The osv-ui-mcp server enables AI agents to scan projects for CVE vulnerabilities, visualize findings, and apply fixes with a human-in-the-loop workflow. All analysis runs 100% locally, ensuring your code never leaves your environment.
Scan projects for CVEs (
scan_project): Automatically detect and scan manifest files (e.g.,package-lock.json,requirements.txt,go.sum,Cargo.lock,pom.xml) across npm, Python, Go, Rust, Java, PHP, and Ruby ecosystems. Queries live CVE data from OSV.dev and returns structured reports with severity counts, risk scores, and fix recommendations. Supports filtering by severity (critical, high, moderate, low).Launch a visual dashboard (
open_dashboard): Opens a zero-config, privacy-first browser-based dashboard for human review of CVE details, severity charts, and upgrade guides β the recommended step before applying any fixes.Preview fix commands (
get_fix_commands): Retrieves safe upgrade commands (e.g.,npm install,pip install) for vulnerable packages without executing them, allowing users to review proposed changes before action.Apply security fixes (
apply_fixes): Executes package upgrade commands to remediate CVEs. Supports dry-run mode for final confirmation; requires explicit package selection to prevent unintended modifications.
Utilizes the GitHub Advisory Database as a core source for vulnerability data to provide accurate security assessments.
Enables security auditing within GitLab CI/CD pipelines to monitor for vulnerabilities and block deployments containing critical security risks.
Scans npm projects by parsing package-lock.json files to identify security vulnerabilities, calculate risk scores, and provide clear upgrade guides.
Provides specific support for auditing Python dependencies defined in poetry.lock manifest files.
Integrates with the PyPI Advisory Database to identify known vulnerabilities in Python package dependencies.
Audits Python projects for CVEs by scanning manifest files such as requirements.txt, Pipfile.lock, and poetry.lock.
Identifies and reports known security vulnerabilities in Rust projects by analyzing Cargo.lock files.
osv-ui
A beautiful, zero-config visual CVE dashboard for npm, Python, Go, Rust, Java, PHP, and Ruby projects.
One command. No signup. No API key. Runs 100% locally β your code never leaves your machine.
π npm version
π npm version (mcp)
π npm downloads
π License: MIT
π PRs Welcome
π Node.js
π»π³ TiαΊΏng Viα»t Β· πΊπΈ English Β· π¨π³ δΈζ Β· π―π΅ ζ₯ζ¬θͺ
The problem
$ npm audit
# ... 300 lines of this ...
# moderate Regular Expression Denial of Service in semver
# package semver
# patched in >=7.5.2
# ...
# 12 vulnerabilities (3 moderate, 6 high, 3 critical)Nobody reads that. Security gets ignored. Dependencies stay vulnerable.
Related MCP server: CVE Checker for Node Modules
The solution
npx osv-uiβ Opens a dashboard. Every CVE, every fix, all your services. Done.
Why give it a try?
Zero-config: No complex setup, no signup, no API key required.
Privacy First: Analysis is done 100% on your machine.
Fast & Visual: Real-time Risk Scores, vulnerability charts, and clear upgrade guides in seconds.
Multi-platform: Native support for Node.js (npm), Python, Go, Rust, Java, PHP, and Ruby.
Features
π Multi-Ecosystem | Scans |
π‘ Live CVE data | Powered by OSV.dev β updated daily from NVD, GitHub Advisory, PyPI Advisory. No API key. |
π’ Multi-service | Scan your entire monorepo in one command β frontend, backend, workers, ML services |
π Fix guide | Dependabot-style upgrade table: current version β safe version + one-click copy command |
π Built-in REST API | Power your own security dashboards with |
π― Risk score | 0β100 per service so you know where to focus first |
π CVE drill-down | Click any row β CVSS score, description, NVD link, GitHub Advisory link |
π Dark Mode | Eye-friendly security audits, day or night |
Quick start
Scan current directory:
npx osv-uiScan a monorepo (multiple services at once):
npx osv-ui ./frontend ./api ./worker ./ml-serviceAuto-discover all services under the current directory:
npx osv-ui -dAdd to your package.json scripts:
{
"scripts": {
"audit:ui": "npx osv-ui",
"audit:all": "npx osv-ui ./frontend ./api ./worker"
}
}--discover, -d Auto-find service dirs that contain a supported manifest
--port=2003 Use a custom port (default: 2003)
--json[=file] Save report as JSON without opening browser (defaults to osv-report.json)
--html[=file] Save report as HTML without opening browser (defaults to osv-report.html)
--cyclonedx[=file] Save CycloneDX SBOM JSON (defaults to osv-sbom.cdx.json)
--spdx[=file] Save SPDX SBOM JSON (defaults to osv-sbom.spdx.json)
--baseline=file Compare with a previous --json report
--markdown[=file] Save a Markdown PR/comment report (defaults to osv-report.md)
--fail-on=level Exit non-zero for critical/high/moderate/low findings
--webhook-url=url POST matching findings to a webhook
--webhook-severity=level Webhook threshold (default: critical)
--watch Keep dashboard running and re-scan when manifests change
--no-open Don't auto-open the browser
--offline Skip OSV.dev lookup β parse manifests only
-h, --help Show help messageπ€ AI Agent Integration (MCP)
osv-ui is now a Model Context Protocol (MCP) server. This allows AI agents like Claude Desktop, Cursor, and Claude Code to:
Scan your project for CVEs automatically.
Open the visual dashboard for you to review findings (Human-in-the-loop).
Apply fixes after your explicit confirmation.
Quick setup (npx):
{
"mcpServers": {
"osv-ui": {
"command": "npx",
"args": ["-y", "osv-ui-mcp"]
}
}
}See the MCP Package README for detailed setup instructions.
π Powerful built-in API
osv-ui isn't just a dashboard; it's a security data engine.
Once the dashboard is running, you can pull the raw security data for your whole project:
# Get full JSON payload for all services
curl http://localhost:2003/api/data
# Use it in your custom scripts
curl -s http://localhost:2003/api/data | jq '.[0].vulns'CI reports, PR diffs, and SBOMs
Generate machine-readable reports without opening the browser:
npx osv-ui -d --json=osv-report.json --markdown=osv-report.md --cyclonedx=sbom.cdx.json --spdx=sbom.spdx.json --no-openCompare a PR scan against a baseline report and fail on newly introduced high+ findings:
npx osv-ui -d --json=current.json --baseline=main-osv-report.json --markdown=osv-pr.md --fail-on=high --no-openMinimal GitHub Actions flow:
name: osv-ui
on: [pull_request]
jobs:
scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: 20
- run: npx osv-ui -d --json=current.json --markdown=osv-pr.md --cyclonedx=sbom.cdx.json --fail-on=high --no-open
- uses: actions/upload-artifact@v4
if: always()
with:
name: osv-ui-report
path: |
current.json
osv-pr.md
sbom.cdx.jsonSend new critical findings to a webhook:
npx osv-ui -d --baseline=main-osv-report.json --webhook-url="$SECURITY_WEBHOOK_URL" --webhook-severity=critical --json=current.jsonSupported manifest files
Ecosystem | Files |
npm / JS |
|
Python |
|
Go |
|
Rust |
|
Java |
|
PHP |
|
Ruby |
|
More ecosystems coming β see Roadmap.
How it works
Your project files
β
ββ package-lock.json βββ
ββ Pipfile / poetry βββ€βββΊ parser βββΊ package list
ββ go.sum / Cargo.lock βββ
β
βΌ
OSV.dev batch API (free, no key)
β
βΌ
CVE matches + fix versions
β
βΌ
Express server β browser dashboard
http://localhost:2003CVE data comes from OSV.dev β a free, open database maintained by Google that aggregates:
πΊπΈ NVD β NIST National Vulnerability Database
π GitHub Advisory Database (GHSA)
π¦ npm Advisory Database
π¦ RustSec Β· Go Vuln DB Β· OSS-Fuzz Β· and more
Updated daily. No account. No rate limit. No vendor lock-in.
Works great alongside osv-scanner (Google)
osv-ui and osv-scanner use the same OSV.dev data source. osv-ui adds the visual layer that osv-scanner lacks:
Browser dashboard instead of terminal output
Multi-service sidebar
Dependabot-style upgrade guide with copy commands
vs alternatives
osv-ui |
| Snyk | Dependabot | |
Visual dashboard | β | β terminal only | β | β |
npm support | β | β | β | β |
Python support | β | β | β | β |
Multi-service in one view | β | β | β paid | β |
No signup required | β | β | β | β |
Works on GitLab Free | β | β | β | β |
Self-hosted / local | β | β | β | β |
Fix commands | β | partial | β | β |
Open source | β | β | β | β |
GitLab CI β block deploys on critical CVEs
No Dependabot on GitLab Free? Add this to .gitlab-ci.yml:
audit:
stage: test
image: node:20-alpine
script:
- npm audit --json > /tmp/audit.json || true
- |
node -e "
const r = require('/tmp/audit.json');
const crit = Object.values(r.vulnerabilities || {})
.filter(v => v.severity === 'critical').length;
if (crit > 0) {
console.error('BLOCKED: ' + crit + ' critical CVE(s). Run: npx osv-ui');
process.exit(1);
}
console.log('OK: no critical vulnerabilities');
"
artifacts:
paths: [/tmp/audit.json]
when: alwaysRequirements
Node.js >= 18
Internet access for OSV.dev queries β or use
--offlinenpm projects: run
npm installfirst sopackage-lock.jsonexistsPython projects: any of the supported manifest files listed above
Roadmap
All contributions are welcome. If you want to work on something, open an issue first so we can coordinate.
Go support β parse
go.sum/go.modRust support β parse
Cargo.lockJava / Maven β parse
pom.xmlPHP / Composer β parse
composer.lockRuby / Bundler β parse
Gemfile.lockExport report β save as HTML / JSON
Dark mode β eye-friendly dashboard UI
GitHub Actions / CI diff β generate Markdown PR comments and fail on new CVEs
SBOM export β CycloneDX / SPDX format
Watch mode β re-scan on manifest file changes
Slack / webhook β notify on new critical CVEs
Parser hardening β Maven property inheritance, lockfile edge cases, workspace layouts
Live dashboard refresh β push watch-mode updates to an open browser tab without reload
Contributing
This project is built by the community. All skill levels welcome.
Good first issues:
Write unit tests for the parsers
Improve Python parser edge cases
Improve Maven/Gradle and workspace parser edge cases
# Clone and run locally
git clone https://github.com/toan203/osv-ui
cd osv-ui
npm install
# Run against your own project
node bin/cli.js /path/to/your/project
# Run against multiple services
node bin/cli.js ./frontend ./backendPlease read CONTRIBUTING.md for code style and PR process.
License
MIT β use it, fork it, embed it, build on it. Attribution appreciated but not required.
Did osv-ui catch a real CVE in your project?
A β helps other developers find this tool.
Maintenance
Latest Blog Posts
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/toan203/osv-ui'
If you have feedback or need assistance with the MCP directory API, please join our Discord server