MCP.so
Sign In

Open Source Supply Chain Risk

@apifyforge

About Open Source Supply Chain Risk

Open source supply chain risk analysis via MCP — give your AI agent direct access to CVE records, CISA KEV exploits, maintainer bus-factor scores, and typosquat detection across 7 live intelligence sources.

Basic information

Category

Other

License

MIT

Publisher

apifyforge

Config

Add this server to your MCP-compatible client using the configuration below.

{
  "mcpServers": {
    "open-source-supply-chain-risk-mcp": {
      "url": "https://ryanclinton--open-source-supply-chain-risk-mcp.apify.actor/mcp"
    }
  }
}

Tools

No tools detected

We auto-extract tools from the README. The maintainer can list them under a ## Tools heading to populate this section.

Overview

What is Open Source Supply Chain Risk?

An MCP server that analyzes open source supply chain risk through CVE records, CISA KEV exploits, maintainer bus-factor scores, and typosquat detection across seven live intelligence sources. It is built for security engineers, DevSecOps teams, and AI-assisted workflows requiring SBOM-grade risk intelligence within an AI client.

How to use Open Source Supply Chain Risk?

Add the server to your MCP client (e.g., Claude Desktop, Cursor, Windsurf) using the Streamable HTTP endpoint https://open-source-supply-chain-risk-mcp.apify.actor/mcp with your Apify API token in the Authorization: Bearer header. Start with the generate_oss_risk_report tool on a package or repository name.

Key features of Open Source Supply Chain Risk

  • Typed OSS dependency network graph with 7 node types
  • Maintainer bus-factor scoring with abandonment decay model
  • CVE blast radius estimation via BFS graph traversal
  • CISA KEV cross-referencing with active exploitation factor
  • Levenshtein typosquat detection across discovered repository names
  • 5-factor weighted supply chain risk scoring (0–1)
  • Parallel queries across all 7 data sources (under 30 seconds)
  • 5-minute in-process cache per session query

Use cases of Open Source Supply Chain Risk

  • DevSecOps pipeline gate – block PRs on high‑risk or exploited dependencies
  • SBOM audit and vendor risk management – generate reports with CISA remediation steps
  • Incident response triage – discover blast radius of a new critical CVE
  • Package vetting before adoption – compare maintainer health and risk scores
  • Supply chain attack early warning – monitor ArXiv papers and community discussion trends
  • Typosquat monitoring for package registries – detect malicious lookalike packages

FAQ from Open Source Supply Chain Risk

What data sources does the server use?

It queries GitHub, NVD, CISA KEV, Hacker News, StackExchange, ArXiv, and Censys concurrently.

How much does a tool call cost?

Each MCP tool call costs $0.035 (USD) under the Apify platform pricing.

Which MCP clients are supported?

Any client supporting Streamable HTTP or SSE transport works, including Claude Desktop, Cursor, Windsurf, and Cline.

Is there caching to avoid duplicate upstream queries?

Yes, a 5‑minute in-process cache keyed by source:query reuses upstream data for repeated tool calls on the same package within a session.

How do I authenticate with the server?

Use your Apify API token as a Bearer token in the Authorization header when connecting to the endpoint.

Comments

More Other MCP servers