SSE-based MCP (Model Context Protocol) server that exposes the Open Source Vulnerabilities (OSV) database so LLM apps can query vulnerability information for a package version or a git commit.
https://github.com/StacklokLabs/osv-mcp

Stop context-switching between your development environment and security tools. The OSV MCP server brings comprehensive vulnerability data directly into your LLM conversations, making security analysis as natural as asking "what's wrong with this dependency?"
You're deep in a code review or troubleshooting a dependency issue when security questions arise. Instead of getting immediate answers, you're jumping between tabs, manually checking vulnerability databases, and losing your flow state. Your LLM can help with code, but on its own it can't reliably tell you whether the specific version of lodash you're using has known security issues.
The OSV MCP server connects your LLM directly to the Open Source Vulnerabilities database, turning security analysis into a conversation:
Eliminate Context Switching: Security analysis happens in the same conversation where you're discussing code architecture, debugging, or planning features.
Batch Processing: Check dozens of dependencies at once instead of individual lookups. Perfect for dependency audits or when evaluating a new project's security posture.
Ecosystem Coverage: Works across npm, PyPI, Go modules, and other major package ecosystems with consistent tooling.
Commit-Level Precision: Query vulnerabilities by a specific git commit, not just a package version - useful when you consume code as a git checkout or vendored source rather than as a published release, as is common in monorepos.
Dependency Audits: "Check these 15 packages from my requirements.txt for vulnerabilities" - get a comprehensive security report without leaving your chat.
Code Review Security: During PR reviews, instantly verify if newly added dependencies introduce security risks.
Incident Response: When a new vulnerability is disclosed, quickly check if your projects are affected by asking your LLM to cross-reference your dependency lists.
Architecture Decisions: "I'm choosing between these three HTTP libraries - check their security histories" - make informed decisions with real vulnerability data.
Deploy with ToolHive for zero-config setup:
# Install and run - that's it
thv run osv
# Your LLM clients automatically discover the server
thv config auto-discovery true
Or build from source for custom deployments:
git clone https://github.com/StacklokLabs/osv-mcp.git
cd osv-mcp
task build
./build/osv-mcp-server
Single Package Queries: Check specific package versions or commits with query_vulnerability
Batch Analysis: Process multiple packages simultaneously with query_vulnerabilities_batch
Vulnerability Details: Get comprehensive information about a specific vulnerability (affected ranges, fixed versions, references) by its ID with get_vulnerability, the natural follow-up for any ID a query returns
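The three tools line up with the three public OSV API endpoints (an assumption from their names, since the page does not spell it out): a single lookup is POST /v1/query, a batch lookup is POST /v1/querybatch, and a detail lookup is GET /v1/vulns/{id}. The Go program below is an added example written for this page, not code from the osv-mcp project, and it does not talk to the MCP server at all. It shows the request bodies those endpoints take, turns a pinned requirements.txt into one batch request while refusing to guess versions for unpinned specs, and pairs the positional batch reply back with the packages it was asked about. The fixture reply, the EXAMPLE-2024-0001 ID and the commit SHA in the test are constructed placeholders, and the helper names (ParseRequirement, BuildBatch, Label, SummarizeBatch) are mine.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Package names a package in an OSV ecosystem; field names follow the OSV API.
type Package struct {
	Name      string `json:"name"`
	Ecosystem string `json:"ecosystem"` // case-sensitive: "PyPI", "npm", "Go", "crates.io"
}

// Query is the body of POST /v1/query and one /v1/querybatch element: Package+Version or Commit, never both.
type Query struct {
	Package *Package `json:"package,omitempty"`
	Version string   `json:"version,omitempty"`
	Commit  string   `json:"commit,omitempty"`
}

// BatchQuery is the body of POST /v1/querybatch.
type BatchQuery struct{ Queries []Query `json:"queries"` }

// BatchResponse mirrors the /v1/querybatch reply: results are positional (results[i] answers queries[i]),
// a clean query comes back as {}, and findings carry only "id"/"modified"; details need GET /v1/vulns/{id}.
type BatchResponse struct {
	Results []struct {
		Vulns []struct{ ID string `json:"id"` } `json:"vulns"`
	} `json:"results"`
}

// ParseRequirement turns a pinned requirements.txt spec ("requests==2.25.0") into a PyPI query. Unpinned
// specs (>=, ~=, bare names) are rejected, not guessed: OSV matches exact versions and a guess is false confidence.
func ParseRequirement(line string) (Query, bool) {
	spec := strings.TrimSpace(strings.SplitN(line, "#", 2)[0])
	name, version, ok := strings.Cut(spec, "==")
	name, version = strings.TrimSpace(name), strings.TrimSpace(version)
	if !ok || name == "" || version == "" || strings.ContainsAny(version, "<>~!=,") {
		return Query{}, false
	}
	return Query{Package: &Package{Name: name, Ecosystem: "PyPI"}, Version: version}, true
}

// BuildBatch parses a whole requirements file into one batch request and reports the specs
// it could not query exactly, so they do not silently vanish from the report.
func BuildBatch(requirements string) (BatchQuery, []string) {
	var batch BatchQuery
	var skipped []string
	for _, line := range strings.Split(requirements, "\n") {
		spec := strings.TrimSpace(strings.SplitN(line, "#", 2)[0])
		if q, ok := ParseRequirement(spec); ok {
			batch.Queries = append(batch.Queries, q)
		} else if spec != "" {
			skipped = append(skipped, spec)
		}
	}
	return batch, skipped
}

// Label renders a query as "ecosystem/name@version" or "commit:<sha>" for reporting.
func Label(q Query) string {
	if q.Commit != "" {
		return "commit:" + q.Commit
	}
	return fmt.Sprintf("%s/%s@%s", q.Package.Ecosystem, q.Package.Name, q.Version)
}

// SummarizeBatch pairs a batch reply with the queries that produced it: label -> IDs (empty = no known findings).
func SummarizeBatch(batch BatchQuery, body []byte) (map[string][]string, error) {
	var resp BatchResponse
	if err := json.Unmarshal(body, &resp); err != nil {
		return nil, fmt.Errorf("decode querybatch response: %w", err)
	}
	if len(resp.Results) != len(batch.Queries) {
		return nil, fmt.Errorf("got %d results for %d queries", len(resp.Results), len(batch.Queries))
	}
	out := make(map[string][]string, len(batch.Queries))
	for i, q := range batch.Queries {
		var ids []string
		for _, v := range resp.Results[i].Vulns {
			ids = append(ids, v.ID)
		}
		out[Label(q)] = ids
	}
	return out, nil
}

// Constructed fixtures so this runs offline; the vulnerability ID is a placeholder, not a real
// OSV entry. A live client would POST the batch JSON to https://api.osv.dev/v1/querybatch.
const sampleRequirements = "requests==2.25.0  # pinned\nidna==3.4\nflask>=2.0  # unpinned\n"
const sampleBatchReply = `{"results":[{"vulns":[{"id":"EXAMPLE-2024-0001","modified":"2024-01-02T00:00:00Z"}]},{}]}`

func main() {
	batch, skipped := BuildBatch(sampleRequirements)
	body, _ := json.Marshal(batch) // this is the /v1/querybatch request body
	summary, err := SummarizeBatch(batch, []byte(sampleBatchReply))
	fmt.Printf("request: %s\nskipped: %v\nsummary: %v (err=%v)\n", body, skipped, summary, err)
}
```

Run it with `go run`; a live version would add a net/http POST between BuildBatch and SummarizeBatch. Two checks in it are the ones worth carrying into any workflow built on these tools: the result count must equal the query count, because the batch reply is positional and a silent mismatch would attribute findings to the wrong package; and the batch reply contains only IDs, so the conclusion "package X is affected" needs a get_vulnerability-style detail lookup of each ID to confirm the affected range and fixed version. Unpinned specs are reported rather than dropped, since a dependency audit that quietly skips them is worse than one that says it could not check them.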
Security isn't an afterthought anymore - it's part of every development decision. But traditional security tools create friction. By embedding vulnerability intelligence directly into your LLM workflow, you're not just making security easier - you're making it continuous and conversational.
Your LLM already understands your code. Now it understands the security landscape around it too.
The OSV MCP server transforms security from a separate process into a natural part of your development conversation. Install it once, and security intelligence becomes as accessible as asking "how does this function work?"