# FOSSA MCP

> FOSSA License Compliance connects your open-source auditing tools directly to your AI client. It automates security vulnerability checks and license compliance reviews across entire software supply chains, letting you query project dependencies in natural language. Stop clicking through dashboards; start asking questions about where every piece of code comes from.

## Overview
- **Category:** developer-tools
- **Price:** Free
- **Tags:** open-source, license-compliance, vulnerability-scanning, dependency-management, software-audit

## Description

Manually tracking open-source licenses or hunting down a single vulnerable dependency is a massive time sink. This MCP lets your AI client bypass the FOSSA web interface entirely. Instead, you talk to it naturally and get precise audit data for your whole organization's codebase. You can list every project, pinpoint exactly which parent applications rely on a risky package, or check dozens of dependencies for vulnerabilities all in one go. When paired with Vinkius, this MCP becomes the central point for accessing enterprise-grade security intelligence from any compatible client. It takes deep, complex data—like dependency trees and revision metadata—and turns it into actionable answers you can use right away.

## Tools

### check_vulnerabilities
Checks a list of package locators to see whether any of them have known security vulnerabilities.

### get_revision
Fetches detailed metadata for a specific, named project revision.

### get_parent_projects
Finds all parent projects that incorporate a given dependency.

### list_projects
Lists every project in your organization, with filtering options to narrow the search.

### get_revision_dependencies
Retrieves the full dependency list for a specific version of a project.

### list_revisions
Lists all available revisions (versions) that exist for a given project.

## Prompt Examples

**Prompt:** 
```
List all projects in my FOSSA organization named 'DocsExample'.
```

**Response:** 
```
I've found the project: 'custom+27932/DocsExample'. Would you like to see its recent revisions or check for vulnerabilities?
```

**Prompt:** 
```
Check for vulnerabilities in npm+ssh2$0.6.1 and npm+coa$2.0.2.
```

**Response:** 
```
I've analyzed those locators. 'npm+ssh2$0.6.1' has 2 critical vulnerabilities related to command injection. 'npm+coa$2.0.2' is currently clear of known vulnerabilities in the FOSSA database.
```

**Prompt:** 
```
Which projects are using the dependency npm+coa$2.0.2?
```

**Response:** 
```
The dependency 'npm+coa$2.0.2' is found in 3 parent projects: 'Core-API', 'Frontend-Dashboard', and 'Legacy-Auth-Service'.
```

## Capabilities

### List all projects
Retrieves a list of every project in your organization, supporting filtering by criteria like department or status.

### Analyze specific revisions
Gets detailed metadata for any version locator, allowing you to audit a project at a precise point in time.

### Map dependency trees
Deep-dives into the full dependency list of a revision, building an accurate software bill of materials (SBOM).

### Identify project impact areas
Determines which parent projects contain specific dependencies that are vulnerable or non-compliant.

### Scan for vulnerabilities
Checks multiple dependency locators against the FOSSA database in a single query to find security risks.

### View project history
Lists all available revisions for a given project, helping you track changes over time.

## Use Cases

### The sudden vulnerability alert
A security engineer gets an alert about a critical CVE affecting `npm+ssh2$0.6.1`. Instead of spending hours checking every service's source code, they ask their agent to run the dependency locators through `check_vulnerabilities` and immediately get confirmation on which projects need patching.

### License review before merger
A legal team needs to know if a newly acquired codebase is compliant. They use `list_projects` to get the inventory, then run detailed audits on specific revisions using `get_revision`, ensuring no non-compliant licenses sneak into the merged product.

### Debugging dependency sprawl
A developer can't figure out why a feature is breaking. They ask their agent to use `get_parent_projects` for the failing library, instantly revealing that three unrelated microservices are relying on the problematic code.

## Benefits

- Pinpoint risks instantly. Instead of manually checking one package, you can run `check_vulnerabilities` against multiple locators in a single query, giving immediate security coverage.
- See the full scope. Use `get_parent_projects` to answer questions like, 'Which services are using this deprecated library?' and get an exhaustive list of every consumer project.
- Audit specific moments in time. By checking revisions using `list_revisions` and `get_revision`, you can audit a project's compliance state exactly as it was last month, not just its current state.
- Cover the entire codebase. Start by running `list_projects` to get an inventory of all potential targets, ensuring no service is missed during your security sweep.
- Understand dependency depth. The `get_revision_dependencies` tool doesn't just list what's in a project; it maps out the full tree structure you need for compliance checks.

## How It Works

The bottom line is that you get a conversational interface for complex security audits, eliminating manual API calls and UI navigation.

1. Subscribe to this MCP and input your FOSSA API Token.
2. Direct your AI client to use the connected tools when prompted with an audit task.
3. Your agent executes the necessary commands, returning structured data on compliance or vulnerabilities.

## Frequently Asked Questions

**How does FOSSA License Compliance MCP help with dependency auditing?**
It allows your agent to analyze the full dependency tree using `get_revision_dependencies`, which builds a complete Software Bill of Materials (SBOM) without you having to manually map out every layer.

**Can I check vulnerabilities across multiple projects with FOSSA License Compliance MCP?**
Yes. You can first use `list_projects` to gather the targets, and then use `check_vulnerabilities` in a single query against those combined locators.

**What if I need data from an old version of a project?**
The current revision's data won't answer that. Use `list_revisions` to find the historical versions, then use `get_revision` to pull metadata for that specific point in time.

**Does FOSSA License Compliance MCP tell me which project owns a risky dependency?**
Absolutely. The `get_parent_projects` tool will search your entire organization and list every single parent application using the problematic package, solving the 'blast radius' problem.