MCP.so
ログイン
A

Attestd - Deterministic CVE & Supply Chain Data

@attestd-io

Attestd - Deterministic CVE & Supply Chain Data について

Deterministic, machine-readable CVE and supply chain risk data for infrastructure, PyPI, and npm packages. Built for AI agents and coding assistants to act on directly, no CVSS interpretation required. Covers nginx, PostgreSQL, Redis, Docker, Kubernetes, and more.

基本情報

ライセンス

MIT

ランタイム

node

トランスポート

stdio

公開者

attestd-io

投稿者

Robert Marshall

設定

以下の設定を使って、このサーバーを MCP 対応クライアントに追加してください。

{
  "mcpServers": {
    "attestd": {
      "command": "npx",
      "args": [
        "-y",
        "@attestd/mcp"
      ],
      "env": {
        "ATTESTD_API_KEY": "<YOUR_API_KEY>"
      }
    }
  }
}

ツール

3

check a single package or infrastructure product by slug and version, returns risk state, active exploitation status, patch availability, and supply chain compromise signal

check up to 100 packages in one call, use for lockfile or dependency manifest audits instead of looping the single-check tool

list all 350+ covered infrastructure products by slug, useful to confirm a slug before checking it

概要

What is Attestd - Deterministic CVE & Supply Chain Data?

Attestd checks whether a dependency version has exploitable CVEs or a confirmed supply-chain compromise. One API call returns a structured risk response. This MCP server exposes these checks as tools for Claude Code, Claude Desktop, and any MCP-compatible client.

How to use Attestd - Deterministic CVE & Supply Chain Data?

Run the server via npx -y @attestd/mcp and configure an API key in the ATTESTD_API_KEY environment variable inside your MCP client’s configuration (e.g., ~/.claude/mcp.json). The server exposes four tools: check_package_vulnerability, check_batch_vulnerabilities, list_covered_products, and get_cve_details.

Key features of Attestd - Deterministic CVE & Supply Chain Data

  • Check a single package version for CVEs and supply-chain risks
  • Batch-check up to 100 packages in one call (lockfile/manifest audits)
  • Query covered products (live or static bundled list)
  • Retrieve full CVE details including CVSS, EPSS, CISA KEV status
  • Structured JSON response with risk state, patch guidance, and confidence

Use cases of Attestd - Deterministic CVE & Supply Chain Data

  • Automatically audit a project’s dependencies before deployment
  • Scan lockfiles or manifests for known vulnerabilities
  • Investigate specific CVE identifiers for enterprise risk assessment
  • Monitor supply-chain compromise signals (typosquat, PyPI/npm alerts)

FAQ from Attestd - Deterministic CVE & Supply Chain Data

What are the prerequisites?

Node.js 18+ and an Attestd API key (free from the portal) are required for most tools.

Can I use the server without an API key?

list_covered_products returns a static bundled list without a key; all other tools require a valid API key.

How many packages can I check in a single batch?

Up to 100 items per call. Each item counts toward your API quota, and the quota is checked before any calls are billed.

What happens if the API key is invalid or rate‑limited?

The tool returns isError: true with a JSON error string.

What data does check_package_vulnerability return?

It returns risk state, CVE IDs, CISA KEV signal, remote exploitability, patch availability, supply-chain compromise flags, and more.

コメント

マーケットプレイスの他のコンテンツ