@black-duck/mcp-server

v1.1.4

Published

Black Duck MCP brings Signal's AI-powered security analysis directly into your development environment. Provides vulnerability detection through the Model Context Protocol.

Downloads

462

Readme

Black Duck MCP

Black Duck MCP brings Signal's AI-powered security analysis directly into your development environment. It enables code scanning through leading coding assistants – including Claude, Gemini, Cursor, Copilot, and others – so you can detect security issues, receive actionable insights, and apply recommended fixes quickly and consistently.

Key Features & Benefits

  • Git Code Diff Scan:
    • Performs fast, incremental security scans focused only on the code changes introduced by the developer.
    • Ideal for early-stage detection of issues as code is written
  • File Scan:
    • Runs a targeted security analysis on specific files or directories.
    • Best suited for projects that do not use Git or for developers who want to analyze specific portions of the codebase
  • Cross-Platform Support:
    • Works on Windows, macOS, and Linux

Requirements

Getting started

Step 1: Add to your MCP client

Add the following configuration to your MCP client (using Claude user level config as example):

{
  "mcpServers": {
    "black-duck-signal": {
      "command": "npx",
      "args": ["-y", "@black-duck/mcp-server"],
      "env": {
        "BLACKDUCK_MCP_GATEWAY_KEY": "your-api-key-here"
      }
    }
  }
}

Step 2: Your first scan

Use one of the following prompts in your MCP client to get started:

Scan my code changes for security vulnerabilities

Your MCP client should execute a security scan and report any vulnerabilities found on the code changes made. Requires that the project is git based to determine what files have changed.

Scan the changed files with respect to the main branch

Your MCP client should execute a security scan taking into account only code changes in the current branch vs the main branch and report any vulnerabilities found on the code changes made. Requires that the project is git based to determine what files have changed.

Scan all files under folder foobar for security vulnerabilities

Your MCP client should execute a security scan and report any vulnerabilities found.

Tools

| Tool | Parameters | Returns | Best Use Cases |
|------|------------|---------|----------------|
| run_diff_security_scan | • projectPath (required): Absolute path to git project<br>• gitPatchMode (required):<br>&nbsp;&nbsp;- all-uncommitted: Scan staged + unstaged changes<br>&nbsp;&nbsp;- reference-branch: Scan changes since branching<br>• referenceBranch (optional): Reference branch name (e.g., main) | • sarifFilePath: Path to SARIF report<br>• status: success or failure<br>• resourceUris: MCP resource URIs<br>• issueCounts: Counts by severity<br>• analysisGuidance: Analysis steps | • Faster: Analyzes only changed code<br>• Focused: Shows issues from your changes<br>• Iterative: Perfect for dev workflows & CI/CD<br>• Efficient: Reduces scan cost and time |
| run_security_scan | • projectPath (required): Absolute path to project<br>• filePaths (required): Array of file/directory absolute paths to scan | • sarifFilePath: Path to SARIF report<br>• status: success or failure<br>• resourceUris: MCP resource URIs<br>• issueCounts: Counts by severity<br>• analysisGuidance: Analysis steps | • Analyzing specific files/directories<br>• Focused security review of critical paths<br>• Quick checks during development<br>• Non-git projects |
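
Both tools return a sarifFilePath, so the report can be consumed outside the MCP client, for example to gate a CI job. The following is an added example, not code from the Black Duck package: it counts results in a parsed SARIF 2.1.0 document by the standard `level` field (inheriting the rule's default level, then falling back to `warning`). How the server maps its own issueCounts severities onto SARIF levels is not described on this page, so that mapping is an assumption; `summarizeSarif` and `shouldFail` are hypothetical names.

```javascript
// Added example (not Black Duck code): summarize a parsed SARIF 2.1.0 report.
// In practice: summarizeSarif(JSON.parse(fs.readFileSync(sarifFilePath, "utf8")))
const LEVELS = ["error", "warning", "note", "none"]; // most to least severe

function summarizeSarif(sarif) {
  const counts = { error: 0, warning: 0, note: 0, none: 0 };
  const findings = [];
  for (const run of sarif.runs || []) {
    // A result without its own level inherits the rule's default, else "warning".
    const rules = new Map((run.tool?.driver?.rules || []).map((r) => [r.id, r]));
    for (const result of run.results || []) {
      const inherited = rules.get(result.ruleId)?.defaultConfiguration?.level;
      let level = result.level || inherited || "warning";
      if (!LEVELS.includes(level)) level = "warning"; // malformed value: stay conservative
      counts[level] += 1;
      const loc = result.locations?.[0]?.physicalLocation;
      findings.push({
        level,
        ruleId: result.ruleId || "(no rule id)",
        file: loc?.artifactLocation?.uri || "(unknown)",
        line: loc?.region?.startLine ?? null,
        message: result.message?.text || "",
      });
    }
  }
  return { counts, findings };
}

// True when any result is at or above the chosen level (usable as a CI exit condition).
function shouldFail(summary, failOn = "error") {
  const cutoff = LEVELS.indexOf(failOn);
  return LEVELS.slice(0, cutoff + 1).some((l) => summary.counts[l] > 0);
}

// Constructed sample report; rule ids, paths and messages are made up.
const SAMPLE_SARIF = { version: "2.1.0", runs: [{
  tool: { driver: { name: "example-scanner",
    rules: [{ id: "EX-SQLI", defaultConfiguration: { level: "error" } }] } },
  results: [
    { ruleId: "EX-SQLI", message: { text: "Tainted query" }, locations: [{ physicalLocation:
      { artifactLocation: { uri: "src/db.js" }, region: { startLine: 42 } } }] },
    { ruleId: "EX-LOG", level: "note", message: { text: "Verbose log" } },
    { ruleId: "EX-MISC", message: { text: "No level set anywhere" } },
  ],
}] };

const summary = summarizeSarif(SAMPLE_SARIF);
console.log(summary.counts, "fail build:", shouldFail(summary));
```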

Optional Configuration

The Black Duck Signal MCP server supports the following environment variables:

| Variable | Default | Description |
|----------|---------|-------------|
| BLACKDUCK_MCP_GATEWAY_KEY | None (required) | API key for enhanced AI analysis |
| BLACKDUCK_HOME | User's home directory | Override the default .blackduck folder location |
| BLACKDUCK_MCP_TOOL_TIMEOUT | 1800000 (30 min) | Scan timeout in milliseconds |
| BLACKDUCK_MCP_LOG_LEVEL | info | Log level: error, warn, info, or debug |

You can set these variables in your MCP client configuration:

{
  "mcpServers": {
    "black-duck": {
      "command": "npx",
      "args": ["-y", "@black-duck/mcp-server"],
      "env": {
        "BLACKDUCK_MCP_GATEWAY_KEY": "your-api-key-here",
        "BLACKDUCK_MCP_LOG_LEVEL": "debug"
      }
    }
  }
}
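
A misspelled variable name or an out-of-range value in this `env` block is easy to miss, so a check before committing or distributing a client config is useful. The following is an added example, not code from the Black Duck package: it lints each `mcpServers` entry against the variable table above and also flags an `npx` package spec with no version, since an unpinned spec leaves the version that runs to npm's resolution. The finding names and the functions `lintServerEntry` and `lintConfig` are hypothetical; the pinned version in the sample is the one shown on this page.

```javascript
// Added example (not Black Duck code): lint "mcpServers" entries against the
// environment-variable table above. Finding names are this example's own.
const LOG_LEVELS = ["error", "warn", "info", "debug"];
const KNOWN_VARS = ["BLACKDUCK_MCP_GATEWAY_KEY", "BLACKDUCK_HOME",
  "BLACKDUCK_MCP_TOOL_TIMEOUT", "BLACKDUCK_MCP_LOG_LEVEL"];

function lintServerEntry(entry) {
  const findings = [];
  const env = entry.env || {};
  const key = env.BLACKDUCK_MCP_GATEWAY_KEY;
  if (!key) findings.push("missing-gateway-key");
  else if (key === "your-api-key-here") findings.push("placeholder-gateway-key");
  const level = env.BLACKDUCK_MCP_LOG_LEVEL;
  if (level !== undefined && !LOG_LEVELS.includes(level)) findings.push("invalid-log-level");
  const timeout = env.BLACKDUCK_MCP_TOOL_TIMEOUT; // documented as milliseconds
  if (timeout !== undefined && !/^[1-9]\d*$/.test(String(timeout))) findings.push("invalid-timeout");
  for (const name of Object.keys(env)) {
    // Catches typos such as BLACKDUCK_MCP_LOGLEVEL that would otherwise have no effect.
    if (name.startsWith("BLACKDUCK_") && !KNOWN_VARS.includes(name)) findings.push(`unknown-variable:${name}`);
  }
  if (entry.command === "npx") {
    // Package spec = first non-flag argument; "@scope/name@1.2.3" is pinned, "@scope/name" is not.
    const spec = (entry.args || []).find((a) => !a.startsWith("-"));
    const at = spec ? spec.lastIndexOf("@") : -1;
    const version = at > 0 ? spec.slice(at + 1) : "";
    if (spec && !/^\d+\.\d+\.\d+/.test(version)) findings.push(`unpinned-package:${spec}`);
  }
  return findings;
}

function lintConfig(config) {
  const report = {};
  for (const [name, entry] of Object.entries(config.mcpServers || {})) report[name] = lintServerEntry(entry);
  return report;
}

// Constructed sample: the config shown above, plus a second entry with typical mistakes.
const SAMPLE_CONFIG = { mcpServers: {
  "black-duck": { command: "npx", args: ["-y", "@black-duck/mcp-server"],
    env: { BLACKDUCK_MCP_GATEWAY_KEY: "your-api-key-here", BLACKDUCK_MCP_LOG_LEVEL: "debug" } },
  "black-duck-pinned": { command: "npx", args: ["-y", "@black-duck/mcp-server@1.1.4"],
    env: { BLACKDUCK_MCP_LOGLEVEL: "debug", BLACKDUCK_MCP_TOOL_TIMEOUT: "30m" } },
} };

console.log(JSON.stringify(lintConfig(SAMPLE_CONFIG), null, 2));
```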

Logging and Troubleshooting

Log Location

All MCP logs are written to /Users/<username>/.blackduck/mcp/logs/ on Linux/macOS and to C:\Users\<Username>\AppData\Roaming\BlackDuck\mcp\logs\ on Windows (customizable via BLACKDUCK_HOME):

  • black-duck-mcp.log - Combined log (all levels)
  • black-duck-mcp-error.log - Error-only log

IP Allowlist

The following URLs and IP addresses must be accessible for the MCP server to function properly:

| URL | IP Address |
|-----|------------|
| repo.blackduck.com | 34.149.5.115 |
| llm.core.blackduck.com | 104.18.36.253 |

Ensure your firewall allows outbound HTTPS (port 443) connections to these endpoints.

License Terms

By downloading this package, you are agreeing to the Black Duck End User License Agreement.

Resources