Open Source Software Supply Chain
@apifyforge
关于 Open Source Software Supply Chain
Open source supply chain risk assessment for AppSec teams, engineering leads, and platform engineers who need more than a CVE scanner. This MCP server aggregates 7 live data sources — GitHub, NVD, CISA KEV, StackExchange, Hacker News, Federal Register, and Congress.
基本信息
配置
使用下面的配置,将此服务器添加到你的 MCP 客户端。
{
"mcpServers": {
"open-source-software-supply-chain-mcp": {
"url": "https://ryanclinton--open-source-software-supply-chain-mcp.apify.actor/mcp"
}
}
}工具
未检测到工具
工具是从 README 中自动提取的。维护者可以在 ## Tools 标题下列出工具,即可填充这部分内容。
概览
What is Open Source Software Supply Chain?
Open Source Software Supply Chain is an MCP server that aggregates 7 live data sources—GitHub, NVD, CISA KEV, StackExchange, Hacker News, Federal Register, and Congress.gov—into a composite Dependency Risk Score (0-100) with machine‑readable verdicts from LOW_RISK to DO_NOT_USE. It is built for AppSec teams, engineering leads, and platform engineers who need supply chain risk intelligence beyond CVE scanning.
How to use Open Source Software Supply Chain?
Add the server URL (https://ryanclinton--open-source-software-supply-chain-mcp.apify.actor/mcp) to your MCP client (Claude Desktop, Cursor, Windsurf) with your Apify API token as Authorization: Bearer YOUR_TOKEN. Call any of the 8 tools—for example, dependency_risk_assessment with a package name like "lodash"—to receive a structured verdict, composite score, signals, and recommendations.
Key features of Open Source Software Supply Chain
- Composite Dependency Risk Score using a weighted 4‑dimension formula
- Maintainer bus factor analysis with contributor Gini coefficient
- CISA KEV cross‑reference for active exploitation and ransomware use
- SBOM regulatory compliance tracking from Federal Register and Congress.gov
- Parallel execution of all 7 data sources with 120‑second timeouts
- Hard‑override rule: CISA KEV + single‑point bus factor forces
DO_NOT_USE
Use cases of Open Source Software Supply Chain
- AppSec team dependency audits to prioritize transitive vulnerabilities
- Engineering lead package selection comparing candidate libraries
- SBOM compliance and procurement for federal mandate tracking
- Security incident response cross‑referencing CVEs, KEV, and breach reports
- CI/CD pipeline gates using machine‑readable verdicts
- Vendor due diligence producing documented risk scores
FAQ from Open Source Software Supply Chain
What data sources does the server use?
It uses 7 sources: GitHub (bus factor, license, community), NVD (CVE severity), CISA KEV (active exploitation), StackExchange (Q&A), Hacker News (security mentions), Federal Register (regulatory), and Congress.gov (bills).
How is the composite risk score calculated?
The score uses a weighted formula: vulnerability exposure (35%), bus factor risk (25%), inverse community health (20%), and inverse SBOM compliance (20%). Sub‑scores for CVE severity, KEV entries, activity recency, and license copyleft are summed up to 100.
What verdicts can the server return?
Five verdicts: LOW_RISK, ACCEPTABLE, REVIEW_NEEDED, HIGH_RISK, and DO_NOT_USE. The hard‑override rule forces DO_NOT_USE if a package has both a CISA KEV entry and a SINGLE_POINT bus factor.
What is the pricing per tool call?
Each tool call costs $0.045. Spending limits are enforced per run to prevent runaway costs in automated pipelines.
Do I need a subscription or per‑seat license?
No. There is no subscription, no per‑seat pricing, and no CVE‑only blindspots. You pay per tool call ($0.045) and can use it with any MCP‑compatible client or API.
其他 分类下的更多 MCP 服务器
MCP Registry
modelcontextprotocolA community driven registry service for Model Context Protocol (MCP) servers.
Inbox Zero AI MCP
elie222The world's best AI personal assistant for email. Open source app to help you reach inbox zero fast.
XcodeBuildMCP
cameroncookeA Model Context Protocol (MCP) server and CLI that provides tools for agent use when working on iOS and macOS projects.

EverArt
modelcontextprotocolModel Context Protocol Servers
IDA Pro MCP
mrexodiaAI-powered reverse engineering assistant that bridges IDA Pro with language models through MCP.
评论