Content
Analyze dependency security and supply chain risks with Socket's comprehensive vulnerability detection. Scan dependencies for known vulnerabilities, analyze security scores, detect supply chain attacks, monitor package health, generate detailed security reports, export SBOMs, manage license policies, and support multiple package managers (npm, PyPI, Go, Maven, Packagist)—all through natural language commands. Supports OAuth authentication for MCP access and API key authentication for Socket API calls.
Features
- Scan dependencies for known vulnerabilities (CVE database integration)
- Analyze security scores for packages (risk assessment metrics)
- Detect supply chain attacks and risks (malicious package detection)
- Monitor package health metrics (maintenance and popularity indicators)
- Generate detailed security reports (comprehensive vulnerability analysis)
- SBOM export capabilities (Software Bill of Materials generation)
- License policy management (compliance and license risk assessment)
- Multi-package manager support (npm, PyPI, Go, Maven, Packagist)
Use Cases
- Audit project dependencies for vulnerabilities (comprehensive security audit)
- Check security before adding new packages (pre-installation validation)
- Monitor supply chain security risks (continuous threat monitoring)
- Validate package updates are safe (update security verification)
- Generate security compliance reports (regulatory compliance documentation)
- Track security scores across projects (organization-wide security metrics)
- Detect malicious packages and typosquatting (supply chain attack prevention)
- Manage license compliance and policies (open source license governance)
Socket vs Other Dependency Scanners
Socket takes a different approach from advisory-database scanners — it analyzes what a package actually does (install scripts, network/filesystem access, obfuscation), so it can flag supply-chain attacks before they become published CVEs:
| Tool |
Detection approach |
Catches zero-day supply-chain attacks? |
Where it runs |
| Socket (this MCP) |
Behavioral analysis of package capabilities + supply-chain risk signals |
Yes — flags malware/suspicious behavior pre-CVE |
In Claude via MCP, plus CI/GitHub app |
| npm audit |
Matches installed versions against the npm advisory database |
No — known CVEs only |
Local CLI |
| Snyk |
Vulnerability DB + license and IaC scanning |
Partially — DB-driven, plus some heuristics |
CLI, CI, and SaaS |
Use Socket for pre-install/supply-chain risk review of new or updated packages; pair it with npm audit or Snyk for breadth of known-CVE coverage.
Installation
Claude Code
- Run: claude mcp add --transport http socket https://mcp.socket.dev/
- Verify installation: claude mcp list
- Test connection: claude mcp status socket
- Authenticate with your Socket account (OAuth flow)
- Grant required permissions for dependency scanning
Claude Desktop
- Open Claude Desktop configuration file (see configPath below)
- Add the Socket server configuration with HTTP transport and URL
- Restart Claude Desktop
- Authenticate with your Socket account (OAuth flow)
- Grant required permissions for dependency scanning
- Verify connection in Claude Desktop
Requirements
- Socket account (free or paid plan)
- OAuth authentication setup (for mcp.socket.dev MCP connection)
- Socket API key (for Socket API access, available in Socket Dashboard)
- Network access to mcp.socket.dev (HTTPS required)
- Understanding of dependency security concepts (vulnerabilities, supply chain risks)
- Package manager files (package.json, requirements.txt, go.mod, pom.xml, composer.json)
- Claude Desktop 0.7.0+ or Claude Code with MCP support
- Understanding of SBOM (Software Bill of Materials) concepts
- Understanding of Socket rate limits (600 requests/minute, 10 req/second average)
- Optional: Organization access for team-based security policies
Configuration
{
"socket": {
"url": "https://mcp.socket.dev/",
"transport": "http"
}
}
Examples
Scan my package.json for vulnerabilities
Common usage pattern for this MCP server
Ask Claude: "Scan my package.json for vulnerabilities"
Check the security score of lodash
Common usage pattern for this MCP server
Ask Claude: "Check the security score of lodash"
Find risky dependencies in my project
Common usage pattern for this MCP server
Ask Claude: "Find risky dependencies in my project"
Generate a security report
Common usage pattern for this MCP server
Ask Claude: "Generate a security report"
Security
- OAuth authentication required for MCP server access (secure token-based auth)
- Socket API key authentication for API calls (stored securely, managed in Dashboard)
- Regular security scans recommended (continuous dependency monitoring)
- Monitor critical security alerts (vulnerability notifications)
- Review and apply suggested fixes (automated remediation guidance)
Troubleshooting
Rate limit exceeded - 429 Too Many Requests error
Socket API rate limit is 600 requests/minute (average 10 requests/second). Implement random exponential backoff for retries (wait time increases with each retry). Space out API calls to stay under the 10 req/second average. Monitor rate limit headers in API responses. Batch multiple package scans when possible. Cache scan results to avoid redundant requests. Contact support@socket.dev to request rate limit increase for your organization. Consider upgrading to a plan with higher rate limits.
Authentication failed or API key invalid
Socket API uses API key authentication. Provide API token via HTTP Basic auth (token as username, blank password) or use Authorization: Bearer YOUR_API_KEY header format. Verify API key in Socket Dashboard settings (Settings > API Keys). Generate new key if expired or compromised. Ensure API key has required permissions for the operations you're performing. For MCP server connection, ensure OAuth authentication is completed at https://mcp.socket.dev/. Check token not revoked or disabled in dashboard.
Package scan failed or unsupported package manager
Socket supports npm (package.json, package-lock.json), PyPI (requirements.txt), Go modules (go.mod), Maven (pom.xml), and Packagist (composer.json). Verify package file format is valid JSON or proper dependency format. Check package exists in the registry (npm, PyPI, Maven Central, etc.). Ensure package file paths are correct and accessible. Review scan output for specific error messages. For npm, ensure package-lock.json is present for accurate dependency resolution. Check package manager version compatibility.
SBOM export or security report generation errors
Verify account has access to SBOM export features (may require paid plan). Check report snapshot hash authentication (SHA2) is correct. Ensure sufficient permissions for license policy management in organization settings. Review API response for specific error details. Verify organization membership and access level. Check if report ID exists and hasn't expired. Ensure file paths in report creation are valid and accessible. For license policy errors, verify organization has license policy management enabled.