VulniCheck

VulniCheck is an AI-powered security scanner that runs as an HTTP MCP server inside a Docker container. It analyzes Python projects and GitHub repositories for vulnerabilities, secrets exposure, and Dockerfile issues, and it integrates with MCP clients to provide quick, actionable risk assessments and remediation suggestions.

How to use

You connect an MCP client to the VulniCheck MCP server to start security scans. Use a single HTTP MCP endpoint to perform comprehensive checks on codebases, dependency files, Dockerfiles, and GitHub repositories. You can request AI-powered risk assessments and receive concrete remediation guidance. The server supports optional authentication and can scan public or private GitHub repos (up to 1GB) and analyze multiple data sources.

How to install

Prerequisites: Docker is required to run the MCP server. You also need an MCP client that supports standard HTTP transport (no SSE). Optional API keys can enhance AI features and rate limits.

Step 1: Pull the latest Docker image.

docker pull andrasfe/vulnicheck:latest

Step 2: Run the MCP server. Provide your OpenAI API key if you want enhanced AI-powered risk assessment; otherwise, run with basic vulnerability scanning.

docker run -d --name vulnicheck-mcp -p 3000:3000 \
  --restart=unless-stopped \
  -e OPENAI_API_KEY=your-openai-api-key \
  andrasfe/vulnicheck:latest

docker run -d --name vulnicheck-mcp -p 3000:3000 \
  --restart=unless-stopped \
  andrasfe/vulnicheck:latest

Step 3: Connect the MCP client to the server using the HTTP transport URL. The example URL shown assumes the server runs on your localhost: http://localhost:3000/mcp

https://localhost:3000/mcp

Optional: Enable Google OAuth 2.0 authentication for secure access control. If you enable authentication, configure client IDs, secrets, and base URL as shown in the configuration steps. If you plan to use external clients, consider running without authentication for public endpoints.

Configuration and notes

Key capabilities include: scanning dependencies across common Python files, detecting exposed secrets, analyzing Dockerfiles for vulnerable dependencies, validating MCP configurations, generating AI-powered risk assessments, and providing remediation recommendations. The server uses docker-based deployment with HTTP streaming and supports optional API keys for enhanced AI features.

Authentication is optional and disabled by default. When enabled, tokens are persisted to a local path inside the container, and you should mount a volume to preserve tokens across restarts.

If you need to expose the server to external clients (for example, via ngrok), run without authentication and tunnel the HTTP URL. Public access should be secured with a gateway or password protection for production use.

docker run -d --name vulnicheck-mcp -p 3000:3000 \
  --restart=unless-stopped \
  andrasfe/vulnicheck:latest

MCP connection details are available via the HTTP endpoint. If you need to use a local development workflow, you can build from source and run the server with the specific Python entry point as described in the build section.

Available tools

check_package_vulnerabilities

Check a specific Python package for vulnerabilities

scan_dependencies

Scan dependency files such as requirements.txt and pyproject.toml for known issues

scan_installed_packages

Scan currently installed Python packages for vulnerabilities

get_cve_details

Retrieve detailed information about a specific CVE

scan_for_secrets

Detect exposed secrets and credentials in code and configuration files

scan_dockerfile

Analyze Dockerfiles for vulnerable Python dependencies

scan_github_repo

Perform a comprehensive security scan of a GitHub repository

assess_operation_safety

AI-powered risk assessment for security-sensitive operations

validate_mcp_security

Validate MCP server security configurations

comprehensive_security_check

Interactive AI-powered security assessment