Attestd - Deterministic CVE & Supply Chain Data
@attestd-io
Deterministic, machine-readable CVE and supply chain risk data for infrastructure, PyPI, and npm packages. Built for AI agents and coding assistants to act on directly, no CVSS interpretation required. Covers nginx, PostgreSQL, Redis, Docker, Kubernetes, and more.
Overview
What is Attestd - Deterministic CVE & Supply Chain Data?
Attestd checks whether a dependency version has exploitable CVEs or a confirmed supply-chain compromise. One API call returns a structured risk response. This MCP server exposes these checks as tools for Claude Code, Claude Desktop, and any MCP-compatible client.
How to use Attestd - Deterministic CVE & Supply Chain Data?
Run the server via npx -y @attestd/mcp and configure an API key in the ATTESTD_API_KEY environment variable inside your MCP client’s configuration (e.g., ~/.claude/mcp.json). The server exposes four tools: check_package_vulnerability, check_batch_vulnerabilities, list_covered_products, and get_cve_details.
Key features of Attestd - Deterministic CVE & Supply Chain Data
- Check a single package version for CVEs and supply-chain risks
- Batch-check up to 100 packages in one call (lockfile/manifest audits)
- Query covered products (live or static bundled list)
- Retrieve full CVE details including CVSS, EPSS, CISA KEV status
- Structured JSON response with risk state, patch guidance, and confidence
Use cases of Attestd - Deterministic CVE & Supply Chain Data
- Automatically audit a project’s dependencies before deployment
- Scan lockfiles or manifests for known vulnerabilities
- Investigate specific CVE identifiers for enterprise risk assessment
- Monitor supply-chain compromise signals (typosquat, PyPI/npm alerts)
FAQ from Attestd - Deterministic CVE & Supply Chain Data
What are the prerequisites?
Node.js 18+ and an Attestd API key (free from the portal) are required for most tools.
Can I use the server without an API key?
list_covered_products returns a static bundled list without a key; all other tools require a valid API key.
How many packages can I check in a single batch?
Up to 100 items per call. Each item counts toward your API quota, and the quota is checked before any calls are billed.
What happens if the API key is invalid or rate‑limited?
The tool returns isError: true with a JSON error string.
What data does check_package_vulnerability return?
It returns risk state, CVE IDs, CISA KEV signal, remote exploitability, patch availability, supply-chain compromise flags, and more.