DEV Community

Piks

audit-mcp-cli: Let AI Audit Your Node.js Dependencies

A lightweight dependency vulnerability audit tool that works as both a CLI and an MCP Server — so your AI coding assistant can find and fix security issues for you.

The Problem

You run npm audit. You get a wall of text. Some vulnerabilities are direct, some are buried five levels deep in your dependency tree. The output tells you what's vulnerable, but figuring out how it got there and what to do about it takes manual effort.

Now multiply that across every project you maintain.

What It Does

audit-mcp-cli runs a full dependency vulnerability audit and produces a clean, structured report with complete dependency chains — showing you the exact path from your package.json to each vulnerable package.

npx audit-mcp-cli

That's it. It auto-detects your package manager (npm or pnpm), runs the audit, and generates a Markdown or HTML report.

But Here's the Interesting Part

It also runs as an MCP Server. That means AI coding assistants like Claude and Cursor can call it directly.

Instead of you reading an audit report, your AI assistant can:

  • Audit your project's dependencies in conversation
  • Show you exactly which vulnerabilities exist, their severity, and CVSS scores
  • Trace the full dependency chain for each issue
  • Suggest specific fixes with upgrade commands

Set It Up in 30 Seconds

Add this to your Claude Desktop config (claude_desktop_config.json):

{
  "mcpServers": {
    "audit-mcp-cli": {
      "command": "npx",
      "args": ["-y", "audit-mcp-cli", "--mcp"]
    }
  }
}

Or for Cursor (.cursor/mcp.json):

{
  "mcpServers": {
    "audit-mcp-cli": {
      "command": "npx",
      "args": ["-y", "audit-mcp-cli", "--mcp"]
    }
  }
}

Then just ask: "Audit this project for vulnerabilities."

What You Get

Full Dependency Chains

Not just "minimist has a vulnerability" — but:

my-project → jest → @jest/core → jest-config → minimist

So you know exactly why it's in your project and how to remove it.

Structured Reports

Reports are sorted by severity (critical → high → moderate → low) with:

  • CVSS scores and vectors — how bad is it, really?
  • CWE classifications — what type of vulnerability?
  • Advisory links — full details from GitHub Advisory Database
  • Fix suggestions — specific upgrade commands and target versions
  • Transitive vulnerability attribution — when package A is vulnerable because it depends on vulnerable package B, you see both, clearly separated

Remote Repo Audit

Audit any public or private GitHub repo without cloning:

audit-mcp-cli --remote github:facebook/react --ref main
audit-mcp-cli --remote github:facebook/react --ref v18.2.0

Works with branches, tags, and commit SHAs.

CI/CD Integration

Fail your pipeline when vulnerabilities exceed a threshold:

# GitHub Actions
- name: Security Audit
  run: npx audit-mcp-cli --fail-on high

# Generic CI
npx audit-mcp-cli --fail-on high && echo "pass" || echo "fail"

Ignore Mechanism

Accept known risks and track them:

// .audit-mcp-cli-ignore.json
{
  "ignore": [
    {
      "packageName": "minimist",
      "advisorySource": 1179,
      "reason": "Accepted risk, limited impact in our usage",
      "expiresAt": "2025-12-31T00:00:00Z"
    }
  ]
}

Ignored vulnerabilities appear in a separate report section and don't trigger --fail-on.
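Added example (not the project's own code): the ignore-with-expiry rule from this section combined with the --fail-on threshold from the CI/CD section, as one small evaluator you can run with Node. The finding shape (severity, chain) and the example-lib package names and advisory ids are assumptions; the ignore entry fields are the ones shown in .audit-mcp-cli-ignore.json.

```javascript
// Added example (not the project's own code): applies an ignore list with
// expiry and a --fail-on threshold to audit findings, following the rules the
// post describes. The finding shape (severity, chain) is an assumption; the
// ignore entry fields are those of .audit-mcp-cli-ignore.json.

const SEVERITY_RANK = { low: 0, moderate: 1, high: 2, critical: 3 };

// Constructed sample ignore file, same shape as the post's example.
const ignoreFile = {
  ignore: [
    { packageName: "minimist", advisorySource: 1179,
      reason: "Accepted risk, limited impact in our usage",
      expiresAt: "2025-12-31T00:00:00Z" },
    { packageName: "example-lib-a", advisorySource: 999999, // placeholder id
      reason: "Old exception; once expired it must stop suppressing",
      expiresAt: "2020-01-01T00:00:00Z" },
  ],
};

// Constructed sample findings; names and ids other than minimist/1179 are placeholders.
const findings = [
  { packageName: "minimist", advisorySource: 1179, severity: "moderate",
    chain: ["my-project", "jest", "@jest/core", "jest-config", "minimist"] },
  { packageName: "example-lib-a", advisorySource: 999999, severity: "high",
    chain: ["my-project", "example-lib-a"] },
  { packageName: "example-lib-b", advisorySource: 123456, severity: "critical",
    chain: ["my-project", "example-lib-a", "example-lib-b"] },
];

// Returns the matching ignore entry only while it is still in effect at `now`;
// an expired entry no longer suppresses the finding.
function activeIgnore(finding, ignoreList, now) {
  return ignoreList.find((e) =>
    e.packageName === finding.packageName &&
    e.advisorySource === finding.advisorySource &&
    (!e.expiresAt || new Date(e.expiresAt).getTime() > now.getTime()));
}

// Splits findings into active and ignored report sections and decides whether
// the run should fail: only active findings at or above `failOn` count.
function evaluate(list, ignoreList, failOn, now = new Date()) {
  const active = [], ignored = [];
  for (const f of list) {
    const entry = activeIgnore(f, ignoreList, now);
    if (entry) ignored.push({ ...f, reason: entry.reason });
    else active.push(f);
  }
  const failing = active.filter((f) => SEVERITY_RANK[f.severity] >= SEVERITY_RANK[failOn]);
  return { active, ignored, failing, shouldFail: failing.length > 0 };
}
```

Passing an explicit `now` makes the expiry check deterministic in tests; in a real CI run the default of the current time is what you want, so an expired exception fails the build again until it is renewed.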

Quick Reference

# Audit current directory
npx audit-mcp-cli

# Specific project
npx audit-mcp-cli --path /path/to/project

# Remote GitHub repo
npx audit-mcp-cli --remote github:owner/repo --ref main

# HTML report
npx audit-mcp-cli --format html --output report.html

# Only show high and critical
npx audit-mcp-cli --severity high

# CI: fail on high+
npx audit-mcp-cli --fail-on high

# MCP Server mode
npx audit-mcp-cli --mcp

Tech Details

  • npm + pnpm support — auto-detects package manager by lockfile
  • Node.js >= 18 — no extra runtime requirements
  • Zero config — works out of the box
  • Lightweight — minimal dependencies (commander, execa, eta, zod, MCP SDK)
  • Bilingual — English and Chinese (auto-detects system language, override with --lang)
  • MIT License

Install

# Run directly (no install needed)
npx audit-mcp-cli

# Or install globally
npm install -g audit-mcp-cli

npm: https://www.npmjs.com/package/audit-mcp-cli
GitHub: https://github.com/double527/audit-mcp-cli


If you find this useful, a star on GitHub goes a long way. Issues and PRs welcome.
