An MCP server that provides tools for checking the status of your software supply chain within the context of Secure Chain.
- 🔍 Multi-ecosystem support: Query packages from PyPI, NPM, Maven, Cargo, RubyGems, and NuGet ecosystems
- 🛡️ Vulnerability intelligence: Access detailed vulnerability, exploit, and CWE information
- 📊 Supply chain analysis: Explore direct and transitive dependencies in the software supply chain graph
- 📋 VEX support: Retrieve Vulnerability Exploitability eXchange documents for repositories
- ⚡ MCP integration: Seamlessly integrates with AI agents and LLMs via Model Context Protocol
- Docker to deploy the tool.
- Docker Compose for container orchestration.
- It is recommended to use a GUI such as MongoDB Compass.
- The Neo4J browser interface to visualize the graph built from the data is in localhost:7474 when the container is running.
- Python 3.14 or higher.
Go to Secure Chain official lading page, and register yourself as a user, then get an API Key from the top right key button.
Finally, inside the folder .vscode add the file mcp.json with the next configuration, and start the mcp server:
{
"servers": {
"Secure Chain": {
"type": "http",
"url": "https://mcp.securechain.dev/mcp",
"headers": {
"X-API-Key": "your-api-key-here"
}
}
}
}Clone the repository from the official GitHub repository:
git clone https://github.com/securechaindev/securechain-mcp-server.git
cd securechain-mcp-serverCreate a .env.local file from the .env.example file and place it in the root directory.
-
How to get a GitHub API key.
-
Modify the Json Web Token (JWT) secret key and algorithm with your own. You can generate your own secret key with the command openssl rand -base64 32.
Ensure you have the securechain Docker network created. If not, create it with:
docker network create securechainFor graphs and vulnerabilities information you need to download the zipped data dumps from Zenodo. Once you have unzipped the dumps, inside the root folder run the command:
docker compose up --buildThe containerized databases will also be seeded automatically.
Run the command from the project root:
docker compose -f dev/docker-compose.yml up --buildGo here and create an user, for example:
{
"email": "mcp-bot@example.com",
"password": "supersecre3T*"
}And then go here and get an API Key.
Inside the folder .vscode/ add the file mcp.json with this template:
{
"servers": {
"Secure Chain": {
"type": "http",
"url": "http://localhost:8005/mcp",
"headers": {
"X-API-Key": "your-api-key-here"
}
}
}
}And then start the MCP server and begin use it with Copilot for example.
The project uses Python 3.14 and uv as the package manager for faster and more reliable dependency management.
-
Install uv (if not already installed):
curl -LsSf https://astral.sh/uv/install.sh | sh -
Activate the virtual environment (uv creates it automatically):
uv venv source .venv/bin/activate -
Install dependencies:
uv sync
# Install linter
uv sync --extra dev
# Linting
uv run ruff check app/
# Formatting
uv run ruff format app/Pull requests are welcome! To contribute follow this guidelines.