# Socket.dev (Dependency Security) MCP

> Socket.dev (Dependency Security) immediately scans your open-source packages to hunt down vulnerabilities in your software supply chain. Your agent checks package security scores, analyzes manifest files like `package.json`, and monitors real-time threat feeds for malicious dependencies before you ever run an install command.

## Overview
- **Category:** fort-knox
- **Price:** Free
- **Tags:** supply-chain-security, dependency-scanning, open-source-security, malware-detection, devsecops, package-analysis

## Description

When developing software, the biggest risk often isn't the code you write; it's the packages you download. This MCP connects your AI agent directly to Socket.dev's security platform, letting you proactively defend against supply chain attacks. Instead of treating dependency checking as a manual, multi-step process that slows down sprints, you pass your manifest files—whether they're for npm, PyPI, or Go—and get an instant audit report. Your agent can check specific packages for known issues or grab the overall security score in seconds. If anything looks suspicious, it flags it immediately and provides details on why it’s risky. By connecting through Vinkius, you give your AI client access to this deep layer of security intelligence, allowing you to catch typosquatting and backdoors right inside your chat window or IDE. You stop guessing if a package is safe; you just know.

## Tools

### create_scan
Uploads manifest files (like package.json) to start a new project-wide dependency scan.

### delete_scan
Removes an existing, unnecessary security scan record.

### get_package_issues
Checks for known vulnerabilities and specific issues associated with a single package name.

### get_package_score
Retrieves the overall security score (e.g., 98/100) for a specified software package.

### get_quota
Shows how many API scan requests are left for the current billing period.

### get_report
Fetches all the detailed results and findings from a specific, completed security report.

### get_scan
Retrieves metadata about a scan to check its current status (running or finished).

### get_threat_feed
Accesses the real-time feed of packages flagged by Socket's analysis engine as malicious.

### list_organizations
Lists all different organizations that the provided API token has permission to access and audit.

### list_reports
Retrieves a list of historical security reports, providing IDs needed for deeper inspection.

## Prompt Examples

**Prompt:** 
```
Check the security score for the npm package 'axios'.
```

**Response:** 
```
I've checked the security score for `pkg:npm/axios`. It currently has a high security score of 98/100, with no critical issues detected in the latest version.
```

**Prompt:** 
```
List all security reports for my organization.
```

**Response:** 
```
I've retrieved the reports. You have 3 recent scans available. Would you like me to get the details for the most recent report (ID: rep_12345)?
```

**Prompt:** 
```
Show me the real-time threat feed from Socket.
```

**Response:** 
```
Fetching the threat feed... I found several recently flagged malicious packages, including 'discord-selfbot-v14' which was flagged for containing malware. Be cautious if these appear in your dependencies.
```

## Capabilities

### Scan code dependencies
Upload manifest files like `requirements.txt` or `package.json` to create a full security scan of your project.

### Check package safety scores
Instantly retrieve the detailed security score and issue alerts for any specific open-source package using its name.

### Access real-time threat intel
Pull a live feed listing packages that Socket's engine has recently flagged as malicious or dangerous.

### Review and manage reports
List, retrieve, and organize historical security reports for your entire organization.

## Use Cases

### Auditing a new microservice dependency
A developer needs to add a logging library. Instead of running `npm install` and hoping for the best, they tell their agent to use `get_package_score` on the library's name. The agent instantly returns an A+ score with no critical issues reported, confirming safety before the first line of code is written.

### Triage after a major security bulletin
A DevOps team receives a warning about a common vulnerability. They instruct their agent to use `create_scan` on all existing project manifest files, creating multiple scans to identify which internal services are affected and what needs immediate patching.

### Checking organizational compliance
A security engineer must ensure that every team meets a minimum dependency safety standard. They use `list_organizations` first, then run targeted scans across all departments to generate a unified report for leadership review.

### Reacting to zero-day threats
During an active threat window, the team needs immediate intelligence. The agent runs `get_threat_feed` and immediately flags several packages that have been recently flagged with malware, allowing the team to pull them from deployment lists instantly.

## Benefits

- Stop worrying about obscure dependencies. By checking package safety scores, you get a single number that tells you how secure a component is—no guesswork required.
- Keep your codebase clean by using the `create_scan` tool to upload full manifest files. This provides a comprehensive security audit for every dependency in one go.
- Stay ahead of bad actors. The dedicated `get_threat_feed` tool gives you real-time alerts on malicious packages, letting you block them before they hit production.
- Manage compliance effortlessly. Use the report listing tools (`list_reports`, `get_report`) to keep a centralized record of your security posture across multiple projects and organizations.
- Eliminate manual research time. Instead of searching documentation for known issues, simply ask your agent to run `get_package_issues` on any package name.

## How It Works

The bottom line is that your AI client treats dependency security like another searchable function in the conversation, eliminating manual CLI steps entirely.

1. Subscribe to this MCP and input your personal Socket.dev API token.
2. Direct your AI agent to use the dependency scanning tools, providing it with the manifest file data (e.g., package names or a full `package.json`).
3. Your agent runs the scan and returns detailed security reports, showing you which packages are vulnerable or if they have high-risk issues.

## Frequently Asked Questions

**How do I check the overall safety score using Socket.dev (Dependency Security)?**
You use `get_package_score` and provide the full package identifier, like `pkg:npm/react`. The tool returns a simple numerical score that tells you how healthy the dependency is right now.

**Can Socket.dev (Dependency Security) scan multiple manifest files at once?**
Yes. You first use `create_scan` and upload all necessary manifest data, allowing a single job to audit dependencies from various sources like package.json and requirements.txt.

**What is the difference between running `get_package_issues` and `get_report`?**
`get_package_issues` gives you specific, immediate alerts for one package. `get_report` provides a comprehensive summary of all findings from an entire scan run.

**Do I need to worry about my API usage quota with Socket.dev (Dependency Security)?**
No problem. You can use the `get_quota` tool anytime your agent needs it, which simply tells you how many scan requests are remaining for your account.

**Does this MCP help me find brand new malware?**
Yes. The dedicated `get_threat_feed` accesses Socket's real-time intelligence feed, alerting you to packages recently flagged by the community or security experts as malicious.