# Security Hacker MCP > Google Deps.dev Security Hacker turns your AI client into a specialized DevSecOps auditor. It instantly scans open-source packages and full GitHub repositories for deep supply-chain vulnerabilities, known CVEs, and governance gaps across npm, PyPI, Maven, and more. You get to hunt down hidden threats that basic scanners miss. ## Overview - **Category:** industry-titans - **Price:** Free - **Tags:** supply-chain-security, dependency-analysis, vulnerability-scanning, open-source-security, devsecops ## Description This MCP connects your agent directly to Google's Open Source Insights (deps.dev). It lets you perform serious security audits on any open-source code, making your AI client a true DevSecOps auditor. Instead of running multiple command-line tools or cross-referencing documentation pages for vulnerabilities, your agent handles the entire process in chat. Need to check if an old version of Express is safe? Just ask. Need to know every single dependency that package relies on, including the ones you never knew existed? The agent maps the whole tree. You can even paste a GitHub URL and get a full governance score based on industry best practices. Vinkius hosts this MCP so your AI client can access all of these checks from one place. It's what developers actually need when they're worried about supply chain attacks. ## Tools ### analyze_dependency Checks a specific open-source package across multiple systems (npm, pypi, etc.) for security flaws and governance scores. ### analyze_github_repository Runs a full audit of a GitHub repository to assess its overall development security practices using OSSF Scorecards. ### get_transitive_dependencies Maps the complete dependency tree for a package, finding hidden or indirect components that pose security risks. ### get_vulnerability_details Retrieves specific technical details about any known vulnerability using its CVE or GHSA identifier. ## Prompt Examples **Prompt:** ``` Audit the npm package 'express' version 4.16.0 for any security vulnerabilities. ``` **Response:** ``` I checked `express` v4.16.0 on deps.dev. It has **4 known security advisories**, including GHSA-8X4W-MXXF-XXXX (High Severity - CVSS 7.5). The project has an OSSF Scorecard of 6.8/10. I strongly recommend upgrading. ``` **Prompt:** ``` I found this GHSA-xvch-5gv4-984h advisory. What does it do and what packages are affected? ``` **Response:** ``` That ID corresponds to a **CRITICAL (CVSS: 9.8)** vulnerability: "Prototype Pollution in Lodash". It allows an attacker to inject properties into Object.prototype. It affects the npm package `lodash` on versions `< 4.17.15`. You must upgrade immediately. ``` **Prompt:** ``` Check the dependency tree for the pypi package 'requests' v2.28.1. Are there any hidden threats? ``` **Response:** ``` I mapped the entire transitive tree (total 8 dependencies). **⚠️ WARNING: Found 1 hidden threat:** The indirect dependency `certifi` (v2022.6.15) has a known security advisory. You should override this dependency in your requirements. ``` **Prompt:** ``` Generate a security governance audit for https://github.com/facebook/react ``` **Response:** ``` Here is the OSSF Scorecard audit for `facebook/react`. It scores a **7.2/10** overall. They excel in Code-Review (10/10) and Branch-Protection (10/10), but lost points on Pinned-Dependencies (3/10) and lack of Fuzzing (0/10). ``` **Prompt:** ``` Is the 'log4j' maven package safe to use right now? ``` **Response:** ``` Let me check the latest versions on deps.dev. The older 2.14.x versions are famously compromised (Log4Shell - CVE-2021-44228, CVSS 10.0). However, the latest version `2.20.0` has **✅ No known security advisories** and is safe to use. Always ensure you are pinning the latest version. ``` ## Capabilities ### Audit single dependencies Check any open-source package across major ecosystems (npm, PyPI, etc.) for known security flaws and adherence to governance standards. ### Map hidden supply chain risks Trace the full dependency tree of a package to find indirect or deep-level vulnerabilities that aren't immediately obvious. ### Scan repository health Run comprehensive security and governance audits on an entire GitHub repository, checking for best practices like code reviews and fuzzing. ### Look up vulnerability details Retrieve specific technical information about a given CVE or GitHub Security Advisory ID so you know exactly what's compromised. ## Use Cases ### Vetting a new third-party library A developer finds a promising open-source library but isn't sure if it's safe. They ask their agent to run `analyze_dependency` on the package name, immediately getting an OSSF score and a list of known CVEs without installing anything locally. ### Investigating supply chain risks A security engineer suspects a core service has been compromised by a hidden dependency. They use `get_transitive_dependencies` to map the full tree, spotting an obscure, unpatched component that needs overriding. ### Assessing team code quality A manager wants to know if their internal teams are following security best practices. They input a GitHub URL and run `analyze_github_repository`, getting actionable feedback on branch protection or code review enforcement. ### Responding to a critical zero-day alert A team gets an alert about an old vulnerability ID (like Log4Shell). They use `get_vulnerability_details` with the specific CVE ID, getting immediate confirmation of severity and affected package versions. ## Benefits - Never trust a dependency blindly. Use the `get_transitive_dependencies` tool to map every single indirect component, finding hidden malware or unpatched flaws deep in the stack. - Cut down on manual research time. Instead of checking multiple documentation sites for CVEs, let your agent use `analyze_dependency` to instantly flag known security advisories across npm, PyPI, and more. - Gauge project maturity automatically. Paste a GitHub URL and run `analyze_github_repository`. You get an OSSF Scorecard that tells you if the project even follows basic security best practices. - Understand exactly what's broken. If you find a weird CVE ID, use `get_vulnerability_details` to pull down the exact exploit mechanism, severity, and affected versions for immediate patching. - Support every major language stack. This MCP works natively across npm (Node.js), PyPI (Python), Maven (Java), Cargo (Rust), and more, so you never have to switch tools. ## How It Works The bottom line is you get professional-grade supply chain security analysis without leaving your chat window. 1. Tell your agent which package, repository, or vulnerability ID you need to check. For example: 'Audit the PyPI package requests.' 2. The MCP connects to Google's deps.dev API and executes the necessary security scan (e.g., mapping dependencies or checking governance). 3. You get a plain-language report detailing known CVEs, high-risk components, OSSF scores, and immediate upgrade recommendations. ## Frequently Asked Questions **How does Google Deps.dev Security Hacker check dependencies?** It connects directly to the deps.dev API and supports major package managers like npm, PyPI, Cargo, Maven, and NuGet for comprehensive coverage. **Can I use analyze_github_repository with private repos?** The MCP requires a publicly accessible GitHub URL to run the OSSF Scorecard audit. It analyzes public governance practices only. **Does get_transitive_dependencies find everything?** It maps and scans the entire dependency graph, finding indirect components that could contain hidden security threats or unpatched vulnerabilities. **What is an OSSF Scorecard?** The OSSF Scorecard is a metric used to rate how well a repository enforces development best practices like code review and branch protection. **Is this better than running local vulnerability scanners?** Yes. While local tools are good, the Security Hacker MCP provides immediate, centralized analysis across multiple ecosystems without needing to install anything or manage complex environments yourself.