Labsco
SocketDev logo

Socket

β˜… 117

from SocketDev

Scan dependencies for vulnerabilities and security issues using the Socket API.

πŸ”₯πŸ”₯πŸ”₯πŸ”₯βœ“ VerifiedAccount requiredAdvanced setup

Socket MCP Server

Socket Badge CI Coverage

Follow @SocketSecurity Follow @socket.dev on Bluesky

A Model Context Protocol (MCP) server for Socket integration β€” lets AI assistants query dependency vulnerability scores and security metadata.

Why this repo exists

Socket MCP exposes Socket.dev's package-scoring API through the Model Context Protocol, so any MCP-aware AI assistant (Claude, VS Code Copilot, Cursor, Windsurf) can score a package, audit a package.json, or flag risky dependencies as part of a conversation. It ships as both a hosted public server (https://mcp.socket.dev/, no setup) and a self-hostable npm package, so you can choose between zero-friction and full data isolation.

✨ Features

  • πŸ” Dependency Security Scanning - Get comprehensive security scores for npm, PyPI, cargo, Maven, NuGet, RubyGems, Go Modules, and more (supported ecosystems)
  • 🌐 Public Hosted Service - Use our public server at https://mcp.socket.dev/; sign in once via OAuth, no self-hosting
  • πŸš€ Multiple Deployment Options - Run locally via stdio, HTTP, or use our service
  • πŸ€– AI Assistant Integration - Works seamlessly with Claude, VS Code Copilot, Cursor, and other MCP clients
  • πŸ“Š Batch Processing - Check multiple dependencies in a single request
  • πŸ”’ OAuth Sign-In - Public server authenticates through your MCP client's OAuth flow; no API key to copy or manage

πŸ› οΈ This project is in early development and rapidly evolving.

Claude Code Hook (Optional)

The repo ships an optional Claude Code hook that blocks high-risk packages before installation. When Claude Code runs an install command, the hook queries the public Socket MCP server at https://mcp.socket.dev/ and denies the install when the package's supply chain score is below 20 (known malware, typosquats, high-risk supply chain signals). No CLI to install β€” copy the file and wire it up; the public server signs in via OAuth on first use.

Supported ecosystems and package managers:

EcosystemCommands
npmnpm install, npm i, npm add, yarn add, pnpm add, bun add
PyPIpip install, pip3 install, uv add, uv pip install, poetry add, pipenv install
Cargocargo add, cargo install
RubyGemsgem install, bundle add
Gogo get, go install
NuGetdotnet add package, nuget install

Setup

Prerequisites: Node.js 22+.

  1. Copy the whole socket-gate directory into your hooks folder. The bundled socket-gate.cjs is self-contained, so it runs without any dependencies beside it. From a checkout, run pnpm run build first to produce it; from a published install, copy from node_modules/@socketsecurity/mcp/:
Copy & paste β€” that's it
mkdir -p ~/.claude/hooks
cp -R hooks/socket-gate ~/.claude/hooks/
  1. Add to ~/.claude/settings.json:
Copy & paste β€” that's it
{
  "hooks": {
    "PreToolUse": [
      {
        "matcher": "Bash",
        "hooks": [
          {
            "type": "command",
            "command": "node ~/.claude/hooks/socket-gate/socket-gate.cjs"
          }
        ]
      }
    ]
  }
}

See hooks/socket-gate/README.md for the full reference.

How it works

The hook denies installation when supplyChain < 20, allows it otherwise β€” e.g. express/lodash/react (75–97) allow, browserlist (typosquat of browserslist, 15) and confirmed malware (0) block. Network, timeout, or parse errors all fail open, so a Socket outage will not block legitimate work.

Limitations

A best-effort guardrail, not a complete defense. Known gaps:

  • Manifest edits + lockfile installs. If Claude edits a manifest directly (package.json, requirements.txt, Cargo.toml, Gemfile, go.mod, *.csproj) then runs a bare install (npm install, pip install -r requirements.txt, cargo build, bundle install, go mod tidy, dotnet restore), there is no package name on the command line to check.
  • Package-manager invocations only. Direct downloads (curl | sh, wget), post-install scripts of already-accepted packages, and transitive dependencies are not re-checked.
  • Indirect Claude paths. Sub-agents, MCP tools that shell out, and non-Bash tool calls are not covered unless the matcher is broadened.

Inspired by Jimmy Vo's dependency hook.

Development

<details> <summary>Contributor commands</summary>
Copy & paste β€” that's it
git clone https://github.com/SocketDev/socket-mcp.git
cd socket-mcp
npm install
npm run build

Run from source (stdio mode):

Copy & paste β€” that's it
export SOCKET_API_TOKEN=your_api_token_here
node --experimental-strip-types index.ts

Or in HTTP mode:

Copy & paste β€” that's it
MCP_HTTP_MODE=true SOCKET_API_TOKEN=your_api_token_here node --experimental-strip-types index.ts --http

Health check endpoint

When running in HTTP mode, GET /health returns:

Copy & paste β€” that's it
{
  "status": "healthy",
  "service": "socket-mcp",
  "version": "0.0.18",
  "timestamp": "2025-06-17T20:45:22.059Z"
}

Suitable for Kubernetes liveness/readiness probes, Docker health checks, load balancers.

Troubleshooting

Q: The public server isn't responding β€” Check the URL https://mcp.socket.dev/, verify your MCP client configuration, restart your MCP client.

Q: Local server fails to start β€” Ensure Node.js 22+ is installed, check SOCKET_API_TOKEN is set, verify the API token has packages:list permission.

Q: Getting authentication errors with local server β€” Double-check your API key is valid, ensure packages:list scope, regenerate if needed.

Q: AI assistant can't find the depscore tool β€” Restart your MCP client after configuration changes, verify config is saved, check the server is running.

Getting help

</details>

License

MIT

<br/> <div align="center"> <picture> <source media="(prefers-color-scheme: dark)" srcset="logo-white.png"> <source media="(prefers-color-scheme: light)" srcset="logo-black.png"> <img width="324" height="108" alt="Socket Logo" src="logo-black.png"> </picture> </div>