VulniCheck

AI-powered security scanner for Python projects and GitHub repositories. Detects vulnerabilities, secrets, and provides AI risk assessment.

VulniCheck - AI-Powered Security Scanner

VulniCheck provides comprehensive security analysis for Python projects and GitHub repositories using AI-powered vulnerability detection. It runs as a Docker-based HTTP MCP server that uses standard HTTP streaming (no SSE required), so it is deployed as a container.

Quick Start

1. Pull and Run the Docker Container

# Pull the latest image from Docker Hub
docker pull andrasfe/vulnicheck:latest

# Run with OpenAI API key (for enhanced AI-powered risk assessment)
docker run -d --name vulnicheck-mcp -p 3000:3000 \
  --restart=unless-stopped \
  -e OPENAI_API_KEY=your-openai-api-key \
  andrasfe/vulnicheck:latest

# Or run without API key (basic vulnerability scanning)
docker run -d --name vulnicheck-mcp -p 3000:3000 \
  --restart=unless-stopped \
  andrasfe/vulnicheck:latest

2. Add to Claude Code

claude mcp add --transport http vulnicheck http://localhost:3000/mcp

That's it! VulniCheck is now available in Claude Code.

Usage

Once installed, simply ask Claude:

"Run a comprehensive security check on my project"

"Scan https://github.com/owner/repo for vulnerabilities"

"Check my dependencies for security issues"

"Scan my Dockerfile for vulnerable packages"

VulniCheck will:

  • ✅ Scan dependencies for known vulnerabilities (requirements.txt, pyproject.toml, setup.py)
  • ✅ Detect exposed secrets and credentials
  • ✅ Analyze Dockerfiles for security issues
  • ✅ Validate MCP configurations
  • ✅ Generate AI-powered risk assessments
  • ✅ Provide actionable remediation recommendations

Key Features

  • Docker Deployment: Secure containerized deployment with HTTP streaming (no SSE/Server-Sent Events required)
  • Optional Authentication: Supports Google OAuth 2.0 for secure access control (disabled by default)
  • Production Ready: Scalable HTTP server architecture
  • Comprehensive Coverage: Queries 5+ vulnerability databases (OSV.dev, NVD, GitHub Advisory, CIRCL, Safety DB)
  • GitHub Integration: Scan any public/private GitHub repository directly (up to 1GB)
  • AI-Powered Analysis: Uses OpenAI/Anthropic APIs for intelligent security assessment
  • Secrets Detection: Finds exposed API keys, passwords, and credentials
  • Docker Security: Analyzes Dockerfiles for vulnerable dependencies
  • Smart Caching: Avoids redundant scans with commit-level caching
  • Space Management: Automatic cleanup prevents disk exhaustion (2GB total limit)
  • Zero Config: Works out of the box, enhanced with optional API keys

Available Tools

Tool                           Description
check_package_vulnerabilities  Check a specific Python package for vulnerabilities
scan_dependencies              Scan dependency files (requirements.txt, pyproject.toml, etc.)
scan_installed_packages        Scan currently installed Python packages
get_cve_details                Get detailed information about a specific CVE
scan_for_secrets               Detect exposed secrets and credentials in code
scan_dockerfile                Analyze Dockerfiles for vulnerable Python dependencies
scan_github_repo               Comprehensive security scan of GitHub repositories
assess_operation_safety        AI-powered risk assessment for operations
validate_mcp_security          Validate MCP server security configurations
comprehensive_security_check   Interactive AI-powered security assessment

Optional API Keys

Enhance VulniCheck with API keys for better rate limits and AI features:

# OPENAI_API_KEY:    AI-powered risk assessment
# ANTHROPIC_API_KEY: Alternative AI provider
# GITHUB_TOKEN:      Higher GitHub API rate limits
# NVD_API_KEY:       Higher NVD rate limits
docker run -d --name vulnicheck-mcp -p 3000:3000 \
  --restart=unless-stopped \
  -e OPENAI_API_KEY=your-key \
  -e ANTHROPIC_API_KEY=your-key \
  -e GITHUB_TOKEN=your-token \
  -e NVD_API_KEY=your-key \
  andrasfe/vulnicheck:latest

Authentication (Optional)

VulniCheck supports optional Google OAuth 2.0 authentication for secure access control. By default, authentication is disabled.

Enabling Google OAuth

  1. Get Google OAuth Credentials:

    • Go to Google Cloud Console
    • Create a project and enable Google+ API
    • Create OAuth 2.0 credentials (Web application)
    • Add authorized redirect URI: http://localhost:3000/oauth/callback (or your domain)
  2. Configure Environment Variables:

    export FASTMCP_SERVER_AUTH_GOOGLE_CLIENT_ID="your-client-id.apps.googleusercontent.com"
    export FASTMCP_SERVER_AUTH_GOOGLE_CLIENT_SECRET="GOCSPX-your-secret-here"
    export FASTMCP_SERVER_BASE_URL="http://localhost:3000"
    
  3. Run with Authentication:

    docker run -d --name vulnicheck-mcp -p 3000:3000 \
      --restart=unless-stopped \
      -e FASTMCP_SERVER_AUTH_GOOGLE_CLIENT_ID=your-client-id \
      -e FASTMCP_SERVER_AUTH_GOOGLE_CLIENT_SECRET=your-secret \
      -e FASTMCP_SERVER_BASE_URL=http://localhost:3000 \
      -v vulnicheck_tokens:/home/vulnicheck/.vulnicheck/tokens \
      andrasfe/vulnicheck:latest \
      python -m vulnicheck.server --auth-mode google
    
  4. Using docker-compose: See docker-compose.auth-example.yml for a complete configuration example.

Note: OAuth tokens are persisted in /home/vulnicheck/.vulnicheck/tokens. Use a Docker volume to persist tokens across container restarts.

⚠️ Known OAuth Limitations

FastMCP OAuth + HTTP Transport Incompatibility

Due to a limitation in FastMCP 2.12.4, OAuth authentication does not work properly with HTTP transport (streamable-http). The authorization endpoints (/oauth/authorize, /oauth/callback) are not correctly mounted, resulting in 404 errors.

When OAuth Works:

  • ✅ Local connections (when supported in future FastMCP versions)
  • ✅ OAuth discovery endpoint works (/.well-known/oauth-protected-resource)

When OAuth Does NOT Work:

  • ❌ HTTP transport with external clients (ChatGPT, Claude Desktop, etc.)
  • ❌ Authorization endpoints return 404
  • ❌ Token exchange fails
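
A quick way to tell which of the states above an instance is in (added example, not part of the VulniCheck repository): it requests the three routes named in this section and classifies the status codes. The verdict names and function names are made up for this example.

```shell
#!/bin/sh
# Added example: classify the OAuth state of a VulniCheck instance from the
# HTTP status of the routes named above. Verdict names are made up here.

# http_status URL -> status code on stdout ("000" when the connection fails).
http_status() {
  curl -s -o /dev/null --max-time 5 -w '%{http_code}' "$1" 2>/dev/null || true
}

# classify_oauth DISCOVERY AUTHORIZE CALLBACK -> one verdict word.
classify_oauth() {
  if [ -z "$1" ] || [ "$1" = "000" ]; then
    echo "unreachable"            # no answer (or curl missing)
  elif [ "$1" = "404" ]; then
    echo "no-oauth-metadata"      # discovery document not served
  elif [ "$2" = "404" ] || [ "$3" = "404" ]; then
    echo "oauth-broken"           # discovery works, flow routes not mounted
  else
    echo "oauth-routes-present"   # any non-404 (302, 400, ...) means the route exists
  fi
}

# probe_oauth BASE_URL -> verdict for a live server.
probe_oauth() {
  base=${1%/}
  classify_oauth \
    "$(http_status "$base/.well-known/oauth-protected-resource")" \
    "$(http_status "$base/oauth/authorize")" \
    "$(http_status "$base/oauth/callback")"
}

# Only touch the network when a base URL is passed, e.g. http://localhost:3000
if [ $# -ge 1 ]; then probe_oauth "$1"; fi
```

A result of oauth-broken matches the limitation described here: the discovery document is served while the authorization routes return 404.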

Workaround for External Clients (ChatGPT, etc.):

Run VulniCheck without authentication when accessing through ngrok or other public URLs:

# Start without OAuth (recommended for external clients)
docker run -d --name vulnicheck-mcp -p 3000:3000 \
  --restart=unless-stopped \
  andrasfe/vulnicheck:latest

# Then configure ngrok
ngrok http 3000

In your MCP client (ChatGPT, etc.):

  • URL: https://your-ngrok-url.ngrok-free.dev/mcp
  • Authentication: None

Security Considerations:

  • ✅ Traffic is encrypted via HTTPS (ngrok)
  • ⚠️ No authentication: anyone with the URL can access the server
  • 💡 ngrok free URLs change on restart, but that is only security through obscurity, not access control
  • 🔒 For production, use ngrok paid tier with password protection or IP whitelisting
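
A local check that complements these considerations (added example, not part of the VulniCheck repository): `-p 3000:3000` publishes the unauthenticated server on every host interface, while `-p 127.0.0.1:3000:3000` keeps it on loopback, where `ngrok http 3000` on the same host can still reach it. The sample `docker port` output is constructed, and `vulnicheck.env` is a hypothetical file holding the API keys.

```shell
#!/bin/sh
# Added example: flag a VulniCheck container published on all interfaces.

# Constructed sample of `docker port vulnicheck-mcp` after `-p 3000:3000`.
SAMPLE_DEFAULT='3000/tcp -> 0.0.0.0:3000
3000/tcp -> [::]:3000'
# Constructed sample after `-p 127.0.0.1:3000:3000`.
SAMPLE_LOOPBACK='3000/tcp -> 127.0.0.1:3000'

# wildcard_binds: read `docker port` output on stdin, print each mapping
# that listens on all interfaces (0.0.0.0, [::], or the older ::: form).
wildcard_binds() {
  awk '$2 == "->" && ($3 ~ /^0\.0\.0\.0:/ || $3 ~ /^\[::\]:/ || $3 ~ /^:::/) {
         print $1 " " $3 }'
}

# exposure_verdict: "exposed" if stdin contains a wildcard bind.
exposure_verdict() {
  if [ -n "$(wildcard_binds)" ]; then
    echo "exposed"
  else
    echo "no-wildcard-bind"
  fi
}

# Hardened start: loopback-only publish, keys read from an env file
# (hypothetical ./vulnicheck.env, mode 600) instead of the command line.
start_loopback_only() {
  docker run -d --name vulnicheck-mcp \
    -p 127.0.0.1:3000:3000 \
    --restart=unless-stopped \
    --env-file ./vulnicheck.env \
    andrasfe/vulnicheck:latest
}

# Live check, only when a container name is passed (e.g. vulnicheck-mcp).
if [ $# -ge 1 ]; then
  out=$(docker port "$1") || exit 1
  printf '%s\n' "$out" | exposure_verdict
fi
```

Binding to loopback removes LAN exposure only; the ngrok URL itself stays unauthenticated until one of the controls listed above is applied.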

Future Resolution: This limitation will be resolved when:

  1. FastMCP fixes OAuth + HTTP transport support, OR
  2. Alternative authentication mechanisms are implemented

Using with ngrok

Quick Start (No OAuth):

# 1. Start VulniCheck
docker run -d --name vulnicheck-mcp -p 3000:3000 \
  --restart=unless-stopped \
  andrasfe/vulnicheck:latest

# 2. Start ngrok
ngrok http 3000

# 3. Use the ngrok URL in your MCP client
# URL: https://your-generated-url.ngrok-free.dev/mcp
# Authentication: None

Optional OAuth Script (Experimental - OAuth Not Functional):

A convenience script restart-vulnicheck-ngrok.sh is provided for testing OAuth, but OAuth does not currently work due to FastMCP limitations:

# Copy the example environment file
cp .env.example .env

# Edit .env and add your credentials (the next three lines go in .env, not the shell)
GOOGLE_CLIENT_ID=your-client-id.apps.googleusercontent.com
GOOGLE_CLIENT_SECRET=GOCSPX-your-secret-here
NGROK_URL=https://your-ngrok-url.ngrok-free.dev

# Run the script (OAuth will not work)
./restart-vulnicheck-ngrok.sh

Note: The script is provided for future use when FastMCP OAuth + HTTP transport is fixed. Currently, always run without OAuth for external clients.

Building from Source

# Clone the repository
git clone https://github.com/andrasfe/vulnicheck.git
cd vulnicheck

# Build Docker image
docker build -t vulnicheck .

# Run locally built image (no auth)
docker run -d --name vulnicheck-mcp -p 3000:3000 --restart=unless-stopped vulnicheck

# Run with Google OAuth
docker run -d --name vulnicheck-mcp -p 3000:3000 \
  --restart=unless-stopped \
  -e FASTMCP_SERVER_AUTH_GOOGLE_CLIENT_ID=your-client-id \
  -e FASTMCP_SERVER_AUTH_GOOGLE_CLIENT_SECRET=your-secret \
  -e FASTMCP_SERVER_BASE_URL=http://localhost:3000 \
  -v vulnicheck_tokens:/home/vulnicheck/.vulnicheck/tokens \
  vulnicheck \
  python -m vulnicheck.server --auth-mode google

Docker Hub

The official Docker image is available at:

Requirements

  • Docker
  • Claude Code or any MCP client with HTTP transport support (standard HTTP, no SSE required)
  • Optional: API keys for enhanced features

Supported File Types

  • Dependencies: requirements.txt, pyproject.toml, setup.py, lock files
  • Containers: Dockerfile, docker-compose.yml
  • Secrets: All text-based source files
  • GitHub: Any public or private repository URL

Support

  • Issues: Report problems at https://github.com/andrasfe/vulnicheck/issues
  • Development: See CLAUDE.md for development details
  • Security: Report security issues privately via GitHub Security Advisories

DISCLAIMER: Vulnerability data provided "AS IS" without warranty. Users are responsible for verification and remediation.
