MCP server for the Ship phase that exposes Python vulnerability scanning and security analysis over HTTP MCP with NVD and GitHub advisory integrations.

What is this MCP server?

HTTP streamable MCP at configurable URL (default http://localhost:3000/mcp) via Docker image docker.io/andrasfe/vulniche
NVD_API_KEY raises NIST rate limits; GITHUB_TOKEN improves GitHub Advisory Database access
Optional OPENAI_API_KEY or ANTHROPIC_API_KEY for LLM-based risk assessment in MCP passthrough flows
Comprehensive Python-focused vulnerability scanning and security analysis positioning
OCI registry distribution—agent connects over HTTP rather than stdio
Server schema version 0.1.0
NVD rate limit improves from 5 to 50 requests per 30 seconds with NVD_API_KEY (per server env docs)
GitHub token documented up to 5000 requests per hour for Advisory Database access

Compatible agents: Claude Code, Cursor, Codex, any compatible agent

What problem does it solve?

Shipping Python apps without integrated CVE and advisory checks forces context switching and leaves agents unable to run a consistent security scan.

Who is it for?

Builders maintaining Python codebases who want agent-driven security scans tied to NVD and GitHub advisories before release.

Skip if: Non-Python-only stacks, teams without appetite for Docker plus optional LLM keys, or orgs needing certified penetration testing deliverables.

What do I get? / Deliverables

After you run the container and register the HTTP MCP endpoint, your agent can trigger vulnerability scans and richer risk views using your configured API keys.

Agent-invoked Python security and vulnerability analysis
Advisory-enriched scan results via configured external APIs
Optional LLM-assisted risk assessment when API keys are set

Recommended MCP Servers

1Claw Vault1clawAI/1claw-mcp

1Claw Vault exposes a stdio MCP server (@1claw/mcp) that connects AI agents to HSM-backed secret storage with just-in-ti…2 stars

1passwordCakeRepository/1Password-MCP

The 1Password MCP server lets solo builders wire service-account access into Claude Code, Cursor, or other stdio MCP hos…16 stars

402sentinel Mcpkaditang/402sentinel-mcp

402 Sentinel MCP gives solo builders and agent authors a pre-flight check before honoring x402 payment flows on Base. In…1 stars

A2adependencyinspector Mcpclauxel/a2a-dependency-inspector-mcp

A2A Dependency Inspector MCP is a hosted Clauxel server for builders shipping agent-to-agent (A2A) workflows who must pr…

A2a Governance Bridge Mcp

A2A Governance Bridge is a Model Context Protocol server that exposes governance-oriented tools for multi-agent setups: …

A2aidentitytoll Mcpclauxel/a2a-identity-toll-mcp

A2A Identity Toll MCP is a Clauxel-hosted remote MCP server that acts as an identity and policy toll booth for agent-to-…

Journey fit

Primary fit

Vulnerability scanning belongs in Ship when you harden the codebase and dependencies ahead of release or CI gates. security is the shelf for MCP servers that assess CVEs, advisories, and risk—not for generic coding or deployment automation.

How it compares

HTTP MCP vulnerability scanner for Python, not a general code linter or infrastructure CSPM product.

Common Questions / FAQ

Who is Vulnicheck for?

Indie developers and small teams shipping Python software who want MCP-accessible vulnerability scanning with national and GitHub advisory feeds.

When should I use Vulnicheck?

Use it in ship and security prep—pre-release, after dependency bumps, or when onboarding an agent to audit a Python repo.

How do I add Vulnicheck to my agent?

Run the vulnicheck Docker image, set MCP_PORT if needed, configure NVD_API_KEY and GITHUB_TOKEN (and optional LLM keys), then add the streamable-http MCP URL to your agent config.

Vulnicheck

andrasfe/vulnicheck

Run Python dependency and vulnerability checks from your agent via HTTP MCP with NVD and GitHub advisory context before you ship.

Overview

Vulnicheck is a MCP server for the Ship phase that exposes Python vulnerability scanning and security analysis over HTTP MCP with NVD and GitHub advisory integrations.

What is this MCP server?

HTTP streamable MCP at configurable URL (default http://localhost:3000/mcp) via Docker image docker.io/andrasfe/vulniche
NVD_API_KEY raises NIST rate limits; GITHUB_TOKEN improves GitHub Advisory Database access
Optional OPENAI_API_KEY or ANTHROPIC_API_KEY for LLM-based risk assessment in MCP passthrough flows
Comprehensive Python-focused vulnerability scanning and security analysis positioning
OCI registry distribution—agent connects over HTTP rather than stdio
Server schema version 0.1.0
NVD rate limit improves from 5 to 50 requests per 30 seconds with NVD_API_KEY (per server env docs)
GitHub token documented up to 5000 requests per hour for Advisory Database access

Compatible agents: Claude Code, Cursor, Codex, any compatible agent

What problem does it solve?

Shipping Python apps without integrated CVE and advisory checks forces context switching and leaves agents unable to run a consistent security scan.

Who is it for?

Builders maintaining Python codebases who want agent-driven security scans tied to NVD and GitHub advisories before release.

Skip if: Non-Python-only stacks, teams without appetite for Docker plus optional LLM keys, or orgs needing certified penetration testing deliverables.

What do I get? / Deliverables

After you run the container and register the HTTP MCP endpoint, your agent can trigger vulnerability scans and richer risk views using your configured API keys.

Agent-invoked Python security and vulnerability analysis
Advisory-enriched scan results via configured external APIs
Optional LLM-assisted risk assessment when API keys are set

Recommended MCP Servers

1Claw Vault1clawAI/1claw-mcp

1Claw Vault exposes a stdio MCP server (@1claw/mcp) that connects AI agents to HSM-backed secret storage with just-in-ti…2 stars

1passwordCakeRepository/1Password-MCP

The 1Password MCP server lets solo builders wire service-account access into Claude Code, Cursor, or other stdio MCP hos…16 stars

402sentinel Mcpkaditang/402sentinel-mcp

402 Sentinel MCP gives solo builders and agent authors a pre-flight check before honoring x402 payment flows on Base. In…1 stars

A2adependencyinspector Mcpclauxel/a2a-dependency-inspector-mcp

A2A Dependency Inspector MCP is a hosted Clauxel server for builders shipping agent-to-agent (A2A) workflows who must pr…

A2a Governance Bridge Mcp

A2A Governance Bridge is a Model Context Protocol server that exposes governance-oriented tools for multi-agent setups: …

A2aidentitytoll Mcpclauxel/a2a-identity-toll-mcp

A2A Identity Toll MCP is a Clauxel-hosted remote MCP server that acts as an identity and policy toll booth for agent-to-…

Journey fit

Primary fit

How it compares

HTTP MCP vulnerability scanner for Python, not a general code linter or infrastructure CSPM product.

Common Questions / FAQ

Who is Vulnicheck for?

Indie developers and small teams shipping Python software who want MCP-accessible vulnerability scanning with national and GitHub advisory feeds.

When should I use Vulnicheck?

Use it in ship and security prep—pre-release, after dependency bumps, or when onboarding an agent to audit a Python repo.

How do I add Vulnicheck to my agent?

Run the vulnicheck Docker image, set MCP_PORT if needed, configure NVD_API_KEY and GITHUB_TOKEN (and optional LLM keys), then add the streamable-http MCP URL to your agent config.

Overview

What is this MCP server?

What problem does it solve?

Who is it for?

What do I get? / Deliverables

Recommended MCP Servers

Journey fit

Who is Vulnicheck for?

When should I use Vulnicheck?

How do I add Vulnicheck to my agent?

This week for builders

Overview

What is this MCP server?

What problem does it solve?

Who is it for?

What do I get? / Deliverables

Recommended MCP Servers

Journey fit

Who is Vulnicheck for?

When should I use Vulnicheck?

How do I add Vulnicheck to my agent?