Socket-MCP Dependency Security Scan for MCP Servers with AI Integration and Multi-Deployment

Socket MCP

The Socket MCP server is a Model Context Protocol service for dependency security scanning, providing security scores and vulnerability detection functions for software package ecosystems such as npm and PyPI, supporting AI assistant integration and multiple deployment methods.

Security Developer tools #Dependency security #Vulnerability detection #AI integration #Multi - ecosystem support .TypeScript

rating : 2.5 points

downloads : 0

update time : 2025-09-09

Open Site

What is the Socket MCP Server?

The Socket MCP Server is a dependency security scanning service specifically designed for AI assistants. Through the Model Context Protocol, it enables your AI assistants (such as Claude, VS Code Copilot, etc.) to query and analyze the security scores, vulnerability information, and quality metrics of software dependency packages in real - time.

How to use the Socket MCP Server?

It's very simple to use: choose the public server without any settings, or deploy it locally and use your own API key. After configuration, just ask questions to the AI assistant to get the security scores of dependency packages.

Applicable scenarios

Suitable for developers to check dependency security in real - time when writing code, evaluate third - party library risks during project initialization, and verify the security status of dependency packages during the code review process.

Main Features

Dependency Security Scanning

Provide comprehensive security scores for multiple package ecosystems such as npm and PyPI, including evaluations in multiple dimensions such as supply chain, quality, maintenance, vulnerabilities, and licenses.

Public Hosting Service

A public service that can be used without any settings, no API key or registration required, ready to use out of the box.

Multiple Deployment Options

Support running in three ways: through stdio, HTTP, or using the public service, meeting the needs of different usage scenarios.

AI Assistant Integration

Seamlessly integrate with mainstream AI assistants such as Claude, VS Code Copilot, and Cursor, providing a natural language interaction experience.

Batch Processing

Support checking multiple dependencies in a single request to improve efficiency.

Advantages

No authentication required: The public server is completely free and does not require an API key

Easy to use: One - click installation and configuration, supporting multiple AI assistant platforms

Comprehensive coverage: Support multiple package ecosystems and security dimension evaluations

Real - time feedback: Instantly get the security scores and risk information of dependencies

Limitations

Early development: The project is in the early stage, and the functions may still be continuously improved

Network dependency: Requires a stable network connection to access the Socket API service

Ecosystem limitations: Mainly support mainstream package managers, and some niche ecosystems may not be fully covered

How to Use

Choose the deployment method

Choose to use the public server or deploy it locally according to your needs. It is recommended for beginners to use the public server.

Configure the AI assistant

Add the Socket MCP server configuration to the AI assistant platform you are using.

Start using

After restarting the AI assistant, you can query the security information of dependencies through natural language.

Usage Examples

Dependency evaluation for new projects

When creating a new project, evaluate the security of the proposed dependency packages in real - time through the AI assistant to avoid introducing high - risk dependencies.

Security audit of existing projects

Conduct a batch security review of the dependencies in the package.json or requirements.txt of an existing project.

Dependency upgrade decision - making

When considering upgrading the dependency version, compare the security differences between different versions.

Frequently Asked Questions

What if the public server does not respond?

What if the local server fails to start?

What if the AI assistant cannot find the depscore tool?

Is it necessary to pay for use?

Related Resources

Socket official documentation

Complete documentation on using the Socket platform and API reference

GitHub project repository

Source code and issue tracking for the Socket MCP server

Problem feedback

Report problems encountered during use or suggest new features

Community discussion

Exchange usage experiences and best practices with other users

🚀 Socket MCP Server

The Socket MCP Server is a Model Context Protocol (MCP) server designed for Socket integration. It enables AI assistants to efficiently check dependency vulnerability scores and access security information, enhancing the security of software development.

✨ Features

🔍 Dependency Security Scanning: Obtain comprehensive security scores for packages in npm, PyPI, and other ecosystems.
🌐 Public Hosted Service: Utilize our public server at https://mcp.socket.dev/ without any setup requirements.
🚀 Multiple Deployment Options: Run the server locally via stdio, HTTP, or use our hosted service.
🤖 AI Assistant Integration: Seamlessly integrate with Claude, VS Code Copilot, Cursor, and other MCP clients.
📊 Batch Processing: Check multiple dependencies in a single request for increased efficiency.
🔒 No Authentication Required: The public server does not require API keys or registration.

🛠️ This project is in its early development stage and is evolving rapidly.

🚀 Quick Start

Option 1: Use the Public Socket MCP Server (Recommended)

The simplest way to begin is by using our public Socket MCP server. No API key or authentication is needed! Click one of the buttons below to install the public server in your preferred AI assistant.

Manual Installation Instructions & more MCP Clients

Install in Claude Desktop or Claude Code

⚠️ Important Note

Custom integrations are not available for all paid versions of Claude. Refer to this link for more information.

To use the public Socket MCP server with Claude Desktop:

In Claude Desktop, navigate to Settings > Developer > Edit Config.
Add the following Socket MCP server configuration:

{
  "mcpServers": {
    "socket-mcp": {
      "type": "http",
      "url": "https://mcp.socket.dev/"
    }
  }
}

Save the configuration and restart Claude Desktop.
You can now ask Claude questions such as "Check the security score for express version 4.18.2".

The process is similar for Claude Code. Refer to the Claude Code documentation for more details. Here is an example command to add the Socket MCP server:

claude mcp add --transport http socket-mcp https://mcp.socket.dev/

Install in VS Code

You can install the Socket MCP server using the VS Code CLI:

# For VS Code with GitHub Copilot
code --add-mcp '{"name":"socket-mcp","type":"http","url":"https://mcp.socket.dev/}'

After installation, the Socket MCP server will be available for use with your GitHub Copilot agent in VS Code.

Alternatively, you can manually add it to your VS Code MCP configuration in .vscode/mcp.json:

{
  "servers": {
    "socket-mcp": {
      "type": "http",
      "url": "https://mcp.socket.dev/"
    }
  }
}

Install in Cursor

Go to Cursor Settings -> MCP -> Add new MCP Server. Name it "socket-mcp", set the type to http, and use the URL https://mcp.socket.dev/.

{
  "mcpServers": {
    "socket-mcp": {
      "type": "http",
      "url": "https://mcp.socket.dev/"
    }
  }
}

Install in Windsurf

⚠️ Important Note

Windsurf does not currently support http type MCP servers. Use the stdio configuration below.

To use the Socket MCP server in Windsurf:

Open Windsurf Settings.
Navigate to the MCP Servers section.
Add a new server with the following configuration:

{
    "mcpServers": {
        "socket-mcp": {
            "serverUrl": "https://mcp.socket.dev/mcp"
        }
    }
}

Save the configuration and restart Windsurf if necessary.

Option 2: Deploy Socket MCP Server on your machine

If you prefer to run your own instance, you can deploy the Socket MCP server locally using either stdio or HTTP modes.

Getting an API key

To use a local Socket MCP Server, you need to create an API key. Follow these steps to create one. The only required permission scope is packages:list, which allows the MCP server to query package metadata for dependency scores.

For local deployment, you have two options:

Option 2a: Stdio Mode (Default)

Click one of the buttons below to install the self-hosted stdio server in your favorite AI assistant.

Claude Code (stdio mode) can be set up with the following command:

claude mcp add socket-mcp -e SOCKET_API_KEY="your-api-key-here" -- npx -y @socketsecurity/mcp@latest

This is how the configuration looks on most MCP clients:

{
  "mcpServers": {
    "socket-mcp": {
      "command": "npx",
      "args": ["@socketsecurity/mcp@latest"],
      "env": {
        "SOCKET_API_KEY": "your-api-key-here"
      }
    }
  }
}

This approach automatically uses the latest version without requiring global installation.

Option 2b: HTTP Mode

Run the server in HTTP mode using npx:

MCP_HTTP_MODE=true SOCKET_API_KEY=your-api-key npx @socketsecurity/mcp@latest --http

Configure your MCP client to connect to the HTTP server:

{
  "mcpServers": {
    "socket-mcp": {
      "type": "http",
      "url": "http://localhost:3000"
    }
  }
}

💻 Usage Examples

Basic Usage

The Socket MCP Server exposes the depscore tool, which allows AI assistants to query the Socket API for dependency scoring information.

{
  "packages": [
    {
      "ecosystem": "npm",
      "depname": "express",
      "version": "4.18.2"
    },
    {
      "ecosystem": "pypi",
      "depname": "fastapi",
      "version": "0.100.0"
    }
  ]
}

Advanced Usage

Here is a sample response from the depscore tool:

pkg:npm/express@4.18.2: supply_chain: 1.0, quality: 0.9, maintenance: 1.0, vulnerability: 1.0, license: 1.0
pkg:pypi/fastapi@0.100.0: supply_chain: 1.0, quality: 0.95, maintenance: 0.98, vulnerability: 1.0, license: 1.0

How to Use the Socket MCP Server

Ask your AI assistant to check dependencies:
- "Check the security score for express version 4.18.2"
- "Analyze the security of my package.json dependencies"
- "What are the vulnerability scores for react, lodash, and axios?"
Get comprehensive security insights including supply chain, quality, maintenance, vulnerability, and license scores.

Adjust tool usage with custom rules

You can customize how the Socket MCP server interacts with your AI assistant by modifying your client rules. The rules are usually in a markdown file, and its location depends on the AI assistant you are using.

MCP Client	Rules File Location
Claude Desktop/Code	`CLAUDE.md`
VSCode Copilot	`.github/copilot-instructions.md`
Cursor	`.cursor/rules`

Here is an example of rules that can be added to the client rules file:

Always check dependency scores with the depscore tool when you add a new dependency. If the score is low, consider using an alternative library or writing the code yourself. If you are unsure about the score, ask for a review from someone with more experience. When checking dependencies, make sure to also check the imports not just the pyproject.toml/package.json/dependency file.

You can adjust the rules to fit your needs, such as including specific manifest files or guiding the AI assistant on how to handle low scores.

🔧 Technical Details

Development

For End Users

For most users, we recommend using either:

Public server: https://mcp.socket.dev/ (no setup required)
NPX command: npx @socketsecurity/mcp@latest (always latest version)

For Contributors

If you want to contribute to the Socket MCP server development:

Health Check Endpoint

When running in HTTP mode, the server provides a health check endpoint for Kubernetes and Docker deployments:

GET /health

Response:

{
  "status": "healthy",
  "service": "socket-mcp",
  "version": "0.0.3",
  "timestamp": "2025-06-17T20:45:22.059Z"
}

This endpoint can be used for:

Kubernetes liveness and readiness probes
Docker health checks
Load balancer health monitoring
General service monitoring

Prerequisites

Node.js v16 or higher
npm or yarn

Installation

Clone the repository and install dependencies:

git clone https://github.com/SocketDev/socket-mcp.git
cd socket-mcp
npm install

Build

This project is a directly runnable Node.js project using Type stripping. If you are on Node.js 22, run with node --experimental-strip-types index.ts. On any later versions of Node.js, you can simply run node index.ts. In either version, you can also run the npm run scripts which include the correct flags.

The js files will automatically be built when running npm publish, and cleaned up afterwards with npm run clean.

If you want to preview the build, you can run:

npm run build

Run from Source

To run the Socket MCP server from source:

export SOCKET_API_KEY=your_api_key_here
node --experimental-strip-types index.ts

Or in HTTP mode:

MCP_HTTP_MODE=true SOCKET_API_KEY=your_api_key_here node --experimental-strip-types index.ts --http

🔧 Troubleshooting

Common Issues

⚠️ Important Note

Here are some common issues and their solutions:

Q: The public server isn't responding
- Check that you're using the correct URL: https://mcp.socket.dev/
- Verify your MCP client configuration is correct
- Try restarting your MCP client
Q: Local server fails to start
- Ensure you have Node.js v16+ installed
- Check that your SOCKET_API_KEY environment variable is set
- Verify the API key has packages:list permission
Q: Getting authentication errors with local server
- Double-check your Socket API key is valid
- Ensure the key has the required packages:list scope
- Try regenerating your API key from the Socket dashboard
Q: AI assistant can't find the depscore tool
- Restart your MCP client after configuration changes
- Verify the server configuration is saved correctly
- Check that the MCP server is running (for local deployments)