Open Source Software Supply Chain
@apifyforge
Open source supply chain risk assessment for AppSec teams, engineering leads, and platform engineers who need more than a CVE scanner. This MCP server aggregates 7 live data sources — GitHub, NVD, CISA KEV, StackExchange, Hacker News, Federal Register, and Congress.
Overview
What is Open Source Software Supply Chain?
Open Source Software Supply Chain is an MCP server that aggregates 7 live data sources—GitHub, NVD, CISA KEV, StackExchange, Hacker News, Federal Register, and Congress.gov—into a composite Dependency Risk Score (0-100) with machine‑readable verdicts from LOW_RISK to DO_NOT_USE. It is built for AppSec teams, engineering leads, and platform engineers who need supply chain risk intelligence beyond CVE scanning.
How to use Open Source Software Supply Chain?
Add the server URL (https://ryanclinton--open-source-software-supply-chain-mcp.apify.actor/mcp) to your MCP client (Claude Desktop, Cursor, Windsurf) with your Apify API token as Authorization: Bearer YOUR_TOKEN. Call any of the 8 tools—for example, dependency_risk_assessment with a package name like "lodash"—to receive a structured verdict, composite score, signals, and recommendations.
Key features of Open Source Software Supply Chain
- Composite Dependency Risk Score using a weighted 4‑dimension formula
- Maintainer bus factor analysis with contributor Gini coefficient
- CISA KEV cross‑reference for active exploitation and ransomware use
- SBOM regulatory compliance tracking from Federal Register and Congress.gov
- Parallel execution of all 7 data sources with 120‑second timeouts
- Hard‑override rule: CISA KEV + single‑point bus factor forces
DO_NOT_USE
Use cases of Open Source Software Supply Chain
- AppSec team dependency audits to prioritize transitive vulnerabilities
- Engineering lead package selection comparing candidate libraries
- SBOM compliance and procurement for federal mandate tracking
- Security incident response cross‑referencing CVEs, KEV, and breach reports
- CI/CD pipeline gates using machine‑readable verdicts
- Vendor due diligence producing documented risk scores
FAQ from Open Source Software Supply Chain
What data sources does the server use?
It uses 7 sources: GitHub (bus factor, license, community), NVD (CVE severity), CISA KEV (active exploitation), StackExchange (Q&A), Hacker News (security mentions), Federal Register (regulatory), and Congress.gov (bills).
How is the composite risk score calculated?
The score uses a weighted formula: vulnerability exposure (35%), bus factor risk (25%), inverse community health (20%), and inverse SBOM compliance (20%). Sub‑scores for CVE severity, KEV entries, activity recency, and license copyleft are summed up to 100.
What verdicts can the server return?
Five verdicts: LOW_RISK, ACCEPTABLE, REVIEW_NEEDED, HIGH_RISK, and DO_NOT_USE. The hard‑override rule forces DO_NOT_USE if a package has both a CISA KEV entry and a SINGLE_POINT bus factor.
What is the pricing per tool call?
Each tool call costs $0.045. Spending limits are enforced per run to prevent runaway costs in automated pipelines.
Do I need a subscription or per‑seat license?
No. There is no subscription, no per‑seat pricing, and no CVE‑only blindspots. You pay per tool call ($0.045) and can use it with any MCP‑compatible client or API.