OverviewQuickstartResponse FieldsAPI ReferenceSDK Reference↳ Python↳ JavaScriptAccount & PortalAI Agent IntegrationCI/CD IntegrationIntegrations↳ MCP Server↳ LangChain↳ LangChain (JS)ProductsSupply chainFAQ
integrations / mcp

MCP server (@attestd/mcp)

The official Model Context Protocol server for Attestd. Once added to mcp.json, Claude Code gains native access to CVE risk and supply-chain integrity checks for every dependency decision it makes — no plugin, no wrapper code, no custom tool definition.

Transport: stdio (spawned as a child process). No server to run, no port to open. npx -y @attestd/mcp fetches the package on first use. Source: attestd-io/attestd-mcp.

installation

Add to Claude Code in 60 seconds

  1. Get an API key from the portal.
  2. Add the block below to ~/.claude/mcp.json (global) or .mcp.json in the project root.
  3. Restart Claude Code. The two Attestd tools appear automatically.
~/.claude/mcp.json
{
  "mcpServers": {
    "attestd": {
      "command": "npx",
      "args": ["-y", "@attestd/mcp"],
      "env": {
        "ATTESTD_API_KEY": "your-api-key-here"
      }
    }
  }
}

Node.js 18+ is required. npx downloads @attestd/mcp on the first run; subsequent starts use the npx cache.

tools

Available tools

check_package_vulnerability

Calls /v1/check and returns structured CVE and supply-chain data. Requires ATTESTD_API_KEY.

ArgumentDescription
productInfrastructure slug or monitored package name. Use list_covered_products if unsure. Examples: nginx, postgresql, litellm, log4j.
versionExact version string: 1.20.0, 2.14.1, 1.82.7.

list_covered_products

Returns all 62 covered infrastructure products (slug + display name). Static list baked into the package — no API key required, no network call. Use this when the product slug is uncertain before calling check_package_vulnerability. PyPI/npm packages monitored for supply-chain are not listed here — call check_package_vulnerability directly and handle outsideCoverage: true as unknown risk.

response examples

What Claude sees

Each tool call returns a single JSON text item. Claude branches on these fields to make deployment decisions.

Critical CVE with active exploitation (log4j 2.14.1)

json
// Claude calls: check_package_vulnerability({ product: "log4j", version: "2.14.1" })
{
  "outsideCoverage": false,
  "riskState": "critical",
  "activelyExploited": true,
  "patchAvailable": true,
  "fixedVersion": "2.16.0",
  "supplyChainCompromised": false,
  "supplyChainDescription": null
}

Supply chain compromise (litellm 1.82.7)

json
// Claude calls: check_package_vulnerability({ product: "litellm", version: "1.82.7" })
{
  "outsideCoverage": false,
  "riskState": "none",
  "activelyExploited": false,
  "patchAvailable": false,
  "fixedVersion": null,
  "supplyChainCompromised": true,
  "supplyChainDescription": "Malicious publish detected on PyPI: version 1.82.7 contains..."
}

Product outside coverage

This is not a safety signal. Attestd has no data for this product — treat the risk as unknown.

json
// Claude calls: check_package_vulnerability({ product: "wordpress", version: "6.4.2" })
{
  "outsideCoverage": true,
  "riskState": null,
  "message": "No Attestd coverage for 'wordpress'. Treat as unknown risk, not safe."
}

list_covered_products

json
// Claude calls: list_covered_products()
{
  "count": 62,
  "products": [
    { "slug": "nginx",      "display": "NGINX" },
    { "slug": "postgresql", "display": "PostgreSQL" },
    { "slug": "redis",      "display": "Redis" },
    // ... 62 total
  ]
}
return fields

Field reference

FieldSemantics
outsideCoveragetrue when Attestd has no CVE data for this product. Unknown risk — do not treat as safe.
riskState"critical" | "high" | "elevated" | "low" | "none" | null when outside coverage. Block on critical or high.
activelyExploitedtrue if the version is in the CISA KEV catalog. Hard block regardless of riskState.
patchAvailabletrue if a clean version is known. Pair with fixedVersion to tell Claude what to recommend.
fixedVersionEarliest version with no known critical/high CVEs. null when no patch exists yet.
supplyChainCompromisedtrue if a malicious publish or integrity event was detected on PyPI or npm. Hard block.
supplyChainDescriptionHuman-readable description of the supply-chain event when present.
errorPresent when the tool returns isError: true — bad key, rate limit, missing arguments.
system prompt

Recommended system prompt

Include this in the Claude Code project or global system prompt to make the deployment-gate policy explicit. Without it, Claude may treat outsideCoverage: true as if there were no known vulnerabilities, which is incorrect.

text
You are a security-aware deployment assistant with access to the Attestd MCP server.

Before approving any software dependency, infrastructure component, or package version:
1. Call check_package_vulnerability with the product slug and exact version.
2. Block deployment if riskState is "critical" or "high".
3. Block immediately if activelyExploited is true, regardless of riskState.
4. Block immediately if supplyChainCompromised is true.
5. If outsideCoverage is true, state explicitly that the risk is UNKNOWN — do not treat it as safe.
6. If patchAvailable is true, include fixedVersion in your recommendation.

Use list_covered_products if you are unsure whether a product slug is supported.
workflow

Example: dependency review

A developer asks Claude to review a requirements.txt or Dockerfile before deploying. Claude reads the file, calls check_package_vulnerability for each dependency, and synthesises a go/no-go decision.

bash
# Example: Claude Code reviewing a Dockerfile or requirements.txt

User: "Review my dependencies before I deploy"

# Claude will:
# 1. Parse the dependency list from the file
# 2. Call check_package_vulnerability for each item
# 3. Synthesize a security report

# For a requirements.txt containing:
#   litellm==1.82.7
#   nginx==1.20.0

# Claude calls:
check_package_vulnerability(product="litellm", version="1.82.7")
# → supplyChainCompromised: true  ← BLOCKED

check_package_vulnerability(product="nginx", version="1.20.0")
# → riskState: "high"             ← FLAGGED

# Claude output:
# "I cannot approve this deployment. litellm 1.82.7 has a confirmed supply-chain
#  compromise. nginx 1.20.0 has a high risk state — upgrade to 1.27.4 (riskState: none).
#  Remove litellm 1.82.7 entirely; no safe version is available at this time."

The same pattern applies to CI pipelines, pull request reviews, and infrastructure audits. Claude will call the tool proactively whenever a dependency or version appears in context.

verify

Verify the server works

Send a raw JSON-RPC tools/list request over stdin before adding to Claude Code:

bash
# Build and verify locally (requires Node 18+)
npm install -g @attestd/mcp   # optional: pin a version globally
# or just use npx (no install needed):
echo '{"jsonrpc":"2.0","id":1,"method":"tools/list","params":{}}' \
  | ATTESTD_API_KEY=your-key npx -y @attestd/mcp

Expected output: a JSON response with both check_package_vulnerability and list_covered_products in the tools array. Exit code 0.

see also