audit-mcp-cli
A lightweight dependency vulnerability audit tool that works as both a CLI and an MCP Server — so your AI coding assistant can find and fix security issues for you
audit-mcp-cli
English | 中文
A lightweight dependency vulnerability audit tool for Node.js projects. Supports CLI and MCP Server modes, covers npm and pnpm projects, and generates structured Markdown/HTML reports with full dependency chains.
Features
- Full dependency chains — traces the complete path from your package.json to each vulnerable package
- npm + pnpm support — auto-detects package manager by lockfile
- Remote GitHub audit — audit any public or private repo without cloning
- MCP Server — integrates with AI coding assistants (Claude, Cursor, etc.)
- Markdown / HTML reports — clean, structured reports sorted by severity
- CI gate —
--fail-onexit code for CI/CD pipelines - Ignore mechanism — suppress accepted vulnerabilities with expiration dates
- Severity filtering — show only vulnerabilities above a threshold
Install
# Run directly
npx audit-mcp-cli
# Or install globally
npm install -g audit-mcp-cli
Requires Node.js >= 18.
Usage
# Audit current directory
audit-mcp-cli
# Specific project path
audit-mcp-cli --path /path/to/project
# Remote GitHub repo (branch)
audit-mcp-cli --remote github:facebook/react --ref main
# Remote GitHub repo (tag)
audit-mcp-cli --remote github:facebook/react --ref v18.2.0
# Remote GitHub repo (commit SHA)
audit-mcp-cli --remote github:facebook/react --ref abc123def
# HTML report
audit-mcp-cli --format html --output report.html
# CI: fail if high+ severity vulnerabilities found
audit-mcp-cli --fail-on high
# Severity filtering (only show high and critical)
audit-mcp-cli --severity high
CLI Options
| Option | Description | Default |
|---|---|---|
--path <path> | Local project path | process.cwd() |
--remote <repo> | Remote repo: github:owner/repo or https://github.com/owner/repo | — |
--ref <ref> | Git ref (branch name / tag / commit SHA) | main |
--token <token> | GitHub personal access token (for private repos) | GITHUB_TOKEN env |
--format <fmt> | Report format: md or html | md |
--output <path> | Output file path | audit-report.md or .html |
--severity <level> | Minimum severity to display: low / moderate / high / critical | low |
--fail-on <level> | CI fail threshold — exit 1 if vulnerabilities at this level or above exist | — |
--mcp | Start as MCP Server | — |
--lang <lang> | Language: en or zh-CN | Auto-detect from system |
--fail-on exit codes
| Value | Exits 1 when |
|---|---|
critical | Any critical vulnerability found |
high | Any high or critical found |
moderate | Any moderate, high, or critical found |
low | Any vulnerability found |
| (not set) | Always exits 0 |
MCP Server
Run as an MCP stdio server for AI assistants:
audit-mcp-cli --mcp
Claude Desktop
Basic (local projects & public repos):
{
"mcpServers": {
"audit-mcp-cli": {
"command": "npx",
"args": ["-y", "audit-mcp-cli", "--mcp"]
}
}
}
With GitHub token (private repos / avoid rate limits):
{
"mcpServers": {
"audit-mcp-cli": {
"command": "npx",
"args": ["-y", "audit-mcp-cli", "--mcp"],
"env": {
"GITHUB_TOKEN": "ghp_xxxx"
}
}
}
}
Cursor
Add to .cursor/mcp.json:
Basic (local projects & public repos):
{
"mcpServers": {
"audit-mcp-cli": {
"command": "npx",
"args": ["-y", "audit-mcp-cli", "--mcp"]
}
}
}
With GitHub token (private repos / avoid rate limits):
{
"mcpServers": {
"audit-mcp-cli": {
"command": "npx",
"args": ["-y", "audit-mcp-cli", "--mcp"],
"env": {
"GITHUB_TOKEN": "ghp_xxxx"
}
}
}
}
Tool: audit_dependencies
The MCP server exposes one tool that supports both local and remote auditing:
| Parameter | Description |
|---|---|
projectPath | Local project path |
remoteRepo | Remote repo: github:owner/repo |
ref | Git ref (branch / tag / SHA) |
token | GitHub token (for private repos, or use GITHUB_TOKEN env) |
format | md or html |
severity | Minimum severity filter |
outputPath | Custom output file path |
Returns: report file path + structured vulnerability details (CVSS, dependency chains, fix suggestions).
Token is optional. Local project auditing never requires a token. Remote public repos work without a token (60 requests/hour). Only private repos require a GitHub token.
Ignore Mechanism
Create .audit-mcp-cli-ignore.json in your project root to suppress accepted vulnerabilities:
{
"ignore": [
{
"packageName": "minimist",
"advisorySource": 1179,
"reason": "Accepted risk, limited impact in our usage",
"expiresAt": "2025-12-31T00:00:00Z"
}
]
}
packageName— match all advisories for this package, or combine withadvisorySourcefor exact matchexpiresAt— optional, ignore auto-expires after this date- Ignored vulnerabilities are shown in a separate section of the report and excluded from
--fail-onchecks
CI Integration
# GitHub Actions example
- name: Security Audit
run: npx audit-mcp-cli --fail-on high
# Generic CI
npx audit-mcp-cli --fail-on high && echo "pass" || echo "fail"
License
관련 서버
Chess UCI
Connect to UCI-compatible chess engines like Stockfish to play and analyze games. Requires a local chess engine binary.
Cyber Triage
Allows access to DFIR / forensics data that was collected from endpoints. Used for SOC and forensic investigations.
Autopsy
Allows access to DFIR / forensics data that was analyzed by the open source Autopsy platform
Currency Exchange & Crypto Rates
Real-time forex and crypto conversion with multi-source failover across 5 providers. 60+ fiat currencies, 30+ cryptocurrencies, no API keys needed.
OSINT MCP
Real-time OSINT intelligence platform for global security monitoring.
Sequential Ethical Thinking
A tool for structured, step-by-step ethical reasoning using multiple moral frameworks for transparent deliberation.
O'RLY MCP
Generates O'RLY? (O'Reilly parody) book covers.
Fast Mobile MCP
High-performance mobile automation architecture with a thin MCP gateway and dedicated Go workers for Android and iOS.
iPayX FX Audit
Forensic FX audit MCP. Detects hidden bank markups on cross-border payments. FINTRAC MSB registered.
Meta-Stamp Pockets
Licensed AI content access. 1,821 Dhar Mann Studios videos. $0.0025/pull, creator compensated automatically. 30ms delivery.