MCP.so
Sign In
A

Attestd - Deterministic CVE & Supply Chain Data

@attestd-io

About Attestd - Deterministic CVE & Supply Chain Data

Deterministic, machine-readable CVE and supply chain risk data for infrastructure, PyPI, and npm packages. Built for AI agents and coding assistants to act on directly, no CVSS interpretation required. Covers nginx, PostgreSQL, Redis, Docker, Kubernetes, and more.

Basic information

License

MIT

Runtime

node

Transports

stdio

Publisher

attestd-io

Submitted by

Robert Marshall

Config

Add this server to your MCP-compatible client using the configuration below.

{
  "mcpServers": {
    "attestd": {
      "command": "npx",
      "args": [
        "-y",
        "@attestd/mcp"
      ],
      "env": {
        "ATTESTD_API_KEY": "<YOUR_API_KEY>"
      }
    }
  }
}

Tools

3

check a single package or infrastructure product by slug and version, returns risk state, active exploitation status, patch availability, and supply chain compromise signal

check up to 100 packages in one call, use for lockfile or dependency manifest audits instead of looping the single-check tool

list all 350+ covered infrastructure products by slug, useful to confirm a slug before checking it

Overview

What is Attestd - Deterministic CVE & Supply Chain Data?

Attestd checks whether a dependency version has exploitable CVEs or a confirmed supply-chain compromise. One API call returns a structured risk response. This MCP server exposes these checks as tools for Claude Code, Claude Desktop, and any MCP-compatible client.

How to use Attestd - Deterministic CVE & Supply Chain Data?

Run the server via npx -y @attestd/mcp and configure an API key in the ATTESTD_API_KEY environment variable inside your MCP client’s configuration (e.g., ~/.claude/mcp.json). The server exposes four tools: check_package_vulnerability, check_batch_vulnerabilities, list_covered_products, and get_cve_details.

Key features of Attestd - Deterministic CVE & Supply Chain Data

  • Check a single package version for CVEs and supply-chain risks
  • Batch-check up to 100 packages in one call (lockfile/manifest audits)
  • Query covered products (live or static bundled list)
  • Retrieve full CVE details including CVSS, EPSS, CISA KEV status
  • Structured JSON response with risk state, patch guidance, and confidence

Use cases of Attestd - Deterministic CVE & Supply Chain Data

  • Automatically audit a project’s dependencies before deployment
  • Scan lockfiles or manifests for known vulnerabilities
  • Investigate specific CVE identifiers for enterprise risk assessment
  • Monitor supply-chain compromise signals (typosquat, PyPI/npm alerts)

FAQ from Attestd - Deterministic CVE & Supply Chain Data

What are the prerequisites?

Node.js 18+ and an Attestd API key (free from the portal) are required for most tools.

Can I use the server without an API key?

list_covered_products returns a static bundled list without a key; all other tools require a valid API key.

How many packages can I check in a single batch?

Up to 100 items per call. Each item counts toward your API quota, and the quota is checked before any calls are billed.

What happens if the API key is invalid or rate‑limited?

The tool returns isError: true with a JSON error string.

What data does check_package_vulnerability return?

It returns risk state, CVE IDs, CISA KEV signal, remote exploitability, patch availability, supply-chain compromise flags, and more.

Comments

More MCP servers