FOSSA MCP. Audit your software supply chain, conversationally.
FOSSA License Compliance connects your open-source auditing tools directly to your AI client. It automates security vulnerability checks and license compliance reviews across entire software supply chains, letting you query project dependencies in natural language. Stop clicking through dashboards; start asking questions about where every piece of code comes from.
Give Claude and any AI agent real-world access
Retrieves a list of every project in your organization, supporting filtering by criteria like department or status.
Gets detailed metadata for any version locator, allowing you to audit a project at a precise point in time.
Deep-dives into the full dependency list of a revision, building an accurate software bill of materials (SBOM).
Determines which parent projects contain specific dependencies that are vulnerable or non-compliant.
Checks multiple dependency locators against the FOSSA database in a single query to find security risks.
Lists all available revisions for a given project, helping you track changes over time.
What AI agents can do with FOSSA (License Compliance): 6 tools
These tools let you list projects, inspect historical revisions, map complex dependencies, and run vulnerability scans across your entire organization's codebase.
Make your AI actually useful.
Add this MCP to Claude, Cursor, or Windsurf and your AI stops guessing. It gets real tools to look things up, take action, and handle the stuff you keep doing by hand.
Check Vulnerabilities
Checks a list of package locators to see if any have known security vulnerabilities.
Get Revision
Fetches detailed metadata for a specific, named project revision.
Get Parent Projects
Finds all parent projects that incorporate a given dependency.
List Projects
Lists every project in your organization, with filtering options to narrow the...
Get Revision Dependencies
Retrieves the full dependency list for a specific version of a project.
List Revisions
Lists all available revisions (versions) that exist for a given project.
Security and governance baked right in.
Pick your AI client below to get set up. Just create a Vinkius account, subscribe, and you're instantly up and running. We handle the entire backend infrastructure, delivering out-of-the-box support for Streamable HTTP, SSE, and OAuth2, with zero messy routing required.
Choose How to Get Started
Build a custom MCP for your own tools, or connect a ready-made integration from our catalog.
Build Your Own
Turn any API into an MCP. Import a spec, define Agent Skills, or deploy with MCPFusion.
- Import from OpenAPI, Swagger, or YAML specs
- Create Agent Skills with progressive disclosure
- Deploy to edge with MCPFusion framework
- Built-in DLP, auth, and compliance on each call
- Real-time usage dashboard and cost metering
- Publish to catalog or keep private
Make Your AI Do More
Start with FOSSA (License Compliance), then connect any of our 5,200+ other servers whenever your AI needs more. One click, no limits.
- Use this MCP plus 5,200+ others, all in one place
- Add new capabilities to your AI anytime you want
- Connections are secured and governed automatically
- Track usage and costs across all your servers
- Works with Claude, ChatGPT, Cursor, and more
- New servers added to the catalog weekly
Independent Platform Disclaimer: Vinkius is an independent platform and is not affiliated with, endorsed by, sponsored by, verified by, or otherwise authorized by FOSSA. All third-party trademarks, logos, and brand names are the property of their respective owners. Their use on this website is strictly for informational purposes to identify service compatibility and interoperability.
VINKIUS CLOUD
Cloud Hosted: managed infra
V8 Isolated: sandboxed per request
Zero-Trust Proxy: no stored credentials
DLP Enforced: policy on each call
GDPR Compliant: EU data residency
Token Compression: ~60% cost reduction
The manual process of checking compliance is always chasing ghosts.
Right now, to audit your supply chain, you open the FOSSA web interface. You have to manually navigate from project list to specific revisions, then click through dependency trees, and finally run a separate vulnerability scan for every single library of concern. This process takes hours just to gather the data.
With this MCP connected via Vinkius, you skip all that clicking. You simply ask your agent: 'Show me all projects using version 1.2 of Library Z.' The system compiles the full answer—project list, revision status, and dependency map—and presents it back to you in plain language.
Get a complete project picture with FOSSA License Compliance.
You no longer need to copy-paste package names into separate forms or tabs. You use `get_revision_dependencies` and `list_projects` together, telling your agent exactly what you need for the whole system at once.
The difference is that data moves from siloed dashboards into a cohesive conversation. Your audit results are immediate and actionable, allowing engineers to patch vulnerabilities in minutes instead of days.
What FOSSA MCP does for your AI
Manually tracking open-source licenses or hunting down a single vulnerable dependency is a massive time sink. This MCP lets your AI client bypass the FOSSA web interface entirely. Instead, you talk to it naturally and get precise audit data for your whole organization's codebase. You can list every project, pinpoint exactly which parent applications rely on a risky package, or check dozens of dependencies for vulnerabilities all in one go.
When paired with Vinkius, this MCP becomes the central point for accessing enterprise-grade security intelligence from any compatible client. It takes deep, complex data—like dependency trees and revision metadata—and turns it into actionable answers you can use right away.
How to set up FOSSA MCP
The bottom line is you get a conversational interface for complex security audits, eliminating manual API calls and UI navigation.
Subscribe to this MCP and input your FOSSA API Token.
Direct your AI client to use the connected tools when prompted with an audit task.
Your agent executes the necessary commands, returning structured data on compliance or vulnerabilities.
Who uses FOSSA MCP
This MCP is built for the security engineer who needs to prove compliance instantly or the architect tired of manually mapping dependency risks across microservices. If your job involves knowing exactly what code runs where, this tool is essential.
Uses check_vulnerabilities to quickly identify where critical packages are used across the entire codebase, rather than just checking a single service.
Runs audits on specific project revisions and uses get_parent_projects to ensure every deployed application meets legal license standards.
Uses tools like list_projects and get_revision_dependencies to verify the complete dependency graph of an entire system before deployment.
Benefits of connecting FOSSA MCP
Pinpoint risks instantly. Instead of manually checking one package, you can run check_vulnerabilities against multiple locators in a single query, giving immediate security coverage.
See the full scope. Use get_parent_projects to answer questions like, 'Which services are using this deprecated library?' and get an exhaustive list of every consumer project.
Audit specific moments in time. By checking revisions using list_revisions and get_revision, you can audit a project's compliance state exactly as it was last month, not just its current state.
Cover the entire codebase. Start by running list_projects to get an inventory of all potential targets, ensuring no service is missed during your security sweep.
Understand dependency depth. The get_revision_dependencies tool doesn't just list what's in a project; it maps out the full tree structure you need for compliance checks.
FOSSA MCP use cases
The sudden vulnerability alert
A security engineer gets an alert about a critical CVE affecting npm+ssh2$0.6.1. Instead of spending hours checking every service's source code, they ask their agent to run the dependency locators through check_vulnerabilities and immediately get confirmation on which projects need patching.
License review before merger
A legal team needs to know if a newly acquired codebase is compliant. They use list_projects to get the inventory, then run detailed audits on specific revisions using get_revision, ensuring no non-compliant licenses sneak into the merged product.
Debugging dependency sprawl
A developer can't figure out why a feature is breaking. They ask their agent to use get_parent_projects for the failing library, instantly revealing that three unrelated microservices are relying on the problematic code.
FOSSA MCP tradeoffs
What to watch out for, and the recommended way to handle each one.
Only checking package.json
Assuming the top-level package.json file contains all necessary dependency data for a complete compliance audit.
You must use get_revision_dependencies to map the full, nested tree structure of the code. This captures every indirect and direct library used by the project.
Manually listing projects
Trying to keep a spreadsheet list of all 50+ services in your organization that need auditing.
Start with list_projects. This tool provides an up-to-date, filtered inventory of every project available for audit, ensuring you don't miss anything.
Using outdated version data
Running vulnerability checks against a local copy of code that hasn't been updated in months.
Always reference specific historical states: use list_revisions to find them, then fetch the metadata with get_revision. This ensures you are auditing the correct, verified version.
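The use cases above (the CVE alert for npm+ssh2$0.6.1, the blast-radius question) and the tradeoffs just listed (top-level package.json versus the full nested tree, current versus historical revisions) all compose the same six tools. The following is an added example, not FOSSA's or Vinkius's code and not the MCP's real API: it models the six tools as plain Python functions over a small constructed dataset so the workflow can be run offline. The tool names are the page's; their parameters, return shapes, the sample projects, the acme-* package names and the placeholder vulnerability list are all assumptions made here. It parses the locator format the page uses (fetcher+package$revision), flattens a revision's dependency tree with the path that pulls each library in, and reverse-looks-up parent projects, which is what makes the "only checking package.json" gap visible.

```python
# Added example (not FOSSA's or Vinkius's code): a constructed simulation of the
# audit workflow on this page. Tool names are the page's; signatures, return
# shapes and all sample data below are assumptions.
from collections import deque
from dataclasses import dataclass
from typing import Any, Dict, List, Set, Tuple

@dataclass(frozen=True)
class Locator:
    """A FOSSA-style locator split into fetcher, package and revision."""
    fetcher: str
    package: str
    revision: str

def parse_locator(text: str) -> Locator:
    """Parse 'fetcher+package$revision' (page example: npm+ssh2$0.6.1). Split on the
    first '+' and the last '$' only, since package names may contain '/' or '+'."""
    fetcher, plus, rest = text.partition("+")
    package, dollar, revision = rest.rpartition("$")
    if not (fetcher and plus and package and dollar and revision):
        raise ValueError(f"malformed locator: {text!r}")
    return Locator(fetcher, package, revision)

# Constructed sample data standing in for the FOSSA database: direct deps of each library.
LIBRARY_DEPS: Dict[str, List[str]] = {
    "npm+acme-deploy-tool$1.0.0": ["npm+acme-sftp-client$0.2.0"],
    "npm+acme-sftp-client$0.2.0": ["npm+ssh2$0.6.1"],
    "npm+ssh2$0.6.1": [],
    "npm+ssh2$1.11.0": [],
    "npm+lodash$4.17.21": [],
}
# Each project's revisions (sorted = chronological) with DIRECT deps only, i.e. what package.json shows.
PROJECT_REVISIONS: Dict[str, Dict[str, List[str]]] = {
    "custom+org/billing-service": {
        "rev-2024-01": ["npm+acme-deploy-tool$1.0.0", "npm+lodash$4.17.21"],
        "rev-2024-03": ["npm+acme-deploy-tool$1.0.0", "npm+lodash$4.17.21"],
    },
    "custom+org/ci-runner": {
        "rev-2024-01": ["npm+ssh2$0.6.1"],
        "rev-2024-03": ["npm+ssh2$1.11.0"],  # upgraded in the later revision
    },
    "custom+org/web-frontend": {"rev-2024-02": ["npm+lodash$4.17.21"]},
}
KNOWN_VULNERABLE: Set[str] = {"npm+ssh2$0.6.1"}  # placeholder; the real list is served by FOSSA

# The six tools modelled as plain functions (signatures are assumptions).
def list_projects() -> List[str]:
    return sorted(PROJECT_REVISIONS)

def list_revisions(project: str) -> List[str]:
    return sorted(PROJECT_REVISIONS[project])

def get_revision(project: str, revision: str) -> Dict[str, Any]:
    direct = PROJECT_REVISIONS[project][revision]
    return {"project": project, "revision": revision, "direct_dependencies": list(direct)}

def get_revision_dependencies(project: str, revision: str) -> Dict[str, List[str]]:
    """Flatten the nested tree: every transitive locator -> the path that pulls it in.
    Breadth-first gives the shortest path; the visited check stops diamonds/cycles."""
    paths: Dict[str, List[str]] = {}
    queue = deque((dep, [dep]) for dep in PROJECT_REVISIONS[project][revision])
    while queue:
        locator, path = queue.popleft()
        if locator in paths:
            continue
        parse_locator(locator)  # reject malformed entries early
        paths[locator] = path
        for child in LIBRARY_DEPS.get(locator, []):
            queue.append((child, path + [child]))
    return paths

def check_vulnerabilities(locators: List[str]) -> List[str]:
    """One query over many locators; returns those with a known vulnerability."""
    hits = []
    for loc in set(locators):
        parse_locator(loc)  # malformed input is an error, not "not vulnerable"
        if loc in KNOWN_VULNERABLE:
            hits.append(loc)
    return sorted(hits)

def get_parent_projects(locator: str, latest_only: bool = True) -> List[Tuple[str, str]]:
    """Reverse lookup: (project, revision) pairs that contain the locator anywhere in the tree."""
    hits = []
    for project in list_projects():
        revisions = list_revisions(project)
        for revision in (revisions[-1:] if latest_only else revisions):
            if locator in get_revision_dependencies(project, revision):
                hits.append((project, revision))
    return hits

# The page's workflow end to end: CVE alert -> which projects, via which path.
def blast_radius(cve_locator: str) -> Dict[str, List[str]]:
    return {project: get_revision_dependencies(project, revision)[cve_locator]
            for project, revision in get_parent_projects(cve_locator)}

def direct_vs_transitive(project: str, revision: str) -> Tuple[List[str], List[str]]:
    """The 'only checking package.json' pitfall: hits among direct deps vs the full tree."""
    direct = get_revision(project, revision)["direct_dependencies"]
    full = list(get_revision_dependencies(project, revision))
    return check_vulnerabilities(direct), check_vulnerabilities(full)
```

Running blast_radius("npm+ssh2$0.6.1") over the constructed data returns only billing-service, reached through two intermediate libraries; a scan of its direct dependencies alone reports nothing, which is the gap the first tradeoff describes. Passing latest_only=False to get_parent_projects also surfaces the older ci-runner revision that still carried the vulnerable version, which is the point of auditing a specific moment in time rather than only the current state.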
When to use FOSSA MCP
Use this MCP if your core problem is determining the scope of a risk. You need to answer questions like: 'What does Project X depend on?' or 'Which 15 projects use this vulnerable library?'. It’s for deep, systemic auditing where you must trace dependencies across multiple applications and time periods.
Don't use it if your only goal is to check the license of a single file or run a quick, isolated vulnerability scan. For that, simpler code analysis tools might suffice. But when the risk spans an entire organization—the 'blast radius' problem—you need the comprehensive view this MCP provides.
Frequently asked questions about FOSSA MCP
How does FOSSA License Compliance MCP help with dependency auditing?
It allows your agent to analyze the full dependency tree using get_revision_dependencies, which builds a complete Software Bill of Materials (SBOM) without you having to manually map out every layer.
Can I check vulnerabilities across multiple projects with FOSSA License Compliance MCP?
Yes. You can first use list_projects to gather the targets, and then use check_vulnerabilities in a single query against those combined locators.
What if I need data from an old version of a project?
You can't rely on current data. Use list_revisions to find the historical versions, and then use get_revision to pull metadata for that specific point in time.
Does FOSSA License Compliance MCP tell me which project owns a risky dependency?
Absolutely. The get_parent_projects tool will search your entire organization and list every single parent application using the problematic package, solving the 'blast radius' problem.