Open Source Software Supply Chain MCP Server

Pricing

from $200.00 / 1,000 dependency risk assessments

OSS risk MCP wrapping 7 actors. Maintainer bus factor (Gini), vulnerability timelines, license compliance, community health, SBOM regulatory tracking. Dependency Risk Score 0-100. Pay-per-event.

Rating: 0.0 (0)

Developer: ryan clinton (Maintained by Community)

Actor stats: 0 bookmarked, 2 total users, 1 monthly active user, last modified a day ago

OSS dependency risk and SBOM compliance intelligence for application security teams, engineering leadership, and procurement. This MCP server orchestrates 7 data sources across GitHub repositories, NVD vulnerability data, CISA Known Exploited Vulnerabilities, developer community signals, and regulatory tracking. It delivers dependency risk assessment, maintainer bus factor analysis, vulnerability exposure timelines, license compliance checking, community health scoring, SBOM regulatory tracking, security incident monitoring, and package risk comparison with a composite Dependency Risk Score (0-100).

What data can you access?

Data Point | Source | Coverage
Repository activity and contributors | GitHub | Public repositories worldwide
CVE vulnerability data | NVD | National Vulnerability Database
Known exploited vulnerabilities | CISA KEV | Actively exploited CVEs
Developer Q&A and reputation | StackExchange | Stack Overflow and related sites
Security incident coverage | Hacker News | Tech community breach reports
SBOM regulatory requirements | Federal Register | Software supply chain regulations
Cybersecurity legislation | Congress.gov | Software security bills

MCP Tools

Tool | Price | Description
dependency_risk_assessment | $0.10 | Full dependency risk assessment: bus factor, vulnerabilities, community health, SBOM compliance. Dependency Risk Score (0-100).
maintainer_bus_factor | $0.10 | Maintainer bus factor analysis: contributor Gini coefficient, activity recency, and community support breadth.
vulnerability_exposure_timeline | $0.10 | CVE severity distribution, CISA KEV active exploitation status, and mean-time-to-patch analysis.
license_compliance_check | $0.10 | License compliance risk: copyleft vs permissive classification, SBOM regulatory requirements, and license conflict detection.
community_health_score | $0.10 | Community health index: GitHub stars/activity, StackExchange Q&A volume, and Hacker News tech visibility.
sbom_regulatory_tracker | $0.10 | Track the SBOM regulatory landscape: federal regulations, congressional legislation, and compliance requirement evolution.
security_incident_monitor | $0.10 | Monitor security incidents: Hacker News breach reports, new CVE disclosures, and CISA KEV additions.
compare_package_risks | $0.10 | Compare package risk profiles: bus factor, vulnerability exposure, and community health side by side.

Data Sources

  • GitHub Repo Search -- Public repository metadata including star counts, fork counts, contributor numbers, commit activity, issue counts, and last-updated timestamps for maintainer health assessment
  • NVD CVE Vulnerability Search -- National Vulnerability Database CVE entries with CVSS severity scores, affected product versions, and vulnerability descriptions for dependency exposure analysis
  • CISA KEV Catalog -- Cybersecurity and Infrastructure Security Agency Known Exploited Vulnerabilities catalog listing CVEs with confirmed active exploitation and binding remediation deadlines
  • StackExchange Search -- Stack Overflow and related developer community Q&A data providing package adoption signals, known issue discussions, and community problem-solving activity
  • Hacker News Search -- Y Combinator Hacker News discussions covering security incidents, supply chain attacks, vulnerability disclosures, and package ecosystem discussions
  • Federal Register -- Federal regulatory actions related to software supply chain security, SBOM requirements, and cybersecurity compliance mandates
  • Congress Bill Tracker -- Congressional legislation tracking for cybersecurity bills, software supply chain regulation, and SBOM mandates affecting OSS usage

How the scoring works

Five specialized scoring models contribute to the composite Dependency Risk Score.

Maintainer Bus Factor: Contributor Gini coefficient measures how concentrated development effort is. A high Gini (approaching 1.0) means one or two developers do most of the work, creating project continuity risk. Activity recency indicates whether maintainers are still active.

Vulnerability Exposure Timeline: CVE count and severity distribution (critical, high, medium, low), CISA KEV entries indicating active exploitation, and mean-time-to-patch analysis for how quickly the project addresses vulnerabilities.

License Compliance Risk: License type classification (copyleft vs permissive), license compatibility analysis for dependency trees, and SBOM regulatory requirement tracking across jurisdictions.

Community Health Index: Multi-signal health assessment combining GitHub repository metrics (stars, forks, contributors, recent activity), StackExchange Q&A volume and quality, and Hacker News tech community visibility.

SBOM Compliance Readiness: Federal Register regulatory actions and Congressional legislation related to software supply chain security. Tracks the evolving SBOM mandate landscape to assess compliance readiness.

Score Range | Risk Level | Interpretation
0-20 | LOW | Well-maintained, low vulnerability, strong community
21-40 | MODERATE | Some maintainer concentration or moderate CVE history
41-60 | ELEVATED | Bus factor concerns or unpatched vulnerabilities
61-80 | HIGH | Critical CVEs, single maintainer, or declining community
81-100 | CRITICAL | Actively exploited vulnerabilities or abandoned project
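As an added illustration of the two pieces of the scoring described above (the contributor Gini coefficient behind the bus-factor signal, and the 0-100 score bands), the following is example code written for this page, not the MCP server's own implementation. The standard Gini formula and the "smallest set of contributors covering half the commits" bus-factor definition are assumptions; the commit counts are constructed sample data.

```python
# Example, not the server's code: contributor concentration (Gini), a classic
# bus-factor count, and the page's score-to-risk-level mapping.

def gini(counts):
    """Gini coefficient of non-negative per-contributor commit counts.

    0.0 means effort is spread evenly; values approaching 1.0 mean one or
    two contributors do nearly all the work (project continuity risk).
    Uses the standard formula G = 2*sum(i*x_i)/(n*sum(x)) - (n+1)/n over
    the counts sorted ascending, i = 1..n (an assumption, not the server's).
    """
    xs = sorted(c for c in counts if c >= 0)
    n, total = len(xs), sum(xs)
    if n == 0 or total == 0:
        return 0.0
    weighted = sum(i * x for i, x in enumerate(xs, start=1))
    return (2.0 * weighted) / (n * total) - (n + 1.0) / n


def bus_factor(counts, share=0.5):
    """Fewest contributors whose combined commits reach `share` of the total.

    A result of 1 means a single maintainer carries the project. This is one
    common definition of bus factor, assumed here for illustration.
    """
    total = sum(counts)
    if total == 0:
        return 0
    covered, people = 0, 0
    for c in sorted(counts, reverse=True):  # largest contributors first
        covered += c
        people += 1
        if covered >= share * total:
            return people
    return people


def risk_level(score):
    """Map a 0-100 Dependency Risk Score onto the bands from the table above."""
    if not 0 <= score <= 100:
        raise ValueError("score must be in 0-100")
    bands = [(20, "LOW"), (40, "MODERATE"), (60, "ELEVATED"),
             (80, "HIGH"), (100, "CRITICAL")]
    for upper, level in bands:
        if score <= upper:
            return level


# Constructed sample: commits per contributor over the last year.
SINGLE_MAINTAINER = [412, 3, 2, 1, 1]   # Gini ~0.79, bus factor 1
HEALTHY_TEAM = [120, 95, 88, 70, 65, 50]  # Gini ~0.16, bus factor 3
```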

How to connect this MCP server

Claude Desktop

Add to your claude_desktop_config.json:

{
  "mcpServers": {
    "open-source-software-supply-chain": {
      "url": "https://open-source-software-supply-chain-mcp.apify.actor/mcp"
    }
  }
}

Programmatic (cURL)

curl -X POST https://open-source-software-supply-chain-mcp.apify.actor/mcp \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer YOUR_APIFY_TOKEN" \
  -d '{"jsonrpc":"2.0","method":"tools/call","params":{"name":"dependency_risk_assessment","arguments":{"package":"log4j","ecosystem":"java"}},"id":1}'

Other MCP clients

This server works with any MCP-compatible client including Cursor, Windsurf, Cline, and custom integrations. Point your client to https://open-source-software-supply-chain-mcp.apify.actor/mcp.

Use cases for OSS supply chain intelligence

Dependency risk assessment

Evaluate OSS dependencies beyond vulnerability scanning. The composite risk score incorporates maintainer health, community vibrancy, and license compliance alongside CVE exposure for a complete picture of dependency risk.

Package selection decisions

Compare alternative packages before adoption. The compare_package_risks tool provides side-by-side bus factor, vulnerability exposure, and community health analysis to inform technology selection decisions.

SBOM compliance readiness

Track the evolving SBOM regulatory landscape across federal agencies and Congressional legislation. The sbom_regulatory_tracker tool monitors Federal Register and Congress for new software supply chain mandates.

Security incident monitoring

Monitor OSS dependencies for new security incidents using Hacker News breach coverage, NVD CVE disclosures, and CISA KEV additions. Early detection of supply chain attacks enables faster response.

Maintainer risk identification

Identify single-maintainer projects and projects with declining contributor activity. The bus factor analysis reveals projects where a single developer's departure would leave the project unmaintained.

License compliance auditing

Assess license compliance risk for enterprise OSS adoption. Identify copyleft licenses that may conflict with proprietary distribution, and track SBOM regulatory requirements that mandate license documentation.

How much does it cost?

This MCP uses pay-per-event pricing. You are only charged when a tool is called.

Each tool call costs $0.10. The Apify Free plan includes $5 of monthly platform credits, enough for approximately 50 OSS supply chain queries per month.

Usage Example | Estimated Cost
Single dependency risk assessment | $0.10
Compare two alternative packages | $0.20
Weekly security incident monitoring | $0.40/month
SBOM regulatory tracking | $0.10

How it works

  1. Tool call received -- Your MCP client sends a package name with optional ecosystem identifier (npm, pypi, cargo, etc.).
  2. Parallel actor execution -- Up to 7 Apify actors run simultaneously across GitHub, NVD, CISA KEV, StackExchange, Hacker News, Federal Register, and Congress bill databases.
  3. Signal aggregation -- Repository metrics, vulnerability data, community discussions, and regulatory actions are aggregated into a unified assessment.
  4. Risk scoring -- Five specialized models score bus factor, vulnerability exposure, license compliance, community health, and SBOM readiness independently.
  5. Composite assessment -- Individual scores are combined into the Dependency Risk Score (0-100) with a risk level determination and supporting signals.

FAQ

Q: Does this scan actual code or package registries? A: It analyzes GitHub repository metadata, NVD vulnerability data, and community signals. It does not perform static code analysis or scan package registry contents directly.

Q: Can it build a full dependency tree? A: It analyzes individual packages rather than resolving transitive dependency trees. For full SBOM generation from lock files, use dedicated SBOM tools (Syft, CycloneDX CLI) and then analyze key dependencies here.

Q: How current is the vulnerability data? A: NVD CVE and CISA KEV data are fetched live at query time. New CVE disclosures and KEV additions are reflected immediately.

Q: Does it cover private repositories? A: No. GitHub data is limited to public repositories. Vulnerability data from NVD covers both public and commercial software.

Q: Is it legal to use this data? A: All data sources are publicly available. NVD and CISA KEV are US government databases. GitHub public repository metadata is openly accessible.

Q: Can I monitor dependencies continuously? A: Use Apify scheduling to run security incident monitoring on a daily or weekly basis and set up webhooks for new CVE or KEV additions.

MCP Server | Focus
ryanclinton/entity-attack-surface-mcp | Broader attack surface assessment
ryanclinton/digital-infrastructure-exposure-mcp | Infrastructure exposure analysis
ryanclinton/open-source-supply-chain-risk-mcp | OSS supply chain risk with typosquat detection

Integrations

This MCP server runs on the Apify platform and integrates with the broader Apify ecosystem:

  • Apify API -- Call this MCP programmatically from any language via the Apify API
  • Scheduling -- Set up daily vulnerability monitoring for critical dependencies
  • Webhooks -- Trigger alerts when new CVEs or CISA KEV entries affect monitored packages
  • Integrations -- Connect to Slack, Zapier, Make, or any webhook-compatible service for security notifications