Open source · MIT · v0.3.0

Your AI knows your code.
Now it knows your CVEs.

context-snipe reads your lockfiles, queries OSV.dev, and hands your AI assistant a short, ranked, deterministic vulnerability report — over the Model Context Protocol. One binary. No runtime. No telemetry.

↓ Download ★ Star on GitHub
Works with Claude Desktop · Cursor · Windsurf · any MCP client
Terminal
~/my-api $ context-snipe scan . context-snipe — vulnerability scan Project: ./my-api Scanned: 412 entries (388 unique packages) from Cargo.lock, package-lock.json FOUND 3 advisories affecting 2 of 388 package(s): lodash 4.17.11 [npm] [CRIT] GHSA-jf85-cpcp-j695 (CVE-2019-10744) Prototype Pollution in lodash [HIGH] GHSA-35jh-r3h4-6jhm (CVE-2021-23337) Command Injection in lodash minimatch 3.0.4 [npm] [HIGH] GHSA-f8q6-p94x-37v3 (CVE-2022-3517) minimatch ReDoS vulnerability Source: OSV.dev. These advisories affect packages actually present in your dependency tree. Note: presence is not the same as exploitability — confirm the vulnerable code path is reachable.

One line. Drop it in.

One command grabs the right binary for your platform and puts it on your PATH. No package manager, no build, no runtime.

macOS / Linux curl -fsSL https://raw.githubusercontent.com/RP-Digital-Innovations/context-snipe/main/install.sh | sh
Windows · PowerShell irm https://raw.githubusercontent.com/RP-Digital-Innovations/context-snipe/main/install.ps1 | iex

Prefer to grab a binary by hand? Pick your platform:

Linux
Statically linked (musl):
↓ x86_64 ↓ ARM64
Windows
Self-contained .exe:
↓ x86_64 .exe

Connect to your AI tool

Add context-snipe as an MCP server. Claude Desktop and Cursor use the same shape.

claude_desktop_config.json — or ~/.cursor/mcp.json
{
  "mcpServers": {
    "context-snipe": {
      "command": "/usr/local/bin/context-snipe",
      "args": ["serve"]
    }
  }
}

Restart your client, then ask: "Check this project for vulnerable dependencies."

Not another scanner. AI-native CVE context.

Generic vulnerability scanners dump hundreds of advisories. context-snipe gives your AI exactly the signal it needs, nothing more.

🔒
Reads lockfiles, not manifests
Cargo.lock, package-lock.json, poetry.lock, go.sum — the exact resolved transitive versions, not the declared ranges. No false positives from unpinned dependencies.
🤖
Built for your AI, not a dashboard
Returns a short, ranked, deduplicated report your AI can actually act on. CVEs are merged across GHSA/PYSEC/RUSTSEC and graded by a computed CVSS base score.
📦
Single binary, ~1 MB
No Node, no Python, no Docker, no runtime. A pure-Rust executable that spawns in milliseconds — fast enough for an MCP tool call.
🕵️
Zero telemetry
Your code and lockfiles never leave your machine. Only package names and versions are sent to OSV.dev for vulnerability matching.
🌐
OSV.dev as the source
One open-source database covering GHSA, RUSTSEC, PyPI advisories, Go vulndb, and more. No proprietary data, no subscription to a scanner vendor.
Two-phase batch query
A single querybatch call filters your whole tree in one round-trip, then focused queries pull details only for packages with hits. Fast even on large monorepos.

Four ecosystems, one scan.

Prefer the lockfile when present; fall back to the manifest when not.

Ecosystem Lockfile (preferred) Manifest fallback
Rust Cargo.lock
Node / npm pnpm-lock.yaml
yarn.lock
package-lock.json
package.json
Python poetry.lock
uv.lock
requirements.txt
Go go.sum go.mod

Open source. MIT licensed.

Read the source, file issues, submit PRs. Built by RP Digital Innovations.

★ Star on GitHub