MCP.so
登录

Open Source Software Supply Chain

@apifyforge

关于 Open Source Software Supply Chain

Open source supply chain risk assessment for AppSec teams, engineering leads, and platform engineers who need more than a CVE scanner. This MCP server aggregates 7 live data sources — GitHub, NVD, CISA KEV, StackExchange, Hacker News, Federal Register, and Congress.

基本信息

分类

其他

许可证

MIT

发布者

apifyforge

配置

使用下面的配置,将此服务器添加到你的 MCP 客户端。

{
  "mcpServers": {
    "open-source-software-supply-chain-mcp": {
      "url": "https://ryanclinton--open-source-software-supply-chain-mcp.apify.actor/mcp"
    }
  }
}

工具

未检测到工具

工具是从 README 中自动提取的。维护者可以在 ## Tools 标题下列出工具,即可填充这部分内容。

概览

What is Open Source Software Supply Chain?

Open Source Software Supply Chain is an MCP server that aggregates 7 live data sources—GitHub, NVD, CISA KEV, StackExchange, Hacker News, Federal Register, and Congress.gov—into a composite Dependency Risk Score (0-100) with machine‑readable verdicts from LOW_RISK to DO_NOT_USE. It is built for AppSec teams, engineering leads, and platform engineers who need supply chain risk intelligence beyond CVE scanning.

How to use Open Source Software Supply Chain?

Add the server URL (https://ryanclinton--open-source-software-supply-chain-mcp.apify.actor/mcp) to your MCP client (Claude Desktop, Cursor, Windsurf) with your Apify API token as Authorization: Bearer YOUR_TOKEN. Call any of the 8 tools—for example, dependency_risk_assessment with a package name like "lodash"—to receive a structured verdict, composite score, signals, and recommendations.

Key features of Open Source Software Supply Chain

  • Composite Dependency Risk Score using a weighted 4‑dimension formula
  • Maintainer bus factor analysis with contributor Gini coefficient
  • CISA KEV cross‑reference for active exploitation and ransomware use
  • SBOM regulatory compliance tracking from Federal Register and Congress.gov
  • Parallel execution of all 7 data sources with 120‑second timeouts
  • Hard‑override rule: CISA KEV + single‑point bus factor forces DO_NOT_USE

Use cases of Open Source Software Supply Chain

  • AppSec team dependency audits to prioritize transitive vulnerabilities
  • Engineering lead package selection comparing candidate libraries
  • SBOM compliance and procurement for federal mandate tracking
  • Security incident response cross‑referencing CVEs, KEV, and breach reports
  • CI/CD pipeline gates using machine‑readable verdicts
  • Vendor due diligence producing documented risk scores

FAQ from Open Source Software Supply Chain

What data sources does the server use?

It uses 7 sources: GitHub (bus factor, license, community), NVD (CVE severity), CISA KEV (active exploitation), StackExchange (Q&A), Hacker News (security mentions), Federal Register (regulatory), and Congress.gov (bills).

How is the composite risk score calculated?

The score uses a weighted formula: vulnerability exposure (35%), bus factor risk (25%), inverse community health (20%), and inverse SBOM compliance (20%). Sub‑scores for CVE severity, KEV entries, activity recency, and license copyleft are summed up to 100.

What verdicts can the server return?

Five verdicts: LOW_RISK, ACCEPTABLE, REVIEW_NEEDED, HIGH_RISK, and DO_NOT_USE. The hard‑override rule forces DO_NOT_USE if a package has both a CISA KEV entry and a SINGLE_POINT bus factor.

What is the pricing per tool call?

Each tool call costs $0.045. Spending limits are enforced per run to prevent runaway costs in automated pipelines.

Do I need a subscription or per‑seat license?

No. There is no subscription, no per‑seat pricing, and no CVE‑only blindspots. You pay per tool call ($0.045) and can use it with any MCP‑compatible client or API.

评论

其他 分类下的更多 MCP 服务器