securechain-mcp-server

securechaindev/securechain-mcp-server


SecureChain-MCP-Server is a robust server solution designed to facilitate secure and efficient communication between model context protocols and various applications.

Secure Chain MCP Server

An MCP server that provides tools for checking the status of your software supply chain within the context of Secure Chain.

Key Features

  • 🔍 Multi-ecosystem support: Query packages from PyPI, NPM, Maven, Cargo, RubyGems, and NuGet ecosystems
  • 🛡️ Vulnerability intelligence: Access detailed vulnerability, exploit, and CWE information
  • 📊 Supply chain analysis: Explore direct and transitive dependencies in the software supply chain graph
  • 📋 VEX support: Retrieve Vulnerability Exploitability eXchange documents for repositories
  • MCP integration: Seamlessly integrates with AI agents and LLMs via Model Context Protocol

Development requirements

  1. Docker to deploy the tool.
  2. Docker Compose for container orchestration.
  3. It is recommended to use a GUI such as MongoDB Compass.
  4. The Neo4J browser interface, which visualizes the graph built from the data, is available at localhost:7474 while the container is running.
  5. Python 3.14 or higher.

Use Secure Chain MCP with VSCode

1. Register on Secure Chain

Go to the official Secure Chain landing page and register as a user.

2. Add mcp configuration

Finally, inside the .vscode folder, add a file named mcp.json with the following configuration, then start the MCP server:

{
  "servers": {
    "Secure Chain MCP Server": {
      "type": "http",
      "url": "https://mcp.securechain.dev/mcp",
      "headers": {
        "X-Auth-Email": "your_email",
        "X-Auth-Pass": "your_super_secret_password"
      }
    }
  }
}

Deployment with docker

1. Clone the repository

Clone the official GitHub repository:

git clone https://github.com/securechaindev/securechain-mcp-server.git
cd securechain-mcp-server

2. Configure environment variables

Create a .env.local file from the .env.example file and place it in the root directory.

Get API Keys
  • How to get a GitHub API key.

  • Replace the JSON Web Token (JWT) secret key and algorithm with your own. You can generate a secret key with the command openssl rand -base64 32.

3. Create Docker network

Ensure you have the securechain Docker network created. If not, create it with:

docker network create securechain

4. Database containers

For the graph and vulnerability information, you need to download the zipped data dumps from Zenodo. Once you have unzipped the dumps, run this command from the root folder:

docker compose up --build

The containerized databases will also be seeded automatically.

5. Start the application

Run the command from the project root:

docker compose -f dev/docker-compose.yml up --build

6. Create a User in Secure Chain local deployment

Go here and create a user, for example:

{
  "email": "mcp-bot@example.com",
  "password": "supersecre3T*"
}

7. Configure the MCP with VSCode

Inside the folder .vscode/ add the file mcp.json with this template:

{
  "servers": {
    "Secure Chain MCP Server": {
      "type": "http",
      "url": "http://localhost:8005/mcp",
      "headers": {
        "X-Auth-Email": "mcp-bot@example.com",
        "X-Auth-Pass": "supersecre3T*"
      }
    }
  }
}

Then start the MCP server and begin using it, for example with Copilot.
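
Both mcp.json templates above (steps 2 and 7) store the account password as a literal X-Auth-Pass header value. The following added example, which is not part of the Secure Chain project, audits an mcp.json for that pattern and shows a variant that uses VS Code's inputs array with a masked promptString so the password is prompted for instead of written to the file; the input id securechain-pass and both sample documents are constructed for illustration.

```python
import json
import re
from urllib.parse import urlparse

# VS Code replaces ${input:<id>} with a value prompted from the "inputs" array.
INPUT_REF = re.compile(r"\$\{input:([A-Za-z0-9_-]+)\}")
LOOPBACK = {"localhost", "127.0.0.1", "::1"}
SECRET_HEADERS = {"x-auth-pass"}  # the password header used on this page

# Constructed sample: the local template from step 7, password stored in the file.
WEAK = """{"servers": {"Secure Chain MCP Server": {"type": "http",
  "url": "http://localhost:8005/mcp",
  "headers": {"X-Auth-Email": "mcp-bot@example.com",
              "X-Auth-Pass": "supersecre3T*"}}}}"""

# Constructed sample: same server, password prompted at start and masked.
# The input id "securechain-pass" is a name chosen for this example.
HARDENED = """{"inputs": [{"type": "promptString", "id": "securechain-pass",
  "description": "Secure Chain password", "password": true}],
 "servers": {"Secure Chain MCP Server": {"type": "http",
  "url": "https://mcp.securechain.dev/mcp",
  "headers": {"X-Auth-Email": "your_email",
              "X-Auth-Pass": "${input:securechain-pass}"}}}}"""

def audit_mcp_config(text):
    """Return findings for secret handling in a VS Code mcp.json document."""
    cfg = json.loads(text)
    masked = {i.get("id") for i in cfg.get("inputs", []) if i.get("password")}
    findings = []
    for name, server in cfg.get("servers", {}).items():
        url = urlparse(server.get("url", ""))
        if url.scheme == "http" and url.hostname not in LOOPBACK:
            findings.append(f"{name}: plain HTTP to non-loopback host {url.hostname}")
        for header, value in server.get("headers", {}).items():
            if header.lower() not in SECRET_HEADERS:
                continue
            refs = INPUT_REF.findall(value)
            if not refs:
                findings.append(f"{name}: {header} is a literal value in the file")
            elif not set(refs) <= masked:
                findings.append(f"{name}: {header} uses an undeclared or unmasked input")
    return findings

if __name__ == "__main__":
    for label, doc in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_mcp_config(doc) or "no findings")
```

If the literal form is kept, .vscode/mcp.json should stay out of version control, since it then contains the account password.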

Python Environment

The project uses Python 3.14 and uv as the package manager for faster and more reliable dependency management.

Setting up the development environment with uv

  1. Install uv (if not already installed):

    curl -LsSf https://astral.sh/uv/install.sh | sh
    
  2. Activate the virtual environment (uv creates it automatically):

    uv venv
    source .venv/bin/activate
    
  3. Install dependencies:

    uv sync
    

Code Quality

# Install the linter (dev extra)
uv sync --extra dev

# Linting
uv run ruff check app/

# Formatting
uv run ruff format app/

Contributing

Pull requests are welcome! For major changes, please open an issue first to discuss what you would like to change.

Future Works

Future work that could be developed:

  • Implement templates to return the information in a more semantic/textual way.

License

GNU General Public License 3.0
