@socketsecurity/mcp
Advanced tools
A Model Context Protocol (MCP) server for Socket integration, allowing AI assistants to efficiently check dependency vulnerability scores and security information.
https://mcp.socket.dev/ with no setup requiredš ļø This project is in early development and rapidly evolving.
The easiest way to get started is to use our public Socket MCP server. No API key or authentication required! Click a button below to install the public server in your favorite AI assistant.
[!NOTE] Custom integrations are not available to all paid versions of Claude. Check here for more information.
To use the public Socket MCP server with Claude Desktop:
In Claude Desktop, go to Settings > Developer > Edit Config.
Add the Socket MCP server configuration:
{
"mcpServers": {
"socket-mcp": {
"type": "http",
"url": "https://mcp.socket.dev/"
}
}
}
Save the configuration and restart Claude Desktop.
Now you can ask Claude questions like "Check the security score for express version 4.18.2".
The process is similar for Claude Code. See the Claude Code documentation for more details. Here's an example command to add the Socket MCP server:
claude mcp add --transport http socket-mcp https://mcp.socket.dev/
You can install the Socket MCP server using the VS Code CLI:
# For VS Code with GitHub Copilot
code --add-mcp '{"name":"socket-mcp","type":"http","url":"https://mcp.socket.dev/}'
After installation, the Socket MCP server will be available for use with your GitHub Copilot agent in VS Code.
Alternatively, you can manually add it to your VS Code MCP configuration in .vscode/mcp.json:
{
"servers": {
"socket-mcp": {
"type": "http",
"url": "https://mcp.socket.dev/"
}
}
}
Go to Cursor Settings -> MCP -> Add new MCP Server. Name it "socket-mcp", use http type with URL https://mcp.socket.dev/.
{
"mcpServers": {
"socket-mcp": {
"type": "http",
"url": "https://mcp.socket.dev/"
}
}
}
[!WARNING] Windsurf does not support
httptype MCP servers yet. Use thestdioconfiguration below.
To use the Socket MCP server in Windsurf:
{
"mcpServers": {
"socket-mcp": {
"serverUrl": "https://mcp.socket.dev/mcp"
}
}
}
If you prefer to run your own instance, you can deploy the Socket MCP server locally using either stdio or HTTP modes.
To use a local Socket MCP Server, you need to create an API key. You can do this by following these steps. The only required permission scope is packages:list, which allows the MCP server to query package metadata for dependency scores.
For local deployment, you have two options:
Click a button below to install the self-hosted stdio server in your favorite AI assistant.
Claude Code (stdio mode) can be set up with the following command:
claude mcp add socket-mcp -e SOCKET_API_KEY="your-api-key-here" -- npx -y @socketsecurity/mcp@latest
This is how the configuration looks like on most MCP clients:
{
"mcpServers": {
"socket-mcp": {
"command": "npx",
"args": ["@socketsecurity/mcp@latest"],
"env": {
"SOCKET_API_KEY": "your-api-key-here"
}
}
}
}
This approach automatically uses the latest version without requiring global installation.
Run the server in HTTP mode using npx:
MCP_HTTP_MODE=true SOCKET_API_KEY=your-api-key npx @socketsecurity/mcp@latest --http
Configure your MCP client to connect to the HTTP server:
{
"mcpServers": {
"socket-mcp": {
"type": "http",
"url": "http://localhost:3000"
}
}
}
The depscore tool allows AI assistants to query the Socket API for dependency scoring information. It provides comprehensive security and quality metrics for packages across different ecosystems.
Parameters:
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
packages | Array | ā Yes | - | Array of package objects to analyze |
packages[].ecosystem | String | No | "npm" | Package ecosystem (npm, pypi, cargo, etc.) |
packages[].depname | String | ā Yes | - | Name of the dependency/package |
packages[].version | String | No | "unknown" | Version of the dependency |
Example Usage:
{
"packages": [
{
"ecosystem": "npm",
"depname": "express",
"version": "4.18.2"
},
{
"ecosystem": "pypi",
"depname": "fastapi",
"version": "0.100.0"
}
]
}
Sample Response:
pkg:npm/express@4.18.2: supply_chain: 1.0, quality: 0.9, maintenance: 1.0, vulnerability: 1.0, license: 1.0
pkg:pypi/fastapi@0.100.0: supply_chain: 1.0, quality: 0.95, maintenance: 0.98, vulnerability: 1.0, license: 1.0
Ask your AI assistant to check dependencies:
Get comprehensive security insights including supply chain, quality, maintenance, vulnerability, and license scores.
You can further customize how the Socket MCP server interacts with your AI assistant by modifying your client rules. The rules are usually a markdown file and its location depends on the AI assistant you are using.
| MCP Client | Rules File Location |
|---|---|
| Claude Desktop/Code | CLAUDE.md |
| VSCode Copilot | .github/copilot-instructions.md |
| Cursor | .cursor/rules |
Rules that can be added to the client rules file include the following:
Always check dependency scores with the depscore tool when you add a new dependency. If the score is low, consider using an alternative library or writing the code yourself. If you are unsure about the score, ask for a review from someone with more experience. When checking dependencies, make sure to also check the imports not just the pyproject.toml/package.json/dependency file.
You can adjust the rules to fit your needs. For example, you can add rules to include specific manifest files, or guide the AI assistant on how to handle low scores. The rules are flexible and can be tailored to your workflow.
For most users, we recommend using either:
https://mcp.socket.dev/ (no setup required)npx @socketsecurity/mcp@latest (always latest version)If you want to contribute to the Socket MCP server development:
When running in HTTP mode, the server provides a health check endpoint for Kubernetes and Docker deployments:
GET /health
Response:
{
"status": "healthy",
"service": "socket-mcp",
"version": "0.0.3",
"timestamp": "2025-06-17T20:45:22.059Z"
}
This endpoint can be used for:
Clone the repository and install dependencies:
git clone https://github.com/SocketDev/socket-mcp.git
cd socket-mcp
npm install
To build the project:
npm run build
To run the Socket MCP server from source:
export SOCKET_API_KEY=your_api_key_here
node build/index.js
Or in HTTP mode:
MCP_HTTP_MODE=true SOCKET_API_KEY=your_api_key_here node build/index.js --http
Q: The public server isn't responding
https://mcp.socket.dev/Q: Local server fails to start
SOCKET_API_KEY environment variable is setpackages:list permissionQ: Getting authentication errors with local server
packages:list scopeQ: AI assistant can't find the depscore tool
FAQs
Socket MCP server for scanning dependencies
The npm package @socketsecurity/mcp receives a total of 715 weekly downloads. As such, @socketsecurity/mcp popularity was classified as not popular.
We found that @socketsecurity/mcp demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago.Ā It has 2 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
ECMAScript 2025 introduces Iterator Helpers, Set methods, JSON modules, and more in its latest spec update approved by Ecma in June 2025.
Security News
A new Node.js homepage button linking to paid support for EOL versions has sparked a heated discussion among contributors and the wider community.
Research
North Korean threat actors linked to the Contagious Interview campaign return with 35 new malicious npm packages using a stealthy multi-stage malware loader.