MCP Server for AI Assistants
Meterian Security ships a built-in Model Context Protocol (MCP) server that exposes the vulnerability database directly to your AI assistant.
Once connected, you can ask your AI things like:
- "Are any of my libraries currently vulnerable?"
- "What's a safe version for the axios library?"
- "Get me a list of all critical vulnerabilities in this project."
Why does my AI need an MCP server?
The AI assistants in IDEs are pre-trained on a fixed set of data, which goes stale over time. New vulnerabilities emerge daily, and the model is unaware of any that appeared after its training cutoff date. The MCP server, provided standalone or bundled with the Meterian extension, feeds the AI assistant in your IDE the latest vulnerability information, so it can detect vulnerabilities in your dependencies and suggest the best alternatives based on current security data.
How it works
When the VS Code extension activates, it automatically registers the MCP server with any supported IDEs it finds on your machine (VS Code, Cursor, Windsurf). For AI CLI tools (Claude Code, Gemini CLI, Codex), use the VS Code commands below or the standalone installer.
The server exposes two tools:
| Tool | Description |
|---|---|
| `advisories/get` | Returns known security advisories for a given library and version |
| `advisories/getNextSafe` | Returns the earliest safe version to upgrade to |
Supported AI tools
| Tool | Integration method | Website |
|---|---|---|
| VS Code (Copilot) | Config file updated automatically | code.visualstudio.com |
| Cursor | Config file updated automatically | cursor.com |
| Windsurf | Config file updated automatically | windsurf.com |
| Claude Code | Via VS Code command or standalone installer | claude.ai/code |
| Gemini CLI | Via VS Code command or standalone installer | github.com/google-gemini/gemini-cli |
| Codex CLI | Via VS Code command or standalone installer | github.com/openai/codex |
| mcp-cli | Via standalone installer | github.com/philschmid/mcp-cli |
VS Code commands
Use these from the Command Palette (Ctrl+Shift+P) to manually manage registration:
| Command | Description |
|---|---|
| Register Meterian MCP on Claude Code | Register with Claude Code |
| Unregister Meterian MCP from Claude Code | Remove registration from Claude Code |
| Register Meterian MCP on Gemini CLI | Register with Gemini CLI |
| Unregister Meterian MCP from Gemini CLI | Remove registration from Gemini CLI |
| Register Meterian MCP on Codex CLI | Register with Codex CLI |
| Unregister Meterian MCP from Codex CLI | Remove registration from Codex CLI |
Standalone installation (without VS Code)
If you use AI CLI tools without VS Code, you can install the MCP server standalone using the installer script. It downloads the latest version from OpenVSX, smoke-tests it, and registers it with all AI CLIs it finds on your machine.
Prerequisites
- `node` (any recent LTS version)
- `unzip`
- `curl` (for downloading from OpenVSX)
Install
```bash
curl -sSfL https://raw.githubusercontent.com/MeterianHQ/vscode-extension-tracker/main/scripts/install-meterian-mcp.sh | bash
```
Or download and run it yourself:
```bash
curl -sSfL https://raw.githubusercontent.com/MeterianHQ/vscode-extension-tracker/main/scripts/install-meterian-mcp.sh -o install-meterian-mcp.sh
chmod +x install-meterian-mcp.sh
./install-meterian-mcp.sh
```
The script will:
- Download the latest `.vsix` from OpenVSX
- Extract the MCP server files to `~/.meterian/mcp-server/`
- Run a smoke test to verify the server starts correctly
- Register the server with any AI CLIs found (`claude`, `gemini`, `codex`)
Uninstall
```bash
./install-meterian-mcp.sh --uninstall
```
This removes ~/.meterian/mcp-server/ and deregisters the server from all AI CLIs.
Useful prompts
Here are some prompts to get the most out of the Meterian MCP server with your AI assistant.
Check for vulnerabilities:
"Are any of my project's dependencies currently vulnerable?"
Get a safe version:
"What is the safest version I can upgrade axios to?"
Triage by severity:
"List all critical and high severity vulnerabilities in this project."
Fix all vulnerable dependencies within the patch version:
"Using the Meterian MCP server, check all dependencies in this project for known vulnerabilities. For each vulnerable dependency, get the next safe version and apply a fix — but only if the safe version is a patch-level upgrade (same major and minor version). Update the manifest files accordingly."
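The patch-level rule in the last prompt can be checked deterministically once the assistant has edited the manifest, rather than trusting the model to have followed it. The following is an added example, not Meterian code: it assumes an npm-style `package.json` with exact, `^` or `~` version specifiers, and the function names and sample manifests are constructed for illustration.

```javascript
// Added example (not Meterian code): audit a manifest edit made by an AI assistant.
// Assumption: npm-style versions that are exact or prefixed with ^ or ~.
const SEMVER = /^[\^~]?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$/;

function parseVersion(spec) {
  const m = SEMVER.exec(String(spec).trim());
  if (!m) return null; // ranges, tags, git URLs: needs a human decision
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || "" };
}

// True only when `to` keeps major.minor and raises the patch number.
// Pre-release targets are rejected (a conservative choice made for this example).
function isPatchLevelUpgrade(from, to) {
  const a = parseVersion(from);
  const b = parseVersion(to);
  if (!a || !b) return false;
  return a.major === b.major && a.minor === b.minor &&
         b.patch > a.patch && b.pre === "";
}

// Compare the dependency maps before and after the edit; report every change.
function auditManifestChange(before, after) {
  const findings = [];
  for (const section of ["dependencies", "devDependencies"]) {
    const old = before[section] || {};
    const cur = after[section] || {};
    for (const name of new Set([...Object.keys(old), ...Object.keys(cur)])) {
      if (old[name] === cur[name]) continue;
      let verdict = "not-patch-level";
      if (!(name in old)) verdict = "added";
      else if (!(name in cur)) verdict = "removed";
      else if (isPatchLevelUpgrade(old[name], cur[name])) verdict = "ok";
      findings.push({ section, name, from: old[name] ?? null, to: cur[name] ?? null, verdict });
    }
  }
  return findings;
}

// Constructed sample manifests; names other than axios and all versions are illustrative.
const sampleBefore = { dependencies: { axios: "^1.6.0", "lib-a": "4.17.20", "lib-b": "~4.18.1" } };
const sampleAfter = { dependencies: { axios: "^1.6.8", "lib-a": "5.0.0", "lib-b": "~4.19.0", "lib-c": "1.3.0" } };

for (const f of auditManifestChange(sampleBefore, sampleAfter)) {
  console.log(`${f.verdict.padEnd(16)} ${f.name}: ${f.from} -> ${f.to}`);
}
```

Any finding other than `ok` (a minor or major bump, a downgrade, an added or removed package) is a change the prompt did not authorize and should be reviewed before it is committed.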
Known issues
Due to an issue in Claude that prematurely closes stdin, you may need to reconnect to the MCP server after starting Claude for the first time. Enter /mcp, select the MCP server with the arrow keys, and click reconnect.
Premium recommended
The MCP server works in Free mode, but Premium mode provides broader language coverage and more detailed advisory information.