
Web Audit
Scans Node.js projects for known vulnerabilities in their dependencies using npm audit and generates structured Markdown reports grouped by severity, for use in automated security assessment workflows. Works with both local projects and remote repositories: it reads the project's package.json, runs npm audit, and writes the report.
What it does
- Scan package.json files for vulnerabilities
- Run npm audit commands automatically
- Generate markdown security reports
- Audit remote GitHub repositories
- Categorize vulnerabilities by severity level
- Analyze dependency chains and indirect dependencies
About Web Audit
Web Audit is a community-built MCP server published by shen-zhihao that provides AI assistants with tools and capabilities via the Model Context Protocol. It scans a Node.js project's package.json, runs npm audit, and creates Markdown reports grouped by severity for automated security assessment. It is categorized under auth security and developer tools.
How to install
You can install Web Audit in your AI client of choice. Use the install panel on this page to get one-click setup for Cursor, Claude Desktop, VS Code, and other MCP-compatible clients. This server runs locally on your machine via the stdio transport.
License
Web Audit is released under the MIT license. This is a permissive open-source license, meaning you can freely use, modify, and distribute the software.
mcp-web-audit
A Node.js-based security audit tool for front-end projects, supporting full dependency security audits of both local projects and remote repositories.
🔍 Features
- 🛡️ Full coverage: audits every direct and transitive dependency of a front-end project
- 🌐 Multiple sources: audits local projects and remote repositories (GitHub and others)
- 📊 Detailed reports: generates Markdown audit reports in a standard format
- 🔌 MCP integration: exposes the audit as a Model Context Protocol (MCP) server
- ⚡ Automation: the whole audit runs without manual intervention
- 🚀 CLI support: can be invoked directly with npx, with no install step
📋 What is audited
- Vulnerability detection: identifies known security vulnerabilities in dependency packages
- Version analysis: checks dependency versions for security and compatibility
- Dependency chain analysis: traces transitive dependency relationships
- Risk assessment: classifies vulnerabilities by severity (Critical, High, Moderate, Low)
- Remediation advice: gives concrete fix recommendations
🚀 Quick start
Using npx (recommended)
No installation required:
# Audit a local project
npx mcp-web-audit /path/to/your/project
# Audit a remote repository
npx mcp-web-audit https://github.com/user/repo
# Specify the output file
npx mcp-web-audit /path/to/project -o ./my-audit.md
# Show help
npx mcp-web-audit --help
# Show the version
npx mcp-web-audit --version
Global install
# Install globally
npm install -g mcp-web-audit
# Run the command
mcp-web-audit /path/to/your/project
Local install of the development version
# Clone the repository
git clone https://github.com/shenzhihao/mcp-web-audit.git
cd mcp-web-audit
# Install dependencies
npm install
# Test locally
node bin/cli.js /path/to/test/project
🚀 CLI usage
Basic usage
npx mcp-web-audit [options] <project-path>
Arguments
<project-path>: the project to audit (an absolute local path or a remote repository URL)
Options
-o, --output <file>: path of the output report (default: ./audit-report.md)
-h, --help: show help
-v, --version: show the version
Examples
# Audit the current directory
npx mcp-web-audit .
# Audit a specific local project
npx mcp-web-audit /Users/username/my-project
# Audit a GitHub repository
npx mcp-web-audit https://github.com/facebook/react
# Specify the output file name
npx mcp-web-audit ./my-project -o security-report.md
# Show help
npx mcp-web-audit --help
Running as an MCP server
node src/mcpServer.js
Programmatic use
import { auditPackage } from "mcp-web-audit";
// Audit a local project
await auditPackage("/path/to/your/project", "./audit-report.md");
// Audit a remote repository
await auditPackage("https://github.com/user/repo", "./audit-report.md");
📊 Sample audit report
The generated audit report contains:
- Project overview: basic information such as project name and version
- Vulnerability summary: number of vulnerabilities per severity level
- Detailed vulnerability list: for each vulnerability:
- Description
- Affected package and versions
- Severity rating
- Fix recommendation
- Related links
📝 Requirements
- Node.js: >= 14.0.0
- Network: a network connection is required to audit remote repositories
- Disk space: at least 100 MB free (for temporary files)
📁 Project structure
src/
├── audit/ # core audit modules
│ ├── currentAudit.js # audit of the current project
│ ├── getDepChain.js # dependency chain analysis
│ ├── index.js # audit entry point
│ ├── normalizeAuditResult.js # result normalization
│ ├── npmAudit.js # npm audit wrapper
│ └── remoteAudit.js # remote repository audit
├── common/ # shared utilities
│ └── utils.js # helper functions
├── entry/ # program entry
│ └── index.js # main API entry point
├── generateLock/ # lock file generation
│ ├── generateLock.js # lock file generation logic
│ └── index.js # module entry point
├── main/ # main program
│ └── index.js # main program entry point
├── parseProject/ # project parsing
│ ├── index.js # parsing entry point
│ ├── parseLocalProject.js # local project parsing
│ └── parseRemoteProject.js # remote project parsing
├── render/ # report rendering
│ ├── index.js # rendering entry point
│ ├── markdown.js # Markdown rendering
│ └── test/ # test files
├── workDir/ # working directory management
│ └── index.js # working directory operations
└── mcpServer.js # MCP server
🔧 API reference
auditPackage(projectRoot, savePath)
Audits all dependency packages of the given project.
Parameters:
projectRoot (string): absolute path of the project root, or a remote repository URL
savePath (string): path where the audit report is saved
Example:
// Local project
await auditPackage("/Users/username/my-project", "./audit.md");
// Remote repository
await auditPackage("https://github.com/facebook/react", "./react-audit.md");
🛠️ Tech stack
- Runtime: Node.js (ES Modules)
- Core dependencies:
@modelcontextprotocol/sdk: MCP protocol support
ejs: template engine
zod: data validation
🔒 Security audit flow
- Project parsing: parse the project's package.json
- Dependency analysis: resolve all direct and transitive dependencies
- Lock file generation: generate a dependency lock file
- Security scan: run npm audit against the project
- Result normalization: normalize the npm audit output into a uniform structure
- Report generation: render the Markdown audit report
npm audit reports advisories for the exact versions resolved in the lock file, so the lock file generated in the third step, rather than the version ranges in package.json alone, determines which findings appear in the report.
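As an added example, not mcp-web-audit's own code, the JavaScript below shows how the last three steps fit together: it takes the JSON that `npm audit --json` emits on npm 7 or later (auditReportVersion 2), normalizes each advisory into a finding with its dependency chain, counts findings per severity, renders a Markdown report, and checks a severity threshold that a CI job could gate on. The input is a constructed sample with fictional package names and advisory URLs, and every function name here is the example's own, not the project's.

```javascript
// Added example, not mcp-web-audit's own code. Normalizes `npm audit --json`
// output (auditReportVersion 2, npm >= 7) and renders a Markdown report by severity.

const SEVERITY_ORDER = ["critical", "high", "moderate", "low", "info"];

// Constructed sample in the shape npm >= 7 emits. Package names and advisory
// URLs are fictional. Each `via` entry is either an advisory object or the name
// of another vulnerable package the problem is inherited from; `effects` lists
// the packages that depend on this one and are therefore affected.
const SAMPLE_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "tiny-parser": {
      name: "tiny-parser", severity: "high", isDirect: false,
      via: [{ source: 1, name: "tiny-parser", title: "Prototype pollution in tiny-parser",
              url: "https://example.invalid/advisories/1", severity: "high", range: "<1.2.0" }],
      effects: ["build-helper"], range: "<1.2.0", fixAvailable: true,
    },
    "build-helper": {
      name: "build-helper", severity: "high", isDirect: true,
      via: ["tiny-parser"], effects: [], range: "2.0.0 - 2.3.1",
      fixAvailable: { name: "build-helper", version: "2.4.0", isSemVerMajor: false },
    },
    "old-logger": {
      name: "old-logger", severity: "low", isDirect: true,
      via: [{ source: 2, name: "old-logger", title: "ReDoS in format-string handling",
              url: "https://example.invalid/advisories/2", severity: "low", range: "<0.9.0" }],
      effects: [], range: "<0.9.0", fixAvailable: false,
    },
  },
};

// Walk `effects` upward until a direct dependency is reached and return every
// chain from a direct dependency down to `pkg`. `seen` guards against cycles.
function rootPaths(vulns, pkg, seen = new Set()) {
  const entry = vulns[pkg];
  if (!entry || seen.has(pkg)) return [];
  const visited = new Set(seen).add(pkg);
  if (entry.isDirect || !entry.effects?.length) return [[pkg]];
  const paths = [];
  for (const parent of entry.effects) {
    for (const p of rootPaths(vulns, parent, visited)) paths.push([...p, pkg]);
  }
  return paths.length ? paths : [[pkg]];
}

function describeFix(fix) {
  if (fix === true) return "fix available via `npm audit fix`";
  if (fix && typeof fix === "object") {
    const major = fix.isSemVerMajor ? " (semver-major: needs `npm audit fix --force` and a retest)" : "";
    return `upgrade ${fix.name} to ${fix.version}${major}`;
  }
  return "no fix available; consider replacing the package";
}

// One finding per advisory object; string `via` entries are only pointers.
function normalizeAudit(report) {
  if (report.auditReportVersion !== 2) throw new Error("expected auditReportVersion 2 (npm >= 7)");
  const vulns = report.vulnerabilities ?? {};
  const findings = [];
  for (const [pkg, entry] of Object.entries(vulns)) {
    for (const via of entry.via ?? []) {
      if (!via || typeof via === "string") continue;
      findings.push({
        package: pkg,
        severity: SEVERITY_ORDER.includes(via.severity) ? via.severity : "info",
        title: via.title, url: via.url, range: via.range,
        direct: Boolean(entry.isDirect),
        chains: rootPaths(vulns, pkg).map((p) => p.join(" > ")),
        fix: describeFix(entry.fixAvailable),
      });
    }
  }
  return findings.sort((a, b) =>
    SEVERITY_ORDER.indexOf(a.severity) - SEVERITY_ORDER.indexOf(b.severity) ||
    a.package.localeCompare(b.package));
}

function countBySeverity(findings) {
  const counts = Object.fromEntries(SEVERITY_ORDER.map((s) => [s, 0]));
  for (const f of findings) counts[f.severity] += 1;
  counts.total = findings.length;
  return counts;
}

// True when any finding is at `level` or worse; usable as a CI gate.
function exceedsThreshold(findings, level) {
  const limit = SEVERITY_ORDER.indexOf(level);
  return findings.some((f) => SEVERITY_ORDER.indexOf(f.severity) <= limit);
}

function renderMarkdown(projectName, findings) {
  const counts = countBySeverity(findings);
  const out = [`# Security audit: ${projectName}`, "", "## Summary", "",
               "| Severity | Count |", "|---|---|"];
  for (const s of SEVERITY_ORDER) out.push(`| ${s} | ${counts[s]} |`);
  out.push(`| total | ${counts.total} |`, "");
  for (const s of SEVERITY_ORDER) {
    const group = findings.filter((f) => f.severity === s);
    if (group.length === 0) continue;
    out.push(`## ${s.toUpperCase()} (${group.length})`, "");
    for (const f of group) {
      out.push(`### ${f.package} ${f.range}`, "", `- ${f.title}`,
               `- Dependency chain: ${f.chains.join("; ")}${f.direct ? " (direct dependency)" : ""}`,
               `- Fix: ${f.fix}`, `- Advisory: ${f.url}`, "");
    }
  }
  return out.join("\n");
}

const demoFindings = normalizeAudit(SAMPLE_AUDIT);
console.log(renderMarkdown("demo-project", demoFindings));
console.log(exceedsThreshold(demoFindings, "high") ? "FAIL: high or critical findings" : "OK");
```

The chain for `tiny-parser` comes out as `build-helper > tiny-parser`, which tells the reader which direct dependency to upgrade; `build-helper` itself produces no separate finding because its only `via` entry is a pointer to `tiny-parser`, so the same advisory is not double counted.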
🤝 Contributing
Issues and pull requests that help improve this project are welcome.
📄 License
ISC License
📞 Support
If you run into problems while using the tool, open an Issue or contact the maintainer.