VulniCheck provides comprehensive security analysis for Python projects and GitHub repositories using AI-powered vulnerability detection. It runs as a Docker-based HTTP MCP server with standard HTTP streaming (no SSE required), providing secure containerized deployment with comprehensive vulnerability scanning capabilities.
# Pull the latest image from Docker Hub
docker pull andrasfe/vulnicheck:latest
# Run with OpenAI API key (for enhanced AI-powered risk assessment)
docker run -d --name vulnicheck-mcp -p 3000:3000 \
--restart=unless-stopped \
-e OPENAI_API_KEY=your-openai-api-key \
andrasfe/vulnicheck:latest
# Or run without API key (basic vulnerability scanning)
docker run -d --name vulnicheck-mcp -p 3000:3000 \
--restart=unless-stopped \
andrasfe/vulnicheck:latestclaude mcp add --transport http vulnicheck http://localhost:3000/mcpThat's it! VulniCheck is now available in Claude Code.
Once installed, simply ask Claude:
"Run a comprehensive security check on my project"
"Scan https://github.com/owner/repo for vulnerabilities"
"Check my dependencies for security issues"
"Scan my Dockerfile for vulnerable packages"
VulniCheck will:
- ✅ Scan dependencies for known vulnerabilities (requirements.txt, pyproject.toml, setup.py)
- ✅ Detect exposed secrets and credentials
- ✅ Analyze Dockerfiles for security issues
- ✅ Validate MCP configurations
- ✅ Generate AI-powered risk assessments
- ✅ Provide actionable remediation recommendations
- Docker Deployment: Secure containerized deployment with HTTP streaming (no SSE/Server-Sent Events required)
- Optional Authentication: Supports Google OAuth 2.0 for secure access control (disabled by default)
- Production Ready: Scalable HTTP server architecture
- Comprehensive Coverage: Queries 5+ vulnerability databases (OSV.dev, NVD, GitHub Advisory, CIRCL, Safety DB)
- GitHub Integration: Scan any public/private GitHub repository directly (up to 1GB)
- AI-Powered Analysis: Uses OpenAI/Anthropic APIs for intelligent security assessment
- Secrets Detection: Finds exposed API keys, passwords, and credentials
- Docker Security: Analyzes Dockerfiles for vulnerable dependencies
- Smart Caching: Avoids redundant scans with commit-level caching
- Space Management: Automatic cleanup prevents disk exhaustion (2GB total limit)
- Zero Config: Works out of the box, enhanced with optional API keys
| Tool | Description |
|---|---|
check_package_vulnerabilities |
Check a specific Python package for vulnerabilities |
scan_dependencies |
Scan dependency files (requirements.txt, pyproject.toml, etc.) |
scan_installed_packages |
Scan currently installed Python packages |
get_cve_details |
Get detailed information about a specific CVE |
scan_for_secrets |
Detect exposed secrets and credentials in code |
scan_dockerfile |
Analyze Dockerfiles for vulnerable Python dependencies |
scan_github_repo |
Comprehensive security scan of GitHub repositories |
assess_operation_safety |
AI-powered risk assessment for operations |
validate_mcp_security |
Validate MCP server security configurations |
comprehensive_security_check |
Interactive AI-powered security assessment |
Enhance VulniCheck with API keys for better rate limits and AI features:
docker run -d --name vulnicheck-mcp -p 3000:3000 \
--restart=unless-stopped \
-e OPENAI_API_KEY=your-key \ # AI-powered risk assessment
-e ANTHROPIC_API_KEY=your-key \ # Alternative AI provider
-e GITHUB_TOKEN=your-token \ # Higher GitHub API rate limits
-e NVD_API_KEY=your-key \ # Higher NVD rate limits
andrasfe/vulnicheck:latestVulniCheck supports optional Google OAuth 2.0 authentication for secure access control. By default, authentication is disabled.
-
Get Google OAuth Credentials:
- Go to Google Cloud Console
- Create a project and enable Google+ API
- Create OAuth 2.0 credentials (Web application)
- Add authorized redirect URI:
http://localhost:3000/oauth/callback(or your domain)
-
Configure Environment Variables:
export FASTMCP_SERVER_AUTH_GOOGLE_CLIENT_ID="your-client-id.apps.googleusercontent.com" export FASTMCP_SERVER_AUTH_GOOGLE_CLIENT_SECRET="GOCSPX-your-secret-here" export FASTMCP_SERVER_BASE_URL="http://localhost:3000"
-
Run with Authentication:
docker run -d --name vulnicheck-mcp -p 3000:3000 \ --restart=unless-stopped \ -e FASTMCP_SERVER_AUTH_GOOGLE_CLIENT_ID=your-client-id \ -e FASTMCP_SERVER_AUTH_GOOGLE_CLIENT_SECRET=your-secret \ -e FASTMCP_SERVER_BASE_URL=http://localhost:3000 \ -v vulnicheck_tokens:/home/vulnicheck/.vulnicheck/tokens \ andrasfe/vulnicheck:latest \ python -m vulnicheck.server --auth-mode google
-
Using docker-compose: See
docker-compose.auth-example.ymlfor a complete configuration example.
Note: OAuth tokens are persisted in /home/vulnicheck/.vulnicheck/tokens. Use a Docker volume to persist tokens across container restarts.
FastMCP OAuth + HTTP Transport Incompatibility
Due to a limitation in FastMCP 2.12.4, OAuth authentication does not work properly with HTTP transport (streamable-http). The authorization endpoints (/oauth/authorize, /oauth/callback) are not correctly mounted, resulting in 404 errors.
When OAuth Works:
- ✅ Local connections (when supported in future FastMCP versions)
- ✅ OAuth discovery endpoint works (
/.well-known/oauth-protected-resource)
When OAuth Does NOT Work:
- ❌ HTTP transport with external clients (ChatGPT, Claude Desktop, etc.)
- ❌ Authorization endpoints return 404
- ❌ Token exchange fails
Workaround for External Clients (ChatGPT, etc.):
Run VulniCheck without authentication when accessing through ngrok or other public URLs:
# Start without OAuth (recommended for external clients)
docker run -d --name vulnicheck-mcp -p 3000:3000 \
--restart=unless-stopped \
andrasfe/vulnicheck:latest
# Then configure ngrok
ngrok http 3000In your MCP client (ChatGPT, etc.):
- URL:
https://your-ngrok-url.ngrok-free.dev/mcp - Authentication: None
Security Considerations:
- ✅ Traffic is encrypted via HTTPS (ngrok)
⚠️ No authentication - anyone with URL can access- 💡 ngrok free URLs change on restart (security through obscurity)
- 🔒 For production, use ngrok paid tier with password protection or IP whitelisting
Future Resolution: This limitation will be resolved when:
- FastMCP fixes OAuth + HTTP transport support, OR
- Alternative authentication mechanisms are implemented
Quick Start (No OAuth):
# 1. Start VulniCheck
docker run -d --name vulnicheck-mcp -p 3000:3000 \
--restart=unless-stopped \
andrasfe/vulnicheck:latest
# 2. Start ngrok
ngrok http 3000
# 3. Use the ngrok URL in your MCP client
# URL: https://your-generated-url.ngrok-free.dev/mcp
# Authentication: NoneOptional OAuth Script (Experimental - OAuth Not Functional):
A convenience script restart-vulnicheck-ngrok.sh is provided for testing OAuth, but OAuth does not currently work due to FastMCP limitations:
# Copy the example environment file
cp .env.example .env
# Edit .env and add your credentials
GOOGLE_CLIENT_ID=your-client-id.apps.googleusercontent.com
GOOGLE_CLIENT_SECRET=GOCSPX-your-secret-here
NGROK_URL=https://your-ngrok-url.ngrok-free.dev
# Run the script (OAuth will not work)
./restart-vulnicheck-ngrok.shNote: The script is provided for future use when FastMCP OAuth + HTTP transport is fixed. Currently, always run without OAuth for external clients.
# Clone the repository
git clone https://github.com/andrasfe/vulnicheck.git
cd vulnicheck
# Build Docker image
docker build -t vulnicheck .
# Run locally built image (no auth)
docker run -d --name vulnicheck-mcp -p 3000:3000 --restart=unless-stopped vulnicheck
# Run with Google OAuth
docker run -d --name vulnicheck-mcp -p 3000:3000 \
--restart=unless-stopped \
-e FASTMCP_SERVER_AUTH_GOOGLE_CLIENT_ID=your-client-id \
-e FASTMCP_SERVER_AUTH_GOOGLE_CLIENT_SECRET=your-secret \
-e FASTMCP_SERVER_BASE_URL=http://localhost:3000 \
-v vulnicheck_tokens:/home/vulnicheck/.vulnicheck/tokens \
vulnicheck \
python -m vulnicheck.server --auth-mode googleThe official Docker image is available at:
- Docker Hub: andrasfe/vulnicheck
- Latest Tag:
andrasfe/vulnicheck:latest
- Docker
- Claude Code or any MCP client with HTTP transport support (standard HTTP, no SSE required)
- Optional: API keys for enhanced features
- Dependencies:
requirements.txt,pyproject.toml,setup.py, lock files - Containers:
Dockerfile,docker-compose.yml - Secrets: All text-based source files
- GitHub: Any public or private repository URL
- Issues: Report problems at https://github.com/andrasfe/vulnicheck/issues
- Development: See CLAUDE.md for development details
- Security: Report security issues privately via GitHub Security Advisories
DISCLAIMER: Vulnerability data provided "AS IS" without warranty. Users are responsible for verification and remediation.