auth-securitydeveloper-tools

Socket Security▌

by socketdev

Socket Security integrates with Socket's API to analyze npm and PyPI packages for detailed vulnerability and quality met

Integrates with Socket's dependency security API to analyze npm and PyPI packages, returning detailed security and quality metrics for vulnerability assessment and dependency management.

github stars

★ 87

GitHub npm

Public hosted service — zero setupNo API key requiredBatch processing support

best for

/ Developers auditing project dependencies
/ Security teams reviewing package safety
/ DevOps teams implementing security gates
/ Code reviewers checking new dependencies

capabilities

/ Scan npm packages for security vulnerabilities
/ Analyze PyPI packages for quality metrics
/ Check dependency security scores in batches
/ Generate vulnerability reports for packages
/ Assess package maintenance status
/ Evaluate dependency risk levels

what it does

Analyzes npm and PyPI packages for security vulnerabilities and quality metrics using Socket's dependency security API. Helps identify risky dependencies before adding them to projects.

about

Socket Security is an official MCP server published by socketdev that provides AI assistants with tools and capabilities via the Model Context Protocol. Socket Security integrates with Socket's API to analyze npm and PyPI packages for detailed vulnerability and quality met It is categorized under auth security, developer tools.

how to install

You can install Socket Security in your AI client of choice. Use the install panel on this page to get one-click setup for Cursor, Claude Desktop, VS Code, and other MCP-compatible clients. This server runs locally on your machine via the stdio transport.

license

MIT

Socket Security is released under the MIT license. This is a permissive open-source license, meaning you can freely use, modify, and distribute the software.

readme

Socket MCP Server

A Model Context Protocol (MCP) server for Socket integration, allowing AI assistants to efficiently check dependency vulnerability scores and security information.

✨ Features

🔍 Dependency Security Scanning - Get comprehensive security scores for npm, PyPI, and other package ecosystems
🌐 Public Hosted Service - Use our public server at https://mcp.socket.dev/ with no setup required
🚀 Multiple Deployment Options - Run locally via stdio, HTTP, or use our service
🤖 AI Assistant Integration - Works seamlessly with Claude, VS Code Copilot, Cursor, and other MCP clients
📊 Batch Processing - Check multiple dependencies in a single request
🔒 No Authentication Required - Public server requires no API keys or registration

🛠️ This project is in early development and rapidly evolving.

🚀 Quick Start

Option 1: Use the Public Socket MCP Server (Recommended)

The easiest way to get started is to use our public Socket MCP server. No API key or authentication required! Click a button below to install the public server in your favorite AI assistant.

<details><summary>Manual Installation Instructions & more MCP Clients</summary> <details><summary>Install in Claude Desktop or Claude Code</summary>

[!NOTE] Custom integrations are not available to all paid versions of Claude. Check here for more information.

To use the public Socket MCP server with Claude Desktop:

In Claude Desktop, go to Settings > Developer > Edit Config.
Add the Socket MCP server configuration:

{
  "mcpServers": {
    "socket-mcp": {
      "type": "http",
      "url": "https://mcp.socket.dev/"
    }
  }
}

Save the configuration and restart Claude Desktop.
Now you can ask Claude questions like "Check the security score for express version 4.18.2".

The process is similar for Claude Code. See the Claude Code documentation for more details. Here's an example command to add the Socket MCP server:

claude mcp add --transport http socket-mcp https://mcp.socket.dev/

</details> <details><summary>Install in VS Code</summary>

You can install the Socket MCP server using the VS Code CLI:

# For VS Code with GitHub Copilot
code --add-mcp '{"name":"socket-mcp","type":"http","url":"https://mcp.socket.dev/}'

After installation, the Socket MCP server will be available for use with your GitHub Copilot agent in VS Code.

Alternatively, you can manually add it to your VS Code MCP configuration in .vscode/mcp.json:

{
  "servers": {
    "socket-mcp": {
      "type": "http",
      "url": "https://mcp.socket.dev/"
    }
  }
}

</details> <details><summary>Install in Cursor</summary>

Go to Cursor Settings -> MCP -> Add new MCP Server. Name it "socket-mcp", use http type with URL https://mcp.socket.dev/.

{
  "mcpServers": {
    "socket-mcp": {
      "type": "http",
      "url": "https://mcp.socket.dev/"
    }
  }
}

</details> <details><summary>Install in Windsurf</summary>

[!WARNING] Windsurf does not support http type MCP servers yet. Use the stdio configuration below.

To use the Socket MCP server in Windsurf:

Open Windsurf Settings
Navigate to MCP Servers section
Add a new server with the following configuration:

{
    "mcpServers": {
        "socket-mcp": {
            "serverUrl": "https://mcp.socket.dev/mcp"
        }
    }
}

Save the configuration and restart Windsurf if needed.

</details> </details>

Option 2: Deploy Socket MCP Server on your machine

If you prefer to run your own instance, you can deploy the Socket MCP server locally using either stdio or HTTP modes.

Getting an API key

To use a local Socket MCP Server, you need to create an API key. You can do this by following these steps. The only required permission scope is packages:list, which allows the MCP server to query package metadata for dependency scores.

For local deployment, you have two options:

Option 2a: Stdio Mode (Default)

Click a button below to install the self-hosted stdio server in your favorite AI assistant.

Claude Code (stdio mode) can be set up with the following command:

claude mcp add socket-mcp -e SOCKET_API_KEY="your-api-key-here" -- npx -y @socketsecurity/mcp@latest

This is how the configuration looks like on most MCP clients:

{
  "mcpServers": {
    "socket-mcp": {
      "command": "npx",
      "args": ["@socketsecurity/mcp@latest"],
      "env": {
        "SOCKET_API_KEY": "your-api-key-here"
      }
    }
  }
}

This approach automatically uses the latest version without requiring global installation.

Option 2b: HTTP Mode

Run the server in HTTP mode using npx:

MCP_HTTP_MODE=true SOCKET_API_KEY=your-api-key npx @socketsecurity/mcp@latest --http

Configure your MCP client to connect to the HTTP server:

{
  "mcpServers": {
    "socket-mcp": {
      "type": "http",
      "url": "http://localhost:3000"
    }
  }
}

Tools exposed by the Socket MCP Server

depscore

The depscore tool allows AI assistants to query the Socket API for dependency scoring information. It provides comprehensive security and quality metrics for packages across different ecosystems.

Parameters:

Parameter	Type	Required	Default	Description
`packages`	Array	✅ Yes	-	Array of package objects to analyze
`packages[].ecosystem`	String	No	`"npm"`	Package ecosystem (`npm`, `pypi`, `cargo`, etc.)
`packages[].depname`	String	✅ Yes	-	Name of the dependency/package
`packages[].version`	String	No	`"unknown"`	Version of the dependency

Example Usage:

{
  "packages": [
    {
      "ecosystem": "npm",
      "depname": "express",
      "version": "4.18.2"
    },
    {
      "ecosystem": "pypi",
      "depname": "fastapi",
      "version": "0.100.0"
    }
  ]
}

Sample Response:

pkg:npm/express@4.18.2: supply_chain: 1.0, quality: 0.9, maintenance: 1.0, vulnerability: 1.0, license: 1.0
pkg:pypi/fastapi@0.100.0: supply_chain: 1.0, quality: 0.95, maintenance: 0.98, vulnerability: 1.0, license: 1.0

How to Use the Socket MCP Server

Ask your AI assistant to check dependencies:
- "Check the security score for express version 4.18.2"
- "Analyze the security of my package.json dependencies"
- "What are the vulnerability scores for react, lodash, and axios?"
Get comprehensive security insights including supply chain, quality, maintenance, vulnerability, and license scores.

Adjust tool usage with custom rules

You can further customize how the Socket MCP server interacts with your AI assistant by modifying your client rules. The rules are usually a markdown file and its location depends on the AI assistant you are using.

MCP Client	Rules File Location
Claude Desktop/Code	`CLAUDE.md`
VSCode Copilot	`.github/copilot-instructions.md`
Cursor	`.cursor/rules`

Rules that can be added to the client rules file include the following:

Always check dependency scores with the depscore tool when you add a new dependency. If the score is low, consider using an alternative library or writing the code yourself. If you are unsure about the score, ask for a review from someone with more experience. When checking dependencies, make sure to also check the imports not just the pyproject.toml/package.json/dependency file.

You can adjust the rules to fit your needs. For example, you can add rules to include specific manifest files, or guide the AI assistant on how to handle low scores. The rules are flexible and can be tailored to your workflow.

Development

For End Users

For most users, we recommend using either:

Public server: https://mcp.socket.dev/ (no setup required)
NPX command: npx @socketsecurity/mcp@latest (always latest version)

For Contributors

If you want to contribute to the Socket MCP server development:

Health Check Endpoint

When running in HTTP mode, the server provides a health check endpoint for Kubernetes and Docker deployments:

GET /health

Response:

{
  "status": "healthy",
  "service": "socket-mcp",
  "ver

---