{"id":47809711,"url":"https://github.com/godaddy/oss-review","last_synced_at":"2026-04-03T18:05:20.906Z","repository":{"id":320069111,"uuid":"1080650391","full_name":"godaddy/oss-review","owner":"godaddy","description":"MCP server to accelerate the reviewing process for Open Source releases of your projects","archived":false,"fork":false,"pushed_at":"2025-10-21T20:23:13.000Z","size":35,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-10-21T20:24:40.526Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/godaddy.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-10-21T17:06:52.000Z","updated_at":"2025-10-21T20:23:17.000Z","dependencies_parsed_at":"2025-10-21T20:24:50.435Z","dependency_job_id":"1dfac1e0-bc5e-408d-961a-1876ae4cf4f3","html_url":"https://github.com/godaddy/oss-review","commit_stats":null,"previous_names":["godaddy/oss-review"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/godaddy/oss-review","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/godaddy%2Foss-review","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/godaddy%2Foss-review/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/godaddy%2Foss-review/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/godaddy%2Foss-review/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/godaddy","download_url":"https://codeload.github.com/godaddy/oss-review/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/godaddy%2Foss-review/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31368157,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-03T17:53:18.093Z","status":"ssl_error","status_checked_at":"2026-04-03T17:53:17.617Z","response_time":107,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-04-03T18:05:20.303Z","updated_at":"2026-04-03T18:05:20.897Z","avatar_url":"https://github.com/godaddy.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# OSS Review MCP Server\n\nA Model Context Protocol (MCP) server that helps organizations safely release internal code as open source. It scans repositories for secrets, license violations, security vulnerabilities, and sensitive internal references that shouldn't be public.\n\n## What does it do?\n\nThis tool automates the tedious parts of preparing code for open source release. Before you can safely publish internal code, you need to check for leaked credentials, ensure license compatibility, scan for security vulnerabilities, and remove internal references like private URLs or employee emails. This MCP server provides AI assistants with the tools to perform these checks automatically.\n\nThe server exposes specialized tools through the Model Context Protocol, allowing AI assistants like Claude to orchestrate security scans, analyze software bill of materials (SBOMs), check license policies, and provide guidance on manual review areas that require human judgment.\n\n## Installation\n\n```bash\n# Install globally for CLI usage\nnpm install -g oss-review\n\n# Or add as a development dependency to your project\nnpm install --save-dev oss-review\n```\n\n## Getting Started\n\nStart the MCP server and it will communicate with your AI assistant over standard input/output. The simplest way to use it is through an MCP-compatible client like Claude Desktop.\n\n```bash\n# Start with default configuration\noss-review\n\n# Provide custom configuration\noss-review --config ./my-config.mjs\n\n# Load configuration from a published npm package\noss-review --config @mycompany/oss-config\n\n# With published config package, private registry\noss-review --config @mycompany/oss-config --registry https://my.registry.here\n\n# Multiple configs (merged in order, last wins)\noss-review --config @mycompany/base --config ./overrides.mjs\n```\n\nWhen you provide multiple configurations, they merge together with later configurations taking precedence. This lets you establish organization-wide defaults while allowing teams to override specific settings.\n\n### Connecting to Claude Desktop\n\nAdd the server to Claude Desktop's configuration file at `~/Library/Application Support/Claude/claude_desktop_config.json`:\n\n```json\n{\n  \"mcpServers\": {\n    \"oss-review\": {\n      \"command\": \"oss-review\",\n      \"args\": [\"--config\", \"@mycompany/oss-config\"]\n    }\n  }\n}\n```\n\nAfter restarting Claude Desktop, the assistant will have access to all the review tools and can help you prepare repositories for open source release.\n\n### Running a Review\n\nOnce connected, ask Claude to review your repository:\n\n```\nCan you review /path/to/my-project for open source readiness?\n```\n\nOr use the review prompt directly:\n\n```\n/review repository=my-project focus=\"security and licensing\"\n```\n\nThe assistant will use the available tools to scan for issues, check licenses, find vulnerabilities, and provide guidance on areas requiring manual review.\n\n## How It Works\n\nThe server provides five specialized tools that the AI assistant orchestrates based on your request:\n\n### Pattern Detection (`search`)\n\nThis tool scans your codebase for sensitive patterns you've defined in your configuration. Unlike secret scanners that look for credentials, this finds internal references like private domain names, internal URLs, employee email addresses, and infrastructure identifiers that reveal your internal architecture.\n\nYou define detection patterns in your configuration using regular expressions or keywords, organized into buckets like \"internal-references\" or \"employee-info\". When the AI scans your code, it reports findings with their locations and severity levels.\n\n### Secret Scanning (`secretlint`)\n\nIntegrates with Secretlint to find leaked credentials, API keys, tokens, and other secrets. The tool scans files and directories, treating warnings as errors by default to ensure nothing slips through. It catches hardcoded passwords, AWS keys, GitHub tokens, JWT tokens, and other credential patterns that would compromise security if published.\n\n### License Auditing (`licenses`)\n\nAnalyzes your project's dependencies and checks their licenses against your organization's policy. You define which licenses are approved (green), conditionally approved (yellow), or forbidden (red). The tool can generate software bill of materials (SBOMs) automatically or use existing ones, then validates every dependency's license and reports violations.\n\nThis catches issues like accidentally including GPL-licensed code in proprietary projects or dependencies with unknown licenses that need legal review.\n\n### Vulnerability Scanning (`security`)\n\nRuns security audits on your dependencies using npm audit to find known vulnerabilities. You can set severity thresholds, ignore specific advisories, and get detailed reports about security issues that need fixing before release. The tool helps ensure you're not releasing code with critical vulnerabilities that attackers could exploit.\n\n### Comprehensive Review (`review`)\n\nThis tool (or prompt) orchestrates all the others into a complete readiness review. It checks required documentation, runs automated scans, and provides guidance on manual review areas that tools can't fully automate—like assessing whether code contains proprietary business logic or requires export control review.\n\n## Configuration\n\nOrganizations publish their policies as configuration packages. Here's what a configuration looks like:\n\n```javascript\nimport Config from 'oss-review/config';\n\nconst config = new Config({\n  // Organization information used in templates\n  profile: {\n    name: 'Acme Corporation',\n    securityEmail: 'security@acme.com'\n  },\n\n  // License policy: define what's allowed\n  licenses: {\n    green: [\n      { id: 'MIT' },\n      { id: 'Apache-2.0' },\n      { id: 'BSD-3-Clause' }\n    ],\n    yellow: [\n      { id: 'MPL-2.0', notes: 'Requires legal review' }\n    ],\n    red: [\n      { id: 'GPL-3.0', notes: 'Incompatible with proprietary code' }\n    ]\n  },\n\n  // Detection patterns for internal references\n  detection: {\n    'internal-references': [\n      {\n        id: 'internal-domains',\n        match: '\\\\.(corp|internal|local)\\\\b',\n        severity: 'high',\n        remediation: 'Remove internal domain references before release'\n      },\n      {\n        id: 'private-ips',\n        match: '\\\\b10\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}\\\\.\\\\d{1,3}\\\\b',\n        severity: 'high',\n        remediation: 'Replace private IPs with environment variables'\n      }\n    ]\n  }\n});\n\n// Register document templates\nconfig.resource('LICENSE', './templates/LICENSE');\nconfig.resource('SECURITY.md', './templates/SECURITY.md');\nconfig.resource('CODE_OF_CONDUCT.md', './templates/CODE_OF_CONDUCT.md');\n\nexport default config;\n```\n\nYou can publish this configuration as an npm package and share it across your organization. Teams reference it when starting the MCP server, ensuring everyone uses the same policies and detection patterns.\n\nFor complete configuration documentation, see [packages/config/README.md](packages/config/README.md).\n\n## Document Templates\n\nThe server can provide document templates to the AI assistant. When reviewing code, if required files like LICENSE or SECURITY.md are missing, the assistant can fetch templates and create them automatically.\n\nTemplates support variable substitution using your organization's profile:\n\n- `{{ year }}` becomes the current year\n- `{{ profile.name }}` becomes your organization name\n- `{{ profile.securityEmail }}` becomes your security contact\n\nThis ensures generated documentation is consistent and properly branded with your organization's information.\n\n## What Gets Reviewed\n\nWhen you run a review, the assistant checks both automated and manual concerns:\n\n**Automated checks** that tools can verify completely:\n- Required documentation exists (LICENSE, SECURITY.md, CODE_OF_CONDUCT.md, CONTRIBUTING.md)\n- No secrets or credentials in the code\n- No internal references like private URLs or infrastructure details\n- All dependency licenses comply with your policy\n- No known security vulnerabilities above your threshold\n\n**Manual review areas** where tools provide guidance but human judgment is required:\n- Does the code contain proprietary business logic or competitive advantages?\n- Are there complex algorithms that might have IP protection considerations?\n- Does any cryptographic code require export control review?\n- Are there novel algorithms that might warrant patent searches?\n- Does the repository history need sanitization?\n- Is there clear maintainer commitment, or is this a one-time code dump?\n- Does releasing this code reveal architectural details competitors could exploit?\n- Are contribution policies clear and welcoming?\n\nThe assistant provides specific guidance for each manual concern it identifies, helping you make informed decisions about what requires human review before release.\n\n## Development\n\nTo work on the MCP server itself:\n\n```bash\ngit clone https://github.com/your-org/oss-review.git\ncd oss-review\nnpm install\nnpm run build\nnpm test\n```\n\nThe codebase is organized into specialized packages under `packages/`:\n\n- `config/` - Configuration utilities and API\n- `mcp/` - MCP server implementation, tools, prompts, and resources\n- `advisory/` - Vulnerability advisory handling\n- `resolver/` - Configuration resolution and merging\n- `syft/` - SBOM generation wrapper\n\nThe CLI entry point is `bin/cli.ts` and the MCP server starts in `packages/mcp/index.ts`.\n\n## License\n\nSee LICENSE file for details.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgodaddy%2Foss-review","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgodaddy%2Foss-review","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgodaddy%2Foss-review/lists"}