Open Source Software Supply Chain
@apifyforge
About Open Source Software Supply Chain
Open source supply chain risk assessment for AppSec teams, engineering leads, and platform engineers who need more than a CVE scanner. This MCP server aggregates 7 live data sources — GitHub, NVD, CISA KEV, StackExchange, Hacker News, Federal Register, and Congress.
Basic information
Config
Add this server to your MCP-compatible client using the configuration below.
{
"mcpServers": {
"open-source-software-supply-chain-mcp": {
"url": "https://ryanclinton--open-source-software-supply-chain-mcp.apify.actor/mcp"
}
}
}Tools
No tools detected
We auto-extract tools from the README. The maintainer can list them under a ## Tools heading to populate this section.
Overview
What is Open Source Software Supply Chain?
Open Source Software Supply Chain is an MCP server that aggregates 7 live data sources—GitHub, NVD, CISA KEV, StackExchange, Hacker News, Federal Register, and Congress.gov—into a composite Dependency Risk Score (0-100) with machine‑readable verdicts from LOW_RISK to DO_NOT_USE. It is built for AppSec teams, engineering leads, and platform engineers who need supply chain risk intelligence beyond CVE scanning.
How to use Open Source Software Supply Chain?
Add the server URL (https://ryanclinton--open-source-software-supply-chain-mcp.apify.actor/mcp) to your MCP client (Claude Desktop, Cursor, Windsurf) with your Apify API token as Authorization: Bearer YOUR_TOKEN. Call any of the 8 tools—for example, dependency_risk_assessment with a package name like "lodash"—to receive a structured verdict, composite score, signals, and recommendations.
Key features of Open Source Software Supply Chain
- Composite Dependency Risk Score using a weighted 4‑dimension formula
- Maintainer bus factor analysis with contributor Gini coefficient
- CISA KEV cross‑reference for active exploitation and ransomware use
- SBOM regulatory compliance tracking from Federal Register and Congress.gov
- Parallel execution of all 7 data sources with 120‑second timeouts
- Hard‑override rule: CISA KEV + single‑point bus factor forces
DO_NOT_USE
Use cases of Open Source Software Supply Chain
- AppSec team dependency audits to prioritize transitive vulnerabilities
- Engineering lead package selection comparing candidate libraries
- SBOM compliance and procurement for federal mandate tracking
- Security incident response cross‑referencing CVEs, KEV, and breach reports
- CI/CD pipeline gates using machine‑readable verdicts
- Vendor due diligence producing documented risk scores
FAQ from Open Source Software Supply Chain
What data sources does the server use?
It uses 7 sources: GitHub (bus factor, license, community), NVD (CVE severity), CISA KEV (active exploitation), StackExchange (Q&A), Hacker News (security mentions), Federal Register (regulatory), and Congress.gov (bills).
How is the composite risk score calculated?
The score uses a weighted formula: vulnerability exposure (35%), bus factor risk (25%), inverse community health (20%), and inverse SBOM compliance (20%). Sub‑scores for CVE severity, KEV entries, activity recency, and license copyleft are summed up to 100.
What verdicts can the server return?
Five verdicts: LOW_RISK, ACCEPTABLE, REVIEW_NEEDED, HIGH_RISK, and DO_NOT_USE. The hard‑override rule forces DO_NOT_USE if a package has both a CISA KEV entry and a SINGLE_POINT bus factor.
What is the pricing per tool call?
Each tool call costs $0.045. Spending limits are enforced per run to prevent runaway costs in automated pipelines.
Do I need a subscription or per‑seat license?
No. There is no subscription, no per‑seat pricing, and no CVE‑only blindspots. You pay per tool call ($0.045) and can use it with any MCP‑compatible client or API.
More Other MCP servers
Blender
ahujasidOpen-source MCP to use Blender with any LLM
MCP Toolbox for Databases
googleapisMCP Toolbox for Databases is an open source MCP server for databases.
Inbox Zero AI MCP
elie222The world's best AI personal assistant for email. Open source app to help you reach inbox zero fast.

Sequential Thinking
modelcontextprotocolModel Context Protocol Servers
🚀 Model Context Protocol (MCP) Curriculum for Beginners
microsoftThis open-source curriculum introduces the fundamentals of Model Context Protocol (MCP) through real-world, cross-language examples in .NET, Java, TypeScript, JavaScript, Rust and Python. Designed for developers, it focuses on practical techniques for building modular, scalable,
Comments