{"id":28437195,"url":"https://github.com/stackloklabs/osv-mcp","last_synced_at":"2026-04-02T21:47:49.262Z","repository":{"id":291581831,"uuid":"978077626","full_name":"StacklokLabs/osv-mcp","owner":"StacklokLabs","description":"An MCP server for OSV","archived":false,"fork":false,"pushed_at":"2025-06-16T12:39:11.000Z","size":68,"stargazers_count":5,"open_issues_count":2,"forks_count":2,"subscribers_count":4,"default_branch":"main","last_synced_at":"2025-06-16T13:23:54.888Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/StacklokLabs.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-05-05T12:43:11.000Z","updated_at":"2025-06-12T02:15:03.000Z","dependencies_parsed_at":"2025-05-05T13:52:56.099Z","dependency_job_id":"282774ca-c115-413b-aeb5-89d9d5847e61","html_url":"https://github.com/StacklokLabs/osv-mcp","commit_stats":null,"previous_names":["stackloklabs/osv-mcp"],"tags_count":5,"template":false,"template_full_name":null,"purl":"pkg:github/StacklokLabs/osv-mcp","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/StacklokLabs%2Fosv-mcp","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/StacklokLabs%2Fosv-mcp/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/StacklokLabs%2Fosv-mcp/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/StacklokLabs%2Fosv-mcp/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/StacklokLabs","download_url":"https://codeload.github.com/StacklokLabs/osv-mcp/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/StacklokLabs%2Fosv-mcp/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":262327112,"owners_count":23294204,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-06-05T23:09:10.496Z","updated_at":"2026-04-02T21:47:49.247Z","avatar_url":"https://github.com/StacklokLabs.png","language":"Go","funding_links":[],"categories":["Security"],"sub_categories":["How to Submit"],"readme":"# OSV MCP Server\n[![Trust Score](https://archestra.ai/mcp-catalog/api/badge/quality/StacklokLabs/osv-mcp)](https://archestra.ai/mcp-catalog/stackloklabs__osv-mcp)\n\nAn MCP (Model Context Protocol) server that provides access to the\n[OSV (Open Source Vulnerabilities) database](https://osv.dev/).\n\n## Overview\n\nThis project implements an SSE-based MCP server that allows LLM-powered\napplications to query the OSV database for vulnerability information. The server\nprovides tools for:\n\n1. Querying vulnerabilities for a specific package version or commit\n2. Batch querying vulnerabilities for multiple packages or commits\n3. Getting detailed information about a specific vulnerability by ID\n\n## Installation\n\n### Prerequisites\n\n- Go 1.21 or later\n- [Task](https://taskfile.dev/) (optional, for running tasks)\n- [ko](https://ko.build/) (optional, for building container images)\n\n### Building from source\n\n```bash\n# Clone the repository\ngit clone https://github.com/StacklokLabs/osv-mcp.git\ncd osv-mcp\n\n# Build the server\ntask build\n```\n\n## Usage\n\n### Running with ToolHive (Recommended)\n\nThe easiest way to run the OSV MCP server is using\n[ToolHive](https://github.com/stacklok/toolhive), which provides secure,\ncontainerized deployment of MCP servers:\n\n```bash\n# Install ToolHive (if not already installed)\n# See: https://docs.stacklok.com/toolhive/guides-cli/install\n\n# Register a supported client so ToolHive can auto-configure your environment\nthv client setup\n\n# Run the OSV MCP server (packaged as 'osv' in ToolHive)\nthv run osv\n\n# List running servers\nthv list\n\n# Get detailed information about the server\nthv registry info osv\n```\n\nThe server will be available to your MCP-compatible clients and can query the\nOSV database for vulnerability information.\n\n### Running from Source\n\n### Server Configuration\n\nThe server can be configured using environment variables:\n\n- `MCP_PORT`: The port number to run the server on (default: 8080)\n\n  - Must be a valid integer between 0 and 65535\n  - If invalid or not set, the server will use port 8080\n\n- `MCP_TRANSPORT`: The transport mode for the server (default: `sse`)\n  - Supported values: `sse`, `streamable-http`\n  - If invalid or not set, the server will use SSE transport mode\n\nExample:\n\n```bash\n# Run on port 3000\nMCP_PORT=3000 ./build/osv-mcp-server\n\n# Run on default port 8080\n./build/osv-mcp-server\n```\n\n### MCP Tools\n\nThe server provides the following MCP tools:\n\n#### query_vulnerability\n\nQuery for vulnerabilities affecting a specific package version or commit.\n\n**Input Schema:**\n\n```json\n{\n  \"type\": \"object\",\n  \"properties\": {\n    \"commit\": {\n      \"type\": \"string\",\n      \"description\": \"The commit hash to query for. If specified, version should not be set.\"\n    },\n    \"version\": {\n      \"type\": \"string\",\n      \"description\": \"The version string to query for. If specified, commit should not be set.\"\n    },\n    \"package_name\": {\n      \"type\": \"string\",\n      \"description\": \"The name of the package.\"\n    },\n    \"ecosystem\": {\n      \"type\": \"string\",\n      \"description\": \"The ecosystem for this package (e.g., PyPI, npm, Go).\"\n    },\n    \"purl\": {\n      \"type\": \"string\",\n      \"description\": \"The package URL for this package. If purl is used, package_name and ecosystem should not be set.\"\n    }\n  }\n}\n```\n\n#### query_vulnerabilities_batch\n\nQuery for vulnerabilities affecting multiple packages or commits at once.\n\n**Input Schema:**\n\n```json\n{\n  \"type\": \"object\",\n  \"properties\": {\n    \"queries\": {\n      \"type\": \"array\",\n      \"description\": \"Array of query objects\",\n      \"items\": {\n        \"type\": \"object\",\n        \"properties\": {\n          \"commit\": {\n            \"type\": \"string\",\n            \"description\": \"The commit hash to query for. If specified, version should not be set.\"\n          },\n          \"version\": {\n            \"type\": \"string\",\n            \"description\": \"The version string to query for. If specified, commit should not be set.\"\n          },\n          \"package_name\": {\n            \"type\": \"string\",\n            \"description\": \"The name of the package.\"\n          },\n          \"ecosystem\": {\n            \"type\": \"string\",\n            \"description\": \"The ecosystem for this package (e.g., PyPI, npm, Go).\"\n          },\n          \"purl\": {\n            \"type\": \"string\",\n            \"description\": \"The package URL for this package. If purl is used, package_name and ecosystem should not be set.\"\n          }\n        }\n      }\n    }\n  },\n  \"required\": [\"queries\"]\n}\n```\n\n#### get_vulnerability\n\nGet details for a specific vulnerability by ID.\n\n**Input Schema:**\n\n```json\n{\n  \"type\": \"object\",\n  \"properties\": {\n    \"id\": {\n      \"type\": \"string\",\n      \"description\": \"The OSV vulnerability ID\"\n    }\n  },\n  \"required\": [\"id\"]\n}\n```\n\n## Examples\n\n### Querying vulnerabilities for a package\n\n```json\n{\n  \"package_name\": \"lodash\",\n  \"ecosystem\": \"npm\",\n  \"version\": \"4.17.15\"\n}\n```\n\n### Querying vulnerabilities for a commit\n\n```json\n{\n  \"commit\": \"6879efc2c1596d11a6a6ad296f80063b558d5e0f\"\n}\n```\n\n### Batch querying vulnerabilities\n\n```json\n{\n  \"queries\": [\n    {\n      \"package_name\": \"lodash\",\n      \"ecosystem\": \"npm\",\n      \"version\": \"4.17.15\"\n    },\n    {\n      \"package_name\": \"jinja2\",\n      \"ecosystem\": \"PyPI\",\n      \"version\": \"2.4.1\"\n    }\n  ]\n}\n```\n\n### Getting vulnerability details\n\n```json\n{\n  \"id\": \"GHSA-vqj2-4v8m-8vrq\"\n}\n```\n\n## Development\n\n### Running tests\n\n```bash\ntask test\n```\n\n### Linting\n\n```bash\ntask lint\n```\n\n### Formatting code\n\n```bash\ntask fmt\n```\n\n## Contributing\n\nWe welcome contributions to this MCP server! If you'd like to contribute, please\nreview the [CONTRIBUTING guide](./CONTRIBUTING.md) for details on how to get\nstarted.\n\nIf you run into a bug or have a feature request, please\n[open an issue](https://github.com/StacklokLabs/osv-mcp/issues) in the\nrepository or join us in the `#mcp-servers` channel on our\n[community Discord server](https://discord.gg/stacklok).\n\n## License\n\nThis project is licensed under the Apache v2 License - see the LICENSE file for\ndetails.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstackloklabs%2Fosv-mcp","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fstackloklabs%2Fosv-mcp","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstackloklabs%2Fosv-mcp/lists"}