|
1 |
| -# socket-mcp |
| 1 | +# Socket MCP Server |
| 2 | + |
| 3 | +A Model Context Protocol (MCP) server for Socket integration, allowing AI assistants to efficiently check dependency vulnerability scores and security information. |
| 4 | + |
| 5 | +## Tools |
| 6 | + |
| 7 | +### depscore |
| 8 | + |
| 9 | +The `depscore` tool allows AI assistants to query the Socket API for dependency scoring information. It provides security and quality metrics for packages across different ecosystems. |
| 10 | + |
| 11 | +**Parameters:** |
| 12 | + |
| 13 | +- `ecosystem`: The package ecosystem (e.g., npm, PyPI). Defaults to "npm". |
| 14 | +- `depname`: The name of the dependency. |
| 15 | +- `version`: The version of the dependency. Defaults to "unknown". |
| 16 | + |
| 17 | +**Example usage:** |
| 18 | + |
| 19 | +```text |
| 20 | +depscore("npm", "express", "4.18.2") |
| 21 | +``` |
| 22 | + |
| 23 | +## Configuration |
| 24 | + |
| 25 | +### Getting an API key |
| 26 | + |
| 27 | +To use the Socket MCP Server, you need to create an API key. You can do this by following [these steps](https://docs.socket.dev/reference/creating-and-managing-api-tokens). |
| 28 | + |
| 29 | + |
| 30 | +### Usage with Claude Desktop |
| 31 | + |
| 32 | +To use this MCP server with Claude Desktop: |
| 33 | + |
| 34 | +1. Install the Socket MCP server: |
| 35 | + |
| 36 | + ```bash |
| 37 | + npm install -g socket-mcp |
| 38 | + ``` |
| 39 | + |
| 40 | +2. Set the API key in your environment: |
| 41 | + |
| 42 | + ```bash |
| 43 | + export SOCKET_API_KEY=your_api_key_here |
| 44 | + ``` |
| 45 | + |
| 46 | +3. In Claude Desktop, go to Settings > Assistants > Add Custom Tool. |
| 47 | + |
| 48 | +4. Enter the following: |
| 49 | + - Name: Socket |
| 50 | + - Command: `depscore` |
| 51 | + - Save the configuration. |
| 52 | + |
| 53 | +5. Now you can ask Claude questions like "Check the security score for express version 4.18.2". |
| 54 | + |
| 55 | +### Usage with VS Code |
| 56 | + |
| 57 | +For quick installation, you can use the following link to install the Socket MCP server in VS Code: |
| 58 | + |
| 59 | + |
| 60 | +[](vscode:mcp/install?%7B%22name%22%3A%22socket-mcp%22%2C%22inputs%22%3A%5B%7B%22type%22%3A%22promptString%22%2C%22id%22%3A%22socket_api_key%22%2C%22description%22%3A%22Socket%20API%20Key%22%2C%22password%22%3Atrue%7D%5D%2C%22command%22%3A%22depscore%22%2C%22type%22%3A%22stdio%22%2C%22env%22%3A%7B%22SOCKET_API_KEY%22%3A%22%24%7Binput%3Asocket_api_key%7D%22%7D%7D) |
| 61 | + |
| 62 | + |
| 63 | +To use this MCP server in VS Code: |
| 64 | + |
| 65 | +1. Set the API key in your environment: |
| 66 | + |
| 67 | + ```bash |
| 68 | + export SOCKET_API_KEY=your_api_key_here |
| 69 | + ``` |
| 70 | + |
| 71 | +2. In VS Code settings, add the Socket MCP server to your configuration `.vscode/mcp.json` file: |
| 72 | + |
| 73 | + ```json |
| 74 | + { |
| 75 | + "inputs": [ |
| 76 | + { |
| 77 | + "type": "promptString", |
| 78 | + "id": "socket_api_key", |
| 79 | + "description": "Socket API Key", |
| 80 | + "password": true |
| 81 | + } |
| 82 | + ], |
| 83 | + "servers": { |
| 84 | + "socket-mcp": { |
| 85 | + "type": "stdio", |
| 86 | + "command": "depscore", |
| 87 | + "args": [], |
| 88 | + "env": { |
| 89 | + "SOCKET_API_KEY": "${input:socket_api_key}" |
| 90 | + }, |
| 91 | + } |
| 92 | + } |
| 93 | + } |
| 94 | + ``` |
| 95 | + |
| 96 | +3. Now you can ask questions about dependency security within your VS Code environment. |
| 97 | +4. Feel free to add the following to your `.github/copilot-instructions.md` file to control better how the tools is used by your agent: |
| 98 | + |
| 99 | + ```markdown |
| 100 | + ## Socket MCP Server |
| 101 | + Always check the dependencies scores with the depscore tool when you add a new dependency. If the score is low, consider using an alternative library or writing the code yourself. If you decide to use a library with a low score, make sure to document the reasons for your choice. If you are unsure about the score, ask for a review from someone with more experience. |
| 102 | + |
| 103 | + When checking dependencies, make sure to also check the imports not just the pyproject.toml/package.json/dependency file. |
| 104 | + ``` |
| 105 | + |
| 106 | +## Development |
| 107 | + |
| 108 | +### Prerequisites |
| 109 | + |
| 110 | +- Node.js v16 or higher |
| 111 | +- npm or yarn |
| 112 | + |
| 113 | +### Installation |
| 114 | + |
| 115 | +Clone the repository and install dependencies: |
| 116 | + |
| 117 | +```bash |
| 118 | +git clone https://github.com/SocketDev/socket-mcp.git |
| 119 | +cd socket-mcp |
| 120 | +npm install |
| 121 | +``` |
| 122 | + |
| 123 | +## Build |
| 124 | + |
| 125 | +To build the project: |
| 126 | + |
| 127 | +```bash |
| 128 | +npm run build |
| 129 | +``` |
| 130 | + |
| 131 | +This compiles the TypeScript files and makes the binary executable called `depscore`. |
| 132 | + |
| 133 | +## Run |
| 134 | + |
| 135 | +To run the Socket MCP server locally: |
| 136 | + |
| 137 | +```bash |
| 138 | +export SOCKET_API_KEY=your_api_key_here |
| 139 | +node build/index.js |
| 140 | +``` |
| 141 | + |
| 142 | +After installing globally, you can run the executable directly: |
| 143 | + |
| 144 | +```bash |
| 145 | +export SOCKET_API_KEY=your_api_key_here |
| 146 | +depscore |
| 147 | +``` |
| 148 | + |
| 149 | +### Global Installation |
| 150 | + |
| 151 | +To install the tool globally and make the `depscore` command available system-wide: |
| 152 | + |
| 153 | +```bash |
| 154 | +npm install -g . |
| 155 | +``` |
| 156 | + |
| 157 | +After global installation, you can use the `depscore` command from anywhere: |
| 158 | + |
| 159 | +```bash |
| 160 | +export SOCKET_API_KEY=your_api_key_here |
| 161 | +depscore |
| 162 | +``` |
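Review bot: In the "Usage with VS Code" section, step 1 (`export SOCKET_API_KEY=your_api_key_here`) is at odds with the `mcp.json` in step 2, which already collects the key through the `socket_api_key` `promptString` input with `"password": true` and passes it via `"SOCKET_API_KEY": "${input:socket_api_key}"`. The export is redundant there and leaves the key in shell history, so I would drop step 1 from that section and keep the prompt as the only path. In the same JSON block, the `},` that closes the `env` object is followed directly by `}`; that trailing comma makes the sample invalid for strict JSON parsers, so remove it. Minor: "how the tools is used" in step 4 should read "how the tool is used", and the "After installing globally" snippet under Run duplicates the "Global Installation" section that follows it.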