Google Deps.dev Security Hacker

Google Deps.dev Security Hacker MCP Connector for Claude


Transform your AI into a Senior DevSecOps Engineer. Instantly audit any open-source package, hunt for hidden supply-chain threats in dependency trees, and analyze full GitHub repositories using Google's deps.dev API. No authentication required.

4 tools · Official · Updated Jun 28, 2026 · Vinkius Partner

Equip your AI agent with the ultimate "Hacker" toolkit for open-source security. This MCP connects your agent directly to Google's Open Source Insights (deps.dev), turning it into a specialized DevSecOps auditor capable of uncovering deep vulnerabilities that basic scanners miss.

The 4 Superpowers

1. Instant Vulnerability Audits: Drop a package name into the chat and ask the AI to "Audit this dependency." It will instantly flag any library with known CVEs or GitHub Security Advisories.
2. Supply Chain Threat Hunting: A package might look safe, but what about its dependencies? The AI can map the entire transitive dependency tree to find hidden malware or unpatched vulnerabilities lurking deep in the stack.
3. Repository Governance (OSSF): Paste any GitHub URL and let the AI generate a full governance audit. It uses the OSSF Scorecard to check if the repository enforces code reviews, uses fuzzing, and signs its releases.
4. CVE Encyclopedia: Give the AI any CVE or GHSA ID, and it will pull down the exact exploit details, severity, and the specific package versions affected so you can patch immediately.

Works natively with npm (Node.js), PyPI (Python), Cargo (Rust), Go, Maven (Java), and NuGet (.NET).

Tags: supply-chain-security, dependency-analysis, vulnerability-scanning, open-source-security, devsecops

4 tools expose this connector's capabilities to your AI agent.

analyze_dependency

Supported systems: npm, pypi, go, cargo, maven, nuget. Analyzes an open-source package for security advisories and its OSSF Scorecard using Google deps.dev.

analyze_github_repository

Performs a full security and governance audit of a GitHub repository using OSSF Scorecards

get_transitive_dependencies

Hunts for hidden security threats by analyzing the entire transitive dependency tree of a package

get_vulnerability_details

Retrieves detailed information about a specific CVE or GitHub Security Advisory (GHSA)

See how to talk to your AI agent using Google Deps.dev Security Hacker.

Audit the npm package 'express' version 4.16.0 for any security vulnerabilities.

I checked `express` v4.16.0 on deps.dev. It has **4 known security advisories**, including GHSA-8X4W-MXXF-XXXX (High Severity - CVSS 7.5). The project has an OSSF Scorecard of 6.8/10. I strongly recommend upgrading.

I found this GHSA-xvch-5gv4-984h advisory. What does it do and what packages are affected?

That ID corresponds to a **CRITICAL (CVSS: 9.8)** vulnerability: "Prototype Pollution in Lodash". It allows an attacker to inject properties into Object.prototype. It affects the npm package `lodash` on versions `< 4.17.15`. You must upgrade immediately.

Check the dependency tree for the pypi package 'requests' v2.28.1. Are there any hidden threats?

I mapped the entire transitive tree (total 8 dependencies). **⚠️ WARNING: Found 1 hidden threat:** The indirect dependency `certifi` (v2022.6.15) has a known security advisory. You should override this dependency in your requirements.

Generate a security governance audit for https://github.com/facebook/react

Here is the OSSF Scorecard audit for `facebook/react`. It scores a **7.2/10** overall. They excel in Code-Review (10/10) and Branch-Protection (10/10), but lost points on Pinned-Dependencies (3/10) and lack of Fuzzing (0/10).

Is the 'log4j' maven package safe to use right now?

Let me check the latest versions on deps.dev. The older 2.14.x versions are famously compromised (Log4Shell - CVE-2021-44228, CVSS 10.0). However, the latest version `2.20.0` has **✅ No known security advisories** and is safe to use. Always ensure you are pinning the latest version.

No! The Google deps.dev API is completely free and public. Just connect the MCP and your AI agent can start auditing immediately.
