Socket MCP

🚀 Socket MCP Server

The Socket MCP Server is a Model Context Protocol (MCP) server designed for Socket integration. It enables AI assistants to efficiently check dependency vulnerability scores and access security information, enhancing the security of software development.

✨ Features

• 🔍 Dependency Security Scanning: Obtain comprehensive security scores for packages in npm, PyPI, and other ecosystems.
• 🌐 Public Hosted Service: Utilize our public server at https://mcp.socket.dev/ without any setup requirements.
• 🚀 Multiple Deployment Options: Run the server locally via stdio, HTTP, or use our hosted service.
• 🤖 AI Assistant Integration: Seamlessly integrate with Claude, VS Code Copilot, Cursor, and other MCP clients.
• 📊 Batch Processing: Check multiple dependencies in a single request for increased efficiency.
• 🔒 No Authentication Required: The public server does not require API keys or registration.

🛠️ This project is in its early development stage and is evolving rapidly.

🚀 Quick Start

Option 1: Use the Public Socket MCP Server (Recommended)

The simplest way to begin is by using our public Socket MCP server. No API key or authentication is needed! Click one of the buttons below to install the public server in your preferred AI assistant.

{
  "mcpServers": {
    "socket-mcp": {
      "type": "http",
      "url": "https://mcp.socket.dev/"
    }
  }
}

claude mcp add --transport http socket-mcp https://mcp.socket.dev/

# For VS Code with GitHub Copilot
code --add-mcp '{"name":"socket-mcp","type":"http","url":"https://mcp.socket.dev/}'

{
  "servers": {
    "socket-mcp": {
      "type": "http",
      "url": "https://mcp.socket.dev/"
    }
  }
}

{
  "mcpServers": {
    "socket-mcp": {
      "type": "http",
      "url": "https://mcp.socket.dev/"
    }
  }
}

{
    "mcpServers": {
        "socket-mcp": {
            "serverUrl": "https://mcp.socket.dev/mcp"
        }
    }
}

Option 2: Deploy Socket MCP Server on your machine

If you prefer to run your own instance, you can deploy the Socket MCP server locally using either stdio or HTTP modes.

Getting an API key

To use a local Socket MCP Server, you need to create an API key. Follow these steps to create one. The only required permission scope is packages:list, which allows the MCP server to query package metadata for dependency scores.

For local deployment, you have two options:

Option 2a: Stdio Mode (Default)

Click one of the buttons below to install the self-hosted stdio server in your favorite AI assistant.

Claude Code (stdio mode) can be set up with the following command:

claude mcp add socket-mcp -e SOCKET_API_KEY="your-api-key-here" -- npx -y @socketsecurity/mcp@latest

This is how the configuration looks on most MCP clients:

{
  "mcpServers": {
    "socket-mcp": {
      "command": "npx",
      "args": ["@socketsecurity/mcp@latest"],
      "env": {
        "SOCKET_API_KEY": "your-api-key-here"
      }
    }
  }
}

This approach automatically uses the latest version without requiring global installation.

Option 2b: HTTP Mode

1. Run the server in HTTP mode using npx:

MCP_HTTP_MODE=true SOCKET_API_KEY=your-api-key npx @socketsecurity/mcp@latest --http

2. Configure your MCP client to connect to the HTTP server:

{
  "mcpServers": {
    "socket-mcp": {
      "type": "http",
      "url": "http://localhost:3000"
    }
  }
}

💻 Usage Examples

Basic Usage

The Socket MCP Server exposes the depscore tool, which allows AI assistants to query the Socket API for dependency scoring information.

{
  "packages": [
    {
      "ecosystem": "npm",
      "depname": "express",
      "version": "4.18.2"
    },
    {
      "ecosystem": "pypi",
      "depname": "fastapi",
      "version": "0.100.0"
    }
  ]
}

Advanced Usage

Here is a sample response from the depscore tool:

pkg:npm/express@4.18.2: supply_chain: 1.0, quality: 0.9, maintenance: 1.0, vulnerability: 1.0, license: 1.0
pkg:pypi/fastapi@0.100.0: supply_chain: 1.0, quality: 0.95, maintenance: 0.98, vulnerability: 1.0, license: 1.0

How to Use the Socket MCP Server

1. Ask your AI assistant to check dependencies:
   • "Check the security score for express version 4.18.2"
   • "Analyze the security of my package.json dependencies"
   • "What are the vulnerability scores for react, lodash, and axios?"
2. Get comprehensive security insights including supply chain, quality, maintenance, vulnerability, and license scores.

Adjust tool usage with custom rules

You can customize how the Socket MCP server interacts with your AI assistant by modifying your client rules. The rules are usually in a markdown file, and its location depends on the AI assistant you are using.

Here is an example of rules that can be added to the client rules file:

Always check dependency scores with the depscore tool when you add a new dependency. If the score is low, consider using an alternative library or writing the code yourself. If you are unsure about the score, ask for a review from someone with more experience. When checking dependencies, make sure to also check the imports not just the pyproject.toml/package.json/dependency file.

You can adjust the rules to fit your needs, such as including specific manifest files or guiding the AI assistant on how to handle low scores.

🔧 Technical Details

Development

For End Users

For most users, we recommend using either:

1. Public server: https://mcp.socket.dev/ (no setup required)
2. NPX command: npx @socketsecurity/mcp@latest (always latest version)

For Contributors

If you want to contribute to the Socket MCP server development:

Health Check Endpoint

When running in HTTP mode, the server provides a health check endpoint for Kubernetes and Docker deployments:

GET /health

Response:

{
  "status": "healthy",
  "service": "socket-mcp",
  "version": "0.0.3",
  "timestamp": "2025-06-17T20:45:22.059Z"
}

This endpoint can be used for:

• Kubernetes liveness and readiness probes
• Docker health checks
• Load balancer health monitoring
• General service monitoring

Prerequisites

• Node.js v16 or higher
• npm or yarn

Installation

Clone the repository and install dependencies:

git clone https://github.com/SocketDev/socket-mcp.git
cd socket-mcp
npm install

Build

This project is a directly runnable Node.js project using Type stripping. If you are on Node.js 22, run with node --experimental-strip-types index.ts. On any later versions of Node.js, you can simply run node index.ts. In either version, you can also run the npm run scripts which include the correct flags.

The js files will automatically be built when running npm publish, and cleaned up afterwards with npm run clean.

If you want to preview the build, you can run:

npm run build

Run from Source

To run the Socket MCP server from source:

export SOCKET_API_KEY=your_api_key_here
node --experimental-strip-types index.ts

Or in HTTP mode:

MCP_HTTP_MODE=true SOCKET_API_KEY=your_api_key_here node --experimental-strip-types index.ts --http

🔧 Troubleshooting

Common Issues

⚠️ Important Note

Here are some common issues and their solutions:

• Q: The public server isn't responding
  • Check that you're using the correct URL: https://mcp.socket.dev/
  • Verify your MCP client configuration is correct
  • Try restarting your MCP client
• Q: Local server fails to start
  • Ensure you have Node.js v16+ installed
  • Check that your SOCKET_API_KEY environment variable is set
  • Verify the API key has packages:list permission
• Q: Getting authentication errors with local server
  • Double-check your Socket API key is valid
  • Ensure the key has the required packages:list scope
  • Try regenerating your API key from the Socket dashboard
• Q: AI assistant can't find the depscore tool
  • Restart your MCP client after configuration changes
  • Verify the server configuration is saved correctly
  • Check that the MCP server is running (for local deployments)

Getting Help

• 📖 Socket Documentation
• 🐛 Report Issues
• 💬 Community Support

📄 License

This project is licensed under the MIT License - see the LICENSE file for details.