Support MCP

[Fix3dP0int]

Is anyone interested in adding MCP protocol support to Scorecard? I believe this could be a valuable enhancement — it would enable large language models (LLMs) to assess the security posture of open-source projects more effectively. With MCP integration, an LLM could quickly identify potential vulnerabilities, suggest remediations, and even generate pull requests automatically. I’d be happy to collaborate if others are interested in exploring this idea.

[spencerschrock]

With MCP integration

Can you clarify what sort of integration would be needed? Is this something that would integrate locally with the Scorecard binary? Or would it be a hosted integration?

[Fix3dP0int]

Thanks for replying. I believe the integration will be with the binary. The MCP Server functions like a REST API, but it's designed for LLMs. We can refer to GitHub's MCP Server, which translates standard REST APIs into ones compatible with the MCP protocol.

Many MCP servers are deployed locally on users' machines, but GitHub has also considered support for remote MCP servers — a feature that has attracted user interest.

I’ve implemented a simple version in Python. I developed an MCP tool that invokes the Scorecard server locally. However, it currently requires an additional forwarding step. If it were integrated into the Scorecard binary, we could use it natively without that extra step.

[spencerschrock]

Many MCP servers are deployed locally on users' machines, but GitHub has also considered support for remote MCP servers

Local is better in this case, less infrastructure for Scorecard to maintain.

I developed an MCP tool that invokes the Scorecard server locally

The Scorecard server being --serve referenced in your other issue? #4627

[Fix3dP0int]

The Scorecard server being --serve referenced in your other issue?

Yeah. So MCP and REST API are essentially consistent; they just use different frameworks/protocols. The MCP Server exposes its functionalities to the client in the form of tools, resources, and prompts, whereas the REST API exposes them using methods like GET, POST, and PUT. The MCP Server will be developed on top of the REST API.

[steiza]

I think there might be two opportunities here, one from the perspective of someone consuming open source software and one from the perspective of an open source maintainer - both of which the Scorecard project serve in different ways.

I wrote a Scorecard MCP server from the perspective of someone consuming open source software so you can ask your LLM questions like:

What security best practices does node-semver follow?

For folks who aren't familiar with MCP servers (which was me until this week) the way I would recommend using this is telling your IDE to download https://pypi.org/project/scorecard-mcp/ and run it locally. That package (running locally) calls the Scorecard REST API to get the result and then render the response to the user - so no additional server is needed for this MCP "server".

I think there is also an opportunity for a Scorecard MCP "server" that also runs locally, but from the perspective of an open source maintainer, who might ask questions like:

What steps should I take to secure my project?

The MCP server could then get the current results and make recommendations. Some flows might be available without authorization, but the user may need to provide an API token for more advanced checks.