SafeDep VET MCP Server

Overview

SafeDep VET is an enterprise‑grade, open‑source software supply chain security platform that empowers developers and security engineers to verify the safety of the vast majority of code in modern projects—typically 70‑90% sourced from public ecosystems. By turning VET into an MCP server, the tool can be queried directly by AI assistants to vet packages suggested in real time, ensuring that code recommendations are not only syntactically correct but also secure and compliant with organizational policies.

The server performs next‑generation software composition analysis that goes beyond simple dependency enumeration. It examines the actual code paths and usage patterns of each package, providing context‑aware risk scores that help teams focus on the vulnerabilities that truly impact their application. This reduces noise and accelerates triage compared to traditional scanners.

Key capabilities include:

• Real‑time malicious package detection powered by SafeDep Cloud, which continuously scans public registries for malware and suspicious behavior. The server falls back to a lightweight query mode when no API key is supplied, keeping security checks free for open‑source projects.
• Policy as Code using CEL expressions, allowing teams to encode custom security rules—such as blocking packages with critical CVEs or enforcing minimum OpenSSF Scorecard scores—and automatically fail CI pipelines when violations occur.
• Multi‑ecosystem support covering npm, PyPI, Maven, Go, Docker, GitHub Actions, and more, making it a single point of truth for heterogeneous codebases.
• CI/CD native integration with GitHub Actions, GitLab CI, and other pipelines, enabling automated scans on every commit or pull request without manual intervention.
• Agent support that lets AI agents query scan results and recommend mitigations, bridging the gap between security tooling and developer workflows.

In practice, SafeDep VET is invaluable for DevSecOps teams that need to maintain strict compliance while accelerating feature delivery. For example, a fintech application can run the MCP server during code reviews to immediately flag insecure dependencies suggested by an AI pair programmer, or a cloud‑native startup can enforce OpenSSF Scorecard thresholds across all container images before they reach production. By integrating directly into AI‑driven development environments, SafeDep VET ensures that every line of code added—whether written by humans or suggested by assistants—is vetted for safety, reducing risk and accelerating secure software delivery.