* Initial plan

* Add HTTP HEAD request support to SSE MCP server

- Created sseHandlerWithHeadSupport wrapper to handle HEAD requests to /sse endpoint
- HEAD requests return same headers as GET (text/event-stream, no-cache, etc.) without body
- Modified NewMcpServerWithSseTransport to use the wrapper
- Added comprehensive unit and integration tests
- Updated documentation to mention HEAD support for SSE endpoint
- Enables tools like Langchain to probe endpoint for health/capability checks

Co-authored-by: abhisek <31844+abhisek@users.noreply.github.com>

* Add HTTP HEAD request support to SSE MCP server

Co-authored-by: abhisek <31844+abhisek@users.noreply.github.com>

* Fix linter issues: remove trailing whitespace and handle w.Write error

Co-authored-by: abhisek <31844+abhisek@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: abhisek <31844+abhisek@users.noreply.github.com>
vet MCP Server
The vet MCP server is designed to run locally using stdio or sse transports.
It provides tools for MCP clients such as Claude Code, Cursor and others to vet
open source packages before they are used in a project through AI generated code.
vet MCP server can protect against Slopsquatting attacks, malicious packages,
vulnerabilities and other security risks.
Supported Ecosystems
vet MCP server currently supports the following ecosystems:
- npm
- PyPI
Usage
Start the MCP server using SSE transport:
vet server mcp --server-type sse
Start the MCP server using stdio transport:
vet -s -l /tmp/vet-mcp.log server mcp --server-type stdio
Avoid using stdout logging as it will interfere with the MCP server output.
SSE Transport Features
The SSE (Server-Sent Events) transport supports:
- GET requests: For establishing SSE connections to receive real-time events
- HEAD requests: For endpoint health checks and capability probing (useful for tools like Langchain)
- POST requests: For sending messages to the MCP server via the message endpoint
The SSE endpoint returns appropriate headers for HEAD requests without a body, allowing tools to verify endpoint availability and capabilities.
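The HEAD behaviour described above, sketched in Go as an added example; it is not the vet project's code. The wrapper name `withHeadSupport`, the stub handler, the `/message` event payload and the `Connection: keep-alive` header are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// setSSEHeaders writes the headers an SSE stream carries (keep-alive is assumed).
func setSSEHeaders(h http.Header) {
	h.Set("Content-Type", "text/event-stream")
	h.Set("Cache-Control", "no-cache")
	h.Set("Connection", "keep-alive")
}

// withHeadSupport (hypothetical name) answers HEAD on ssePath with the SSE
// headers and no body, so a probe never opens a long-lived stream. Every
// other request is passed to the wrapped handler unchanged.
func withHeadSupport(ssePath string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method == http.MethodHead && r.URL.Path == ssePath {
			setSSEHeaders(w.Header())
			w.WriteHeader(http.StatusOK)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// stubSSE stands in for the real SSE handler: it emits one constructed event.
var stubSSE = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	setSSEHeaders(w.Header())
	fmt.Fprint(w, "event: endpoint\ndata: /message\n\n")
})

// probe sends one request through the handler in-process and returns the
// status code, Content-Type and body length of the response.
func probe(h http.Handler, method, path string) (int, string, int) {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(method, path, nil))
	return rec.Code, rec.Header().Get("Content-Type"), rec.Body.Len()
}

func main() {
	h := withHeadSupport("/sse", stubSSE)
	for _, m := range []string{http.MethodHead, http.MethodGet} {
		code, ct, n := probe(h, m, "/sse")
		fmt.Printf("%-4s /sse -> %d %s body=%d bytes\n", m, code, ct, n)
	}
}
```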
Configure MCP Client
Note: The example below uses a pre-built Docker image. You can build your own by running
docker build -t ghcr.io/safedep/vet:latest .
Add the following configuration to your MCP client configuration file:
"vet-mcp": {
  "command": "docker",
  "args": [
    "run",
    "--rm",
    "-i",
    "ghcr.io/safedep/vet:latest",
    "-l",
    "/tmp/vet-mcp.log",
    "server",
    "mcp"
  ]
}
vet uses stdio by default. To use SSE transport, add the following args: "--server-type", "sse"
Note: While Docker containers can help keep the MCP server process isolated, the image needs to be periodically updated to the latest version.
Alternatively, you can use the vet binary directly as an MCP server using stdio transport. Use the following command to start the MCP server:
vet -l /tmp/vet-mcp.log server mcp --server-type stdio
Configure IDE
Cursor
Add the vet-mcp server to either .cursor/mcp.json (project-specific configuration) or ~/.cursor/mcp.json (applies to all projects):
{
  "mcpServers": {
    "vet-mcp": {
      "command": "docker",
      "args": [
        "run",
        "--rm",
        "-i",
        "ghcr.io/safedep/vet:latest",
        "-l",
        "/tmp/vet-mcp.log",
        "server",
        "mcp"
      ]
    }
  }
}
Add the following to the .cursor/rules/vet-mcp.mdc file:
---
description: vet Open Source Packages using vet MCP server
alwaysApply: true
---
Always use vet-mcp to vet any open source library package suggested by AI generated code before installation.
Follow the rules below to use vet-mcp:
- Try to find the latest version. If not found, it is likely a slopsquatting vulnerability
- Always check for critical vulnerabilities and malware
Example usage with Cursor:
Visual Studio Code
Add the vet-mcp server to .vscode/mcp.json (project-specific configuration):
{
  "servers": {
    "vet-mcp": {
      "command": "docker",
      "args": [
        "run",
        "--rm",
        "-i",
        "ghcr.io/safedep/vet:latest",
        "-l",
        "/tmp/vet-mcp.log",
        "server",
        "mcp"
      ]
    }
  }
}
To use vet-mcp for all projects in Visual Studio Code, add the following mcp setting to the Visual Studio Code User Settings (settings.json):
{
  "mcp": {
    "servers": {
      "vet-mcp": {
        "command": "docker",
        "args": [
          "run",
          "--rm",
          "-i",
          "ghcr.io/safedep/vet:latest",
          "-l",
          "/tmp/vet-mcp.log",
          "server",
          "mcp"
        ]
      }
    }
  }
}
Add the following to the .github/copilot-instructions.md file:
Always use vet-mcp to vet any open source library package suggested by AI generated code before installation.
Follow the rules below to use vet-mcp:
- Try to find the latest version. If not found, it is likely a slopsquatting vulnerability
- Always check for critical vulnerabilities and malware
Example usage with Visual Studio Code:
📄 Visual Studio Code MCP server reference
Claude Code
Add the following to .mcp.json in your Claude Code project:
{
  "mcpServers": {
    "vet-mcp": {
      "command": "docker",
      "args": [
        "run",
        "--rm",
        "-i",
        "ghcr.io/safedep/vet:latest",
        "server",
        "mcp"
      ]
    }
  }
}
Note: You can also use the vet binary directly as an MCP server using stdio transport.

